From c7568d2312866cca8e3a7962049995d73bc36a77 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Fri, 26 Apr 2024 10:18:22 +0200 Subject: [PATCH] Update kubeapps-15.0.2 (#103) 
Signed-off-by: Andrei Kvapil --- .../dashboard/charts/kubeapps/Chart.lock | 10 +- .../dashboard/charts/kubeapps/Chart.yaml | 24 +- .../dashboard/charts/kubeapps/README.md | 1458 +++++++++-------- .../charts/kubeapps/charts/common/Chart.yaml | 4 +- .../charts/common/templates/_resources.tpl | 8 +- .../charts/kubeapps/charts/redis/Chart.yaml | 2 +- .../charts/kubeapps/charts/redis/README.md | 1258 +++++++------- .../charts/redis/templates/podmonitor.yaml | 8 +- .../redis/templates/sentinel/statefulset.yaml | 5 +- .../redis/templates/servicemonitor.yaml | 8 +- .../charts/kubeapps/charts/redis/values.yaml | 74 +- .../templates/apprepository/deployment.yaml | 2 +- .../apprepository/networkpolicy.yaml | 59 + .../templates/apprepository/rbac.yaml | 8 +- .../apprepository/serviceaccount.yaml | 2 +- .../templates/dashboard/configmap.yaml | 2 +- .../templates/dashboard/deployment.yaml | 4 +- .../templates/dashboard/networkpolicy.yaml | 71 + .../kubeapps/templates/dashboard/service.yaml | 2 +- .../templates/frontend/configmap.yaml | 2 +- .../templates/frontend/deployment.yaml | 2 +- .../templates/frontend/networkpolicy.yaml | 77 + .../templates/frontend/oauth2-secret.yaml | 2 +- .../kubeapps/templates/frontend/service.yaml | 4 +- .../kubeapps/templates/ingress-api.yaml | 4 +- .../charts/kubeapps/templates/ingress.yaml | 2 +- .../templates/kubeappsapis/configmap.yaml | 2 +- .../templates/kubeappsapis/deployment.yaml | 2 +- .../templates/kubeappsapis/networkpolicy.yaml | 74 + .../templates/kubeappsapis/rbac_fluxv2.yaml | 2 +- .../templates/kubeappsapis/service.yaml | 2 +- .../kubeappsapis/serviceaccount.yaml | 2 +- .../kubeapps/templates/shared/config.yaml | 2 +- .../kubeapps/templates/tls-secrets.yaml | 2 +- .../dashboard/charts/kubeapps/values.yaml | 483 ++++-- .../system/dashboard/images/dashboard.json | 4 +- .../system/dashboard/images/dashboard.tag | 2 +- .../dashboard/images/dashboard/Dockerfile | 22 +- .../dashboard/images/kubeapps-apis.json | 4 +- 
.../system/dashboard/images/kubeapps-apis.tag | 2 +- .../dashboard/images/kubeapps-apis/Dockerfile | 19 +- .../images/kubeapps-apis/dockerfile.diff | 18 +- .../images/kubeapps-apis/fix-flux.diff | 28 - .../images/kubeapps-apis/labels.diff | 26 +- .../kubeapps-apis/reconcile-strategy.diff | 6 +- packages/system/dashboard/values.yaml | 9 + 46 files changed, 2188 insertions(+), 1625 deletions(-) create mode 100644 packages/system/dashboard/charts/kubeapps/templates/apprepository/networkpolicy.yaml create mode 100644 packages/system/dashboard/charts/kubeapps/templates/dashboard/networkpolicy.yaml create mode 100644 packages/system/dashboard/charts/kubeapps/templates/frontend/networkpolicy.yaml create mode 100644 packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/networkpolicy.yaml delete mode 100644 packages/system/dashboard/images/kubeapps-apis/fix-flux.diff diff --git a/packages/system/dashboard/charts/kubeapps/Chart.lock b/packages/system/dashboard/charts/kubeapps/Chart.lock index 47e3e91f..bcd6993a 100644 --- a/packages/system/dashboard/charts/kubeapps/Chart.lock +++ b/packages/system/dashboard/charts/kubeapps/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: redis repository: oci://registry-1.docker.io/bitnamicharts - version: 18.19.2 + version: 19.0.2 - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 13.4.6 + version: 15.2.4 - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.19.0 -digest: sha256:b4965a22517e61212e78abb8d1cbe86e800c8664b3139e2047f4bd62b3e55b24 -generated: "2024-03-13T11:51:34.216594+01:00" + version: 2.19.1 +digest: sha256:2ff034d67cb1b9c11f0243b3ab9a6a8642bf12142df2f86043f9006adf6dbba1 +generated: "2024-04-08T09:01:34.727544997Z" diff --git a/packages/system/dashboard/charts/kubeapps/Chart.yaml b/packages/system/dashboard/charts/kubeapps/Chart.yaml index 8e247095..4c7aeaf9 100644 --- a/packages/system/dashboard/charts/kubeapps/Chart.yaml 
+++ b/packages/system/dashboard/charts/kubeapps/Chart.yaml @@ -2,33 +2,33 @@ annotations: category: Infrastructure images: | - name: kubeapps-apis - image: docker.io/bitnami/kubeapps-apis:2.9.0-debian-12-r19 + image: docker.io/bitnami/kubeapps-apis:2.10.0-debian-12-r0 - name: kubeapps-apprepository-controller - image: docker.io/bitnami/kubeapps-apprepository-controller:2.9.0-debian-12-r18 + image: docker.io/bitnami/kubeapps-apprepository-controller:2.10.0-debian-12-r0 - name: kubeapps-asset-syncer - image: docker.io/bitnami/kubeapps-asset-syncer:2.9.0-debian-12-r19 + image: docker.io/bitnami/kubeapps-asset-syncer:2.10.0-debian-12-r0 - name: kubeapps-dashboard - image: docker.io/bitnami/kubeapps-dashboard:2.9.0-debian-12-r18 + image: docker.io/bitnami/kubeapps-dashboard:2.10.0-debian-12-r0 - name: kubeapps-oci-catalog - image: docker.io/bitnami/kubeapps-oci-catalog:2.9.0-debian-12-r17 + image: docker.io/bitnami/kubeapps-oci-catalog:2.10.0-debian-12-r0 - name: kubeapps-pinniped-proxy - image: docker.io/bitnami/kubeapps-pinniped-proxy:2.9.0-debian-12-r17 + image: docker.io/bitnami/kubeapps-pinniped-proxy:2.10.0-debian-12-r0 - name: nginx - image: docker.io/bitnami/nginx:1.25.4-debian-12-r3 + image: docker.io/bitnami/nginx:1.25.4-debian-12-r7 - name: oauth2-proxy - image: docker.io/bitnami/oauth2-proxy:7.6.0-debian-12-r4 + image: docker.io/bitnami/oauth2-proxy:7.6.0-debian-12-r7 licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.9.0 +appVersion: 2.10.0 dependencies: - condition: packaging.flux.enabled name: redis repository: oci://registry-1.docker.io/bitnamicharts - version: 18.x.x + version: 19.x.x - condition: packaging.helm.enabled name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 13.x.x + version: 15.x.x - name: common repository: oci://registry-1.docker.io/bitnamicharts tags: @@ -51,4 +51,4 @@ maintainers: name: kubeapps sources: - https://github.com/bitnami/charts/tree/main/bitnami/kubeapps -version: 14.7.2 +version: 15.0.2 
diff --git a/packages/system/dashboard/charts/kubeapps/README.md b/packages/system/dashboard/charts/kubeapps/README.md
index 9491e819..e4d3e597 100644
--- a/packages/system/dashboard/charts/kubeapps/README.md
+++ b/packages/system/dashboard/charts/kubeapps/README.md
@@ -57,638 +57,6 @@ The command deploys Kubeapps on the Kubernetes cluster in the `kubeapps` namespa Once you have installed Kubeapps follow the [Getting Started Guide](https://github.com/vmware-tanzu/kubeapps/blob/main/site/content/docs/latest/tutorials/getting-started.md) for additional information on how to access and use Kubeapps. -## Parameters - -### Global parameters - -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | - -### Common parameters - -| Name | Description | Value | -| ------------------------ | --------------------------------------------------------------------------------------- | -------------- | -| `kubeVersion` | Override Kubernetes version | `""` | -| `nameOverride` | String to partially override common.names.fullname | `""` | -| `fullnameOverride` | String to fully override common.names.fullname | `""` | -| `commonLabels` | Labels to add to all deployed objects | `{}` | -| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | -| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | -| `enableIPv6` | Enable IPv6 configuration | `false` | -| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | -| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | -| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | - -### Traffic Exposure Parameters - -| Name | Description | Value | -| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `ingress.enabled` | Enable ingress record generation for Kubeapps | `false` | -| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | -| `ingress.hostname` | Default host for the ingress record | `kubeapps.local` | -| `ingress.path` | Default path for the ingress record | `/` | -| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | -| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
| `{}` | -| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` | -| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | -| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | -| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | -| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | -| `ingress.secrets` | Custom TLS certificates as secrets | `[]` | -| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | - -### Kubeapps packaging options - -| Name | Description | Value | -| -------------------------- | ---------------------------------------------------------- | ------- | -| `packaging.helm.enabled` | Enable the standard Helm packaging. | `true` | -| `packaging.carvel.enabled` | Enable support for the Carvel (kapp-controller) packaging. | `false` | -| `packaging.flux.enabled` | Enable support for Flux (v2) packaging. | `false` | - -### Frontend parameters - -| Name | Description | Value | -| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | -| `frontend.image.registry` | NGINX image registry | `REGISTRY_NAME` | -| `frontend.image.repository` | NGINX image repository | `REPOSITORY_NAME/nginx` | -| `frontend.image.digest` | NGINX image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `frontend.image.pullPolicy` | NGINX image pull policy | `IfNotPresent` | -| `frontend.image.pullSecrets` | NGINX image pull secrets | `[]` | -| `frontend.image.debug` | Enable image debug mode | `false` | -| `frontend.proxypassAccessTokenAsBearer` | Use access_token as the Bearer when talking to the k8s api server | `false` | -| `frontend.proxypassExtraSetHeader` | Set an additional proxy header for all requests proxied via NGINX | `""` | -| `frontend.largeClientHeaderBuffers` | Set large_client_header_buffers in NGINX config | `4 32k` | -| `frontend.replicaCount` | Number of frontend replicas to deploy | `2` | -| `frontend.updateStrategy.type` | Frontend deployment strategy type. | `RollingUpdate` | -| `frontend.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if frontend.resources is set (frontend.resources is recommended for production). 
| `none` | -| `frontend.resources.limits.cpu` | The CPU limits for the NGINX container | `250m` | -| `frontend.resources.limits.memory` | The memory limits for the NGINX container | `128Mi` | -| `frontend.resources.requests.cpu` | The requested CPU for the NGINX container | `25m` | -| `frontend.resources.requests.memory` | The requested memory for the NGINX container | `32Mi` | -| `frontend.extraEnvVars` | Array with extra environment variables to add to the NGINX container | `[]` | -| `frontend.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the NGINX container | `""` | -| `frontend.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the NGINX container | `""` | -| `frontend.containerPorts.http` | NGINX HTTP container port | `8080` | -| `frontend.podSecurityContext.enabled` | Enabled frontend pods' Security Context | `true` | -| `frontend.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `frontend.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `frontend.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `frontend.podSecurityContext.fsGroup` | Set frontend pod's Security Context fsGroup | `1001` | -| `frontend.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `frontend.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `frontend.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `frontend.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | -| `frontend.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `frontend.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `frontend.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security 
Context readOnlyRootFilesystem | `false` | -| `frontend.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `frontend.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `frontend.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `frontend.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `frontend.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` | -| `frontend.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `frontend.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `frontend.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `frontend.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `frontend.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `frontend.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` | -| `frontend.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `frontend.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `frontend.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `frontend.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `frontend.startupProbe.enabled` | Enable startupProbe | `false` | -| `frontend.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` | -| `frontend.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `frontend.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `frontend.startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | -| `frontend.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| 
`frontend.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `frontend.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `frontend.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `frontend.lifecycleHooks` | Custom lifecycle hooks for frontend containers | `{}` | -| `frontend.command` | Override default container command (useful when using custom images) | `[]` | -| `frontend.args` | Override default container args (useful when using custom images) | `[]` | -| `frontend.podLabels` | Extra labels for frontend pods | `{}` | -| `frontend.podAnnotations` | Annotations for frontend pods | `{}` | -| `frontend.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `frontend.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `frontend.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `frontend.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` | -| `frontend.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `affinity` is set | `[]` | -| `frontend.affinity` | Affinity for pod assignment | `{}` | -| `frontend.nodeSelector` | Node labels for pod assignment | `{}` | -| `frontend.tolerations` | Tolerations for pod assignment | `[]` | -| `frontend.priorityClassName` | Priority class name for frontend pods | `""` | -| `frontend.schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `frontend.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | -| `frontend.automountServiceAccountToken` | Mount Service Account token in pod | `true` | -| `frontend.hostAliases` | Custom host aliases for frontend pods | `[]` | -| `frontend.extraVolumes` | Optionally specify extra list of additional volumes for frontend pods | `[]` | -| `frontend.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for frontend container(s) | `[]` | -| `frontend.sidecars` | Add additional sidecar containers to the frontend pod | `[]` | -| `frontend.initContainers` | Add additional init containers to the frontend pods | `[]` | -| `frontend.service.type` | Frontend service type | `ClusterIP` | -| `frontend.service.ports.http` | Frontend service HTTP port | `80` | -| `frontend.service.nodePorts.http` | Node port for HTTP | `""` | -| `frontend.service.clusterIP` | Frontend service Cluster IP | `""` | -| `frontend.service.loadBalancerIP` | Frontend service Load Balancer IP | `""` | -| `frontend.service.loadBalancerSourceRanges` | Frontend service Load Balancer sources | `[]` | -| `frontend.service.externalTrafficPolicy` | Frontend service external traffic policy | `Cluster` | -| `frontend.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `frontend.service.annotations` | Additional custom annotations for frontend service | `{}` | -| `frontend.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| 
`frontend.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | - -### Dashboard parameters - -| Name | Description | Value | -| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------ | -| `dashboard.enabled` | Specifies whether Kubeapps Dashboard should be deployed or not | `true` | -| `dashboard.image.registry` | Dashboard image registry | `REGISTRY_NAME` | -| `dashboard.image.repository` | Dashboard image repository | `REPOSITORY_NAME/kubeapps-dashboard` | -| `dashboard.image.digest` | Dashboard image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `dashboard.image.pullPolicy` | Dashboard image pull policy | `IfNotPresent` | -| `dashboard.image.pullSecrets` | Dashboard image pull secrets | `[]` | -| `dashboard.image.debug` | Enable image debug mode | `false` | -| `dashboard.customStyle` | Custom CSS injected to the Dashboard to customize Kubeapps look and feel | `""` | -| `dashboard.customAppViews` | Package names to signal a custom app view | `[]` | -| `dashboard.customComponents` | Custom Form components injected into the BasicDeploymentForm | `""` | -| `dashboard.remoteComponentsUrl` | Remote URL that can be used to load custom components vs loading from the local filesystem | `""` | -| `dashboard.skipAvailablePackageDetails` | Skip the package details view and go straight to the installation view of the latest version | `false` | -| `dashboard.customLocale` | Custom translations injected to the Dashboard to customize the strings used in Kubeapps | `""` | -| `dashboard.defaultTheme` | Default theme used in the Dashboard if the user has not selected any theme yet. 
| `""` | -| `dashboard.replicaCount` | Number of Dashboard replicas to deploy | `2` | -| `dashboard.createNamespaceLabels` | Labels added to newly created namespaces | `{}` | -| `dashboard.updateStrategy.type` | Dashboard deployment strategy type. | `RollingUpdate` | -| `dashboard.extraEnvVars` | Array with extra environment variables to add to the Dashboard container | `[]` | -| `dashboard.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the Dashboard container | `""` | -| `dashboard.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the Dashboard container | `""` | -| `dashboard.containerPorts.http` | Dashboard HTTP container port | `8080` | -| `dashboard.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if dashboard.resources is set (dashboard.resources is recommended for production). | `none` | -| `dashboard.resources.limits.cpu` | The CPU limits for the Dashboard container | `250m` | -| `dashboard.resources.limits.memory` | The memory limits for the Dashboard container | `128Mi` | -| `dashboard.resources.requests.cpu` | The requested CPU for the Dashboard container | `25m` | -| `dashboard.resources.requests.memory` | The requested memory for the Dashboard container | `32Mi` | -| `dashboard.podSecurityContext.enabled` | Enabled Dashboard pods' Security Context | `true` | -| `dashboard.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `dashboard.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `dashboard.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `dashboard.podSecurityContext.fsGroup` | Set Dashboard pod's Security Context fsGroup | `1001` | -| `dashboard.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| 
`dashboard.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `dashboard.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `dashboard.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | -| `dashboard.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `dashboard.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `dashboard.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | -| `dashboard.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `dashboard.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `dashboard.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `dashboard.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `dashboard.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` | -| `dashboard.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `dashboard.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `dashboard.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `dashboard.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `dashboard.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `dashboard.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` | -| `dashboard.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `dashboard.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `dashboard.readinessProbe.failureThreshold` | Failure threshold for 
readinessProbe | `6` | -| `dashboard.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `dashboard.startupProbe.enabled` | Enable startupProbe | `true` | -| `dashboard.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` | -| `dashboard.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `dashboard.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `dashboard.startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | -| `dashboard.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `dashboard.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `dashboard.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `dashboard.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `dashboard.lifecycleHooks` | Custom lifecycle hooks for Dashboard containers | `{}` | -| `dashboard.command` | Override default container command (useful when using custom images) | `[]` | -| `dashboard.args` | Override default container args (useful when using custom images) | `[]` | -| `dashboard.podLabels` | Extra labels for Dashboard pods | `{}` | -| `dashboard.podAnnotations` | Annotations for Dashboard pods | `{}` | -| `dashboard.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `dashboard.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `dashboard.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `dashboard.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` | -| `dashboard.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `affinity` is set | `[]` | -| `dashboard.affinity` | Affinity for pod assignment | `{}` | -| `dashboard.nodeSelector` | Node labels for pod assignment | `{}` | -| `dashboard.tolerations` | Tolerations for pod assignment | `[]` | -| `dashboard.priorityClassName` | Priority class name for Dashboard pods | `""` | -| `dashboard.schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `dashboard.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | -| `dashboard.automountServiceAccountToken` | Mount Service Account token in pod | `true` | -| `dashboard.hostAliases` | Custom host aliases for Dashboard pods | `[]` | -| `dashboard.extraVolumes` | Optionally specify extra list of additional volumes for Dashboard pods | `[]` | -| `dashboard.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Dashboard container(s) | `[]` | -| `dashboard.sidecars` | Add additional sidecar containers to the Dashboard pod | `[]` | -| `dashboard.initContainers` | Add additional init containers to the Dashboard pods | `[]` | -| `dashboard.service.ports.http` | Dashboard service HTTP port | `8080` | -| `dashboard.service.annotations` | Additional custom annotations for Dashboard service | `{}` | - -### AppRepository Controller parameters - -| Name | Description | Value | -| ----------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------- | -| `apprepository.image.registry` | Kubeapps AppRepository Controller image registry | `REGISTRY_NAME` | -| `apprepository.image.repository` | Kubeapps AppRepository Controller image repository | `REPOSITORY_NAME/kubeapps-apprepository-controller` | -| `apprepository.image.digest` | 
Kubeapps AppRepository Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `apprepository.image.pullPolicy` | Kubeapps AppRepository Controller image pull policy | `IfNotPresent` | -| `apprepository.image.pullSecrets` | Kubeapps AppRepository Controller image pull secrets | `[]` | -| `apprepository.syncImage.registry` | Kubeapps Asset Syncer image registry | `REGISTRY_NAME` | -| `apprepository.syncImage.repository` | Kubeapps Asset Syncer image repository | `REPOSITORY_NAME/kubeapps-asset-syncer` | -| `apprepository.syncImage.digest` | Kubeapps Asset Syncer image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `apprepository.syncImage.pullPolicy` | Kubeapps Asset Syncer image pull policy | `IfNotPresent` | -| `apprepository.syncImage.pullSecrets` | Kubeapps Asset Syncer image pull secrets | `[]` | -| `apprepository.globalReposNamespaceSuffix` | Suffix for the namespace of global repos in the Helm plugin. Defaults to empty for backwards compatibility. Ignored if kubeappsapis.pluginConfig.helm.packages.v1alpha1.globalPackagingNamespace is set. 
| `""` | -| `apprepository.initialRepos` | Initial chart repositories to configure | `[]` | -| `apprepository.customAnnotations` | Custom annotations be added to each AppRepository-generated CronJob, Job and Pod | `{}` | -| `apprepository.customLabels` | Custom labels be added to each AppRepository-generated CronJob, Job and Pod | `{}` | -| `apprepository.initialReposProxy.enabled` | Enables the proxy | `false` | -| `apprepository.initialReposProxy.httpProxy` | URL for the http proxy | `""` | -| `apprepository.initialReposProxy.httpsProxy` | URL for the https proxy | `""` | -| `apprepository.initialReposProxy.noProxy` | URL to exclude from using the proxy | `""` | -| `apprepository.crontab` | Default schedule for syncing App repositories (defaults to every 10 minutes) | `""` | -| `apprepository.watchAllNamespaces` | Watch all namespaces to support separate AppRepositories per namespace | `true` | -| `apprepository.extraFlags` | Additional command line flags for AppRepository Controller | `[]` | -| `apprepository.replicaCount` | Number of AppRepository Controller replicas to deploy | `1` | -| `apprepository.updateStrategy.type` | AppRepository Controller deployment strategy type. | `RollingUpdate` | -| `apprepository.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if apprepository.resources is set (apprepository.resources is recommended for production). 
| `none` |
-| `apprepository.resources.limits.cpu` | The CPU limits for the AppRepository Controller container | `250m` |
-| `apprepository.resources.limits.memory` | The memory limits for the AppRepository Controller container | `128Mi` |
-| `apprepository.resources.requests.cpu` | The requested CPU for the AppRepository Controller container | `25m` |
-| `apprepository.resources.requests.memory` | The requested memory for the AppRepository Controller container | `32Mi` |
-| `apprepository.podSecurityContext.enabled` | Enabled AppRepository Controller pods' Security Context | `true` |
-| `apprepository.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
-| `apprepository.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
-| `apprepository.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
-| `apprepository.podSecurityContext.fsGroup` | Set AppRepository Controller pod's Security Context fsGroup | `1001` |
-| `apprepository.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `apprepository.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `apprepository.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `apprepository.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
-| `apprepository.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
-| `apprepository.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `apprepository.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
-| `apprepository.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
-|
`apprepository.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
-| `apprepository.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `apprepository.lifecycleHooks` | Custom lifecycle hooks for AppRepository Controller containers | `{}` |
-| `apprepository.command` | Override default container command (useful when using custom images) | `[]` |
-| `apprepository.args` | Override default container args (useful when using custom images) | `[]` |
-| `apprepository.extraEnvVars` | Array with extra environment variables to add to AppRepository Controller pod(s) | `[]` |
-| `apprepository.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for AppRepository Controller pod(s) | `""` |
-| `apprepository.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for AppRepository Controller pod(s) | `""` |
-| `apprepository.extraVolumes` | Optionally specify extra list of additional volumes for the AppRepository Controller pod(s) | `[]` |
-| `apprepository.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the AppRepository Controller container(s) | `[]` |
-| `apprepository.podLabels` | Extra labels for AppRepository Controller pods | `{}` |
-| `apprepository.podAnnotations` | Annotations for AppRepository Controller pods | `{}` |
-| `apprepository.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `apprepository.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
-| `apprepository.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `apprepository.nodeAffinityPreset.key` | Node label key to match.
Ignored if `affinity` is set | `""` |
-| `apprepository.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
-| `apprepository.affinity` | Affinity for pod assignment | `{}` |
-| `apprepository.nodeSelector` | Node labels for pod assignment | `{}` |
-| `apprepository.tolerations` | Tolerations for pod assignment | `[]` |
-| `apprepository.priorityClassName` | Priority class name for AppRepository Controller pods | `""` |
-| `apprepository.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
-| `apprepository.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
-| `apprepository.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
-| `apprepository.hostAliases` | Custom host aliases for AppRepository Controller pods | `[]` |
-| `apprepository.sidecars` | Add additional sidecar containers to the AppRepository Controller pod(s) | `[]` |
-| `apprepository.initContainers` | Add additional init containers to the AppRepository Controller pod(s) | `[]` |
-| `apprepository.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
-| `apprepository.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
-| `apprepository.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
-| `apprepository.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
| `{}` |
-
-### Auth Proxy parameters
-
-| Name | Description | Value |
-| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------ |
-| `authProxy.enabled` | Specifies whether Kubeapps should configure OAuth login/logout | `false` |
-| `authProxy.image.registry` | OAuth2 Proxy image registry | `REGISTRY_NAME` |
-| `authProxy.image.repository` | OAuth2 Proxy image repository | `REPOSITORY_NAME/oauth2-proxy` |
-| `authProxy.image.digest` | OAuth2 Proxy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `authProxy.image.pullPolicy` | OAuth2 Proxy image pull policy | `IfNotPresent` |
-| `authProxy.image.pullSecrets` | OAuth2 Proxy image pull secrets | `[]` |
-| `authProxy.external` | Use an external Auth Proxy instead of deploying its own one | `false` |
-| `authProxy.oauthLoginURI` | OAuth Login URI to which the Kubeapps frontend redirects for authn | `/oauth2/start` |
-| `authProxy.oauthLogoutURI` | OAuth Logout URI to which the Kubeapps frontend redirects for authn | `/oauth2/sign_out` |
-| `authProxy.skipKubeappsLoginPage` | Skip the Kubeapps login page when using OIDC and directly redirect to the IdP | `false` |
-| `authProxy.provider` | OAuth provider | `""` |
-| `authProxy.clientID` | OAuth Client ID | `""` |
-| `authProxy.clientSecret` | OAuth Client secret | `""` |
-| `authProxy.cookieSecret` | Secret used by oauth2-proxy to encrypt any credentials | `""` |
-| `authProxy.existingOauth2Secret` | Name of an existing secret containing the OAuth client secrets, it should contain the keys clientID, clientSecret, and cookieSecret | `""` |
-| `authProxy.cookieRefresh` | Duration after which to refresh the cookie | `2m` |
-| `authProxy.scope` | OAuth
scope specification | `openid email groups` |
-| `authProxy.emailDomain` | Allowed email domains | `*` |
-| `authProxy.extraFlags` | Additional command line flags for oauth2-proxy | `[]` |
-| `authProxy.lifecycleHooks` | for the Auth Proxy container(s) to automate configuration before or after startup | `{}` |
-| `authProxy.command` | Override default container command (useful when using custom images) | `[]` |
-| `authProxy.args` | Override default container args (useful when using custom images) | `[]` |
-| `authProxy.extraEnvVars` | Array with extra environment variables to add to the Auth Proxy container | `[]` |
-| `authProxy.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Auth Proxy containers(s) | `""` |
-| `authProxy.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Auth Proxy containers(s) | `""` |
-| `authProxy.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Auth Proxy container(s) | `[]` |
-| `authProxy.containerPorts.proxy` | Auth Proxy HTTP container port | `3000` |
-| `authProxy.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `authProxy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `authProxy.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `authProxy.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
-| `authProxy.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
-| `authProxy.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `authProxy.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
-| `authProxy.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
-|
`authProxy.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
-| `authProxy.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `authProxy.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if authProxy.resources is set (authProxy.resources is recommended for production). | `none` |
-| `authProxy.resources.limits.cpu` | The CPU limits for the OAuth2 Proxy container | `250m` |
-| `authProxy.resources.limits.memory` | The memory limits for the OAuth2 Proxy container | `128Mi` |
-| `authProxy.resources.requests.cpu` | The requested CPU for the OAuth2 Proxy container | `25m` |
-| `authProxy.resources.requests.memory` | The requested memory for the OAuth2 Proxy container | `32Mi` |
-
-### Pinniped Proxy parameters
-
-| Name | Description | Value |
-| ----------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- |
-| `pinnipedProxy.enabled` | Specifies whether Kubeapps should configure Pinniped Proxy | `false` |
-| `pinnipedProxy.image.registry` | Pinniped Proxy image registry | `REGISTRY_NAME` |
-| `pinnipedProxy.image.repository` | Pinniped Proxy image repository | `REPOSITORY_NAME/kubeapps-pinniped-proxy` |
-| `pinnipedProxy.image.digest` | Pinniped Proxy image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag | `""` |
-| `pinnipedProxy.image.pullPolicy` | Pinniped Proxy image pull policy | `IfNotPresent` |
-| `pinnipedProxy.image.pullSecrets` | Pinniped Proxy image pull secrets | `[]` |
-| `pinnipedProxy.defaultPinnipedNamespace` | Namespace in which pinniped concierge is installed | `pinniped-concierge` |
-| `pinnipedProxy.defaultAuthenticatorType` | Authenticator type | `JWTAuthenticator` |
-| `pinnipedProxy.defaultAuthenticatorName` | Authenticator name | `jwt-authenticator` |
-| `pinnipedProxy.defaultPinnipedAPISuffix` | API suffix | `pinniped.dev` |
-| `pinnipedProxy.tls.existingSecret` | TLS secret with which to proxy requests | `""` |
-| `pinnipedProxy.tls.caCertificate` | TLS CA cert config map which clients of pinniped proxy should use with TLS requests | `""` |
-| `pinnipedProxy.lifecycleHooks` | For the Pinniped Proxy container(s) to automate configuration before or after startup | `{}` |
-| `pinnipedProxy.command` | Override default container command (useful when using custom images) | `[]` |
-| `pinnipedProxy.args` | Override default container args (useful when using custom images) | `[]` |
-| `pinnipedProxy.extraEnvVars` | Array with extra environment variables to add to Pinniped Proxy container(s) | `[]` |
-| `pinnipedProxy.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Pinniped Proxy container(s) | `""` |
-| `pinnipedProxy.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Pinniped Proxy container(s) | `""` |
-| `pinnipedProxy.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Pinniped Proxy container(s) | `[]` |
-| `pinnipedProxy.containerPorts.pinnipedProxy` | Pinniped Proxy container port | `3333` |
-| `pinnipedProxy.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `pinnipedProxy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-|
`pinnipedProxy.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `pinnipedProxy.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
-| `pinnipedProxy.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
-| `pinnipedProxy.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `pinnipedProxy.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
-| `pinnipedProxy.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
-| `pinnipedProxy.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
-| `pinnipedProxy.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `pinnipedProxy.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if pinnipedProxy.resources is set (pinnipedProxy.resources is recommended for production).
| `none` |
-| `pinnipedProxy.resources.limits.cpu` | The CPU limits for the Pinniped Proxy container | `250m` |
-| `pinnipedProxy.resources.limits.memory` | The memory limits for the Pinniped Proxy container | `128Mi` |
-| `pinnipedProxy.resources.requests.cpu` | The requested CPU for the Pinniped Proxy container | `25m` |
-| `pinnipedProxy.resources.requests.memory` | The requested memory for the Pinniped Proxy container | `32Mi` |
-| `pinnipedProxy.service.ports.pinnipedProxy` | Pinniped Proxy service port | `3333` |
-| `pinnipedProxy.service.annotations` | Additional custom annotations for Pinniped Proxy service | `{}` |
-
-### Other Parameters
-
-| Name | Description | Value |
-| ------------- | --------------------------------------------------------- | ------ |
-| `clusters` | List of clusters that Kubeapps can target for deployments | `[]` |
-| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
-
-### Feature flags
-
-| Name | Description | Value |
-| --------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------- |
-| `featureFlags.apiOnly.enabled` | Enable ingress for API operations only. Access to "/" will not be possible, so Dashboard will be unusable.
| `false` |
-| `featureFlags.apiOnly.grpc.annotations` | Specific annotations for the GRPC ingress in API-only mode | `{}` |
-| `featureFlags.operators` | Enable support for Operators in Kubeapps | `false` |
-| `featureFlags.schemaEditor.enabled` | Enable a visual editor for customizing the package schemas | `false` |
-
-### Database Parameters
-
-| Name | Description | Value |
-| ---------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
-| `postgresql.enabled` | Deploy a PostgreSQL server to satisfy the applications database requirements | `true` |
-| `postgresql.auth.username` | Username for PostgreSQL server | `postgres` |
-| `postgresql.auth.postgresPassword` | Password for 'postgres' user | `""` |
-| `postgresql.auth.database` | Name for a custom database to create | `assets` |
-| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
-| `postgresql.primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `false` |
-| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
-| `postgresql.securityContext.enabled` | Enabled PostgreSQL replicas pods' Security Context | `false` |
-| `postgresql.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if postgresql.resources is set (postgresql.resources is recommended for production).
| `none` |
-| `postgresql.resources.limits` | The resources limits for the PostgreSQL container | `{}` |
-| `postgresql.resources.requests.cpu` | The requested CPU for the PostgreSQL container | `250m` |
-| `postgresql.resources.requests.memory` | The requested memory for the PostgreSQL container | `256Mi` |
-
-### kubeappsapis parameters
-
-| Name | Description | Value |
-| ----------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------- |
-| `kubeappsapis.enabledPlugins` | Manually override which plugins are enabled for the Kubeapps-APIs service | `[]` |
-| `kubeappsapis.pluginConfig.core.packages.v1alpha1.versionsInSummary.major` | Number of major versions to display in the summary | `3` |
-| `kubeappsapis.pluginConfig.core.packages.v1alpha1.versionsInSummary.minor` | Number of minor versions to display in the summary | `3` |
-| `kubeappsapis.pluginConfig.core.packages.v1alpha1.versionsInSummary.patch` | Number of patch versions to display in the summary | `3` |
-| `kubeappsapis.pluginConfig.core.packages.v1alpha1.timeoutSeconds` | Value to wait for Kubernetes commands to complete | `300` |
-| `kubeappsapis.pluginConfig.helm.packages.v1alpha1.globalPackagingNamespace` | Custom global packaging namespace. Using this value will override the current "kubeapps release namespace + suffix" pattern and will create a new namespace if not exists.
| `""` |
-| `kubeappsapis.pluginConfig.kappController.packages.v1alpha1.defaultUpgradePolicy` | Default upgrade policy generating version constraints | `none` |
-| `kubeappsapis.pluginConfig.kappController.packages.v1alpha1.defaultPrereleasesVersionSelection` | Default policy for allowing prereleases containing one of the identifiers | `nil` |
-| `kubeappsapis.pluginConfig.kappController.packages.v1alpha1.defaultAllowDowngrades` | Default policy for allowing applications to be downgraded to previous versions | `false` |
-| `kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace` | Default global packaging namespace | `kapp-controller-packaging-global` |
-| `kubeappsapis.pluginConfig.flux.packages.v1alpha1.defaultUpgradePolicy` | Default upgrade policy generating version constraints | `none` |
-| `kubeappsapis.pluginConfig.flux.packages.v1alpha1.noCrossNamespaceRefs` | Enable this flag to disallow cross-namespace references, useful when running Flux on multi-tenant clusters | `false` |
-| `kubeappsapis.pluginConfig.resources.packages.v1alpha1.trustedNamespaces.headerName` | Optional header name for trusted namespaces | `""` |
-| `kubeappsapis.pluginConfig.resources.packages.v1alpha1.trustedNamespaces.headerPattern` | Optional header pattern for trusted namespaces | `""` |
-| `kubeappsapis.image.registry` | Kubeapps-APIs image registry | `REGISTRY_NAME` |
-| `kubeappsapis.image.repository` | Kubeapps-APIs image repository | `REPOSITORY_NAME/kubeapps-apis` |
-| `kubeappsapis.image.digest` | Kubeapps-APIs image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `kubeappsapis.image.pullPolicy` | Kubeapps-APIs image pull policy | `IfNotPresent` |
-| `kubeappsapis.image.pullSecrets` | Kubeapps-APIs image pull secrets | `[]` |
-| `kubeappsapis.replicaCount` | Number of frontend replicas to deploy | `2` |
-| `kubeappsapis.updateStrategy.type` | KubeappsAPIs deployment strategy type.
| `RollingUpdate` |
-| `kubeappsapis.extraFlags` | Additional command line flags for KubeappsAPIs | `[]` |
-| `kubeappsapis.qps` | KubeappsAPIs Kubernetes API client QPS limit | `50.0` |
-| `kubeappsapis.burst` | KubeappsAPIs Kubernetes API client Burst limit | `100` |
-| `kubeappsapis.terminationGracePeriodSeconds` | The grace time period for sig term | `300` |
-| `kubeappsapis.extraEnvVars` | Array with extra environment variables to add to the KubeappsAPIs container | `[]` |
-| `kubeappsapis.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the KubeappsAPIs container | `""` |
-| `kubeappsapis.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the KubeappsAPIs container | `""` |
-| `kubeappsapis.containerPorts.http` | KubeappsAPIs HTTP container port | `50051` |
-| `kubeappsapis.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if kubeappsapis.resources is set (kubeappsapis.resources is recommended for production).
| `none` |
-| `kubeappsapis.resources.limits.cpu` | The CPU limits for the KubeappsAPIs container | `250m` |
-| `kubeappsapis.resources.limits.memory` | The memory limits for the KubeappsAPIs container | `256Mi` |
-| `kubeappsapis.resources.requests.cpu` | The requested CPU for the KubeappsAPIs container | `25m` |
-| `kubeappsapis.resources.requests.memory` | The requested memory for the KubeappsAPIs container | `32Mi` |
-| `kubeappsapis.podSecurityContext.enabled` | Enabled KubeappsAPIs pods' Security Context | `true` |
-| `kubeappsapis.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
-| `kubeappsapis.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
-| `kubeappsapis.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
-| `kubeappsapis.podSecurityContext.fsGroup` | Set KubeappsAPIs pod's Security Context fsGroup | `1001` |
-| `kubeappsapis.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `kubeappsapis.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `kubeappsapis.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `kubeappsapis.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
-| `kubeappsapis.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
-| `kubeappsapis.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `kubeappsapis.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
-| `kubeappsapis.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
-| `kubeappsapis.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
-|
`kubeappsapis.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `kubeappsapis.livenessProbe.enabled` | Enable livenessProbe | `true` |
-| `kubeappsapis.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
-| `kubeappsapis.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `kubeappsapis.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `kubeappsapis.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
-| `kubeappsapis.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `kubeappsapis.readinessProbe.enabled` | Enable readinessProbe | `true` |
-| `kubeappsapis.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
-| `kubeappsapis.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
-| `kubeappsapis.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
-| `kubeappsapis.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
-| `kubeappsapis.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `kubeappsapis.startupProbe.enabled` | Enable startupProbe | `false` |
-| `kubeappsapis.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
-| `kubeappsapis.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `kubeappsapis.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `kubeappsapis.startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
-| `kubeappsapis.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `kubeappsapis.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `kubeappsapis.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-|
`kubeappsapis.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
-| `kubeappsapis.lifecycleHooks` | Custom lifecycle hooks for KubeappsAPIs containers | `{}` |
-| `kubeappsapis.command` | Override default container command (useful when using custom images) | `[]` |
-| `kubeappsapis.args` | Override default container args (useful when using custom images) | `[]` |
-| `kubeappsapis.extraVolumes` | Optionally specify extra list of additional volumes for the KubeappsAPIs pod(s) | `[]` |
-| `kubeappsapis.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the KubeappsAPIs container(s) | `[]` |
-| `kubeappsapis.podLabels` | Extra labels for KubeappsAPIs pods | `{}` |
-| `kubeappsapis.podAnnotations` | Annotations for KubeappsAPIs pods | `{}` |
-| `kubeappsapis.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `kubeappsapis.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
-| `kubeappsapis.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `kubeappsapis.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
-| `kubeappsapis.nodeAffinityPreset.values` | Node label values to match.
Ignored if `affinity` is set | `[]` |
-| `kubeappsapis.affinity` | Affinity for pod assignment | `{}` |
-| `kubeappsapis.nodeSelector` | Node labels for pod assignment | `{}` |
-| `kubeappsapis.tolerations` | Tolerations for pod assignment | `[]` |
-| `kubeappsapis.priorityClassName` | Priority class name for KubeappsAPIs pods | `""` |
-| `kubeappsapis.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
-| `kubeappsapis.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
-| `kubeappsapis.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
-| `kubeappsapis.hostAliases` | Custom host aliases for KubeappsAPIs pods | `[]` |
-| `kubeappsapis.sidecars` | Add additional sidecar containers to the KubeappsAPIs pod(s) | `[]` |
-| `kubeappsapis.initContainers` | Add additional init containers to the KubeappsAPIs pod(s) | `[]` |
-| `kubeappsapis.service.ports.http` | KubeappsAPIs service HTTP port | `8080` |
-| `kubeappsapis.service.annotations` | Additional custom annotations for KubeappsAPIs service | `{}` |
-| `kubeappsapis.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
-| `kubeappsapis.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
-| `kubeappsapis.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
-| `kubeappsapis.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
| `{}` |
-
-### OCI Catalog chart configuration
-
-| Name | Description | Value |
-| -------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
-| `ociCatalog.enabled` | Enable the OCI catalog gRPC service for cataloging | `false` |
-| `ociCatalog.image.registry` | OCI Catalog image registry | `REGISTRY_NAME` |
-| `ociCatalog.image.repository` | OCI Catalog image repository | `REPOSITORY_NAME/kubeapps-oci-catalog` |
-| `ociCatalog.image.digest` | OCI Catalog image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `ociCatalog.image.pullPolicy` | OCI Catalog image pull policy | `IfNotPresent` |
-| `ociCatalog.image.pullSecrets` | OCI Catalog image pull secrets | `[]` |
-| `ociCatalog.image.debug` | Enable image debug mode | `false` |
-| `ociCatalog.extraFlags` | Additional command line flags for OCI Catalog | `[]` |
-| `ociCatalog.extraEnvVars` | Array with extra environment variables to add to the oci-catalog container | `[]` |
-| `ociCatalog.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the OCI Catalog container | `""` |
-| `ociCatalog.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the OCI Catalog container | `""` |
-| `ociCatalog.containerPorts.grpc` | OCI Catalog gRPC container port | `50061` |
-| `ociCatalog.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if ociCatalog.resources is set (ociCatalog.resources is recommended for production).
| `none` |
-| `ociCatalog.resources.limits.cpu` | The CPU limits for the OCI Catalog container | `250m` |
-| `ociCatalog.resources.limits.memory` | The memory limits for the OCI Catalog container | `256Mi` |
-| `ociCatalog.resources.requests.cpu` | The requested CPU for the OCI Catalog container | `25m` |
-| `ociCatalog.resources.requests.memory` | The requested memory for the OCI Catalog container | `32Mi` |
-| `ociCatalog.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `ociCatalog.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `ociCatalog.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `ociCatalog.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
-| `ociCatalog.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
-| `ociCatalog.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `ociCatalog.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
-| `ociCatalog.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
-| `ociCatalog.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
-| `ociCatalog.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `ociCatalog.livenessProbe.enabled` | Enable livenessProbe | `true` |
-| `ociCatalog.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
-| `ociCatalog.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `ociCatalog.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `ociCatalog.livenessProbe.failureThreshold` | Failure threshold for livenessProbe
| `6` | -| `ociCatalog.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `ociCatalog.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `ociCatalog.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` | -| `ociCatalog.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `ociCatalog.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `ociCatalog.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `ociCatalog.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `ociCatalog.startupProbe.enabled` | Enable startupProbe | `false` | -| `ociCatalog.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` | -| `ociCatalog.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `ociCatalog.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `ociCatalog.startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | -| `ociCatalog.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `ociCatalog.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `ociCatalog.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `ociCatalog.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `ociCatalog.lifecycleHooks` | Custom lifecycle hooks for OCI Catalog containers | `{}` | -| `ociCatalog.command` | Override default container command (useful when using custom images) | `[]` | -| `ociCatalog.args` | Override default container args (useful when using custom images) | `[]` | -| `ociCatalog.extraVolumes` | Optionally specify extra list of additional volumes for the OCI Catalog pod(s) | `[]` | -| `ociCatalog.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the OCI Catalog 
container(s) | `[]` | - -### Redis® chart configuration - -| Name | Description | Value | -| ----------------------------------- | ---------------------------------------------------------------- | -------------------------------------------------------- | -| `redis.auth.enabled` | Enable password authentication | `true` | -| `redis.auth.password` | Redis® password | `""` | -| `redis.auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` | -| `redis.architecture` | Redis(R) architecture (`standalone` or `replication`) | `standalone` | -| `redis.master.extraFlags` | Array with additional command line flags for Redis® master | `["--maxmemory 200mb","--maxmemory-policy allkeys-lru"]` | -| `redis.master.disableCommands` | Array with commands to deactivate on Redis® | `[]` | -| `redis.master.persistence.enabled` | Enable Redis® master data persistence using PVC | `false` | -| `redis.replica.replicaCount` | Number of Redis® replicas to deploy | `1` | -| `redis.replica.extraFlags` | Array with additional command line flags for Redis® replicas | `["--maxmemory 200mb","--maxmemory-policy allkeys-lru"]` | -| `redis.replica.disableCommands` | Array with commands to deactivate on Redis® | `[]` | -| `redis.replica.persistence.enabled` | Enable Redis® replica data persistence using PVC | `false` | - -```console -helm install kubeapps --namespace kubeapps \ - --set ingress.enabled=true \ - oci://REGISTRY_NAME/REPOSITORY_NAME/kubeapps -``` - -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. - -The above command enables an Ingress Rule to expose Kubeapps. - -Alternatively, a YAML file that specifies the values for parameters can be provided while installing the chart. 
For example, - -```console -helm install kubeapps --namespace kubeapps -f custom-values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/kubeapps -``` - -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. - ## Configuration and installation details ### Resource requests and limits 
@@ -769,42 +137,662 @@ In the first two cases, it is needed a certificate and a key. We would expect th - To use self-signed certificates created by Helm, set both `ingress.tls` and `ingress.selfSigned` to `true`. - If your cluster has a [cert-manager](https://github.com/jetstack/cert-manager) add-on to automate the management and issuance of TLS certificates, set `ingress.certManager` boolean to true to enable the corresponding annotations for cert-manager. -## Upgrading Kubeapps +## Parameters -You can upgrade Kubeapps from the Kubeapps web interface. Select the namespace in which Kubeapps is installed (`kubeapps` if you followed the instructions in this guide) and click on the "Upgrade" button. Select the new version and confirm. +### Global parameters -You can also use the Helm CLI to upgrade Kubeapps, first ensure you have updated your local chart repository cache: +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
+
+### Common parameters
+
+| Name | Description | Value |
+| ------------------------ | --------------------------------------------------------------------------------------- | -------------- |
+| `kubeVersion` | Override Kubernetes version | `""` |
+| `nameOverride` | String to partially override common.names.fullname | `""` |
+| `fullnameOverride` | String to fully override common.names.fullname | `""` |
+| `commonLabels` | Labels to add to all deployed objects | `{}` |
+| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
+| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
+| `enableIPv6` | Enable IPv6 configuration | `false` |
+| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
+| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` |
+| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` |
+
+### Traffic Exposure Parameters
+
+| Name | Description | Value |
+| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
+| `ingress.enabled` | Enable ingress record generation for Kubeapps | `false` |
+| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
+| `ingress.hostname` | Default host for the ingress record | `kubeapps.local` |
+| `ingress.path` | Default path for the ingress record | `/` |
+| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
+| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
+| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` |
+| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
+| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
+| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
+| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
+| `ingress.secrets` | Custom TLS certificates as secrets | `[]` |
+| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
+| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
+
+### Kubeapps packaging options
+
+| Name | Description | Value |
+| -------------------------- | ---------------------------------------------------------- | ------- |
+| `packaging.helm.enabled` | Enable the standard Helm packaging. | `true` |
+| `packaging.carvel.enabled` | Enable support for the Carvel (kapp-controller) packaging. | `false` |
+| `packaging.flux.enabled` | Enable support for Flux (v2) packaging. | `false` |
+
+### Frontend parameters
+
+| Name | Description | Value |
+| ------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
+| `frontend.image.registry` | NGINX image registry | `REGISTRY_NAME` |
+| `frontend.image.repository` | NGINX image repository | `REPOSITORY_NAME/nginx` |
+| `frontend.image.digest` | NGINX image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `frontend.image.pullPolicy` | NGINX image pull policy | `IfNotPresent` |
+| `frontend.image.pullSecrets` | NGINX image pull secrets | `[]` |
+| `frontend.image.debug` | Enable image debug mode | `false` |
+| `frontend.proxypassAccessTokenAsBearer` | Use access_token as the Bearer when talking to the k8s api server | `false` |
+| `frontend.proxypassExtraSetHeader` | Set an additional proxy header for all requests proxied via NGINX | `""` |
+| `frontend.largeClientHeaderBuffers` | Set large_client_header_buffers in NGINX config | `4 32k` |
+| `frontend.replicaCount` | Number of frontend replicas to deploy | `2` |
+| `frontend.updateStrategy.type` | Frontend deployment strategy type. | `RollingUpdate` |
+| `frontend.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if frontend.resources is set (frontend.resources is recommended for production). | `micro` |
+| `frontend.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `frontend.extraEnvVars` | Array with extra environment variables to add to the NGINX container | `[]` |
+| `frontend.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the NGINX container | `""` |
+| `frontend.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the NGINX container | `""` |
+| `frontend.containerPorts.http` | NGINX HTTP container port | `8080` |
+| `frontend.podSecurityContext.enabled` | Enabled frontend pods' Security Context | `true` |
+| `frontend.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `frontend.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `frontend.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `frontend.podSecurityContext.fsGroup` | Set frontend pod's Security Context fsGroup | `1001` |
+| `frontend.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `frontend.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `frontend.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `frontend.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
+| `frontend.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `frontend.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `frontend.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
+| `frontend.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `frontend.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `frontend.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `frontend.livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `frontend.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
+| `frontend.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `frontend.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `frontend.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `frontend.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `frontend.readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `frontend.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
+| `frontend.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
+| `frontend.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
+| `frontend.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `frontend.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `frontend.startupProbe.enabled` | Enable startupProbe | `false` |
+| `frontend.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
+| `frontend.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `frontend.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `frontend.startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
+| `frontend.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `frontend.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `frontend.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `frontend.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `frontend.lifecycleHooks` | Custom lifecycle hooks for frontend containers | `{}` |
+| `frontend.command` | Override default container command (useful when using custom images) | `[]` |
+| `frontend.args` | Override default container args (useful when using custom images) | `[]` |
+| `frontend.podLabels` | Extra labels for frontend pods | `{}` |
+| `frontend.podAnnotations` | Annotations for frontend pods | `{}` |
+| `frontend.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `frontend.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `frontend.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `frontend.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
+| `frontend.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
+| `frontend.affinity` | Affinity for pod assignment | `{}` |
+| `frontend.nodeSelector` | Node labels for pod assignment | `{}` |
+| `frontend.tolerations` | Tolerations for pod assignment | `[]` |
+| `frontend.priorityClassName` | Priority class name for frontend pods | `""` |
+| `frontend.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
+| `frontend.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
+| `frontend.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
+| `frontend.hostAliases` | Custom host aliases for frontend pods | `[]` |
+| `frontend.extraVolumes` | Optionally specify extra list of additional volumes for frontend pods | `[]` |
+| `frontend.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for frontend container(s) | `[]` |
+| `frontend.sidecars` | Add additional sidecar containers to the frontend pod | `[]` |
+| `frontend.initContainers` | Add additional init containers to the frontend pods | `[]` |
+| `frontend.service.type` | Frontend service type | `ClusterIP` |
+| `frontend.service.ports.http` | Frontend service HTTP port | `80` |
+| `frontend.service.nodePorts.http` | Node port for HTTP | `""` |
+| `frontend.service.clusterIP` | Frontend service Cluster IP | `""` |
+| `frontend.service.loadBalancerIP` | Frontend service Load Balancer IP | `""` |
+| `frontend.service.loadBalancerSourceRanges` | Frontend service Load Balancer sources | `[]` |
+| `frontend.service.externalTrafficPolicy` | Frontend service external traffic policy | `Cluster` |
+| `frontend.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `frontend.service.annotations` | Additional custom annotations for frontend service | `{}` |
+| `frontend.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
+| `frontend.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `frontend.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `frontend.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `frontend.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `frontend.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `frontend.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `frontend.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `frontend.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `frontend.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+
+### Dashboard parameters
+
+| Name | Description | Value |
+| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ |
+| `dashboard.enabled` | Specifies whether Kubeapps Dashboard should be deployed or not | `true` |
+| `dashboard.image.registry` | Dashboard image registry | `REGISTRY_NAME` |
+| `dashboard.image.repository` | Dashboard image repository | `REPOSITORY_NAME/kubeapps-dashboard` |
+| `dashboard.image.digest` | Dashboard image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `dashboard.image.pullPolicy` | Dashboard image pull policy | `IfNotPresent` |
+| `dashboard.image.pullSecrets` | Dashboard image pull secrets | `[]` |
+| `dashboard.image.debug` | Enable image debug mode | `false` |
+| `dashboard.customStyle` | Custom CSS injected to the Dashboard to customize Kubeapps look and feel | `""` |
+| `dashboard.customAppViews` | Package names to signal a custom app view | `[]` |
+| `dashboard.customComponents` | Custom Form components injected into the BasicDeploymentForm | `""` |
+| `dashboard.remoteComponentsUrl` | Remote URL that can be used to load custom components vs loading from the local filesystem | `""` |
+| `dashboard.skipAvailablePackageDetails` | Skip the package details view and go straight to the installation view of the latest version | `false` |
+| `dashboard.customLocale` | Custom translations injected to the Dashboard to customize the strings used in Kubeapps | `""` |
+| `dashboard.defaultTheme` | Default theme used in the Dashboard if the user has not selected any theme yet. | `""` |
+| `dashboard.replicaCount` | Number of Dashboard replicas to deploy | `2` |
+| `dashboard.createNamespaceLabels` | Labels added to newly created namespaces | `{}` |
+| `dashboard.updateStrategy.type` | Dashboard deployment strategy type. | `RollingUpdate` |
+| `dashboard.extraEnvVars` | Array with extra environment variables to add to the Dashboard container | `[]` |
+| `dashboard.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the Dashboard container | `""` |
+| `dashboard.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the Dashboard container | `""` |
+| `dashboard.containerPorts.http` | Dashboard HTTP container port | `8080` |
+| `dashboard.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dashboard.resources is set (dashboard.resources is recommended for production). | `micro` |
+| `dashboard.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `dashboard.podSecurityContext.enabled` | Enabled Dashboard pods' Security Context | `true` |
+| `dashboard.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `dashboard.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `dashboard.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `dashboard.podSecurityContext.fsGroup` | Set Dashboard pod's Security Context fsGroup | `1001` |
+| `dashboard.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `dashboard.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `dashboard.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `dashboard.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
+| `dashboard.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `dashboard.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `dashboard.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
+| `dashboard.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `dashboard.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `dashboard.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `dashboard.livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `dashboard.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
+| `dashboard.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `dashboard.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `dashboard.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `dashboard.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `dashboard.readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `dashboard.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
+| `dashboard.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
+| `dashboard.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
+| `dashboard.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `dashboard.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `dashboard.startupProbe.enabled` | Enable startupProbe | `true` |
+| `dashboard.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
+| `dashboard.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `dashboard.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `dashboard.startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
+| `dashboard.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `dashboard.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `dashboard.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `dashboard.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `dashboard.lifecycleHooks` | Custom lifecycle hooks for Dashboard containers | `{}` |
+| `dashboard.command` | Override default container command (useful when using custom images) | `[]` |
+| `dashboard.args` | Override default container args (useful when using custom images) | `[]` |
+| `dashboard.podLabels` | Extra labels for Dashboard pods | `{}` |
+| `dashboard.podAnnotations` | Annotations for Dashboard pods | `{}` |
+| `dashboard.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `dashboard.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `dashboard.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `dashboard.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
+| `dashboard.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
+| `dashboard.affinity` | Affinity for pod assignment | `{}` |
+| `dashboard.nodeSelector` | Node labels for pod assignment | `{}` |
+| `dashboard.tolerations` | Tolerations for pod assignment | `[]` |
+| `dashboard.priorityClassName` | Priority class name for Dashboard pods | `""` |
+| `dashboard.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
+| `dashboard.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
+| `dashboard.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
+| `dashboard.hostAliases` | Custom host aliases for Dashboard pods | `[]` |
+| `dashboard.extraVolumes` | Optionally specify extra list of additional volumes for Dashboard pods | `[]` |
+| `dashboard.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Dashboard container(s) | `[]` |
+| `dashboard.sidecars` | Add additional sidecar containers to the Dashboard pod | `[]` |
+| `dashboard.initContainers` | Add additional init containers to the Dashboard pods | `[]` |
+| `dashboard.service.ports.http` | Dashboard service HTTP port | `8080` |
+| `dashboard.service.annotations` | Additional custom annotations for Dashboard service | `{}` |
+| `dashboard.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `dashboard.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `dashboard.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `dashboard.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `dashboard.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `dashboard.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `dashboard.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `dashboard.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+
+### AppRepository Controller parameters
+
+| Name | Description | Value |
+| ----------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------- |
+| `apprepository.image.registry` | Kubeapps AppRepository Controller image registry | `REGISTRY_NAME` |
+| `apprepository.image.repository` | Kubeapps AppRepository Controller image repository | `REPOSITORY_NAME/kubeapps-apprepository-controller` |
+| `apprepository.image.digest` | Kubeapps AppRepository Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `apprepository.image.pullPolicy` | Kubeapps AppRepository Controller image pull policy | `IfNotPresent` |
+| `apprepository.image.pullSecrets` | Kubeapps AppRepository Controller image pull secrets | `[]` |
+| `apprepository.syncImage.registry` | Kubeapps Asset Syncer image registry | `REGISTRY_NAME` |
+| `apprepository.syncImage.repository` | Kubeapps Asset Syncer image repository | `REPOSITORY_NAME/kubeapps-asset-syncer` |
+| `apprepository.syncImage.digest` | Kubeapps Asset Syncer image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `apprepository.syncImage.pullPolicy` | Kubeapps Asset Syncer image pull policy | `IfNotPresent` |
+| `apprepository.syncImage.pullSecrets` | Kubeapps Asset Syncer image pull secrets | `[]` |
+| `apprepository.globalReposNamespaceSuffix` | Suffix for the namespace of global repos in the Helm plugin. Defaults to empty for backwards compatibility. Ignored if kubeappsapis.pluginConfig.helm.packages.v1alpha1.globalPackagingNamespace is set. | `""` |
+| `apprepository.initialRepos` | Initial chart repositories to configure | `[]` |
+| `apprepository.customAnnotations` | Custom annotations be added to each AppRepository-generated CronJob, Job and Pod | `{}` |
+| `apprepository.customLabels` | Custom labels be added to each AppRepository-generated CronJob, Job and Pod | `{}` |
+| `apprepository.initialReposProxy.enabled` | Enables the proxy | `false` |
+| `apprepository.initialReposProxy.httpProxy` | URL for the http proxy | `""` |
+| `apprepository.initialReposProxy.httpsProxy` | URL for the https proxy | `""` |
+| `apprepository.initialReposProxy.noProxy` | URL to exclude from using the proxy | `""` |
+| `apprepository.crontab` | Default schedule for syncing App repositories (defaults to every 10 minutes) | `""` |
+| `apprepository.watchAllNamespaces` | Watch all namespaces to support separate AppRepositories per namespace | `true` |
+| `apprepository.extraFlags` | Additional command line flags for AppRepository Controller | `[]` |
+| `apprepository.replicaCount` | Number of AppRepository Controller replicas to deploy | `1` |
+| `apprepository.updateStrategy.type` | AppRepository Controller deployment strategy type. | `RollingUpdate` |
+| `apprepository.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if apprepository.resources is set (apprepository.resources is recommended for production). | `micro` |
+| `apprepository.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `apprepository.podSecurityContext.enabled` | Enabled AppRepository Controller pods' Security Context | `true` |
+| `apprepository.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `apprepository.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `apprepository.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `apprepository.podSecurityContext.fsGroup` | Set AppRepository Controller pod's Security Context fsGroup | `1001` |
+| `apprepository.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `apprepository.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `apprepository.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `apprepository.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
+| `apprepository.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `apprepository.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `apprepository.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
+| `apprepository.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `apprepository.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `apprepository.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `apprepository.lifecycleHooks` | Custom lifecycle hooks for AppRepository Controller containers | `{}` |
+| `apprepository.command` | Override default container command (useful when using custom images) | `[]` |
+| `apprepository.args` | Override default container args (useful when using custom images) | `[]` |
+| `apprepository.extraEnvVars` | Array with extra environment variables to add to AppRepository Controller pod(s) | `[]` |
+| `apprepository.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for AppRepository Controller pod(s) | `""` |
+| `apprepository.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for AppRepository Controller pod(s) | `""` |
+| `apprepository.extraVolumes` | Optionally specify extra list of additional volumes for the AppRepository Controller pod(s) | `[]` |
+| `apprepository.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the AppRepository Controller container(s) | `[]` |
+| `apprepository.podLabels` | Extra labels for AppRepository Controller pods | `{}` |
+| `apprepository.podAnnotations` | Annotations for AppRepository Controller pods | `{}` |
+| `apprepository.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `apprepository.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `apprepository.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `apprepository.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
+| `apprepository.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
+| `apprepository.affinity` | Affinity for pod assignment | `{}` |
+| `apprepository.nodeSelector` | Node labels for pod assignment | `{}` |
+| `apprepository.tolerations` | Tolerations for pod assignment | `[]` |
+| `apprepository.priorityClassName` | Priority class name for AppRepository Controller pods | `""` |
+| `apprepository.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
+| `apprepository.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
+| `apprepository.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
+| `apprepository.hostAliases` | Custom host aliases for AppRepository Controller pods | `[]` |
+| `apprepository.sidecars` | Add additional sidecar containers to the AppRepository Controller pod(s) | `[]` |
+| `apprepository.initContainers` | Add additional init containers to the AppRepository Controller pod(s) | `[]` |
+| `apprepository.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `apprepository.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `apprepository.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `apprepository.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `apprepository.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `apprepository.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
+| `apprepository.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
+| `apprepository.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
+| `apprepository.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
+
+### Auth Proxy parameters
+
+| Name | Description | Value |
+| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
+| `authProxy.enabled` | Specifies whether Kubeapps should configure OAuth login/logout | `false` |
+| `authProxy.image.registry` | OAuth2 Proxy image registry | `REGISTRY_NAME` |
+| `authProxy.image.repository` | OAuth2 Proxy image repository | `REPOSITORY_NAME/oauth2-proxy` |
+| `authProxy.image.digest` | OAuth2 Proxy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `authProxy.image.pullPolicy` | OAuth2 Proxy image pull policy | `IfNotPresent` |
+| `authProxy.image.pullSecrets` | OAuth2 Proxy image pull secrets | `[]` |
+| `authProxy.external` | Use an external Auth Proxy instead of deploying its own one | `false` |
+| `authProxy.oauthLoginURI` | OAuth Login URI to which the Kubeapps frontend redirects for authn | `/oauth2/start` |
+| `authProxy.oauthLogoutURI` | OAuth Logout URI to which the Kubeapps frontend redirects for authn | `/oauth2/sign_out` |
+| `authProxy.skipKubeappsLoginPage` | Skip the Kubeapps login page when using OIDC and directly redirect to the IdP | `false` |
+| `authProxy.provider` | OAuth provider | `""` |
+| `authProxy.clientID` | OAuth Client ID | `""` |
+| `authProxy.clientSecret` | OAuth Client secret | `""` |
+| `authProxy.cookieSecret` | Secret used by oauth2-proxy to encrypt any credentials | `""` |
+| `authProxy.existingOauth2Secret` | Name of an existing secret containing the OAuth client secrets, it should contain the keys clientID, clientSecret, and cookieSecret | `""` |
+| `authProxy.cookieRefresh` | Duration after which to refresh the cookie | `2m` |
+| `authProxy.scope` | OAuth scope specification | `openid email groups` |
+| `authProxy.emailDomain` | Allowed email domains | `*` |
+| `authProxy.extraFlags` | Additional command line flags for oauth2-proxy | `[]` |
+| `authProxy.lifecycleHooks` | for the Auth Proxy container(s) to automate configuration before or after startup | `{}` |
+| `authProxy.command` | Override default container command (useful when using custom images) | `[]` |
+| `authProxy.args` | Override default container args (useful when using custom images) | `[]` |
+| `authProxy.extraEnvVars` | Array with extra environment variables to add to the Auth Proxy container | `[]` |
+| `authProxy.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Auth Proxy containers(s) | `""` |
+| `authProxy.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Auth Proxy containers(s) | `""` |
+| `authProxy.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Auth Proxy container(s) | `[]` |
+| `authProxy.containerPorts.proxy` | Auth Proxy HTTP container port | `3000` |
+| `authProxy.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `authProxy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `authProxy.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `authProxy.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
+| `authProxy.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `authProxy.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `authProxy.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
+| `authProxy.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `authProxy.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `authProxy.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `authProxy.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if authProxy.resources is set (authProxy.resources is recommended for production). | `micro` |
+| `authProxy.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+
+### Pinniped Proxy parameters
+
+| Name | Description | Value |
+| ----------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- |
+| `pinnipedProxy.enabled` | Specifies whether Kubeapps should configure Pinniped Proxy | `false` |
+| `pinnipedProxy.image.registry` | Pinniped Proxy image registry | `REGISTRY_NAME` |
+| `pinnipedProxy.image.repository` | Pinniped Proxy image repository | `REPOSITORY_NAME/kubeapps-pinniped-proxy` |
+| `pinnipedProxy.image.digest` | Pinniped Proxy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `pinnipedProxy.image.pullPolicy` | Pinniped Proxy image pull policy | `IfNotPresent` |
+| `pinnipedProxy.image.pullSecrets` | Pinniped Proxy image pull secrets | `[]` |
+| `pinnipedProxy.defaultPinnipedNamespace` | Namespace in which pinniped concierge is installed | `pinniped-concierge` |
+| `pinnipedProxy.defaultAuthenticatorType` | Authenticator type | `JWTAuthenticator` |
+| `pinnipedProxy.defaultAuthenticatorName` | Authenticator name | `jwt-authenticator` |
+| `pinnipedProxy.defaultPinnipedAPISuffix` | API suffix | `pinniped.dev` |
+| `pinnipedProxy.tls.existingSecret` | TLS secret with which to proxy requests | `""` |
+| `pinnipedProxy.tls.caCertificate` | TLS CA cert config map which clients of pinniped proxy should use with TLS requests | `""` |
+| `pinnipedProxy.lifecycleHooks` | For the Pinniped Proxy container(s) to automate configuration before or after startup | `{}` |
+| `pinnipedProxy.command` | Override default container command (useful when using custom images) | `[]` |
+| `pinnipedProxy.args` | Override default container args (useful when using custom images) | `[]` |
+| `pinnipedProxy.extraEnvVars` | Array with extra environment variables to add to Pinniped Proxy container(s) | `[]` |
+| `pinnipedProxy.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Pinniped Proxy container(s) | `""` |
+| `pinnipedProxy.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Pinniped Proxy container(s) | `""` |
+| `pinnipedProxy.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Pinniped Proxy container(s) | `[]` |
+| `pinnipedProxy.containerPorts.pinnipedProxy` | Pinniped Proxy container port | `3333` |
+| `pinnipedProxy.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `pinnipedProxy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `pinnipedProxy.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `pinnipedProxy.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
+| `pinnipedProxy.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `pinnipedProxy.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `pinnipedProxy.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
+| `pinnipedProxy.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `pinnipedProxy.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `pinnipedProxy.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `pinnipedProxy.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if pinnipedProxy.resources is set (pinnipedProxy.resources is recommended for production). | `micro` |
+| `pinnipedProxy.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `pinnipedProxy.service.ports.pinnipedProxy` | Pinniped Proxy service port | `3333` |
+| `pinnipedProxy.service.annotations` | Additional custom annotations for Pinniped Proxy service | `{}` |
+
+### Other Parameters
+
+| Name | Description | Value |
+| ------------- | --------------------------------------------------------- | ------ |
+| `clusters` | List of clusters that Kubeapps can target for deployments | `[]` |
+| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
+
+### Feature flags
+
+| Name | Description | Value |
+| --------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------- |
+| `featureFlags.apiOnly.enabled` | Enable ingress for API operations only. Access to "/" will not be possible, so Dashboard will be unusable. | `false` |
+| `featureFlags.apiOnly.grpc.annotations` | Specific annotations for the GRPC ingress in API-only mode | `{}` |
+| `featureFlags.operators` | Enable support for Operators in Kubeapps | `false` |
+| `featureFlags.schemaEditor.enabled` | Enable a visual editor for customizing the package schemas | `false` |
+
+### Database Parameters
+
+| Name | Description | Value |
+| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
+| `postgresql.enabled` | Deploy a PostgreSQL server to satisfy the applications database requirements | `true` |
+| `postgresql.auth.username` | Username for PostgreSQL server | `postgres` |
+| `postgresql.auth.postgresPassword` | Password for 'postgres' user | `""` |
+| `postgresql.auth.database` | Name for a custom database to create | `assets` |
+| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
+| `postgresql.primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `false` |
+| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
+| `postgresql.securityContext.enabled` | Enabled PostgreSQL replicas pods' Security Context | `false` |
+| `postgresql.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if postgresql.resources is set (postgresql.resources is recommended for production). | `micro` |
+| `postgresql.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+
+### kubeappsapis parameters
+
+| Name | Description | Value |
+| ----------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- |
+| `kubeappsapis.enabledPlugins` | Manually override which plugins are enabled for the Kubeapps-APIs service | `[]` |
+| `kubeappsapis.pluginConfig.core.packages.v1alpha1.versionsInSummary.major` | Number of major versions to display in the summary | `3` |
+| `kubeappsapis.pluginConfig.core.packages.v1alpha1.versionsInSummary.minor` | Number of minor versions to display in the summary | `3` |
+| `kubeappsapis.pluginConfig.core.packages.v1alpha1.versionsInSummary.patch` | Number of patch versions to display in the summary | `3` |
+| `kubeappsapis.pluginConfig.core.packages.v1alpha1.timeoutSeconds` | Value to wait for Kubernetes commands to complete | `300` |
+| `kubeappsapis.pluginConfig.helm.packages.v1alpha1.globalPackagingNamespace` | Custom global packaging namespace. Using this value will override the current "kubeapps release namespace + suffix" pattern and will create a new namespace if not exists. | `""` |
+| `kubeappsapis.pluginConfig.kappController.packages.v1alpha1.defaultUpgradePolicy` | Default upgrade policy generating version constraints | `none` |
+| `kubeappsapis.pluginConfig.kappController.packages.v1alpha1.defaultPrereleasesVersionSelection` | Default policy for allowing prereleases containing one of the identifiers | `nil` |
+| `kubeappsapis.pluginConfig.kappController.packages.v1alpha1.defaultAllowDowngrades` | Default policy for allowing applications to be downgraded to previous versions | `false` |
+| `kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace` | Default global packaging namespace | `kapp-controller-packaging-global` |
+| `kubeappsapis.pluginConfig.flux.packages.v1alpha1.defaultUpgradePolicy` | Default upgrade policy generating version constraints | `none` |
+| `kubeappsapis.pluginConfig.flux.packages.v1alpha1.noCrossNamespaceRefs` | Enable this flag to disallow cross-namespace references, useful when running Flux on multi-tenant clusters | `false` |
+| `kubeappsapis.pluginConfig.resources.packages.v1alpha1.trustedNamespaces.headerName` | Optional header name for trusted namespaces | `""` |
+| `kubeappsapis.pluginConfig.resources.packages.v1alpha1.trustedNamespaces.headerPattern` | Optional header pattern for trusted namespaces | `""` |
+| `kubeappsapis.image.registry` | Kubeapps-APIs image registry | `REGISTRY_NAME` |
+| `kubeappsapis.image.repository` | Kubeapps-APIs image repository | `REPOSITORY_NAME/kubeapps-apis` |
+| `kubeappsapis.image.digest` | Kubeapps-APIs image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `kubeappsapis.image.pullPolicy` | Kubeapps-APIs image pull policy | `IfNotPresent` |
+| `kubeappsapis.image.pullSecrets` | Kubeapps-APIs image pull secrets | `[]` |
+| `kubeappsapis.replicaCount` | Number of frontend replicas to deploy | `2` |
+| `kubeappsapis.updateStrategy.type` | KubeappsAPIs deployment strategy type. | `RollingUpdate` |
+| `kubeappsapis.extraFlags` | Additional command line flags for KubeappsAPIs | `[]` |
+| `kubeappsapis.qps` | KubeappsAPIs Kubernetes API client QPS limit | `50.0` |
+| `kubeappsapis.burst` | KubeappsAPIs Kubernetes API client Burst limit | `100` |
+| `kubeappsapis.terminationGracePeriodSeconds` | The grace time period for sig term | `300` |
+| `kubeappsapis.extraEnvVars` | Array with extra environment variables to add to the KubeappsAPIs container | `[]` |
+| `kubeappsapis.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the KubeappsAPIs container | `""` |
+| `kubeappsapis.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the KubeappsAPIs container | `""` |
+| `kubeappsapis.containerPorts.http` | KubeappsAPIs HTTP container port | `50051` |
+| `kubeappsapis.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if kubeappsapis.resources is set (kubeappsapis.resources is recommended for production). | `micro` |
+| `kubeappsapis.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `kubeappsapis.podSecurityContext.enabled` | Enabled KubeappsAPIs pods' Security Context | `true` |
+| `kubeappsapis.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `kubeappsapis.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `kubeappsapis.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `kubeappsapis.podSecurityContext.fsGroup` | Set KubeappsAPIs pod's Security Context fsGroup | `1001` |
+| `kubeappsapis.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `kubeappsapis.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `kubeappsapis.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `kubeappsapis.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
+| `kubeappsapis.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `kubeappsapis.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `kubeappsapis.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
+| `kubeappsapis.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `kubeappsapis.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `kubeappsapis.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `kubeappsapis.livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `kubeappsapis.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
+| `kubeappsapis.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `kubeappsapis.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `kubeappsapis.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `kubeappsapis.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `kubeappsapis.readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `kubeappsapis.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
+| `kubeappsapis.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
+| `kubeappsapis.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
+| `kubeappsapis.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `kubeappsapis.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `kubeappsapis.startupProbe.enabled` | Enable startupProbe | `false` |
+| `kubeappsapis.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
+| `kubeappsapis.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `kubeappsapis.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `kubeappsapis.startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
+| `kubeappsapis.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `kubeappsapis.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `kubeappsapis.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `kubeappsapis.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `kubeappsapis.lifecycleHooks` | Custom lifecycle hooks for KubeappsAPIs containers | `{}` |
+| `kubeappsapis.command` | Override default container command (useful when using custom images) | `[]` |
+| `kubeappsapis.args` | Override default container args (useful when using custom images) | `[]` |
+| `kubeappsapis.extraVolumes` | Optionally specify extra list of additional volumes for the KubeappsAPIs pod(s) | `[]` |
+| `kubeappsapis.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the KubeappsAPIs container(s) | `[]` |
+| `kubeappsapis.podLabels` | Extra labels for KubeappsAPIs pods | `{}` |
+| `kubeappsapis.podAnnotations` | Annotations for KubeappsAPIs pods | `{}` |
+| `kubeappsapis.podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `kubeappsapis.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `kubeappsapis.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `kubeappsapis.nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
+| `kubeappsapis.nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
+| `kubeappsapis.affinity` | Affinity for pod assignment | `{}` |
+| `kubeappsapis.nodeSelector` | Node labels for pod assignment | `{}` |
+| `kubeappsapis.tolerations` | Tolerations for pod assignment | `[]` |
+| `kubeappsapis.priorityClassName` | Priority class name for KubeappsAPIs pods | `""` |
+| `kubeappsapis.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
+| `kubeappsapis.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
+| `kubeappsapis.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
+| `kubeappsapis.hostAliases` | Custom host aliases for KubeappsAPIs pods | `[]` |
+| `kubeappsapis.sidecars` | Add additional sidecar containers to the KubeappsAPIs pod(s) | `[]` |
+| `kubeappsapis.initContainers` | Add additional init containers to the KubeappsAPIs pod(s) | `[]` |
+| `kubeappsapis.service.ports.http` | KubeappsAPIs service HTTP port | `8080` |
+| `kubeappsapis.service.annotations` | Additional custom annotations for KubeappsAPIs service | `{}` |
+| `kubeappsapis.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `kubeappsapis.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `kubeappsapis.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `kubeappsapis.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
+| `kubeappsapis.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `kubeappsapis.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `kubeappsapis.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `kubeappsapis.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+| `kubeappsapis.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
+| `kubeappsapis.serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
+| `kubeappsapis.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
+| `kubeappsapis.serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
+
+### OCI Catalog chart configuration
+
+| Name | Description | Value |
+| -------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
+| `ociCatalog.enabled` | Enable the OCI catalog gRPC service for cataloging | `false` |
+| `ociCatalog.image.registry` | OCI Catalog image registry | `REGISTRY_NAME` |
+| `ociCatalog.image.repository` | OCI Catalog image repository | `REPOSITORY_NAME/kubeapps-oci-catalog` |
+| `ociCatalog.image.digest` | OCI Catalog image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `ociCatalog.image.pullPolicy` | OCI Catalog image pull policy | `IfNotPresent` |
+| `ociCatalog.image.pullSecrets` | OCI Catalog image pull secrets | `[]` |
+| `ociCatalog.image.debug` | Enable image debug mode | `false` |
+| `ociCatalog.extraFlags` | Additional command line flags for OCI Catalog | `[]` |
+| `ociCatalog.extraEnvVars` | Array with extra environment variables to add to the oci-catalog container | `[]` |
+| `ociCatalog.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for the OCI Catalog container | `""` |
+| `ociCatalog.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the OCI Catalog container | `""` |
+| `ociCatalog.containerPorts.grpc` | OCI Catalog gRPC container port | `50061` |
+| `ociCatalog.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if ociCatalog.resources is set (ociCatalog.resources is recommended for production). | `micro` |
+| `ociCatalog.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `ociCatalog.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `ociCatalog.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `ociCatalog.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `ociCatalog.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
+| `ociCatalog.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `ociCatalog.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `ociCatalog.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
+| `ociCatalog.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `ociCatalog.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `ociCatalog.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `ociCatalog.livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `ociCatalog.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
+| `ociCatalog.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `ociCatalog.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `ociCatalog.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `ociCatalog.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `ociCatalog.readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `ociCatalog.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
+| `ociCatalog.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
+| `ociCatalog.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
+| `ociCatalog.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `ociCatalog.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `ociCatalog.startupProbe.enabled` | Enable startupProbe | `false` |
+| `ociCatalog.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
+| `ociCatalog.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `ociCatalog.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `ociCatalog.startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
+| `ociCatalog.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `ociCatalog.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `ociCatalog.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `ociCatalog.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `ociCatalog.lifecycleHooks` | Custom lifecycle hooks for OCI Catalog containers | `{}` |
+| `ociCatalog.command` | Override default container command (useful when using custom images) | `[]` |
+| `ociCatalog.args` | Override default container args (useful when using custom images) | `[]` |
+| `ociCatalog.extraVolumes` | Optionally specify extra list of additional volumes for the OCI Catalog pod(s) | `[]` |
+| `ociCatalog.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the OCI Catalog container(s) | `[]` |
+
+### Redis® chart configuration
+
+| Name | Description | Value |
+| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------- |
+| `redis.auth.enabled` | Enable password authentication | `true` |
+| `redis.auth.password` | Redis® password | `""` |
+| `redis.auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` |
+| `redis.architecture` | Redis(R) architecture (`standalone` or `replication`) | `standalone` |
+| `redis.master.extraFlags` | Array with additional command line flags for Redis® master | `["--maxmemory 200mb","--maxmemory-policy allkeys-lru"]` |
+| `redis.master.disableCommands` | Array with commands to deactivate on Redis® | `[]` |
+| `redis.master.persistence.enabled` | Enable Redis® master data persistence using PVC | `false` |
+| `redis.master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). 
| `nano` | +| `redis.master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `redis.replica.replicaCount` | Number of Redis® replicas to deploy | `1` | +| `redis.replica.extraFlags` | Array with additional command line flags for Redis® replicas | `["--maxmemory 200mb","--maxmemory-policy allkeys-lru"]` | +| `redis.replica.disableCommands` | Array with commands to deactivate on Redis® | `[]` | +| `redis.replica.persistence.enabled` | Enable Redis® replica data persistence using PVC | `false` | ```console -helm repo update -``` - -Now upgrade Kubeapps: - -```console -export RELEASE_NAME=kubeapps -helm upgrade $RELEASE_NAME oci://REGISTRY_NAME/REPOSITORY_NAME/kubeapps +helm install kubeapps --namespace kubeapps \ + --set ingress.enabled=true \ + oci://REGISTRY_NAME/REPOSITORY_NAME/kubeapps ``` > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. -If you find issues upgrading Kubeapps, check the [troubleshooting](#error-while-upgrading-the-chart) section. +The above command enables an Ingress Rule to expose Kubeapps. -### To 14.0.0 +Alternatively, a YAML file that specifies the values for parameters can be provided while installing the chart. For example, -This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version. 
+```console +helm install kubeapps --namespace kubeapps -f custom-values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/kubeapps +``` -### To 13.0.0 +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. -This major updates the Redis® subchart to its newest major, 18.0.0. [Here](https://github.com/bitnami/charts/tree/main/bitnami/redis#to-1800) you can find more information about the changes introduced in that version. +## Troubleshooting -NOTE: Due to an error in our release process, Redis®' chart versions higher or equal than 17.15.4 already use Redis® 7.2 by default. +### How to install Kubeapps for demo purposes? -### To 12.0.0 +Install Kubeapps for exclusively **demo purposes** by simply following the [getting started](https://github.com/vmware-tanzu/kubeapps/blob/main/site/content/docs/latest/tutorials/getting-started.md) docs. -This major updates the PostgreSQL subchart to its newest major, 12.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1200) you can find more information about the changes introduced in that version. +### How to install Kubeapps in production scenarios? -## Uninstalling the Chart +For any user-facing installation, you should [configure an OAuth2/OIDC provider](https://github.com/vmware-tanzu/kubeapps/blob/main/site/content/docs/latest/tutorials/using-an-OIDC-provider.md) to enable secure user authentication with Kubeapps and the cluster. +Please also refer to the [Access Control](https://github.com/vmware-tanzu/kubeapps/blob/main/site/content/docs/latest/howto/access-control.md) documentation to configure fine-grained access control for users. + +### How to use Kubeapps? 
+ +Have a look at the [dashboard documentation](https://github.com/vmware-tanzu/kubeapps/blob/main/site/content/docs/latest/howto/dashboard.md) for knowing how to use the Kubeapps dashboard: deploying applications, listing and removing the applications running in your cluster and adding new repositories. + +### How to uninstall Kubeapps To uninstall/delete the `kubeapps` deployment: 
@@ -825,35 +813,6 @@ If you have dedicated a namespace only for Kubeapps you can completely clean the kubectl delete namespace kubeapps ``` -## FAQ - -- [How to install Kubeapps for demo purposes?](#how-to-install-kubeapps-for-demo-purposes) -- [How to install Kubeapps in production scenarios?](#how-to-install-kubeapps-in-production-scenarios) -- [How to use Kubeapps?](#how-to-use-kubeapps) -- [How to configure Kubeapps with Ingress](#how-to-configure-kubeapps-with-ingress) - - [Serving Kubeapps in a subpath](#serving-kubeapps-in-a-subpath) -- [Can Kubeapps install apps into more than one cluster?](#can-kubeapps-install-apps-into-more-than-one-cluster) -- [Can Kubeapps be installed without Internet connection?](#can-kubeapps-be-installed-without-internet-connection) -- [Does Kubeapps support private repositories?](#does-kubeapps-support-private-repositories) -- [Is there any API documentation?](#is-there-any-api-documentation) -- [Why can't I configure global private repositories?](#why-cant-i-configure-global-private-repositories) -- [Does Kubeapps support Operators?](#does-kubeapps-support-operators) -- [Slow response when listing namespaces?](#slow-response-when-listing-namespaces) -- [More questions?](#more-questions) - -### How to install Kubeapps for demo purposes? - -Install Kubeapps for exclusively **demo purposes** by simply following the [getting started](https://github.com/vmware-tanzu/kubeapps/blob/main/site/content/docs/latest/tutorials/getting-started.md) docs. - -### How to install Kubeapps in production scenarios? - -For any user-facing installation, you should [configure an OAuth2/OIDC provider](https://github.com/vmware-tanzu/kubeapps/blob/main/site/content/docs/latest/tutorials/using-an-OIDC-provider.md) to enable secure user authentication with Kubeapps and the cluster. 
-Please also refer to the [Access Control](https://github.com/vmware-tanzu/kubeapps/blob/main/site/content/docs/latest/howto/access-control.md) documentation to configure fine-grained access control for users. - -### How to use Kubeapps? - -Have a look at the [dashboard documentation](https://github.com/vmware-tanzu/kubeapps/blob/main/site/content/docs/latest/howto/dashboard.md) for knowing how to use the Kubeapps dashboard: deploying applications, listing and removing the applications running in your cluster and adding new repositories. - ### How to configure Kubeapps with Ingress The example below will match the URL `http://example.com` to the Kubeapps dashboard. For further configuration, please refer to your specific Ingress configuration docs (e.g., [NGINX](https://github.com/kubernetes/ingress-nginx) or [HAProxy](https://github.com/haproxytech/kubernetes-ingress)). 
@@ -943,45 +902,6 @@ This can lead to a slow response if the number of namespaces on the cluster is l To reduce this response time, you can increase the number of checks that Kubeapps will perform in parallel (per connection) setting the value: `kubeappsapis.burst=` and `kubeappsapis.QPS=`. -### More questions? - -Feel free to [open an issue](https://github.com/vmware-tanzu/kubeapps/issues/new) if you have any questions! - -## Troubleshooting - -### Upgrading to chart version 8.0.0 - -This major release renames several values in this chart and adds missing features, in order to get aligned with the rest of the assets in the Bitnami charts repository. - -Additionally, it updates both the [PostgreSQL](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) and the [Redis](https://github.com/bitnami/charts/tree/main/bitnami/redis) subcharts to their latest major versions, 11.0.0 and 16.0.0 respectively, where similar changes have been also performed. -Check [PostgreSQL Upgrading Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1100) and [Redis Upgrading Notes](https://github.com/bitnami/charts/tree/main/bitnami/redis#to-1600) for more information. - -The following values have been renamed: - -- `frontend.service.port` renamed as `frontend.service.ports.http`. -- `frontend.service.nodePort` renamed as `frontend.service.nodePorts.http`. -- `frontend.containerPort` renamed as `frontend.containerPorts.http`. -- `dashboard.service.port` renamed as `dashboard.service.ports.http`. -- `dashboard.containerPort` renamed as `dashboard.containerPorts.http`. -- `apprepository.service.port` renamed as `apprepository.service.ports.http`. -- `apprepository.containerPort` renamed as `apprepository.containerPorts.http`. -- `kubeops.service.port` renamed as `kubeops.service.ports.http`. -- `kubeops.containerPort` renamed as `kubeops.containerPorts.http`. -- `assetsvc.service.port` renamed as `assetsvc.service.ports.http`. 
-- `assetsvc.containerPort` renamed as `assetsvc.containerPorts.http`. -- `authProxy.containerPort` renamed as `authProxy.containerPorts.proxy`. -- `authProxy.additionalFlags` renamed as `authProxy.extraFlags`, -- Pinniped Proxy service no longer uses `pinnipedProxy.containerPort`. Use `pinnipedProxy.service.ports.pinnipedProxy` to change the service port. -- `pinnipedProxy.containerPort` renamed as `pinnipedProxy.containerPorts.pinnipedProxy`. -- `postgresql.replication.enabled` has been removed. Use `postgresql.architecture` instead. -- `postgresql.postgresqlDatabase` renamed as `postgresql.auth.database`. -- `postgresql.postgresqlPassword` renamed as `postgresql.auth.password`. -- `postgresql.existingSecret` renamed as `postgresql.auth.existingSecret`. -- `redis.redisPassword` renamed as `redis.auth.password`. -- `redis.existingSecret` renamed as `redis.auth.existingSecret`. - -Note also that if you have an existing Postgresql secret that is used for Kubeapps, you will need to update the key from `postgresql-password` to `postgres-password`. - ### Nginx Ipv6 error When starting the application with the `--set enableIPv6=true` option, the Nginx server present in the services `kubeapps` and `kubeapps-internal-dashboard` may fail with the following: 
@@ -1025,8 +945,8 @@ helm install --name kubeapps --namespace kubeapps oci://REGISTRY_NAME/REPOSITORY It is possible that when upgrading Kubeapps an error appears. That can be caused by a breaking change in the new chart or because the current chart installation is in an inconsistent state. If you find issues upgrading Kubeapps you can follow these steps: > Note: These steps assume that you have installed Kubeapps in the namespace `kubeapps` using the name `kubeapps`. If that is not the case replace the command with your namespace and/or name. -> Note: If you are upgrading from 2.3.1 see the [following section](#upgrading-to-231). -> Note: If you are upgrading from 1.X to 2.X see the [following section](#upgrading-to-20). +> Note: If you are upgrading from 2.3.1 see the [following section](#to-600). +> Note: If you are upgrading from 1.X to 2.X see the [following section](#to-400). 1. (Optional) Backup your personal repositories (if you have any): 
@@ -1073,7 +993,93 @@ It is possible that when upgrading Kubeapps an error appears. That can be caused After that you should be able to access the new version of Kubeapps. If the above doesn't work for you or you run into any other issues please open an [issue](https://github.com/vmware-tanzu/kubeapps/issues/new). -### Upgrading to chart version 7.0.0 +### More questions? + +Feel free to [open an issue](https://github.com/vmware-tanzu/kubeapps/issues/new) if you have any questions! + +## Upgrading Kubeapps + +You can upgrade Kubeapps from the Kubeapps web interface. Select the namespace in which Kubeapps is installed (`kubeapps` if you followed the instructions in this guide) and click on the "Upgrade" button. Select the new version and confirm. + +You can also use the Helm CLI to upgrade Kubeapps, first ensure you have updated your local chart repository cache: + +```console +helm repo update +``` + +Now upgrade Kubeapps: + +```console +export RELEASE_NAME=kubeapps +helm upgrade $RELEASE_NAME oci://REGISTRY_NAME/REPOSITORY_NAME/kubeapps +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +If you find issues upgrading Kubeapps, check the [troubleshooting](#error-while-upgrading-the-chart) section. + +### To 15.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. +- The `networkPolicy` section has been normalized amongst all Bitnami charts. 
Compared to the previous approach, the values section has been simplified (check the Parameters section) and now it set to `enabled=true` by default. Egress traffic is allowed by default and ingress traffic is allowed by all pods but only to the ports set in `containerPorts`. +- The PostgreSQL subchart was updated to version 15.2.1, with the same security improvements. +- The Redis subchart was updated to version 19.0.2, with the same security improvements. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + +### To 14.0.0 + +This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version. + +### To 13.0.0 + +This major updates the Redis® subchart to its newest major, 18.0.0. [Here](https://github.com/bitnami/charts/tree/main/bitnami/redis#to-1800) you can find more information about the changes introduced in that version. + +NOTE: Due to an error in our release process, Redis®' chart versions higher or equal than 17.15.4 already use Redis® 7.2 by default. + +### To 12.0.0 + +This major updates the PostgreSQL subchart to its newest major, 12.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1200) you can find more information about the changes introduced in that version. + +### To 8.0.0 + +This major release renames several values in this chart and adds missing features, in order to get aligned with the rest of the assets in the Bitnami charts repository. + +Additionally, it updates both the [PostgreSQL](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) and the [Redis](https://github.com/bitnami/charts/tree/main/bitnami/redis) subcharts to their latest major versions, 11.0.0 and 16.0.0 respectively, where similar changes have been also performed. 
+Check [PostgreSQL Upgrading Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1100) and [Redis Upgrading Notes](https://github.com/bitnami/charts/tree/main/bitnami/redis#to-1600) for more information. + +The following values have been renamed: + +- `frontend.service.port` renamed as `frontend.service.ports.http`. +- `frontend.service.nodePort` renamed as `frontend.service.nodePorts.http`. +- `frontend.containerPort` renamed as `frontend.containerPorts.http`. +- `dashboard.service.port` renamed as `dashboard.service.ports.http`. +- `dashboard.containerPort` renamed as `dashboard.containerPorts.http`. +- `apprepository.service.port` renamed as `apprepository.service.ports.http`. +- `apprepository.containerPort` renamed as `apprepository.containerPorts.http`. +- `kubeops.service.port` renamed as `kubeops.service.ports.http`. +- `kubeops.containerPort` renamed as `kubeops.containerPorts.http`. +- `assetsvc.service.port` renamed as `assetsvc.service.ports.http`. +- `assetsvc.containerPort` renamed as `assetsvc.containerPorts.http`. +- `authProxy.containerPort` renamed as `authProxy.containerPorts.proxy`. +- `authProxy.additionalFlags` renamed as `authProxy.extraFlags`, +- Pinniped Proxy service no longer uses `pinnipedProxy.containerPort`. Use `pinnipedProxy.service.ports.pinnipedProxy` to change the service port. +- `pinnipedProxy.containerPort` renamed as `pinnipedProxy.containerPorts.pinnipedProxy`. +- `postgresql.replication.enabled` has been removed. Use `postgresql.architecture` instead. +- `postgresql.postgresqlDatabase` renamed as `postgresql.auth.database`. +- `postgresql.postgresqlPassword` renamed as `postgresql.auth.password`. +- `postgresql.existingSecret` renamed as `postgresql.auth.existingSecret`. +- `redis.redisPassword` renamed as `redis.auth.password`. +- `redis.existingSecret` renamed as `redis.auth.existingSecret`. 
+ +Note also that if you have an existing Postgresql secret that is used for Kubeapps, you will need to update the key from `postgresql-password` to `postgres-password`. + +### To 7.0.0 In this release, no breaking changes were included in Kubeapps (version 2.3.2). However, the chart adopted the standardizations included in the rest of the charts in the Bitnami catalog. @@ -1082,7 +1088,7 @@ Most of these standardizations simply add new parameters that allow to add more - Chart labels were adapted to follow the [Helm charts standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels). - `securityContext.*` parameters are deprecated in favor of `XXX.podSecurityContext.*` and `XXX.containerSecurityContext.*`, where _XXX_ is placeholder you need to replace with the actual component(s). For instance, to modify the container security context for "kubeops" use `kubeops.podSecurityContext` and `kubeops.containerSecurityContext` parameters. -### Upgrading to 2.3.1 +### To 6.0.0 Kubeapps 2.3.1 (Chart version 6.0.0) introduces some breaking changes. Helm-specific functionality has been removed in order to support other installation methods (like using YAML manifests, [`kapp`](https://carvel.dev/kapp) or [`kustomize`](https://kustomize.io/)). Because of that, there are some steps required before upgrading from a previous version: 
@@ -1128,7 +1134,7 @@ helm upgrade kubeapps oci://REGISTRY_NAME/REPOSITORY_NAME/kubeapps -n kubeapps - > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. -### Upgrading to 2.0.1 (Chart 5.0.0) +### To 5.0.0 [On November 13, 2020, Helm 2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm 3 and to be consistent with the Helm project itself regarding the Helm 2 EOL. @@ -1158,7 +1164,7 @@ kubectl delete statefulset -n kubeapps kubeapps-postgresql-master kubeapps-postg - - -### Upgrading to 2.0 +### To 4.0.0 Kubeapps 2.0 (Chart version 4.0.0) introduces some breaking changes: diff --git a/packages/system/dashboard/charts/kubeapps/charts/common/Chart.yaml b/packages/system/dashboard/charts/kubeapps/charts/common/Chart.yaml index f86ccd23..8d0e5469 100644 --- a/packages/system/dashboard/charts/kubeapps/charts/common/Chart.yaml +++ b/packages/system/dashboard/charts/kubeapps/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.19.0 +appVersion: 2.19.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.19.0 +version: 2.19.1 diff --git a/packages/system/dashboard/charts/kubeapps/charts/common/templates/_resources.tpl b/packages/system/dashboard/charts/kubeapps/charts/common/templates/_resources.tpl index d90f8752..030fa1a9 100644 
--- a/packages/system/dashboard/charts/kubeapps/charts/common/templates/_resources.tpl +++ b/packages/system/dashboard/charts/kubeapps/charts/common/templates/_resources.tpl @@ -11,7 +11,7 @@ These presets are for basic testing and not meant to be used in production {{ include "common.resources.preset" (dict "type" "nano") -}} */}} {{- define "common.resources.preset" -}} -{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} {{- $presets := dict "nano" (dict "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") @@ -34,11 +34,11 @@ These presets are for basic testing and not meant to be used in production "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi") ) "xlarge" (dict - "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi") + "requests" (dict "cpu" "1.5" "memory" "4096Mi" "ephemeral-storage" "50Mi") "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi") ) "2xlarge" (dict - "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi") + "requests" (dict "cpu" "1.5" "memory" "4096Mi" "ephemeral-storage" "50Mi") "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi") ) }} @@ -47,4 +47,4 @@ These presets are for basic testing and not meant to be used in production {{- else -}} {{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/packages/system/dashboard/charts/kubeapps/charts/redis/Chart.yaml b/packages/system/dashboard/charts/kubeapps/charts/redis/Chart.yaml index b72d1d5c..b767df5f 100644 --- a/packages/system/dashboard/charts/kubeapps/charts/redis/Chart.yaml +++ b/packages/system/dashboard/charts/kubeapps/charts/redis/Chart.yaml 
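Review bot: The updated comment in `common.resources.preset` names xlarge/2xlarge as exceptions to the 50% rule but does not say what those presets do instead, and the second hunk makes the `2xlarge` requests identical to `xlarge` (`"cpu" "1.5" "memory" "4096Mi"`) while its limits stay at `"cpu" "6.0" "memory" "12288Mi"`. The scheduler therefore reserves only a quarter of the CPU and a third of the memory a 2xlarge container is allowed to use, so a node can be overcommitted and the pod becomes a candidate for OOM kill or eviction under memory pressure. I would spell that out in the comment, e.g. `{{/* Limits are requests +50% (except ephemeral-storage); xlarge and 2xlarge share the same requests and differ only in limits, so set explicit resources for production */}}`. The preset dict continues between the hunks, so the smaller sizes are not all visible here.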
@@ -35,4 +35,4 @@ maintainers: name: redis sources: - https://github.com/bitnami/charts/tree/main/bitnami/redis -version: 18.19.2 +version: 19.0.2 diff --git a/packages/system/dashboard/charts/kubeapps/charts/redis/README.md b/packages/system/dashboard/charts/kubeapps/charts/redis/README.md index 8cac98b7..7f71fce9 100644 --- a/packages/system/dashboard/charts/kubeapps/charts/redis/README.md +++ b/packages/system/dashboard/charts/kubeapps/charts/redis/README.md @@ -1,8 +1,8 @@ -# Bitnami package for Redis(R) +# Bitnami package for Redis® -Redis(R) is an open source, advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. +Redis® is an open source, advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. [Overview of Redis®](http://redis.io) @@ -14,7 +14,7 @@ Disclaimer: Redis is a registered trademark of Redis Ltd. Any rights therein are helm install my-release oci://registry-1.docker.io/bitnamicharts/redis ``` -Looking to use Redisreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. +Looking to use Redis® in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. ## Introduction 
@@ -57,605 +57,6 @@ The command deploys Redis® on the Kubernetes cluster in the default configur > **Tip**: List all releases using `helm list` -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -helm delete my-release -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Parameters - -### Global parameters - -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.redis.password` | Global Redis® password (overrides `auth.password`) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | - -### Common parameters - -| Name | Description | Value | -| ------------------------- | -------------------------------------------------------------------------------------------------------------- | --------------- | -| `kubeVersion` | Override Kubernetes version | `""` | -| `nameOverride` | String to partially override common.names.fullname | `""` | -| `fullnameOverride` | String to fully override common.names.fullname | `""` | -| `namespaceOverride` | String to fully override common.names.namespace | `""` | -| `commonLabels` | Labels to add to all deployed objects | `{}` | -| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | -| `secretAnnotations` | Annotations to add to secret | `{}` | -| `clusterDomain` | Kubernetes cluster domain name | `cluster.local` | -| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | -| `useHostnames` | Use hostnames internally when announcing replication. 
If false, the hostname will be resolved to an IP address | `true` | -| `nameResolutionThreshold` | Failure threshold for internal hostnames resolution | `5` | -| `nameResolutionTimeout` | Timeout seconds between probes for internal hostnames resolution | `5` | -| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | -| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | -| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | - -### Redis® Image parameters - -| Name | Description | Value | -| ------------------- | ---------------------------------------------------------------------------------------------------------- | ----------------------- | -| `image.registry` | Redis® image registry | `REGISTRY_NAME` | -| `image.repository` | Redis® image repository | `REPOSITORY_NAME/redis` | -| `image.digest` | Redis® image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | Redis® image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Redis® image pull secrets | `[]` | -| `image.debug` | Enable image debug mode | `false` | - -### Redis® common configuration parameters - -| Name | Description | Value | -| -------------------------------- | ------------------------------------------------------------------------------------- | ------------- | -| `architecture` | Redis® architecture. 
Allowed values: `standalone` or `replication` | `replication` | -| `auth.enabled` | Enable password authentication | `true` | -| `auth.sentinel` | Enable password authentication on sentinels too | `true` | -| `auth.password` | Redis® password | `""` | -| `auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` | -| `auth.existingSecretPasswordKey` | Password key to be retrieved from existing secret | `""` | -| `auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `false` | -| `auth.usePasswordFileFromSecret` | Mount password file from secret | `true` | -| `commonConfiguration` | Common configuration to be added into the ConfigMap | `""` | -| `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Redis® nodes | `""` | - -### Redis® master configuration parameters - -| Name | Description | Value | -| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ | -| `master.count` | Number of Redis® master instances to deploy (experimental, requires additional configuration) | `1` | -| `master.configuration` | Configuration for Redis® master nodes | `""` | -| `master.disableCommands` | Array with Redis® commands to disable on master nodes | `["FLUSHDB","FLUSHALL"]` | -| `master.command` | Override default container command (useful when using custom images) | `[]` | -| `master.args` | Override default container args (useful when using custom images) | `[]` | -| `master.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | -| `master.preExecCmds` | Additional commands to run prior to starting Redis® master | `[]` | -| `master.extraFlags` | Array with additional 
command line flags for Redis® master | `[]` |
-| `master.extraEnvVars` | Array with extra environment variables to add to Redis® master nodes | `[]` |
-| `master.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® master nodes | `""` |
-| `master.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® master nodes | `""` |
-| `master.containerPorts.redis` | Container port to open on Redis® master nodes | `6379` |
-| `master.startupProbe.enabled` | Enable startupProbe on Redis® master nodes | `false` |
-| `master.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `20` |
-| `master.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` |
-| `master.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `master.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` |
-| `master.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `master.livenessProbe.enabled` | Enable livenessProbe on Redis® master nodes | `true` |
-| `master.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
-| `master.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
-| `master.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `master.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
-| `master.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `master.readinessProbe.enabled` | Enable readinessProbe on Redis® master nodes | `true` |
-| `master.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
-| `master.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
-| `master.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
-| `master.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
-|
`master.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
-| `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). | `none` |
-| `master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `master.podSecurityContext.enabled` | Enabled Redis® master pods' Security Context | `true` |
-| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
-| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
-| `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
-| `master.podSecurityContext.fsGroup` | Set Redis® master pod's Security Context fsGroup | `1001` |
-| `master.containerSecurityContext.enabled` | Enabled Redis® master containers' Security Context | `true` |
-| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `master.containerSecurityContext.runAsUser` | Set Redis® master containers' Security Context runAsUser | `1001` |
-| `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `0` |
-| `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot | `true` |
-| `master.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Redis® pod(s) privileges | `false` |
-|
`master.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
-| `master.containerSecurityContext.seccompProfile.type` | Set Redis® master containers' Security Context seccompProfile | `RuntimeDefault` |
-| `master.containerSecurityContext.capabilities.drop` | Set Redis® master containers' Security Context capabilities to drop | `["ALL"]` |
-| `master.kind` | Use either Deployment, StatefulSet (default) or DaemonSet | `StatefulSet` |
-| `master.schedulerName` | Alternate scheduler for Redis® master pods | `""` |
-| `master.updateStrategy.type` | Redis® master statefulset strategy type | `RollingUpdate` |
-| `master.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` |
-| `master.priorityClassName` | Redis® master pods' priorityClassName | `""` |
-| `master.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
-| `master.hostAliases` | Redis® master pods host aliases | `[]` |
-| `master.podLabels` | Extra labels for Redis® master pods | `{}` |
-| `master.podAnnotations` | Annotations for Redis® master pods | `{}` |
-| `master.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® master pods | `false` |
-| `master.podAffinityPreset` | Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `master.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
-| `master.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `master.nodeAffinityPreset.key` | Node label key to match. Ignored if `master.affinity` is set | `""` |
-| `master.nodeAffinityPreset.values` | Node label values to match.
Ignored if `master.affinity` is set | `[]` |
-| `master.affinity` | Affinity for Redis® master pods assignment | `{}` |
-| `master.nodeSelector` | Node labels for Redis® master pods assignment | `{}` |
-| `master.tolerations` | Tolerations for Redis® master pods assignment | `[]` |
-| `master.topologySpreadConstraints` | Spread Constraints for Redis® master pod assignment | `[]` |
-| `master.dnsPolicy` | DNS Policy for Redis® master pod | `""` |
-| `master.dnsConfig` | DNS Configuration for Redis® master pod | `{}` |
-| `master.lifecycleHooks` | for the Redis® master container(s) to automate configuration before or after startup | `{}` |
-| `master.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® master pod(s) | `[]` |
-| `master.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® master container(s) | `[]` |
-| `master.sidecars` | Add additional sidecar containers to the Redis® master pod(s) | `[]` |
-| `master.initContainers` | Add additional init containers to the Redis® master pod(s) | `[]` |
-| `master.persistence.enabled` | Enable persistence on Redis® master nodes using Persistent Volume Claims | `true` |
-| `master.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
-| `master.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes.
| `""` |
-| `master.persistence.path` | The path the volume will be mounted at on Redis® master containers | `/data` |
-| `master.persistence.subPath` | The subdirectory of the volume to mount on Redis® master containers | `""` |
-| `master.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® master containers | `""` |
-| `master.persistence.storageClass` | Persistent Volume storage class | `""` |
-| `master.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` |
-| `master.persistence.size` | Persistent Volume size | `8Gi` |
-| `master.persistence.annotations` | Additional custom annotations for the PVC | `{}` |
-| `master.persistence.labels` | Additional custom labels for the PVC | `{}` |
-| `master.persistence.selector` | Additional labels to match for the PVC | `{}` |
-| `master.persistence.dataSource` | Custom PVC data source | `{}` |
-| `master.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` |
-| `master.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` |
-| `master.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
-| `master.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
-| `master.service.type` | Redis® master service type | `ClusterIP` |
-| `master.service.ports.redis` | Redis® master service port | `6379` |
-| `master.service.nodePorts.redis` | Node port for Redis® master | `""` |
-| `master.service.externalTrafficPolicy` | Redis® master service external traffic policy | `Cluster` |
-| `master.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `master.service.internalTrafficPolicy` | Redis® master service internal traffic
policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` |
-| `master.service.clusterIP` | Redis® master service Cluster IP | `""` |
-| `master.service.loadBalancerIP` | Redis® master service Load Balancer IP | `""` |
-| `master.service.loadBalancerClass` | master service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
-| `master.service.loadBalancerSourceRanges` | Redis® master service Load Balancer sources | `[]` |
-| `master.service.externalIPs` | Redis® master service External IPs | `[]` |
-| `master.service.annotations` | Additional custom annotations for Redis® master service | `{}` |
-| `master.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
-| `master.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `master.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-master pods | `30` |
-| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
-| `master.serviceAccount.name` | The name of the ServiceAccount to use.
| `""` |
-| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
-| `master.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
-
-### Redis® replicas configuration parameters
-
-| Name | Description | Value |
-| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
-| `replica.kind` | Use either DaemonSet or StatefulSet (default) | `StatefulSet` |
-| `replica.replicaCount` | Number of Redis® replicas to deploy | `3` |
-| `replica.configuration` | Configuration for Redis® replicas nodes | `""` |
-| `replica.disableCommands` | Array with Redis® commands to disable on replicas nodes | `["FLUSHDB","FLUSHALL"]` |
-| `replica.command` | Override default container command (useful when using custom images) | `[]` |
-| `replica.args` | Override default container args (useful when using custom images) | `[]` |
-| `replica.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` |
-| `replica.preExecCmds` | Additional commands to run prior to starting Redis® replicas | `[]` |
-| `replica.extraFlags` | Array with additional command line flags for Redis® replicas | `[]` |
-| `replica.extraEnvVars` | Array with extra environment variables to add to Redis® replicas nodes | `[]` |
-| `replica.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® replicas nodes | `""` |
-| `replica.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® replicas nodes | `""` |
-| `replica.externalMaster.enabled` | Use external master for bootstrapping | `false` |
-| `replica.externalMaster.host` | External master host to bootstrap
from | `""` |
-| `replica.externalMaster.port` | Port for Redis service external master host | `6379` |
-| `replica.containerPorts.redis` | Container port to open on Redis® replicas nodes | `6379` |
-| `replica.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `true` |
-| `replica.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
-| `replica.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `replica.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `replica.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` |
-| `replica.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `replica.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` |
-| `replica.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
-| `replica.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
-| `replica.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `replica.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
-| `replica.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `replica.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` |
-| `replica.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
-| `replica.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
-| `replica.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
-| `replica.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
-| `replica.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `replica.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
-| `replica.customLivenessProbe` | Custom livenessProbe that overrides the
default one | `{}` |
-| `replica.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `replica.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production). | `none` |
-| `replica.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `replica.podSecurityContext.enabled` | Enabled Redis® replicas pods' Security Context | `true` |
-| `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
-| `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
-| `replica.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
-| `replica.podSecurityContext.fsGroup` | Set Redis® replicas pod's Security Context fsGroup | `1001` |
-| `replica.containerSecurityContext.enabled` | Enabled Redis® replicas containers' Security Context | `true` |
-| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `replica.containerSecurityContext.runAsUser` | Set Redis® replicas containers' Security Context runAsUser | `1001` |
-| `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `0` |
-| `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` |
-| `replica.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® replicas pod's Security Context allowPrivilegeEscalation | `false` |
-| `replica.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
-| `replica.containerSecurityContext.seccompProfile.type` | Set Redis® replicas containers' Security Context seccompProfile
| `RuntimeDefault` |
-| `replica.containerSecurityContext.capabilities.drop` | Set Redis® replicas containers' Security Context capabilities to drop | `["ALL"]` |
-| `replica.schedulerName` | Alternate scheduler for Redis® replicas pods | `""` |
-| `replica.updateStrategy.type` | Redis® replicas statefulset strategy type | `RollingUpdate` |
-| `replica.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` |
-| `replica.priorityClassName` | Redis® replicas pods' priorityClassName | `""` |
-| `replica.podManagementPolicy` | podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods | `""` |
-| `replica.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
-| `replica.hostAliases` | Redis® replicas pods host aliases | `[]` |
-| `replica.podLabels` | Extra labels for Redis® replicas pods | `{}` |
-| `replica.podAnnotations` | Annotations for Redis® replicas pods | `{}` |
-| `replica.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® replicas pods | `false` |
-| `replica.podAffinityPreset` | Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `replica.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
-| `replica.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `replica.nodeAffinityPreset.key` | Node label key to match. Ignored if `replica.affinity` is set | `""` |
-| `replica.nodeAffinityPreset.values` | Node label values to match.
Ignored if `replica.affinity` is set | `[]` |
-| `replica.affinity` | Affinity for Redis® replicas pods assignment | `{}` |
-| `replica.nodeSelector` | Node labels for Redis® replicas pods assignment | `{}` |
-| `replica.tolerations` | Tolerations for Redis® replicas pods assignment | `[]` |
-| `replica.topologySpreadConstraints` | Spread Constraints for Redis® replicas pod assignment | `[]` |
-| `replica.dnsPolicy` | DNS Policy for Redis® replica pods | `""` |
-| `replica.dnsConfig` | DNS Configuration for Redis® replica pods | `{}` |
-| `replica.lifecycleHooks` | for the Redis® replica container(s) to automate configuration before or after startup | `{}` |
-| `replica.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® replicas pod(s) | `[]` |
-| `replica.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® replicas container(s) | `[]` |
-| `replica.sidecars` | Add additional sidecar containers to the Redis® replicas pod(s) | `[]` |
-| `replica.initContainers` | Add additional init containers to the Redis® replicas pod(s) | `[]` |
-| `replica.persistence.enabled` | Enable persistence on Redis® replicas nodes using Persistent Volume Claims | `true` |
-| `replica.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
-| `replica.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes.
| `""` |
-| `replica.persistence.path` | The path the volume will be mounted at on Redis® replicas containers | `/data` |
-| `replica.persistence.subPath` | The subdirectory of the volume to mount on Redis® replicas containers | `""` |
-| `replica.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® replicas containers | `""` |
-| `replica.persistence.storageClass` | Persistent Volume storage class | `""` |
-| `replica.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` |
-| `replica.persistence.size` | Persistent Volume size | `8Gi` |
-| `replica.persistence.annotations` | Additional custom annotations for the PVC | `{}` |
-| `replica.persistence.labels` | Additional custom labels for the PVC | `{}` |
-| `replica.persistence.selector` | Additional labels to match for the PVC | `{}` |
-| `replica.persistence.dataSource` | Custom PVC data source | `{}` |
-| `replica.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` |
-| `replica.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` |
-| `replica.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
-| `replica.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
-| `replica.service.type` | Redis® replicas service type | `ClusterIP` |
-| `replica.service.ports.redis` | Redis® replicas service port | `6379` |
-| `replica.service.nodePorts.redis` | Node port for Redis® replicas | `""` |
-| `replica.service.externalTrafficPolicy` | Redis® replicas service external traffic policy | `Cluster` |
-| `replica.service.internalTrafficPolicy` | Redis® replicas service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` |
-| `replica.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `replica.service.clusterIP` | Redis® replicas service Cluster IP | `""` |
-| `replica.service.loadBalancerIP` | Redis® replicas service Load Balancer IP | `""` |
-| `replica.service.loadBalancerClass` | replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
-| `replica.service.loadBalancerSourceRanges` | Redis® replicas service Load Balancer sources | `[]` |
-| `replica.service.annotations` | Additional custom annotations for Redis® replicas service | `{}` |
-| `replica.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
-| `replica.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `replica.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-replicas pods | `30` |
-| `replica.autoscaling.enabled` | Enable replica autoscaling settings | `false` |
-| `replica.autoscaling.minReplicas` | Minimum replicas for the pod autoscaling | `1` |
-| `replica.autoscaling.maxReplicas` | Maximum replicas for the pod autoscaling | `11` |
-| `replica.autoscaling.targetCPU` | Percentage of CPU to consider when autoscaling | `""` |
-| `replica.autoscaling.targetMemory` | Percentage of Memory to consider when autoscaling | `""` |
-| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
-| `replica.serviceAccount.name` | The name of the ServiceAccount to use.
| `""` |
-| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
-| `replica.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
-
-### Redis® Sentinel configuration parameters
-
-| Name | Description | Value |
-| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
-| `sentinel.enabled` | Use Redis® Sentinel on Redis® pods. | `false` |
-| `sentinel.image.registry` | Redis® Sentinel image registry | `REGISTRY_NAME` |
-| `sentinel.image.repository` | Redis® Sentinel image repository | `REPOSITORY_NAME/redis-sentinel` |
-| `sentinel.image.digest` | Redis® Sentinel image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `sentinel.image.pullPolicy` | Redis® Sentinel image pull policy | `IfNotPresent` |
-| `sentinel.image.pullSecrets` | Redis® Sentinel image pull secrets | `[]` |
-| `sentinel.image.debug` | Enable image debug mode | `false` |
-| `sentinel.annotations` | Additional custom annotations for Redis® Sentinel resource | `{}` |
-| `sentinel.masterSet` | Master set name | `mymaster` |
-| `sentinel.quorum` | Sentinel Quorum | `2` |
-| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out. | `90` |
-| `sentinel.automateClusterRecovery` | Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. | `false` |
-| `sentinel.redisShutdownWaitFailover` | Whether the Redis® master container waits for the failover at shutdown (in addition to the Redis® Sentinel container).
| `true` |
-| `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis® node is down | `60000` |
-| `sentinel.failoverTimeout` | Timeout for performing a election failover | `180000` |
-| `sentinel.parallelSyncs` | Number of replicas that can be reconfigured in parallel to use the new master after a failover | `1` |
-| `sentinel.configuration` | Configuration for Redis® Sentinel nodes | `""` |
-| `sentinel.command` | Override default container command (useful when using custom images) | `[]` |
-| `sentinel.args` | Override default container args (useful when using custom images) | `[]` |
-| `sentinel.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` |
-| `sentinel.preExecCmds` | Additional commands to run prior to starting Redis® Sentinel | `[]` |
-| `sentinel.extraEnvVars` | Array with extra environment variables to add to Redis® Sentinel nodes | `[]` |
-| `sentinel.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® Sentinel nodes | `""` |
-| `sentinel.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® Sentinel nodes | `""` |
-| `sentinel.externalMaster.enabled` | Use external master for bootstrapping | `false` |
-| `sentinel.externalMaster.host` | External master host to bootstrap from | `""` |
-| `sentinel.externalMaster.port` | Port for Redis service external master host | `6379` |
-| `sentinel.containerPorts.sentinel` | Container port to open on Redis® Sentinel nodes | `26379` |
-| `sentinel.startupProbe.enabled` | Enable startupProbe on Redis® Sentinel nodes | `true` |
-| `sentinel.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
-| `sentinel.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `sentinel.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `sentinel.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` |
-|
`sentinel.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `sentinel.livenessProbe.enabled` | Enable livenessProbe on Redis® Sentinel nodes | `true` |
-| `sentinel.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
-| `sentinel.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `sentinel.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `sentinel.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
-| `sentinel.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `sentinel.readinessProbe.enabled` | Enable readinessProbe on Redis® Sentinel nodes | `true` |
-| `sentinel.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
-| `sentinel.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
-| `sentinel.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
-| `sentinel.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
-| `sentinel.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `sentinel.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
-| `sentinel.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `sentinel.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `sentinel.persistence.enabled` | Enable persistence on Redis® sentinel nodes using Persistent Volume Claims (Experimental) | `false` |
-| `sentinel.persistence.storageClass` | Persistent Volume storage class | `""` |
-| `sentinel.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` |
-| `sentinel.persistence.size` | Persistent Volume size | `100Mi` |
-| `sentinel.persistence.annotations` | Additional custom annotations for the PVC | `{}` |
-| `sentinel.persistence.labels` |
Additional custom labels for the PVC | `{}` |
-| `sentinel.persistence.selector` | Additional labels to match for the PVC | `{}` |
-| `sentinel.persistence.dataSource` | Custom PVC data source | `{}` |
-| `sentinel.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
-| `sentinel.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. | `""` |
-| `sentinel.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` |
-| `sentinel.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
-| `sentinel.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
-| `sentinel.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production).
| `none` |
-| `sentinel.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` |
-| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` |
-| `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `0` |
-| `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` |
-| `sentinel.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
-| `sentinel.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® Sentinel containers' Security Context allowPrivilegeEscalation | `false` |
-| `sentinel.containerSecurityContext.seccompProfile.type` | Set Redis® Sentinel containers' Security Context seccompProfile | `RuntimeDefault` |
-| `sentinel.containerSecurityContext.capabilities.drop` | Set Redis® Sentinel containers' Security Context capabilities to drop | `["ALL"]` |
-| `sentinel.lifecycleHooks` | for the Redis® sentinel container(s) to automate configuration before or after startup | `{}` |
-| `sentinel.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® Sentinel | `[]` |
-| `sentinel.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® Sentinel container(s) | `[]` |
-| `sentinel.service.type` | Redis® Sentinel service type | `ClusterIP` |
-| `sentinel.service.ports.redis` | Redis® service port for Redis® | `6379` |
-| `sentinel.service.ports.sentinel` | Redis® service port for Redis® Sentinel | `26379` |
-| `sentinel.service.nodePorts.redis` | Node port for Redis® |
`""` | -| `sentinel.service.nodePorts.sentinel` | Node port for Sentinel | `""` | -| `sentinel.service.externalTrafficPolicy` | Redis® Sentinel service external traffic policy | `Cluster` | -| `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `sentinel.service.clusterIP` | Redis® Sentinel service Cluster IP | `""` | -| `sentinel.service.createMaster` | Enable master service pointing to the current master (experimental) | `false` | -| `sentinel.service.loadBalancerIP` | Redis® Sentinel service Load Balancer IP | `""` | -| `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | -| `sentinel.service.loadBalancerSourceRanges` | Redis® Sentinel service Load Balancer sources | `[]` | -| `sentinel.service.annotations` | Additional custom annotations for Redis® Sentinel service | `{}` | -| `sentinel.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `sentinel.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `sentinel.service.headless.annotations` | Annotations for the headless service. 
| `{}` | -| `sentinel.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-node pods | `30` | - -### Other Parameters - -| Name | Description | Value | -| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | -| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` | -| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | -| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | -| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy | `[]` | -| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | -| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | -| `networkPolicy.metrics.allowExternal` | Don't require client label for connections for metrics endpoint | `true` | -| `networkPolicy.metrics.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces to metrics endpoint | `{}` | -| `networkPolicy.metrics.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces to metrics endpoint | `{}` | -| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. 
WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
-| `podSecurityPolicy.enabled` | Enable PodSecurityPolicy's RBAC rules | `false` |
-| `rbac.create` | Specifies whether RBAC resources should be created | `false` |
-| `rbac.rules` | Custom RBAC rules to set | `[]` |
-| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
-| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
-| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
-| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
-| `pdb.create` | Specifies whether a PodDisruptionBudget should be created | `false` |
-| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` |
-| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `""` |
-| `tls.enabled` | Enable TLS traffic | `false` |
-| `tls.authClients` | Require clients to authenticate | `true` |
-| `tls.autoGenerated` | Enable autogenerated certificates | `false` |
-| `tls.existingSecret` | The name of the existing secret that contains the TLS certificates | `""` |
-| `tls.certificatesSecret` | DEPRECATED. Use existingSecret instead.
| `""` | -| `tls.certFilename` | Certificate filename | `""` | -| `tls.certKeyFilename` | Certificate Key filename | `""` | -| `tls.certCAFilename` | CA Certificate filename | `""` | -| `tls.dhParamsFilename` | File containing DH params (in order to support DH based ciphers) | `""` | - -### Metrics Parameters - -| Name | Description | Value | -| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | -| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` | -| `metrics.image.registry` | Redis® Exporter image registry | `REGISTRY_NAME` | -| `metrics.image.repository` | Redis® Exporter image repository | `REPOSITORY_NAME/redis-exporter` | -| `metrics.image.digest` | Redis® Exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` |
-| `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` |
-| `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` |
-| `metrics.containerPorts.http` | Metrics HTTP container port | `9121` |
-| `metrics.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `false` |
-| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
-| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` |
-| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `metrics.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` |
-| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
-| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
-| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `metrics.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` |
-| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
-| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
-| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
-| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
-| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `metrics.customStartupProbe` | Custom startupProbe that
overrides the default one | `{}` |
-| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` |
-| `metrics.redisTargetHost` | A way to specify an alternative Redis® hostname | `localhost` |
-| `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` |
-| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` |
-| `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` |
-| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` |
-| `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `0` |
-| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` |
-| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | `false` |
-| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
-| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` |
-| `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` |
-| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` |
-| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis®
metrics sidecar | `[]` |
-| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
-| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` |
-| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` |
-| `metrics.service.enabled` | Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor | `true` |
-| `metrics.service.type` | Redis® exporter service type | `ClusterIP` |
-| `metrics.service.ports.http` | Redis® exporter service port | `9121` |
-| `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` |
-| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` |
-| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
-| `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` |
-| `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` |
-| `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` |
-| `metrics.serviceMonitor.port` | the service port to scrape metrics from | `http-metrics` |
-| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` |
-| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` |
-| `metrics.serviceMonitor.interval`
| The interval at which metrics should be scraped | `30s` |
-| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
-| `metrics.serviceMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` |
-| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` |
-| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
-| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` |
-| `metrics.serviceMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` |
-| `metrics.serviceMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` |
-| `metrics.serviceMonitor.targetLimit` | Limit of how many targets should be scraped | `false` |
-| `metrics.serviceMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` |
-| `metrics.podMonitor.port` | the pod port to scrape metrics from | `metrics` |
-| `metrics.podMonitor.enabled` | Create PodMonitor resource(s) for scraping metrics using PrometheusOperator | `false` |
-| `metrics.podMonitor.namespace` | The namespace in which the PodMonitor will be created | `""` |
-| `metrics.podMonitor.interval` | The interval at which metrics should be scraped | `30s` |
-| `metrics.podMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
-| `metrics.podMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` |
-| `metrics.podMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion.
| `[]` | -| `metrics.podMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitor resource(s) can be discovered by Prometheus | `{}` | -| `metrics.podMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | -| `metrics.podMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | -| `metrics.podMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | -| `metrics.podMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` | -| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` | -| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` | -| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` | -| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` | - -### Init Container Parameters - -| Name | Description | Value | -| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | -| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` |
-| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
-| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
-| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
-| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
-| `kubectl.image.registry` | Kubectl image registry | `REGISTRY_NAME` |
-| `kubectl.image.repository` | Kubectl image repository | `REPOSITORY_NAME/kubectl` |
-| `kubectl.image.digest` | Kubectl image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag | `""` |
-| `kubectl.image.pullPolicy` | Kubectl image pull policy | `IfNotPresent` |
-| `kubectl.image.pullSecrets` | Kubectl pull secrets | `[]` |
-| `kubectl.command` | kubectl command to execute | `["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"]` |
-| `kubectl.resources.limits` | The resources limits for the kubectl containers | `{}` |
-| `kubectl.resources.requests` | The requested resources for the kubectl containers | `{}` |
-| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` |
-| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
-| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
-| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
-| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
-| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` |
-| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` |
-| `sysctl.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production).
| `none` | -| `sysctl.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | - -### useExternalDNS Parameters - -| Name | Description | Value | -| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `useExternalDNS.enabled` | Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. | `false` | -| `useExternalDNS.additionalAnnotations` | Extra annotations to be utilized when `external-dns` is enabled. | `{}` | -| `useExternalDNS.annotationKey` | The annotation key utilized when `external-dns` is enabled. Setting this to `false` will disable annotations. | `external-dns.alpha.kubernetes.io/` | -| `useExternalDNS.suffix` | The DNS suffix utilized when `external-dns` is enabled. Note that we prepend the suffix with the full name of the release. | `""` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```console -helm install my-release \ - --set auth.password=secretpassword \ - oci://REGISTRY_NAME/REPOSITORY_NAME/redis -``` - -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. - -The above command sets the Redis® server password to `secretpassword`. - -> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. 
To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, - -```console -helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/redis -``` - -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. -> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/redis/values.yaml) - ## Configuration and installation details ### Resource requests and limits 
@@ -894,27 +295,11 @@ securityContext: Note that this will not disable transparent huge tables. -## Persistence - -By default, the chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at the `/data` path. The volume is created using dynamic volume provisioning. If a Persistent Volume Claim already exists, specify it during installation. - -### Existing PersistentVolumeClaim - -1. Create the PersistentVolume -2. Create the PersistentVolumeClaim -3. Install the chart - -```console -helm install my-release --set master.persistence.existingClaim=PVC_NAME oci://REGISTRY_NAME/REPOSITORY_NAME/redis -``` - -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. - -## Backup and restore +### Backup and restore To backup and restore Redis deployments on Kubernetes, you will need to create a snapshot of the data in the source cluster, and later restore it in a new cluster with the new parameters. Follow the instructions below: -### Step 1: Backup the deployment +#### Step 1: Backup the deployment - Connect to one of the nodes and start the Redis CLI tool. Then, run the commands below: @@ -933,7 +318,7 @@ To backup and restore Redis deployments on Kubernetes, you will need to create a kubectl cp my-release-master-0:/data/dump.rdb dump.rdb -c redis ``` -### Step 2: Restore the data on the destination cluster +#### Step 2: Restore the data on the destination cluster To restore the data in a new cluster, you will need to create a PVC and then upload the *dump.rdb* file to the new volume. 
@@ -1005,7 +390,7 @@ Follow the following steps: helm install new-redis -f values.yaml . --set cluster.enabled=true --set cluster.slaveCount=3 ``` -## NetworkPolicy +### NetworkPolicy To enable network policy for Redis®, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. 
@@ -1022,12 +407,626 @@ networkPolicy: redis-client: true ``` -### Setting Pod's affinity +#### Setting Pod's affinity This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. +## Persistence + +By default, the chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at the `/data` path. The volume is created using dynamic volume provisioning. If a Persistent Volume Claim already exists, specify it during installation. + +### Existing PersistentVolumeClaim + +1. Create the PersistentVolume +2. Create the PersistentVolumeClaim +3. Install the chart + +```console +helm install my-release --set master.persistence.existingClaim=PVC_NAME oci://REGISTRY_NAME/REPOSITORY_NAME/redis +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. 
+ +## Parameters + +### Global parameters + +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.redis.password` | Global Redis® password (overrides `auth.password`) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | + +### Common parameters + +| Name | Description | Value | +| ------------------------- | -------------------------------------------------------------------------------------------------------------- | --------------- | +| `kubeVersion` | Override Kubernetes version | `""` | +| `nameOverride` | String to partially override common.names.fullname | `""` | +| `fullnameOverride` | String to fully override common.names.fullname | `""` | +| `namespaceOverride` | String to fully override common.names.namespace | `""` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `secretAnnotations` | Annotations to add to secret | `{}` | +| `clusterDomain` | Kubernetes cluster domain name | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `useHostnames` | Use hostnames internally when announcing replication. 
If false, the hostname will be resolved to an IP address | `true` | +| `nameResolutionThreshold` | Failure threshold for internal hostnames resolution | `5` | +| `nameResolutionTimeout` | Timeout seconds between probes for internal hostnames resolution | `5` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | + +### Redis® Image parameters + +| Name | Description | Value | +| ------------------- | ---------------------------------------------------------------------------------------------------------- | ----------------------- | +| `image.registry` | Redis® image registry | `REGISTRY_NAME` | +| `image.repository` | Redis® image repository | `REPOSITORY_NAME/redis` | +| `image.digest` | Redis® image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | Redis® image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Redis® image pull secrets | `[]` | +| `image.debug` | Enable image debug mode | `false` | + +### Redis® common configuration parameters + +| Name | Description | Value | +| -------------------------------- | ------------------------------------------------------------------------------------- | ------------- | +| `architecture` | Redis® architecture. 
Allowed values: `standalone` or `replication` | `replication` | +| `auth.enabled` | Enable password authentication | `true` | +| `auth.sentinel` | Enable password authentication on sentinels too | `true` | +| `auth.password` | Redis® password | `""` | +| `auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` | +| `auth.existingSecretPasswordKey` | Password key to be retrieved from existing secret | `""` | +| `auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `false` | +| `auth.usePasswordFileFromSecret` | Mount password file from secret | `true` | +| `commonConfiguration` | Common configuration to be added into the ConfigMap | `""` | +| `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Redis® nodes | `""` | + +### Redis® master configuration parameters + +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ | +| `master.count` | Number of Redis® master instances to deploy (experimental, requires additional configuration) | `1` | +| `master.configuration` | Configuration for Redis® master nodes | `""` | +| `master.disableCommands` | Array with Redis® commands to disable on master nodes | `["FLUSHDB","FLUSHALL"]` | +| `master.command` | Override default container command (useful when using custom images) | `[]` | +| `master.args` | Override default container args (useful when using custom images) | `[]` | +| `master.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `master.preExecCmds` | Additional commands to run prior to starting Redis® master | `[]` | +| `master.extraFlags` | Array with additional 
command line flags for Redis® master | `[]` |
+| `master.extraEnvVars` | Array with extra environment variables to add to Redis® master nodes | `[]` |
+| `master.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® master nodes | `""` |
+| `master.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® master nodes | `""` |
+| `master.containerPorts.redis` | Container port to open on Redis® master nodes | `6379` |
+| `master.startupProbe.enabled` | Enable startupProbe on Redis® master nodes | `false` |
+| `master.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `20` |
+| `master.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` |
+| `master.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `master.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` |
+| `master.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `master.livenessProbe.enabled` | Enable livenessProbe on Redis® master nodes | `true` |
+| `master.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
+| `master.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
+| `master.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `master.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
+| `master.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `master.readinessProbe.enabled` | Enable readinessProbe on Redis® master nodes | `true` |
+| `master.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
+| `master.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
+| `master.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
+| `master.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
+|
`master.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). | `nano` |
+| `master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `master.podSecurityContext.enabled` | Enabled Redis® master pods' Security Context | `true` |
+| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `master.podSecurityContext.fsGroup` | Set Redis® master pod's Security Context fsGroup | `1001` |
+| `master.containerSecurityContext.enabled` | Enabled Redis® master containers' Security Context | `true` |
+| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `master.containerSecurityContext.runAsUser` | Set Redis® master containers' Security Context runAsUser | `1001` |
+| `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `1001` |
+| `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot | `true` |
+| `master.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Redis® pod(s) privileges | `false` |
+|
`master.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` | +| `master.containerSecurityContext.seccompProfile.type` | Set Redis® master containers' Security Context seccompProfile | `RuntimeDefault` | +| `master.containerSecurityContext.capabilities.drop` | Set Redis® master containers' Security Context capabilities to drop | `["ALL"]` | +| `master.kind` | Use either Deployment, StatefulSet (default) or DaemonSet | `StatefulSet` | +| `master.schedulerName` | Alternate scheduler for Redis® master pods | `""` | +| `master.updateStrategy.type` | Redis® master statefulset strategy type | `RollingUpdate` | +| `master.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | +| `master.priorityClassName` | Redis® master pods' priorityClassName | `""` | +| `master.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `master.hostAliases` | Redis® master pods host aliases | `[]` | +| `master.podLabels` | Extra labels for Redis® master pods | `{}` | +| `master.podAnnotations` | Annotations for Redis® master pods | `{}` | +| `master.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® master pods | `false` | +| `master.podAffinityPreset` | Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `master.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `master.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `master.nodeAffinityPreset.key` | Node label key to match. Ignored if `master.affinity` is set | `""` | +| `master.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `master.affinity` is set | `[]` | +| `master.affinity` | Affinity for Redis® master pods assignment | `{}` | +| `master.nodeSelector` | Node labels for Redis® master pods assignment | `{}` | +| `master.tolerations` | Tolerations for Redis® master pods assignment | `[]` | +| `master.topologySpreadConstraints` | Spread Constraints for Redis® master pod assignment | `[]` | +| `master.dnsPolicy` | DNS Policy for Redis® master pod | `""` | +| `master.dnsConfig` | DNS Configuration for Redis® master pod | `{}` | +| `master.lifecycleHooks` | for the Redis® master container(s) to automate configuration before or after startup | `{}` | +| `master.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® master pod(s) | `[]` | +| `master.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® master container(s) | `[]` | +| `master.sidecars` | Add additional sidecar containers to the Redis® master pod(s) | `[]` | +| `master.initContainers` | Add additional init containers to the Redis® master pod(s) | `[]` | +| `master.persistence.enabled` | Enable persistence on Redis® master nodes using Persistent Volume Claims | `true` | +| `master.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `master.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. 
| `""` | +| `master.persistence.path` | The path the volume will be mounted at on Redis® master containers | `/data` | +| `master.persistence.subPath` | The subdirectory of the volume to mount on Redis® master containers | `""` | +| `master.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® master containers | `""` | +| `master.persistence.storageClass` | Persistent Volume storage class | `""` | +| `master.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `master.persistence.size` | Persistent Volume size | `8Gi` | +| `master.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `master.persistence.labels` | Additional custom labels for the PVC | `{}` | +| `master.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `master.persistence.dataSource` | Custom PVC data source | `{}` | +| `master.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` | +| `master.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | +| `master.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `master.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | +| `master.service.type` | Redis® master service type | `ClusterIP` | +| `master.service.ports.redis` | Redis® master service port | `6379` | +| `master.service.nodePorts.redis` | Node port for Redis® master | `""` | +| `master.service.externalTrafficPolicy` | Redis® master service external traffic policy | `Cluster` | +| `master.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `master.service.internalTrafficPolicy` | Redis® master service internal traffic 
policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` | +| `master.service.clusterIP` | Redis® master service Cluster IP | `""` | +| `master.service.loadBalancerIP` | Redis® master service Load Balancer IP | `""` | +| `master.service.loadBalancerClass` | master service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `master.service.loadBalancerSourceRanges` | Redis® master service Load Balancer sources | `[]` | +| `master.service.externalIPs` | Redis® master service External IPs | `[]` | +| `master.service.annotations` | Additional custom annotations for Redis® master service | `{}` | +| `master.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `master.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `master.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-master pods | `30` | +| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `master.serviceAccount.name` | The name of the ServiceAccount to use. 
| `""` | +| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | +| `master.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | + +### Redis® replicas configuration parameters + +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `replica.kind` | Use either DaemonSet or StatefulSet (default) | `StatefulSet` | +| `replica.replicaCount` | Number of Redis® replicas to deploy | `3` | +| `replica.configuration` | Configuration for Redis® replicas nodes | `""` | +| `replica.disableCommands` | Array with Redis® commands to disable on replicas nodes | `["FLUSHDB","FLUSHALL"]` | +| `replica.command` | Override default container command (useful when using custom images) | `[]` | +| `replica.args` | Override default container args (useful when using custom images) | `[]` | +| `replica.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `replica.preExecCmds` | Additional commands to run prior to starting Redis® replicas | `[]` | +| `replica.extraFlags` | Array with additional command line flags for Redis® replicas | `[]` | +| `replica.extraEnvVars` | Array with extra environment variables to add to Redis® replicas nodes | `[]` | +| `replica.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® replicas nodes | `""` | +| `replica.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® replicas nodes | `""` | +| `replica.externalMaster.enabled` | Use external master for bootstrapping | `false` | +| `replica.externalMaster.host` | External master host to bootstrap 
from | `""` | +| `replica.externalMaster.port` | Port for Redis service external master host | `6379` | +| `replica.containerPorts.redis` | Container port to open on Redis® replicas nodes | `6379` | +| `replica.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `true` | +| `replica.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `replica.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `replica.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `replica.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` | +| `replica.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `replica.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` | +| `replica.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | +| `replica.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `replica.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `replica.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `replica.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `replica.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` | +| `replica.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | +| `replica.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `replica.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `replica.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | +| `replica.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `replica.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `replica.customLivenessProbe` | Custom livenessProbe that overrides the 
default one | `{}` | +| `replica.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `replica.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production). | `nano` | +| `replica.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `replica.podSecurityContext.enabled` | Enabled Redis® replicas pods' Security Context | `true` | +| `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `replica.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `replica.podSecurityContext.fsGroup` | Set Redis® replicas pod's Security Context fsGroup | `1001` | +| `replica.containerSecurityContext.enabled` | Enabled Redis® replicas containers' Security Context | `true` | +| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `replica.containerSecurityContext.runAsUser` | Set Redis® replicas containers' Security Context runAsUser | `1001` | +| `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `1001` | +| `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` | +| `replica.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® replicas pod's Security Context allowPrivilegeEscalation | `false` | +| `replica.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` | +| `replica.containerSecurityContext.seccompProfile.type` | Set Redis® replicas containers' Security Context 
seccompProfile | `RuntimeDefault` | +| `replica.containerSecurityContext.capabilities.drop` | Set Redis® replicas containers' Security Context capabilities to drop | `["ALL"]` | +| `replica.schedulerName` | Alternate scheduler for Redis® replicas pods | `""` | +| `replica.updateStrategy.type` | Redis® replicas statefulset strategy type | `RollingUpdate` | +| `replica.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | +| `replica.priorityClassName` | Redis® replicas pods' priorityClassName | `""` | +| `replica.podManagementPolicy` | podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods | `""` | +| `replica.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `replica.hostAliases` | Redis® replicas pods host aliases | `[]` | +| `replica.podLabels` | Extra labels for Redis® replicas pods | `{}` | +| `replica.podAnnotations` | Annotations for Redis® replicas pods | `{}` | +| `replica.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® replicas pods | `false` | +| `replica.podAffinityPreset` | Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `replica.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `replica.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `replica.nodeAffinityPreset.key` | Node label key to match. Ignored if `replica.affinity` is set | `""` | +| `replica.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `replica.affinity` is set | `[]` | +| `replica.affinity` | Affinity for Redis® replicas pods assignment | `{}` | +| `replica.nodeSelector` | Node labels for Redis® replicas pods assignment | `{}` | +| `replica.tolerations` | Tolerations for Redis® replicas pods assignment | `[]` | +| `replica.topologySpreadConstraints` | Spread Constraints for Redis® replicas pod assignment | `[]` | +| `replica.dnsPolicy` | DNS Policy for Redis® replica pods | `""` | +| `replica.dnsConfig` | DNS Configuration for Redis® replica pods | `{}` | +| `replica.lifecycleHooks` | for the Redis® replica container(s) to automate configuration before or after startup | `{}` | +| `replica.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® replicas pod(s) | `[]` | +| `replica.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® replicas container(s) | `[]` | +| `replica.sidecars` | Add additional sidecar containers to the Redis® replicas pod(s) | `[]` | +| `replica.initContainers` | Add additional init containers to the Redis® replicas pod(s) | `[]` | +| `replica.persistence.enabled` | Enable persistence on Redis® replicas nodes using Persistent Volume Claims | `true` | +| `replica.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `replica.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. 
| `""` | +| `replica.persistence.path` | The path the volume will be mounted at on Redis® replicas containers | `/data` | +| `replica.persistence.subPath` | The subdirectory of the volume to mount on Redis® replicas containers | `""` | +| `replica.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® replicas containers | `""` | +| `replica.persistence.storageClass` | Persistent Volume storage class | `""` | +| `replica.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `replica.persistence.size` | Persistent Volume size | `8Gi` | +| `replica.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `replica.persistence.labels` | Additional custom labels for the PVC | `{}` | +| `replica.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `replica.persistence.dataSource` | Custom PVC data source | `{}` | +| `replica.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` | +| `replica.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | +| `replica.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `replica.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | +| `replica.service.type` | Redis® replicas service type | `ClusterIP` | +| `replica.service.ports.redis` | Redis® replicas service port | `6379` | +| `replica.service.nodePorts.redis` | Node port for Redis® replicas | `""` | +| `replica.service.externalTrafficPolicy` | Redis® replicas service external traffic policy | `Cluster` | +| `replica.service.internalTrafficPolicy` | Redis® replicas service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` | 
+| `replica.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `replica.service.clusterIP` | Redis® replicas service Cluster IP | `""` | +| `replica.service.loadBalancerIP` | Redis® replicas service Load Balancer IP | `""` | +| `replica.service.loadBalancerClass` | replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `replica.service.loadBalancerSourceRanges` | Redis® replicas service Load Balancer sources | `[]` | +| `replica.service.annotations` | Additional custom annotations for Redis® replicas service | `{}` | +| `replica.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `replica.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `replica.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-replicas pods | `30` | +| `replica.autoscaling.enabled` | Enable replica autoscaling settings | `false` | +| `replica.autoscaling.minReplicas` | Minimum replicas for the pod autoscaling | `1` | +| `replica.autoscaling.maxReplicas` | Maximum replicas for the pod autoscaling | `11` | +| `replica.autoscaling.targetCPU` | Percentage of CPU to consider when autoscaling | `""` | +| `replica.autoscaling.targetMemory` | Percentage of Memory to consider when autoscaling | `""` | +| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `replica.serviceAccount.name` | The name of the ServiceAccount to use. 
| `""` | +| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | +| `replica.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | + +### Redis® Sentinel configuration parameters + +| Name | Description | Value | +| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | +| `sentinel.enabled` | Use Redis® Sentinel on Redis® pods. | `false` | +| `sentinel.image.registry` | Redis® Sentinel image registry | `REGISTRY_NAME` | +| `sentinel.image.repository` | Redis® Sentinel image repository | `REPOSITORY_NAME/redis-sentinel` | +| `sentinel.image.digest` | Redis® Sentinel image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `sentinel.image.pullPolicy` | Redis® Sentinel image pull policy | `IfNotPresent` | +| `sentinel.image.pullSecrets` | Redis® Sentinel image pull secrets | `[]` | +| `sentinel.image.debug` | Enable image debug mode | `false` | +| `sentinel.annotations` | Additional custom annotations for Redis® Sentinel resource | `{}` | +| `sentinel.masterSet` | Master set name | `mymaster` | +| `sentinel.quorum` | Sentinel Quorum | `2` | +| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out. | `90` | +| `sentinel.automateClusterRecovery` | Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. | `false` | +| `sentinel.redisShutdownWaitFailover` | Whether the Redis® master container waits for the failover at shutdown (in addition to the Redis® Sentinel container). 
| `true` | +| `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis® node is down | `60000` | +| `sentinel.failoverTimeout` | Timeout for performing a election failover | `180000` | +| `sentinel.parallelSyncs` | Number of replicas that can be reconfigured in parallel to use the new master after a failover | `1` | +| `sentinel.configuration` | Configuration for Redis® Sentinel nodes | `""` | +| `sentinel.command` | Override default container command (useful when using custom images) | `[]` | +| `sentinel.args` | Override default container args (useful when using custom images) | `[]` | +| `sentinel.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `sentinel.preExecCmds` | Additional commands to run prior to starting Redis® Sentinel | `[]` | +| `sentinel.extraEnvVars` | Array with extra environment variables to add to Redis® Sentinel nodes | `[]` | +| `sentinel.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® Sentinel nodes | `""` | +| `sentinel.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® Sentinel nodes | `""` | +| `sentinel.externalMaster.enabled` | Use external master for bootstrapping | `false` | +| `sentinel.externalMaster.host` | External master host to bootstrap from | `""` | +| `sentinel.externalMaster.port` | Port for Redis service external master host | `6379` | +| `sentinel.containerPorts.sentinel` | Container port to open on Redis® Sentinel nodes | `26379` | +| `sentinel.startupProbe.enabled` | Enable startupProbe on Redis® Sentinel nodes | `true` | +| `sentinel.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `sentinel.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `sentinel.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `sentinel.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` | +| 
`sentinel.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `sentinel.livenessProbe.enabled` | Enable livenessProbe on Redis® Sentinel nodes | `true` | +| `sentinel.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | +| `sentinel.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `sentinel.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `sentinel.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `sentinel.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `sentinel.readinessProbe.enabled` | Enable readinessProbe on Redis® Sentinel nodes | `true` | +| `sentinel.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | +| `sentinel.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `sentinel.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `sentinel.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `sentinel.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `sentinel.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `sentinel.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `sentinel.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `sentinel.persistence.enabled` | Enable persistence on Redis® sentinel nodes using Persistent Volume Claims (Experimental) | `false` | +| `sentinel.persistence.storageClass` | Persistent Volume storage class | `""` | +| `sentinel.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `sentinel.persistence.size` | Persistent Volume size | `100Mi` | +| `sentinel.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `sentinel.persistence.labels` | 
Additional custom labels for the PVC | `{}` | +| `sentinel.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `sentinel.persistence.dataSource` | Custom PVC data source | `{}` | +| `sentinel.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `sentinel.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. | `""` | +| `sentinel.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | +| `sentinel.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `sentinel.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | +| `sentinel.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production). 
| `nano` | +| `sentinel.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` | +| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` | +| `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `1001` | +| `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` | +| `sentinel.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` | +| `sentinel.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® Sentinel containers' Security Context allowPrivilegeEscalation | `false` | +| `sentinel.containerSecurityContext.seccompProfile.type` | Set Redis® Sentinel containers' Security Context seccompProfile | `RuntimeDefault` | +| `sentinel.containerSecurityContext.capabilities.drop` | Set Redis® Sentinel containers' Security Context capabilities to drop | `["ALL"]` | +| `sentinel.lifecycleHooks` | for the Redis® sentinel container(s) to automate configuration before or after startup | `{}` | +| `sentinel.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® Sentinel | `[]` | +| `sentinel.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® Sentinel container(s) | `[]` | +| `sentinel.service.type` | Redis® Sentinel service type | `ClusterIP` | +| `sentinel.service.ports.redis` | Redis® service port for Redis® | `6379` | +| `sentinel.service.ports.sentinel` | Redis® service port for Redis® Sentinel | `26379` | +| `sentinel.service.nodePorts.redis` | Node port for Redis® 
| `""` | +| `sentinel.service.nodePorts.sentinel` | Node port for Sentinel | `""` | +| `sentinel.service.externalTrafficPolicy` | Redis® Sentinel service external traffic policy | `Cluster` | +| `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `sentinel.service.clusterIP` | Redis® Sentinel service Cluster IP | `""` | +| `sentinel.service.createMaster` | Enable master service pointing to the current master (experimental) | `false` | +| `sentinel.service.loadBalancerIP` | Redis® Sentinel service Load Balancer IP | `""` | +| `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `sentinel.service.loadBalancerSourceRanges` | Redis® Sentinel service Load Balancer sources | `[]` | +| `sentinel.service.annotations` | Additional custom annotations for Redis® Sentinel service | `{}` | +| `sentinel.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `sentinel.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `sentinel.service.headless.annotations` | Annotations for the headless service. 
| `{}` | +| `sentinel.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-node pods | `30` | + +### Other Parameters + +| Name | Description | Value | +| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.metrics.allowExternal` | Don't require client label for connections for metrics endpoint | `true` | +| `networkPolicy.metrics.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces to metrics endpoint | `{}` | +| `networkPolicy.metrics.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces to metrics endpoint | `{}` | +| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. 
WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | +| `podSecurityPolicy.enabled` | Enable PodSecurityPolicy's RBAC rules | `false` | +| `rbac.create` | Specifies whether RBAC resources should be created | `false` | +| `rbac.rules` | Custom RBAC rules to set | `[]` | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | +| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +| `pdb.create` | Specifies whether a PodDisruptionBudget should be created | `false` | +| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` | +| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `""` | +| `tls.enabled` | Enable TLS traffic | `false` | +| `tls.authClients` | Require clients to authenticate | `true` | +| `tls.autoGenerated` | Enable autogenerated certificates | `false` | +| `tls.existingSecret` | The name of the existing secret that contains the TLS certificates | `""` | +| `tls.certificatesSecret` | DEPRECATED. Use existingSecret instead. 
| `""` | +| `tls.certFilename` | Certificate filename | `""` | +| `tls.certKeyFilename` | Certificate Key filename | `""` | +| `tls.certCAFilename` | CA Certificate filename | `""` | +| `tls.dhParamsFilename` | File containing DH params (in order to support DH based ciphers) | `""` | + +### Metrics Parameters + +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | +| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` | +| `metrics.image.registry` | Redis® Exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Redis® Exporter image repository | `REPOSITORY_NAME/redis-exporter` | +| `metrics.image.digest` | Redis® Exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` | +| `metrics.containerPorts.http` | Metrics HTTP container port | `9121` | +| `metrics.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.customStartupProbe` | Custom startupProbe that 
overrides the default one | `{}` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` | +| `metrics.redisTargetHost` | A way to specify an alternative Redis® hostname | `localhost` | +| `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` | +| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` | +| `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` | +| `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` | +| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` | +| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® 
metrics sidecar | `[]` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` | +| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` | +| `metrics.service.enabled` | Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor | `true` | +| `metrics.service.type` | Redis® exporter service type | `ClusterIP` | +| `metrics.service.ports.http` | Redis® exporter service port | `9121` | +| `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` | +| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` | +| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` | +| `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` | +| `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` | +| `metrics.serviceMonitor.port` | the service port to scrape metrics from | `http-metrics` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` | +| `metrics.serviceMonitor.interval` 
| The interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabelings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | +| `metrics.serviceMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | +| `metrics.serviceMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | +| `metrics.serviceMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` | +| `metrics.podMonitor.port` | the pod port to scrape metrics from | `metrics` | +| `metrics.podMonitor.enabled` | Create PodMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | +| `metrics.podMonitor.namespace` | The namespace in which the PodMonitor will be created | `""` | +| `metrics.podMonitor.interval` | The interval at which metrics should be scraped | `30s` | +| `metrics.podMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | +| `metrics.podMonitor.relabelings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.podMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. 
| `[]` | +| `metrics.podMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitor resource(s) can be discovered by Prometheus | `{}` | +| `metrics.podMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | +| `metrics.podMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | +| `metrics.podMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | +| `metrics.podMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` | +| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` | +| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` | + +### Init Container Parameters + +| Name | Description | Value | +| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | +| `kubectl.image.registry` | Kubectl image registry | `REGISTRY_NAME` | +| `kubectl.image.repository` | Kubectl image repository | `REPOSITORY_NAME/kubectl` | +| `kubectl.image.digest` | Kubectl image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `kubectl.image.pullPolicy` | Kubectl image pull policy | `IfNotPresent` | +| `kubectl.image.pullSecrets` | Kubectl pull secrets | `[]` | +| `kubectl.command` | kubectl command to execute | `["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"]` | +| `kubectl.containerSecurityContext.enabled` | Enabled kubectl containers' Security Context | `true` | +| `kubectl.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `kubectl.containerSecurityContext.runAsUser` | Set kubectl containers' Security Context runAsUser | `1001` | +| `kubectl.containerSecurityContext.runAsGroup` | Set kubectl containers' Security Context runAsGroup | `1001` | +| `kubectl.containerSecurityContext.runAsNonRoot` | Set kubectl containers' Security Context runAsNonRoot | `true` | +| `kubectl.containerSecurityContext.allowPrivilegeEscalation` | Set kubectl containers' Security Context allowPrivilegeEscalation | `false` | +| `kubectl.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` | +| `kubectl.containerSecurityContext.seccompProfile.type` | Set kubectl containers' Security Context seccompProfile | `RuntimeDefault` | +| `kubectl.containerSecurityContext.capabilities.drop` | Set kubectl containers' Security Context capabilities to drop | `["ALL"]` | +| `kubectl.resources.limits` | The resources limits for the kubectl containers | `{}` | +| `kubectl.resources.requests` | The requested resources for the kubectl containers | `{}` | +| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | +| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` | +| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | +| `sysctl.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production). | `nano` | +| `sysctl.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | + +### useExternalDNS Parameters + +| Name | Description | Value | +| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `useExternalDNS.enabled` | Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. | `false` | +| `useExternalDNS.additionalAnnotations` | Extra annotations to be utilized when `external-dns` is enabled. | `{}` | +| `useExternalDNS.annotationKey` | The annotation key utilized when `external-dns` is enabled. Setting this to `false` will disable annotations. | `external-dns.alpha.kubernetes.io/` | +| `useExternalDNS.suffix` | The DNS suffix utilized when `external-dns` is enabled. Note that we prepend the suffix with the full name of the release. | `""` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. 
For example, + +```console +helm install my-release \ + --set auth.password=secretpassword \ + oci://REGISTRY_NAME/REPOSITORY_NAME/redis +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The above command sets the Redis® server password to `secretpassword`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/redis +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/redis/values.yaml) + ## Troubleshooting Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). 
@@ -1048,6 +1047,17 @@ This issue can be mitigated by splitting the upgrade into two stages: one for al - Stage 2 (anything else that is not up to date, in this case only master): `helm upgrade oci://REGISTRY_NAME/REPOSITORY_NAME/redis` +### To 19.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + ### To 18.0.0 This major version updates the Redis® docker image version used from `7.0` to `7.2`, the new stable version. There are no major changes in the chart, but we recommend checking the [Redis® 7.2 release notes](https://raw.githubusercontent.com/redis/redis/7.2/00-RELEASENOTES) before upgrading. @@ -1246,4 +1256,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file +limitations under the License. diff --git a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/podmonitor.yaml b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/podmonitor.yaml index e6521c60..0e50aab1 100644 --- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/podmonitor.yaml +++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/podmonitor.yaml 
@@ -28,8 +28,8 @@ spec: {{- if .Values.metrics.podMonitor.honorLabels }} honorLabels: {{ .Values.metrics.podMonitor.honorLabels }} {{- end }} - {{- if .Values.metrics.podMonitor.relabellings }} - relabelings: {{- toYaml .Values.metrics.podMonitor.relabellings | nindent 6 }} + {{- with concat .Values.metrics.podMonitor.relabelings .Values.metrics.podMonitor.relabellings }} + relabelings: {{- toYaml . | nindent 6 }} {{- end }} {{- if .Values.metrics.podMonitor.metricRelabelings }} metricRelabelings: {{- toYaml .Values.metrics.podMonitor.metricRelabelings | nindent 6 }} @@ -45,8 +45,8 @@ spec: {{- if .honorLabels }} honorLabels: {{ .honorLabels }} {{- end }} - {{- if .relabellings }} - relabelings: {{- toYaml .relabellings | nindent 6 }} + {{- with concat .Values.metrics.podMonitor.relabelings .Values.metrics.podMonitor.relabellings }} + relabelings: {{- toYaml . | nindent 6 }} {{- end }} {{- if .metricRelabelings }} metricRelabelings: {{- toYaml .metricRelabelings | nindent 6 }} diff --git a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/statefulset.yaml b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/statefulset.yaml index dfb1352b..563d40e7 100644 --- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/statefulset.yaml +++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/statefulset.yaml @@ -598,8 +598,9 @@ spec: image: {{ template "redis.kubectl.image" . }} imagePullPolicy: {{ .Values.kubectl.image.pullPolicy | quote }} command: {{- toYaml .Values.kubectl.command | nindent 12 }} - securityContext: - runAsUser: 0 + {{- if .Values.kubectl.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.kubectl.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} volumeMounts: - name: kubectl-shared mountPath: /etc/shared 
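Review bot: In the second podmonitor.yaml hunk (`@@ -45,8 +45,8 @@`) the new `with concat .Values.metrics.podMonitor.relabelings .Values.metrics.podMonitor.relabellings` sits beside `.honorLabels` and `.metricRelabelings`, which suggests it is inside a `range` over the additional endpoints where `.` is the endpoint item (the loop header is outside the hunk). In that scope `.Values` would not resolve to the chart values, so rendering is likely to fail once an additional endpoint is configured, and the per-endpoint `.relabellings` that the old code honoured is no longer read. I would reference the root context instead, `{{- with concat $.Values.metrics.podMonitor.relabelings $.Values.metrics.podMonitor.relabellings }}`. The second servicemonitor.yaml hunk (`@@ -45,8 +45,8 @@`) has the same pattern with `serviceMonitor`.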
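Review bot: The kubectl container's `securityContext` is now rendered only while `kubectl.containerSecurityContext.enabled` is true, so setting it to false emits no container `securityContext` at all and the container falls back to pod-level or image defaults rather than to the old `runAsUser: 0` or the hardened values. That deserves a template comment above the `if`, for example `{{- /* when kubectl.containerSecurityContext.enabled is false no container securityContext is rendered */}}`. The "To 19.0.0" upgrade note in the README lists the changed defaults but not this switch from root to UID 1001. The only mount visible here is `kubectl-shared` at `/etc/shared` and the container spec continues outside the hunk, so it should be confirmed that the configured `kubectl.command` script still works as a non-root user with a read-only root filesystem.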
diff --git a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/servicemonitor.yaml b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/servicemonitor.yaml index 2e53ad93..0cda45d0 100644 --- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/servicemonitor.yaml +++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/servicemonitor.yaml @@ -28,8 +28,8 @@ spec: {{- if .Values.metrics.serviceMonitor.honorLabels }} honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} {{- end }} - {{- if .Values.metrics.serviceMonitor.relabellings }} - relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabellings | nindent 6 }} + {{- with concat .Values.metrics.serviceMonitor.relabelings .Values.metrics.serviceMonitor.relabellings }} + relabelings: {{- toYaml . | nindent 6 }} {{- end }} {{- if .Values.metrics.serviceMonitor.metricRelabelings }} metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }} @@ -45,8 +45,8 @@ spec: {{- if .honorLabels }} honorLabels: {{ .honorLabels }} {{- end }} - {{- if .relabellings }} - relabelings: {{- toYaml .relabellings | nindent 6 }} + {{- with concat .Values.metrics.serviceMonitor.relabelings .Values.metrics.serviceMonitor.relabellings }} + relabelings: {{- toYaml . | nindent 6 }} {{- end }} {{- if .metricRelabelings }} metricRelabelings: {{- toYaml .metricRelabelings | nindent 6 }} diff --git a/packages/system/dashboard/charts/kubeapps/charts/redis/values.yaml b/packages/system/dashboard/charts/kubeapps/charts/redis/values.yaml index a9517f04..c22abd7d 100644 --- a/packages/system/dashboard/charts/kubeapps/charts/redis/values.yaml +++ b/packages/system/dashboard/charts/kubeapps/charts/redis/values.yaml 
@@ -30,7 +30,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @@ -275,7 +275,7 @@ master: ## @param master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -315,12 +315,12 @@ master: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true allowPrivilegeEscalation: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault capabilities: 
@@ -737,7 +737,7 @@ replica: ## @param replica.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param replica.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -777,12 +777,12 @@ replica: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true allowPrivilegeEscalation: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault capabilities: @@ -1306,7 +1306,7 @@ sentinel: ## @param sentinel.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param sentinel.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -1332,12 +1332,12 @@ sentinel: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true allowPrivilegeEscalation: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault capabilities: 
@@ -1708,12 +1708,12 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true allowPrivilegeEscalation: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault capabilities: @@ -1729,7 +1729,7 @@ metrics: ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -1812,7 +1812,10 @@ metrics: ## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended ## scrapeTimeout: "" - ## @param metrics.serviceMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping. + ## @param metrics.serviceMonitor.relabelings Metrics RelabelConfigs to apply to samples before scraping. + ## + relabelings: [] + ## @skip metrics.serviceMonitor.relabellings DEPRECATED: Use `metrics.serviceMonitor.relabelings` instead. ## relabellings: [] ## @param metrics.serviceMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion. 
@@ -1866,7 +1869,10 @@ metrics: ## @param metrics.podMonitor.scrapeTimeout The timeout after which the scrape is ended ## scrapeTimeout: "" - ## @param metrics.podMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping. + ## @param metrics.podMonitor.relabelings Metrics RelabelConfigs to apply to samples before scraping. + ## + relabelings: [] + ## @skip metrics.podMonitor.relabellings DEPRECATED: Use `metrics.podMonitor.relabelings` instead. ## relabellings: [] ## @param metrics.podMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion. @@ -1988,7 +1994,7 @@ volumePermissions: ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -2009,7 +2015,7 @@ volumePermissions: ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) ## containerSecurityContext: - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 0 ## Kubectl InitContainer 
@@ -2046,6 +2052,30 @@ kubectl:
 ## @param kubectl.command kubectl command to execute
 ##
 command: ["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"]
+ ## Configure Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param kubectl.containerSecurityContext.enabled Enabled kubectl containers' Security Context
+ ## @param kubectl.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param kubectl.containerSecurityContext.runAsUser Set kubectl containers' Security Context runAsUser
+ ## @param kubectl.containerSecurityContext.runAsGroup Set kubectl containers' Security Context runAsGroup
+ ## @param kubectl.containerSecurityContext.runAsNonRoot Set kubectl containers' Security Context runAsNonRoot
+ ## @param kubectl.containerSecurityContext.allowPrivilegeEscalation Set kubectl containers' Security Context allowPrivilegeEscalation
+ ## @param kubectl.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem
+ ## @param kubectl.containerSecurityContext.seccompProfile.type Set kubectl containers' Security Context seccompProfile
+ ## @param kubectl.containerSecurityContext.capabilities.drop Set kubectl containers' Security Context capabilities to drop
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: ["ALL"]
 ## Bitnami Kubectl resource requests and limits
 ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
 ## @param kubectl.resources.limits The resources limits for the kubectl containers
@@ -2096,7 +2126,7 @@ sysctl: ## @param sysctl.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param sysctl.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: diff --git a/packages/system/dashboard/charts/kubeapps/templates/apprepository/deployment.yaml b/packages/system/dashboard/charts/kubeapps/templates/apprepository/deployment.yaml index 709d3923..b52a9db7 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/apprepository/deployment.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/apprepository/deployment.yaml @@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ template "kubeapps.apprepository.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.apprepository.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/apprepository/networkpolicy.yaml b/packages/system/dashboard/charts/kubeapps/templates/apprepository/networkpolicy.yaml new file mode 100644 index 00000000..cdf2d5cb --- /dev/null +++ b/packages/system/dashboard/charts/kubeapps/templates/apprepository/networkpolicy.yaml 
@@ -0,0 +1,59 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.packaging.helm.enabled .Values.apprepository.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "kubeapps.apprepository.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.apprepository.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: apprepository + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + policyTypes: + - Ingress + - Egress + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.apprepository.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: apprepository + {{- if .Values.apprepository.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + {{- range $port := .Values.apprepository.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + # Allow connection to PostgreSQL + - ports: + - port: {{ include "kubeapps.postgresql.port" . 
}} + {{- if .Values.postgresql.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: postgresql + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + {{- if .Values.apprepository.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.apprepository.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + {{- if .Values.apprepository.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.apprepository.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/apprepository/rbac.yaml b/packages/system/dashboard/charts/kubeapps/templates/apprepository/rbac.yaml index b59df30f..c2613618 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/apprepository/rbac.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/apprepository/rbac.yaml @@ -12,7 +12,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: Role metadata: name: {{ template "kubeapps.apprepository.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: apprepository {{- if .Values.commonAnnotations }} @@ -73,7 +73,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: RoleBinding metadata: name: {{ template "kubeapps.apprepository.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: apprepository {{- if .Values.commonAnnotations }} 
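Review bot: In the `allowExternalEgress: false` branch of the new apprepository NetworkPolicy, the first egress rule lists port 53 and every `kubeAPIServerPorts` entry with no `to:` selector, so those ports are allowed toward any destination rather than only cluster DNS and the API server. The PostgreSQL rule gets its `to:` podSelector only when `.Values.postgresql.enabled` is true, so with an external database that port is open to any peer as well. The values of `kubeAPIServerPorts` are not visible in this hunk, but if they include 443 the policy permits general HTTPS egress. I would at least state this in the template, e.g. `# NOTE: no "to:" selector - these ports are allowed to any destination`, and scope the DNS rule with a `to:` namespaceSelector where the cluster's DNS pods can be selected. The dashboard, frontend and kubeappsapis policies added later in this patch repeat the same egress block.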
@@ -112,7 +112,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: Role metadata: name: {{ printf "%s-repositories-read" .Release.Name }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: apprepository {{- if .Values.commonAnnotations }} @@ -132,7 +132,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: Role metadata: name: {{ printf "%s-repositories-write" .Release.Name }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: apprepository {{- if .Values.commonAnnotations }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/apprepository/serviceaccount.yaml b/packages/system/dashboard/charts/kubeapps/templates/apprepository/serviceaccount.yaml index 00d56352..c3dd90a1 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/apprepository/serviceaccount.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/apprepository/serviceaccount.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "kubeapps.apprepository.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.apprepository.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} 
diff --git a/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml b/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml index af217e56..2a4bf215 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "kubeapps.dashboard-config.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dashboard.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/dashboard/deployment.yaml b/packages/system/dashboard/charts/kubeapps/templates/dashboard/deployment.yaml index f01cad05..069b5263 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/dashboard/deployment.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/dashboard/deployment.yaml 
@@ -3,12 +3,12 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.dashboard.enabled -}} +{{- if .Values.dashboard.enabled }} apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ template "kubeapps.dashboard.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dashboard.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/dashboard/networkpolicy.yaml b/packages/system/dashboard/charts/kubeapps/templates/dashboard/networkpolicy.yaml new file mode 100644 index 00000000..52181ec1 --- /dev/null +++ b/packages/system/dashboard/charts/kubeapps/templates/dashboard/networkpolicy.yaml 
@@ -0,0 +1,71 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.dashboard.enabled .Values.dashboard.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "kubeapps.dashboard.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dashboard.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: dashboard + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + policyTypes: + - Ingress + - Egress + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dashboard.podLabels .Values.commonLabels $versionLabel ) "context" . 
) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: dashboard + {{- if .Values.dashboard.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + {{- range $port := .Values.dashboard.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + {{- if .Values.dashboard.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.dashboard.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + # Allow inbound connections + - ports: + - port: {{ .Values.dashboard.containerPorts.http }} + {{- if not .Values.dashboard.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.dashboard.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.dashboard.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.dashboard.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.dashboard.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.dashboard.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.dashboard.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/dashboard/service.yaml b/packages/system/dashboard/charts/kubeapps/templates/dashboard/service.yaml index 0f9da93b..4fbd1967 100644 
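Review bot: When `allowExternal` is false, the `from` podSelector under `ingress` is built from `.Values.commonLabels` only and, unlike the policy's own `podSelector`, adds no `app.kubernetes.io/component` label, so it presumably matches every pod that carries the release's standard labels. If only the frontend proxy is meant to reach `dashboard.containerPorts.http`, adding `app.kubernetes.io/component: frontend` under that `matchLabels` would express the intent. When `allowExternal` is true the rule has no `from` at all and the port accepts any source; the default lives in values.yaml outside this hunk, so it is worth checking which branch a default install renders. The frontend and kubeappsapis policies in this patch repeat this `from` block, though the appropriate peer differs per component.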
--- a/packages/system/dashboard/charts/kubeapps/templates/dashboard/service.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/dashboard/service.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "kubeapps.dashboard.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dashboard.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml b/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml index 44c10132..d43f521c 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "kubeapps.frontend-config.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/frontend/deployment.yaml b/packages/system/dashboard/charts/kubeapps/templates/frontend/deployment.yaml index 7ccec372..f6e78fe3 100644 
--- a/packages/system/dashboard/charts/kubeapps/templates/frontend/deployment.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/frontend/deployment.yaml @@ -7,7 +7,7 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/frontend/networkpolicy.yaml b/packages/system/dashboard/charts/kubeapps/templates/frontend/networkpolicy.yaml new file mode 100644 index 00000000..0c764ad8 --- /dev/null +++ b/packages/system/dashboard/charts/kubeapps/templates/frontend/networkpolicy.yaml 
@@ -0,0 +1,77 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.frontend.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: frontend + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + policyTypes: + - Ingress + - Egress + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.frontend.podLabels .Values.commonLabels $versionLabel ) "context" . 
) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: frontend + {{- if .Values.frontend.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + {{- range $port := .Values.frontend.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + {{- if .Values.frontend.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.frontend.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + # Allow inbound connections + - ports: + - port: {{ .Values.frontend.containerPorts.http }} + {{- if and .Values.authProxy.enabled (not .Values.authProxy.external) }} + - port: {{ .Values.authProxy.containerPorts.proxy }} + {{- end }} + {{- if .Values.pinnipedProxy.enabled }} + - port: {{ .Values.pinnipedProxy.containerPorts.pinnipedProxy }} + {{- end }} + {{- if not .Values.frontend.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.frontend.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.frontend.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.frontend.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.frontend.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.frontend.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.frontend.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- 
end }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/frontend/oauth2-secret.yaml b/packages/system/dashboard/charts/kubeapps/templates/frontend/oauth2-secret.yaml index 6db0517e..6de6e8eb 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/frontend/oauth2-secret.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/frontend/oauth2-secret.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "kubeapps.oauth2_proxy-secret.name" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/frontend/service.yaml b/packages/system/dashboard/charts/kubeapps/templates/frontend/service.yaml index 13ce55b1..f4494820 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/frontend/service.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/frontend/service.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.frontend.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} 
@@ -64,7 +64,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "kubeapps.pinniped-proxy.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: frontend {{- if or .Values.pinnipedProxy.service.annotations .Values.commonAnnotations }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/ingress-api.yaml b/packages/system/dashboard/charts/kubeapps/templates/ingress-api.yaml index 54d02156..0fa22494 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/ingress-api.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/ingress-api.yaml @@ -15,7 +15,7 @@ apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ template "common.names.fullname" . }}-http-api - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.ingress.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} 
@@ -75,7 +75,7 @@ apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.featureFlags.apiOnly.grpc.annotations .Values.ingress.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.featureFlags.apiOnly.grpc.annotations .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/ingress.yaml b/packages/system/dashboard/charts/kubeapps/templates/ingress.yaml index 69f0c861..2887b30d 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/ingress.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/ingress.yaml @@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.ingress.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/configmap.yaml b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/configmap.yaml index 2129cc8e..bbcd83e3 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/configmap.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/configmap.yaml 
@@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-configmap" (include "kubeapps.kubeappsapis.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml index 21ec7e7f..61d6e603 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml @@ -7,7 +7,7 @@ apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ template "kubeapps.kubeappsapis.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/networkpolicy.yaml b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/networkpolicy.yaml new file mode 100644 index 00000000..015ecaf2 --- /dev/null 
+++ b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/networkpolicy.yaml 
@@ -0,0 +1,74 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.kubeappsapis.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "kubeapps.kubeappsapis.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: kubeappsapis + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + policyTypes: + - Ingress + - Egress + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.kubeappsapis.podLabels .Values.commonLabels $versionLabel ) "context" . 
) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: kubeappsapis + {{- if .Values.kubeappsapis.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + {{- range $port := .Values.kubeappsapis.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + {{- if .Values.kubeappsapis.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.kubeappsapis.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + # Allow inbound connections + - ports: + - port: {{ .Values.kubeappsapis.containerPorts.http }} + {{- if .Values.ociCatalog.enabled }} + - port: {{ .Values.ociCatalog.containerPorts.grpc }} + {{- end }} + {{- if not .Values.kubeappsapis.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.kubeappsapis.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.kubeappsapis.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.kubeappsapis.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.kubeappsapis.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.kubeappsapis.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.kubeappsapis.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} 
diff --git a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/rbac_fluxv2.yaml b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/rbac_fluxv2.yaml index 1632da6f..2b87813a 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/rbac_fluxv2.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/rbac_fluxv2.yaml @@ -53,6 +53,6 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "kubeapps.kubeappsapis.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- end }} {{- end }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/service.yaml b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/service.yaml index 85c1a6dc..a0016f1f 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/service.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/service.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "kubeapps.kubeappsapis.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/serviceaccount.yaml b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/serviceaccount.yaml index 170724d0..8d664520 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/serviceaccount.yaml 
+++ b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/serviceaccount.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "kubeapps.kubeappsapis.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.kubeappsapis.image "chart" .Chart ) ) }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/shared/config.yaml b/packages/system/dashboard/charts/kubeapps/templates/shared/config.yaml index 7f633f1f..76b4e09b 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/shared/config.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/shared/config.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "kubeapps.clusters-config.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/packages/system/dashboard/charts/kubeapps/templates/tls-secrets.yaml b/packages/system/dashboard/charts/kubeapps/templates/tls-secrets.yaml index 1d3cbe8a..368cfceb 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/tls-secrets.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/tls-secrets.yaml 
@@ -30,7 +30,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/packages/system/dashboard/charts/kubeapps/values.yaml b/packages/system/dashboard/charts/kubeapps/values.yaml index 965620b3..3842f431 100644 --- a/packages/system/dashboard/charts/kubeapps/values.yaml +++ b/packages/system/dashboard/charts/kubeapps/values.yaml @@ -26,7 +26,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @param kubeVersion Override Kubernetes version @@ -211,7 +211,7 @@ frontend: image: registry: docker.io repository: bitnami/nginx - tag: 1.25.4-debian-12-r3 + tag: 1.25.4-debian-12-r7 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -258,22 +258,21 @@ frontend: type: RollingUpdate ## Frontend containers' resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param frontend.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if frontend.resources is set (frontend.resources is recommended for production). + ## @param frontend.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if frontend.resources is set (frontend.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param frontend.resources.limits.cpu The CPU limits for the NGINX container - ## @param frontend.resources.limits.memory The memory limits for the NGINX container - ## @param frontend.resources.requests.cpu The requested CPU for the NGINX container - ## @param frontend.resources.requests.memory The requested memory for the NGINX container + resourcesPreset: "micro" + ## @param frontend.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi ## - resources: - limits: - cpu: 250m - memory: 128Mi - requests: - cpu: 25m - memory: 32Mi + resources: {} ## @param frontend.extraEnvVars Array with extra environment variables to add to the NGINX container ## e.g: ## extraEnvVars: 
@@ -322,10 +321,10 @@ frontend:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
@@ -537,6 +536,64 @@ frontend: ## timeoutSeconds: 300 ## sessionAffinityConfig: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param frontend.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param frontend.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param frontend.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param frontend.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param frontend.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param frontend.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param frontend.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param frontend.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to 
match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Dashboard parameters ## Dashboard parameters @@ -558,7 +615,7 @@ dashboard: image: registry: docker.io repository: bitnami/kubeapps-dashboard - tag: 2.9.0-debian-12-r18 + tag: 2.10.0-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -654,22 +711,21 @@ dashboard: http: 8080 ## Dashboard containers' resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param dashboard.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if dashboard.resources is set (dashboard.resources is recommended for production). + ## @param dashboard.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dashboard.resources is set (dashboard.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param dashboard.resources.limits.cpu The CPU limits for the Dashboard container - ## @param dashboard.resources.limits.memory The memory limits for the Dashboard container - ## @param dashboard.resources.requests.cpu The requested CPU for the Dashboard container - ## @param dashboard.resources.requests.memory The requested memory for the Dashboard container + resourcesPreset: "micro" + ## @param dashboard.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi ## - resources: - limits: - cpu: 250m - memory: 128Mi - requests: - cpu: 25m - memory: 32Mi + resources: {} ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param dashboard.podSecurityContext.enabled Enabled Dashboard pods' Security Context 
@@ -701,10 +757,10 @@ dashboard:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
@@ -876,6 +932,64 @@ dashboard: ## @param dashboard.service.annotations Additional custom annotations for Dashboard service ## annotations: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param dashboard.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param dashboard.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param dashboard.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param dashboard.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param dashboard.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param dashboard.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param dashboard.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param 
dashboard.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section AppRepository Controller parameters ## AppRepository Controller parameters @@ -893,7 +1007,7 @@ apprepository: image: registry: docker.io repository: bitnami/kubeapps-apprepository-controller - tag: 2.9.0-debian-12-r18 + tag: 2.10.0-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -920,7 +1034,7 @@ apprepository: syncImage: registry: docker.io repository: bitnami/kubeapps-asset-syncer - tag: 2.9.0-debian-12-r19 + tag: 2.10.0-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -1029,22 +1143,21 @@ apprepository: type: RollingUpdate ## AppRepository Controller containers' resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param apprepository.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if apprepository.resources is set (apprepository.resources is recommended for production). + ## @param apprepository.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if apprepository.resources is set (apprepository.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param apprepository.resources.limits.cpu The CPU limits for the AppRepository Controller container - ## @param apprepository.resources.limits.memory The memory limits for the AppRepository Controller container - ## @param apprepository.resources.requests.cpu The requested CPU for the AppRepository Controller container - ## @param apprepository.resources.requests.memory The requested memory for the AppRepository Controller container + resourcesPreset: "micro" + ## @param apprepository.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi ## - resources: - limits: - cpu: 250m - memory: 128Mi - requests: - cpu: 25m - memory: 32Mi + resources: {} ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param apprepository.podSecurityContext.enabled Enabled AppRepository Controller 
pods' Security Context @@ -1076,10 +1189,10 @@ apprepository: enabled: true seLinuxOptions: null runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] 
@@ -1199,6 +1312,52 @@ apprepository: ## command: ['sh', '-c', 'echo "hello world"'] ## initContainers: [] + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param apprepository.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param apprepository.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param apprepository.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param apprepository.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param apprepository.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] ## AppRepository Controller Service Account ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## @param apprepository.serviceAccount.create Specifies whether a ServiceAccount should be created @@ -1232,7 +1391,7 @@ authProxy: image: registry: docker.io repository: bitnami/oauth2-proxy - tag: 7.6.0-debian-12-r4 + tag: 7.6.0-debian-12-r7 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -1342,10 +1501,10 @@ authProxy:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
@@ -1353,22 +1512,21 @@ authProxy: type: "RuntimeDefault" ## OAuth2 Proxy containers' resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param authProxy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if authProxy.resources is set (authProxy.resources is recommended for production). + ## @param authProxy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if authProxy.resources is set (authProxy.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param authProxy.resources.limits.cpu The CPU limits for the OAuth2 Proxy container - ## @param authProxy.resources.limits.memory The memory limits for the OAuth2 Proxy container - ## @param authProxy.resources.requests.cpu The requested CPU for the OAuth2 Proxy container - ## @param authProxy.resources.requests.memory The requested memory for the OAuth2 Proxy container + resourcesPreset: "micro" + ## @param authProxy.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi ## - resources: - limits: - cpu: 250m - memory: 128Mi - requests: - cpu: 25m - memory: 32Mi + resources: {} ## @section Pinniped Proxy parameters ## Pinniped Proxy configuration for converting user OIDC tokens to k8s client authorization certs 
@@ -1389,7 +1547,7 @@ pinnipedProxy:
 image:
 registry: docker.io
 repository: bitnami/kubeapps-pinniped-proxy
- tag: 2.9.0-debian-12-r17
+ tag: 2.10.0-debian-12-r0
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@@ -1473,10 +1631,10 @@ pinnipedProxy:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
@@ -1484,24 +1642,21 @@ pinnipedProxy: type: "RuntimeDefault" ## Pinniped Proxy containers' resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param pinnipedProxy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if pinnipedProxy.resources is set (pinnipedProxy.resources is recommended for production). + ## @param pinnipedProxy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if pinnipedProxy.resources is set (pinnipedProxy.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## Pinniped Proxy containers' resource requests and limits - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param pinnipedProxy.resources.limits.cpu The CPU limits for the Pinniped Proxy container - ## @param pinnipedProxy.resources.limits.memory The memory limits for the Pinniped Proxy container - ## @param pinnipedProxy.resources.requests.cpu The requested CPU for the Pinniped Proxy container - ## @param pinnipedProxy.resources.requests.memory The requested memory for the Pinniped Proxy container + resourcesPreset: "micro" + ## @param pinnipedProxy.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi ## - resources: - limits: - cpu: 250m - memory: 128Mi - requests: - cpu: 25m - memory: 32Mi + resources: {} ## Pinniped Proxy service parameters ## service: 
@@ -1609,19 +1764,22 @@ postgresql: enabled: false ## PostgreSQL containers' resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param postgresql.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if postgresql.resources is set (postgresql.resources is recommended for production). + ## @param postgresql.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if postgresql.resources is set (postgresql.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param postgresql.resources.limits The resources limits for the PostgreSQL container - ## @param postgresql.resources.requests.cpu The requested CPU for the PostgreSQL container - ## @param postgresql.resources.requests.memory The requested memory for the PostgreSQL container + resourcesPreset: "micro" + ## @param postgresql.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi ## - resources: - limits: {} - requests: - memory: 256Mi - cpu: 250m + ## + resources: {} ## @section kubeappsapis parameters kubeappsapis: ## @param kubeappsapis.enabledPlugins Manually override which plugins are enabled for the Kubeapps-APIs service @@ -1704,7 +1862,7 @@ kubeappsapis: image: registry: docker.io repository: bitnami/kubeapps-apis - tag: 2.9.0-debian-12-r19 + tag: 2.10.0-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -1765,22 +1923,21 @@ kubeappsapis: http: 50051 ## KubeappsAPIs containers' resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param kubeappsapis.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if kubeappsapis.resources is set (kubeappsapis.resources is recommended for production). + ## @param kubeappsapis.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if kubeappsapis.resources is set (kubeappsapis.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param kubeappsapis.resources.limits.cpu The CPU limits for the KubeappsAPIs container - ## @param kubeappsapis.resources.limits.memory The memory limits for the KubeappsAPIs container - ## @param kubeappsapis.resources.requests.cpu The requested CPU for the KubeappsAPIs container - ## @param kubeappsapis.resources.requests.memory The requested memory for the KubeappsAPIs container + resourcesPreset: "micro" + ## @param kubeappsapis.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi ## - resources: - limits: - cpu: 250m - memory: 256Mi - requests: - cpu: 25m - memory: 32Mi + resources: {} ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param kubeappsapis.podSecurityContext.enabled Enabled KubeappsAPIs pods' Security Context 
@@ -1812,10 +1969,10 @@ kubeappsapis:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
@@ -1987,6 +2144,64 @@ kubeappsapis: ## @param kubeappsapis.service.annotations Additional custom annotations for KubeappsAPIs service ## annotations: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param kubeappsapis.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param kubeappsapis.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param kubeappsapis.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param kubeappsapis.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param kubeappsapis.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param kubeappsapis.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param kubeappsapis.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from 
other namespaces + ## @param kubeappsapis.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## kubeappsapis Service Account ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## @param kubeappsapis.serviceAccount.create Specifies whether a ServiceAccount should be created @@ -2017,7 +2232,7 @@ ociCatalog: image: registry: docker.io repository: bitnami/kubeapps-oci-catalog - tag: 2.9.0-debian-12-r17 + tag: 2.10.0-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -2057,22 +2272,21 @@ ociCatalog: grpc: 50061 ## OCI Catalog containers' resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - ## @param ociCatalog.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if ociCatalog.resources is set (ociCatalog.resources is recommended for production). + ## @param ociCatalog.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if ociCatalog.resources is set (ociCatalog.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" - ## @param ociCatalog.resources.limits.cpu The CPU limits for the OCI Catalog container - ## @param ociCatalog.resources.limits.memory The memory limits for the OCI Catalog container - ## @param ociCatalog.resources.requests.cpu The requested CPU for the OCI Catalog container - ## @param ociCatalog.resources.requests.memory The requested memory for the OCI Catalog container + resourcesPreset: "micro" + ## @param ociCatalog.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi ## - resources: - limits: - cpu: 250m - memory: 256Mi - requests: - cpu: 25m - memory: 32Mi + resources: {} ## Configure Container Security Context (only main container) ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param ociCatalog.containerSecurityContext.enabled Enabled containers' Security Context 
@@ -2090,10 +2304,10 @@ ociCatalog: enabled: true seLinuxOptions: null runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -2211,6 +2425,23 @@ redis: ## @param redis.master.persistence.enabled Enable Redis® master data persistence using PVC ## enabled: false + ## Redis® master resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param redis.master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param redis.master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} replica: ## @param redis.replica.replicaCount Number of Redis® replicas to deploy ## diff --git a/packages/system/dashboard/images/dashboard.json b/packages/system/dashboard/images/dashboard.json index 611f0678..d093611c 100644 --- a/packages/system/dashboard/images/dashboard.json +++ b/packages/system/dashboard/images/dashboard.json 
@@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:ebf11c0997c964a7eeadabecf3bade4c42f623cd03d4c742c8e0748d744f2b48", - "containerimage.digest": "sha256:1f2ba6374064bdc927fc7e61c95f58a6f76c121c828d438d212f8772bc52b170" + "containerimage.config.digest": "sha256:ac9429d9bf66dd913a37fa9c22a6a2ccdc5d6bef50986bfef7868b5643ecaab2", + "containerimage.digest": "sha256:b551704d07e93f9837d36bb610ae5d10508325c31e9bd98a019452eed12ed96f" } \ No newline at end of file diff --git a/packages/system/dashboard/images/dashboard.tag b/packages/system/dashboard/images/dashboard.tag index 6cca9596..6e88145f 100644 --- a/packages/system/dashboard/images/dashboard.tag +++ b/packages/system/dashboard/images/dashboard.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/dashboard:v0.3.1 +ghcr.io/aenix-io/cozystack/dashboard:latest diff --git a/packages/system/dashboard/images/dashboard/Dockerfile b/packages/system/dashboard/images/dashboard/Dockerfile index 279fa813..68bfe60f 100644 --- a/packages/system/dashboard/images/dashboard/Dockerfile +++ b/packages/system/dashboard/images/dashboard/Dockerfile @@ -1,10 +1,10 @@ # Copyright 2018-2023 the Kubeapps contributors. # SPDX-License-Identifier: Apache-2.0 -FROM bitnami/node:20.11.0 AS build +FROM bitnami/node:20.12.1 AS build WORKDIR /app -ARG VERSION=2.9.0 +ARG VERSION=2.10.0 RUN wget -O- https://github.com/vmware-tanzu/kubeapps/archive/refs/tags/v${VERSION}.tar.gz | tar xzf - --strip-components=2 kubeapps-${VERSION}/dashboard COPY apple-touch-icon.png favicon-16x16.png favicon-32x32.png favicon.ico mstile-144x144.png mstile-150x150.png mstile-310x150.png mstile-310x310.png mstile-70x70.png safari-pinned-tab.svg public/ 
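Review bot: `dashboard.tag` now points at `ghcr.io/aenix-io/cozystack/dashboard:latest` instead of the pinned `v0.3.1`, so the committed reference no longer identifies one image; whatever is pushed to `latest` next is what gets pulled. The digest recorded in `dashboard.json` is not part of this reference, so as far as this diff shows it does not constrain the pull. If a release step rewrites the tag later that is workable, but the committed state is safer with a version tag plus digest, e.g. `ghcr.io/aenix-io/cozystack/dashboard:<version>@sha256:<containerimage.digest>` (placeholders). The same change is made in the `kubeapps-apis.tag` hunk further down.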
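Review bot: The `ARG VERSION=2.10.0` bump changes which archive the context line `RUN wget -O- https://github.com/vmware-tanzu/kubeapps/archive/refs/tags/v${VERSION}.tar.gz | tar xzf - ...` unpacks, and that download is piped straight into `tar` with no integrity check. A Git tag can be re-pointed, so the build trusts whatever is served at build time. Consider recording the expected SHA-256 next to `VERSION` (for example an `ARG` such as `KUBEAPPS_SHA256`, a constructed name), saving the archive to a file and running `echo "${KUBEAPPS_SHA256}  kubeapps.tar.gz" | sha256sum -c -` before extracting. `FROM bitnami/node:20.12.1` is likewise a mutable tag and could carry an `@sha256:` digest. The `kubeapps-apis` Dockerfile below has the same unverified download and an untagged `FROM alpine as source`.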
@@ -26,8 +26,22 @@ RUN yarn install --frozen-lockfile RUN yarn run prettier-check && yarn run ts-compile-check RUN yarn run build -RUN sed -i 's/hsl(206, 25%, 25%)/hsl(225, 6%, 13%)/g' $(grep -rl 'hsl(206, 25\%, 25\%)') -RUN sed -i 's/#304250/#202124/g' $(grep -rl "#304250") +RUN sed -i \ + -e 's/#2d4048/#202124/g' \ + -e 's/#25333d/#1e2023/g' \ + -e 's/#fcfdfd/#f3f4f5/g' \ + -e 's/#f1f6f8/#e7e9eb/g' \ + -e 's/#e3eaed/#d3d6da/g' \ + -e 's/#cbd4d8/#b7bbc1/g' \ + -e 's/#aeb8bc/#989da3/g' \ + -e 's/#859399/#7b7f85/g' \ + -e 's/#6a7a81/#63666b/g' \ + -e 's/#4f6169/#4f5256/g' \ + -e 's/#3a4d55/#3a3d41/g' \ + -e 's/#2d4048/#202124/g' \ + -e 's/#21333b/#1a1c1f/g' \ + -e 's/#1b2b32/#141619/g' \ + $(grep -rl "#2d4048\|#25333d\|#fcfdfd\|#f1f6f8\|#e3eaed\|#cbd4d8\|#aeb8bc\|#859399\|#6a7a81\|#4f6169\|#3a4d55\|#2d4048\|#21333b\|#1b2b32") FROM bitnami/nginx:1.25.2 COPY --from=build /app/build /app diff --git a/packages/system/dashboard/images/kubeapps-apis.json b/packages/system/dashboard/images/kubeapps-apis.json index b93cd4f3..7ec66a96 100644 --- a/packages/system/dashboard/images/kubeapps-apis.json +++ b/packages/system/dashboard/images/kubeapps-apis.json @@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:e5f295cce1b460e2423f07326e812a201fac6ab594ecfc75eddfa81f46fd10fb", - "containerimage.digest": "sha256:6e32bb3f1afaf93e4e619d5655c43dcd1bf10e0d30aa8136e738484f1b0bd474" + "containerimage.config.digest": "sha256:ab059b6397905b2a2084def06582e61b49c4a8a3374747e87b08c82621357420", + "containerimage.digest": "sha256:9c1093da42482f116b27407edcdf8b24122885e295cbb632e565213c66fc07c0" } \ No newline at end of file diff --git a/packages/system/dashboard/images/kubeapps-apis.tag b/packages/system/dashboard/images/kubeapps-apis.tag index 502d3dae..b87bc749 100644 --- a/packages/system/dashboard/images/kubeapps-apis.tag +++ b/packages/system/dashboard/images/kubeapps-apis.tag 
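Review bot: The expression `-e 's/#2d4048/#202124/g'` appears twice in the new `sed` call and `#2d4048` is also listed twice in the `grep -rl` pattern; the second copy of each does nothing and can be dropped. `grep -rl` is given no path, so it walks everything under the working directory rather than only the output that the final stage takes with `COPY --from=build /app/build /app`; passing that directory explicitly (presumably `build/`) keeps the in-place rewrite scoped to what ships. The context line `FROM bitnami/nginx:1.25.2` is older than the `1.25.4-debian-12-r7` nginx tag this commit sets in the chart's values.yaml and, like the other base images, is not digest-pinned, so it may be worth updating in the same change.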
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.3.1
+ghcr.io/aenix-io/cozystack/kubeapps-apis:latest
diff --git a/packages/system/dashboard/images/kubeapps-apis/Dockerfile b/packages/system/dashboard/images/kubeapps-apis/Dockerfile
index fdc110ea..b53ee603 100644
--- a/packages/system/dashboard/images/kubeapps-apis/Dockerfile
+++ b/packages/system/dashboard/images/kubeapps-apis/Dockerfile
@@ -1,21 +1,19 @@
-# Copyright 2021-2023 the Kubeapps contributors.
+# Copyright 2021-2024 the Kubeapps contributors.
 # SPDX-License-Identifier: Apache-2.0
 # syntax = docker/dockerfile:1
 FROM alpine as source
-ARG VERSION=v2.9.0
+ARG VERSION=v2.10.0
 RUN apk add --no-cache patch
 WORKDIR /source
 RUN wget -O- https://github.com/vmware-tanzu/kubeapps/archive/refs/tags/${VERSION}.tar.gz | tar xzf - --strip-components=1
-COPY fix-flux.diff /patches/fix-flux.diff
 COPY labels.diff /patches/labels.diff
 COPY reconcile-strategy.diff /patches/reconcile-strategy.diff
-RUN patch -p1 < /patches/fix-flux.diff
 RUN patch -p1 < /patches/labels.diff
 RUN patch -p1 < /patches/reconcile-strategy.diff
-FROM bitnami/golang:1.21.1 as builder
+FROM bitnami/golang:1.22.2 as builder
 WORKDIR /go/src/github.com/vmware-tanzu/kubeapps
 COPY --from=source /source/go.mod /source/go.sum ./
 ARG VERSION="devel"
@@ -25,16 +23,16 @@ ARG TARGETARCH
 ARG lint
 # https://github.com/bufbuild/buf/releases/
-ARG BUF_VERSION="1.26.0"
+ARG BUF_VERSION="1.30.1"
 # https://github.com/golangci/golangci-lint/releases
-ARG GOLANGCILINT_VERSION="1.53.3"
+ARG GOLANGCILINT_VERSION="1.57.2"
 # https://github.com/grpc-ecosystem/grpc-health-probe/releases/
-ARG GRPC_HEALTH_PROBE_VERSION="0.4.19"
+ARG GRPC_HEALTH_PROBE_VERSION="0.4.25"
 # Install lint tools
-RUN if [ ! -z "$lint" ]; then \
+RUN if [ ! -z ${lint:-} ]; then \
 go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$GOLANGCILINT_VERSION; \
 fi
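Review bot: The lint guard drops the quotes around the variable: `[ ! -z ${lint:-} ]` collapses to `[ ! -z ]` when `lint` is empty and fails with a test syntax error if the build argument ever contains whitespace. The quoted form `RUN if [ -n "${lint:-}" ]; then \` keeps the `:-` default and gives the same result for the empty and non-empty cases. The same line is changed in the `@@ -55,7 +53,7 @@` hunk and should get the same treatment.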
@@ -55,7 +53,7 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 COPY --from=source /source/pkg pkg
 COPY --from=source /source/cmd cmd
-RUN if [ ! -z "$lint" ]; then \
+RUN if [ ! -z ${lint:-} ]; then \
 # Run golangci-lint to detect issues
 golangci-lint run --timeout=10m ./cmd/kubeapps-apis/... && \
 golangci-lint run --timeout=10m ./pkg/...; \
@@ -67,6 +65,7 @@ RUN /tmp/buf lint ./cmd/kubeapps-apis
 # Build the main grpc server
 RUN --mount=type=cache,target=/go/pkg/mod \
 --mount=type=cache,target=/root/.cache/go-build \
+ GOPROXY="https://proxy.golang.org,direct" \
 go build \
 -ldflags "-X github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/cmd.version=$VERSION" \
 ./cmd/kubeapps-apis
diff --git a/packages/system/dashboard/images/kubeapps-apis/dockerfile.diff b/packages/system/dashboard/images/kubeapps-apis/dockerfile.diff
index ac997072..d8278408 100644
--- a/packages/system/dashboard/images/kubeapps-apis/dockerfile.diff
+++ b/packages/system/dashboard/images/kubeapps-apis/dockerfile.diff
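Review bot: The added `GOPROXY="https://proxy.golang.org,direct"` in the `@@ -67,6 +65,7 @@` hunk carries no comment explaining why it is set on this one `go build` step; the value matches Go's built-in default, so presumably something in the base image or build environment overrides it. A line such as `# GOPROXY is set explicitly because <reason>; keep in sync with the module download step` would document that. With the `direct` fallback a module can be fetched from its origin repository, so integrity rests on `go.sum` and on `GOSUMDB` not being turned off in this image.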
@@ -1,27 +1,27 @@ -diff --git b/system/kubeapps/images/kubeapps-apis/Dockerfile a/system/kubeapps/images/kubeapps-apis/Dockerfile -index e5fcd8c..f72964d 100644 --- b/system/kubeapps/images/kubeapps-apis/Dockerfile +++ a/system/kubeapps/images/kubeapps-apis/Dockerfile -@@ -3,9 +3,17 @@ +@@ -3,9 +3,19 @@ # syntax = docker/dockerfile:1 +FROM alpine as source -+ARG VERSION=v2.9.0 ++ARG VERSION=v2.10.0 +RUN apk add --no-cache patch +WORKDIR /source +RUN wget -O- https://github.com/vmware-tanzu/kubeapps/archive/refs/tags/${VERSION}.tar.gz | tar xzf - --strip-components=1 -+COPY fix-flux.diff /patches/fix-flux.diff -+RUN patch -p1 < /patches/fix-flux.diff ++COPY labels.diff /patches/labels.diff ++COPY reconcile-strategy.diff /patches/reconcile-strategy.diff ++RUN patch -p1 < /patches/labels.diff ++RUN patch -p1 < /patches/reconcile-strategy.diff + - FROM bitnami/golang:1.21.1 as builder + FROM bitnami/golang:1.22.2 as builder WORKDIR /go/src/github.com/vmware-tanzu/kubeapps -COPY go.mod go.sum ./ +COPY --from=source /source/go.mod /source/go.sum ./ ARG VERSION="devel" ARG TARGETARCH -@@ -40,8 +48,8 @@ RUN --mount=type=cache,target=/go/pkg/mod \ +@@ -40,8 +52,8 @@ # We don't copy the pkg and cmd directories until here so the above layers can # be reused. @@ -30,5 +30,5 @@ index e5fcd8c..f72964d 100644 +COPY --from=source /source/pkg pkg +COPY --from=source /source/cmd cmd - RUN if [ ! -z "$lint" ]; then \ + RUN if [ ! -z ${lint:-} ]; then \ # Run golangci-lint to detect issues diff --git a/packages/system/dashboard/images/kubeapps-apis/fix-flux.diff b/packages/system/dashboard/images/kubeapps-apis/fix-flux.diff deleted file mode 100644 index fb0023b7..00000000 --- a/packages/system/dashboard/images/kubeapps-apis/fix-flux.diff +++ /dev/null 
@@ -1,28 +0,0 @@ -diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go -index 8886f4d479e..1ab08c074a5 100644 ---- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go -+++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go -@@ -579,9 +579,9 @@ func (s *repoEventSink) onAddRepo(key string, obj ctrlclient.Object) (interface{ - // ref https://fluxcd.io/docs/components/source/helmrepositories/#status - func (s *repoEventSink) onAddHttpRepo(repo sourcev1.HelmRepository) ([]byte, bool, error) { - if artifact := repo.GetArtifact(); artifact != nil { -- if checksum := artifact.Checksum; checksum == "" { -+ if checksum := artifact.Digest; checksum == "" { - return nil, false, connect.NewError(connect.CodeInternal, -- fmt.Errorf("expected field status.artifact.checksum not found on HelmRepository\n[%s]", -+ fmt.Errorf("expected field status.artifact.digest not found on HelmRepository\n[%s]", - common.PrettyPrint(repo))) - } else { - return s.indexAndEncode(checksum, repo) -@@ -721,9 +721,9 @@ func (s *repoEventSink) onModifyHttpRepo(key string, oldValue interface{}, repo - // ref https://fluxcd.io/docs/components/source/helmrepositories/#status - var newChecksum string - if artifact := repo.GetArtifact(); artifact != nil { -- if newChecksum = artifact.Checksum; newChecksum == "" { -+ if newChecksum = artifact.Digest; newChecksum == "" { - return nil, false, connect.NewError(connect.CodeInternal, -- fmt.Errorf("expected field status.artifact.checksum not found on HelmRepository\n[%s]", -+ fmt.Errorf("expected field status.artifact.digest not found on HelmRepository\n[%s]", - common.PrettyPrint(repo))) - } - } else { diff --git a/packages/system/dashboard/images/kubeapps-apis/labels.diff b/packages/system/dashboard/images/kubeapps-apis/labels.diff index 71e1cc6a..23bcdc93 100644 --- a/packages/system/dashboard/images/kubeapps-apis/labels.diff 
+++ b/packages/system/dashboard/images/kubeapps-apis/labels.diff @@ -1,5 +1,5 @@ diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go -index fe7ca772d..3b46afbd1 100644 +index c489cb6ca..8884a6484 100644 --- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go +++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go @@ -29,8 +29,10 @@ import ( @@ -16,7 +16,7 @@ index fe7ca772d..3b46afbd1 100644 @@ -54,7 +56,10 @@ func (s *Server) listReleasesInCluster(ctx context.Context, headers http.Header, // see any results created/updated/deleted after the first request is issued // To fix this, we must make use of resourceVersion := relList.GetResourceVersion() - var relList helmv2.HelmReleaseList + var relList helmv2beta2.HelmReleaseList - if err = client.List(ctx, &relList); err != nil { + listOptions := ctrlclient.ListOptions{ + LabelSelector: labels.SelectorFromSet(labels.Set{"cozystack.io/ui": "true"}), @@ -25,18 +25,18 @@ index fe7ca772d..3b46afbd1 100644 return nil, connecterror.FromK8sError("list", "HelmRelease", namespace+"/*", err) } else { return relList.Items, nil -@@ -511,6 +516,9 @@ func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.Namesp +@@ -512,6 +517,9 @@ func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.Namesp ObjectMeta: metav1.ObjectMeta{ - Name: chart.Name + "-" + targetName.Name, + Name: targetName.Name, Namespace: targetName.Namespace, + Labels: map[string]string{ + "cozystack.io/ui": "true", + }, }, - Spec: helmv2.HelmReleaseSpec{ - Chart: helmv2.HelmChartTemplate{ + Spec: helmv2beta2.HelmReleaseSpec{ + Chart: helmv2beta2.HelmChartTemplate{ diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go -index 1ab08c074..cd7b3b9aa 100644 +index 790b21514..539276a17 100644 
--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go +++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go @@ -32,6 +32,7 @@ import ( @@ -49,7 +49,7 @@ index 1ab08c074..cd7b3b9aa 100644 log "k8s.io/klog/v2" @@ -64,7 +65,8 @@ func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header, - var repoList sourcev1.HelmRepositoryList + var repoList sourcev1beta2.HelmRepositoryList listOptions := ctrlclient.ListOptions{ - Namespace: ns, + Namespace: ns, @@ -57,3 +57,13 @@ index 1ab08c074..cd7b3b9aa 100644 } if err := client.List(backgroundCtx, &repoList, &listOptions); err != nil { return nil, connecterror.FromK8sError("list", "HelmRepository", "", err) +@@ -927,6 +929,9 @@ func newFluxHelmRepo( + ObjectMeta: metav1.ObjectMeta{ + Name: targetName.Name, + Namespace: targetName.Namespace, ++ Labels: map[string]string{ ++ "cozystack.io/ui": "true", ++ }, + }, + Spec: sourcev1beta2.HelmRepositorySpec{ + URL: url, diff --git a/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff b/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff index fc1cc233..f4f9b20a 100644 --- a/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff +++ b/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff @@ -1,9 +1,9 @@ diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go -index fe7ca772d..8111feb1c 100644 +index 8884a6484..4bf77071c 100644 --- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go 
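Review bot: The label `cozystack.io/ui: "true"` that the new `newFluxHelmRepo` hunk stamps on repositories works as a visibility filter, not as an access control, and the patch never says so. The selector visible in `listReleasesInCluster` only narrows list calls, and a label can be edited by anyone allowed to patch the object. I would add a comment next to the selector, e.g. `// cozystack.io/ui is a UI visibility filter; RBAC still decides what a user may read`. The key also appears as a string literal at least three times across `release.go` and `repo.go`, so a shared constant would keep the selector and the stamped labels from drifting apart.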
+++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go -@@ -521,6 +529,7 @@ func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.Namesp - Kind: sourcev1.HelmRepositoryKind, +@@ -530,6 +530,7 @@ func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.Namesp + Kind: sourcev1beta2.HelmRepositoryKind, Namespace: chart.Repo.Namespace, }, + ReconcileStrategy: "Revision", diff --git a/packages/system/dashboard/values.yaml b/packages/system/dashboard/values.yaml index 28aeeec3..48d7f271 100644 --- a/packages/system/dashboard/values.yaml +++ b/packages/system/dashboard/values.yaml @@ -15,3 +15,12 @@ kubeapps: #serviceaccount-selector { display: none; } + .login-moreinfo { + display: none; + } + a[href="#/docs"] { + display: none; + } + .login-group .clr-form-control .clr-control-label { + display: none; + }