diff --git a/charts/databunker/templates/NOTES.txt b/charts/databunker/templates/NOTES.txt
index 788d570..fba53f8 100644
--- a/charts/databunker/templates/NOTES.txt
+++ b/charts/databunker/templates/NOTES.txt
@@ -2,49 +2,74 @@ CHART NAME: {{ .Chart.Name }} CHART VERSION: {{ .Chart.Version }} APP VERSION: {{ .Chart.AppVersion }} -{{- if or .Values.mariadb.enabled .Values.externalDatabase.host -}} - ** Please be patient while the chart is being deployed ** -1. Get the Databunker URL: +{{- if or .Values.mariadb.enabled .Values.externalDatabase.host -}} -{{- if .Values.ingress.enabled }} +{{- if empty (include "databunker.host" .) -}} +############################################################################### +### ERROR: You did not provide an external host in your 'helm install' call ### +############################################################################### - You should be able to access your new Databunker installation through +This deployment will be incomplete until you configure Databunker with a resolvable +host. To configure Databunker with the URL of your service: - http://{{- .Values.ingress.hostname }}/ +1. Get the Databunker URL by running: -{{- else if eq .Values.service.type "LoadBalancer" }} + {{- if eq .Values.service.type "NodePort" }} + + export APP_PORT=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} -o jsonpath="{.spec.ports[0].nodePort}") + export APP_HOST=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + + {{- else if eq .Values.service.type "LoadBalancer" }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "common.names.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + export APP_HOST=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . 
}}{{ end }}" }}") + export APP_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "databunker.secretName" . }} -o jsonpath="{.data.databunker-password}" | base64 --decode) + export DATABASE_ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "databunker.databaseSecretName" . }} -o jsonpath="{.data.mariadb-root-password}" | base64 --decode) + {{- end }} + export APP_DATABASE_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "databunker.databaseSecretName" . }} -o jsonpath="{.data.mariadb-password}" | base64 --decode) -{{- $port:=.Values.service.port | toString }} - echo "Databunker URL: http://$SERVICE_IP{{- if ne $port "80" }}:{{ .Values.service.port }}{{ end }}/" +2. Complete your Databunker deployment by running: -{{- else if eq .Values.service.type "ClusterIP" }} +{{- if .Values.mariadb.enabled }} - echo "Databunker URL: http://127.0.0.1:8080/" - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . 
}} 8080:{{ .Values.service.port }} + helm upgrade --namespace {{ .Release.Namespace }} {{ .Release.Name }} bitnami/{{ .Chart.Name }} \ + --set databunkerHost=$APP_HOST,databunkerPassword=$APP_PASSWORD,mariadb.auth.rootPassword=$DATABASE_ROOT_PASSWORD,mariadb.auth.password=$APP_DATABASE_PASSWORD{{- if .Values.global }}{{- if .Values.global.imagePullSecrets }},global.imagePullSecrets={{ .Values.global.imagePullSecrets }}{{- end }}{{- end }} +{{- else }} + ## PLEASE UPDATE THE EXTERNAL DATABASE CONNECTION PARAMETERS IN THE FOLLOWING COMMAND AS NEEDED ## + + helm upgrade --namespace {{ .Release.Namespace }} {{ .Release.Name }} bitnami/{{ .Chart.Name }} \ + --set databunkerPassword=$APP_PASSWORD,databunkerHost=$APP_HOST,service.type={{ .Values.service.type }},mariadb.enabled=false{{- if not (empty .Values.externalDatabase.host) }},externalDatabase.host={{ .Values.externalDatabase.host }}{{- end }}{{- if not (empty .Values.externalDatabase.user) }},externalDatabase.user={{ .Values.externalDatabase.user }}{{- end }}{{- if not (empty .Values.externalDatabase.password) }},externalDatabase.password={{ .Values.externalDatabase.password }}{{- end }}{{- if not (empty .Values.externalDatabase.database) }},externalDatabase.database={{ .Values.externalDatabase.database }}{{- end }}{{- if .Values.global }}{{- if .Values.global.imagePullSecrets }},global.imagePullSecrets={{ .Values.global.imagePullSecrets }}{{- end }}{{- end }} {{- end }} -{{- if eq .Values.service.type "NodePort" }} +{{- else -}} +1. Get the Databunker URL by running: - Or running: +{{- if eq .Values.service.type "ClusterIP" }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . 
}}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo "Databunker URL: http://$NODE_IP:$NODE_PORT/" + echo "Store URL: http{{ if .Values.databunkerUseHttps }}s{{ end }}://127.0.0.1:8080/" + echo "Admin URL: http{{ if .Values.databunkerUseSecureAdmin }}s{{ end }}://127.0.0.1:8080/{{ .Values.databunkerAdminUri }}" + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }} 8080:{{ .Values.service.port }} + +{{- else }} + +{{- $port:=.Values.service.port | toString }} +{{- $httpsPort:=.Values.service.httpsPort | toString }} + + echo "Store URL: http{{ if .Values.databunkerUseHttps }}s{{ end }}://{{ include "databunker.host" . }}{{ if not (or (and (eq $port "80") (not .Values.databunkerUseHttps)) (and (eq $httpsPort "443") (.Values.databunkerUseHttps))) }}:{{ if .Values.databunkerUseHttps }}{{ .Values.service.httpsPort }}{{ else }}{{ .Values.service.port }}{{ end }}{{ end }}/" + echo "Admin URL: http{{ if .Values.databunkerUseSecureAdmin }}s{{ end }}://{{ include "databunker.host" . }}{{ if not (or (and (eq $port "80") (not .Values.databunkerUseSecureAdmin)) (and (eq $httpsPort "443") (.Values.databunkerUseSecureAdmin))) }}:{{ if .Values.databunkerUseSecureAdmin }}{{ .Values.service.httpsPort }}{{ else }}{{ .Values.service.port }}{{ end }}{{ end }}/{{ .Values.databunkerAdminUri }}" {{- end }} 2. Get your Databunker login credentials by running: - echo Masterkey: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "databunker.secretName" . }} -o jsonpath="{.data.databunker-masterkey}" | base64 --decode) - echo Roottoken: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "databunker.secretName" . 
}} -o jsonpath="{.data.databunker-roottoken}" | base64 --decode) + echo Username : {{ .Values.databunkerUsername }} + echo Password : $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "databunker.secretName" . }} -o jsonpath="{.data.databunker-password}" | base64 --decode) +{{- end }} {{- else -}} 
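Review bot: In the `{{- if empty (include "databunker.host" .) -}}` branch, `export APP_PASSWORD=...` and `export DATABASE_ROOT_PASSWORD=...` sit inside the `{{- else if eq .Values.service.type "LoadBalancer" }}` arm, so on a NodePort service the step-2 `helm upgrade --set databunkerPassword=$APP_PASSWORD,...,mariadb.auth.rootPassword=$DATABASE_ROOT_PASSWORD` runs with both variables empty and the upgrade passes empty passwords to the chart. Move the two exports below the `{{- end }}`, next to `export APP_DATABASE_PASSWORD=...`, so they are printed for every service type. `APP_PORT` is exported in the NodePort arm but never used afterwards; either drop it or append it to the host passed as `databunkerHost`. These commands also place the MariaDB root password on the `helm` command line, where it lands in shell history and the process list; since reading it from the Secret is the existing chart pattern, a one-line remark in the notes is enough here.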
@@ -54,16 +79,26 @@ APP VERSION: {{ .Chart.AppVersion }} This deployment will be incomplete until you configure Databunker with a resolvable database host. To configure Databunker to use and external database host: - 1. Complete your Databunker deployment by running: +{{- if eq .Values.service.type "NodePort" }} + export APP_HOST=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") +{{- else if eq .Values.service.type "LoadBalancer" }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "common.names.fullname" . }}' + + export APP_HOST=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") +{{- else }} + + export APP_HOST=127.0.0.1 +{{- end }} export APP_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "databunker.secretName" . 
}} -o jsonpath="{.data.databunker-password}" | base64 --decode) ## PLEASE UPDATE THE EXTERNAL DATABASE CONNECTION PARAMETERS IN THE FOLLOWING COMMAND AS NEEDED ## helm upgrade --namespace {{ .Release.Namespace }} {{ .Release.Name }} bitnami/{{ .Chart.Name }} \ - --set databunkerPassword=$APP_PASSWORD,service.type={{ .Values.service.type }},mariadb.enabled=false{{- if not (empty .Values.externalDatabase.user) }},externalDatabase.user={{ .Values.externalDatabase.user }}{{- end }}{{- if not (empty .Values.externalDatabase.password) }},externalDatabase.password={{ .Values.externalDatabase.password }}{{- end }}{{- if not (empty .Values.externalDatabase.database) }},externalDatabase.database={{ .Values.externalDatabase.database }}{{- end }},externalDatabase.host=YOUR_EXTERNAL_DATABASE_HOST{{- if .Values.global }}{{- if .Values.global.imagePullSecrets }},global.imagePullSecrets={{ .Values.global.imagePullSecrets }}{{- end }}{{- end }} - + --set databunkerPassword=$APP_PASSWORD,databunkerHost=$APP_HOST,service.type={{ .Values.service.type }},mariadb.enabled=false{{- if not (empty .Values.externalDatabase.user) }},externalDatabase.user={{ .Values.externalDatabase.user }}{{- end }}{{- if not (empty .Values.externalDatabase.password) }},externalDatabase.password={{ .Values.externalDatabase.password }}{{- end }}{{- if not (empty .Values.externalDatabase.database) }},externalDatabase.database={{ .Values.externalDatabase.database }}{{- end }},externalDatabase.host=YOUR_EXTERNAL_DATABASE_HOST{{- if .Values.global }}{{- if .Values.global.imagePullSecrets }},global.imagePullSecrets={{ .Values.global.imagePullSecrets }}{{- end }}{{- end }} {{- end }} {{- include "common.warnings.rollingTag" .Values.image }} diff --git a/charts/databunker/templates/_certificates.tpl b/charts/databunker/templates/_certificates.tpl new file mode 100644 index 0000000..a82364a --- /dev/null +++ b/charts/databunker/templates/_certificates.tpl 
@@ -0,0 +1,124 @@ +{{/* Templates for certificates injection */}} + +{{/* +Return the proper image name used for setting up Certificates +*/}} +{{- define "certificates.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.certificates.image "global" .Values.global) }} +{{- end -}} + +{{- define "certificates.initContainer" -}} +{{- if .Values.certificates.customCAs }} +- name: certificates + image: {{ include "certificates.image" . }} + imagePullPolicy: {{ .Values.certificates.image.pullPolicy }} + {{- if .Values.image.pullSecrets}} + imagePullSecrets: + {{- range (default .Values.image.pullSecrets .Values.certificates.image.pullSecrets) }} + - name: {{ . }} + {{- end }} + {{- end }} + command: + {{- if .Values.certificates.command }} + {{- include "common.tplvalues.render" (dict "value" .Values.certificates.command "context" $) | nindent 4 }} + {{- else if .Values.certificates.customCertificate.certificateSecret }} + - sh + - -c + - install_packages ca-certificates openssl + {{- else }} + - sh + - -c + - install_packages ca-certificates openssl + && openssl req -new -x509 -days 3650 -nodes -sha256 + -subj "/CN=$(hostname)" -addext "subjectAltName = DNS:$(hostname)" + -out {{ .Values.certificates.customCertificate.certificateLocation }} + -keyout {{ .Values.certificates.customCertificate.keyLocation }} -extensions v3_req + && chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ .Values.certificates.customCertificate.keyLocation }} + {{- end }} + {{- if .Values.certificates.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.certificates.args "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.certificates.extraEnvVars }} + env: {{- include "common.tplvalues.render" (dict "value" .Values.certificates.extraEnvVars "context" $) | nindent 4 }} + {{- end }} + envFrom: + {{- if .Values.certificates.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" 
(dict "value" .Values.certificates.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.certificates.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.certificates.extraEnvVarsSecret "context" $) }} + {{- end }} + volumeMounts: + - name: etc-ssl-certs + mountPath: /etc/ssl/certs + readOnly: false + - name: etc-ssl-private + mountPath: /etc/ssl/private + readOnly: false + - name: custom-ca-certificates + mountPath: /usr/local/share/ca-certificates + readOnly: true +{{- end }} +{{- end }} + +{{- define "certificates.volumes" -}} +{{- if .Values.certificates.customCAs }} +- name: etc-ssl-certs + emptyDir: + medium: "Memory" +- name: etc-ssl-private + emptyDir: + medium: "Memory" +- name: custom-ca-certificates + projected: + defaultMode: 0400 + sources: + {{- range $index, $customCA := .Values.certificates.customCAs }} + - secret: + name: {{ $customCA.secret }} + # items not specified, will mount all keys + {{- end }} +{{- end -}} +{{- if .Values.certificates.customCertificate.certificateSecret }} +- name: custom-certificate + secret: + secretName: {{ .Values.certificates.customCertificate.certificateSecret }} +{{- if .Values.certificates.customCertificate.chainSecret }} +- name: custom-certificate-chain + secret: + secretName: {{ .Values.certificates.customCertificate.chainSecret.name }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "certificates.volumeMounts" -}} +{{- if .Values.certificates.customCAs }} +- name: etc-ssl-certs + mountPath: /etc/ssl/certs/ + readOnly: false +- name: etc-ssl-private + mountPath: /etc/ssl/private/ + readOnly: false +- name: custom-ca-certificates + mountPath: /usr/local/share/ca-certificates + readOnly: true +{{- end -}} +{{- if .Values.certificates.customCertificate.certificateSecret }} +- name: custom-certificate + mountPath: {{ .Values.certificates.customCertificate.certificateLocation }} + subPath: tls.crt + readOnly: true +- name: custom-certificate + mountPath: 
{{ .Values.certificates.customCertificate.keyLocation }} + subPath: tls.key + readOnly: true +{{- if .Values.certificates.customCertificate.chainSecret }} +- name: custom-certificate-chain + mountPath: {{ .Values.certificates.customCertificate.chainLocation }} + subPath: {{ .Values.certificates.customCertificate.chainSecret.key }} + readOnly: true +{{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/databunker/templates/_helpers.tpl b/charts/databunker/templates/_helpers.tpl index 9ec2c1e..fedd336 100644 --- a/charts/databunker/templates/_helpers.tpl +++ b/charts/databunker/templates/_helpers.tpl 
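Review bot: `imagePullSecrets:` is emitted inside the init container in `certificates.initContainer`, but it is a PodSpec field, not a Container field, so depending on the cluster version the rendered Deployment is either rejected by server-side field validation or the entry is silently dropped; pull secrets for this image belong in the pod-level `imagePullSecrets` list, and the `{{- if .Values.image.pullSecrets}}` ... `{{- end }}` block here should be removed. The guard also only tests `.Values.image.pullSecrets` while the range falls back to `.Values.certificates.image.pullSecrets`, so a certificates-only pull secret is never rendered. `imagePullPolicy: {{ .Values.certificates.image.pullPolicy }}` drops the `default .Values.image.pullPolicy` fallback the old deployment.yaml had and renders an empty value when unset. The `-nodes` key is written into the memory-backed `etc-ssl-private` emptyDir and chowned to `runAsUser:fsGroup`, which is sound, but because that emptyDir is recreated with the pod a new self-signed certificate is presumably generated on every restart; stating that in the define's header comment would stop operators from pinning to it.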
@@ -6,6 +6,41 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s" .Release.Name "mariadb" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "databunker.elasticsearch.fullname" -}} +{{- printf "%s-%s-coordinating-only" .Release.Name "elasticsearch" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Get the user defined LoadBalancerIP for this release. +Note, returns 127.0.0.1 if using ClusterIP. +*/}} +{{- define "databunker.serviceIP" -}} +{{- if eq .Values.service.type "ClusterIP" -}} +127.0.0.1 +{{- else -}} +{{- .Values.service.loadBalancerIP | default "" -}} +{{- end -}} +{{- end -}} + +{{/* +Gets the host to be used for this application. +If not using ClusterIP, or if a host or LoadBalancerIP is not defined, the value will be empty. +When using Ingress, it will be set to the Ingress hostname. +*/}} +{{- define "databunker.host" -}} +{{- if .Values.ingress.enabled }} +{{- $host := .Values.ingress.hostname | default "" -}} +{{- default (include "databunker.serviceIP" .) $host -}} +{{- else -}} +{{- $host := index .Values (printf "%sHost" .Chart.Name) | default "" -}} +{{- default (include "databunker.serviceIP" .) $host -}} +{{- end -}} +{{- end -}} + {{/* Return the proper certificate image name */}} diff --git a/charts/databunker/templates/deployment.yaml b/charts/databunker/templates/deployment.yaml index 0d0f45a..ce00cee 100644 --- a/charts/databunker/templates/deployment.yaml +++ b/charts/databunker/templates/deployment.yaml 
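Review bot: `databunker.elasticsearch.fullname` has no caller in this diff and its header comment ("Create a default fully qualified app name") is the generic one copied from the fullname helper; the only other mention of Elasticsearch is the new NetworkPolicies in networkpolicy-backend-ingress.yaml, so either drop it or document what it is for. `databunker.host` resolves the value key as `index .Values (printf "%sHost" .Chart.Name)`, tying the `databunkerHost` key to the chart name; `.Values.databunkerHost` is simpler and matches how NOTES.txt sets it. The comment on `databunker.host` says the value is empty "if not using ClusterIP", but `databunker.serviceIP` returns `.Values.service.loadBalancerIP` for the other service types, so it is only empty when neither a host nor a loadBalancerIP is set — suggest `Returns the ingress hostname, else <chart>Host, else loadBalancerIP (127.0.0.1 for ClusterIP); empty when none is set.`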
@@ -1,7 +1,9 @@ +{{- if (or .Values.mariadb.enabled .Values.externalDatabase.host) -}} apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} @@ -13,7 +15,7 @@ spec: selector: matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} {{- if .Values.updateStrategy }} - strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} + strategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }} {{- end }} replicas: {{ .Values.replicaCount }} template: 
@@ -79,54 +81,7 @@ spec: - name: databunker-data mountPath: /bitnami/databunker {{- end }} - {{- if .Values.certificates.customCAs }} - - name: certificates - image: {{ template "certificates.image" . }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.certificates.image.pullPolicy }} - imagePullSecrets: - {{- range (default .Values.image.pullSecrets .Values.certificates.image.pullSecrets) }} - - name: {{ . }} - {{- end }} - command: - {{- if .Values.certificates.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.certificates.command "context" $) | nindent 12 }} - {{- else if .Values.certificates.customCertificate.certificateSecret }} - - sh - - -c - - install_packages ca-certificates openssl - {{- else }} - - sh - - -c - - install_packages ca-certificates openssl - && openssl req -new -x509 -days 3650 -nodes -sha256 - -subj "/CN=$(hostname)" -addext "subjectAltName = DNS:$(hostname)" - -out /etc/ssl/certs/ssl-cert-snakeoil.pem - -keyout /etc/ssl/private/ssl-cert-snakeoil.key -extensions v3_req - {{- end }} - {{- if .Values.certificates.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.certificates.args "context" $) | nindent 12 }} - {{- end }} - env: {{- include "common.tplvalues.render" (dict "value" .Values.certificates.extraEnvVars "context" $) | nindent 12 }} - envFrom: - {{- if .Values.certificates.extraEnvVarsCM }} - - configMapRef: - name: {{ include "common.tplvalues.render" (dict "value" .Values.certificates.extraEnvVarsCM "context" $) }} - {{- end }} - {{- if .Values.certificates.extraEnvVarsSecret }} - - secretRef: - name: {{ include "common.tplvalues.render" (dict "value" .Values.certificates.extraEnvVarsSecret "context" $) }} - {{- end }} - volumeMounts: - - name: etc-ssl-certs - mountPath: /etc/ssl/certs - readOnly: false - - name: etc-ssl-private - mountPath: /etc/ssl/private - readOnly: false - - name: custom-ca-certificates - mountPath: /usr/local/share/ca-certificates - 
readOnly: true - {{- end }} + {{- include "certificates.initContainer" . | nindent 8 }} containers: - name: {{ include "common.names.fullname" . }} image: {{ template "databunker.image" . }} @@ -193,6 +148,12 @@ spec: - name: SMTP_PROTOCOL value: {{ .Values.smtpProtocol | quote }} {{- end }} + {{- if .Values.certificates.customCAs }} + - name: SSL_CERTIFICATE + value: {{ .Values.certificates.customCertificate.certificateLocation }} + - name: SSL_CERTIFICATE_KEY + value: {{ .Values.certificates.customCertificate.keyLocation }} + {{- end }} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} @@ -209,8 +170,13 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} {{- end }} ports: + ##- name: http + ## containerPort: {{ .Values.containerPorts.http }} - name: https containerPort: {{ .Values.containerPorts.https }} + {{- if .Values.extraContainerPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraContainerPorts "context" $) | nindent 12 }} + {{- end }} {{- if .Values.livenessProbe.enabled }} livenessProbe: httpGet: 
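Review bot: The `SSL_CERTIFICATE`/`SSL_CERTIFICATE_KEY` env block is gated on `.Values.certificates.customCAs`, while `certificates.volumeMounts` mounts the user's `custom-certificate` Secret at `certificateLocation`/`keyLocation` whenever `certificates.customCertificate.certificateSecret` is set, regardless of customCAs; a user who supplies only the Secret gets the files mounted but no env pointing at them. Gate on both: `{{- if or .Values.certificates.customCAs .Values.certificates.customCertificate.certificateSecret }}`. Whether the image falls back to a default path in that case is not visible here, and the container spec continues outside the hunk.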
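Review bot: The `##- name: http` / `## containerPort: {{ .Values.containerPorts.http }}` lines are YAML comments, but Helm still evaluates the `{{ }}` action inside them, so they keep a dependency on `.Values.containerPorts.http` while contributing nothing to the manifest; delete them rather than commenting them out (the matching `##` port block in svc.yaml has the same issue). With only `https` declared in the container's ports list, any probe in this file that still names `http` has nothing to resolve against.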
@@ -237,12 +203,29 @@ spec: {{- else if .Values.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} {{- end }} + {{- if .Values.startupProbe.enabled }} + startupProbe: + httpGet: + path: {{ .Values.startupProbe.path }} + port: http + httpHeaders: + - name: Host + value: {{ include "magento.host" . | quote }} + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.startupProbe.successThreshold }} + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + {{- else if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- end }} {{- if .Values.resources }} resources: {{- toYaml .Values.resources | nindent 12 }} {{- end }} volumeMounts: - name: databunker-data mountPath: /bitnami/databunker + {{- include "certificates.volumeMounts" . | nindent 12 }} {{- if .Values.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} @@ -279,6 +262,8 @@ spec: {{- else }} emptyDir: {} {{- end }} + {{- include "certificates.volumes" . | indent 8 }} {{- if .Values.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} {{- end }} +{{- end -}} diff --git a/charts/databunker/templates/externaldb-secrets.yaml b/charts/databunker/templates/externaldb-secrets.yaml index 43e9f4e..a8b5019 100644 --- a/charts/databunker/templates/externaldb-secrets.yaml +++ b/charts/databunker/templates/externaldb-secrets.yaml 
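Review bot: The new `startupProbe` sets its Host header from `include "magento.host" .`, a template this chart does not define (_helpers.tpl defines `databunker.host`), so rendering with `startupProbe.enabled=true` fails with a missing-template error; change it to `value: {{ include "databunker.host" . | quote }}`. The probe also targets `port: http`, but the container's ports list in this file now declares only `https` (the http entry is commented out), so even after the template fix the kubelet cannot resolve the named port; use `port: https` and add `scheme: HTTPS` if the listener is TLS. The liveness and readiness probes above this hunk are outside the visible lines, so check whether they carry the same two problems.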
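Review bot: `{{- include "certificates.volumes" . | indent 8 }}` uses `indent` where every other include in this file uses `nindent`; with the left-trim `{{-`, the output is only valid because `certificates.volumes` happens to begin with a newline (its `{{- if .Values.certificates.customCAs }}` has no right trim), leaving a line of trailing spaces after `emptyDir: {}`. Use `{{- include "certificates.volumes" . | nindent 8 }}` so the volumes do not depend on that accident.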
@@ -1,10 +1,17 @@ -{{- if not .Values.mariadb.enabled }} +{{- if not (or .Values.mariadb.enabled .Values.externalDatabase.existingSecret) }} apiVersion: v1 kind: Secret metadata: - name: "{{ include "common.names.fullname" . }}-externaldb" + name: {{ printf "%s-externaldb" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace }} labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} type: Opaque data: - db-password: {{ default "" .Values.externalDatabase.password | b64enc | quote }} + mariadb-password: {{ default "" .Values.externalDatabase.password | b64enc | quote }} {{- end }} diff --git a/charts/databunker/templates/hpa.yaml b/charts/databunker/templates/hpa.yaml new file mode 100644 index 0000000..490ce9a --- /dev/null +++ b/charts/databunker/templates/hpa.yaml 
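Review bot: Renaming the data key from `db-password` to `mariadb-password` changes the key presumably consumed by the Deployment's secretKeyRef for an existing release; the deployment.yaml hunks in this diff do not show that reference being updated, so confirm it and record the rename as a breaking change in the chart's upgrade notes. `default "" .Values.externalDatabase.password | b64enc` still stores an empty password silently when none is given; a `required` check on the value when `externalDatabase.existingSecret` is not set would surface the misconfiguration at install time instead of at first connection.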
@@ -0,0 +1,35 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: replica + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} + kind: Deployment + name: {{ template "common.names.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- end }} + {{- if .Values.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/databunker/templates/ingress.yaml b/charts/databunker/templates/ingress.yaml index a81a353..c7c51a6 100644 --- a/charts/databunker/templates/ingress.yaml +++ b/charts/databunker/templates/ingress.yaml 
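Review bot: `apiVersion: autoscaling/v2beta1` is hard-coded and that API was removed in Kubernetes 1.25, so the HPA cannot be created on current clusters, and `targetAverageUtilization` is the v2beta1-only metric form. Use the common helper, `apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }}`, and emit the metrics in the v2 shape (`target: {type: Utilization, averageUtilization: ...}`) when it returns `autoscaling/v2`. The `app.kubernetes.io/component: replica` label looks copied from another chart; the Deployment in this diff uses no component label, so it is harmless but misleading. The file also ends without a trailing newline.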
@@ -3,26 +3,36 @@ apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} + {{- if or .Values.ingress.annotations .Values.commonAnnotations .Values.ingress.certManager }} annotations: {{- if .Values.ingress.certManager }} kubernetes.io/tls-acme: "true" {{- end }} {{- if .Values.ingress.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $) | nindent 4 }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $ ) | nindent 4 }} {{- end }} {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} -spec: - {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} - ingressClassName: {{ .Values.ingress.ingressClassName | quote }} {{- end }} +spec: rules: - {{- range (coalesce .Values.ingress.extraHosts .Values.ingress.hosts) }} + {{- if .Values.ingress.hostname }} + - host: {{ .Values.ingress.hostname | quote }} + http: + paths: + - path: {{ default "/" .Values.ingress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} - host: {{ .name | quote }} http: paths: 
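Review bot: The default-host rule's backend is built with `"servicePort" "http"`, but the Service in svc.yaml now declares only the `https` port (the http entry is commented out in this same diff), so the Ingress points at a port name the Service does not expose and the backend will be reported as unavailable. Either restore the http Service port or use `"servicePort" "https"` here together with whatever backend-protocol annotation the ingress controller needs for a TLS upstream. The removed `ingressClassName` lines have no replacement on the new side, so `ingress.ingressClassName` silently stops being honored; if that is intended it belongs in the chart changelog. The range over `ingress.extraHosts` continues outside the hunk.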
diff --git a/charts/databunker/templates/networkpolicy-backend-ingress.yaml b/charts/databunker/templates/networkpolicy-backend-ingress.yaml index 99ce711..b2fc5e2 100644 --- a/charts/databunker/templates/networkpolicy-backend-ingress.yaml +++ b/charts/databunker/templates/networkpolicy-backend-ingress.yaml @@ -2,7 +2,7 @@ apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} kind: NetworkPolicy metadata: - name: {{ printf "%s-backend" (include "common.names.fullname" .) }} + name: {{ printf "%s-backend-mariadb" (include "common.names.fullname" .) }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} 
@@ -25,3 +25,60 @@ spec: matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }} {{- end }} +--- +{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.ingressRules.backendOnlyAccessibleByFrontend }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-backend-elasticseach" (include "common.names.fullname" .) }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: + {{- if .Values.networkPolicy.ingressRules.customBackendSelector }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customBackendSelector "context" $) | nindent 6 }} + {{- else }} + app.kubernetes.io/name: elasticsearch + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + ingress: + - from: + - podSelector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 14 }} +{{- end }} +--- +{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.ingressRules.backendOnlyAccessibleByFrontend }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-backend-elasticseach-nodes" (include "common.names.fullname" .) }} + labels: {{- include "common.labels.standard" . 
| nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: + {{- if .Values.networkPolicy.ingressRules.customBackendSelector }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customBackendSelector "context" $) | nindent 6 }} + {{- else }} + app.kubernetes.io/name: elasticsearch + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: elasticsearch + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/databunker/templates/svc.yaml b/charts/databunker/templates/svc.yaml index 8348354..9cafcf7 100644 --- a/charts/databunker/templates/svc.yaml +++ b/charts/databunker/templates/svc.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} 
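Review bot: Both new NetworkPolicies are named `...-backend-elasticseach` / `...-backend-elasticseach-nodes` (missing an `r`), and they select `app.kubernetes.io/name: elasticsearch` pods, which nothing in this chart deploys; the block appears copied from another chart, so either drop it or document which Elasticsearch release it is meant to cover. If it stays, note that `networkPolicy.ingressRules.customBackendSelector` is now applied verbatim to the MariaDB policy and to both Elasticsearch policies, so a custom selector cannot distinguish them. The `---` separators placed before each `{{- if` produce empty documents when the condition is false; harmless, but moving them inside the `if` keeps the rendered output clean.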
@@ -12,25 +13,34 @@ metadata: spec: type: {{ .Values.service.type }} sessionAffinity: {{ default "None" .Values.service.sessionAffinity }} - {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} + {{- if (and .Values.service.clusterIP (eq .Values.service.type "ClusterIP")) }} clusterIP: {{ .Values.service.clusterIP }} {{- end }} - {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} + {{- if (and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer")) }} loadBalancerIP: {{ .Values.service.loadBalancerIP }} {{- end }} - {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} + {{- if (and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges) }} loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} - {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} + {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }} externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} {{- end }} ports: + ##- name: http + ## port: {{ .Values.service.port }} + ## targetPort: http + ## {{- if (and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.http))) }} + ## nodePort: {{ .Values.service.nodePorts.http }} + ## {{- else if eq .Values.service.type "ClusterIP" }} + ## nodePort: null + ## {{- end }} - name: https port: {{ .Values.service.httpsPort }} targetPort: https - {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.https)) }} + {{- if (and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.https))) }} nodePort: {{ .Values.service.nodePorts.https }} {{- else if eq .Values.service.type 
"ClusterIP" }} nodePort: null {{- end }} selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + publishNotReadyAddresses: true diff --git a/charts/databunker/templates/tls-secrets.yaml b/charts/databunker/templates/tls-secrets.yaml index 36742a9..68ef9aa 100644 --- a/charts/databunker/templates/tls-secrets.yaml +++ b/charts/databunker/templates/tls-secrets.yaml @@ -1,9 +1,11 @@ {{- if .Values.ingress.enabled }} +{{- if .Values.ingress.secrets }} {{- range .Values.ingress.secrets }} apiVersion: v1 kind: Secret metadata: name: {{ .name }} + namespace: {{ $.Release.Namespace }} labels: {{- include "common.labels.standard" $ | nindent 4 }} {{- if $.Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }} @@ -15,5 +17,28 @@ type: kubernetes.io/tls data: tls.crt: {{ .certificate | b64enc }} tls.key: {{ .key | b64enc }} +--- +{{- end }} +{{- end }} +{{- if and .Values.ingress.tls (not .Values.ingress.certManager) }} +{{- $ca := genCA "databunker-ca" 365 }} +{{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-tls" .Values.ingress.hostname }} + namespace: {{ .Release.Namespace }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} {{- end }} {{- end }} diff --git a/charts/databunker/values.yaml b/charts/databunker/values.yaml index 1dcd2e9..d94a074 100644 --- a/charts/databunker/values.yaml 
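Review bot: `publishNotReadyAddresses: true` (last line of the hunk) makes the Service route to pods that have not passed the readiness probe, so with the default `service.type: LoadBalancer` external clients can reach a pod before `/status` has ever succeeded and during rolling updates; unless something actually needs headless discovery of unready pods, drop it or expose it as `service.publishNotReadyAddresses` defaulting to `false`. The commented-out http port block still contains template actions, and Helm evaluates `{{ ... }}` inside `#` comments before YAML parsing, so `.Values.service.port` and `.Values.service.nodePorts.http` must remain defined or rendering breaks; delete the block rather than commenting it out, or wrap it in `{{/* ... */}}`.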
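Review bot: The self-signed branch `{{- if and .Values.ingress.tls (not .Values.ingress.certManager) }}` is entered whenever `ingress.tls` is true unless the deprecated `ingress.certManager` key is set, and it names its Secret `<hostname>-tls`, the very name the `ingress.tls` comment tells users to supply through `ingress.secrets` or cert-manager. A user providing their own certificate therefore gets two Secret manifests with the same name in one release, and a cert-manager-managed secret is overwritten on every `helm upgrade`. Gate the block on an explicit opt-in such as `ingress.selfSigned` (default false), or skip it when `ingress.secrets` already contains that name. Note also that `genCA`/`genSignedCert` produce a new CA and key on every render, so each upgrade rotates the certificate and the private key is stored in the rendered manifest and release history.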
+++ b/charts/databunker/values.yaml @@ -21,19 +21,18 @@ global: ## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) ## kubeVersion: "" -## @param nameOverride String to partially override databunker.fullname template (will maintain the release name) +## @param nameOverride String to partially override databunker.fullname template ## nameOverride: "" ## @param fullnameOverride String to fully override databunker.fullname template ## fullnameOverride: "" -## @param commonAnnotations Common annotations to add to all Databunker resources (sub-charts are not considered). Evaluated as a template +## @param commonAnnotations Annotations to add to all deployed objects ## commonAnnotations: {} -## @param commonLabels Common labels to add to all Databunker resources (sub-charts are not considered). Evaluated as a template +## @param commonLabels Labels to add to all deployed objects ## commonLabels: {} - ## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template). ## extraDeploy: [] @@ -43,8 +42,8 @@ extraDeploy: [] ## Bitnami Databunker image version ## ref: https://hub.docker.com/r/bitnami/databunker/tags/ ## @param image.registry Databunker image registry -## @param image.repository Databunker Image name -## @param image.tag Databunker Image tag +## @param image.repository Databunker image repository +## @param image.tag Databunker image tag (immutable tags are recommended) ## @param image.pullPolicy Databunker image pull policy ## @param image.pullSecrets Specify docker-registry secret names as an array ## @param image.debug Specify if debug logs should be enabled 
@@ -58,10 +57,9 @@ image: ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: + ## Example: ## pullSecrets: ## - myRegistryKeySecretName ## @@ -69,16 +67,33 @@ image: ## Set to true if you would like to see extra information on logs ## debug: false -## @param replicaCount Number of Databunker Pods to run (requires ReadWriteMany PVC support) +## @param hostAliases [array] Add deployment host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: + ## Necessary for apache-exporter to work + ## + - ip: "127.0.0.1" + hostnames: + - "status.localhost" +## @param replicaCount Number of Databunker Pods to run ## replicaCount: 1 ## @param databunkerSkipInstall Skip Databunker installation wizard. Useful for migrations and restoring from SQL dump ## ref: https://github.com/bitnami/bitnami-docker-databunker#configuration ## databunkerSkipInstall: false +## @param databunkerHost Databunker host to create application URLs +## ref: https://github.com/bitnami/bitnami-docker-databunker#configuration +## +databunkerHost: "localhost" ## @param databunkerMasterkey Databunker main encyption key (24 char hext string) ## ref: https://github.com/bitnami/bitnami-docker-databunker#configuration ## +databunkerHost: "" +## @param databunkerUsername User of the application +## ref: https://github.com/bitnami/bitnami-docker-databunker#configuration +## databunkerMasterkey: "" ## @param databunkerPassword Application password ## Defaults to a random uuid string if not set. You can set it to "DEMO" to enable demo access. 
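Review bot: `databunkerHost` is declared twice in this hunk, first as `databunkerHost: "localhost"` under its own @param line and again as `databunkerHost: ""` under the masterkey comment, so the effective default depends on the YAML parser's duplicate-key handling, and the NOTES.txt check on an empty host (seen earlier in the diff) may never fire with `localhost`. The `## @param databunkerUsername User of the application` line documents a key that does not exist, while `databunkerMasterkey: ""` has lost its own header. Remove the second `databunkerHost: ""`, put `## @param databunkerMasterkey Databunker main encryption key (24 char hex string)` directly above `databunkerMasterkey: ""`, and either add a real `databunkerUsername` key or drop its comment.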
@@ -103,21 +118,12 @@ args: ["-c", "/bin/busybox sleep 22; /databunker/bin/databunker -init -db databu ## updateStrategy: type: RollingUpdate -## @param hostAliases [array] Add deployment host aliases -## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ -## -hostAliases: - ## Necessary for apache-exporter to work - ## - - ip: "127.0.0.1" - hostnames: - - "status.localhost" ## @param extraEnvVars Extra environment variables ## For example: +## - name: BEARER_AUTH +## value: true ## extraEnvVars: [] -# - name: BEARER_AUTH -# value: true ## @param extraEnvVarsCM ConfigMap containing extra env vars ## extraEnvVarsCM: "" @@ -127,9 +133,16 @@ extraEnvVarsSecret: "" ## @param extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` ## extraVolumes: [] -## @param extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. +## @param extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes` ## extraVolumeMounts: [] +## @param extraContainerPorts Array of additional container ports for the Databunker container +## e.g: +## extraContainerPorts: +## - name: myservice +## containerPort: 9090 +## +extraContainerPorts: [] ## @param initContainers Add additional init containers to the pod (evaluated as a template) ## initContainers: [] 
@@ -143,19 +156,6 @@ tolerations: [] ## @param existingSecret Name of a secret with the application password ## existingSecret: "" -## SMTP mail delivery configuration -## ref: https://github.com/bitnami/bitnami-docker-databunker/#smtp-configuration -## @param smtpHost SMTP host -## @param smtpPort SMTP port -## @param smtpUser SMTP user -## @param smtpPassword SMTP password -## @param smtpProtocol SMTP Protocol (options: ssl,tls, nil) -## -smtpHost: "" -smtpPort: "" -smtpUser: "" -smtpPassword: "" -smtpProtocol: "" ## @param containerPorts [object] Container ports ## containerPorts: 
@@ -165,40 +165,6 @@ containerPorts: ## ref: https://kubernetes.io/docs/user-guide/services/ ## sessionAffinity: "None" -## Enable persistence using Persistent Volume Claims -## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ -## -persistence: - ## @param persistence.enabled Enable persistence using PVC - ## - enabled: false - ## @param persistence.storageClass PVC Storage Class for Databunker volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "" - ## @param persistence.accessMode PVC Access Mode for Databunker volume - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - ## - accessMode: ReadWriteOnce - ## @param persistence.size PVC Storage Request for Databunker volume - ## - size: 8Gi - ## @param persistence.existingClaim A manually managed Persistent Volume Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - ## - existingClaim: "" - ## @param persistence.hostPath If defined, the databunker-data volume will mount to the specified hostPath. - ## Requires persistence.enabled: true - ## Requires persistence.existingClaim: nil|false - ## Default: nil. - ## - hostPath: "" ## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## 
@@ -209,16 +175,17 @@ podAffinityPreset: "" podAntiAffinityPreset: soft ## Node affinity preset ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. -## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. ## nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## type: "" + ## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. ## E.g. ## key: "kubernetes.io/e2e-az-name" ## key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. ## E.g. ## values: ## - e2e-az1 
@@ -227,20 +194,33 @@ nodeAffinityPreset: values: [] ## @param affinity Affinity for pod assignment ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set ## affinity: {} -## @param nodeSelector Node labels for pod assignment. Evaluated as a template. +## @param nodeSelector Node labels for pod assignment ## ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} -## @param resources [object] CPU/Memory resource requests/limits +## Configure resource requests and limits ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resources.limits The resources limits for the Databunker container +## @param resources.requests The requested resourcesc for the Databunker container ## resources: - requests: - memory: 512Mi - cpu: 300m + ## Example: + ## limits: + ## cpu: 250m + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 250m + ## memory: 256Mi + requests: {} ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param podSecurityContext.enabled Enable Databunker pods' Security Context 
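Review bot: Typo in the new @param line: `The requested resourcesc for the Databunker container` should read `The requested resources for the Databunker container`. Replacing the previous default `requests` (512Mi/300m) with empty `limits`/`requests` follows the policy stated in the comment, but it means the Databunker pod now runs with no CPU or memory limits at all; a sentence recommending that production deployments set them (pointing at the commented example) would help.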
@@ -258,10 +238,6 @@ containerSecurityContext: enabled: true runAsUser: 1001 ## Configure extra options for liveness probe -## Databunker core exposes /user/login to unauthenticated requests, making it a good -## default liveness and readiness path. However, that may not always be the -## case. For example, if the image value is overridden to an image containing a -## module that alters that route, or an image that does not auto-install Databunker. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @param livenessProbe.enabled Enable livenessProbe ## @param livenessProbe.path Request path for livenessProbe @@ -280,10 +256,6 @@ livenessProbe: failureThreshold: 5 successThreshold: 1 ## Configure extra options for readiness probe -## Databunker core exposes /user/login to unauthenticated requests, making it a good -## default liveness and readiness path. However, that may not always be the -## case. For example, if the image value is overridden to an image containing a -## module that alters that route, or an image that does not auto-install Databunker. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @param readinessProbe.enabled Enable readinessProbe ## @param readinessProbe.path Request path for readinessProbe 
@@ -296,10 +268,28 @@ livenessProbe: readinessProbe: enabled: true path: /status - initialDelaySeconds: 30 + initialDelaySeconds: 40 periodSeconds: 5 - timeoutSeconds: 1 - failureThreshold: 5 + timeoutSeconds: 3 + failureThreshold: 6 + successThreshold: 1 +## Configure extra options for startupProbe probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## @param startupProbe.enabled Enable startupProbe +## @param startupProbe.path Request path for startupProbe +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + path: /status + initialDelaySeconds: 40 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 60 successThreshold: 1 ## @param customLivenessProbe Override default liveness probe ## @@ -307,6 +297,9 @@ customLivenessProbe: {} ## @param customReadinessProbe Override default readiness probe ## customReadinessProbe: {} +## @param customStartupProbe Override default startup probe +## +customStartupProbe: {} ## @param lifecycleHooks LifecycleHook to set additional configuration at startup Evaluated as a template ## lifecycleHooks: {} 
@@ -319,124 +312,103 @@ podAnnotations: {} ## podLabels: {} -## @section Traffic Exposure Parameters +## @section NetworkPolicy parameters -## Kubernetes configuration. For minikube, set this to NodePort, elsewhere use LoadBalancer +## Add networkpolicies ## -service: - ## @param service.type Kubernetes Service type - ## - type: LoadBalancer - ## @param service.port Service HTTP port - ## - #port: 3000 - ## @param service.httpsPort Service HTTPS port - ## - httpsPort: 3000 - ## @param service.loadBalancerSourceRanges Restricts access for LoadBalancer (only with `service.type: LoadBalancer`) - ## e.g: - ## loadBalancerSourceRanges: - ## - 0.0.0.0/0 - ## - loadBalancerSourceRanges: [] - ## @param service.loadBalancerIP loadBalancerIP for the Databunker Service (optional, cloud specific) - ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer - loadBalancerIP: "" - ## @param service.nodePorts [object] Kubernetes node port - ## nodePorts: - ## http: - ## https: - ## - nodePorts: - http: "" - https: "" - ## @param service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster -## Configure the ingress resource that allows you to access the -## Databunker installation. 
Set up the URL -## ref: https://kubernetes.io/docs/user-guide/ingress/ -## -ingress: - ## @param ingress.enabled Enable ingress controller resource +networkPolicy: + ## @param networkPolicy.enabled Enable network policies + ## If ingress.enabled or metrics.enabled are true, configure networkPolicy.ingress and networkPolicy.metrics selectors respectively to allow communication ## enabled: false - ## DEPRECATED: Use ingress.annotations instead of ingress.certManager - ## certManager: false + ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) + ## @param networkPolicy.metrics.namespaceSelector databunker Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. + ## @param networkPolicy.metrics.podSelector databunker Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. ## + metrics: + enabled: false + ## e.g: + ## podSelector: + ## label: monitoring + ## + podSelector: {} + ## e.g: + ## namespaceSelector: + ## label: monitoring + ## + namespaceSelector: {} + ## @param networkPolicy.ingress.enabled Enable network policy for Ingress Proxies + ## @param networkPolicy.ingress.namespaceSelector databunker Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. + ## @param networkPolicy.ingress.podSelector databunker Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. + ## + ingress: + enabled: false + ## e.g: + ## podSelector: + ## label: ingress + ## + podSelector: {} + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## @param networkPolicy.ingressRules.backendOnlyAccessibleByFrontend Enable ingress rule that makes the backend (mariadb, elasticsearch) only accessible by databunker's pods. + ## @param networkPolicy.ingressRules.customBackendSelector databunker Backend selector labels. 
These labels will be used to identify the backend pods. + ## @param networkPolicy.ingressRules.accessOnlyFrom.enabled Enable ingress rule that makes databunker only accessible from a particular origin + ## @param networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector databunker Namespace selector label that is allowed to access databunker. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.accessOnlyFrom.podSelector databunker Pods selector label that is allowed to access databunker. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.customRules databunker Custom network policy ingress rule + ## + ingressRules: + ## mariadb and elacticsearch backends only can be accessed from databunker + ## + backendOnlyAccessibleByFrontend: false + ## Additional custom backend selector + ## e.g: + ## customBackendSelector: + ## - to: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customBackendSelector: {} + ## Allow only from the indicated: + ## + accessOnlyFrom: + enabled: false + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## e.g: + ## namespaceSelector: + ## label: access + ## + namespaceSelector: {} + ## custom ingress rules + ## e.g: + ## customRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). + ## @param networkPolicy.egressRules.customRules databunker Custom network policy rule + ## + egressRules: + # Deny connections to external. This is not compatible with an external database. 
+ denyConnectionsToExternal: false + ## Additional custom egress rules + ## e.g: + ## customRules: + ## - to: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} - ## @param ingress.pathType Ingress Path type - ## - pathType: ImplementationSpecific - ## @param ingress.apiVersion Override API Version (automatically detected if not set) - ## - apiVersion: "" - ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) - ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . - ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - ## - ingressClassName: "" - ## @param ingress.hostname Default host for the ingress resource - ## - hostname: databunker.local - ## @param ingress.path The Path to Databunker. You may need to set this to '/*' in order to use this - ## with ALB ingress controllers. - ## - path: / - ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
- ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md - ## Use this parameter to set the required annotations for cert-manager, see - ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations - ## - ## e.g: - ## annotations: - ## kubernetes.io/ingress.class: nginx - ## cert-manager.io/cluster-issuer: cluster-issuer-name - ## - annotations: {} - ## @param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter - ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} - ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it - ## - tls: false - ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. - ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array - ## extraHosts: - ## - name: databunker.local - ## path: / - extraHosts: [] - ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. - ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. - ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - extraPaths: [] - ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. 
- ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - ## extraTls: - ## - hosts: - ## - databunker.local - ## secretName: databunker.local-tls - extraTls: [] - ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets - ## key and certificate should start with -----BEGIN CERTIFICATE----- or - ## -----BEGIN RSA PRIVATE KEY----- - ## - ## name should line up with a tlsSecret set further up - ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set - ## - ## It is also possible to create and manage the certificates outside of this helm chart - ## Please see README.md for more information - ## Example: - ## - name: databunker.local-tls - ## key: - ## certificate: - ## - secrets: [] ## @section Database parameters 
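Review bot: The example for `networkPolicy.ingressRules.customBackendSelector` (`- to: - namespaceSelector: ...`) is an egress-rule list, but the NetworkPolicy template renders this value straight under `spec.podSelector.matchLabels`, so a user following the example gets an invalid policy; the example should be a plain label map such as `app.kubernetes.io/name: mariadb`. Likewise `ingressRules.customRules: {}` and `egressRules.customRules: {}` default to maps while their examples are lists (`- from:` / `- to:`); pick one shape and make the defaults `[]`. The `backendOnlyAccessibleByFrontend` comment calls elasticsearch a backend, yet nothing else in this values file defines an elasticsearch component, so confirm whether that wording and the matching policies are left over from another chart.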
@@ -448,25 +420,36 @@ mariadb: ## To use an external database set this to false and configure the externalDatabase parameters ## enabled: true - ## @param mariadb.architecture MariaDB architecture (`standalone` or `replication`) + ## Override MariaDB default image as 10.5 is not supported https://devdocs.databunker.com/guides/v2.4/install-gde/system-requirements.html#database + ## ref: https://github.com/bitnami/bitnami-docker-mariadb + ## @param mariadb.image.registry MariaDB image registry + ## @param mariadb.image.repository MariaDB image repository + ## @param mariadb.image.tag MariaDB image tag (immutable tags are recommended) + ## + image: + registry: docker.io + repository: bitnami/mariadb + tag: 10.3.32-debian-10-r32 + ## @param mariadb.architecture MariaDB architecture. Allowed values: `standalone` or `replication` ## architecture: standalone ## MariaDB Authentication parameters - ## @param mariadb.auth.rootPassword Password for the MariaDB `root` user - ## @param mariadb.auth.database Database name to create - ## @param mariadb.auth.username Database user to create - ## @param mariadb.auth.password Password for the database ## auth: + ## @param mariadb.auth.rootPassword Password for the MariaDB `root` user ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-the-root-password-on-first-run ## rootPassword: "" + ## @param mariadb.auth.database Database name to create ## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-on-first-run ## database: databunkerdb + ## @param mariadb.auth.username Database user to create ## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-user-on-first-run ## username: bunkeruser + ## @param mariadb.auth.password Password for the database + ## password: "" primary: ## Enable persistence using Persistent Volume Claims 
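Review bot: The justification for pinning `mariadb.image.tag` to `10.3.32-debian-10-r32` links to `devdocs.databunker.com/guides/v2.4/install-gde/system-requirements.html`, which looks like another product's documentation path with the hostname swapped; if no Databunker requirement actually rules out MariaDB 10.5, drop the image override so the subchart's default image and its patch updates apply, otherwise cite the real requirement. Pinning an older 10.3 build also means database security fixes only arrive when this chart is bumped, which is worth stating in the comment if the pin stays.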
@@ -491,22 +474,32 @@ mariadb: accessModes: - ReadWriteOnce size: 8Gi + ## Set path in case you want to use local host path volumes (not recommended in production) + ## hostPath: "" + ## Use an existing PVC + ## existingClaim: "" ## External database configuration -## @param externalDatabase.host Host of the existing database -## @param externalDatabase.port Port of the existing database -## @param externalDatabase.user Existing username in the external db -## @param externalDatabase.password Password for the above username -## @param externalDatabase.database Name of the existing database ## externalDatabase: + ## @param externalDatabase.host Host of the existing database + ## host: "" + ## @param externalDatabase.port Port of the existing database + ## port: 3306 + ## @param externalDatabase.user Existing username in the external db + ## user: bunkeruser + ## @param externalDatabase.password Password for the above username + ## password: "" + ## @param externalDatabase.database Name of the existing database + ## database: databunkerdb + ## @section Volume Permissions parameters ## Init containers parameters: @@ -517,8 +510,8 @@ volumePermissions: ## enabled: false ## @param volumePermissions.image.registry Init container volume-permissions image registry - ## @param volumePermissions.image.repository Init container volume-permissions image name - ## @param volumePermissions.image.tag Init container volume-permissions image tag + ## @param volumePermissions.image.repository Init container volume-permissions image repository + ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array ## 
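Review bot: `externalDatabase.password` is a plain-text value with no secret-reference counterpart, so users of an external database must put the credential in values files or CI variables; consider adding `externalDatabase.existingSecret` (name of a Secret holding the password) alongside it, mirroring the existing top-level `existingSecret` for the application password. Whether the deployment template can consume such a secret is outside this hunk.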
@@ -527,10 +520,9 @@ volumePermissions: repository: bitnami/bitnami-shell tag: 10-debian-10-r280 pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: + ## Example: ## pullSecrets: ## - myRegistryKeySecretName ## @@ -541,8 +533,8 @@ volumePermissions: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param volumePermissions.resources.limits The resources limits for the container - ## @param volumePermissions.resources.requests The requested resources for the container + ## @param volumePermissions.resources.limits The resources limits for the init container + ## @param volumePermissions.resources.requests The requested resourcesc for the init container ## resources: ## Example: 
@@ -556,17 +548,135 @@ volumePermissions: ## memory: 128Mi requests: {} +## @section Traffic Exposure Parameters + +## Kubernetes configuration +## For minikube, set this to NodePort, elsewhere use LoadBalancer +## +service: + ## @param service.type Kubernetes Service type + ## + type: LoadBalancer + ## @param service.port Service HTTP port + ## + port: 8080 + ## @param service.httpsPort Service HTTPS port + ## + httpsPort: 8443 + ## @param service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.loadBalancerSourceRanges Control hosts connecting to "LoadBalancer" only + ## loadBalancerSourceRanges: + ## - 0.0.0.0/0 + ## + loadBalancerSourceRanges: [] + ## @param service.loadBalancerIP loadBalancerIP for the Databunker Service (optional, cloud specific) + ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param service.nodePorts.http Kubernetes http node port + ## @param service.nodePorts.https Kubernetes https node port + ## e.g: + ## nodePorts: + ## http: + ## https: + ## + nodePorts: + http: "" + https: "" + ## @param service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster +## Configure the ingress resource that allows you to access the +## Databunker installation. 
Set up the URL +## ref: https://kubernetes.io/docs/user-guide/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress controller resource + ## + enabled: false + ## DEPRECATED: Use ingress.annotations instead of ingress.certManager + ## certManager: false + ## + + ## @param ingress.pathType Default path type for the ingress resource + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Override API Version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.hostname Default host for the ingress resource + ## + hostname: databunker.local + ## @param ingress.path Default path for the ingress resource + ## + path: / + ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.tls Enable TLS for `ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} + ## You can use the ingress.secrets parameter to create this TLS secret, relay on cert-manager to create it, or + ## let the chart create self-signed certificates for you + ## + tls: false + ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. 
+ ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array + ## Example: + ## extraHosts: + ## - name: databunker.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## Example: + ## extraTls: + ## - hosts: + ## - databunker.local + ## secretName: databunker.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY----- + ## name should line up with a secretName set further up + ## + ## If it is not set and you're using cert-manager, this is unneeded, as it will create the secret for you + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## + ## - name: databunker.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @section Metrics parameters ## Prometheus Exporter / Metrics ## metrics: - ## @param metrics.enabled Start a exporter side-car + ## @param metrics.enabled Start a side-car prometheus exporter ## enabled: false ## @param metrics.image.registry Apache exporter image registry ## @param metrics.image.repository Apache exporter image repository - ## @param metrics.image.tag Apache exporter image tag + ## @param metrics.image.tag Apache exporter image tag (immutable tags are recommended) ## @param metrics.image.pullPolicy Image pull policy ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array ## 
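Review bot: `service.type: LoadBalancer` combined with `loadBalancerSourceRanges: []` exposes Databunker to any source address on a default install, and the only example given for the parameter is `0.0.0.0/0`, which yields the same unrestricted result as leaving the list empty. Suggest an example that shows the restrictive intent, such as `## - 10.0.0.0/8`, plus a comment like `## An empty list admits traffic from any source; restrict this in production`. Two smaller defects in the new `ingress` comments: "relay on cert-manager" should read "rely on cert-manager", and the `{{- printf "%s-tls" .Values.ingress.hostname }}` fragment in the `ingress.tls` comment is an unrendered template expression sitting in a values file, so spell the secret name out as `<hostname>-tls` instead. The `## DEPRECATED ... certManager: false` lines are followed by a stray blank comment line that breaks the otherwise consistent `## @param` / `##` / value rhythm of the block.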
@@ -574,29 +684,56 @@ metrics: registry: docker.io repository: bitnami/apache-exporter tag: 0.10.1-debian-10-r82 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: + ## Example: ## pullSecrets: ## - myRegistryKeySecretName ## pullSecrets: [] - ## @param metrics.resources Metrics exporter resource requests and limits + ## Metrics exporter resource requests and limits ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ ## @param metrics.resources.limits The resources limits for the metrics container + ## @param metrics.resources.requests The requested resources for the metrics container ## - resources: {} + resources: + ## Example: + ## limits: + ## cpu: 250m + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 250m + ## memory: 256Mi + requests: {} + ## Prometheus exporter service parameters ## - ## @param metrics.podAnnotations [object] Additional annotations for Metrics exporter pod - ## - podAnnotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9117" + service: + ## @param metrics.service.type Prometheus metrics service type + ## + type: ClusterIP + ## @param metrics.service.port Service Metrics port + ## + port: 9117 + ## @param metrics.service.annotations [object] Annotations for the Prometheus exporter service + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.port }}" ## @section Certificate injection parameters -## Add custom certificates and certificate authorities to databunker container +## Add custom certificates and certificate authorities to Databunker container ## certificates: ## @param certificates.customCertificate.certificateSecret Secret containing the certificate and key to add 
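Review bot: `prometheus.io/port: "{{ .Values.metrics.service.port }}"` in the new `metrics.service.annotations` is a Go template expression stored in values.yaml; it only becomes `9117` if the service template renders the annotations through `tpl`, which this diff does not show. If the template emits them with `toYaml`, Prometheus receives the literal string and the scrape silently fails, so either confirm `tpl` is used or set the annotation to the literal `"9117"` to match `port: 9117`. Two minor comment fixes: `## Specify a imagePullPolicy` should be `## Specify an imagePullPolicy`, and `## Examples:` under `requests` should match the `## Example:` used for `limits`.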
@@ -609,15 +746,19 @@ certificates:
 customCertificate:
 certificateSecret: ""
 chainSecret:
- name: secret-name
- key: secret-key
+ name: ""
+ key: ""
 certificateLocation: /etc/ssl/certs/ssl-cert-snakeoil.pem
 keyLocation: /etc/ssl/private/ssl-cert-snakeoil.key
 chainLocation: /etc/ssl/certs/mychain.pem
 ## @param certificates.customCAs Defines a list of secrets to import into the container trust store
 ##
- customCAs: []
+ customCAs:
+ - secret: "databunker"
 ## @param certificates.command Override default container command (useful when using custom images)
+ ## e.g:
+ ## - secret: custom-CA
+ ## - secret: more-custom-CAs
 ##
 command: []
 ## @param certificates.args Override default container args (useful when using custom images)
@@ -634,7 +775,7 @@ certificates:
 extraEnvVarsSecret: ""
 ## @param certificates.image.registry Container sidecar registry
 ## @param certificates.image.repository Container sidecar image
- ## @param certificates.image.tag Container sidecar image tag
+ ## @param certificates.image.tag Container sidecar image tag (immutable tags are recommended)
 ## @param certificates.image.pullPolicy Container sidecar image pull policy
 ## @param certificates.image.pullSecrets Container sidecar image pull secrets
 ##
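Review bot: `customCAs` in the hunk at 609 now defaults to `- secret: "databunker"` instead of `[]`, so every install will try to import a Secret named `databunker` into the container trust store; unless the chart creates that Secret itself (not visible in this diff), the certificates sidecar will fail on a default install. Keep the default at `customCAs: []` and move the three `## e.g:` lines that now sit under `@param certificates.command` back above `customCAs:`, where they document the right parameter — as placed, the README generator attaches the example to `command`. The hunk at 634 is a comment-only change and needs nothing.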
@@ -647,97 +788,26 @@ certificates: ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## pullPolicy: IfNotPresent - ## e.g: + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: ## pullSecrets: ## - myRegistryKeySecretName ## pullSecrets: [] -## @section NetworkPolicy parameters +## @section Other Parameters -## Add networkpolicies +## Autoscaling configuration +## @param autoscaling.enabled Enable autoscaling for replicas +## @param autoscaling.minReplicas Minimum number of replicas +## @param autoscaling.maxReplicas Maximum number of replicas +## @param autoscaling.targetCPU Target CPU utilization percentage +## @param autoscaling.targetMemory Target Memory utilization percentage ## -networkPolicy: - ## @param networkPolicy.enabled Enable network policies - ## If ingress.enabled or metrics.enabled are true, configure networkPolicy.ingress and networkPolicy.metrics selectors respectively to allow communication - ## +autoscaling: enabled: false - ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) - ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. - ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. - ## - metrics: - enabled: false - ## e.g: - ## podSelector: - ## label: monitoring - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: monitoring - ## - namespaceSelector: {} - ## @param networkPolicy.ingress.enabled Enable network policy for Ingress Proxies - ## @param networkPolicy.ingress.namespaceSelector [object] Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. 
- ## @param networkPolicy.ingress.podSelector [object] Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. - ## - ingress: - enabled: false - ## e.g: - ## podSelector: - ## label: ingress - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## @param networkPolicy.ingressRules.backendOnlyAccessibleByFrontend Enable ingress rule that makes the backend (mariadb) only accessible by databunker's pods. - ## @param networkPolicy.ingressRules.customBackendSelector [object] Backend selector labels. These labels will be used to identify the backend pods. - ## @param networkPolicy.ingressRules.accessOnlyFrom.enabled Enable ingress rule that makes databunker only accessible from a particular origin - ## @param networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access databunker. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.accessOnlyFrom.podSelector [object] Pods selector label that is allowed to access databunker. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.customRules [object] Custom network policy ingress rule - ## - ingressRules: - ## mariadb backend only can be accessed from databunker - ## - backendOnlyAccessibleByFrontend: false - customBackendSelector: {} - ## Allow only from the indicated: - accessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## customRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - customRules: {} - ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). 
- ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule - ## - egressRules: - # Deny connections to external. This is not compatible with an external database. - denyConnectionsToExternal: false - ## Additional custom egress rules - ## e.g: - ## customRules: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - customRules: {} + minReplicas: 1 + maxReplicas: 11 + targetCPU: "" + targetMemory: ""
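Review bot: Deleting the whole `networkPolicy` block removes the parameters that provided in-cluster isolation (`backendOnlyAccessibleByFrontend`, `accessOnlyFrom`, `denyConnectionsToExternal`) with no replacement, and any template that still reads `.Values.networkPolicy` will now fail to render because the key no longer exists; please confirm the corresponding templates were removed in the same change. This is a breaking change for users who had `networkPolicy.enabled: true`, so the chart README or upgrade notes should state that the MariaDB backend is no longer restricted to Databunker pods and that an equivalent NetworkPolicy must now be managed outside the chart. On the new `autoscaling` block, `targetCPU: ""` and `targetMemory: ""` are empty strings rather than numbers, which should be documented as meaning "unset", e.g. `## @param autoscaling.targetCPU Target CPU utilization percentage (empty string disables the CPU metric)`; `maxReplicas: 11` also looks arbitrary and deserves a one-line rationale.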