Running all stack

This commit is contained in:
mr
2026-01-06 08:23:16 +01:00
parent 5a0651106d
commit 3d416169e3
56 changed files with 1974 additions and 435 deletions


@@ -0,0 +1,19 @@
# relok8s image hints file
# This file makes this Helm Chart relocatable by relok8s
# More info here https://github.com/vmware-tanzu/asset-relocation-tool-for-kubernetes
#
# mongodb chart
# mongodb image
- "{{.image.registry}}/{{.image.repository}}:{{.image.tag}}"
# kubectl image
- "{{.externalAccess.autoDiscovery.image.registry}}/{{.externalAccess.autoDiscovery.image.repository}}:{{.externalAccess.autoDiscovery.image.tag}}"
# mongodb-exporter image
- "{{.metrics.image.registry}}/{{.metrics.image.repository}}:{{.metrics.image.tag}}"
# nginx image
- "{{.tls.image.registry}}/{{.tls.image.repository}}:{{.tls.image.tag}}"
# os-shell image
- "{{.externalAccess.dnsCheck.image.registry}}/{{.externalAccess.dnsCheck.image.repository}}:{{.externalAccess.dnsCheck.image.tag}}"
# os-shell image
- "{{.volumePermissions.image.registry}}/{{.volumePermissions.image.repository}}:{{.volumePermissions.image.tag}}"
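Review bot: The `# os-shell image` comment above the `externalAccess.dnsCheck.image` hint mislabels that entry — the README parameter table in this commit documents `externalAccess.dnsCheck.image.repository` as defaulting to `REPOSITORY_NAME/kubectl`, so that label should read `# kubectl image` (the `volumePermissions` entry that follows is the one actually backed by os-shell). Because every hint is templated as `registry/repository:tag` only, a deployment that sets `*.image.digest` (which the README notes overrides the tag) will not have that digest carried through relocation; if relok8s offers no digest form for hints, a one-line comment in the header such as `# digests are not rewritten; re-verify *.image.digest after relocation` would save operators a surprise. Relocating also changes registry and repository, which is presumably what the image verification added in 16.4.0 rejects, so relocated installs will likely need `global.security.allowInsecureImages=true` and that trade-off deserves a comment here too.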


@@ -1,6 +0,0 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.27.0
digest: sha256:b711ab5874abf868a0c64353a790f17771758cee6f802acb9819be004c8460af
generated: "2024-11-14T11:36:35.060517594+01:00"


@@ -1,30 +1,34 @@
annotations:
category: Database
fips: "true"
images: |
- name: kubectl
image: docker.io/bitnami/kubectl:1.31.2-debian-12-r3
version: 1.34.1
image: registry-1.docker.io/bitnami/kubectl:latest
- name: mongodb
image: docker.io/bitnami/mongodb:8.0.3-debian-12-r0
version: 8.2.1
image: registry-1.docker.io/bitnami/mongodb:latest
- name: mongodb-exporter
image: docker.io/bitnami/mongodb-exporter:0.41.2-debian-12-r1
version: 0.47.1
image: registry-1.docker.io/bitnami/mongodb-exporter:latest
- name: nginx
image: docker.io/bitnami/nginx:1.27.2-debian-12-r2
version: 1.29.3
image: registry-1.docker.io/bitnami/nginx:latest
- name: os-shell
image: docker.io/bitnami/os-shell:12-debian-12-r32
version: "5"
image: registry-1.docker.io/bitnami/os-shell:latest
licenses: Apache-2.0
tanzuCategory: service
apiVersion: v2
appVersion: 8.0.3
appVersion: 8.2.1
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
tags:
- bitnami-common
version: 2.x.x
description: MongoDB(R) is a relational open source NoSQL database. Easy to use, it
stores data in JSON-like documents. Automated scalability and high-performance.
Ideal for developing cloud native applications.
version: 2.33.2
description: "MongoDB(R) is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications."
home: https://bitnami.com
icon: https://bitnami.com/assets/stacks/mongodb/img/mongodb-stack-220x234.png
icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/mongodb/img/mongodb-stack-220x234.png
keywords:
- mongodb
- database
@@ -33,9 +37,9 @@ keywords:
- replicaset
- replication
maintainers:
- name: Broadcom, Inc. All Rights Reserved.
- name: "Broadcom, Inc. All Rights Reserved."
url: https://github.com/bitnami/charts
name: mongodb
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/mongodb
version: 16.3.1
version: 18.1.9
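Review bot: The `images` annotation now records every image with a rolling `:latest` tag (`registry-1.docker.io/bitnami/kubectl:latest` and the four entries after it), replacing the immutable `*-debian-12-r*` tags that were there before, so the chart no longer states which image build it was validated against and tag-based SBOM or provenance lookups have nothing stable to resolve. The README in this same commit keeps its "Rolling vs Immutable tags" section, so presumably values.yaml was changed the same way; if so, the `image.tag` defaults there should be pinned to immutable tags (or `image.digest` set) and this annotation should mirror those exact values. Separately, the `common` dependency is now pinned to an exact `version: 2.33.2` while `Chart.lock` and its digest are deleted in this commit — fine if the common chart is vendored under `charts/`, otherwise regenerate the lock so the dependency is digest-pinned again. `version: "5"` for os-shell is notably coarser than the other entries; confirm that is the value the catalog expects.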


@@ -1,27 +1,42 @@
<!--- app-name: MongoDB&reg; -->
# MongoDB(R) packaged by Bitnami
# MongoDB&reg; packaged by Bitnami
MongoDB(R) is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications.
MongoDB&reg; is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications.
[Overview of MongoDB&reg;](http://www.mongodb.org)
Disclaimer: The respective trademarks mentioned in the offering are owned by the respective companies. We do not provide a commercial license for any of these products. This listing has an open-source license. MongoDB(R) is run and maintained by MongoDB, which is a completely separate project from Bitnami.
Disclaimer: The respective trademarks mentioned in the offering are owned by the respective companies. We do not provide a commercial license for any of these products. This listing has an open-source license. MongoDB&reg; is run and maintained by MongoDB, which is a completely separate project from Bitnami.
## TL;DR
```console
helm install my-release oci://registry-1.docker.io/bitnamicharts/mongodb
helm install my-release oci://MY-OCI-REGISTRY/mongodb
```
Looking to use MongoDBreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog.
> Tip: Did you know that this app is also available as a Kubernetes App on the Azure Marketplace? Kubernetes Apps are the easiest way to deploy Bitnami on AKS. Click [here](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/bitnami.mongodb-cnab) to see the listing on Azure Marketplace.
## Why use Bitnami Secure Images?
Those are hardened, minimal CVE images built and maintained by Bitnami. Bitnami Secure Images are based on the cloud-optimized, security-hardened enterprise [OS Photon Linux](https://vmware.github.io/photon/). Why choose BSI images?
- Hardened secure images of popular open source software with Near-Zero Vulnerabilities
- Vulnerability Triage & Prioritization with VEX Statements, KEV and EPSS Scores
- Compliance focus with FIPS, STIG, and air-gap options, including secure bill of materials (SBOM)
- Software supply chain provenance attestation through in-toto
- First class support for the internets favorite Helm charts
Each image comes with valuable security metadata. You can view the metadata in [our public catalog here](https://app-catalog.vmware.com/bitnami/apps). Note: Some data is only available with [commercial subscriptions to BSI](https://bitnami.com/).
![Alt text](https://github.com/bitnami/containers/blob/main/BSI%20UI%201.png?raw=true "Application details")
![Alt text](https://github.com/bitnami/containers/blob/main/BSI%20UI%202.png?raw=true "Packaging report")
If you are looking for our previous generation of images based on Debian Linux, please see the [Bitnami Legacy registry](https://hub.docker.com/u/bitnamilegacy).
## Introduction
This chart bootstraps a [MongoDB(&reg;)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Architecture
This chart allows installing MongoDB(&reg;) using two different architecture setups: `standalone` or `replicaset`. Use the `architecture` parameter to choose the one to use:
@@ -121,7 +136,25 @@ The command deploys MongoDB(&reg;) on the Kubernetes cluster in the default conf
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcesPreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
### Prometheus metrics
This chart can be integrated with Prometheus by setting `metrics.enabled` to `true`. This will deploy a sidecar container with [mongodb_exporter](https://github.com/percona/mongodb_exporter) in all pods and a `metrics` service, which can be configured under the `metrics.service` section. This `metrics` service will have the necessary annotations to be automatically scraped by Prometheus.
#### Prometheus requirements
It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the [Bitnami Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/prometheus) or the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) to easily have a working Prometheus in your cluster.
#### Integration with Prometheus Operator
The chart can deploy `ServiceMonitor` objects for integration with Prometheus Operator installations. To do so, set the value `metrics.serviceMonitor.enabled=true`. Ensure that the Prometheus Operator `CustomResourceDefinitions` are installed in the cluster or it will fail with the following error:
```text
no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1"
```
Install the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) for having the necessary CRDs and the Prometheus Operator.
### [Rolling vs Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html)
@@ -318,7 +351,7 @@ passwordUpdateJob:
In the following example we update the password via values.yaml in a MongoDB installation with replication and several usernames and databases (including metrics).
```yaml
architecture: "replication"
architecture: "replicaset"
auth:
usernames:
@@ -363,7 +396,7 @@ passwordUpdateJob:
You can add extra update commands using the `passwordUpdateJob.extraCommands` value.
### Backup and restore MongoDB(R) deployments
### Backup and restore
Two different approaches are available to back up and restore Bitnami MongoDB&reg; Helm chart deployments on Kubernetes:
@@ -418,7 +451,7 @@ Custom Prometheus rules can be defined for the Prometheus Operator by using the
summary: High request latency
```
### Enable SSL/TLS
### Securing traffic using TLS
This chart supports enabling SSL/TLS between nodes in the cluster, as well as between MongoDB(&reg;) clients and nodes, by setting the `MONGODB_EXTRA_FLAGS` and `MONGODB_CLIENT_EXTRA_FLAGS` container environment variables, together with the correct `MONGODB_ADVERTISED_HOSTNAME`. To enable full TLS encryption, set the `tls.enabled` parameter to `true`.
@@ -465,6 +498,12 @@ This chart allows you to set your custom affinity using the `XXX.affinity` param
As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters.
### FIPS parameters
The FIPS parameters only have effect if you are using images from the [Bitnami Secure Images catalog](https://go-vmware.broadcom.com/contact-us).
For more information on this new support, please refer to the [FIPS Compliance section](https://techdocs.broadcom.com/us/en/vmware-tanzu/bitnami-secure-images/bitnami-secure-images/services/bsi-doc/security-frameworks-FIPS-compliance.html).
## Persistence
The [Bitnami MongoDB(&reg;)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) image stores the MongoDB(&reg;) data and configurations at the `/bitnami/mongodb` path of the container.
@@ -477,14 +516,16 @@ If you encounter errors when working with persistent volumes, refer to our [trou
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` |
| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` |
| `global.namespaceOverride` | Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` |
| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` |
| `global.namespaceOverride` | Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride | `""` |
| `global.defaultFips` | Default value for the FIPS configuration (allowed values: '', restricted, relaxed, off). Can be overriden by the 'fips' object | `restricted` |
| `global.security.allowInsecureImages` | Allows skipping image verification | `false` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
@@ -501,6 +542,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `topologyKey` | Override common lib default topology key. If empty - "kubernetes.io/hostname" is used | `""` |
| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` |
| `enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` |
| `usePasswordFiles` | Mount credentials as files instead of using environment variables | `true` |
| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` |
| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` |
@@ -549,6 +591,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `tls.mode` | Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) | `requireTLS` |
| `tls.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). | `nano` |
| `tls.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `tls.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `tls.securityContext` | Init container generate-tls-cert Security context | `{}` |
| `automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `hostAliases` | Add deployment host aliases | `[]` |
@@ -619,6 +662,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` |
| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `containerPorts.mongodb` | MongoDB(&reg;) container port | `27017` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
@@ -667,9 +711,10 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `service.annotations` | Provide any additional annotations that may be required | `{}` |
| `service.externalTrafficPolicy` | service external traffic policy (only for standalone architecture) | `Local` |
| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None` | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity. Ignored if `service.sessionAffinity` is `None` | `{}` |
| `service.headless.annotations` | Annotations for the headless service. | `{}` |
| `service.publishNotReadyAddresses` | Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready | `false` |
| `externalAccess.enabled` | Enable Kubernetes external cluster access to MongoDB(&reg;) nodes (only for replicaset architecture) | `false` |
| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs by querying the K8s API | `false` |
| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `REGISTRY_NAME` |
@@ -679,6 +724,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` |
| `externalAccess.autoDiscovery.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). | `nano` |
| `externalAccess.autoDiscovery.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `externalAccess.autoDiscovery.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `externalAccess.dnsCheck.image.registry` | Init container dns-check image registry | `REGISTRY_NAME` |
| `externalAccess.dnsCheck.image.repository` | Init container dns-check image repository | `REPOSITORY_NAME/kubectl` |
| `externalAccess.dnsCheck.image.digest` | Init container dns-check image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
@@ -686,6 +732,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `externalAccess.dnsCheck.image.pullSecrets` | Init container dns-check image pull secrets | `[]` |
| `externalAccess.dnsCheck.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). | `nano` |
| `externalAccess.dnsCheck.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `externalAccess.dnsCheck.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `externalAccess.externalMaster.enabled` | Use external master for bootstrapping | `false` |
| `externalAccess.externalMaster.host` | External master host to bootstrap from | `""` |
| `externalAccess.externalMaster.port` | Port for MongoDB(&reg;) service external master host | `27017` |
@@ -703,8 +750,8 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `externalAccess.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `externalAccess.service.annotations` | Service annotations for external access. These annotations are common for all services created. | `{}` |
| `externalAccess.service.annotationsList` | Service annotations for eache external service. This value contains a list allowing different annotations per each external service. | `[]` |
| `externalAccess.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
| `externalAccess.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `externalAccess.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None` | `None` |
| `externalAccess.service.sessionAffinityConfig` | Additional settings for the sessionAffinity. Ignored if `externalAccess.service.sessionAffinity` is `None` | `{}` |
| `externalAccess.hidden.enabled` | Enable Kubernetes external cluster access to MongoDB(&reg;) hidden nodes | `false` |
| `externalAccess.hidden.service.type` | Kubernetes Service type for external access. Allowed values: NodePort or LoadBalancer | `LoadBalancer` |
| `externalAccess.hidden.service.portName` | MongoDB(&reg;) port name used for external access when service type is LoadBalancer | `mongodb` |
@@ -718,8 +765,8 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `externalAccess.hidden.service.domain` | Domain or external IP used to configure MongoDB(&reg;) advertised hostname when service type is NodePort | `""` |
| `externalAccess.hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `externalAccess.hidden.service.annotations` | Service annotations for external access | `{}` |
| `externalAccess.hidden.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
| `externalAccess.hidden.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `externalAccess.hidden.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None` | `None` |
| `externalAccess.hidden.service.sessionAffinityConfig` | Additional settings for the sessionAffinity. Ignored if `externalAccess.hidden.service.sessionAffinity` is `None` | `{}` |
### Password update job
@@ -755,6 +802,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `passwordUpdateJob.initContainers` | Add additional init containers for the mysql Primary pod(s) | `[]` |
| `passwordUpdateJob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if passwordUpdateJob.resources is set (passwordUpdateJob.resources is recommended for production). | `micro` |
| `passwordUpdateJob.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `passwordUpdateJob.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `passwordUpdateJob.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `passwordUpdateJob.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `passwordUpdateJob.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
@@ -810,6 +858,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` |
| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` |
| `backup.cronjob.backoffLimit` | Set the cronjob parameter backoffLimit | `6` |
| `backup.cronjob.serviceAccount.name` | Set the cronjob parameter serviceAccountName. If you change from the default values make sure that the SA already exists. | `default` |
| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
@@ -822,6 +871,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` |
| `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `backup.cronjob.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `backup.cronjob.command` | Set backup container's command to run | `[]` |
| `backup.cronjob.labels` | Set the cronjob labels | `{}` |
| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` |
@@ -862,6 +912,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `volumePermissions.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `volumePermissions.securityContext.runAsUser` | User ID for the volumePermissions container | `0` |
@@ -917,6 +968,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `arbiter.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `arbiter.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if arbiter.resources is set (arbiter.resources is recommended for production). | `small` |
| `arbiter.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `arbiter.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `arbiter.containerPorts.mongodb` | MongoDB(&reg;) arbiter container port | `27017` |
| `arbiter.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `arbiter.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
@@ -1005,6 +1057,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `hidden.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `hidden.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). | `micro` |
| `hidden.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `hidden.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `hidden.containerPorts.mongodb` | MongoDB(&reg;) hidden container port | `27017` |
| `hidden.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `hidden.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
@@ -1080,6 +1133,8 @@ If you encounter errors when working with persistent volumes, refer to our [trou
| `metrics.args` | Override default container args (useful when using custom images) | `[]` |
| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` |
| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `metrics.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
| `metrics.fips.golang` | Configure Golang FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `relaxed` |
| `metrics.containerPort` | Port of the Prometheus metrics container | `9216` |
| `metrics.service.annotations` | Annotations for Prometheus Exporter pods. Evaluated as a template. | `{}` |
| `metrics.service.type` | Type of the Prometheus metrics service | `ClusterIP` |
@@ -1151,6 +1206,10 @@ Find more information about how to deal with common errors related to Bitnami's
## Upgrading
### To 16.4.0
This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850).
If authentication is enabled, it's necessary to set the `auth.rootPassword` (also `auth.replicaSetKey` when using a replicaset architecture) when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Credentials' section. Please note down the password, and run the command below to upgrade your chart:
```console
@@ -1288,7 +1347,7 @@ extraDeploy:
## License
Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Copyright &copy; 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -1300,4 +1359,4 @@ Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
limitations under the License.


@@ -1,12 +1,14 @@
annotations:
category: Infrastructure
fips: "true"
images: |
[]
licenses: Apache-2.0
apiVersion: v2
appVersion: 2.27.0
appVersion: 2.33.2
description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself.
home: https://bitnami.com
icon: https://bitnami.com/downloads/logos/bitnami-mark.png
icon: https://dyltqmyl993wv.cloudfront.net/downloads/logos/bitnami-mark.png
keywords:
- common
- helper
@@ -20,4 +22,4 @@ name: common
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/common
type: library
version: 2.27.0
version: 2.33.2


@@ -1,6 +1,12 @@
# Bitnami Common Library Chart
<!--- app-name: Common -->
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts.
# Common library for Bitnami packages
A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself.
[Overview of Common](https://github.com/bitnami/charts/tree/main/bitnami/common)
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
## TL;DR
@@ -8,7 +14,7 @@ A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for gro
dependencies:
- name: common
version: 2.x.x
repository: oci://registry-1.docker.io/bitnamicharts
repository: oci://MY-OCI-REGISTRY
```
```console
@@ -24,14 +30,27 @@ data:
myvalue: "Hello World"
```
Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog.
## Why use Bitnami Secure Images?
Those are hardened, minimal CVE images built and maintained by Bitnami. Bitnami Secure Images are based on the cloud-optimized, security-hardened enterprise [OS Photon Linux](https://vmware.github.io/photon/). Why choose BSI images?
- Hardened secure images of popular open source software with Near-Zero Vulnerabilities
- Vulnerability Triage & Prioritization with VEX Statements, KEV and EPSS Scores
- Compliance focus with FIPS, STIG, and air-gap options, including secure bill of materials (SBOM)
- Software supply chain provenance attestation through in-toto
- First class support for the internets favorite Helm charts
Each image comes with valuable security metadata. You can view the metadata in [our public catalog here](https://app-catalog.vmware.com/bitnami/apps). Note: Some data is only available with [commercial subscriptions to BSI](https://bitnami.com/).
![Alt text](https://github.com/bitnami/containers/blob/main/BSI%20UI%201.png?raw=true "Application details")
![Alt text](https://github.com/bitnami/containers/blob/main/BSI%20UI%202.png?raw=true "Packaging report")
If you are looking for our previous generation of images based on Debian Linux, please see the [Bitnami Legacy registry](https://hub.docker.com/u/bitnamilegacy).
## Introduction
This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.23+
@@ -39,6 +58,162 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment
## Parameters
The following table lists the helpers available in the library which are scoped in different sections.
### Affinities
| Helper identifier | Description | Expected Input |
| ------------------------------- | ---------------------------------------------------- | ------------------------------------------------------------ |
| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.nodes` | Return a nodeAffinity definition | `dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.topologyKey` | Return a topologyKey definition | `dict "topologyKey" "FOO"` |
| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
| `common.affinities.pods` | Return a podAffinity/podAntiAffinity definition | `dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")` |
### Capabilities
| Helper identifier | Description | Expected Input |
| --------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | --------------------------------------- |
| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context |
| `common.capabilities.apiVersions.has` | Return true if the apiVersion is supported | `dict "version" "batch/v1" "context" $` |
| `common.capabilities.job.apiVersion` | Return the appropriate apiVersion for job. | `.` Chart context |
| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context |
| `common.capabilities.daemonset.apiVersion` | Return the appropriate apiVersion for daemonset. | `.` Chart context |
| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context |
| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context |
| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context |
| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context |
| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context |
| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context |
| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context |
| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context |
| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context |
| `common.capabilities.vpa.apiVersion` | Return the appropriate apiVersion for Vertical Pod Autoscaler. | `.` Chart context |
| `common.capabilities.psp.supported` | Returns true if PodSecurityPolicy is supported | `.` Chart context |
| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context |
| `common.capabilities.admissionConfiguration.supported` | Returns true if AdmissionConfiguration is supported | `.` Chart context |
| `common.capabilities.admissionConfiguration.apiVersion` | Return the appropriate apiVersion for AdmissionConfiguration. | `.` Chart context |
| `common.capabilities.podSecurityConfiguration.apiVersion` | Return the appropriate apiVersion for PodSecurityConfiguration. | `.` Chart context |
### Certificates
| Helper identifier | Description | Expected Input |
| ------------------ | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `common.certs.sans`| Returns a space-separated list of Subject Alternative Names (SANs) to create a TLS certificate | `dict "namespace" "default" "clusterDomain" "cluster.local" "serviceName" "my-service" "headlessServiceName" "my-service-headless"` |
### Compatibility
| Helper identifier | Description | Expected Input |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- |
| `common.compatibility.isOpenshift` | Return true if the detected platform is Openshift | `.` Chart context |
| `common.compatibility.renderSecurityContext` | Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC | `dict "secContext" .Values.containerSecurityContext "context" $` |
### Errors
| Helper identifier | Description | Expected Input |
| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` |
| `common.errors.insecureImages` | Throw error when original container images are replaced. The error can be bypassed by setting the `global.security.allowInsecureImages` to true. | `dict "images" (list .Values.path.to.the.imageRoot) "context" $` |
### Images
| Helper identifier | Description | Expected Input |
| --------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. |
| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` |
| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` |
| `common.images.version` | Return the proper image version | `dict "imageRoot" .Values.path.to.the.image "chart" .Chart` , see [ImageRoot](#imageroot) for the structure. |
### Ingress
| Helper identifier | Description | Expected Input |
| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences |
| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` |
### Labels
| Helper identifier | Description | Expected Input |
| --------------------------- | --------------------------------------------------------------------------- | ----------------- |
| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context |
| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context |
### Names
| Helper identifier | Description | Expected Input |
| ---------------------------------- | --------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context |
| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context |
| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context |
| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context |
| `common.names.chart` | Chart name plus version | `.` Chart context |
| `common.names.dependency.fullname` | Create a default fully qualified dependency name. | `dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $` |
### Resources
| Helper identifier | Description | Expected Input |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- |
| `common.resources.preset` | Return a resource request/limit object based on a given preset. These presets are for basic testing and not meant to be used in production. | `dict "type" "nano"` |
### Secrets
| Helper identifier | Description | Expected Input |
| --------------------------------- | -------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $`, length, strong, honorProvidedValues and chartName fields are optional. |
| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` |
| `common.secrets.lookup` | Reuses the value from an existing secret, otherwise sets its value to a default value. | `dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $` |
### Storage
| Helper identifier | Description | Expected Input |
| ---------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. |
### TplValues
| Helper identifier | Description | Expected Input |
| ---------------------------------- | ------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` |
| `common.tplvalues.merge` | Merge a list of values that contains template after rendering them. | `dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $` |
| `common.tplvalues.merge-overwrite` | Merge a list of values that contains template after rendering them. | `dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $` |
### Utils
| Helper identifier | Description | Expected Input |
| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` |
| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` |
| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` |
| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` |
| `common.utils.checksumTemplate` | Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376) | `dict "path" "/configmap.yaml" "context" $` |
### Validations
| Helper identifier | Description | Expected Input |
| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) |
| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) |
| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. |
### Warnings
| Helper identifier | Description | Expected Input |
| -------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------- |
| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
| `common.warnings.modifiedImages` | Warning about replaced images from the original. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
| `common.warnings.resources` | Warning about not setting the resource object in all deployments. | `dict "sections" (list "path1" "path2") context $` |
### FIPS
| Helper identifier | Description | Expected Input |
| -------------------- | ------------------- | ------------------------------------------------------------------------------- |
| `common.fips.enabled` | Enable FIPS mode | `.` Chart context |
| `common.fips.config` | Configure FIPS mode | `dict "tech" "openssl|java|golang" "fips" .Values.fips "global" .Values.global` |
## Special input schemas
### ImageRoot
@@ -220,7 +395,7 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
## License
Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Copyright &copy; 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.


@@ -82,7 +82,7 @@ preferredDuringSchedulingIgnoredDuringExecution:
namespaces:
- {{ .context.Release.Namespace }}
{{- with $extraNamespaces }}
{{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
{{- end }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
@@ -97,6 +97,13 @@ preferredDuringSchedulingIgnoredDuringExecution:
{{- range $key, $value := .extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .namespaces }}
namespaces:
- {{ $.context.Release.Namespace }}
{{- with .namespaces }}
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
{{- end }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
weight: {{ .weight | default 1 -}}
{{- end -}}
@@ -121,13 +128,13 @@ requiredDuringSchedulingIgnoredDuringExecution:
{{- range $key, $value := $extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if $extraNamespaces }}
namespaces:
- {{ .context.Release.Namespace }}
{{- with $extraNamespaces }}
{{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
{{- end }}
{{- if $extraNamespaces }}
namespaces:
- {{ .context.Release.Namespace }}
{{- with $extraNamespaces }}
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 6 }}
{{- end }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
{{- range $extraPodAffinityTerms }}
- labelSelector:
@@ -138,6 +145,13 @@ requiredDuringSchedulingIgnoredDuringExecution:
{{- range $key, $value := .extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .namespaces }}
namespaces:
- {{ $.context.Release.Namespace }}
{{- with .namespaces }}
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 6 }}
{{- end }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
{{- end -}}
{{- end -}}


@@ -12,159 +12,114 @@ Return the target Kubernetes version
{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}}
{{- end -}}
{{/*
Return true if the apiVersion is supported
Usage:
{{ include "common.capabilities.apiVersions.has" (dict "version" "batch/v1" "context" $) }}
*/}}
{{- define "common.capabilities.apiVersions.has" -}}
{{- $providedAPIVersions := default .context.Values.apiVersions ((.context.Values.global).apiVersions) -}}
{{- if and (empty $providedAPIVersions) (.context.Capabilities.APIVersions.Has .version) -}}
{{- true -}}
{{- else if has .version $providedAPIVersions -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for poddisruptionbudget.
*/}}
{{- define "common.capabilities.policy.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}}
{{- print "policy/v1beta1" -}}
{{- else -}}
{{- print "policy/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for networkpolicy.
*/}}
{{- define "common.capabilities.networkPolicy.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.7-0" $kubeVersion) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for job.
*/}}
{{- define "common.capabilities.job.apiVersion" -}}
{{- print "batch/v1" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for cronjob.
*/}}
{{- define "common.capabilities.cronjob.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}}
{{- print "batch/v1beta1" -}}
{{- else -}}
{{- print "batch/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for daemonset.
*/}}
{{- define "common.capabilities.daemonset.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "common.capabilities.deployment.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "common.capabilities.statefulset.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
{{- print "apps/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "common.capabilities.ingress.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if (.Values.ingress).apiVersion -}}
{{- .Values.ingress.apiVersion -}}
{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
{{- print "extensions/v1beta1" -}}
{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end }}
{{- end -}}
{{/*
Return the appropriate apiVersion for RBAC resources.
*/}}
{{- define "common.capabilities.rbac.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.17-0" $kubeVersion) -}}
{{- print "rbac.authorization.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "rbac.authorization.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for CRDs.
*/}}
{{- define "common.capabilities.crd.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}}
{{- print "apiextensions.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiextensions.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for APIService.
*/}}
{{- define "common.capabilities.apiService.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.10-0" $kubeVersion) -}}
{{- print "apiregistration.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiregistration.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for Horizontal Pod Autoscaler.
*/}}
{{- define "common.capabilities.hpa.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
{{- if .beta2 -}}
{{- print "autoscaling/v2beta2" -}}
{{- else -}}
{{- print "autoscaling/v2beta1" -}}
{{- end -}}
{{- else -}}
{{- print "autoscaling/v2" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for Vertical Pod Autoscaler.
*/}}
{{- define "common.capabilities.vpa.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
{{- if .beta2 -}}
{{- print "autoscaling/v2beta2" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- print "autoscaling/v1beta2" -}}
{{- else -}}
{{- print "autoscaling/v2beta1" -}}
{{- end -}}
{{- else -}}
{{- print "autoscaling/v2" -}}
{{- print "autoscaling/v1" -}}
{{- end -}}
{{- end -}}
@@ -183,19 +138,15 @@ Returns true if AdmissionConfiguration is supported
*/}}
{{- define "common.capabilities.admissionConfiguration.supported" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if or (empty $kubeVersion) (not (semverCompare "<1.23-0" $kubeVersion)) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for AdmissionConfiguration.
*/}}
{{- define "common.capabilities.admissionConfiguration.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
{{- print "apiserver.config.k8s.io/v1alpha1" -}}
{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- print "apiserver.config.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiserver.config.k8s.io/v1" -}}
@@ -207,9 +158,7 @@ Return the appropriate apiVersion for PodSecurityConfiguration.
*/}}
{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}}
{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- print "pod-security.admission.config.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "pod-security.admission.config.k8s.io/v1" -}}


@@ -0,0 +1,51 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Returns a space-separated list of Subject Alternative Names (SANs) to create a TLS certificate
Usage:
{{ include "common.certs.sans" (dict "namespace" "default" "clusterDomain" "cluster.local" "serviceName" "my-service" "headlessServiceName" "my-service-headless" "loopback" true "extraSANs" (list "custom.domain.com")) }}
Params:
- namespace - String - Required - Namespace where the app which we are generating the certificate for is deployed.
- clusterDomain - String - Optional - Cluster domain. Default is "cluster.local".
- serviceName - String - Optional - App service name. If provided, the following SANs will be generated:
- serviceName.namespace.svc.clusterDomain
- serviceName.namespace.svc
- serviceName.namespace
- serviceName
- headlessServiceName - String - Optional - App headless service name. If provided, the following wildcard SANs will be generated:
- *.headlessServiceName.namespace.svc.clusterDomain
- *.headlessServiceName.namespace.svc
- *.headlessServiceName.namespace
- *.headlessServiceName
- extraSANs - List<String> - Optional - Additional custom SANs to be added.
- loopback - Boolean - Optional - If true, "localhost" will be added to the SANs.
*/}}
{{- define "common.certs.sans" -}}
{{- $sans := list }}
{{- if .serviceName -}}
{{- $sans = append $sans (printf "%s.%s.svc.%s" .serviceName .namespace (default "cluster.local" .clusterDomain)) -}}
{{- $sans = append $sans (printf "%s.%s.svc" .serviceName .namespace) -}}
{{- $sans = append $sans (printf "%s.%s" .serviceName .namespace) -}}
{{- $sans = append $sans .serviceName -}}
{{- end -}}
{{- if .headlessServiceName -}}
{{- /* Include wildcard SANs for headless service */ -}}
{{- $sans = append $sans (printf "*.%s.%s.svc.%s" .headlessServiceName .namespace (default "cluster.local" .clusterDomain)) -}}
{{- $sans = append $sans (printf "*.%s.%s.svc" .headlessServiceName .namespace) -}}
{{- $sans = append $sans (printf "*.%s.%s" .headlessServiceName .namespace) -}}
{{- $sans = append $sans (printf "*.%s" .headlessServiceName) -}}
{{- end -}}
{{- range .extraSANs }}
{{- $sans = append $sans . -}}
{{- end -}}
{{- if (default false .loopback) -}}
{{- $sans = append $sans "localhost" }}
{{- end -}}
{{- join " " $sans | trim -}}
{{- end -}}
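Review bot: `namespace` is documented as required (L820) but never checked, so an empty or missing value does not fail the render; the `printf` calls at L838–L840 and L845–L847 instead emit malformed SANs with an empty or `%!s(<nil>)` component, and the certificate is issued for names nobody intended. A guard at the top of the define, `{{- if empty .namespace -}}{{- fail "common.certs.sans: namespace is required" -}}{{- end -}}`, surfaces the misuse at render time where it is cheap to fix. The wildcard entries `*.headlessServiceName.namespace` and `*.headlessServiceName` (L847–L848) match any host under those short names, which is broader than the fully-qualified entries; a one-line comment above L844 stating that this is deliberate for replica-set peer connections would save the next reader from narrowing them.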


@@ -40,7 +40,7 @@ Usage:
{{- end -}}
{{/* Remove fields that are disregarded when running the container in privileged mode */}}
{{- if $adaptedContext.privileged -}}
{{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
{{- $adaptedContext = omit $adaptedContext "capabilities" -}}
{{- end -}}
{{- omit $adaptedContext "enabled" | toYaml -}}
{{- end -}}


@@ -5,7 +5,7 @@ SPDX-License-Identifier: APACHE-2.0
{{/* vim: set filetype=mustache: */}}
{{/*
Through error when upgrading using empty passwords values that must not be empty.
Throw error when upgrading using empty passwords values that must not be empty.
Usage:
{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
@@ -26,3 +26,67 @@ Required password params:
{{- printf $errorString $validationErrors | fail -}}
{{- end -}}
{{- end -}}
{{/*
Throw error when original container images are replaced.
The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case,
a warning message will be shown instead.
Usage:
{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }}
*/}}
{{- define "common.errors.insecureImages" -}}
{{- $relocatedImages := list -}}
{{- $replacedImages := list -}}
{{- $bitnamiLegacyImages := list -}}
{{- $retaggedImages := list -}}
{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}}
{{- $originalImages := .context.Chart.Annotations.images -}}
{{- range .images -}}
{{- $registryName := default .registry $globalRegistry -}}
{{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}}
{{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}}
{{- if not (contains $fullImageNameNoTag $originalImages) -}}
{{- if not (contains $registryName $originalImages) -}}
{{- $relocatedImages = append $relocatedImages $fullImageName -}}
{{- else if not (contains .repository $originalImages) -}}
{{- $replacedImages = append $replacedImages $fullImageName -}}
{{- if contains "docker.io/bitnamilegacy/" $fullImageNameNoTag -}}
{{- $bitnamiLegacyImages = append $bitnamiLegacyImages $fullImageName -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}}
{{- $retaggedImages = append $retaggedImages $fullImageName -}}
{{- end -}}
{{- end -}}
{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}}
{{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}}
{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}}
{{- $errorString := "Original containers have been substituted for unrecognized ones. Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}}
{{- $errorString = print $errorString "\n\nUnrecognized images:" -}}
{{- range (concat $relocatedImages $replacedImages) -}}
{{- $errorString = print $errorString "\n - " . -}}
{{- end -}}
{{- if and (eq (len $relocatedImages) 0) (eq (len $replacedImages) (len $bitnamiLegacyImages)) -}}
{{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
{{- print $errorString -}}
{{- else if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) (contains "docker.io/bitnamisecure/" $originalImages) -}}
{{- $errorString = print "\n\n⚠ ERROR: " $errorString -}}
{{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}}
{{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}}
{{- print $errorString | fail -}}
{{- else if gt (len $replacedImages) 0 -}}
{{- $errorString = print "\n\n WARNING: " $errorString -}}
{{- print $errorString -}}
{{- end -}}
{{- else if gt (len $retaggedImages) 0 -}}
{{- $warnString := "\n\n WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting original image tags could cause unexpected behavior." -}}
{{- $warnString = print $warnString "\n\nRetagged images:" -}}
{{- range $retaggedImages -}}
{{- $warnString = print $warnString "\n - " . -}}
{{- end -}}
{{- print $warnString -}}
{{- end -}}
{{- end -}}
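Review bot: The image verification at L902–L912 is substring matching (`contains`) against the raw `images` annotation text, so a registry, repository or `repository:tag` that is merely a substring of an original entry passes as original — `bitnami/mongo` matches `bitnami/mongodb`, and a registry string matches wherever it occurs in the blob, including inside another entry's repository path. Parsing the annotation with `fromYamlArray` and comparing `$fullImageNameNoTag` and `repository:tag` against each entry's `image` field exactly would close that gap without changing the relocated/replaced/retagged classification. If `.context.Chart.Annotations.images` can be absent, `$originalImages` at L897 is nil and the `contains` calls presumably fail at render time rather than reporting a clear error; `default ""` on that line, or an explicit `fail` when the annotation is missing, makes the failure mode deliberate. The bypass at L916 reads `global.security.allowInsecureImages`, which the usage comment at L886 describes, but the retag-only branch at L936 is emitted as a warning with no bypass and that asymmetry is worth a sentence in the same comment.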


@@ -0,0 +1,73 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Enable FIPS features
{{ include "common.fips.enabled" . }}
*/}}
{{- define "common.fips.enabled" -}}
{{- $fips := .Chart.Annotations.fips -}}
{{- if eq "true" $fips -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Get FIPS environment variable value for the given tech
{{ include "common.fips.config" (dict "tech" "openssl|java|golang" "fips" .Values.fips "global" .Values.global) }}
*/}}
{{- define "common.fips.config" -}}
{{- $availableTechs := list "openssl" "java" "golang" -}}
{{- if not (has .tech $availableTechs) -}}
{{- printf "The common.fips.config method can only provide configuration for: %s" $availableTechs | fail -}}
{{- end -}}
{{- $tech := get (.fips) .tech -}}
{{- $value := $tech | default (.global).defaultFips -}}
{{- if empty $value -}}
{{- printf "Please configure a value for 'fips.%s' or 'global.defaultFips'" .tech | fail -}}
{{- else -}}
{{- $method := printf "common.fips.%s" .tech -}}
{{- include $method (dict "value" $value) | trim | print -}}
{{- end -}}
{{- end -}}
{{/*
Map OpenSSL values for FIPS configuration
{{ include "common.fips.openssl" (dict "value" "restricted") }}
*/}}
{{- define "common.fips.openssl" -}}
{{- ternary "yes" "no" (eq .value "restricted") | print -}}
{{- end -}}
{{/*
Map JAVA values for FIPS configuration
{{ include "common.fips.java" (dict "value" "restricted") }}
*/}}
{{- define "common.fips.java" -}}
{{- $suffix := ternary "original" .value (eq .value "off") -}}
{{- $javaSecurityFile := printf "java.security.%s" $suffix -}}
{{/* The two equals signs mean the property file will completely override the master properties file */}}
{{- $javaSecurityOpt := printf "-Djava.security.properties==/opt/bitnami/java/conf/security/%s" $javaSecurityFile -}}
{{- $bcModulesFlag := "--module-path=/opt/bitnami/bc-fips/" -}}
{{- $restrictedFlags := printf "%s %s" $bcModulesFlag $javaSecurityOpt -}}
{{- ternary $restrictedFlags $javaSecurityOpt (eq .value "restricted") | print -}}
{{- end -}}
{{/*
Map Golang values for FIPS configuration
{{ include "common.fips.golang" (dict "value" "restricted") }}
*/}}
{{- define "common.fips.golang" -}}
{{- if eq .value "restricted" -}}
{{- print "fips140=only" -}}
{{- else if eq .value "relaxed" -}}
{{- print "fips140=on" -}}
{{- else -}}
{{- print "fips140=off" -}}
{{- end -}}
{{- end -}}
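Review bot: `common.fips.config` validates `.tech` (L970) but not the resolved mode `$value` (L974): `common.fips.golang` maps any unrecognised string to `fips140=off` (L1011–L1012) and `common.fips.java` builds a `java.security.<value>` file name from it (L994–L995), so a typo such as `restrictd` silently disables FIPS for Go binaries instead of failing the render. Inside the `else` branch after L977 add `{{- if not (has $value (list "restricted" "relaxed" "off")) -}}`, `{{- printf "Unsupported FIPS mode '%s' for fips.%s (expected restricted, relaxed or off)" $value .tech | fail -}}`, `{{- end -}}`. The three mode names are currently only implied by the per-tech mappers; the usage comment at L965–L966 should list them and state that `global.defaultFips` is the fallback.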


@@ -17,11 +17,6 @@ Params:
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.ingress.backend" -}}
{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
serviceName: {{ .serviceName }}
servicePort: {{ .servicePort }}
{{- else -}}
service:
name: {{ .serviceName }}
port:
@@ -31,33 +26,6 @@ service:
number: {{ .servicePort | int }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Print "true" if the API pathType field is supported
Usage:
{{ include "common.ingress.supportsPathType" . }}
*/}}
{{- define "common.ingress.supportsPathType" -}}
{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- print "false" -}}
{{- else -}}
{{- print "true" -}}
{{- end -}}
{{- end -}}
{{/*
Returns true if the ingressClassname field is supported
Usage:
{{ include "common.ingress.supportsIngressClassname" . }}
*/}}
{{- define "common.ingress.supportsIngressClassname" -}}
{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "false" -}}
{{- else -}}
{{- print "true" -}}
{{- end -}}
{{- end -}}
{{/*
Return true if cert-manager required annotations for TLS signed


@@ -22,7 +22,7 @@ helm.sh/chart: {{ include "common.names.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Chart.AppVersion }}
app.kubernetes.io/version: {{ . | quote }}
app.kubernetes.io/version: {{ . | replace "+" "_" | quote }}
{{- end -}}
{{- end -}}
{{- end -}}
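Review bot: `replace "+" "_"` at L1069 handles semver build metadata, but the label value is still not bounded to the 63-character limit nor cleaned of other characters outside `[A-Za-z0-9._-]`, so a long or otherwise unusual `appVersion` still renders an invalid label. `app.kubernetes.io/version: {{ . | replace "+" "_" | trunc 63 | quote }}` covers the length rule; a short comment above the line saying why `+` is rewritten (label values do not allow it) would stop the replace from looking arbitrary. The enclosing define starts outside the hunk.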


@@ -28,10 +28,11 @@ If release name contains chart name it will be used as a full name.
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- $releaseName := regexReplaceAll "(-?[^a-z\\d\\-])+-?" (lower .Release.Name) "-" -}}
{{- if contains $name $releaseName -}}
{{- $releaseName | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- printf "%s-%s" $releaseName $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}


@@ -19,7 +19,7 @@ These presets are for basic testing and not meant to be used in production
)
"micro" (dict
"requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi")
"limits" (dict "cpu" "380m" "memory" "384Mi" "ephemeral-storage" "2Gi")
)
"small" (dict
"requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")


@@ -110,12 +110,12 @@ The order in which this function returns a secret password:
{{- end }}
{{- if and $providedPasswordValue .honorProvidedValues }}
{{- $password = $providedPasswordValue | toString }}
{{- $password = tpl ($providedPasswordValue | toString) .context }}
{{- end }}
{{- if not $password }}
{{- if $providedPasswordValue }}
{{- $password = $providedPasswordValue | toString }}
{{- $password = tpl ($providedPasswordValue | toString) .context }}
{{- else }}
{{- if .context.Values.enabled }}
{{- $subchart = $chartName }}
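Review bot: Rendering the provided password through `tpl` (L1110, L1115) changes the helper's contract for every caller: a literal password containing `{{` or `}}` is now parsed as a template and either fails the render or is rewritten, and any value routed here is evaluated with the full template context (`.Values`, `.Files`, and so on). That is presumably the intent, but it belongs in the helper's usage comment, e.g. `# provided values are rendered with tpl: literal {{ and }} in a password must be escaped`; the enclosing define starts outside the hunk. Callers that take the password from anything other than chart values should not pass it through this helper, since the caller of `tpl` decides what the value may reference.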


@@ -2,6 +2,10 @@ CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
⚠ WARNING: Since August 28th, 2025, only a limited subset of images/charts are available for free.
Subscribe to Bitnami Secure Images to receive continued support and security updates.
More info at https://bitnami.com and https://github.com/bitnami/containers/issues/83267
{{- if .Values.diagnosticMode.enabled }}
The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
@@ -168,4 +172,5 @@ Then, open the obtained URL in a browser.
{{- include "common.warnings.rollingTag" .Values.tls.image }}
{{- include "mongodb.validateValues" . }}
{{- include "common.warnings.resources" (dict "sections" (list "arbiter" "externalAccess.autoDiscovery" "hidden" "metrics" "" "tls" "volumePermissions") "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.tls.image .Values.externalAccess.autoDiscovery.image .Values.externalAccess.dnsCheck.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.tls.image .Values.externalAccess.autoDiscovery.image .Values.externalAccess.dnsCheck.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }}
{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.tls.image .Values.externalAccess.autoDiscovery.image .Values.externalAccess.dnsCheck.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }}


@@ -309,6 +309,11 @@ Init container definition to change/establish volume permissions.
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if include "common.fips.enabled" . }}
env:
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.volumePermissions.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
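Review bot: The FIPS `env` block added at L1144–L1148 is repeated verbatim, with only the values path changing, at L1156, L1168, L1180 and again in the arbiter, cronjob and hidden templates; a small named template taking the component's `fips` dict would keep all the copies in sync when the env name or the `common.fips.config` call signature changes. `env:` is also emitted here as a new mapping key, so if the init container definition already declares `env:` outside the hunk the rendered manifest carries a duplicate key, which YAML parsers handle inconsistently — worth confirming against the full define. The enclosing define starts outside the hunk.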
@@ -338,6 +343,11 @@ Init container definition to recover log dir.
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if include "common.fips.enabled" . }}
env:
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /opt/bitnami/mongodb/logs
@@ -366,6 +376,11 @@ Init container definition to get external IP addresses.
{{- else if ne .Values.externalAccess.autoDiscovery.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.autoDiscovery.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if include "common.fips.enabled" . }}
env:
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.externalAccess.autoDiscovery.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: shared
mountPath: /shared
@@ -401,6 +416,11 @@ Init container definition to wait external DNS names.
{{- else if ne .Values.externalAccess.dnsCheck.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.dnsCheck.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if include "common.fips.enabled" . }}
env:
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.externalAccess.dnsCheck.fips "global" .Values.global) | quote }}
{{- end }}
{{- end -}}
{{/*
@@ -644,24 +664,13 @@ Validate values of MongoDB&reg; exporter URI string - auth.enabled and/or tls.en
{{- end -}}
{{- if .Values.metrics.username -}}
{{- $uriAuth := ternary "$(echo $MONGODB_METRICS_USERNAME | sed -r \"s/@/%40/g;s/:/%3A/g\"):$(echo $MONGODB_METRICS_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}}
{{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}}
{{- printf "mongodb://%s$(hostname -s):%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}}
{{- else -}}
{{- $uriAuth := ternary "$MONGODB_ROOT_USER:$(echo $MONGODB_ROOT_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}}
{{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}}
{{- printf "mongodb://%s$(hostname -s):%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiGroup for PodSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiGroup" -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy" -}}
{{- else -}}
{{- print "extensions" -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a TLS secret object should be created
*/}}
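Review bot: Switching the exporter URI from `localhost` to `$(hostname -s)` (L1192, L1196) means the connection now targets the pod's short hostname, which has to resolve inside the pod and, when TLS is enabled, has to be covered by the server certificate's SANs — the `common.certs.sans` helper's `loopback` option only adds `localhost`, so the headless-service wildcard entries are presumably what is relied on here. A comment on the define stating why the hostname is preferred over the loopback address (and which SAN is expected to match) would keep this from being reverted as a regression. The define `mongodb.mongodb_exporter.uri` starts outside the hunk.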


@@ -87,7 +87,7 @@ spec:
{{- if .Values.arbiter.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.arbiter.initContainers "context" $) | nindent 8 }}
{{- end }}
{{- if and .Values.externalAccess.enabled ( or .Values.externalAccess.service.publicNames .Values.externalAccess.service.domain ) }}
{{- if and .Values.externalAccess.enabled .Values.externalAccess.service.publicNames }}
{{- include "mongodb.initContainers.dnsCheck" . | nindent 8 }}
{{- end }}
{{- if and .Values.tls.enabled .Values.arbiter.enabled }}
@@ -107,6 +107,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
@@ -126,6 +130,9 @@ spec:
- /bitnami/scripts/generate-certs.sh
args:
- -s {{ include "mongodb.arbiter.service.nameOverride" . }}
{{- if .Values.tls.securityContext }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 12 }}
{{- end }}
{{- end }}
containers:
- name: mongodb-arbiter
@@ -164,6 +171,10 @@ spec:
value: {{ include "mongodb.initialPrimaryHost" . | quote }}
- name: MONGODB_REPLICA_SET_NAME
value: {{ .Values.replicaSetName | quote }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.arbiter.fips "global" .Values.global) | quote }}
{{- end }}
- name: MONGODB_ADVERTISED_HOSTNAME
value: "$(MY_POD_NAME).{{ include "mongodb.arbiter.service.nameOverride" . }}.$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}"
- name: MONGODB_PORT_NUMBER
@@ -173,6 +184,12 @@ spec:
{{- if .Values.auth.enabled }}
- name: MONGODB_INITIAL_PRIMARY_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
- name: MONGODB_REPLICA_SET_KEY_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-replica-set-key"
{{- else }}
- name: MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD
valueFrom:
secretKeyRef:
@@ -184,6 +201,7 @@ spec:
name: {{ include "mongodb.secretName" . }}
key: mongodb-replica-set-key
{{- end }}
{{- end }}
- name: ALLOW_EMPTY_PASSWORD
value: {{ ternary "no" "yes" .Values.auth.enabled | quote }}
{{- $extraFlags := .Values.arbiter.extraFlags | join " " -}}
@@ -265,6 +283,10 @@ spec:
- name: empty-dir
mountPath: /bitnami/mongodb
subPath: app-volume-dir
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }}
- name: config
mountPath: /opt/bitnami/mongodb/conf/mongodb.conf
@@ -283,11 +305,16 @@ spec:
volumes:
- name: empty-dir
emptyDir: {}
{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }}
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
secret:
secretName: {{ include "mongodb.secretName" . }}
{{- end }}
{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }}
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
defaultMode: 0o555
defaultMode: 0555
{{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }}
- name: config
configMap:
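Review bot: `0555` at L1303 (and `0600` at L1312/L1316, with the same change in the cronjob and hidden templates at L1427, L1441, L1445, L1619, L1633, L1642, L1646) relies on the YAML 1.1 rule that a leading zero means octal; under a 1.2 parser the same token is decimal 555, which is out of range for a file mode. The Kubernetes parser accepts the 1.1 form, which is presumably why `0o555` was reverted, but nothing in the template records that, so a short comment at the first occurrence — `# leading-zero octal (YAML 1.1 form accepted by Kubernetes); do not rewrite as 0o555` — makes the choice deliberate for the next formatter pass.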
@@ -303,10 +330,10 @@ spec:
items:
- key: mongodb-ca-cert
path: mongodb-ca-cert
mode: 0o600
mode: 0600
- key: mongodb-ca-key
path: mongodb-ca-key
mode: 0o600
mode: 0600
{{- else }}
- name: mongodb-certs-0
secret:


@@ -28,8 +28,8 @@ metadata:
{{- end }}
spec:
schedule: {{ quote .Values.backup.cronjob.schedule }}
{{- if .Values.backup.cronjob.timezone }}
timeZone: {{ .Values.backup.cronjob.timezone | quote }}
{{- if .Values.backup.cronjob.timeZone }}
timeZone: {{ .Values.backup.cronjob.timeZone | quote }}
{{- end }}
concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }}
failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }}
@@ -70,6 +70,7 @@ spec:
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 12 }}
{{- end }}
enableServiceLinks: {{ .Values.enableServiceLinks }}
serviceAccountName: {{ .Values.backup.cronjob.serviceAccount.name | quote }}
{{- if .Values.tls.enabled }}
initContainers:
- name: generate-tls-certs
@@ -84,6 +85,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
@@ -114,27 +119,39 @@ spec:
{{- else if ne .Values.tls.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 16 }}
{{- end }}
{{- if .Values.tls.securityContext }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 16 }}
{{- end }}
{{- end }}
containers:
- name: {{ include "mongodb.fullname" . }}-mongodump
image: {{ include "mongodb.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
env:
{{- if .Values.auth.enabled }}
{{- if .Values.auth.enabled }}
- name: MONGODB_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
{{- else }}
- name: MONGODB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "mongodb.secretName" . }}
key: mongodb-root-password
{{- end }}
{{- end }}
{{- end }}
- name: MONGODB_SERVICE_NAME
value: {{ include "mongodb.service.nameOverride" . }}
- name: MONGODB_PORT_NUMBER
value: {{ .Values.containerPorts.mongodb | quote }}
- name: MONGODUMP_DIR
value: {{ .Values.backup.cronjob.storage.mountPath }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.backup.cronjob.fips "global" .Values.global) | quote }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: MONGODB_CLIENT_EXTRA_FLAGS
value: --ssl --sslPEMKeyFile=/certs/mongodb.pem --sslCAFile=/certs/mongodb-ca-cert
@@ -143,9 +160,13 @@ spec:
command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }}
{{- else }}
command:
- /bin/sh
- /bin/bash
- -c
- "mongodump {{- if .Values.auth.enabled }} --username=${MONGODB_ROOT_USER} --password=${MONGODB_ROOT_PASSWORD} --authenticationDatabase=admin {{- end }} --host=${MONGODB_SERVICE_NAME} --port=${MONGODB_PORT_NUMBER} ${MONGODB_CLIENT_EXTRA_FLAGS} {{- if (eq $.Values.architecture "replicaset") }}--oplog{{- end }} --gzip --archive=${MONGODUMP_DIR}/mongodump-$(date '+%Y-%m-%d-%H-%M').gz"
- |
{{- if and .Values.auth.enabled .Values.usePasswordFiles }}
export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)"
{{- end }}
mongodump {{- if .Values.auth.enabled }} --username=${MONGODB_ROOT_USER} --password=${MONGODB_ROOT_PASSWORD} --authenticationDatabase=admin {{- end }} --host=${MONGODB_SERVICE_NAME} --port=${MONGODB_PORT_NUMBER} ${MONGODB_CLIENT_EXTRA_FLAGS} {{- if (eq $.Values.architecture "replicaset") }}--oplog{{- end }} --gzip --archive=${MONGODUMP_DIR}/mongodump-$(date '+%Y-%m-%d-%H-%M').gz
{{- end }}
{{- if .Values.backup.cronjob.resources }}
resources: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.resources "context" $) | nindent 14 }}
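Review bot: With `usePasswordFiles`, L1405 reads the root password from the mounted secret file only to place it on the `mongodump` command line at L1407 (`--password=${MONGODB_ROOT_PASSWORD}`), where it is visible in the container's process list and `/proc/<pid>/cmdline` to anything sharing the pod's PID namespace; the same pattern appears for the exporter at L1560–L1565 in the hidden statefulset, whose `--mongodb.uri` embeds the password. Since the point of the file-based mode is to keep the secret out of the environment, it would be consistent to also keep it off argv: `mongodump` accepts its password from a `--config` YAML file, and the exporter can, if I recall its options correctly, take the URI from the `MONGODB_URI` environment variable instead of a flag. The shell switch to `/bin/bash` at L1400 is needed for the `$(< file)` form, which is worth a one-line comment above L1403 so it is not "simplified" back to `/bin/sh`.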
@@ -156,6 +177,10 @@ spec:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
{{- if .Values.tls.enabled }}
- name: certs
mountPath: /certs
@@ -181,7 +206,12 @@ spec:
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
defaultMode: 0o550
defaultMode: 0550
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
secret:
secretName: {{ include "mongodb.secretName" . }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: certs
emptyDir: {}
@@ -192,10 +222,10 @@ spec:
items:
- key: mongodb-ca-cert
path: mongodb-ca-cert
mode: 0o600
mode: 0600
- key: mongodb-ca-key
path: mongodb-ca-key
mode: 0o600
mode: 0600
{{- else }}
- name: mongodb-certs-0
secret:

View File

@@ -96,7 +96,7 @@ spec:
{{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }}
{{- include "mongodb.initContainers.autoDiscovery" . | indent 8 }}
{{- end }}
{{- if and .Values.externalAccess.enabled ( or .Values.externalAccess.service.publicNames .Values.externalAccess.service.domain ) }}
{{- if and .Values.externalAccess.enabled .Values.externalAccess.service.publicNames }}
{{- include "mongodb.initContainers.dnsCheck" . | indent 8 }}
{{- end }}
{{- include "mongodb.initContainer.prepareLogDir" . | nindent 8 }}
@@ -117,6 +117,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
{{- if (include "mongodb.autoGenerateCerts" .) }}
- name: certs-volume
@@ -149,6 +153,9 @@ spec:
{{- else if ne .Values.tls.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if .Values.tls.securityContext }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 12 }}
{{- end }}
{{- end }}
containers:
- name: mongodb
@@ -196,6 +203,10 @@ spec:
value: "hidden"
- name: MONGODB_INITIAL_PRIMARY_HOST
value: {{ include "mongodb.initialPrimaryHost" . | quote }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.hidden.fips "global" .Values.global) | quote }}
{{- end }}
- name: MONGODB_REPLICA_SET_NAME
value: {{ .Values.replicaSetName | quote }}
{{- if and .Values.replicaSetHostnames (not .Values.externalAccess.hidden.enabled) }}
@@ -214,14 +225,25 @@ spec:
{{- end }}
{{- if .Values.auth.enabled }}
{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_EXTRA_PASSWORDS_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-passwords"
{{- else }}
- name: MONGODB_EXTRA_PASSWORDS
valueFrom:
secretKeyRef:
name: {{ include "mongodb.secretName" . }}
key: mongodb-passwords
{{- end }}
{{- end }}
- name: MONGODB_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
- name: MONGODB_REPLICA_SET_KEY_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-replica-set-key"
{{- else }}
- name: MONGODB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
@@ -233,10 +255,15 @@ spec:
name: {{ include "mongodb.secretName" . }}
key: mongodb-replica-set-key
{{- end }}
{{- end }}
{{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }}
- name: MONGODB_METRICS_USERNAME
value: {{ .Values.metrics.username | quote }}
{{- if .Values.auth.enabled }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_METRICS_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password"
{{- else }}
- name: MONGODB_METRICS_PASSWORD
valueFrom:
secretKeyRef:
@@ -244,6 +271,7 @@ spec:
key: mongodb-metrics-password
{{- end }}
{{- end }}
{{- end }}
- name: ALLOW_EMPTY_PASSWORD
value: {{ ternary "no" "yes" .Values.auth.enabled | quote }}
- name: MONGODB_SYSTEM_LOG_VERBOSITY
@@ -329,6 +357,10 @@ spec:
subPath: {{ .Values.hidden.persistence.subPath }}
- name: common-scripts
mountPath: /bitnami/scripts
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
mountPath: /docker-entrypoint-initdb.d
@@ -390,6 +422,13 @@ spec:
{{- else }}
args:
- |
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
{{- if .Values.metrics.username }}
export MONGODB_METRICS_PASSWORD="$(< $MONGODB_METRICS_PASSWORD_FILE)"
{{- else }}
export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)"
{{- end }}
{{- end }}
/bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }}
{{- end }}
env:
@@ -397,14 +436,23 @@ spec:
{{- if not .Values.metrics.username }}
- name: MONGODB_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
{{- else }}
- name: MONGODB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "mongodb.secretName" . }}
key: mongodb-root-password
{{- end }}
{{- else }}
- name: MONGODB_METRICS_USERNAME
value: {{ .Values.metrics.username | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_METRICS_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password"
{{- else }}
- name: MONGODB_METRICS_PASSWORD
valueFrom:
secretKeyRef:
@@ -412,10 +460,21 @@ spec:
key: mongodb-metrics-password
{{- end }}
{{- end }}
{{- end }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.metrics.fips "global" .Values.global) | quote }}
- name: GODEBUG
value: {{ include "common.fips.config" (dict "tech" "golang" "fips" .Values.metrics.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
{{- if .Values.tls.enabled }}
- name: certs
mountPath: /certs
@@ -468,7 +527,12 @@ spec:
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
defaultMode: 0o555
defaultMode: 0555
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
secret:
secretName: {{ include "mongodb.secretName" . }}
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
configMap:
@@ -486,7 +550,7 @@ spec:
- name: scripts
configMap:
name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }}
defaultMode: 0o755
defaultMode: 0755
{{- if .Values.hidden.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumes "context" $) | nindent 8 }}
{{- end }}
@@ -500,10 +564,10 @@ spec:
items:
- key: mongodb-ca-cert
path: mongodb-ca-cert
mode: 0o600
mode: 0600
- key: mongodb-ca-key
path: mongodb-ca-key
mode: 0o600
mode: 0600
{{- else }}
{{- range $index, $secret := .Values.tls.hidden.existingSecrets }}
- name: mongodb-certs-{{ $index }}


@@ -57,7 +57,7 @@ spec:
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
@@ -95,4 +95,4 @@ spec:
{{- if $extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" $extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}


@@ -111,11 +111,12 @@ data:
{{- $replicaCount := int .Values.replicaCount }}
{{- $portNumber := int .Values.service.ports.mongodb }}
{{- $fullname := include "mongodb.fullname" . }}
{{- $serviceName := include "mongodb.service.nameOverride" . }}
{{- $releaseNamespace := include "mongodb.namespace" . }}
{{- $clusterDomain := .Values.clusterDomain }}
{{- $mongoList := list }}
{{- range $e, $i := until $replicaCount }}
{{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $portNumber) }}
{{- $mongoList = append $mongoList (printf "%s-%d.%s.%s.svc.%s:%d" $fullname $i $serviceName $releaseNamespace $clusterDomain $portNumber) }}
{{- end }}
{{- if .Values.externalAccess.externalMaster.enabled }}
@@ -254,28 +255,34 @@ data:
# read rs.conf again and store it. settings format is '"<key>" : <value>,'
currentRsConf=$(mongosh ${usernameAndPassword} --eval 'rs.conf()')
desiredEqualsactual=unknown
desiredEqualsActual=unknown
settingsToConfigure=""
for key in ${!desiredRsConf[@]}; do
value=${desiredRsConf[$key]}
if ! $(echo "\"${currentRsConf}"\" | grep -q -e "${key}: ${value},"); then
if [[ $key =~ ^members\[[0-9]+\]\..+ ]]; then
memberIndex=$(echo $key | grep -o -E '[0-9]+')
nodeConfigKey=${key#*.}
settingsToConfigure="${settingsToConfigure}cfg.members[${memberIndex}].${nodeConfigKey} = ${value}; "
if [[ $key =~ ^members\[[0-9]+\]\..+ ]]; then
# Replica set member specific setting
if [[ "$(mongosh --eval "cfg=${currentRsConf}; cfg.${key}" 2>/dev/null)" != "${value}" ]]; then
desiredEqualsActual=false
logger "rs conf: ${key} needs to be updated to desired value: ${value}"
settingsToConfigure="${settingsToConfigure}cfg.${key} = ${value}; "
else
# General rs settings
settingsToConfigure="${settingsToConfigure}cfg.settings.${key} = ${value}; "
logger "rs conf: ${key} is already at desired value: ${value}"
fi
desiredEqualsactual=false
else
logger "rs conf: ${key} is already at desired value: ${value}"
# General rs setting
if [[ "$(mongosh --eval "cfg=${currentRsConf}; cfg.settings.${key}" 2>/dev/null)" != "${value}" ]]; then
desiredEqualsActual=false
logger "rs conf: ${key} needs to be updated to desired value: ${value}"
settingsToConfigure="${settingsToConfigure}cfg.settings.${key} = ${value}; "
else
logger "rs conf: ${key} is already at desired value: ${value}"
fi
fi
done
if [[ "${desiredEqualsactual}" != "false" ]]; then
if [[ "${desiredEqualsActual}" != "false" ]]; then
logger "replicaSetConfigurationSettings match the settings of the currently running rs"
desiredEqualsactual=true
desiredEqualsActual=true
rs_conf_configured_ok=true
logger "Current settings match desired settings (There have been ${rsConfWriteAttempts} attempts to write to mongoDB rs configuration)"
exit
@@ -313,4 +320,3 @@ data:
done
{{- end }}
{{- end }}
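Review bot: Both comparisons at 1699 and 1712 send mongosh's stderr to /dev/null, so when mongosh fails (credentials rejected, node not yet reachable, a malformed `${key}`) the substitution yields an empty string, which compares unequal to `${value}` and is logged as "needs to be updated" — the log cannot distinguish real drift from a tooling failure, and `settingsToConfigure` then carries a write the loop may never be able to apply. Capturing the status, e.g. `actual=$(mongosh --eval "cfg=${currentRsConf}; cfg.${key}" 2>&1) || { logger "rs conf: could not read ${key}: ${actual}"; desiredEqualsActual=false; continue; }`, keeps the loop's output trustworthy. Since `${key}` and `${value}` come from `replicaSetConfigurationSettings` and are spliced unquoted into the mongosh program, a comment above the loop stating that they must be well-formed JavaScript property paths and literals would save the next maintainer from debugging a silently rewritten script. The enclosing shell script begins before this hunk.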


@@ -97,7 +97,7 @@ spec:
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }}
{{- include "mongodb.initContainers.autoDiscovery" . | nindent 8 }}
{{- end }}
{{- if and .Values.externalAccess.enabled ( or .Values.externalAccess.service.publicNames .Values.externalAccess.service.domain ) }}
{{- if and .Values.externalAccess.enabled .Values.externalAccess.service.publicNames }}
{{- include "mongodb.initContainers.dnsCheck" . | nindent 8 }}
{{- end }}
{{- include "mongodb.initContainer.prepareLogDir" . | nindent 8 }}
@@ -118,6 +118,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
{{- if (include "mongodb.autoGenerateCerts" .) }}
- name: certs-volume
@@ -200,6 +204,10 @@ spec:
value: {{ include "mongodb.initialPrimaryHost" . | quote }}
- name: MONGODB_REPLICA_SET_NAME
value: {{ .Values.replicaSetName | quote }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.fips "global" .Values.global) | quote }}
{{- end }}
{{- if and .Values.replicaSetHostnames (not .Values.externalAccess.enabled) }}
- name: MONGODB_ADVERTISED_HOSTNAME
value: "$(MY_POD_NAME).{{ include "mongodb.service.nameOverride" . }}.$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}"
@@ -216,14 +224,25 @@ spec:
{{- end }}
{{- if .Values.auth.enabled }}
{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_EXTRA_PASSWORDS_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-passwords"
{{- else }}
- name: MONGODB_EXTRA_PASSWORDS
valueFrom:
secretKeyRef:
name: {{ include "mongodb.secretName" . }}
key: mongodb-passwords
{{- end }}
{{- end }}
- name: MONGODB_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
- name: MONGODB_REPLICA_SET_KEY_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-replica-set-key"
{{- else }}
- name: MONGODB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
@@ -235,10 +254,15 @@ spec:
name: {{ include "mongodb.secretName" . }}
key: mongodb-replica-set-key
{{- end }}
{{- end }}
{{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }}
- name: MONGODB_METRICS_USERNAME
value: {{ .Values.metrics.username | quote }}
{{- if .Values.auth.enabled }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_METRICS_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password"
{{- else }}
- name: MONGODB_METRICS_PASSWORD
valueFrom:
secretKeyRef:
@@ -246,6 +270,7 @@ spec:
key: mongodb-metrics-password
{{- end }}
{{- end }}
{{- end }}
- name: ALLOW_EMPTY_PASSWORD
value: {{ ternary "no" "yes" .Values.auth.enabled | quote }}
- name: MONGODB_SYSTEM_LOG_VERBOSITY
@@ -341,6 +366,10 @@ spec:
- name: empty-dir
mountPath: /.mongodb
subPath: mongosh-home
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
- name: {{ .Values.persistence.name | default "datadir" }}
mountPath: {{ .Values.persistence.mountPath }}
subPath: {{ .Values.persistence.subPath }}
@@ -397,6 +426,13 @@ spec:
{{- else }}
args:
- |
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
{{- if .Values.metrics.username }}
export MONGODB_METRICS_PASSWORD="$(< $MONGODB_METRICS_PASSWORD_FILE)"
{{- else }}
export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)"
{{- end }}
{{- end }}
/bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }}
{{- end }}
env:
@@ -404,14 +440,23 @@ spec:
{{- if not .Values.metrics.username }}
- name: MONGODB_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
{{- else }}
- name: MONGODB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "mongodb.secretName" . }}
key: mongodb-root-password
{{- end }}
{{- else }}
- name: MONGODB_METRICS_USERNAME
value: {{ .Values.metrics.username | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_METRICS_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password"
{{- else }}
- name: MONGODB_METRICS_PASSWORD
valueFrom:
secretKeyRef:
@@ -419,10 +464,21 @@ spec:
key: mongodb-metrics-password
{{- end }}
{{- end }}
{{- end }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.metrics.fips "global" .Values.global) | quote }}
- name: GODEBUG
value: {{ include "common.fips.config" (dict "tech" "golang" "fips" .Values.metrics.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
{{- if .Values.tls.enabled }}
- name: certs
mountPath: /certs
@@ -472,7 +528,12 @@ spec:
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
defaultMode: 0o550
defaultMode: 0550
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
secret:
secretName: {{ include "mongodb.secretName" . }}
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
configMap:
@@ -490,7 +551,7 @@ spec:
- name: scripts
configMap:
name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }}
defaultMode: 0o755
defaultMode: 0755
{{- if .Values.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
{{- end }}
@@ -504,10 +565,10 @@ spec:
items:
- key: mongodb-ca-cert
path: mongodb-ca-cert
mode: 0o600
mode: 0600
- key: mongodb-ca-key
path: mongodb-ca-key
mode: 0o600
mode: 0600
{{- else }}
{{- range $index, $secret := .Values.tls.replicaset.existingSecrets }}
- name: mongodb-certs-{{ $index }}
@@ -532,9 +593,7 @@ spec:
whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }}
{{- end }}
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
- metadata:
name: datadir
{{- if .Values.persistence.annotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }}
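Review bot: The mode pairs at 1892–1893, 1906–1907 and 1915–1920 show both octal spellings (`0o550`/`0550`, `0o755`/`0755`, `0o600`/`0600`) and the rendered view does not say which side survives; `0o550` is the YAML 1.2 octal form while `0550` is octal only under YAML 1.1 rules (a 1.2 parser reads it as decimal 550), so whichever form the chart standardises on should be applied consistently — the same pairs appear at 1618–1619, 1632–1633, 1641–1646 and at 2098–2099, 2112–2117. Separately, the dnsCheck guard at 1740–1741 differs only by the `.Values.externalAccess.service.domain` alternative; if 1741 is the surviving line, releases that set `externalAccess.service.domain` without `publicNames` silently lose the dns-check init container, which deserves a changelog entry or a note next to that value. The exporter container around 1829–1841 and the volumes list begin and end outside the hunks shown here.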


@@ -25,6 +25,7 @@ metadata:
{{- end }}
spec:
type: ClusterIP
publishNotReadyAddresses: {{ $root.Values.service.publishNotReadyAddresses }}
ports:
- name: {{ $root.Values.service.portName | quote }}
port: {{ $root.Values.service.ports.mongodb }}


@@ -23,7 +23,7 @@ rules:
{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
{{- end -}}
{{- if and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create }}
- apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}']
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: [{{ include "mongodb.fullname" . }}]


@@ -107,6 +107,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
@@ -176,24 +180,38 @@ spec:
{{- end }}
{{- if .Values.auth.enabled }}
{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_EXTRA_PASSWORDS_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-passwords"
{{- else }}
- name: MONGODB_EXTRA_PASSWORDS
valueFrom:
secretKeyRef:
name: {{ include "mongodb.secretName" . }}
key: mongodb-passwords
{{- end }}
{{- end }}
- name: MONGODB_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
{{- else }}
- name: MONGODB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "mongodb.secretName" . }}
key: mongodb-root-password
{{- end }}
{{- end }}
{{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }}
- name: MONGODB_METRICS_USERNAME
value: {{ .Values.metrics.username | quote }}
{{- if .Values.auth.enabled }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_METRICS_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password"
{{- else }}
- name: MONGODB_METRICS_PASSWORD
valueFrom:
secretKeyRef:
@@ -201,6 +219,11 @@ spec:
key: mongodb-metrics-password
{{- end }}
{{- end }}
{{- end }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.fips "global" .Values.global) | quote }}
{{- end }}
- name: ALLOW_EMPTY_PASSWORD
value: {{ ternary "no" "yes" .Values.auth.enabled | quote }}
- name: MONGODB_SYSTEM_LOG_VERBOSITY
@@ -305,6 +328,10 @@ spec:
subPath: {{ .Values.persistence.subPath }}
- name: common-scripts
mountPath: /bitnami/scripts
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
mountPath: /docker-entrypoint-initdb.d
@@ -344,6 +371,13 @@ spec:
{{- else }}
args:
- |
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
{{- if .Values.metrics.username }}
export MONGODB_METRICS_PASSWORD="$(< $MONGODB_METRICS_PASSWORD_FILE)"
{{- else }}
export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)"
{{- end }}
{{- end }}
/bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }}
{{- end }}
env:
@@ -351,14 +385,23 @@ spec:
{{- if not .Values.metrics.username }}
- name: MONGODB_ROOT_USER
value: {{ .Values.auth.rootUser | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_ROOT_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-root-password"
{{- else }}
- name: MONGODB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "mongodb.secretName" . }}
key: mongodb-root-password
{{- end }}
{{- else }}
- name: MONGODB_METRICS_USERNAME
value: {{ .Values.metrics.username | quote }}
{{- if .Values.usePasswordFiles }}
- name: MONGODB_METRICS_PASSWORD_FILE
value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password"
{{- else }}
- name: MONGODB_METRICS_PASSWORD
valueFrom:
secretKeyRef:
@@ -366,10 +409,21 @@ spec:
key: mongodb-metrics-password
{{- end }}
{{- end }}
{{- end }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.metrics.fips "global" .Values.global) | quote }}
- name: GODEBUG
value: {{ include "common.fips.config" (dict "tech" "golang" "fips" .Values.metrics.fips "global" .Values.global) | quote }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
mountPath: /opt/bitnami/mongodb/secrets
{{- end }}
{{- if .Values.tls.enabled }}
- name: certs
mountPath: /certs
@@ -419,7 +473,12 @@ spec:
- name: common-scripts
configMap:
name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
defaultMode: 0o550
defaultMode: 0550
{{- if and .Values.usePasswordFiles .Values.auth.enabled }}
- name: mongodb-secrets
secret:
secretName: {{ include "mongodb.secretName" . }}
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
configMap:
@@ -443,10 +502,10 @@ spec:
items:
- key: mongodb-ca-cert
path: mongodb-ca-cert
mode: 0o600
mode: 0600
- key: mongodb-ca-key
path: mongodb-ca-key
mode: 0o600
mode: 0600
{{- else }}
- name: mongodb-certs-0
secret:


@@ -35,15 +35,16 @@ spec:
{{- if (eq .Values.service.type "LoadBalancer") }}
allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
{{- end }}
{{- if .Values.service.sessionAffinity }}
{{- if ne .Values.service.sessionAffinity "None" }}
sessionAffinity: {{ .Values.service.sessionAffinity }}
{{- end }}
{{- if .Values.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
{{- end }}
{{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
{{- end }}
publishNotReadyAddresses: {{ .Values.service.publishNotReadyAddresses }}
ports:
- name: {{ .Values.service.portName | quote }}
port: {{ .Values.service.ports.mongodb }}


@@ -122,14 +122,14 @@ spec:
{{- if .Values.passwordUpdateJob.extraCommands }}
info "Running extra commmands"
{{- include "common.tplValues.render" (dict "value" .Values.passwordUpdateJob.extraCommands "context" $) | nindent 14 }}
{{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraCommands "context" $) | nindent 14 }}
{{- end }}
info "Password update job finished successfully"
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
{{- if not .Values.auth.usePasswordFiles }}
{{- if not .Values.usePasswordFiles }}
- name: MONGODB_PREVIOUS_ROOT_PASSWORD
valueFrom:
secretKeyRef:
@@ -141,12 +141,16 @@ spec:
name: {{ template "mongodb.update-job.newSecretName" . }}
key: mongodb-root-password
{{- end }}
{{- if include "common.fips.enabled" . }}
- name: OPENSSL_FIPS
value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.passwordUpdateJob.fips "global" .Values.global) | quote }}
{{- end }}
{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }}
- name: MONGODB_EXTRA_USERNAMES
value: {{ $customUsers | quote }}
- name: MONGODB_EXTRA_DATABASES
value: {{ $customDatabases | quote }}
{{- if not .Values.auth.usePasswordFiles }}
{{- if not .Values.usePasswordFiles }}
- name: MONGODB_NEW_EXTRA_PASSWORDS
valueFrom:
secretKeyRef:
@@ -157,7 +161,7 @@ spec:
{{- if .Values.metrics.username }}
- name: MONGODB_METRICS_USER
value: {{ .Values.metrics.username | quote }}
{{- if not .Values.auth.usePasswordFiles }}
{{- if not .Values.usePasswordFiles }}
- name: MONGODB_PREVIOUS_METRICS_PASSWORD
valueFrom:
secretKeyRef:
@@ -217,7 +221,7 @@ spec:
volumes:
- name: empty-dir
emptyDir: {}
{{- if and .Values.auth.usePasswordFiles }}
{{- if and .Values.usePasswordFiles }}
- name: mongodb-previous-credentials
secret:
secretName: {{ template "mongodb.update-job.previousSecretName" . }}


@@ -12,6 +12,7 @@
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
## @param global.namespaceOverride Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride
## @param global.defaultFips Default value for the FIPS configuration (allowed values: '', restricted, relaxed, off). Can be overriden by the 'fips' object
##
global:
imageRegistry: ""
@@ -22,6 +23,11 @@ global:
imagePullSecrets: []
defaultStorageClass: ""
storageClass: ""
## Security parameters
##
security:
## @param global.security.allowInsecureImages Allows skipping image verification
allowInsecureImages: false
namespaceOverride: ""
## Compatibility adaptations for Kubernetes platforms
##
@@ -32,6 +38,9 @@ global:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: auto
## Configure FIPS mode: '', 'restricted', 'relaxed', 'off'
##
defaultFips: restricted
## @section Common parameters
##
@@ -101,6 +110,9 @@ serviceBindings:
## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`.
##
enableServiceLinks: true
## @param usePasswordFiles Mount credentials as files instead of using environment variables
##
usePasswordFiles: true
## Enable diagnostic mode in the deployment
##
diagnosticMode:
@@ -129,9 +141,9 @@ diagnosticMode:
## @param image.debug Set to true if you would like to see extra information on logs
##
image:
registry: docker.io
registry: registry-1.docker.io
repository: bitnami/mongodb
tag: 8.0.3-debian-12-r0
tag: latest
digest: ""
## Specify a imagePullPolicy
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -255,9 +267,9 @@ tls:
## @param tls.extraDnsNames Add extra dns names to the CA, can solve x509 auth issue for pod clients
##
image:
registry: docker.io
registry: registry-1.docker.io
repository: bitnami/nginx
tag: 1.27.2-debian-12-r2
tag: latest
digest: ""
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@@ -298,6 +310,10 @@ tls:
## memory: 1024Mi
##
resources: {}
## @param tls.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used
##
fips:
openssl: ""
## Init Container securityContext
## ref: https://kubernetes.io/docs/concepts/security/pod-security-policy/
## @param tls.securityContext Init container generate-tls-cert Security context
@@ -614,6 +630,10 @@ resourcesPreset: "small"
## memory: 1024Mi
##
resources: {}
## @param fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used
##
fips:
openssl: ""
## @param containerPorts.mongodb MongoDB(&reg;) container port
##
containerPorts:
@@ -802,12 +822,11 @@ service:
## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
##
externalTrafficPolicy: Local
## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
## Values: ClientIP or None
## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None`
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
##
sessionAffinity: None
## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
## @param service.sessionAffinityConfig Additional settings for the sessionAffinity. Ignored if `service.sessionAffinity` is `None`
## sessionAffinityConfig:
## clientIP:
## timeoutSeconds: 300
@@ -819,6 +838,10 @@ service:
## @param service.headless.annotations Annotations for the headless service.
##
annotations: {}
## @param service.publishNotReadyAddresses Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready
## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/
##
publishNotReadyAddresses: false
## External Access to MongoDB(&reg;) nodes configuration
##
externalAccess:
@@ -843,9 +866,9 @@ externalAccess:
## @param externalAccess.autoDiscovery.image.pullSecrets Init container auto-discovery image pull secrets
##
image:
registry: docker.io
registry: registry-1.docker.io
repository: bitnami/kubectl
tag: 1.31.2-debian-12-r3
tag: latest
digest: ""
## Specify a imagePullPolicy
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -879,6 +902,10 @@ externalAccess:
## memory: 1024Mi
##
resources: {}
## @param externalAccess.autoDiscovery.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used
##
fips:
openssl: ""
## Init container what mission is ensure public names can be resolved.
##
dnsCheck:
@@ -892,9 +919,9 @@ externalAccess:
## @param externalAccess.dnsCheck.image.pullSecrets Init container dns-check image pull secrets
##
image:
registry: docker.io
registry: registry-1.docker.io
repository: bitnami/os-shell
tag: 12-debian-12-r32
tag: latest
digest: ""
## Specify a imagePullPolicy
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -928,6 +955,10 @@ externalAccess:
## memory: 1024Mi
##
resources: {}
## @param externalAccess.dnsCheck.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used
##
fips:
openssl: ""
## Parameters to configure a set of Pods that connect to an existing MongoDB(&reg;) deployment that lies outside of Kubernetes.
## @param externalAccess.externalMaster.enabled Use external master for bootstrapping
## @param externalAccess.externalMaster.host External master host to bootstrap from
@@ -1005,12 +1036,11 @@ externalAccess:
## - external-dns.alpha.kubernetes.io/hostname: mongodb-1.example.com
##
annotationsList: []
## @param externalAccess.service.sessionAffinity Control where client requests go, to the same pod or round-robin
## Values: ClientIP or None
## @param externalAccess.service.sessionAffinity Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None`
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
##
sessionAffinity: None
## @param externalAccess.service.sessionAffinityConfig Additional settings for the sessionAffinity
## @param externalAccess.service.sessionAffinityConfig Additional settings for the sessionAffinity. Ignored if `externalAccess.service.sessionAffinity` is `None`
## sessionAffinityConfig:
## clientIP:
## timeoutSeconds: 300
@@ -1080,12 +1110,11 @@ externalAccess:
## @param externalAccess.hidden.service.annotations Service annotations for external access
##
annotations: {}
## @param externalAccess.hidden.service.sessionAffinity Control where client requests go, to the same pod or round-robin
## Values: ClientIP or None
## @param externalAccess.hidden.service.sessionAffinity Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None`
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
##
sessionAffinity: None
## @param externalAccess.hidden.service.sessionAffinityConfig Additional settings for the sessionAffinity
## @param externalAccess.hidden.service.sessionAffinityConfig Additional settings for the sessionAffinity. Ignored if `externalAccess.hidden.service.sessionAffinity` is `None`
## sessionAffinityConfig:
## clientIP:
## timeoutSeconds: 300
@@ -1193,6 +1222,10 @@ passwordUpdateJob:
## memory: 1024Mi
##
resources: {}
## @param passwordUpdateJob.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used
##
fips:
openssl: ""
## @param passwordUpdateJob.customLivenessProbe Custom livenessProbe that overrides the default one
##
customLivenessProbe: {}
@@ -1220,8 +1253,6 @@ passwordUpdateJob:
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @section Network policy parameters
##
@@ -1405,6 +1436,9 @@ backup:
restartPolicy: OnFailure
## @param backup.cronjob.backoffLimit Set the cronjob parameter backoffLimit
backoffLimit: 6
## @param backup.cronjob.serviceAccount.name Set the cronjob parameter serviceAccountName. If you change from the default values make sure that the SA already exists.
serviceAccount:
name: "default"
## backup container's Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context
@@ -1452,6 +1486,10 @@ backup:
## memory: 1024Mi
##
resources: {}
## @param backup.cronjob.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used
##
fips:
openssl: ""
## @param backup.cronjob.command Set backup container's command to run
##
command: []
@@ -1618,9 +1656,9 @@ volumePermissions:
## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
##
image:
registry: docker.io
registry: registry-1.docker.io
repository: bitnami/os-shell
tag: 12-debian-12-r32
tag: latest
digest: ""
## Specify a imagePullPolicy
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -1654,6 +1692,10 @@ volumePermissions:
## memory: 1024Mi
##
resources: {}
## @param volumePermissions.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used
##
fips:
openssl: ""
## Init container Security Context
## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
## and not the below volumePermissions.securityContext.runAsUser
@@ -1872,6 +1914,10 @@ arbiter:
## memory: 1024Mi
##
resources: {}
## @param arbiter.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used
##
fips:
openssl: ""
## @param arbiter.containerPorts.mongodb MongoDB(&reg;) arbiter container port
##
containerPorts:
@@ -2215,6 +2261,10 @@ hidden:
## memory: 1024Mi
##
resources: {}
## @param hidden.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used
##
fips:
openssl: ""
## @param hidden.containerPorts.mongodb MongoDB(&reg;) hidden container port
##
containerPorts:
@@ -2418,9 +2468,9 @@ metrics:
## @param metrics.image.pullSecrets Specify docker-registry secret names as an array
##
image:
registry: docker.io
registry: registry-1.docker.io
repository: bitnami/mongodb-exporter
tag: 0.41.2-debian-12-r1
tag: latest
digest: ""
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@@ -2494,6 +2544,12 @@ metrics:
## memory: 1024Mi
##
resources: {}
## @param metrics.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used
## @param metrics.fips.golang Configure Golang FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used
##
fips:
openssl: ""
golang: relaxed
## @param metrics.containerPort Port of the Prometheus metrics container
##
containerPort: 9216

@@ -1,4 +1,4 @@
{{- if .Values.mongodb.enabled }}
{{- if index .Values.mongodb.enabled }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
@@ -7,9 +7,9 @@ metadata:
annotations:
helm.sh/resource-policy: keep
spec:
accessModes: {{ .Values.mongodb.persistence.accessModes }}
accessModes: {{ index .Values.mongodb.persistence.accessModes }}
resources:
requests:
storage: {{ index .Values.mongodb.persistence.size }}
storageClassName: {{ index .Values.mongodb.persistence.storageClass }}
storage: {{ .Values.mongodb.persistence.size }}
storageClassName: {{ .Values.mongodb.persistence.storageClass }}
{{- end }}
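Review bot: `storageClassName: {{ .Values.mongodb.persistence.storageClass }}` reads a key the values files in this same commit no longer set — they now define `mongodb.persistence.storageClassName` (`${OC_MONGO_STORAGE:-""}`) — so the rendered PVC gets an empty `storageClassName` and the configured class is silently ignored. Change it to `storageClassName: {{ .Values.mongodb.persistence.storageClassName }}`, preferably wrapped in `{{- with .Values.mongodb.persistence.storageClassName }}` so an unset value omits the field and the cluster default class applies. `accessModes: {{ index .Values.mongodb.persistence.accessModes }}` renders a Go-formatted list that only parses because `[ReadWriteOnce]` happens to be a valid YAML flow sequence; `{{- toYaml .Values.mongodb.persistence.accessModes | nindent 4 }}` is the robust form. Since the claim carries `helm.sh/resource-policy: keep`, a wrong class here persists across upgrades, so it is worth getting right before the first install.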

@@ -12,7 +12,7 @@ spec:
priority: 10
services:
- kind: Service
name: {{ .Release.Name }}-mongo-express
name: {{ .Release.Name }}-mongo-express.{{ .Release.Namespace }}
passHostHeader: true
port: 8081
{{- end }}
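Review bot: `name: {{ .Release.Name }}-mongo-express.{{ .Release.Namespace }}` is not a valid backend reference for an IngressRoute — `services[].name` must be the bare Service name (a DNS label, no dots) and the namespace goes in a separate field — so Traefik will not find this Service and the route returns an error. Use `name: {{ .Release.Name }}-mongo-express` and, only if the route really lives in another namespace, add `namespace: {{ .Release.Namespace }}` (which also needs `allowCrossNamespace` enabled on the Kubernetes CRD provider). This route publishes the mongo-express admin UI through the proxy and the hunk shows no `middlewares:`, so confirm that basicAuth is actually enforced in mongo-express or attach an auth Middleware here, since the values in this commit default the basicAuth credentials to `admin`/`admin`.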

@@ -0,0 +1,13 @@
{{- if index .Values.nats.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: nats-config
data:
nats.conf: |
port: 4222
http_port: 8222
max_connections: 200000 # optional but recommended
max_subscriptions: 200000
{{- end }}
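Review bot: The `nats.conf` written here has no `authorization` or `accounts` block and opens `http_port: 8222`, so any pod that can reach the NATS Service can publish and subscribe on every subject and read connection/server details from the monitoring endpoint. Add at least an `authorization { users = [ { user: $NATS_USER, password: $NATS_PASSWORD } ] }` block with the values supplied from a Secret via environment variables (nats-server expands `$VAR` in its config, so the ConfigMap itself stays secret-free — verify against the server version in use), and drop `http_port` unless something scrapes it. The ConfigMap is also named a fixed `nats-config` with no `{{ .Release.Name }}` prefix, so two releases in one namespace would overwrite each other's config.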

@@ -53,8 +53,8 @@ spec:
memory: "{{ .Values.ocAuth.resources.requests.memory }}"
livenessProbe:
httpGet:
path: /metrics
port: http
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
{{- end }}

@@ -36,4 +36,10 @@ spec:
requests:
cpu: "{{ .Values.ocCatalog.resources.requests.cpu }}"
memory: "{{ .Values.ocCatalog.resources.requests.memory }}"
livenessProbe:
httpGet:
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
{{- end }}
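Review bot: The newly added `livenessProbe` is the only probe on this container — there is no `readinessProbe` — so a fresh replica (the values files enable an HPA for ocCatalog) receives Service/Traefik traffic before `/oc/version` answers, and a hung HTTP server is restarted outright instead of first being drained. Add a `readinessProbe` on the same `httpGet` with a shorter `initialDelaySeconds` and `periodSeconds: 10`, and consider `port: http` (the named container port, as the sibling deployments declare it) rather than the literal `8080` so the probe follows the port declaration. The enclosing container spec starts before the hunk.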

@@ -31,10 +31,10 @@ spec:
protocol: TCP
livenessProbe:
httpGet:
path: /metrics
port: http
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
periodSeconds: 30
resources:
limits:
cpu: "{{ .Values.ocDatacenter.resources.limits.cpu }}"

@@ -32,10 +32,10 @@ spec:
protocol: TCP
livenessProbe:
httpGet:
path: /metrics
port: http
path: /
port: 80
initialDelaySeconds: 10
periodSeconds: 30
periodSeconds: 30
resources:
limits:
cpu: "{{ .Values.ocFront.resources.limits.cpu }}"

@@ -27,10 +27,10 @@ spec:
name: opencloud-config
livenessProbe:
httpGet:
path: /metrics
port: http
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
periodSeconds: 30
ports:
- name: http
containerPort: 8080

@@ -28,10 +28,10 @@ spec:
name: opencloud-config
livenessProbe:
httpGet:
path: /metrics
port: http
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
periodSeconds: 30
ports:
- name: http
containerPort: 8080

@@ -25,12 +25,6 @@ spec:
envFrom:
- configMapRef:
name: opencloud-config
livenessProbe:
httpGet:
path: /metrics
port: http
initialDelaySeconds: 10
periodSeconds: 30
resources:
limits:
cpu: "{{ .Values.ocSchedulerd.resources.limits.cpu }}"

@@ -27,10 +27,10 @@ spec:
name: opencloud-config
livenessProbe:
httpGet:
path: /metrics
port: http
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
periodSeconds: 30
ports:
- name: http
containerPort: 8080

@@ -31,10 +31,10 @@ spec:
protocol: TCP
livenessProbe:
httpGet:
path: /metrics
port: http
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
periodSeconds: 30
resources:
limits:
cpu: "{{ .Values.ocWorkflow.resources.limits.cpu }}"

@@ -27,10 +27,10 @@ spec:
protocol: TCP
livenessProbe:
httpGet:
path: /metrics
port: http
path: /oc/version
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
periodSeconds: 30
resources:
limits:
cpu: "{{ .Values.ocWorkspace.resources.limits.cpu }}"

@@ -24,7 +24,6 @@ data:
OC_LDAP_ROLE_BASEDN: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
OC_MONGO_URL: "mongodb://{{ index .Values.mongodb.auth.rootUser }}:{{ index .Values.mongodb.auth.rootPassword }}@{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}:27017/{{ index .Values.mongodb.auth.databases 0 }}"
OC_MONGO_DATABASE: "{{ index .Values.mongodb.auth.databases 0 }}"
OC_NATS_URL: "nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}:4222"
OC_LOKI_URL: "http://{{ .Release.Name }}-loki.{{ .Release.Namespace }}:3100"
OC_LOKI_URL: "http://{{ .Release.Name }}-loki.{{ .Release.Namespace }}:3100"
OC_NATS_URL: "nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}.svc.cluster.local:4222"
OC_LOKI_URL: "http://loki-headless.{{ .Release.Namespace }}.svc.cluster.local:3100"
OC_PROMETHEUS_URL: "http://{{ .Release.Name }}-monitor.{{ .Release.Namespace }}:9090"
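Review bot: The new `OC_NATS_URL` carries no credentials, which matches the unauthenticated `nats.conf` added in this commit — acceptable only if every workload in the namespace is trusted with the whole message bus; once NATS authorization is enabled this URL needs `nats://$NATS_USER:$NATS_PASSWORD@…` sourced from a Secret rather than a ConfigMap. On the unchanged `OC_MONGO_URL` line just above, the Mongo root user and password are rendered in clear text into a ConfigMap, readable by anyone with `get configmaps` in the namespace; move that value to a Secret and inject it with `envFrom.secretRef` or a `secretKeyRef`. `OC_LOKI_URL` now targets a fixed `loki-headless` name instead of `{{ .Release.Name }}-loki`, so it silently breaks if the Loki subchart's Service is named after the release — verify the actual Service name before relying on it.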

@@ -1,4 +1,4 @@
{{- if .Values.externalLDAP.enabled }}
{{- if .Values.openldap.externalLDAP.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:

@@ -1,15 +1,18 @@
{{- if .Values.prometheus.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
{{- if index .Values "prometheus" "enabled" }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: {{ .Release.Name }}-monitor.{{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
name: prometheus-ingress
spec:
selector:
matchLabels:
app: monitor
endpoints:
- port: http
interval: 30s
entryPoints:
- web
routes:
- kind: Rule
match: Host(`{{ .Values.host }}`) && PathPrefix(`/monitor`)
priority: 10
services:
- kind: Service
name: {{ .Release.Name }}-monitor.{{ .Release.Namespace }}
passHostHeader: true
port: 9090
{{- end }}
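Review bot: The IngressRoute that replaces the ServiceMonitor publishes the Prometheus UI and HTTP API at `/monitor` on the plain `web` entryPoint with no `middlewares:`, and Prometheus has no authentication of its own, so anyone who can reach `{{ .Values.host }}` can run arbitrary PromQL over every scraped target (and hit the admin/TSDB endpoints if those flags are enabled). Attach a basicAuth or forwardAuth Middleware, serve it on `websecure`, or drop the route and keep Prometheus cluster-internal. `name: {{ .Release.Name }}-monitor.{{ .Release.Namespace }}` is also not a valid `services[].name` (Service names cannot contain dots; namespace is a separate field), and a `PathPrefix` of `/monitor` only works if Prometheus runs with `--web.route-prefix`/`--web.external-url` set accordingly or a StripPrefix middleware is added. Note the removed ServiceMonitor is not replaced by anything, so the Prometheus Operator will no longer scrape the `app: monitor` endpoint — confirm scraping is configured elsewhere.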

@@ -0,0 +1,10 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: longhorn-nor1
provisioner: driver.longhorn.io
parameters:
numberOfReplicas: "2" # set 1 for single-node testing
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: Immediate
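Review bot: This StorageClass is cluster-scoped, rendered unconditionally and hard-named `longhorn-nor1`, so a second release of the chart (or any other chart owning that name) fails to install with a Helm ownership conflict, and uninstalling the release deletes the class out from under PVs still bound to it. Gate it behind a value (`{{- if .Values.storageClass.create }}`), add `helm.sh/resource-policy: keep` in `metadata.annotations`, and consider deriving the name from the release; the values files in this same commit already moved to `${OC_*_STORAGE:-""}`, so nothing in the chart depends on the fixed name. `reclaimPolicy: Retain` is the right default for data volumes; keep it.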

@@ -1,11 +1,11 @@
env: {{ .Release.Name }} # For storage class provisioning
host: ${HOST:-exemple.com} # For reverse proxy rule
registryHost: ${REGISTRY_HOST:-registry.exemple.com} # For reverse proxy rule
env: ${RELEASE:-prod} # For storage class provisioning
host: ${HOST:-beta.opencloud.com} # For reverse proxy rule
registryHost: ${REGISTRY_HOST:-oc} # For reverse proxy rule
scheme: https # For reverse proxy rule
mongo-express:
enabled: ${OC_MONGOEXPRESS_ENABLED:-true}
mongodbServer: "{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}" # TO LOOK AFTER
mongodbServer: "${RELEASE:-prod}-mongodb.${RELEASE:-prod}" # TO LOOK AFTER
mongodbPort: 27017
mongodbEnableAdmin: true
mongodbAdminUsername: ${OC_MONGO_ADMIN:-admin}
@@ -19,26 +19,27 @@ mongo-express:
mongodb:
enabled: ${OC_MONGO_ENABLED:-true}
global:
defaultStorageClass: longhorn-nor1
storageClass: longhorn-nor1
defaultStorageClass: ${OC_MONGO_STORAGE:-""}
storageClass: ${OC_MONGO_STORAGE:-""}
architecture: standalone
useStatefulSet: false
auth:
enabled: true
rootUser: ${OC_MONGO_ADMIN:-admin}
rootPassword: ${OC_MONGO_PWD:-admin}
rootUser: ${OC_MONGO_ADMIN_USERNAME:-admin}
rootPassword: ${OC_MONGO_ADMIN_PWD:-admin}
databases: [ ${OC_MONGO_DATABASE:-opencloud} ]
usernames: []
passwords: []
usernames: [ ${OC_MONGO_USERNAME:-admin} ]
passwords: [ ${OC_MONGO_PWD:-admin} ]
resourcesPreset: "small"
replicaCount: 1
persistence:
enabled: true
storageClass: longhorn-nor1
existingClaim: mongo-pvc
create: false # do not auto-create
existingClaim: ${OC_MONGO_PVC:-mongo-pvc}
storageClassName: ${OC_MONGO_STORAGE:-""}
accessModes:
- ReadWriteOnce
size: ${OC_MONGO_SIZE:-5000Mi}
- ReadWriteOnce
size: ${OC_MONGO_SIZE:-5000Mi}
persistentVolumeClaimRetentionPolicy:
enabled: true
whenDeleted: Retain
@@ -52,11 +53,28 @@ mongodb:
nats:
enabled: ${OC_NATS_ENABLED:-true}
jetstream:
enabled: true
fileStore:
size: ${OC_NATS_SIZE:-20Mi}
storageClassName: longhorn-nor1
extraEnv:
- name: NATS_MAX_FILE_DESCRIPTORS
value: "65536"
extraVolumeMounts:
- name: nats-config
mountPath: /etc/nats
config:
jetstream:
enabled: true
fileStore:
enabled: true
dir: /data/jetstream # mountPath used by template
# pvc block must live here
pvc:
enabled: true
# if you already created the claim, set existingClaim:
existingClaim: nats-pvc
# storageClassName: local-path or standard (use the SC in your cluster)
storageClassName: ${OC_NATS_STORAGE:-""}
size: ${OC_NATS_SIZE:-50Gi}
# name is the volume name used in volumeMounts; keep it simple
name: nats-jetstream
openldap:
enabled: ${OC_LDAP_ENABLED:-true}
@@ -73,8 +91,8 @@ openldap:
LDAP_ORGANISATION: ${OC_LDAP_ORGANISATION:-Opencloud}
LDAP_DOMAIN: ${OC_LDAP_DOMAIN:-opencloud.com}
LDAP_BACKEND: "mdb"
LDAP_TLS: ${OC_LDAP_TLS:-false}
LDAP_TLS_ENFORCE: ${OC_LDAP_TLS:-false}
LDAP_TLS: "${OC_LDAP_TLS:-false}"
LDAP_TLS_ENFORCE: "${OC_LDAP_TLS:-false}"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
adminPassword: ${OC_LDAP_ADMIN_PWD:-admin}
configPassword: "${OC_LDAP_CONFIG_PWD:-config}"
@@ -82,9 +100,11 @@ openldap:
enabled: false
persistence:
enabled: true
create: false # do not auto-create
existingClaim: openldap-pvc
accessMode: ReadWriteOnce
size: ${OC_LDAP_SIZE:-10Mi}
storageClass: longhorn-nor1
storageClassName: ${OC_LDAP_STORAGE:-""}
replication:
enabled: false
externalLDAP:
@@ -168,6 +188,7 @@ openldap:
prometheus:
enabled: ${OC_PROMETHEUS_ENABLED:-true}
enableTraefikProxyIntegration: true
server:
persistentVolume:
enabled: true
@@ -188,13 +209,13 @@ ldapUserManager:
env:
SERVER_HOSTNAME: ${OC_LDAP_MNGT_HOST:-ldap.exemple.com}
LDAP_BASE_DN: ${OC_LDAP_MNGT_DN:-dc=example,dc=com}
LDAP_REQUIRE_STARTTLS: ${OC_LDAP_MNGT_REQUIRE_TLS:-false}
LDAP_REQUIRE_STARTTLS: "${OC_LDAP_MNGT_REQUIRE_TLS:-false}"
LDAP_ADMINS_GROUP: ${OC_LDAP_MNGT_ADMIN_GROUP:-ldapadmin}
LDAP_ADMIN_BIND_DN: ${OC_LDAP_MNGT_ADMIN_DN:-cn=admin,dc=example,dc=com}
LDAP_ADMIN_BIND_PWD: ${OC_LDAP_MNGT_ADMIN_PWD:-admin}
LDAP_IGNORE_CERT_ERRORS: ${OC_LDAP_MNGT_IGNORE_CERTS_ERRORS:-true}
EMAIL_DOMAIN: ${OC_LDAP_MNGT_EMAIL_DOMAIN:- }
NO_HTTPS: ${OC_LDAP_MNGT_NO_HTTPS:-true}
LDAP_IGNORE_CERT_ERRORS: "${OC_LDAP_MNGT_IGNORE_CERTS_ERRORS:-true}"
EMAIL_DOMAIN: ${OC_LDAP_MNGT_EMAIL_DOMAIN:-""}
NO_HTTPS: "${OC_LDAP_MNGT_NO_HTTPS:-true}"
SERVER_PATH: "/users"
ORGANISATION_NAME: ${OC_LDAP_ORGANISATION:-Opencloud}
LDAP_USER_OU: ${OC_LDAP_USERS_OU:-users}
@@ -239,7 +260,7 @@ hydra:
# consent: https://localhost-consent/consent/consent
# logout: https://localhost-logout/authentication/logout
self:
issuer: "http://{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}:4444/"
issuer: "http://${RELEASE:-prod}-hydra-public.${RELEASE:-prod}:4444/"
keto:
enabled: ${OC_KETO_ENABLED:-true}
@@ -303,8 +324,9 @@ loki:
enabled: false # Deactivate loki auto provisioning, rely on existing PVC
accessMode: ReadWriteOnce
size: ${OC_LOKI_SIZE:-1Gi}
storageClassName: longhorn-nor1
claimName: loki-pvc
storageClassName: ${OC_LOKI_STORAGE:-""}
create: false
claimName: ${OC_LOKI_PVC:-loki-pvc}
extraVolumeMounts:
- name: loki-storage
@@ -382,7 +404,7 @@ argo-workflows:
ocAuth:
enabled: ${OC_AUTH_ENABLED:-true}
enableTraefikProxyIntegration: true
image: ${OC_AUTH_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-auth:0.0.1}
image: "${REGISTRY_HOST:-oc}/${OC_AUTH_IMAGE:-oc-auth:0.0.1}"
authType: hydra
keto:
adminRole: admin
@@ -410,7 +432,7 @@ ocAuth:
ocFront:
enabled: ${OC_FRONT_ENABLED:-true}
enableTraefikProxyIntegration: true
image: ${OC_FRONT_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-front:0.0.1}
image: "${REGISTRY_HOST:-oc}/${OC_FRONT_IMAGE:-oc-front:0.0.1}"
resources:
limits:
cpu: ${OC_FRONT_LIMITS_CPU:-128m}
@@ -428,7 +450,7 @@ ocFront:
ocWorkspace:
enabled: ${OC_WORKSPACE_ENABLED:-true}
enableTraefikProxyIntegration: true
image: ${OC_WORKSPACE_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-workspace:0.0.1}
image: "${REGISTRY_HOST:-oc}/${OC_WORKSPACE_IMAGE:-oc-workspace:0.0.1}"
resources:
limits:
cpu: ${OC_WORKSPACE_LIMITS_CPU:-128m}
@@ -447,7 +469,7 @@ ocWorkspace:
ocShared:
enabled: ${OC_SHARED_ENABLED:-true}
enableTraefikProxyIntegration: true
image: ${OC_SHARED_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-shared:0.0.1}
image: "${REGISTRY_HOST:-oc}/${OC_SHARED_IMAGE:-oc-shared:0.0.1}"
resources:
limits:
cpu: ${OC_SHARED_LIMITS_CPU:-128m}
@@ -465,7 +487,7 @@ ocShared:
ocWorkflow:
enabled: ${OC_WORKFLOW_ENABLED:-true}
enableTraefikProxyIntegration: true
image: ${OC_WORKFLOW_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-workflow:0.0.1}
image: "${REGISTRY_HOST:-oc}/${OC_WORKFLOW_IMAGE:-oc-workflow:0.0.1}"
resources:
limits:
cpu: ${OC_WORKFLOW_LIMITS_CPU:-128m}
@@ -483,7 +505,7 @@ ocWorkflow:
ocCatalog:
enabled: ${OC_CATALOG_ENABLED:-true}
enableTraefikProxyIntegration: true
image: ${OC_CATALOG_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-catalog:0.0.1}
image: "${REGISTRY_HOST:-oc}/${OC_CATALOG_IMAGE:-oc-catalog:0.0.1}"
resources:
limits:
cpu: ${OC_CATALOG_LIMITS_CPU:-128m}
@@ -501,7 +523,7 @@ ocCatalog:
ocPeer:
enabled: ${OC_PEER_ENABLED:-true}
enableTraefikProxyIntegration: true
image: ${OC_PEER_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-peer:0.0.1}
image: "${REGISTRY_HOST:-oc}/${OC_PEER_IMAGE:-oc-peer:0.0.1}"
resources:
limits:
cpu: ${OC_PEER_LIMITS_CPU:-128m}
@@ -519,7 +541,7 @@ ocPeer:
ocDatacenter:
enabled: ${OC_DATACENTER_ENABLED:-true}
enableTraefikProxyIntegration: true
image: ${OC_DATACENTER_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-datacenter:0.0.1}
image: "${REGISTRY_HOST:-oc}/${OC_DATACENTER_IMAGE:-oc-datacenter:0.0.1}"
resources:
limits:
cpu: ${OC_DATACENTER_LIMITS_CPU:-128m}
@@ -537,7 +559,7 @@ ocDatacenter:
ocSchedulerd:
enabled: ${OC_SCHEDULERD_ENABLED:-true}
enableTraefikProxyIntegration: true
image: ${OC_SCHEDULERD_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-schedulerd:0.0.1}
image: "${REGISTRY_HOST:-oc}/${OC_SCHEDULERD_IMAGE:-oc-schedulerd:0.0.1}"
resources:
limits:
cpu: ${OC_SCHEDULERD_LIMITS_CPU:-128m}
@@ -555,7 +577,7 @@ ocSchedulerd:
ocScheduler:
enabled: ${OC_SCHEDULER_ENABLED:-true}
enableTraefikProxyIntegration: true
image: ${OC_SCHEDULER_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-scheduler:0.0.1}
image: "${REGISTRY_HOST:-oc}/${OC_SCHEDULER_IMAGE:-oc-scheduler:0.0.1}"
resources:
limits:
cpu: ${OC_SCHEDULER_LIMITS_CPU:-128m}
@@ -575,7 +597,7 @@ docker-registry-ui:
ui:
title: "opencloud docker registry"
proxy: true
dockerRegistryUrl: "http://{{ .Release.Name }}-docker-registry-ui-registry-server.{{ .Release.Namespace }}.svc.cluster.local:5000"
dockerRegistryUrl: "http://${RELEASE:-prod}-docker-registry-ui-registry-server.${RELEASE:-prod}.svc.cluster.local:5000"
registry:
secretName: regcred
enabled: true
@@ -583,6 +605,8 @@ docker-registry-ui:
persistentVolumeClaim:
claimName: docker-registry-pvc
persistence:
create: false
existingClaim: docker-registry-pvc
accessMode: ReadWriteOnce
storage: 5000Mi
storageClassName: longhorn-nor1
storage: ${OC_DOCKER_REGISTRY_SIZE:-5Gi}
storageClassName: ${OC_DOCKER_REGISTRY_STORAGE:-""}
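Review bot: Every secret in this profile falls back to a fixed default when its environment variable is unset — `rootPassword: ${OC_MONGO_ADMIN_PWD:-admin}`, the new `passwords: [ ${OC_MONGO_PWD:-admin} ]`, `adminPassword: ${OC_LDAP_ADMIN_PWD:-admin}`, `configPassword`, `LDAP_ADMIN_BIND_PWD` — and since `env: ${RELEASE:-prod}` marks this as the production profile, one missing variable silently deploys `admin`/`admin`. Secrets should have no default (`${OC_MONGO_ADMIN_PWD:?must be set}` if a POSIX shell performs the substitution; envsubst-style tools need an explicit pre-check), and ideally be read from an existing Secret (`auth.existingSecret`) instead of being rendered into values at all. The auth hunk also creates an application user with the same name and password as root (`usernames: [ ${OC_MONGO_USERNAME:-admin} ]` next to `rootUser: ${OC_MONGO_ADMIN_USERNAME:-admin}`), which at best collides and at worst hands the application root-equivalent access — give it a distinct name and password. The ldapUserManager defaults `LDAP_IGNORE_CERT_ERRORS` and `NO_HTTPS` to `"true"` and openldap defaults `LDAP_TLS` to `"false"`, so LDAP bind credentials travel in clear text unless every deployer overrides three variables; flip those defaults for the prod profile.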

@@ -1,10 +1,10 @@
env: {{ .Release.Name }} # For storage class provisioning
env: dev # For storage class provisioning
host: beta.opencloud.com # For reverse proxy rule
scheme: http # For reverse proxy rule
mongo-express:
enabled: true
mongodbServer: "{{ .Release.Name }}-mongodb.d{{ .Release.Namespace }}ev"
mongodbServer: "{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}"
mongodbPort: 27017
mongodbEnableAdmin: true
mongodbAdminUsername: root

@@ -0,0 +1,589 @@
env: exemple # For storage class provisioning
host: truc # For reverse proxy rule
registryHost: oc # For reverse proxy rule
scheme: https # For reverse proxy rule
mongo-express:
enabled: true
mongodbServer: "{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}" # TO LOOK AFTER
mongodbPort: 27017
mongodbEnableAdmin: true
mongodbAdminUsername: admin
mongodbAdminPassword: admin
siteBaseUrl: /mongoexpress
basicAuthUsername: admin
basicAuthPassword: admin
mongodb:
enabled: false
mongodb:
enabled: true
global:
defaultStorageClass: longhorn-nor1
storageClass: longhorn-nor1
architecture: standalone
useStatefulSet: false
auth:
enabled: true
rootUser: admin
rootPassword: admin
databases: [ opencloud ]
usernames: [ admin ]
passwords: [ admin ]
resourcesPreset: "small"
replicaCount: 1
persistence:
enabled: true
storageClass: longhorn-nor1
existingClaim: mongo-pvc
accessModes:
- ReadWriteOnce
size: 5000Mi
persistentVolumeClaimRetentionPolicy:
enabled: true
whenDeleted: Retain
whenScaled: Retain
arbiter:
enabled: false
livenessProbe:
enabled: true
readinessProbe:
enabled: true
nats:
enabled: true
jetstream:
enabled: true
fileStore:
size: 20Mi
storageClassName: longhorn-nor1
openldap:
enabled: true
test:
enabled: false
ltb-passwd:
enabled: false
replicaCount: 1
image:
repository: osixia/openldap
tls:
enabled: false
env:
LDAP_ORGANISATION: Opencloud
LDAP_DOMAIN: opencloud.com
LDAP_BACKEND: "mdb"
LDAP_TLS: "false"
LDAP_TLS_ENFORCE: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
adminPassword: admin
configPassword: "config"
phpldapadmin:
enabled: false
persistence:
enabled: true
accessMode: ReadWriteOnce
size: 10Mi
storageClass: longhorn-nor1
replication:
enabled: false
externalLDAP:
enabled: false
url: ${OC_LDAP_EXTERNAL_ENDPOINT}
bindDN: cn=admin,dc=example,dc=com
bindPassword: admin
customLdifFiles:
01-schema.ldif: |-
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users
dn: cn=lastGID,dc=example,dc=com
objectClass: device
objectClass: top
description: Records the last GID used to create a Posix group. This prevents the re-use of a GID from a deleted group.
cn: lastGID
serialNumber: 2001
dn: cn=lastUID,dc=example,dc=com
objectClass: device
objectClass: top
serialNumber: 2001
description: Records the last UID used to create a Posix account. This prevents the re-use of a UID from a deleted account.
cn: lastUID
dn: cn=everybody,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: everybody
memberUid: admin
gidNumber: 2003
02-ldapadmin.ldif : |-
dn: cn=ldapadmin,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ldapadmin
memberUid: ldapadmin
gidNumber: 2001
dn: uid=ldapadmin,ou=users,dc=example,dc=com
givenName: ldap
sn: admin
uid: ldapadmin
cn: ldapadmin
mail: ldapadmin@example.com
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword: sai1yeiT
uidNumber: 2001
gidNumber: 2001
loginShell: /bin/bash
homeDirectory: /home/ldapadmin
03-opencloudadmin.ldif : |-
dn: uid=admin,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: Admin
sn: Istrator
uid: admin
userPassword: admin
mail: admin@example.com
ou: users
dn: ou=AppRoles,dc=example,dc=com
objectClass: organizationalunit
ou: AppRoles
description: AppRoles
dn: ou=App1,ou=AppRoles,dc=example,dc=com
objectClass: organizationalunit
ou: App1
description: App1
prometheus:
enabled: true
enableTraefikProxyIntegration: true
server:
persistentVolume:
enabled: true
size: 5Gi
service:
type: ClusterIP
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 128m
memory: 256Mi
# ldap user manager configuration
ldapUserManager:
enabled: true
env:
SERVER_HOSTNAME: ldap.exemple.com
LDAP_BASE_DN: dc=example,dc=com
LDAP_REQUIRE_STARTTLS: "false"
LDAP_ADMINS_GROUP: ldapadmin
LDAP_ADMIN_BIND_DN: cn=admin,dc=example,dc=com
LDAP_ADMIN_BIND_PWD: admin
LDAP_IGNORE_CERT_ERRORS: "true"
EMAIL_DOMAIN:
NO_HTTPS: "true"
SERVER_PATH: "/users"
ORGANISATION_NAME: Opencloud
LDAP_USER_OU: users
LDAP_GROUP_OU: groups
ACCEPT_WEAK_PASSWORDS: "true"
resources:
limits:
cpu: 128m
memory: 256Mi
requests:
cpu: 128m
memory: 256Mi
traefik:
enabled: true
service:
type: NodePort
ingressRoute:
dashboard:
enabled: true
matchRule: Host(`localhost`) && PathPrefix(`/api`) || PathPrefix(`/dashboard`)
entryPoints: [web]
ports:
web:
nodePort: 30950
hydra:
enabled: true
maester:
enabled: true
secret:
enabled: false
nameOverride: hydra-secret
hashSumEnabled: false
hydra:
dev: true
existingSecret: hydra-secret
config:
dsn: memory
urls:
# login: https://localhost-login/authentication/login
# consent: https://localhost-consent/consent/consent
# logout: https://localhost-logout/authentication/logout
self:
issuer: "http://{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}:4444/"
keto:
enabled: true
keto:
config:
serve:
read:
port: 4466
write:
port: 4467
metrics:
port: 4468
namespaces:
- id: 0
name: open-cloud
dsn: memory
loki:
enabled: true
loki:
auth_enabled: false
commonConfig:
replication_factor: 1
storage:
type: filesystem
filesystem:
chunks_directory: /var/loki/chunks
rules_directory: /var/loki/rules
admin_api_directory: /var/loki/admin
storage_config:
boltdb_shipper:
active_index_directory: /var/loki/index
filesystem:
directory: /var/loki/chunks
limits_config:
allow_structured_metadata: false
schemaConfig:
configs:
- from: "2020-01-01"
store: boltdb-shipper
object_store: filesystem
schema: v11
index:
prefix: index_
period: 24h
ingester:
chunk_encoding: snappy
tracing:
enabled: true
querier:
max_concurrent: 2
deploymentMode: SingleBinary
singleBinary:
extraVolumes:
- name: loki-storage
persistentVolumeClaim:
claimName: loki-pvc
persistence:
enabled: false # Deactivate loki auto provisioning, rely on existing PVC
accessMode: ReadWriteOnce
size: 1Gi
storageClassName: longhorn-nor1
claimName: loki-pvc
extraVolumeMounts:
- name: loki-storage
mountPath: /var/loki
replicas: 1
resources:
limits:
cpu: 3
memory: 4Gi
requests:
cpu: 1
memory: 0.5Gi
extraEnv:
- name: GOMEMLIMIT
value: 3750MiB
chunksCache:
# default is 500MB, with limited memory keep this smaller
writebackSizeLimit: 10MB
# Enable minio for storage
minio:
enabled: false
# Zero out replica counts of other deployment modes
backend:
replicas: 0
read:
replicas: 0
write:
replicas: 0
ingester:
replicas: 0
querier:
replicas: 0
queryFrontend:
replicas: 0
queryScheduler:
replicas: 0
distributor:
replicas: 0
compactor:
replicas: 0
indexGateway:
replicas: 0
bloomCompactor:
replicas: 0
bloomGateway:
replicas: 0
grafana:
enabled: true
adminUser: admin
adminPassword: admin
persistence:
enabled: true
size: 1Gi
service:
type: ClusterIP
argo-workflows:
enabled: false
workflow:
serviceAccount:
create: false
name: argo-workflow
rbac:
create: false # Manual provisioning
controller:
workflowNamespaces: [] #All of them
controller:
workflowDefaults:
spec:
serviceAccountName: argo-workflow
ocAuth:
enabled: true
enableTraefikProxyIntegration: true
image: "oc/oc-auth:0.0.1"
authType: hydra
keto:
adminRole: admin
hydra:
openCloudOauth2ClientSecretName: oc-oauth2-client-secret
ldap:
bindDn: cn=admin,dc=example,dc=com
binPwd: admin
baseDn: dc=example,dc=com
roleBaseDn: ou=AppRoles,dc=example,dc=com
resources:
limits:
cpu: 128m
memory: 256Mi
requests:
cpu: 128m
memory: 256Mi
replicas: 1
hpa:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
ocFront:
enabled: true
enableTraefikProxyIntegration: true
image: "oc/oc-front:0.0.1"
resources:
limits:
cpu: 128m
memory: 256Mi
requests:
cpu: 128m
memory: 256Mi
replicas: 1
hpa:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
ocWorkspace:
enabled: true
enableTraefikProxyIntegration: true
image: "oc/oc-workspace:0.0.1"
resources:
limits:
cpu: 128m
memory: 256Mi
requests:
cpu: 128m
memory: 256Mi
replicas: 1
hpa:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
ocShared:
enabled: true
enableTraefikProxyIntegration: true
image: "oc/oc-shared:0.0.1"
resources:
limits:
cpu: 128m
memory: 256Mi
requests:
cpu: 128m
memory: 256Mi
replicas: 1
hpa:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
ocWorkflow:
enabled: true
enableTraefikProxyIntegration: true
image: "oc/oc-workflow:0.0.1"
resources:
limits:
cpu: 128m
memory: 256Mi
requests:
cpu: 128m
memory: 256Mi
replicas: 1
hpa:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
ocCatalog:
enabled: true
enableTraefikProxyIntegration: true
image: "oc/oc-catalog:0.0.1"
resources:
limits:
cpu: 128m
memory: 256Mi
requests:
cpu: 128m
memory: 256Mi
replicas: 1
hpa:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
ocPeer:
enabled: true
enableTraefikProxyIntegration: true
image: "oc/oc-peer:0.0.1"
resources:
limits:
cpu: 128m
memory: 256Mi
requests:
cpu: 128m
memory: 256Mi
replicas: 1
hpa:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
ocDatacenter:
enabled: true
enableTraefikProxyIntegration: true
image: "oc/oc-datacenter:0.0.1"
resources:
limits:
cpu: 128m
memory: 256Mi
requests:
cpu: 128m
memory: 256Mi
replicas: 1
hpa:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
ocSchedulerd:
enabled: true
enableTraefikProxyIntegration: true
image: "oc/oc-schedulerd:0.0.1"
resources:
limits:
cpu: 128m
memory: 256Mi
requests:
cpu: 128m
memory: 256Mi
replicas: 1
hpa:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
ocScheduler:
enabled: true
enableTraefikProxyIntegration: true
image: "oc/oc-scheduler:0.0.1"
resources:
limits:
cpu: 128m
memory: 256Mi
requests:
cpu: 128m
memory: 256Mi
replicas: 1
hpa:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
docker-registry-ui:
enabled: true
ui:
title: "opencloud docker registry"
proxy: true
dockerRegistryUrl: "http://{{ .Release.Name }}-docker-registry-ui-registry-server.{{ .Release.Namespace }}.svc.cluster.local:5000"
registry:
secretName: regcred
enabled: true
dataVolume:
persistentVolumeClaim:
claimName: docker-registry-pvc
persistence:
accessMode: ReadWriteOnce
storage: 5000Mi
storageClassName: longhorn-nor1
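Review bot: `` matchRule: Host(`localhost`) && PathPrefix(`/api`) || PathPrefix(`/dashboard`) `` for the Traefik dashboard is unparenthesized, so the `/dashboard` alternative is not bound to the host condition and the dashboard plus its API (every router, backend and middleware in the cluster) is reachable on the unauthenticated `web` entryPoint from any Host header — write it as `` matchRule: Host(`localhost`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`)) `` and attach an auth middleware, or keep `dashboard.enabled: false` outside local development. The committed LDIF also carries a live credential, `userPassword: sai1yeiT` for `uid=ldapadmin`, next to `admin`/`admin` for Mongo, mongo-express basicAuth, Grafana, the LDAP admin and the bind DN, and `ACCEPT_WEAK_PASSWORDS: "true"`; an example profile should reference Secrets rather than embed passwords that will be copied verbatim. `hydra.dev: true` with `dsn: memory` and an `http://` issuer is fine for a throwaway stack but deserves a comment saying so, since the file otherwise reads like a complete deployable profile.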

@@ -1,11 +1,11 @@
env: {{ .Release.Name }} # For storage class provisioning
host: exemple.com # For reverse proxy rule
registryHost: registry.exemple.com # For reverse proxy rule
env: test # For storage class provisioning
host: beta.opencloud.com # For reverse proxy rule
registryHost: oc # For reverse proxy rule
scheme: https # For reverse proxy rule
mongo-express:
enabled: true
mongodbServer: "{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}" # TO LOOK AFTER
mongodbServer: "test-mongodb.test" # TO LOOK AFTER
mongodbPort: 27017
mongodbEnableAdmin: true
mongodbAdminUsername: admin
@@ -19,8 +19,8 @@ mongo-express:
mongodb:
enabled: true
global:
defaultStorageClass: longhorn-nor1
storageClass: longhorn-nor1
defaultStorageClass:
storageClass:
architecture: standalone
useStatefulSet: false
auth:
@@ -28,17 +28,18 @@ mongodb:
rootUser: admin
rootPassword: admin
databases: [ opencloud ]
usernames: []
passwords: []
usernames: [ admin ]
passwords: [ admin ]
resourcesPreset: "small"
replicaCount: 1
persistence:
enabled: true
storageClass: longhorn-nor1
create: false # do not auto-create
existingClaim: mongo-pvc
storageClassName:
accessModes:
- ReadWriteOnce
size: 5000Mi
- ReadWriteOnce
size: 5000Mi
persistentVolumeClaimRetentionPolicy:
enabled: true
whenDeleted: Retain
@@ -52,11 +53,45 @@ mongodb:
nats:
enabled: true
jetstream:
enabled: true
fileStore:
size: 20Mi
storageClassName: longhorn-nor1
extraEnv:
- name: NATS_MAX_FILE_DESCRIPTORS
value: "65536"
extraVolumeMounts:
- name: nats-config
mountPath: /etc/nats
config:
jetstream:
enabled: true
fileStore:
enabled: true
dir: /data/jetstream # mountPath used by template
# pvc block must live here
pvc:
enabled: true
# if you already created the claim, set existingClaim:
existingClaim: nats-pvc
# storageClassName: local-path or standard (use the SC in your cluster)
storageClassName:
size: 50Gi
# name is the volume name used in volumeMounts; keep it simple
name: nats-jetstream
reloader:
enabled: false
image: "natsio/nats-server-config-reloader:0.16.0-debian"
# Override ENTRYPOINT so we can raise ulimit before starting the real binary
command:
- /bin/sh
- -c
args:
- -pid
- /var/run/nats/nats.pid
- -config
- /etc/nats-config/nats.conf
# Required to allow ulimit raise
securityContext:
runAsUser: 0
openldap:
enabled: true
@@ -73,8 +108,8 @@ openldap:
LDAP_ORGANISATION: Opencloud
LDAP_DOMAIN: opencloud.com
LDAP_BACKEND: "mdb"
LDAP_TLS: false
LDAP_TLS_ENFORCE: false
LDAP_TLS: "false"
LDAP_TLS_ENFORCE: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
adminPassword: admin
configPassword: "config"
@@ -82,9 +117,11 @@ openldap:
enabled: false
persistence:
enabled: true
create: false # do not auto-create
existingClaim: openldap-pvc
accessMode: ReadWriteOnce
size: 10Mi
storageClass: longhorn-nor1
storageClassName:
replication:
enabled: false
externalLDAP:
@@ -154,7 +191,7 @@ openldap:
uid: admin
userPassword: admin
mail: admin@example.com
ou: Users
ou: users
dn: ou=AppRoles,dc=example,dc=com
objectClass: organizationalunit
@@ -168,6 +205,7 @@ openldap:
prometheus:
enabled: true
enableTraefikProxyIntegration: true
server:
persistentVolume:
enabled: true
@@ -188,13 +226,13 @@ ldapUserManager:
env:
SERVER_HOSTNAME: ldap.exemple.com
LDAP_BASE_DN: dc=example,dc=com
LDAP_REQUIRE_STARTTLS: false
LDAP_REQUIRE_STARTTLS: "false"
LDAP_ADMINS_GROUP: ldapadmin
LDAP_ADMIN_BIND_DN: cn=admin,dc=example,dc=com
LDAP_ADMIN_BIND_PWD: admin
LDAP_IGNORE_CERT_ERRORS: true
LDAP_IGNORE_CERT_ERRORS: "true"
EMAIL_DOMAIN:
NO_HTTPS: true
NO_HTTPS: "true"
SERVER_PATH: "/users"
ORGANISATION_NAME: Opencloud
LDAP_USER_OU: users
@@ -239,7 +277,7 @@ hydra:
# consent: https://localhost-consent/consent/consent
# logout: https://localhost-logout/authentication/logout
self:
issuer: "http://{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}:4444/"
issuer: "http://test-hydra-public.test:4444/"
keto:
enabled: true
@@ -303,8 +341,9 @@ loki:
enabled: false # Deactivate loki auto provisioning, rely on existing PVC
accessMode: ReadWriteOnce
size: 1Gi
storageClassName: longhorn-nor1
claimName: loki-pvc
storageClassName:
create: false
claimName: loki-pvc
extraVolumeMounts:
- name: loki-storage
@@ -382,7 +421,7 @@ argo-workflows:
ocAuth:
enabled: true
enableTraefikProxyIntegration: true
image: registry-opencloud.pf.irt-saintexupery.com/oc-auth:0.0.1
image: "oc/oc-auth:0.0.1"
authType: hydra
keto:
adminRole: admin
@@ -410,7 +449,7 @@ ocAuth:
ocFront:
enabled: true
enableTraefikProxyIntegration: true
image: registry-opencloud.pf.irt-saintexupery.com/oc-front:0.0.1
image: "oc/oc-front:0.0.1"
resources:
limits:
cpu: 128m
@@ -428,7 +467,7 @@ ocFront:
ocWorkspace:
enabled: true
enableTraefikProxyIntegration: true
image: registry-opencloud.pf.irt-saintexupery.com/oc-workspace:0.0.1
image: "oc/oc-workspace:0.0.1"
resources:
limits:
cpu: 128m
@@ -447,7 +486,7 @@ ocWorkspace:
ocShared:
enabled: true
enableTraefikProxyIntegration: true
image: registry-opencloud.pf.irt-saintexupery.com/oc-shared:0.0.1
image: "oc/oc-shared:0.0.1"
resources:
limits:
cpu: 128m
@@ -465,7 +504,7 @@ ocShared:
ocWorkflow:
enabled: true
enableTraefikProxyIntegration: true
image: registry-opencloud.pf.irt-saintexupery.com/oc-workflow:0.0.1
image: "oc/oc-workflow:0.0.1"
resources:
limits:
cpu: 128m
@@ -483,7 +522,7 @@ ocWorkflow:
ocCatalog:
enabled: true
enableTraefikProxyIntegration: true
image: registry-opencloud.pf.irt-saintexupery.com/oc-catalog:0.0.1
image: "oc/oc-catalog:0.0.1"
resources:
limits:
cpu: 128m
@@ -501,7 +540,7 @@ ocCatalog:
ocPeer:
enabled: true
enableTraefikProxyIntegration: true
image: registry-opencloud.pf.irt-saintexupery.com/oc-peer:0.0.1
image: "oc/oc-peer:0.0.1"
resources:
limits:
cpu: 128m
@@ -519,7 +558,7 @@ ocPeer:
ocDatacenter:
enabled: true
enableTraefikProxyIntegration: true
image: registry-opencloud.pf.irt-saintexupery.com/oc-datacenter:0.0.1
image: "oc/oc-datacenter:0.0.1"
resources:
limits:
cpu: 128m
@@ -537,7 +576,7 @@ ocDatacenter:
ocSchedulerd:
enabled: true
enableTraefikProxyIntegration: true
image: registry-opencloud.pf.irt-saintexupery.com/oc-schedulerd:0.0.1
image: "oc/oc-schedulerd:0.0.1"
resources:
limits:
cpu: 128m
@@ -555,7 +594,7 @@ ocSchedulerd:
ocScheduler:
enabled: true
enableTraefikProxyIntegration: true
image: registry-opencloud.pf.irt-saintexupery.com/oc-scheduler:0.0.1
image: "oc/oc-scheduler:0.0.1"
resources:
limits:
cpu: 128m
@@ -575,7 +614,7 @@ docker-registry-ui:
ui:
title: "opencloud docker registry"
proxy: true
dockerRegistryUrl: "http://{{ .Release.Name }}-docker-registry-ui-registry-server.{{ .Release.Namespace }}.svc.cluster.local:5000"
dockerRegistryUrl: "http://test-docker-registry-ui-registry-server.test.svc.cluster.local:5000"
registry:
secretName: regcred
enabled: true
@@ -583,6 +622,8 @@ docker-registry-ui:
persistentVolumeClaim:
claimName: docker-registry-pvc
persistence:
create: false
existingClaim: docker-registry-pvc
accessMode: ReadWriteOnce
storage: 5000Mi
storageClassName: longhorn-nor1
storage: 5Gi
storageClassName:
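Review bot: The nats `reloader` block sets `securityContext.runAsUser: 0` to raise the file-descriptor limit, but the same hunk already adds `NATS_MAX_FILE_DESCRIPTORS` and the limit can be raised via the container runtime without root; uid 0 is a privilege grant the sidecar should not need and will be rejected under a restricted Pod Security Standard. Its `command: [/bin/sh, -c]` with `args: [-pid, …]` also does not do what the "Override ENTRYPOINT" comment says — `sh -c` treats its first argument as the script, so `-pid` is parsed as shell options and the reloader binary never starts; it is inert only because `reloader.enabled: false`. The custom `nats.conf` ConfigMap is mounted at `/etc/nats` while the reloader points at `/etc/nats-config/nats.conf`, so verify which path the server actually loads before relying on the JetStream/limits settings. As in values.yaml, this profile ships `admin`/`admin` for Mongo and LDAP with `LDAP_IGNORE_CERT_ERRORS: "true"` and `NO_HTTPS: "true"`, which is acceptable for a test cluster only if it is network-isolated.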