From 032286af25d3b51d64b3a1562001ac5c34d8e3c4 Mon Sep 17 00:00:00 2001 From: Tom Hayward Date: Fri, 1 Sep 2023 12:25:47 -0700 Subject: [PATCH 1/5] upgrade etcd chart to 8.12.0 9.x has manual steps required for deployment, which I want to defer for now. --- helm-charts/etcd/Chart.lock | 8 +- helm-charts/etcd/Chart.yaml | 25 +- helm-charts/etcd/README.md | 634 ++++++---- helm-charts/etcd/charts/common/Chart.yaml | 12 +- helm-charts/etcd/charts/common/README.md | 148 +-- .../charts/common/templates/_affinities.tpl | 34 +- .../charts/common/templates/_capabilities.tpl | 153 ++- .../etcd/charts/common/templates/_errors.tpl | 5 +- .../etcd/charts/common/templates/_images.tpl | 47 +- .../etcd/charts/common/templates/_ingress.tpl | 68 ++ .../etcd/charts/common/templates/_names.tpl | 34 + .../etcd/charts/common/templates/_secrets.tpl | 114 +- .../etcd/charts/common/templates/_utils.tpl | 19 +- .../templates/validations/_cassandra.tpl | 8 +- .../common/templates/validations/_mariadb.tpl | 10 +- .../common/templates/validations/_mongodb.tpl | 20 +- .../common/templates/validations/_mysql.tpl | 103 ++ .../templates/validations/_postgresql.tpl | 16 +- .../common/templates/validations/_redis.tpl | 54 +- .../templates/validations/_validations.tpl | 6 +- helm-charts/etcd/charts/common/values.yaml | 2 + helm-charts/etcd/templates/NOTES.txt | 92 +- helm-charts/etcd/templates/_helpers.tpl | 281 ++--- helm-charts/etcd/templates/configmap.yaml | 17 + helm-charts/etcd/templates/cronjob.yaml | 139 ++- helm-charts/etcd/templates/extra-list.yaml | 4 + helm-charts/etcd/templates/networkpolicy.yaml | 81 ++ helm-charts/etcd/templates/pdb.yaml | 17 +- helm-charts/etcd/templates/podmonitor.yaml | 42 + .../etcd/templates/prometheusrule.yaml | 26 + .../etcd/templates/scripts-configmap.yaml | 291 ----- helm-charts/etcd/templates/secrets.yaml | 13 +- .../etcd/templates/serviceaccount.yaml | 24 + .../etcd/templates/servicemonitor.yaml | 40 - helm-charts/etcd/templates/snapshot-pvc.yaml | 11 +- helm-charts/etcd/templates/statefulset.yaml | 336 ++++-- helm-charts/etcd/templates/svc-headless.yaml | 36 +- helm-charts/etcd/templates/svc.yaml | 64 +- helm-charts/etcd/templates/token-secrets.yaml | 14 + helm-charts/etcd/values-production.yaml | 472 -------- helm-charts/etcd/values.yaml | 1054 ++++++++++++----- 41 files changed, 2584 insertions(+), 1990 deletions(-) create mode 100644 helm-charts/etcd/charts/common/templates/_ingress.tpl create mode 100644 helm-charts/etcd/charts/common/templates/validations/_mysql.tpl create mode 100644 helm-charts/etcd/templates/configmap.yaml create mode 100644 helm-charts/etcd/templates/extra-list.yaml create mode 100644 helm-charts/etcd/templates/networkpolicy.yaml create mode 100644 helm-charts/etcd/templates/podmonitor.yaml create mode 100644 helm-charts/etcd/templates/prometheusrule.yaml delete mode 100644 helm-charts/etcd/templates/scripts-configmap.yaml create mode 100644 helm-charts/etcd/templates/serviceaccount.yaml delete mode 100644 helm-charts/etcd/templates/servicemonitor.yaml create mode 100644 helm-charts/etcd/templates/token-secrets.yaml delete mode 100644 helm-charts/etcd/values-production.yaml diff --git a/helm-charts/etcd/Chart.lock b/helm-charts/etcd/Chart.lock index e1f71f20..e70efc4c 100644 --- a/helm-charts/etcd/Chart.lock +++ b/helm-charts/etcd/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common - repository: https://charts.bitnami.com/bitnami - version: 1.1.2 -digest: sha256:e96477f37f86a4595dce9057f8d04f903f761f340440986129e53cc55f3d63ee -generated: "2020-12-11T12:20:37.294805+01:00" + repository: oci://registry-1.docker.io/bitnamicharts + version: 2.4.0 +digest: sha256:8c1a5dc923412d11d4d841420494b499cb707305c8b9f87f45ea1a8bf3172cb3 +generated: "2023-05-21T14:12:59.250402885Z" diff --git a/helm-charts/etcd/Chart.yaml b/helm-charts/etcd/Chart.yaml index 86af4c50..fc632733 100644 --- a/helm-charts/etcd/Chart.yaml +++ b/helm-charts/etcd/Chart.yaml @@ -1,17 +1,19 @@ annotations: category: Database + licenses: Apache-2.0 apiVersion: v2 -appVersion: 3.4.14 +appVersion: 3.5.9 dependencies: - name: common - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts tags: - bitnami-common - version: 1.x.x -description: etcd is a distributed key value store that provides a reliable way to - store data across a cluster of machines -home: https://github.com/bitnami/charts/tree/master/bitnami/etcd -icon: https://bitnami.com/assets/stacks/etcd/img/etcd-stack-110x117.png + version: 2.x.x +description: etcd is a distributed key-value store designed to securely store data + across a cluster. etcd is widely used in production on account of its reliability, + fault-tolerance and ease of use. +home: https://bitnami.com +icon: https://bitnami.com/assets/stacks/etcd/img/etcd-stack-220x234.png keywords: - etcd - cluster @@ -19,10 +21,9 @@ keywords: - cache - key-value maintainers: -- email: containers@bitnami.com - name: Bitnami +- name: VMware, Inc. + url: https://github.com/bitnami/charts name: etcd sources: -- https://github.com/bitnami/bitnami-docker-etcd -- https://coreos.com/etcd/ -version: 5.3.2 +- https://github.com/bitnami/charts/tree/main/bitnami/etcd +version: 8.12.0 diff --git a/helm-charts/etcd/README.md b/helm-charts/etcd/README.md index 486bae13..93d4a12c 100644 --- a/helm-charts/etcd/README.md +++ b/helm-charts/etcd/README.md @@ -1,24 +1,29 @@ -# etcd + -[etcd](https://www.etcd.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance. +# Etcd packaged by Bitnami + +etcd is a distributed key-value store designed to securely store data across a cluster. etcd is widely used in production on account of its reliability, fault-tolerance and ease of use. + +[Overview of Etcd](https://etcd.io/) + +Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. ## TL;DR ```console -$ helm repo add bitnami https://charts.bitnami.com/bitnami -$ helm install my-release bitnami/etcd +helm install my-release oci://registry-1.docker.io/bitnamicharts/etcd ``` ## Introduction -This chart bootstraps a [etcd](https://github.com/bitnami/bitnami-docker-etcd) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. +This chart bootstraps a [etcd](https://github.com/bitnami/containers/tree/main/bitnami/etcd) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. -Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. ## Prerequisites -- Kubernetes 1.12+ -- Helm 3.0-beta3+ +- Kubernetes 1.19+ +- Helm 3.2.0+ - PV provisioner support in the underlying infrastructure ## Installing the Chart @@ -26,8 +31,7 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment To install the chart with the release name `my-release`: ```console -$ helm repo add bitnami https://charts.bitnami.com/bitnami -$ helm install my-release bitnami/etcd +helm install my-release oci://registry-1.docker.io/bitnamicharts/etcd ``` These commands deploy etcd on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. @@ -39,145 +43,284 @@ These commands deploy etcd on the Kubernetes cluster in the default configuratio To uninstall/delete the `my-release` deployment: ```console -$ helm delete my-release +helm delete my-release ``` The command removes all the Kubernetes components associated with the chart and deletes the release. ## Parameters -The following tables lists the configurable parameters of the etcd chart and their default values. - -| Parameter | Description | Default | -|-------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------| -| `global.imageRegistry` | Global Docker image registry | `nil` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | -| `image.registry` | etcd image registry | `docker.io` | -| `image.repository` | etcd image name | `bitnami/etcd` | -| `image.tag` | etcd image tag | `{TAG_NAME}` | -| `image.pullPolicy` | etcd image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `image.debug` | Specify if debug values should be set | `false` | -| `nameOverride` | String to partially override etcd.fullname template with a string (will prepend the release name) | `nil` | -| `fullnameOverride` | String to fully override etcd.fullname template with a string | `nil` | -| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | -| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | -| `volumePermissions.resources` | Init container resource requests/limit | `nil` | -| `statefulset.updateStrategy` | Update strategy for the stateful set | `RollingUpdate` | -| `statefulset.rollingUpdatePartition` | Partition for Rolling Update strategy | `nil` | -| `statefulset.podManagementPolicy` | Pod management policy for the stateful set | `OrderedReady` | -| `statefulset.replicaCount` | Number of etcd nodes | `1` | -| `configFileConfigMap` | ConfigMap that contains a etcd.conf.yaml to be mounted | `nil` | -| `envVarsConfigMap` | ConfigMap that contains environment variables to be set in the container | `nil` | -| `allowNoneAuthentication` | Allow to use etcd without configuring RBAC authentication | `true` | -| `maxProcs` | Set GOMAXPROCS environment variable to limit the number of CPUs | `nil` | -| `etcd.initialClusterState` | Initial cluster state. Allowed values: 'new' or 'existing' | `nil` | -| `auth.rbac.enabled` | Switch to enable the etcd authentication. | `true` | -| `auth.rbac.rootPassword` | Password for the root user | `nil` | -| `auth.rbac.existingSecret` | Name of the existing secret containing the root password | `nil` | -| `auth.client.secureTransport` | Switch to encrypt client communication using TLS certificates | `false` | -| `auth.client.useAutoTLS` | Switch to automatically create the TLS certificates | `false` | -| `auth.client.enableAuthentication` | Switch to enable host authentication using TLS certificates. Requires existing secret. | `secret` | -| `auth.client.existingSecret` | Name of the existing secret containing cert files for client communication. | `nil` | -| `auth.client.certFilename` | Name of the file containing the client certificate. | `cert.pem` | -| `auth.client.certKeyFilename` | Name of the file containing the client certificate private key. | `key.pem` | -| `auth.client.caFilename` | Name of the file containing the client CA certificate. If not specified and `enableAuthentication` or `rbac.enabled` is true, the default is is `ca.crt`. | `""` | -| `auth.peer.secureTransport` | Switch to encrypt peer communication using TLS certificates | `false` | -| `auth.peer.useAutoTLS` | Switch to automatically create the TLS certificates | `false` | -| `auth.peer.enableAuthentication` | Switch to enable host authentication using TLS certificates. Requires existing secret. | `false` | -| `auth.peer.existingSecret` | Name of the existing secret containing cert files for peer communication. | `nil` | -| `auth.peer.certFilename` | Name of the file containing the peer certificate. | `cert.pem` | -| `auth.peer.certKeyFilename` | Name of the file containing the peer certificate private key. | `key.pem` | -| `auth.peer.caFilename` | Name of the file containing the peer CA certificate. If not specified and `enableAuthentication` or `rbac.enabled` is true, the default is is `ca.crt`. | `""` | -| `securityContext.enabled` | Enable security context | `true` | -| `securityContext.fsGroup` | Group ID for the container | `1001` | -| `securityContext.runAsUser` | User ID for the container | `1001` | -| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.port` | etcd client port | `2379` | -| `service.clientPortNameOverride` | etcd client port name override | `""` | -| `service.peerPort` | etcd peer port | `2380` | -| `service.peerPortNameOverride` | etcd peer port name override | `""` | -| `service.nodePorts.clientPort` | Kubernetes etcd client node port | `""` | -| `service.nodePorts.peerPort` | Kubernetes etcd peer node port | `""` | -| `service.annotations` | Annotations for etcd service | `{}` | -| `service.loadBalancerIP` | loadBalancerIP if etcd service type is `LoadBalancer` | `nil` | -| `service.loadBalancerSourceRanges` | loadBalancerSourceRanges if etcd service type is `LoadBalancer` | `nil` | -| `persistence.enabled` | Enable persistence using PVC | `true` | -| `persistence.storageClass` | PVC Storage Class for etcd volume | `nil` | -| `persistence.accessMode` | PVC Access Mode for etcd volume | `ReadWriteOnce` | -| `persistence.selector` | PVC label selector for etcd volume | `{}` | -| `persistence.size` | PVC Storage Request for etcd volume | `8Gi` | -| `persistence.annotations` | Annotations for the PVC | `{}` | -| `pdb.enabled` | Pod Disruption Budget toggle | `false` | -| `pdb.minAvailable` | Minimum available pods | `nil` | -| `pdb.maxUnavailable` | Maximum unavailable pods | `nil` | -| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` | -| `livenessProbe.enabled` | Turn on and off liveness probe | `true` | -| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | `10` | -| `livenessProbe.periodSeconds` | How often to perform the probe | `10` | -| `livenessProbe.timeoutSeconds` | When the probe times out | `5` | -| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `2` | -| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | `1` | -| `readinessProbe.enabled` | Turn on and off readiness probe | `true` | -| `readinessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | `15` | -| `readinessProbe.periodSeconds` | How often to perform the probe | `10` | -| `readinessProbe.timeoutSeconds` | When the probe times out | `5` | -| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `6` | -| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | `1` | -| `statefulsetLabels` | Extra statefulset labels | `{}` (evaluated as a template) | -| `podAnnotations` | Annotations to be added to pods | `{}` | -| `podLabels` | Extra pod labels | `{}` (evaluated as a template) | -| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | -| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | -| `affinity` | Affinity for pod assignment | `{}` (evaluated as a template) | -| `nodeSelector` | Node labels for pod assignment | `{}` (evaluated as a template) | -| `tolerations` | Tolerations for pod assignment | `[]` (evaluated as a template) | -| `priorityClassName` | Name of the existing priority class to be used by etcd pods. | `""` | -| `metrics.enabled` | Enable Prometheus exporter to expose etcd metrics | `false` | -| `metrics.podAnnotations` | Annotations for enabling prometheus to access the metrics endpoint | {`prometheus.io/scrape: "true",prometheus.io/port: "2379"`} | -| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` | -| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `nil` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `nil` (Prometheus Operator default value) | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion scraping | `[]` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping | `""` (Prometheus Operator default value) | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `nil` (Prometheus Operator default value) | -| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `nil` | -| `metrics.serviceMonitor.tlsConfig` | TLS configuration used for scrape endpoints used by Prometheus | `nil` | -| `startFromSnapshot.enabled` | Initialize new cluster recovering an existing snapshot | `false` | -| `startFromSnapshot.existingClaim` | PVC containing the existing snapshot | `nil` | -| `startFromSnapshot.snapshotFilename` | Snapshot filename | `nil` | -| `disasterRecovery.enabled` | Enable auto disaster recovery by periodically snapshotting the keyspace | `false` | -| `disasterRecovery.debug` | Enable debug logging for snapshots | `false` | -| `disasterRecovery.cronjob.schedule` | Schedule in Cron format to save snapshots | `*/30 * * * *` | -| `disasterRecovery.cronjob.historyLimit` | Number of successful finished jobs to retain | `1` | -| `disasterRecovery.cronjob.snapshotHistoryLimit` | Number of etcd snapshots to retain, tagged by date | `1` | -| `disasterRecovery.cronjob.podAnnotations` | Pod annotations for cronjob pods | `{}` | -| `disasterRecovery.pvc.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. | `nil` | -| `disasterRecovery.pvc.size` | PVC Storage Request | `2Gi` | -| `disasterRecovery.pvc.storageClassName` | Storage Class for snapshots volume | `nfs` | +### Global parameters + +| Name | Description | Value | +| ------------------------- | ----------------------------------------------- | ----- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | + +### Common parameters + +| Name | Description | Value | +| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- | +| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | +| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override common.names.fullname template | `""` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | + +### etcd parameters + +| Name | Description | Value | +| -------------------------------------- | ----------------------------------------------------------------------------------------------------------- | -------------------- | +| `image.registry` | etcd image registry | `docker.io` | +| `image.repository` | etcd image name | `bitnami/etcd` | +| `image.tag` | etcd image tag | `3.5.9-debian-11-r4` | +| `image.digest` | etcd image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | etcd image pull policy | `IfNotPresent` | +| `image.pullSecrets` | etcd image pull secrets | `[]` | +| `image.debug` | Enable image debug mode | `false` | +| `auth.rbac.create` | Switch to enable RBAC authentication | `true` | +| `auth.rbac.allowNoneAuthentication` | Allow to use etcd without configuring RBAC authentication | `true` | +| `auth.rbac.rootPassword` | Root user password. The root user is always `root` | `""` | +| `auth.rbac.existingSecret` | Name of the existing secret containing credentials for the root user | `""` | +| `auth.rbac.existingSecretPasswordKey` | Name of key containing password to be retrieved from the existing secret | `""` | +| `auth.token.enabled` | Enables token authentication | `true` | +| `auth.token.type` | Authentication token type. Allowed values: 'simple' or 'jwt' | `jwt` | +| `auth.token.privateKey.filename` | Name of the file containing the private key for signing the JWT token | `jwt-token.pem` | +| `auth.token.privateKey.existingSecret` | Name of the existing secret containing the private key for signing the JWT token | `""` | +| `auth.token.signMethod` | JWT token sign method | `RS256` | +| `auth.token.ttl` | JWT token TTL | `10m` | +| `auth.client.secureTransport` | Switch to encrypt client-to-server communications using TLS certificates | `false` | +| `auth.client.useAutoTLS` | Switch to automatically create the TLS certificates | `false` | +| `auth.client.existingSecret` | Name of the existing secret containing the TLS certificates for client-to-server communications | `""` | +| `auth.client.enableAuthentication` | Switch to enable host authentication using TLS certificates. Requires existing secret | `false` | +| `auth.client.certFilename` | Name of the file containing the client certificate | `cert.pem` | +| `auth.client.certKeyFilename` | Name of the file containing the client certificate private key | `key.pem` | +| `auth.client.caFilename` | Name of the file containing the client CA certificate | `""` | +| `auth.peer.secureTransport` | Switch to encrypt server-to-server communications using TLS certificates | `false` | +| `auth.peer.useAutoTLS` | Switch to automatically create the TLS certificates | `false` | +| `auth.peer.existingSecret` | Name of the existing secret containing the TLS certificates for server-to-server communications | `""` | +| `auth.peer.enableAuthentication` | Switch to enable host authentication using TLS certificates. Requires existing secret | `false` | +| `auth.peer.certFilename` | Name of the file containing the peer certificate | `cert.pem` | +| `auth.peer.certKeyFilename` | Name of the file containing the peer certificate private key | `key.pem` | +| `auth.peer.caFilename` | Name of the file containing the peer CA certificate | `""` | +| `autoCompactionMode` | Auto compaction mode, by default periodic. Valid values: "periodic", "revision". | `""` | +| `autoCompactionRetention` | Auto compaction retention for mvcc key value store in hour, by default 0, means disabled | `""` | +| `initialClusterState` | Initial cluster state. Allowed values: 'new' or 'existing' | `""` | +| `logLevel` | Sets the log level for the etcd process. Allowed values: 'debug', 'info', 'warn', 'error', 'panic', 'fatal' | `info` | +| `maxProcs` | Limits the number of operating system threads that can execute user-level | `""` | +| `removeMemberOnContainerTermination` | Use a PreStop hook to remove the etcd members from the etcd cluster on container termination | `true` | +| `configuration` | etcd configuration. Specify content for etcd.conf.yml | `""` | +| `existingConfigmap` | Existing ConfigMap with etcd configuration | `""` | +| `extraEnvVars` | Extra environment variables to be set on etcd container | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` | +| `command` | Default container command (useful when using custom images) | `[]` | +| `args` | Default container args (useful when using custom images) | `[]` | + +### etcd statefulset parameters + +| Name | Description | Value | +| --------------------------------------------------- | ----------------------------------------------------------------------------------------- | --------------- | +| `replicaCount` | Number of etcd replicas to deploy | `1` | +| `updateStrategy.type` | Update strategy type, can be set to RollingUpdate or OnDelete. | `RollingUpdate` | +| `podManagementPolicy` | Pod management policy for the etcd statefulset | `Parallel` | +| `hostAliases` | etcd pod host aliases | `[]` | +| `lifecycleHooks` | Override default etcd container hooks | `{}` | +| `containerPorts.client` | Client port to expose at container level | `2379` | +| `containerPorts.peer` | Peer port to expose at container level | `2380` | +| `podSecurityContext.enabled` | Enabled etcd pods' Security Context | `true` | +| `podSecurityContext.fsGroup` | Set etcd pod's Security Context fsGroup | `1001` | +| `containerSecurityContext.enabled` | Enabled etcd containers' Security Context | `true` | +| `containerSecurityContext.runAsUser` | Set etcd container's Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsNonRoot` | Set etcd container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.allowPrivilegeEscalation` | Force the child process to be run as nonprivilege | `false` | +| `resources.limits` | The resources limits for the etcd container | `{}` | +| `resources.requests` | The requested resources for the etcd container | `{}` | +| `livenessProbe.enabled` | Enable livenessProbe | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `60` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `startupProbe.enabled` | Enable startupProbe | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `60` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Override default liveness probe | `{}` | +| `customReadinessProbe` | Override default readiness probe | `{}` | +| `customStartupProbe` | Override default startup probe | `{}` | +| `extraVolumes` | Optionally specify extra list of additional volumes for etcd pods | `[]` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for etcd container(s) | `[]` | +| `initContainers` | Add additional init containers to the etcd pods | `[]` | +| `sidecars` | Add additional sidecar containers to the etcd pods | `[]` | +| `podAnnotations` | Annotations for etcd pods | `{}` | +| `podLabels` | Extra labels for etcd pods | `{}` | +| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `terminationGracePeriodSeconds` | Seconds the pod needs to gracefully terminate | `""` | +| `schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `priorityClassName` | Name of the priority class to be used by etcd pods | `""` | +| `runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` | +| `shareProcessNamespace` | Enable shared process namespace in a pod. | `false` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | +| `persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | +| `persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | + +### Traffic exposure parameters + +| Name | Description | Value | +| ---------------------------------- | ---------------------------------------------------------------------------------- | ----------- | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.enabled` | create second service if equal true | `true` | +| `service.clusterIP` | Kubernetes service Cluster IP | `""` | +| `service.ports.client` | etcd client port | `2379` | +| `service.ports.peer` | etcd peer port | `2380` | +| `service.nodePorts.client` | Specify the nodePort client value for the LoadBalancer and NodePort service types. | `""` | +| `service.nodePorts.peer` | Specify the nodePort peer value for the LoadBalancer and NodePort service types. | `""` | +| `service.clientPortNameOverride` | etcd client port name override | `""` | +| `service.peerPortNameOverride` | etcd peer port name override | `""` | +| `service.loadBalancerIP` | loadBalancerIP for the etcd service (optional, cloud specific) | `""` | +| `service.loadBalancerSourceRanges` | Load Balancer source ranges | `[]` | +| `service.externalIPs` | External IPs | `[]` | +| `service.externalTrafficPolicy` | %%MAIN_CONTAINER_NAME%% service external traffic policy | `Cluster` | +| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `service.annotations` | Additional annotations for the etcd service | `{}` | +| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.headless.annotations` | Annotations for the headless service. | `{}` | + +### Persistence parameters + +| Name | Description | Value | +| -------------------------- | --------------------------------------------------------------- | ------------------- | +| `persistence.enabled` | If true, use a Persistent Volume Claim. If false, use emptyDir. | `true` | +| `persistence.storageClass` | Persistent Volume Storage Class | `""` | +| `persistence.annotations` | Annotations for the PVC | `{}` | +| `persistence.labels` | Labels for the PVC | `{}` | +| `persistence.accessModes` | Persistent Volume Access Modes | `["ReadWriteOnce"]` | +| `persistence.size` | PVC Storage Request for etcd data volume | `8Gi` | +| `persistence.selector` | Selector to match an existing Persistent Volume | `{}` | + +### Volume Permissions parameters + +| Name | Description | Value | +| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/bitnami-shell` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag | `11-debian-11-r118` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | +| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | + +### Network Policy parameters + +| Name | Description | Value | +| --------------------------------------- | ---------------------------------------------------------- | ------- | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | + +### Metrics parameters + +| Name | Description | Value | +| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ------------ | +| `metrics.enabled` | Expose etcd metrics | `false` | +| `metrics.podAnnotations` | Annotations for the Prometheus metrics on etcd pods | `{}` | +| `metrics.podMonitor.enabled` | Create PodMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.podMonitor.namespace` | Namespace in which Prometheus is running | `monitoring` | +| `metrics.podMonitor.interval` | Specify the interval at which metrics should be scraped | `30s` | +| `metrics.podMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `30s` | +| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitors will be discovered by Prometheus | `{}` | +| `metrics.podMonitor.scheme` | Scheme to use for scraping | `http` | +| `metrics.podMonitor.tlsConfig` | TLS configuration used for scrape endpoints used by Prometheus | `{}` | +| `metrics.podMonitor.relabelings` | Prometheus relabeling rules | `[]` | +| `metrics.prometheusRule.enabled` | Create a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | + +### Snapshotting parameters + +| Name | Description | Value | +| ----------------------------------------------- | ----------------------------------------------------------------------- | -------------- | +| `startFromSnapshot.enabled` | Initialize new cluster recovering an existing snapshot | `false` | +| `startFromSnapshot.existingClaim` | Existing PVC containing the etcd snapshot | `""` | +| `startFromSnapshot.snapshotFilename` | Snapshot filename | `""` | +| `disasterRecovery.enabled` | Enable auto disaster recovery by periodically snapshotting the keyspace | `false` | +| `disasterRecovery.cronjob.schedule` | Schedule in Cron format to save snapshots | `*/30 * * * *` | +| `disasterRecovery.cronjob.historyLimit` | Number of successful finished jobs to retain | `1` | +| `disasterRecovery.cronjob.snapshotHistoryLimit` | Number of etcd snapshots to retain, tagged by date | `1` | +| `disasterRecovery.cronjob.snapshotsDir` | Directory to store snapshots | `/snapshots` | +| `disasterRecovery.cronjob.podAnnotations` | Pod annotations for cronjob pods | `{}` | +| `disasterRecovery.cronjob.resources.limits` | Cronjob container resource limits | `{}` | +| `disasterRecovery.cronjob.resources.requests` | Cronjob container resource requests | `{}` | +| `disasterRecovery.cronjob.nodeSelector` | Node labels for cronjob pods assignment | `{}` | +| `disasterRecovery.cronjob.tolerations` | Tolerations for cronjob pods assignment | `[]` | +| `disasterRecovery.pvc.existingClaim` | A manually managed Persistent Volume and Claim | `""` | +| `disasterRecovery.pvc.size` | PVC Storage Request | `2Gi` | +| `disasterRecovery.pvc.storageClassName` | Storage Class for snapshots volume | `nfs` | +| `disasterRecovery.pvc.subPath` | Path within the volume from which to mount | `""` | + +### Service account parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------ | ------- | +| `serviceAccount.create` | Enable/disable service account creation | `false` | +| `serviceAccount.name` | Name of the service account to create or use | `""` | +| `serviceAccount.automountServiceAccountToken` | Enable/disable auto mounting of service account token | `true` | +| `serviceAccount.annotations` | Additional annotations to be included on the service account | `{}` | +| `serviceAccount.labels` | Additional labels to be included on the service account | `{}` | + +### Other parameters + +| Name | Description | Value | +| -------------------- | -------------------------------------------------------------- | ------ | +| `pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | +| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `51%` | +| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `""` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, ```console -$ helm install my-release \ - --set auth.rbac.rootPassword=secretpassword bitnami/etcd +helm install my-release \ + --set auth.rbac.rootPassword=secretpassword oci://registry-1.docker.io/bitnamicharts/etcd ``` The above command sets the etcd `root` account password to `secretpassword`. +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, ```console -$ helm install my-release -f values.yaml bitnami/etcd +helm install my-release -f values.yaml oci://registry-1.docker.io/bitnamicharts/etcd ``` > **Tip**: You can use the default [values.yaml](values.yaml) @@ -190,171 +333,158 @@ It is strongly recommended to use immutable tags in a production environment. Th Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. -### Production configuration and horizontal scaling +### Cluster configuration -This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one. +The Bitnami etcd chart can be used to bootstrap an etcd cluster, easy to scale and with available features to implement disaster recovery. -- Number of etcd nodes: -```diff -- statefulset.replicaCount: 1 -+ statefulset.replicaCount: 3 -``` +Refer to the [chart documentation](https://docs.bitnami.com/kubernetes/infrastructure/etcd/get-started/understand-default-configuration/) for more information about all these details. -- Switch to encrypt client communication using TLS certificates: -```diff -- auth.client.secureTransport: false -+ auth.client.secureTransport: true -``` +### Enable security for etcd -- Switch to enable host authentication using TLS certificates: -```diff -- auth.client.enableAuthentication: false -+ auth.client.enableAuthentication: true -``` +The etcd chart can be configured with Role-based access control and TLS encryption to improve its security. -- Switch to encrypt peer communication using TLS certificates: -```diff -- auth.peer.secureTransport: false -+ auth.peer.secureTransport: true -``` +[Learn more about security in the chart documentation](https://docs.bitnami.com/kubernetes/infrastructure/etcd/administration/enable-security/). -- Switch to automatically create the TLS certificates: -```diff -- auth.peer.useAutoTLS: false -+ auth.peer.useAutoTLS: true -``` +### Persistence -- Enable prometheus to access etcd metrics endpoint: -```diff -- metrics.enabled: false -+ metrics.enabled: true -``` +The [Bitnami etcd](https://github.com/bitnami/containers/tree/main/bitnami/etcd) image stores the etcd data at the `/bitnami/etcd` path of the container. Persistent Volume Claims are used to keep the data across statefulsets. -To horizontally scale this chart once it has been deployed, you can upgrade the deployment using a new value for the `statefulset.replicaCount` parameter. +The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) volume at this location. The volume is created using dynamic volume provisioning by default. An existing PersistentVolumeClaim can also be defined for this purpose. -### Using custom configuration +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). -In order to use custom configuration parameters, two options are available: +### Backup and restore the etcd keyspace -- Using environment variables: etcd allows setting environment variables that map to configuration settings. In order to set extra environment variables, use the `envVarsConfigMap` value to point to a ConfigMap (shown in the below example) that contains them. This ConfigMap can be created with the `-f /tmp/configurationEnvVars.yaml` flag. Then deploy the chart with the `envVarsConfigMap=etcd-env-vars` parameter: +The Bitnami etcd chart provides mechanisms to bootstrap the etcd cluster restoring an existing snapshot before initializing. -```console -$ cat << EOF > /tmp/configurationEnvVars.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: etcd-env-vars - namespace: default -data: - ETCD_AUTO_COMPACTION_RETENTION: "0" - ETCD_HEARTBEAT_INTERVAL: "150" -EOF -``` +[Learn more about backup/restore features in the chart documentation](https://docs.bitnami.com/kubernetes/infrastructure/etcd/administration/backup-restore/). -- Using a custom `etcd.conf.yml`: The etcd chart allows mounting a custom etcd.conf.yml file as ConfigMap (named, for example, etcd-conf) and deploy it using the `configFileConfigMap=etcd-conf` parameter. +### Exposing etcd metrics -### Enable security for etcd +The metrics exposed by etcd can be exposed to be scraped by Prometheus. This can be done by adding the required annotations for Prometheus to discover the metrics endpoints or creating a PodMonitor entry if you are using the Prometheus Operator. -#### Configure RBAC +[Learn more about exposing metrics in the chart documentation](https://docs.bitnami.com/kubernetes/infrastructure/etcd/administration/enable-metrics/). -In order to enable [Role-based access control for etcd](https://coreos.com/etcd/docs/latest/op-guide/authentication.html) you can set the following parameters: +### Using custom configuration -```console -auth.rbac.enabled=true -auth.rbac.rootPassword=YOUR-PASSWORD -``` +In order to use custom configuration parameters, two options are available: + +- Using environment variables: etcd allows setting environment variables that map to configuration settings. In order to set extra environment variables, you can use the `extraEnvVars` property. Alternatively, you can use a ConfigMap or a Secret with the environment variables using the `extraEnvVarsCM` or the `extraEnvVarsSecret` properties. -The previous command will deploy etcd creating a `root` user with its associate `root` role with access to everything. The rest of users will use the `guest` role and won't have permissions to do anything. +```yaml +extraEnvVars: + - name: ETCD_AUTO_COMPACTION_RETENTION + value: "0" + - name: ETCD_HEARTBEAT_INTERVAL + value: "150" +``` -#### Configure certificated for peer communication +- Using a custom `etcd.conf.yml`: The etcd chart allows mounting a custom `etcd.conf.yml` file as ConfigMap. In order to so, you can use the `configuration` property. Alternatively, you can use an existing ConfigMap using the `existingConfigmap` parameter. -In order to enable secure transport between peer nodes deploy the helm chart with these options: +### Auto Compaction -```console -auth.peer.secureTransport=true -auth.peer.useAutoTLS=true -``` +Since etcd keeps an exact history of its keyspace, this history should be periodically compacted to avoid performance degradation and eventual storage space exhaustion. Compacting the keyspace history drops all information about keys superseded prior to a given keyspace revision. The space used by these keys then becomes available for additional writes to the keyspace. -#### Configure certificates for client communication +`autoCompactionMode`, by default periodic. Valid values: "periodic", "revision". -In order to enable secure transport between client and server you have to create a secret containing the cert and key files and the CA used to sign those client certificates. +- 'periodic' for duration based retention, defaulting to hours if no time unit is provided (e.g. "5m"). +- 'revision' for revision number based retention. +`autoCompactionRetention` for mvcc key value store in hour, by default 0, means disabled. -You can create that secret and deploy the helm chart with these options: +You can enable auto compaction by using following parameters: ```console -auth.client.secureTransport=true -auth.client.enableAuthentication=true -auth.client.existingSecret=etcd-client-certs +autoCompactionMode=periodic +autoCompactionRetention=10m ``` -> Ref: [etcd security model](https://coreos.com/etcd/docs/latest/op-guide/security.html) -> -> Ref: [Generate self-signed certificagtes for etcd](https://coreos.com/os/docs/latest/generate-self-signed-certificates.html) +### Sidecars and Init Containers -### Disaster recovery +If you have a need for additional containers to run within the same pod as the etcd app (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. -You can enable auto disaster recovery by periodically snapshotting the keyspace. If the cluster permanently loses more than (N-1)/2 members, it tries to recover the cluster from a previous snapshot. You can enable it using the following parameters: - -```console -persistence.enabled=true -disasterRecovery.enabled=true -disasterRecovery.pvc.size=2Gi -disasterRecovery.pvc.storageClassName=nfs +```yaml +sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 ``` -> **Note**: Disaster recovery feature requires using volumes with ReadWriteMany access mode. For instance, you can use the stable/nfs-server-provisioner chart to provide NFS PVCs. +Similarly, you can add extra init containers using the `initContainers` parameter. -### Setting Pod's affinity +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` -This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). +### Deploying extra resources -As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. +There are cases where you may want to deploy extra objects, such a ConfigMap containing your app's configuration or some extra deployment with a micro service used by your app. For covering this case, the chart allows adding the full specification of other objects using the `extraDeploy` parameter. -## Persistence +### Setting Pod's affinity -The [Bitnami etcd](https://github.com/bitnami/bitnami-docker-etcd) image stores the etcd data at the `/bitnami/etcd` path of the container. Persistent Volume Claims are used to keep the data across statefulsets. +This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). -By default, the chart mounts a [Persistent Volume](http://kubernetes.io/docs/user-guide/persistent-volumes/) at this location. The volume is created using dynamic volume provisioning. See the [Parameters](#parameters) section to configure the PVC. +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. -### Adjust permissions of persistent volume mountpoint +## Troubleshooting -As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). -By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. -As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination. +## Upgrading -You can enable this initContainer by setting `volumePermissions.enabled` to `true`. +### To 8.0.0 -## Troubleshooting +This version reverts the change in the previous major bump ([7.0.0](https://github.com/bitnami/charts/tree/main/bitnami/etcd#to-700)). Now the default `etcd` branch is `3.5` again once confirmed by the [etcd developers](https://github.com/etcd-io/etcd/tree/main/CHANGELOG#production-recommendation) that this version is production-ready once solved the data corruption issue. -Find more information about how to deal with common errors related to Bitnami’s Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). +### To 7.0.0 -## Upgrading +This version changes the default `etcd` branch to `3.4` as suggested by [etcd developers](https://github.com/etcd-io/etcd/tree/main/CHANGELOG#production-recommendation). In order to migrate the data follow the official etcd instructions. -### 5.2.0 +### To 6.0.0 -This version also introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/master/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade. +This version introduces several features and performance improvements: -### To 5.0.0 +- The statefulset can now be scaled using `kubectl scale` command. Using `helm upgrade` to recalculate available endpoints is no longer needed. +- The scripts used for bootstrapping, runtime reconfiguration, and disaster recovery have been refactored and moved to the etcd container with two purposes: removing technical debt & improving the stability. +- Several parameters were reorganized to simplify the structure and follow the same standard used on other Bitnami charts: + - `etcd.initialClusterState` is renamed to `initialClusterState`. + - `statefulset.replicaCount` is renamed to `replicaCount`. + - `statefulset.podManagementPolicy` is renamed to `podManagementPolicy`. + - `statefulset.updateStrategy` and `statefulset.rollingUpdatePartition` are merged into `updateStrategy`. + - `securityContext.*` is deprecated in favor of `podSecurityContext` and `containerSecurityContext`. + - `configFileConfigMap` is deprecated in favor of `configuration` and `existingConfigmap`. + - `envVarsConfigMap` is deprecated in favor of `extraEnvVars`, `extraEnvVarsCM` and `extraEnvVarsSecret`. + - `allowNoneAuthentication` is renamed to `auth.rbac.allowNoneAuthentication`. +- New parameters/features were added: + - `extraDeploy` to deploy any extra desired object. + - `initContainers` and `sidecars` to define custom init containers and sidecars. + - `extraVolumes` and `extraVolumeMounts` to define custom volumes and mount points. + - Probes can be now customized, and support to startup probes is added. + - LifecycleHooks can be customized using `lifecycleHooks` parameter. + - The default command/args can be customized using `command` and `args` parameters. +- Metrics integration with Prometheus Operator does no longer use a ServiceMonitor object, but a PodMonitor instead. -[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. +Consequences: -**What changes were introduced in this major version?** +- Backwards compatibility is not guaranteed unless you adapt you **values.yaml** according to the changes described above. -- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. -- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts +### To 5.2.0 -**Considerations when upgrading to this version** +This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/main/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade. -- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues -- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore -- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 +### To 5.0.0 -**Useful links** +[On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ -- https://helm.sh/docs/topics/v2_v3_migration/ -- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ +[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/etcd/administration/upgrade-helm3/). ### To 4.4.14 @@ -372,7 +502,7 @@ To upgrade from previous charts versions, create a snapshot of the keyspace and You can use the command below to upgrade your chart by starting a new cluster using an existing snapshot, available in an existing PVC, to initialize the members: ```console -$ helm install new-release bitnami/etcd \ +helm install new-release oci://registry-1.docker.io/bitnamicharts/etcd \ --set statefulset.replicaCount=3 \ --set persistence.enabled=true \ --set persistence.size=8Gi \ @@ -387,5 +517,21 @@ Backwards compatibility is not guaranteed unless you modify the labels used on t Use the workaround below to upgrade from versions previous to 1.0.0. The following example assumes that the release name is etcd: ```console -$ kubectl delete statefulset etcd --cascade=false +kubectl delete statefulset etcd --cascade=false ``` + +## License + +Copyright © 2023 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/helm-charts/etcd/charts/common/Chart.yaml b/helm-charts/etcd/charts/common/Chart.yaml index 1bda8e2d..4fc56bbb 100644 --- a/helm-charts/etcd/charts/common/Chart.yaml +++ b/helm-charts/etcd/charts/common/Chart.yaml @@ -1,10 +1,11 @@ annotations: category: Infrastructure + licenses: Apache-2.0 apiVersion: v2 -appVersion: 1.1.1 +appVersion: 2.4.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. -home: https://github.com/bitnami/charts/tree/master/bitnami/common +home: https://bitnami.com icon: https://bitnami.com/downloads/logos/bitnami-mark.png keywords: - common @@ -13,11 +14,10 @@ keywords: - function - bitnami maintainers: -- email: containers@bitnami.com - name: Bitnami +- name: VMware, Inc. + url: https://github.com/bitnami/charts name: common sources: - https://github.com/bitnami/charts -- http://www.bitnami.com/ type: library -version: 1.1.2 +version: 2.4.0 diff --git a/helm-charts/etcd/charts/common/README.md b/helm-charts/etcd/charts/common/README.md index a6889536..72fca33d 100644 --- a/helm-charts/etcd/charts/common/README.md +++ b/helm-charts/etcd/charts/common/README.md @@ -1,18 +1,20 @@ # Bitnami Common Library Chart -A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. + +Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. ## TL;DR ```yaml dependencies: - name: common - version: 0.x.x - repository: https://charts.bitnami.com/bitnami + version: 1.x.x + repository: oci://registry-1.docker.io/bitnamicharts ``` -```bash -$ helm dependency update +```console +helm dependency update ``` ```yaml @@ -28,107 +30,15 @@ data: This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. -Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. ## Prerequisites -- Kubernetes 1.12+ -- Helm 3.0-beta3+ +- Kubernetes 1.19+ +- Helm 3.2.0+ ## Parameters -The following table lists the helpers available in the library which are scoped in different sections. - -### Affinities - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | -| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | -| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | -| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | - -### Capabilities - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | -| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | -| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | - -### Errors - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | - -### Images - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | -| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | - -### Labels - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | -| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context | - -### Names - -| Helper identifier | Description | Expected Inpput | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | -| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | -| `common.names.chart` | Chart name plus version | `.` Chart context | - -### Secrets - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | -| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | - -### Storage - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | - -### TplValues - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frecuently is the chart context `$` or `.` | - -### Utils - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | -| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | -| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | - -### Validations - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "context" $` secret and field are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | -| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | -| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | -| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | -| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | -| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | -| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | - -### Warnings - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | - ## Special input schemas ### ImageRoot @@ -157,7 +67,7 @@ pullSecrets: type: array items: type: string - description: Optionally specify an array of imagePullSecrets. + description: Optionally specify an array of imagePullSecrets (evaluated as templates). debug: type: boolean @@ -227,7 +137,7 @@ keyMapping: #### Example of use -When we store sensitive data for a deployment in a secret, some times we want to give to users the possiblity of using theirs existing secrets. +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. ```yaml # templates/secret.yaml @@ -274,14 +184,14 @@ keyMapping: If we force those values to be empty we will see some alerts ```console -$ helm install test mychart --set path.to.value00="",path.to.value01="" +helm install test mychart --set path.to.value00="",path.to.value01="" 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: - export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode) + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: - export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode) + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) ``` ## Upgrading @@ -290,20 +200,36 @@ $ helm install test mychart --set path.to.value00="",path.to.value01="" [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -**What changes were introduced in this major version?** +#### What changes were introduced in this major version? - Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. - Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. - The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts -**Considerations when upgrading to this version** +#### Considerations when upgrading to this version - If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues - If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore - If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 -**Useful links** +#### Useful links + +- +- +- + +## License + +Copyright © 2023 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + -- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ -- https://helm.sh/docs/topics/v2_v3_migration/ -- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/helm-charts/etcd/charts/common/templates/_affinities.tpl b/helm-charts/etcd/charts/common/templates/_affinities.tpl index 1ff26d58..81902a68 100644 --- a/helm-charts/etcd/charts/common/templates/_affinities.tpl +++ b/helm-charts/etcd/charts/common/templates/_affinities.tpl @@ -1,7 +1,7 @@ {{/* vim: set filetype=mustache: */}} {{/* -Return a soft nodeAffinity definition +Return a soft nodeAffinity definition {{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} */}} {{- define "common.affinities.nodes.soft" -}} @@ -12,7 +12,7 @@ preferredDuringSchedulingIgnoredDuringExecution: operator: In values: {{- range .values }} - - {{ . }} + - {{ . | quote }} {{- end }} weight: 1 {{- end -}} @@ -29,7 +29,7 @@ requiredDuringSchedulingIgnoredDuringExecution: operator: In values: {{- range .values }} - - {{ . }} + - {{ . | quote }} {{- end }} {{- end -}} @@ -45,12 +45,21 @@ Return a nodeAffinity definition {{- end -}} {{- end -}} +{{/* +Return a topologyKey definition +{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}} +*/}} +{{- define "common.affinities.topologyKey" -}} +{{ .topologyKey | default "kubernetes.io/hostname" -}} +{{- end -}} + {{/* Return a soft podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.soft" (dict "component" "FOO" "context" $) -}} +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}} */}} {{- define "common.affinities.pods.soft" -}} {{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: @@ -58,27 +67,30 @@ preferredDuringSchedulingIgnoredDuringExecution: {{- if not (empty $component) }} {{ printf "app.kubernetes.io/component: %s" $component }} {{- end }} - namespaces: - - {{ .context.Release.Namespace }} - topologyKey: kubernetes.io/hostname + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} weight: 1 {{- end -}} {{/* Return a hard podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.hard" (dict "component" "FOO" "context" $) -}} +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}} */}} {{- define "common.affinities.pods.hard" -}} {{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} {{- if not (empty $component) }} {{ printf "app.kubernetes.io/component: %s" $component }} {{- end }} - namespaces: - - {{ .context.Release.Namespace }} - topologyKey: kubernetes.io/hostname + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} {{- end -}} {{/* diff --git a/helm-charts/etcd/charts/common/templates/_capabilities.tpl b/helm-charts/etcd/charts/common/templates/_capabilities.tpl index 143bef2a..697486a3 100644 --- a/helm-charts/etcd/charts/common/templates/_capabilities.tpl +++ b/helm-charts/etcd/charts/common/templates/_capabilities.tpl @@ -1,9 +1,69 @@ {{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for daemonset. +*/}} +{{- define "common.capabilities.daemonset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + {{/* Return the appropriate apiVersion for deployment. */}} {{- define "common.capabilities.deployment.apiVersion" -}} -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} {{- print "extensions/v1beta1" -}} {{- else -}} {{- print "apps/v1" -}} @@ -14,7 +74,7 @@ Return the appropriate apiVersion for deployment. Return the appropriate apiVersion for statefulset. */}} {{- define "common.capabilities.statefulset.apiVersion" -}} -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} {{- print "apps/v1beta1" -}} {{- else -}} {{- print "apps/v1" -}} @@ -25,9 +85,96 @@ Return the appropriate apiVersion for statefulset. Return the appropriate apiVersion for ingress. */}} {{- define "common.capabilities.ingress.apiVersion" -}} -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} {{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} {{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} {{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "common.capabilities.hpa.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Vertical Pod Autoscaler. +*/}} +{{- define "common.capabilities.vpa.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} {{- end -}} {{- end -}} diff --git a/helm-charts/etcd/charts/common/templates/_errors.tpl b/helm-charts/etcd/charts/common/templates/_errors.tpl index d6d3ec65..a79cc2e3 100644 --- a/helm-charts/etcd/charts/common/templates/_errors.tpl +++ b/helm-charts/etcd/charts/common/templates/_errors.tpl @@ -14,7 +14,10 @@ Required password params: {{- define "common.errors.upgrade.passwords.empty" -}} {{- $validationErrors := join "" .validationErrors -}} {{- if and $validationErrors .context.Release.IsUpgrade -}} - {{- $errorString := "\nPASSWORDS ERROR: you must provide your current passwords when upgrade the release%s" -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} {{- printf $errorString $validationErrors | fail -}} {{- end -}} {{- end -}} diff --git a/helm-charts/etcd/charts/common/templates/_images.tpl b/helm-charts/etcd/charts/common/templates/_images.tpl index aafde9f3..d60c22e2 100644 --- a/helm-charts/etcd/charts/common/templates/_images.tpl +++ b/helm-charts/etcd/charts/common/templates/_images.tpl @@ -1,22 +1,31 @@ {{/* vim: set filetype=mustache: */}} {{/* Return the proper image name -{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }} */}} {{- define "common.images.image" -}} {{- $registryName := .imageRoot.registry -}} {{- $repositoryName := .imageRoot.repository -}} -{{- $tag := .imageRoot.tag | toString -}} +{{- $separator := ":" -}} +{{- $termination := .imageRoot.tag | toString -}} {{- if .global }} {{- if .global.imageRegistry }} {{- $registryName = .global.imageRegistry -}} {{- end -}} {{- end -}} -{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- if .imageRoot.digest }} + {{- $separator = "@" -}} + {{- $termination = .imageRoot.digest | toString -}} +{{- end -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} {{- end -}} {{/* -Return the proper Docker Image Registry Secret Names +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) {{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} */}} {{- define "common.images.pullSecrets" -}} @@ -36,7 +45,35 @@ Return the proper Docker Image Registry Secret Names {{- if (not (empty $pullSecrets)) }} imagePullSecrets: - {{- range $pullSecrets }} + {{- range $pullSecrets | uniq }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets | uniq }} - name: {{ . }} {{- end }} {{- end }} diff --git a/helm-charts/etcd/charts/common/templates/_ingress.tpl b/helm-charts/etcd/charts/common/templates/_ingress.tpl new file mode 100644 index 00000000..831da9ca --- /dev/null +++ b/helm-charts/etcd/charts/common/templates/_ingress.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/helm-charts/etcd/charts/common/templates/_names.tpl b/helm-charts/etcd/charts/common/templates/_names.tpl index adf2a74f..617a2348 100644 --- a/helm-charts/etcd/charts/common/templates/_names.tpl +++ b/helm-charts/etcd/charts/common/templates/_names.tpl @@ -30,3 +30,37 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} {{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a fully qualified app name adding the installation's namespace. +*/}} +{{- define "common.names.fullname.namespace" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/helm-charts/etcd/charts/common/templates/_secrets.tpl b/helm-charts/etcd/charts/common/templates/_secrets.tpl index ebfb5d42..a1708b2e 100644 --- a/helm-charts/etcd/charts/common/templates/_secrets.tpl +++ b/helm-charts/etcd/charts/common/templates/_secrets.tpl @@ -8,7 +8,7 @@ Usage: Params: - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. - context - Dict - Required. The context for the template evaluation. */}} @@ -21,7 +21,9 @@ Params: {{- with .existingSecret -}} {{- if not (typeIs "string" .) -}} -{{- $name = .name -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} {{- else -}} {{- $name = . -}} {{- end -}} @@ -39,7 +41,7 @@ Usage: Params: - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret - key - String - Required. Name of the key in the secret. */}} {{- define "common.secrets.key" -}} @@ -55,3 +57,109 @@ Params: {{- printf "%s" $key -}} {{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + +The order in which this function returns a secret password: + 1. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 2. Password provided via the values.yaml + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 3. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key | quote }} + {{- else }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Reuses the value from an existing secret, otherwise sets its value to a default value. + +Usage: +{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - context - Context - Required - Parent context. + +*/}} +{{- define "common.secrets.lookup" -}} +{{- $value := "" -}} +{{- $defaultValue := required "\n'common.secrets.lookup': Argument 'defaultValue' missing or empty" .defaultValue -}} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}} +{{- if and $secretData (hasKey $secretData .key) -}} + {{- $value = index $secretData .key -}} +{{- else -}} + {{- $value = $defaultValue | toString | b64enc -}} +{{- end -}} +{{- printf "%s" $value -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/helm-charts/etcd/charts/common/templates/_utils.tpl b/helm-charts/etcd/charts/common/templates/_utils.tpl index 74774a3c..b1ead50c 100644 --- a/helm-charts/etcd/charts/common/templates/_utils.tpl +++ b/helm-charts/etcd/charts/common/templates/_utils.tpl @@ -6,7 +6,7 @@ Usage: */}} {{- define "common.utils.secret.getvalue" -}} {{- $varname := include "common.utils.fieldToEnvVar" . -}} -export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode) +export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) {{- end -}} {{/* @@ -43,3 +43,20 @@ Usage: {{- end -}} {{- printf "%v" (default "" $value) -}} {{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} diff --git a/helm-charts/etcd/charts/common/templates/validations/_cassandra.tpl b/helm-charts/etcd/charts/common/templates/validations/_cassandra.tpl index 7a274a08..ded1ae3b 100644 --- a/helm-charts/etcd/charts/common/templates/validations/_cassandra.tpl +++ b/helm-charts/etcd/charts/common/templates/validations/_cassandra.tpl @@ -14,7 +14,7 @@ Params: {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} - {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} {{- $requiredPasswords := list -}} {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} @@ -26,7 +26,7 @@ Params: {{- end -}} {{/* -Auxiliar function to get the right value for existingSecret. +Auxiliary function to get the right value for existingSecret. Usage: {{ include "common.cassandra.values.existingSecret" (dict "context" $) }} @@ -42,7 +42,7 @@ Params: {{- end -}} {{/* -Auxiliar function to get the right value for enabled cassandra. +Auxiliary function to get the right value for enabled cassandra. Usage: {{ include "common.cassandra.values.enabled" (dict "context" $) }} @@ -56,7 +56,7 @@ Usage: {{- end -}} {{/* -Auxiliar function to get the right value for the key dbUser +Auxiliary function to get the right value for the key dbUser Usage: {{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} diff --git a/helm-charts/etcd/charts/common/templates/validations/_mariadb.tpl b/helm-charts/etcd/charts/common/templates/validations/_mariadb.tpl index 3bf669dd..b6906ff7 100644 --- a/helm-charts/etcd/charts/common/templates/validations/_mariadb.tpl +++ b/helm-charts/etcd/charts/common/templates/validations/_mariadb.tpl @@ -18,7 +18,7 @@ Params: {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} - {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} {{- $requiredPasswords := list -}} {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} @@ -41,7 +41,7 @@ Params: {{- end -}} {{/* -Auxiliar function to get the right value for existingSecret. +Auxiliary function to get the right value for existingSecret. Usage: {{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} @@ -57,7 +57,7 @@ Params: {{- end -}} {{/* -Auxiliar function to get the right value for enabled mariadb. +Auxiliary function to get the right value for enabled mariadb. Usage: {{ include "common.mariadb.values.enabled" (dict "context" $) }} @@ -71,7 +71,7 @@ Usage: {{- end -}} {{/* -Auxiliar function to get the right value for architecture +Auxiliary function to get the right value for architecture Usage: {{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} @@ -87,7 +87,7 @@ Params: {{- end -}} {{/* -Auxiliar function to get the right value for the key auth +Auxiliary function to get the right value for the key auth Usage: {{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} diff --git a/helm-charts/etcd/charts/common/templates/validations/_mongodb.tpl b/helm-charts/etcd/charts/common/templates/validations/_mongodb.tpl index 7e0c1cbc..f820ec10 100644 --- a/helm-charts/etcd/charts/common/templates/validations/_mongodb.tpl +++ b/helm-charts/etcd/charts/common/templates/validations/_mongodb.tpl @@ -1,12 +1,12 @@ {{/* vim: set filetype=mustache: */}} {{/* -Validate MongoDB required passwords are not empty. +Validate MongoDB® required passwords are not empty. Usage: {{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} Params: - - secret - String - Required. Name of the secret where MongoDB values are stored, e.g: "mongodb-passwords-secret" - - subchart - Boolean - Optional. Whether MongoDB is used as subchart or not. Default: false + - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false */}} {{- define "common.validations.values.mongodb.passwords" -}} {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} @@ -22,7 +22,7 @@ Params: {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} - {{- if and (not $existingSecret) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} {{- $requiredPasswords := list -}} {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} @@ -46,7 +46,7 @@ Params: {{- end -}} {{/* -Auxiliar function to get the right value for existingSecret. +Auxiliary function to get the right value for existingSecret. Usage: {{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} @@ -62,7 +62,7 @@ Params: {{- end -}} {{/* -Auxiliar function to get the right value for enabled mongodb. +Auxiliary function to get the right value for enabled mongodb. Usage: {{ include "common.mongodb.values.enabled" (dict "context" $) }} @@ -76,12 +76,12 @@ Usage: {{- end -}} {{/* -Auxiliar function to get the right value for the key auth +Auxiliary function to get the right value for the key auth Usage: {{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} Params: - - subchart - Boolean - Optional. Whether MongoDB is used as subchart or not. Default: false + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false */}} {{- define "common.mongodb.values.key.auth" -}} {{- if .subchart -}} @@ -92,12 +92,12 @@ Params: {{- end -}} {{/* -Auxiliar function to get the right value for architecture +Auxiliary function to get the right value for architecture Usage: {{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false */}} {{- define "common.mongodb.values.architecture" -}} {{- if .subchart -}} diff --git a/helm-charts/etcd/charts/common/templates/validations/_mysql.tpl b/helm-charts/etcd/charts/common/templates/validations/_mysql.tpl new file mode 100644 index 00000000..74472a06 --- /dev/null +++ b/helm-charts/etcd/charts/common/templates/validations/_mysql.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MySQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mysql.passwords" -}} + {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mysql.values.enabled" . -}} + {{- $architecture := include "common.mysql.values.architecture" . -}} + {{- $authPrefix := include "common.mysql.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mysql. + +Usage: +{{ include "common.mysql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mysql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mysql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.key.auth" -}} + {{- if .subchart -}} + mysql.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/helm-charts/etcd/charts/common/templates/validations/_postgresql.tpl b/helm-charts/etcd/charts/common/templates/validations/_postgresql.tpl index f25e0ffb..164ec0d0 100644 --- a/helm-charts/etcd/charts/common/templates/validations/_postgresql.tpl +++ b/helm-charts/etcd/charts/common/templates/validations/_postgresql.tpl @@ -13,10 +13,8 @@ Params: {{- $enabled := include "common.postgresql.values.enabled" . -}} {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} - - {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} {{- $requiredPasswords := list -}} - {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} @@ -31,7 +29,7 @@ Params: {{- end -}} {{/* -Auxiliar function to decide whether evaluate global values. +Auxiliary function to decide whether evaluate global values. Usage: {{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} @@ -47,7 +45,7 @@ Params: {{- end -}} {{/* -Auxiliar function to get the right value for existingSecret. +Auxiliary function to get the right value for existingSecret. Usage: {{ include "common.postgresql.values.existingSecret" (dict "context" $) }} @@ -63,7 +61,7 @@ Usage: {{- end -}} {{/* -Auxiliar function to get the right value for enabled postgresql. +Auxiliary function to get the right value for enabled postgresql. Usage: {{ include "common.postgresql.values.enabled" (dict "context" $) }} @@ -77,7 +75,7 @@ Usage: {{- end -}} {{/* -Auxiliar function to get the right value for the key postgressPassword. +Auxiliary function to get the right value for the key postgressPassword. Usage: {{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} @@ -99,7 +97,7 @@ Params: {{- end -}} {{/* -Auxiliar function to get the right value for enabled.replication. +Auxiliary function to get the right value for enabled.replication. Usage: {{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} @@ -115,7 +113,7 @@ Params: {{- end -}} {{/* -Auxiliar function to get the right value for the key replication.password. +Auxiliary function to get the right value for the key replication.password. Usage: {{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} diff --git a/helm-charts/etcd/charts/common/templates/validations/_redis.tpl b/helm-charts/etcd/charts/common/templates/validations/_redis.tpl index 2ccc04d2..dcccfc1a 100644 --- a/helm-charts/etcd/charts/common/templates/validations/_redis.tpl +++ b/helm-charts/etcd/charts/common/templates/validations/_redis.tpl @@ -1,7 +1,7 @@ {{/* vim: set filetype=mustache: */}} {{/* -Validate Redis required passwords are not empty. +Validate Redis® required passwords are not empty. Usage: {{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} @@ -10,17 +10,21 @@ Params: - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false */}} {{- define "common.validations.values.redis.passwords" -}} - {{- $existingSecret := include "common.redis.values.existingSecret" . -}} {{- $enabled := include "common.redis.values.enabled" . -}} {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} - {{- $valueKeyRedisPassword := printf "%s%s" $valueKeyPrefix "password" -}} - {{- $valueKeyRedisUsePassword := printf "%s%s" $valueKeyPrefix "usePassword" -}} + {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} - {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} + {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} + + {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} + {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} {{- $requiredPasswords := list -}} - {{- $usePassword := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUsePassword "context" .context) -}} - {{- if eq $usePassword "true" -}} + {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} + {{- if eq $useAuth "true" -}} {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} {{- end -}} @@ -30,23 +34,7 @@ Params: {{- end -}} {{/* -Redis Auxiliar function to get the right value for existingSecret. - -Usage: -{{ include "common.redis.values.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Redis is used as subchart or not. Default: false -*/}} -{{- define "common.redis.values.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.redis.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for enabled redis. +Auxiliary function to get the right value for enabled redis. Usage: {{ include "common.redis.values.enabled" (dict "context" $) }} @@ -60,7 +48,7 @@ Usage: {{- end -}} {{/* -Auxiliar function to get the right prefix path for the values +Auxiliary function to get the right prefix path for the values Usage: {{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} @@ -70,3 +58,19 @@ Params: {{- define "common.redis.values.keys.prefix" -}} {{- if .subchart -}}redis.{{- else -}}{{- end -}} {{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/helm-charts/etcd/charts/common/templates/validations/_validations.tpl b/helm-charts/etcd/charts/common/templates/validations/_validations.tpl index d4cf32c7..9a814cf4 100644 --- a/helm-charts/etcd/charts/common/templates/validations/_validations.tpl +++ b/helm-charts/etcd/charts/common/templates/validations/_validations.tpl @@ -22,15 +22,17 @@ Validate value params: Validate a value must not be empty. Usage: -{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "context" $) }} +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} Validate value params: - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. */}} {{- define "common.validations.values.single.empty" -}} {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} {{- if not $value -}} {{- $varname := "my-value" -}} @@ -39,6 +41,6 @@ Validate value params: {{- $varname = include "common.utils.fieldToEnvVar" . -}} {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} {{- end -}} - {{- printf "\n '%s' must not be empty, please add '--set %s=$%s' to the command.%s" .valueKey .valueKey $varname $getCurrentValue -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} {{- end -}} {{- end -}} diff --git a/helm-charts/etcd/charts/common/values.yaml b/helm-charts/etcd/charts/common/values.yaml index 9ecdc93f..f2df68e5 100644 --- a/helm-charts/etcd/charts/common/values.yaml +++ b/helm-charts/etcd/charts/common/values.yaml @@ -1,3 +1,5 @@ ## bitnami/common ## It is required by CI/CD tools and processes. +## @skip exampleValue +## exampleValue: common-chart diff --git a/helm-charts/etcd/templates/NOTES.txt b/helm-charts/etcd/templates/NOTES.txt index 458cf385..bfa6e162 100644 --- a/helm-charts/etcd/templates/NOTES.txt +++ b/helm-charts/etcd/templates/NOTES.txt @@ -1,63 +1,86 @@ -{{- if contains .Values.service.type "LoadBalancer" }} -{{- if .Values.allowNoneAuthentication }} +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +{{- if and (eq .Values.service.type "LoadBalancer") .Values.auth.rbac.allowNoneAuthentication }} ------------------------------------------------------------------------------- WARNING - By specifying "service.type=LoadBalancer" and "allowNoneAuthentication=true" you - have most likely exposed the etcd service externally without any authentication - mechanism. + By specifying "service.type=LoadBalancer", "auth.rbac.enabled=false" and + "auth.rbac.allowNoneAuthentication=true" you have most likely exposed the etcd + service externally without any authentication mechanism. For security reasons, we strongly suggest that you switch to "ClusterIP" or - "NodePort". As alternative, you can also switch to "usePassword=true" - providing a valid password on "password" parameter. + "NodePort". As alternative, you can also switch to "auth.rbac.enabled=true" + providing a valid password on "auth.rbac.rootPassword" parameter. ------------------------------------------------------------------------------- {{- end }} -{{- end }} ** Please be patient while the chart is being deployed ** -etcd can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster: +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash - {{ template "etcd.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} +In order to replicate the container startup scripts execute this command: -To set a key run the following command: + /opt/bitnami/scripts/etcd/entrypoint.sh /opt/bitnami/scripts/etcd/run.sh - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "etcd.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - kubectl exec -it $POD_NAME -- etcdctl put /message Hello +{{- else }} + +etcd can be accessed via port {{ coalesce .Values.service.ports.client .Values.service.port }} on the following DNS name from within your cluster: + + {{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + +To create a pod that you can use as a etcd client run the following command: -To get a key run the following command: + kubectl run {{ template "common.names.fullname" . }}-client --restart='Never' --image {{ template "etcd.image" . }}{{- if or .Values.auth.rbac.create .Values.auth.rbac.enabled }} --env ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} -o jsonpath="{.data.etcd-root-password}" | base64 -d){{- end }} --env ETCDCTL_ENDPOINTS="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ coalesce .Values.service.ports.client .Values.service.port }}" --namespace {{ .Release.Namespace }} --command -- sleep infinity - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "etcd.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - kubectl exec -it $POD_NAME -- etcdctl get /message +Then, you can set/get a key using the commands below: + + kubectl exec --namespace {{ .Release.Namespace }} -it {{ template "common.names.fullname" . }}-client -- bash + {{- $etcdAuthOptions := include "etcd.authOptions" . }} + etcdctl {{ $etcdAuthOptions }} put /message Hello + etcdctl {{ $etcdAuthOptions }} get /message To connect to your etcd server from outside the cluster execute the following commands: {{- if contains "NodePort" .Values.service.type }} export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "etcd.fullname" . }}) + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) echo "etcd URL: http://$NODE_IP:$NODE_PORT/" {{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "etcd.fullname" . }}' + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "etcd.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo "etcd URL: http://$SERVICE_IP:{{ .Values.service.port }}/" + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + echo "etcd URL: http://$SERVICE_IP:{{ coalesce .Values.service.ports.client .Values.service.port }}/" {{- else if contains "ClusterIP" .Values.service.type }} - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "etcd.fullname" . }} {{ .Values.service.port }}:{{ .Values.service.port }} & - echo "etcd URL: http://127.0.0.1:{{ .Values.service.port }}" + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ coalesce .Values.service.ports.client .Values.service.port }}:{{ coalesce .Values.service.ports.client .Values.service.port }} & + echo "etcd URL: http://127.0.0.1:{{ coalesce .Values.service.ports.client .Values.service.port }}" {{- end }} -{{- if .Values.auth.rbac.enabled }} +{{- if or .Values.auth.rbac.create .Values.auth.rbac.enabled }} * As rbac is enabled you should add the flag `--user root:$ETCD_ROOT_PASSWORD` to the etcdctl commands. Use the command below to export the password: - export ETCD_ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "etcd.fullname" . }} -o jsonpath="{.data.etcd-root-password}" | base64 --decode) + export ETCD_ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} -o jsonpath="{.data.etcd-root-password}" | base64 -d) {{- end }} {{- if .Values.auth.client.secureTransport }} @@ -73,19 +96,24 @@ To connect to your etcd server from outside the cluster execute the following co * You should also export a proper etcdctl endpoint using the https schema. Eg. - export ETCDCTL_ENDPOINTS=https://{{ template "etcd.fullname" . }}-0:{{ .Values.service.port }} + export ETCDCTL_ENDPOINTS=https://{{ template "common.names.fullname" . }}-0:{{ coalesce .Values.service.ports.client .Values.service.port }} {{- end }} {{- if .Values.auth.client.enableAuthentication }} - * As TLS host authentication is enabled you should add the flag `--ca-file /opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt"}}` to the etcdctl commands. + * As TLS host authentication is enabled you should add the flag `--ca-file /opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt" }}` to the etcdctl commands. {{- end }} -{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} - -WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ - {{- end }} -{{ include "etcd.validateValues" . }} +{{- include "common.warnings.rollingTag" .Values.image }} +{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} +{{- include "etcd.validateValues" . }} +{{- $requiredPassword := list -}} +{{- $secretName := include "etcd.secretName" . -}} +{{- if and (or .Values.auth.rbac.create .Values.auth.rbac.enabled) (not .Values.auth.rbac.existingSecret) -}} + {{- $requiredEtcdPassword := dict "valueKey" "auth.rbac.rootPassword" "secret" $secretName "field" "etcd-root-password" -}} + {{- $requiredPassword = append $requiredPassword $requiredEtcdPassword -}} +{{- end -}} +{{- $requiredEtcdPasswordErrors := include "common.validations.values.multiple.empty" (dict "required" $requiredPassword "context" $) -}} +{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $requiredEtcdPasswordErrors) "context" $) -}} diff --git a/helm-charts/etcd/templates/_helpers.tpl b/helm-charts/etcd/templates/_helpers.tpl index 9e017c93..35b1a57e 100644 --- a/helm-charts/etcd/templates/_helpers.tpl +++ b/helm-charts/etcd/templates/_helpers.tpl @@ -1,75 +1,24 @@ {{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "etcd.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} {{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "etcd.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "etcd.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels +Return the proper etcd image name */}} -{{- define "etcd.labels" -}} -app.kubernetes.io/name: {{ include "etcd.name" . }} -helm.sh/chart: {{ include "etcd.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- define "etcd.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} {{- end -}} {{/* -Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +Return the proper image name (for the init container volume-permissions image) */}} -{{- define "etcd.matchLabels" -}} -app.kubernetes.io/name: {{ include "etcd.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} +{{- define "etcd.volumePermissions.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} {{- end -}} - -{{/* -Return the proper etcd image name -*/}} -{{- define "etcd.image" -}} -{{- $registryName := .Values.image.registry -}} -{{- $repositoryName := .Values.image.repository -}} -{{- $tag := .Values.image.tag | toString -}} {{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option +Return the proper Docker Image Registry Secret Names */}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} +{{- define "etcd.imagePullSecrets" -}} +{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.volumePermissions.image) "global" .Values.global) }} {{- end -}} {{/* @@ -94,86 +43,110 @@ Return the proper etcd client protocol {{- end -}} {{- end -}} -{{/* -Return the proper Disaster Recovery PVC name -*/}} -{{- define "etcd.disasterRecovery.pvc.name" -}} -{{- if .Values.disasterRecovery.pvc.existingClaim -}} -{{- with .Values.disasterRecovery.pvc.existingClaim -}} -{{ tpl . $ }} -{{- end -}} -{{- else -}} -{{ template "etcd.fullname" . }}-snapshotter -{{- end -}} -{{- end -}} - {{/* Return the proper etcdctl authentication options */}} {{- define "etcd.authOptions" -}} -{{- $rbacOption := "--user root:$ETCD_ROOT_PASSWORD" -}} +{{- $rbacOption := "--user root:$ROOT_PASSWORD" -}} {{- $certsOption := " --cert $ETCD_CERT_FILE --key $ETCD_KEY_FILE" -}} {{- $autoCertsOption := " --cert /bitnami/etcd/data/fixtures/client/cert.pem --key /bitnami/etcd/data/fixtures/client/key.pem" -}} {{- $caOption := " --cacert $ETCD_TRUSTED_CA_FILE" -}} -{{- if .Values.auth.rbac.enabled -}} -{{- printf "%s" $rbacOption -}} +{{- if or .Values.auth.rbac.create .Values.auth.rbac.enabled -}} + {{- printf "%s" $rbacOption -}} {{- end -}} {{- if and .Values.auth.client.secureTransport .Values.auth.client.useAutoTLS -}} -{{- printf "%s" $autoCertsOption -}} + {{- printf "%s" $autoCertsOption -}} {{- else if and .Values.auth.client.secureTransport (not .Values.auth.client.useAutoTLS) -}} -{{- printf "%s" $certsOption -}} -{{- if .Values.auth.client.enableAuthentication -}} -{{- printf "%s" $caOption -}} + {{- printf "%s" $certsOption -}} + {{- if .Values.auth.client.enableAuthentication -}} + {{- printf "%s" $caOption -}} + {{- end -}} +{{- end -}} {{- end -}} + +{{/* +Return the etcd configuration configmap +*/}} +{{- define "etcd.configmapName" -}} +{{- if .Values.existingConfigmap -}} + {{- printf "%s" (tpl .Values.existingConfigmap $) | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- printf "%s-configuration" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} {{- end -}} {{/* -Return the etcd env vars ConfigMap name +Return true if a configmap object should be created */}} -{{- define "etcd.envVarsCM" -}} -{{- printf "%s" .Values.envVarsConfigMap -}} +{{- define "etcd.createConfigmap" -}} +{{- if and .Values.configuration (not .Values.existingConfigmap) }} + {{- true -}} +{{- end -}} {{- end -}} {{/* -Return the etcd env vars ConfigMap name +Return the secret with etcd credentials */}} -{{- define "etcd.configFileCM" -}} -{{- printf "%s" .Values.configFileConfigMap -}} +{{- define "etcd.secretName" -}} + {{- if .Values.auth.rbac.existingSecret -}} + {{- printf "%s" .Values.auth.rbac.existingSecret | trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{- printf "%s" (include "common.names.fullname" .) -}} + {{- end -}} {{- end -}} {{/* -Return the proper Docker Image Registry Secret Names +Get the secret password key to be retrieved from etcd secret. */}} -{{- define "etcd.imagePullSecrets" -}} +{{- define "etcd.secretPasswordKey" -}} +{{- if and .Values.auth.rbac.existingSecret .Values.auth.rbac.existingSecretPasswordKey -}} +{{- printf "%s" .Values.auth.rbac.existingSecretPasswordKey -}} +{{- else -}} +{{- printf "etcd-root-password" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created for the etcd token private key +*/}} +{{- define "etcd.token.createSecret" -}} +{{- if and (eq .Values.auth.token.enabled true) (eq .Values.auth.token.type "jwt") (empty .Values.auth.token.privateKey.existingSecret) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret with etcd token private key +*/}} +{{- define "etcd.token.secretName" -}} + {{- if .Values.auth.token.privateKey.existingSecret -}} + {{- printf "%s" .Values.auth.token.privateKey.existingSecret | trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{- printf "%s-jwt-token" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} + {{- end -}} +{{- end -}} + {{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. -Also, we can not use a single if because lazy evaluation is not an option +Return the proper Disaster Recovery PVC name */}} -{{- if .Values.global }} -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- else if or .Values.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} -imagePullSecrets: -{{- range .Values.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.volumePermissions.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- end -}} -{{- else if or .Values.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} -imagePullSecrets: -{{- range .Values.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.volumePermissions.image.pullSecrets }} - - name: {{ . }} -{{- end }} +{{- define "etcd.disasterRecovery.pvc.name" -}} +{{- if .Values.disasterRecovery.pvc.existingClaim -}} + {{- printf "%s" (tpl .Values.disasterRecovery.pvc.existingClaim $) | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.startFromSnapshot.existingClaim -}} + {{- printf "%s" (tpl .Values.startFromSnapshot.existingClaim $) | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- printf "%s-snapshotter" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end -}} +{{- end -}} + +{{/* + Create the name of the service account to use + */}} +{{- define "etcd.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} +{{ default (include "common.names.fullname" .) .Values.serviceAccount.name | trunc 63 | trimSuffix "-" }} +{{- else -}} +{{ default "default" .Values.serviceAccount.name | trunc 63 | trimSuffix "-" }} {{- end -}} {{- end -}} @@ -195,18 +168,18 @@ Compile all warnings into a single message, and call fail. {{/* Validate values of etcd - an existing claim must be provided when startFromSnapshot is enabled */}} {{- define "etcd.validateValues.startFromSnapshot.existingClaim" -}} -{{- if and .Values.startFromSnapshot.enabled (not .Values.startFromSnapshot.existingClaim) -}} +{{- if and .Values.startFromSnapshot.enabled (not .Values.startFromSnapshot.existingClaim) (not .Values.disasterRecovery.enabled) -}} etcd: startFromSnapshot.existingClaim - An existing claim must be provided when startFromSnapshot is enabled!! + An existing claim must be provided when startFromSnapshot is enabled and disasterRecovery is disabled!! Please provide it (--set startFromSnapshot.existingClaim="xxxx") {{- end -}} {{- end -}} {{/* Validate values of etcd - the snapshot filename must be provided when startFromSnapshot is enabled */}} {{- define "etcd.validateValues.startFromSnapshot.snapshotFilename" -}} -{{- if and .Values.startFromSnapshot.enabled (not .Values.startFromSnapshot.snapshotFilename) -}} +{{- if and .Values.startFromSnapshot.enabled (not .Values.startFromSnapshot.snapshotFilename) (not .Values.disasterRecovery.enabled) -}} etcd: startFromSnapshot.snapshotFilename - The snapshot filename must be provided when startFromSnapshot is enabled!! + The snapshot filename must be provided when startFromSnapshot is enabled and disasterRecovery is disabled!! Please provide it (--set startFromSnapshot.snapshotFilename="xxxx") {{- end -}} {{- end -}} @@ -220,73 +193,13 @@ etcd: disasterRecovery {{- end -}} {{- end -}} -{{/* -Return the proper image name (for the init container volume-permissions image) -*/}} -{{- define "etcd.volumePermissions.image" -}} -{{- $registryName := .Values.volumePermissions.image.registry -}} -{{- $repositoryName := .Values.volumePermissions.image.repository -}} -{{- $tag := .Values.volumePermissions.image.tag | toString -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper Storage Class -*/}} -{{- define "etcd.storageClass" -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. -*/}} -{{- if .Values.global -}} - {{- if .Values.global.storageClass -}} - {{- if (eq "-" .Values.global.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.global.storageClass -}} - {{- end -}} - {{- else -}} - {{- if .Values.persistence.storageClass -}} - {{- if (eq "-" .Values.persistence.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} - {{- end -}} - {{- end -}} - {{- end -}} +{{- define "etcd.token.jwtToken" -}} +{{- if (include "etcd.token.createSecret" .) -}} +{{- $jwtToken := lookup "v1" "Secret" .Release.Namespace (printf "%s-jwt-token" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" ) -}} +{{- if $jwtToken -}} +{{ index $jwtToken "data" "jwt-token.pem" | b64dec }} {{- else -}} - {{- if .Values.persistence.storageClass -}} - {{- if (eq "-" .Values.persistence.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.persistence.storageClass -}} - {{- end -}} - {{- end -}} +{{ genPrivateKey "rsa" }} {{- end -}} {{- end -}} - -{{/* -Renders a value that contains template. -Usage: -{{ include "etcd.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }} -*/}} -{{- define "etcd.tplValue" -}} - {{- if typeIs "string" .value }} - {{- tpl .value .context }} - {{- else }} - {{- tpl (.value | toYaml) .context }} - {{- end }} {{- end -}} diff --git a/helm-charts/etcd/templates/configmap.yaml b/helm-charts/etcd/templates/configmap.yaml new file mode 100644 index 00000000..ca69d7f4 --- /dev/null +++ b/helm-charts/etcd/templates/configmap.yaml @@ -0,0 +1,17 @@ +{{- if (include "etcd.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-configuration" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + etcd.conf.yml: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.configuration "context" $ ) | nindent 4 }} +{{- end }} diff --git a/helm-charts/etcd/templates/cronjob.yaml b/helm-charts/etcd/templates/cronjob.yaml index c923226e..88faa310 100644 --- a/helm-charts/etcd/templates/cronjob.yaml +++ b/helm-charts/etcd/templates/cronjob.yaml @@ -1,9 +1,16 @@ {{- if .Values.disasterRecovery.enabled -}} -apiVersion: batch/v1beta1 +apiVersion: {{ include "common.capabilities.cronjob.apiVersion" . }} kind: CronJob metadata: - name: {{ include "etcd.fullname" . }}-snapshotter - labels: {{- include "etcd.labels" . | nindent 4 }} + name: {{ printf "%s-snapshotter" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: concurrencyPolicy: Forbid schedule: {{ .Values.disasterRecovery.cronjob.schedule | quote }} @@ -12,62 +19,106 @@ spec: spec: template: metadata: - labels: {{- include "etcd.labels" . | nindent 12 }} + labels: {{- include "common.labels.standard" . | nindent 12 }} app.kubernetes.io/component: snapshotter {{- if .Values.disasterRecovery.cronjob.podAnnotations }} - annotations: {{- include "etcd.tplValue" ( dict "value" .Values.disasterRecovery.cronjob.podAnnotations "context" $) | nindent 12 }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.disasterRecovery.cronjob.podAnnotations "context" $) | nindent 12 }} {{- end }} spec: + {{- if .Values.disasterRecovery.cronjob.nodeSelector }} + nodeSelector: {{- toYaml .Values.disasterRecovery.cronjob.nodeSelector | nindent 12 }} + {{- end }} + {{- if .Values.disasterRecovery.cronjob.tolerations }} + tolerations: {{- toYaml .Values.disasterRecovery.cronjob.tolerations | nindent 12 }} + {{- end }} + {{- include "etcd.imagePullSecrets" . | nindent 10 }} restartPolicy: OnFailure - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - runAsUser: {{ .Values.securityContext.runAsUser }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled (or .Values.podSecurityContext.enabled .Values.containerSecurityContext.enabled) }} + initContainers: + - name: volume-permissions + image: {{ include "etcd.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + - | + chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} /snapshots + securityContext: + runAsUser: 0 + {{- if .Values.volumePermissions.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.volumePermissions.resources "context" $) | nindent 16 }} + {{- end }} + volumeMounts: + - name: snapshot-volume + mountPath: /snapshots {{- end }} containers: - name: etcd-snapshotter image: {{ include "etcd.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - command: - - /scripts/save-snapshot.sh - env: - - name: BITNAMI_SNAPSHOT_DEBUG - value: {{ ternary "true" "false" .Values.disasterRecovery.debug | quote }} - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" .Values.image.debug | quote }} - - name: ETCDCTL_API - value: "3" - {{- if .Values.auth.client.secureTransport }} - - name: ETCD_CERT_FILE - value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.certFilename }}" - - name: ETCD_KEY_FILE - value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.certKeyFilename }}" - {{- if .Values.auth.client.enableAuthentication }} - - name: ETCD_CLIENT_CERT_AUTH - value: "true" - - name: ETCD_TRUSTED_CA_FILE - value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt"}}" - {{- else if .Values.auth.client.caFilename }} - - name: ETCD_TRUSTED_CA_FILE - value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt"}}" - {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 16 }} {{- end }} - {{- if .Values.auth.rbac.enabled }} - - name: ETCD_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ if .Values.auth.rbac.existingSecret }}{{ .Values.auth.rbac.existingSecret }}{{ else }}{{ include "etcd.fullname" . }}{{ end }} - key: etcd-root-password + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 16 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 16 }} + {{- else }} + command: + - /opt/bitnami/scripts/etcd/snapshot.sh {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: ETCDCTL_API + value: "3" + - name: ETCD_ON_K8S + value: "yes" + - name: MY_STS_NAME + value: {{ include "common.names.fullname" . | quote }} + {{- $releaseNamespace := .Release.Namespace }} + {{- $etcdFullname := include "common.names.fullname" . }} + {{- $etcdHeadlessServiceName := (printf "%s-%s" $etcdFullname "headless" | trunc 63 | trimSuffix "-") }} + {{- $clusterDomain := .Values.clusterDomain }} + - name: ETCD_CLUSTER_DOMAIN + value: {{ printf "%s.%s.svc.%s" $etcdHeadlessServiceName $releaseNamespace $clusterDomain | quote }} + - name: ETCD_SNAPSHOT_HISTORY_LIMIT + value: {{ .Values.disasterRecovery.cronjob.snapshotHistoryLimit | quote }} + - name: ETCD_SNAPSHOTS_DIR + value: {{ .Values.disasterRecovery.cronjob.snapshotsDir | quote }} + {{- if .Values.auth.client.secureTransport }} + - name: ETCD_CERT_FILE + value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.certFilename }}" + - name: ETCD_KEY_FILE + value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.certKeyFilename }}" + {{- if .Values.auth.client.enableAuthentication }} + - name: ETCD_CLIENT_CERT_AUTH + value: "true" + - name: ETCD_TRUSTED_CA_FILE + value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt" }}" + {{- else if .Values.auth.client.caFilename }} + - name: ETCD_TRUSTED_CA_FILE + value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt" }}" + {{- end }} + {{- end }} + {{- if or .Values.auth.rbac.create .Values.auth.rbac.enabled }} + - name: ETCD_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "etcd.secretName" . }} + key: {{ include "etcd.secretPasswordKey" . }} + {{- end }} {{- if .Values.disasterRecovery.cronjob.resources }} resources: {{- toYaml .Values.disasterRecovery.cronjob.resources | nindent 16 }} {{- end }} volumeMounts: - - name: scripts - mountPath: /scripts/save-snapshot.sh - subPath: save-snapshot.sh - name: snapshot-volume mountPath: /snapshots + {{- if .Values.disasterRecovery.pvc.subPath }} + subPath: {{ .Values.disasterRecovery.pvc.subPath }} + {{- end }} {{- if .Values.auth.client.secureTransport }} - name: certs mountPath: /opt/bitnami/etcd/certs/client @@ -77,13 +128,9 @@ spec: {{- if .Values.auth.client.secureTransport }} - name: certs secret: - secretName: {{ required "A secret containinig the client certificates is required" .Values.auth.client.existingSecret }} + secretName: {{ required "A secret containing the client certificates is required" (tpl .Values.auth.client.existingSecret .) }} defaultMode: 256 {{- end }} - - name: scripts - configMap: - name: {{ include "etcd.fullname" . }}-scripts - defaultMode: 0755 - name: snapshot-volume persistentVolumeClaim: claimName: {{ include "etcd.disasterRecovery.pvc.name" . }} diff --git a/helm-charts/etcd/templates/extra-list.yaml b/helm-charts/etcd/templates/extra-list.yaml new file mode 100644 index 00000000..9ac65f9e --- /dev/null +++ b/helm-charts/etcd/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/helm-charts/etcd/templates/networkpolicy.yaml b/helm-charts/etcd/templates/networkpolicy.yaml new file mode 100644 index 00000000..a2e333bb --- /dev/null +++ b/helm-charts/etcd/templates/networkpolicy.yaml @@ -0,0 +1,81 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + {{- if .Values.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 6 }} + {{- end }} + policyTypes: + - Ingress + - Egress + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to other cluster pods + - ports: + - port: {{ .Values.containerPorts.client }} + - port: {{ .Values.containerPorts.peer }} + to: + - podSelector: + matchLabels: {{- include "common.labels.standard" . | nindent 14 }} + {{- if .Values.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + ingress: + # Allow inbound connections + - ports: + - port: {{ .Values.containerPorts.client }} + - port: {{ .Values.containerPorts.peer }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + - podSelector: + matchLabels: {{- include "common.labels.standard" . | nindent 14 }} + {{- if .Values.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.metrics.enabled }} + # Allow prometheus scrapes for metrics + - ports: + - port: 2379 + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/helm-charts/etcd/templates/pdb.yaml b/helm-charts/etcd/templates/pdb.yaml index 245f8511..f0649288 100644 --- a/helm-charts/etcd/templates/pdb.yaml +++ b/helm-charts/etcd/templates/pdb.yaml @@ -1,9 +1,16 @@ -{{- if .Values.pdb.enabled }} -apiVersion: policy/v1beta1 +{{- if .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: - name: {{ template "etcd.fullname" . }} - labels: {{- include "etcd.labels" . | nindent 4 }} + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: {{- if .Values.pdb.minAvailable }} minAvailable: {{ .Values.pdb.minAvailable }} @@ -12,5 +19,5 @@ spec: maxUnavailable: {{ .Values.pdb.maxUnavailable }} {{- end }} selector: - matchLabels: {{- include "etcd.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} {{- end }} diff --git a/helm-charts/etcd/templates/podmonitor.yaml b/helm-charts/etcd/templates/podmonitor.yaml new file mode 100644 index 00000000..952e569b --- /dev/null +++ b/helm-charts/etcd/templates/podmonitor.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.metrics.enabled .Values.metrics.podMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ ternary .Values.metrics.podMonitor.namespace .Release.Namespace (not (empty .Values.metrics.podMonitor.namespace)) }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.metrics.podMonitor.additionalLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.podMonitor.additionalLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podMetricsEndpoints: + - port: client + path: /metrics + {{- if .Values.metrics.podMonitor.interval }} + interval: {{ .Values.metrics.podMonitor.interval }} + {{- end }} + {{- if .Values.metrics.podMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.podMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.podMonitor.scheme }} + scheme: {{ .Values.metrics.podMonitor.scheme }} + {{- end }} + {{- if .Values.metrics.podMonitor.tlsConfig }} + tlsConfig: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podMonitor.tlsConfig "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.podMonitor.relabelings }} + relabelings: + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.podMonitor.relabelings "context" $) | nindent 8 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/helm-charts/etcd/templates/prometheusrule.yaml b/helm-charts/etcd/templates/prometheusrule.yaml new file mode 100644 index 00000000..58a5594b --- /dev/null +++ b/helm-charts/etcd/templates/prometheusrule.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "common.names.fullname" . }} + {{- if .Values.metrics.prometheusRule.namespace }} + namespace: {{ .Values.metrics.prometheusRule.namespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.metrics.prometheusRule.additionalLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + groups: + - name: {{ include "common.names.fullname" . }} + rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 6 }} +{{- end }} diff --git a/helm-charts/etcd/templates/scripts-configmap.yaml b/helm-charts/etcd/templates/scripts-configmap.yaml deleted file mode 100644 index 22bf7010..00000000 --- a/helm-charts/etcd/templates/scripts-configmap.yaml +++ /dev/null @@ -1,291 +0,0 @@ -{{- $replicaCount := int .Values.statefulset.replicaCount }} -{{- $clientPort := int .Values.service.port }} -{{- $peerPort := int .Values.service.peerPort }} -{{- $etcdAuthOptions := include "etcd.authOptions" . }} -{{- $etcdFullname := include "etcd.fullname" . }} -{{- $releaseNamespace := .Release.Namespace }} -{{- $etcdHeadlessServiceName := printf "%s-%s" $etcdFullname "headless" }} -{{- $clusterDomain := .Values.clusterDomain }} -{{- $etcdPeerProtocol := include "etcd.peerProtocol" . }} -{{- $etcdClientProtocol := include "etcd.clientProtocol" . }} -{{- $initSnapshotFilename := .Values.startFromSnapshot.snapshotFilename }} -{{- $snapshotHistoryLimit := .Values.disasterRecovery.cronjob.snapshotHistoryLimit }} -{{- $endpoints := list }} -{{- range $e, $i := until $replicaCount }} -{{- $endpoints = append $endpoints (printf "%s-%d.%s.%s.svc.%s:%d" $etcdFullname $i $etcdHeadlessServiceName $releaseNamespace $clusterDomain $peerPort) }} -{{- end }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "etcd.fullname" . }}-scripts - labels: {{- include "etcd.labels" . | nindent 4 }} -data: - setup.sh: |- - #!/bin/bash - - set -o errexit - set -o pipefail - set -o nounset - - # Debug section - exec 3>&1 - exec 4>&2 - - if [[ "${BITNAMI_DEBUG:-false}" = true ]]; then - echo "==> Bash debug is on" - else - echo "==> Bash debug is off" - exec 1>/dev/null - exec 2>/dev/null - fi - - # Constants - HOSTNAME="$(hostname -s)" - AUTH_OPTIONS={{ $etcdAuthOptions | quote }} - export ETCDCTL_ENDPOINTS={{ join "," $endpoints | quote }} - export ROOT_PASSWORD="${ETCD_ROOT_PASSWORD:-}" - if [[ -n "${ETCD_ROOT_PASSWORD:-}" ]]; then - unset ETCD_ROOT_PASSWORD - fi - # Functions - ## Store member id for later member replacement - store_member_id() { - while ! etcdctl $AUTH_OPTIONS member list; do sleep 1; done - etcdctl $AUTH_OPTIONS member list | grep -w "$HOSTNAME" | awk '{ print $1}' | awk -F "," '{ print $1}' > "$ETCD_DATA_DIR/member_id" - echo "==> Stored member id: $(cat ${ETCD_DATA_DIR}/member_id)" 1>&3 2>&4 - exit 0 - } - ## Configure RBAC - configure_rbac() { - # When there's more than one replica, we can assume the 1st member - # to be created is "{{ $etcdFullname }}-0" since a statefulset is used - if [[ -n "${ROOT_PASSWORD:-}" ]] && [[ "$HOSTNAME" == "{{ $etcdFullname }}-0" ]]; then - echo "==> Configuring RBAC authentication!" 1>&3 2>&4 - etcd & - ETCD_PID=$! - while ! etcdctl $AUTH_OPTIONS member list; do sleep 1; done - echo "$ROOT_PASSWORD" | etcdctl $AUTH_OPTIONS user add root --interactive=false - etcdctl $AUTH_OPTIONS auth enable - kill "$ETCD_PID" - sleep 5 - fi - } - ## Checks whether there was a disaster or not - is_disastrous_failure() { - local endpoints_array=(${ETCDCTL_ENDPOINTS//,/ }) - local active_endpoints=0 - local -r min_endpoints=$((({{ $replicaCount }} + 1)/2)) - - for e in "${endpoints_array[@]}"; do - if [[ "$e" != "$ETCD_ADVERTISE_CLIENT_URLS" ]] && (unset -v ETCDCTL_ENDPOINTS; etcdctl $AUTH_OPTIONS endpoint health --endpoints="$e"); then - active_endpoints=$((active_endpoints + 1)) - fi - done -{{- if .Values.disasterRecovery.enabled }} - if [[ -f "/snapshots/.disaster_recovery" ]]; then - if [[ $active_endpoints -eq $(({{ $replicaCount }} - 1)) ]]; then - echo "==> I'm the last to recover from the disaster!" 1>&3 2>&4 - rm "/snapshots/.disaster_recovery" 1>&3 2>&4 - fi - true - else - if [[ $active_endpoints -lt $min_endpoints ]]; then - touch "/snapshots/.disaster_recovery" 1>&3 2>&4 - true - else - false - fi - fi -{{- else }} - if [[ $active_endpoints -lt $min_endpoints ]]; then - true - else - false - fi -{{- end }} - } - - ## Check whether the member was successfully removed from the cluster - should_add_new_member() { - return_value=0 - if (grep -E "^Member[[:space:]]+[a-z0-9]+\s+removed\s+from\s+cluster\s+[a-z0-9]+$" "$(dirname "$ETCD_DATA_DIR")/member_removal.log") || \ - ! ([[ -d "$ETCD_DATA_DIR/member/snap" ]] && [[ -f "$ETCD_DATA_DIR/member_id" ]]); then - rm -rf $ETCD_DATA_DIR/* 1>&3 2>&4 - else - return_value=1 - fi - rm -f "$(dirname "$ETCD_DATA_DIR")/member_removal.log" 1>&3 2>&4 - return $return_value - } - - if [[ ! -d "$ETCD_DATA_DIR" ]]; then - echo "==> Creating data dir..." 1>&3 2>&4 - echo "==> There is no data at all. Initializing a new member of the cluster..." 1>&3 2>&4 -{{- if .Values.startFromSnapshot.enabled }} - if [[ -f "/init-snapshot/{{ $initSnapshotFilename }}" ]]; then - echo "==> Initializing member by restoring etcd cluster from snapshot..." 1>&3 2>&4 - etcdctl snapshot restore /init-snapshot/{{ $initSnapshotFilename }} \ - {{- if gt $replicaCount 1 }} - --name $ETCD_NAME \ - --initial-cluster $ETCD_INITIAL_CLUSTER \ - --initial-cluster-token $ETCD_INITIAL_CLUSTER_TOKEN \ - --initial-advertise-peer-urls $ETCD_INITIAL_ADVERTISE_PEER_URLS \ - {{- end }} - --data-dir $ETCD_DATA_DIR 1>&3 2>&4 - store_member_id & 1>&3 2>&4 - else - echo "==> There was no snapshot to perform data recovery!!" 1>&3 2>&4 - exit 1 - fi -{{- else }} - store_member_id & 1>&3 2>&4 - configure_rbac -{{- end }} - else - echo "==> Detected data from previous deployments..." 1>&3 2>&4 - if [[ $(stat -c "%a" "$ETCD_DATA_DIR") != *700 ]]; then - echo "==> Setting data directory permissions to 700 in a recursive way (required in etcd >=3.4.10)" 1>&3 2>&4 - chmod -R 700 $ETCD_DATA_DIR - else - echo "==> The data directory is already configured with the proper permissions" 1>&3 2>&4 - fi - if [[ {{ $replicaCount }} -eq 1 ]]; then - echo "==> Single node cluster detected!!" 1>&3 2>&4 - elif is_disastrous_failure; then - echo "==> Cluster not responding!!" 1>&3 2>&4 -{{- if .Values.disasterRecovery.enabled }} - latest_snapshot_file="$(find /snapshots/ -maxdepth 1 -type f -name 'db-*' | sort | tail -n 1)" - if [[ "${latest_snapshot_file}" != "" ]]; then - echo "==> Restoring etcd cluster from snapshot..." 1>&3 2>&4 - - rm -rf $ETCD_DATA_DIR 1>&3 2>&4 - etcdctl snapshot restore "${latest_snapshot_file}" \ - --name $ETCD_NAME \ - --data-dir $ETCD_DATA_DIR \ - --initial-cluster $ETCD_INITIAL_CLUSTER \ - --initial-cluster-token $ETCD_INITIAL_CLUSTER_TOKEN \ - --initial-advertise-peer-urls $ETCD_INITIAL_ADVERTISE_PEER_URLS 1>&3 2>&4 - store_member_id & 1>&3 2>&4 - else - echo "==> There was no snapshot to perform data recovery!!" 1>&3 2>&4 - exit 1 - fi -{{- else }} - echo "==> Disaster recovery is disabled, the cluster will try to recover on it's own..." 1>&3 2>&4 -{{- end }} - elif should_add_new_member; then - echo "==> Adding new member to existing cluster..." 1>&3 2>&4 - etcdctl $AUTH_OPTIONS member add "$HOSTNAME" --peer-urls="{{ $etcdPeerProtocol }}://${HOSTNAME}.{{ $etcdHeadlessServiceName }}.{{ .Release.Namespace }}.svc.{{ $clusterDomain }}:{{ $peerPort }}" | grep "^ETCD_" > "$ETCD_DATA_DIR/new_member_envs" - sed -ie "s/^/export /" "$ETCD_DATA_DIR/new_member_envs" - echo "==> Loading env vars of existing cluster..." 1>&3 2>&4 - source "$ETCD_DATA_DIR/new_member_envs" 1>&3 2>&4 - store_member_id & 1>&3 2>&4 - else - echo "==> Updating member in existing cluster..." 1>&3 2>&4 - etcdctl $AUTH_OPTIONS member update "$(cat "$ETCD_DATA_DIR/member_id")" --peer-urls="{{ $etcdPeerProtocol }}://${HOSTNAME}.{{ $etcdHeadlessServiceName }}.{{ .Release.Namespace }}.svc.{{ $clusterDomain }}:{{ $peerPort }}" 1>&3 2>&4 - fi - fi - - {{- if .Values.configFileConfigMap }} - exec etcd --config-file /opt/bitnami/etcd/conf/etcd.conf.yml 1>&3 2>&4 - {{- else }} - exec etcd 1>&3 2>&4 - {{- end }} - prestop-hook.sh: |- - #!/bin/bash - - set -o errexit - set -o pipefail - set -o nounset - - # Debug section - exec 3>&1 - exec 4>&2 - - if [[ "${BITNAMI_DEBUG:-false}" = true ]]; then - echo "==> Bash debug is on" - else - echo "==> Bash debug is off" - exec 1>/dev/null - exec 2>/dev/null - fi - - # Constants - AUTH_OPTIONS={{ $etcdAuthOptions | quote }} - export ETCDCTL_ENDPOINTS={{ join "," $endpoints | quote }} - - etcdctl $AUTH_OPTIONS member remove --debug=true "$(cat "$ETCD_DATA_DIR/member_id")" > "$(dirname "$ETCD_DATA_DIR")/member_removal.log" 2>&1 - probes.sh: |- - #!/bin/bash - - set -o errexit - set -o pipefail - set -o nounset - - # Debug section - exec 3>&1 - exec 4>&2 - - if [[ "${BITNAMI_DEBUG:-false}" = true ]]; then - echo "==> Bash debug is on" - else - echo "==> Bash debug is off" - exec 1>/dev/null - exec 2>/dev/null - fi - - # Constants - AUTH_OPTIONS={{ $etcdAuthOptions | quote }} - - echo "==> [DEBUG] Probing etcd cluster" - echo "==> [DEBUG] Probe command: \"etcdctl $AUTH_OPTIONS endpoint health\"" - etcdctl $AUTH_OPTIONS endpoint health -{{- if .Values.disasterRecovery.enabled }} - save-snapshot.sh: |- - #!/bin/bash - - set -o errexit - set -o pipefail - set -o nounset - - # Debug section - exec 3>&1 - exec 4>&2 - - if [[ "${BITNAMI_SNAPSHOT_DEBUG:-false}" = true ]] || [[ "${BITNAMI_DEBUG:-false}" = true ]]; then - echo "==> Bash debug is on" - set -x - else - echo "==> Bash debug is off" - exec 1>/dev/null - exec 2>/dev/null - fi - - # Constants - AUTH_OPTIONS={{ $etcdAuthOptions | quote }} - export ETCDCTL_ENDPOINTS={{ join "," $endpoints | quote }} - - mkdir -p "/snapshots" 1>&3 2>&4 - - read -r -a endpoints <<< "$(tr ',;' ' ' <<< "$ETCDCTL_ENDPOINTS")" - for endp in "${endpoints[@]}"; do - echo "Using endpoint $endp" 1>&3 2>&4 - if (unset -v ETCDCTL_ENDPOINTS; etcdctl $AUTH_OPTIONS endpoint health --endpoints=${endp}); then - echo "Snapshotting the keyspace..." 1>&3 2>&4 - current_time="$(date -u "+%Y-%m-%d_%H-%M")" - unset -v ETCDCTL_ENDPOINTS; etcdctl $AUTH_OPTIONS snapshot save "/snapshots/db-${current_time}" --endpoints=${endp} 1>&3 2>&4 - find /snapshots/ -maxdepth 1 -type f -name 'db-*' \! -name "db-${current_time}" \ - | sort -r \ - | tail -n+$((1 + {{ $snapshotHistoryLimit }})) \ - | xargs rm -f 1>&3 2>&4 - exit 0 - else - echo "Warning - etcd endpoint ${ETCDCTL_ENDPOINTS} not healthy" 1>&3 2>&4 - echo "Trying another endpoint." 1>&3 2>&4 - fi - done - - # exit with error if all endpoints are bad - echo "Error - all etcd endpoints are unhealthy!" 1>&3 2>&4 - exit 1 -{{- end }} diff --git a/helm-charts/etcd/templates/secrets.yaml b/helm-charts/etcd/templates/secrets.yaml index d06f2ec4..ea46c28c 100644 --- a/helm-charts/etcd/templates/secrets.yaml +++ b/helm-charts/etcd/templates/secrets.yaml @@ -1,9 +1,16 @@ -{{- if and .Values.auth.rbac.enabled (not .Values.auth.rbac.existingSecret) -}} +{{- if and (or .Values.auth.rbac.create .Values.auth.rbac.enabled) (not .Values.auth.rbac.existingSecret) -}} apiVersion: v1 kind: Secret metadata: - name: {{ include "etcd.fullname" . }} - labels: {{- include "etcd.labels" . | nindent 4 }} + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} type: Opaque data: {{- if .Values.auth.rbac.rootPassword }} diff --git a/helm-charts/etcd/templates/serviceaccount.yaml b/helm-charts/etcd/templates/serviceaccount.yaml new file mode 100644 index 00000000..a5721db4 --- /dev/null +++ b/helm-charts/etcd/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ include "etcd.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.serviceAccount.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.labels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.serviceAccount.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/helm-charts/etcd/templates/servicemonitor.yaml b/helm-charts/etcd/templates/servicemonitor.yaml deleted file mode 100644 index caf5ebe3..00000000 --- a/helm-charts/etcd/templates/servicemonitor.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "etcd.fullname" . }} - {{- if .Values.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.metrics.serviceMonitor.namespace }} - {{- end }} - labels: {{- include "etcd.labels" . | nindent 4 }} - {{- range $key, $value := .Values.metrics.serviceMonitor.selector }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - selector: - matchLabels: {{- include "etcd.matchLabels" . | nindent 6 }} - endpoints: - - port: client - path: /metrics - {{- if .Values.metrics.serviceMonitor.interval }} - interval: {{ .Values.metrics.serviceMonitor.interval }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.relabelings }} - relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabelings | nindent 8 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.metricRelabelings }} - metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 8 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.scheme }} - scheme: {{ .Values.metrics.serviceMonitor.scheme }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.tlsConfig }} - tlsConfig: {{- toYaml .Values.metrics.serviceMonitor.tlsConfig | nindent 8 }} - {{- end }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} -{{- end }} diff --git a/helm-charts/etcd/templates/snapshot-pvc.yaml b/helm-charts/etcd/templates/snapshot-pvc.yaml index 8f03c426..2415b891 100644 --- a/helm-charts/etcd/templates/snapshot-pvc.yaml +++ b/helm-charts/etcd/templates/snapshot-pvc.yaml @@ -2,8 +2,15 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: - name: {{ include "etcd.fullname" . }}-snapshotter - labels: {{- include "etcd.labels" . | nindent 4 }} + name: {{ printf "%s-snapshotter" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: accessModes: - ReadWriteMany diff --git a/helm-charts/etcd/templates/statefulset.yaml b/helm-charts/etcd/templates/statefulset.yaml index c7c24d05..f276eb09 100644 --- a/helm-charts/etcd/templates/statefulset.yaml +++ b/helm-charts/etcd/templates/statefulset.yaml @@ -1,44 +1,48 @@ -apiVersion: apps/v1 +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} kind: StatefulSet metadata: - name: {{ include "etcd.fullname" . }} - labels: {{- include "etcd.labels" . | nindent 4 }} - {{- if .Values.statefulsetLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.statefulsetLabels "context" $) | nindent 4 }} + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: + replicas: {{ .Values.replicaCount }} selector: - matchLabels: {{- include "etcd.matchLabels" . | nindent 6 }} - serviceName: {{ include "etcd.fullname" . }}-headless - podManagementPolicy: {{ .Values.statefulset.podManagementPolicy }} - replicas: {{ .Values.statefulset.replicaCount }} - updateStrategy: - type: {{ .Values.statefulset.updateStrategy }} - {{- if (eq "Recreate" .Values.statefulset.updateStrategy) }} - rollingUpdate: null - {{- else if .Values.statefulset.rollingUpdatePartition }} - rollingUpdate: - partition: {{ .Values.statefulset.rollingUpdatePartition }} - {{- end }} + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + podManagementPolicy: {{ .Values.podManagementPolicy }} + updateStrategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }} template: metadata: - labels: {{- include "etcd.labels" . | nindent 8 }} + labels: {{- include "common.labels.standard" . | nindent 8 }} {{- if .Values.podLabels }} {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} {{- end }} - {{- if or .Values.podAnnotations (and .Values.metrics.enabled .Values.metrics.podAnnotations (not .Values.metrics.serviceMonitor.enabled)) }} annotations: {{- if .Values.podAnnotations }} - {{- include "etcd.tplValue" ( dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.podAnnotations "context" $) | nindent 8 }} {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations (not .Values.metrics.serviceMonitor.enabled) }} - {{- include "etcd.tplValue" ( dict "value" .Values.metrics.podAnnotations "context" $) | nindent 8 }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- if (include "etcd.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if (include "etcd.token.createSecret" .) }} + checksum/token-secret: {{ include (print $.Template.BasePath "/token-secrets.yaml") . | sha256sum }} {{- end }} - {{- end }} spec: -{{- include "etcd.imagePullSecrets" . | indent 6 }} + {{- include "etcd.imagePullSecrets" . | nindent 6 }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} {{- if .Values.affinity }} - affinity: {{- include "etcd.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} {{- else }} affinity: podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }} @@ -46,21 +50,39 @@ spec: nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} {{- end }} {{- if .Values.nodeSelector }} - nodeSelector: {{- include "etcd.tplValue" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} {{- end }} {{- if .Values.tolerations }} - tolerations: {{- include "etcd.tplValue" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} {{- end }} {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - runAsUser: {{ .Values.securityContext.runAsUser }} + {{- if .Values.runtimeClassName }} + runtimeClassName: {{ .Values.runtimeClassName }} {{- end }} - {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.shareProcessNamespace }} + shareProcessNamespace: {{ .Values.shareProcessNamespace }} + {{- end }} + serviceAccountName: {{ include "etcd.serviceAccountName" $ | quote }} + {{- if or .Values.initContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) }} initContainers: + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - name: volume-permissions image: {{ include "etcd.volumePermissions.image" . }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} @@ -68,48 +90,45 @@ spec: - /bin/bash - -ec - | - chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /bitnami/etcd + chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} /bitnami/etcd securityContext: runAsUser: 0 {{- if .Values.volumePermissions.resources }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.volumePermissions.resources "context" $) | nindent 12 }} {{- end }} volumeMounts: - name: data mountPath: /bitnami/etcd + {{- end }} {{- end }} containers: - # Variables to populate static cluster - {{- $replicaCount := int .Values.statefulset.replicaCount }} - {{- $clientPort := int .Values.service.port }} - {{- $peerPort := int .Values.service.peerPort }} - {{- $etcdFullname := include "etcd.fullname" . }} + {{- $replicaCount := int .Values.replicaCount }} + {{- $peerPort := int .Values.containerPorts.peer }} + {{- $etcdFullname := include "common.names.fullname" . }} {{- $releaseNamespace := .Release.Namespace }} - {{- $etcdHeadlessServiceName := printf "%s-%s" $etcdFullname "headless" }} + {{- $etcdHeadlessServiceName := (printf "%s-%s" $etcdFullname "headless" | trunc 63 | trimSuffix "-") }} {{- $clusterDomain := .Values.clusterDomain }} {{- $etcdPeerProtocol := include "etcd.peerProtocol" . }} {{- $etcdClientProtocol := include "etcd.clientProtocol" . }} - name: etcd image: {{ include "etcd.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - command: - - /scripts/setup.sh - lifecycle: - preStop: - exec: - command: - - /scripts/prestop-hook.sh - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} {{- end }} - {{- if .Values.envVarsConfigMap }} - envFrom: - - configMapRef: - name: {{ include "etcd.envVarsCM" . }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} {{- end }} env: - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" .Values.image.debug | quote }} + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - name: MY_POD_IP valueFrom: fieldRef: @@ -118,20 +137,55 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: MY_STS_NAME + value: {{ include "common.names.fullname" . | quote }} - name: ETCDCTL_API value: "3" + - name: ETCD_ON_K8S + value: "yes" + - name: ETCD_START_FROM_SNAPSHOT + value: {{ ternary "yes" "no" .Values.startFromSnapshot.enabled | quote }} + - name: ETCD_DISASTER_RECOVERY + value: {{ ternary "yes" "no" .Values.disasterRecovery.enabled | quote }} - name: ETCD_NAME value: "$(MY_POD_NAME)" - name: ETCD_DATA_DIR - value: /bitnami/etcd/data + value: "/bitnami/etcd/data" + - name: ETCD_LOG_LEVEL + value: {{ ternary "debug" .Values.logLevel .Values.image.debug | quote }} + - name: ALLOW_NONE_AUTHENTICATION + value: {{ ternary "yes" "no" (and (not (or .Values.auth.rbac.create .Values.auth.rbac.enabled)) .Values.auth.rbac.allowNoneAuthentication) | quote }} + {{- if or .Values.auth.rbac.create .Values.auth.rbac.enabled }} + - name: ETCD_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "etcd.secretName" . }} + key: {{ include "etcd.secretPasswordKey" . }} + {{- end }} + {{- if .Values.auth.token.enabled }} + - name: ETCD_AUTH_TOKEN + {{- if eq .Values.auth.token.type "jwt" }} + value: {{ printf "jwt,priv-key=/opt/bitnami/etcd/certs/token/%s,sign-method=%s,ttl=%s" .Values.auth.token.privateKey.filename .Values.auth.token.signMethod .Values.auth.token.ttl | quote }} + {{- else if eq .Values.auth.token.type "simple" }} + value: "simple" + {{- end }} + {{- end }} - name: ETCD_ADVERTISE_CLIENT_URLS - value: "{{ $etcdClientProtocol }}://$(MY_POD_NAME).{{ $etcdHeadlessServiceName }}.{{ .Release.Namespace }}.svc.{{ $clusterDomain }}:{{ .Values.service.port }}" + value: "{{ $etcdClientProtocol }}://$(MY_POD_NAME).{{ $etcdHeadlessServiceName }}.{{ .Release.Namespace }}.svc.{{ $clusterDomain }}:{{ .Values.containerPorts.client }},{{ $etcdClientProtocol }}://{{ $etcdFullname }}.{{ .Release.Namespace }}.svc.{{ $clusterDomain }}:{{ coalesce .Values.service.ports.client .Values.service.port }}" - name: ETCD_LISTEN_CLIENT_URLS - value: "{{ $etcdClientProtocol }}://0.0.0.0:{{ .Values.service.port }}" + value: "{{ $etcdClientProtocol }}://0.0.0.0:{{ .Values.containerPorts.client }}" - name: ETCD_INITIAL_ADVERTISE_PEER_URLS - value: "{{ $etcdPeerProtocol }}://$(MY_POD_NAME).{{ $etcdHeadlessServiceName }}.{{ .Release.Namespace }}.svc.{{ $clusterDomain }}:{{ .Values.service.peerPort }}" + value: "{{ $etcdPeerProtocol }}://$(MY_POD_NAME).{{ $etcdHeadlessServiceName }}.{{ .Release.Namespace }}.svc.{{ $clusterDomain }}:{{ .Values.containerPorts.peer }}" - name: ETCD_LISTEN_PEER_URLS - value: "{{ $etcdPeerProtocol }}://0.0.0.0:{{ .Values.service.peerPort }}" + value: "{{ $etcdPeerProtocol }}://0.0.0.0:{{ .Values.containerPorts.peer }}" + {{- if .Values.autoCompactionMode }} + - name: ETCD_AUTO_COMPACTION_MODE + value: {{ .Values.autoCompactionMode | quote }} + {{- end }} + {{- if .Values.autoCompactionRetention }} + - name: ETCD_AUTO_COMPACTION_RETENTION + value: {{ .Values.autoCompactionRetention | quote }} + {{- end }} {{- if .Values.maxProcs }} - name: GOMAXPROCS value: {{ .Values.maxProcs }} @@ -140,13 +194,7 @@ spec: - name: ETCD_INITIAL_CLUSTER_TOKEN value: "etcd-cluster-k8s" - name: ETCD_INITIAL_CLUSTER_STATE - {{- if not (empty .Values.etcd.initialClusterState) }} - value: {{ .Values.etcd.initialClusterState | quote }} - {{- else if .Release.IsInstall }} - value: "new" - {{- else }} - value: "existing" - {{- end }} + value: {{ default (ternary "new" "existing" .Release.IsInstall) .Values.initialClusterState | quote }} {{- $initialCluster := list }} {{- range $e, $i := until $replicaCount }} {{- $initialCluster = append $initialCluster (printf "%s-%d=%s://%s-%d.%s.%s.svc.%s:%d" $etcdFullname $i $etcdPeerProtocol $etcdFullname $i $etcdHeadlessServiceName $releaseNamespace $clusterDomain $peerPort) }} @@ -154,15 +202,8 @@ spec: - name: ETCD_INITIAL_CLUSTER value: {{ join "," $initialCluster | quote }} {{- end }} - - name: ALLOW_NONE_AUTHENTICATION - value: {{ ternary "yes" "no" (or .Values.auth.rbac.enabled .Values.allowNoneAuthentication) | quote }} - {{- if .Values.auth.rbac.enabled }} - - name: ETCD_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ if .Values.auth.rbac.existingSecret }}{{ .Values.auth.rbac.existingSecret }}{{ else }}{{ include "etcd.fullname" . }}{{ end }} - key: etcd-root-password - {{- end }} + - name: ETCD_CLUSTER_DOMAIN + value: {{ printf "%s.%s.svc.%s" $etcdHeadlessServiceName $releaseNamespace $clusterDomain | quote }} {{- if and .Values.auth.client.secureTransport .Values.auth.client.useAutoTLS }} - name: ETCD_AUTO_TLS value: "true" @@ -175,10 +216,10 @@ spec: - name: ETCD_CLIENT_CERT_AUTH value: "true" - name: ETCD_TRUSTED_CA_FILE - value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt"}}" + value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt" }}" {{- else if .Values.auth.client.caFilename }} - name: ETCD_TRUSTED_CA_FILE - value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt"}}" + value: "/opt/bitnami/etcd/certs/client/{{ .Values.auth.client.caFilename | default "ca.crt" }}" {{- end }} {{- end }} {{- if and .Values.auth.peer.secureTransport .Values.auth.peer.useAutoTLS }} @@ -193,60 +234,110 @@ spec: - name: ETCD_PEER_CLIENT_CERT_AUTH value: "true" - name: ETCD_PEER_TRUSTED_CA_FILE - value: "/opt/bitnami/etcd/certs/peer/{{ .Values.auth.peer.caFilename | default "ca.crt"}}" + value: "/opt/bitnami/etcd/certs/peer/{{ .Values.auth.peer.caFilename | default "ca.crt" }}" {{- else if .Values.auth.peer.caFilename }} - name: ETCD_PEER_TRUSTED_CA_FILE - value: "/opt/bitnami/etcd/certs/peer/{{ .Values.auth.peer.caFilename | default "ca.crt"}}" + value: "/opt/bitnami/etcd/certs/peer/{{ .Values.auth.peer.caFilename | default "ca.crt" }}" + {{- end }} + {{- end }} + {{- if .Values.startFromSnapshot.enabled }} + - name: ETCD_INIT_SNAPSHOT_FILENAME + value: {{ .Values.startFromSnapshot.snapshotFilename | quote }} + - name: ETCD_INIT_SNAPSHOTS_DIR + value: {{ ternary "/snapshots" "/init-snapshot" (and .Values.disasterRecovery.enabled (not .Values.disasterRecovery.pvc.existingClaim)) | quote }} + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} {{- end }} ports: - name: client - containerPort: 2379 + containerPort: {{ .Values.containerPorts.client }} + protocol: TCP - name: peer - containerPort: 2380 - {{- if .Values.livenessProbe.enabled }} + containerPort: {{ .Values.containerPorts.peer }} + protocol: TCP + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} livenessProbe: exec: command: - - /scripts/probes.sh + - /opt/bitnami/scripts/etcd/healthcheck.sh initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.livenessProbe.periodSeconds }} timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} successThreshold: {{ .Values.livenessProbe.successThreshold }} failureThreshold: {{ .Values.livenessProbe.failureThreshold }} {{- end }} - {{- if .Values.readinessProbe.enabled }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} readinessProbe: exec: command: - - /scripts/probes.sh + - /opt/bitnami/scripts/etcd/healthcheck.sh initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.readinessProbe.periodSeconds }} timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} successThreshold: {{ .Values.readinessProbe.successThreshold }} failureThreshold: {{ .Values.readinessProbe.failureThreshold }} {{- end }} + {{- if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.startupProbe.enabled }} + startupProbe: + exec: + command: + - /opt/bitnami/scripts/etcd/healthcheck.sh + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.startupProbe.successThreshold }} + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- else if and (gt $replicaCount 1) .Values.removeMemberOnContainerTermination }} + lifecycle: + preStop: + exec: + command: + - /opt/bitnami/scripts/etcd/prestop.sh + {{- end }} + {{- end }} + {{- if .Values.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }} + {{- end }} volumeMounts: - - name: scripts - mountPath: /scripts/setup.sh - subPath: setup.sh - - name: scripts - mountPath: /scripts/prestop-hook.sh - subPath: prestop-hook.sh - - name: scripts - mountPath: /scripts/probes.sh - subPath: probes.sh - name: data mountPath: /bitnami/etcd - {{- if .Values.startFromSnapshot.enabled }} + {{- if and (eq .Values.auth.token.enabled true) (eq .Values.auth.token.type "jwt") }} + - name: etcd-jwt-token + mountPath: /opt/bitnami/etcd/certs/token/ + readOnly: true + {{- end }} + {{- if or (and .Values.startFromSnapshot.enabled (not .Values.disasterRecovery.enabled)) (and .Values.disasterRecovery.enabled .Values.startFromSnapshot.enabled .Values.disasterRecovery.pvc.existingClaim) }} - name: init-snapshot-volume mountPath: /init-snapshot {{- end }} - {{- if .Values.disasterRecovery.enabled }} + {{- if or .Values.disasterRecovery.enabled (and .Values.disasterRecovery.enabled .Values.startFromSnapshot.enabled) }} - name: snapshot-volume mountPath: /snapshots + {{- if .Values.disasterRecovery.pvc.subPath }} + subPath: {{ .Values.disasterRecovery.pvc.subPath }} + {{- end }} {{- end }} - {{- if .Values.configFileConfigMap }} + {{- if or .Values.configuration .Values.existingConfigmap }} - name: etcd-config mountPath: /opt/bitnami/etcd/conf/ {{- end }} @@ -260,47 +351,66 @@ spec: mountPath: /opt/bitnami/etcd/certs/peer/ readOnly: true {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} volumes: - - name: scripts - configMap: - name: {{ include "etcd.fullname" . }}-scripts - defaultMode: 0755 - {{- if .Values.startFromSnapshot.enabled }} + {{- if and (eq .Values.auth.token.enabled true) (eq .Values.auth.token.type "jwt") }} + - name: etcd-jwt-token + secret: + secretName: {{ include "etcd.token.secretName" . }} + defaultMode: 256 + {{- end }} + {{- if or (and .Values.startFromSnapshot.enabled (not .Values.disasterRecovery.enabled)) (and .Values.disasterRecovery.enabled .Values.startFromSnapshot.enabled .Values.disasterRecovery.pvc.existingClaim) }} - name: init-snapshot-volume persistentVolumeClaim: claimName: {{ .Values.startFromSnapshot.existingClaim }} {{- end }} - {{- if .Values.disasterRecovery.enabled }} + {{- if or .Values.disasterRecovery.enabled (and .Values.disasterRecovery.enabled .Values.startFromSnapshot.enabled) }} - name: snapshot-volume persistentVolumeClaim: claimName: {{ include "etcd.disasterRecovery.pvc.name" . }} {{- end }} - {{- if .Values.configFileConfigMap }} + {{- if or .Values.configuration .Values.existingConfigmap }} - name: etcd-config configMap: - name: {{ include "etcd.configFileCM" . }} + name: {{ include "etcd.configmapName" . }} {{- end }} {{- if or .Values.auth.client.enableAuthentication (and .Values.auth.client.secureTransport (not .Values.auth.client.useAutoTLS )) }} - name: etcd-client-certs secret: - secretName: {{ required "A secret containinig the client certificates is required" .Values.auth.client.existingSecret }} + secretName: {{ required "A secret containing the client certificates is required" (tpl .Values.auth.client.existingSecret .) }} defaultMode: 256 {{- end }} {{- if or .Values.auth.peer.enableAuthentication (and .Values.auth.peer.secureTransport (not .Values.auth.peer.useAutoTLS )) }} - name: etcd-peer-certs secret: - secretName: {{ required "A secret containinig the peer certificates is required" .Values.auth.peer.existingSecret }} + secretName: {{ required "A secret containing the peer certificates is required" (tpl .Values.auth.peer.existingSecret .) }} defaultMode: 256 {{- end }} -{{- if not .Values.persistence.enabled }} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if not .Values.persistence.enabled }} - name: data emptyDir: {} -{{- else }} + {{- else }} + {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} volumeClaimTemplates: - metadata: name: data {{- if .Values.persistence.annotations }} - annotations: {{- include "etcd.tplValue" ( dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.persistence.labels }} + labels: {{- include "common.tplvalues.render" ( dict "value" .Values.persistence.labels "context" $) | nindent 10 }} {{- end }} spec: accessModes: @@ -310,8 +420,8 @@ spec: resources: requests: storage: {{ .Values.persistence.size | quote }} - {{ include "etcd.storageClass" . }} {{- if .Values.persistence.selector }} - selector: {{- include "etcd.tplValue" ( dict "value" .Values.persistence.selector "context" $) | nindent 10 }} + selector: {{- include "common.tplvalues.render" ( dict "value" .Values.persistence.selector "context" $) | nindent 10 }} {{- end }} -{{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- end }} diff --git a/helm-charts/etcd/templates/svc-headless.yaml b/helm-charts/etcd/templates/svc-headless.yaml index 198d26f0..0d4df3e0 100644 --- a/helm-charts/etcd/templates/svc-headless.yaml +++ b/helm-charts/etcd/templates/svc-headless.yaml @@ -1,35 +1,45 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "etcd.fullname" . }}-headless - labels: {{- include "etcd.labels" . | nindent 4 }} + name: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + {{- if .Values.service.headless.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.headless.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }} + {{- end }} spec: type: ClusterIP clusterIP: None publishNotReadyAddresses: true ports: - {{- if .Values.auth.client.clientPortNameOverride }} + {{- if .Values.service.clientPortNameOverride }} {{- if .Values.auth.client.secureTransport }} - name: {{ .Values.service.clientPortNameOverride }}-ssl - {{- else}} + {{- else }} - name: {{ .Values.service.clientPortNameOverride }} {{- end }} - {{- else}} - - name: "client" + {{- else }} + - name: client {{- end }} - port: {{ .Values.service.port }} + port: {{ .Values.containerPorts.client }} targetPort: client - {{- if .Values.auth.client.peerPortNameOverride }} + {{- if .Values.service.peerPortNameOverride }} {{- if .Values.auth.peer.secureTransport }} - name: {{ .Values.service.peerPortNameOverride }}-ssl - {{- else}} + {{- else }} - name: {{ .Values.service.peerPortNameOverride }} {{- end }} - {{- else}} - - name: "peer" + {{- else }} + - name: peer {{- end }} - port: {{ .Values.service.peerPort }} + port: {{ .Values.containerPorts.peer }} targetPort: peer - selector: {{- include "etcd.matchLabels" . | nindent 4 }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} diff --git a/helm-charts/etcd/templates/svc.yaml b/helm-charts/etcd/templates/svc.yaml index 3875fd59..abefe141 100644 --- a/helm-charts/etcd/templates/svc.yaml +++ b/helm-charts/etcd/templates/svc.yaml @@ -1,42 +1,62 @@ +{{- if .Values.service.enabled }} apiVersion: v1 kind: Service metadata: - name: {{ include "etcd.fullname" . }} - labels: {{- include "etcd.labels" . | nindent 4 }} - {{- if .Values.service.annotations }} - annotations: {{- include "etcd.tplValue" ( dict "value" .Values.service.annotations "context" $) | nindent 4 }} - {{- end }} + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.service.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: type: {{ .Values.service.type }} + {{- if .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }} loadBalancerIP: {{ .Values.service.loadBalancerIP }} {{- end }} {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges)) }} loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} + {{- if .Values.service.externalIPs }} + externalIPs: {{- toYaml .Values.service.externalIPs | nindent 4 }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} ports: - {{- if .Values.auth.client.clientPortNameOverride }} - - name: {{ .Values.service.clientPortNameOverride }} - {{- else }} - - name: "client" - {{- end }} - port: {{ .Values.service.port }} + - name: {{ default "client" .Values.service.clientPortNameOverride | quote }} + port: {{ coalesce .Values.service.ports.client .Values.service.port }} targetPort: client - {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.clientPort)) }} - nodePort: {{ .Values.service.nodePorts.clientPort }} + {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty (coalesce .Values.service.nodePorts.client .Values.service.nodePorts.clientPort))) }} + nodePort: {{ coalesce .Values.service.nodePorts.client .Values.service.nodePorts.clientPort }} {{- else if eq .Values.service.type "ClusterIP" }} nodePort: null {{- end }} - {{- if .Values.auth.client.peerPortNameOverride }} - - name: {{ .Values.service.peerPortNameOverride }} - {{- else }} - - name: "peer" - {{- end }} - port: {{ .Values.service.peerPort }} + - name: {{ default "peer" .Values.service.peerPortNameOverride | quote }} + port: {{ coalesce .Values.service.ports.peer .Values.service.peerPort }} targetPort: peer - {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.peerPort)) }} - nodePort: {{ .Values.service.nodePorts.peerPort }} + {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty (coalesce .Values.service.nodePorts.peer .Values.service.nodePorts.peerPort))) }} + nodePort: {{ coalesce .Values.service.nodePorts.peer .Values.service.nodePorts.peerPort }} {{- else if eq .Values.service.type "ClusterIP" }} nodePort: null {{- end }} - selector: {{- include "etcd.matchLabels" . | nindent 4 }} + {{- if .Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} +{{- end }} diff --git a/helm-charts/etcd/templates/token-secrets.yaml b/helm-charts/etcd/templates/token-secrets.yaml new file mode 100644 index 00000000..c0246fba --- /dev/null +++ b/helm-charts/etcd/templates/token-secrets.yaml @@ -0,0 +1,14 @@ +{{- if (include "etcd.token.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-jwt-token" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + jwt-token.pem: {{ include "etcd.token.jwtToken" . | b64enc | quote }} +{{- end }} diff --git a/helm-charts/etcd/values-production.yaml b/helm-charts/etcd/values-production.yaml deleted file mode 100644 index 60ca2a0d..00000000 --- a/helm-charts/etcd/values-production.yaml +++ /dev/null @@ -1,472 +0,0 @@ -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry and imagePullSecrets -## -# global: -# imageRegistry: myRegistryName -# imagePullSecrets: -# - myRegistryKeySecretName -# storageClass: myStorageClass - -## Bitnami etcd image version -## ref: https://hub.docker.com/r/bitnami/etcd/tags/ -## -image: - registry: docker.io - repository: bitnami/etcd - tag: 3.4.14-debian-10-r0 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - - ## Set to true if you would like to see extra information on logs - ## It turns BASH and NAMI debugging in minideb and in etcd pod scripts - ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging - debug: false - -## String to partially override etcd.fullname template (will maintain the release name) -## -# nameOverride: - -## String to fully override etcd.fullname template -## -# fullnameOverride: - -## Init containers parameters: -## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. -## -volumePermissions: - enabled: false - image: - registry: docker.io - repository: bitnami/minideb - tag: buster - pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Init container' resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - ## - resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: {} - # cpu: 100m - # memory: 128Mi - requests: {} - # cpu: 100m - # memory: 128Mi - -## Statefulset parameters -## -statefulset: - ## Number of replicas - ## - replicaCount: 3 - ## Update strategy, can be set to RollingUpdate or OnDelete by default. - ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets - ## - updateStrategy: RollingUpdate - ## Partition update strategy - ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions - ## - # rollingUpdatePartition: - ## Pod management policy - ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies - ## - podManagementPolicy: Parallel - -## ConfigMap that includes the etcd.conf.yml file -## -# configFileConfigMap: - -## ConfigMap that includes extra environment variables -## -# envVarsConfigMap: - -## Allow to use etcd without configuring RBAC authentication -## -allowNoneAuthentication: true - -## Limits the number of operating system threads that can execute user-level -## Go code simultaneously by setting GOMAXPROCS environment variable -## ref: https://golang.org/pkg/runtime -## -# maxProcs: - -## Authentication parameteres -## https://github.com/bitnami/bitnami-docker-etcd#security -## -auth: - rbac: - enabled: true - ## etcd root user password. The root user is always `root` - ## - # rootPassword: - ## Name of the existing secret containing credentials for the root user. - ## - # existingSecret: name-of-existing-secret - - client: - ## Switch to encrypt client communication using TLS certificates - ## - secureTransport: true - ## Switch to automatically create the TLS certificates - ## - useAutoTLS: false - ## Switch to enable host authentication using TLS certificates. Requires existing secret. - ## - enableAuthentication: true - ## Name of the existing secret containing cert files for client communication. - ## - # existingSecret: name-of-existing-secret - ## Name of the file containing the client certificate. - ## - certFilename: cert.pem - ## Name of the file containing the client certificate private key. - ## - certKeyFilename: key.pem - ## Name of the file containing the client CA certificate. - ## If not specified and `enableAuthentication: true` or `rbac.enabled: true`, the default is is `ca.crt`. - ## - caFilename: "" - - peer: - ## Switch to encrypt peer communication using TLS certificates - ## - secureTransport: true - ## Switch to automatically create the TLS certificates - ## - useAutoTLS: true - ## Switch to enable host authentication using TLS certificates. Requires existing secret. - ## - enableAuthentication: false - ## Name of the existing secret containing cert files for peer communication. - ## - # existingSecret: name-of-existing-secret - certFilename: cert.pem - ## Name of the file containing the peer certificate private key. - ## - certKeyFilename: key.pem - ## Name of the file containing the peer CA certificate. - ## If not specified and `enableAuthentication: true` or `rbac.enabled: true`, the default is is `ca.crt`. - ## - caFilename: "" - -## Kubernetes Security Context -## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -## -securityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 - -## Kubernetes Cluster Domain -## -clusterDomain: cluster.local - -## etcd variables -## -etcd: - ## Initial cluster state. Allowed values: 'new' or 'existing' - ## If this values is not set, the default values below are set: - ## - 'new': when installing the chart ('helm install ...') - ## - 'existing': when upgrading the chart ('helm upgrade ...') - ## - initialClusterState: "" - -## Service parameters -## -service: - ## K8s service type - ## - type: ClusterIP - ## etcd client port - ## - port: 2379 - ## etcd client port name override - ## - clientPortNameOverride: "" - ## etcd peer port - ## - peerPort: 2380 - ## etcd peer port name override - ## - peerPortNameOverride: "" - ## Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - clientPort: "" - peerPort: "" - ## Set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - # loadBalancerIP: - # loadBalancerSourceRanges: ["10.0.0.0/8"] - ## Provide any additional annotations which may be required. This can be used to - ## set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - annotations: {} - -## Enable persistence using Persistent Volume Claims -## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ -## -persistence: - ## If true, use a Persistent Volume Claim, If false, use emptyDir - ## - enabled: true - ## Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - ## Persistent Volume Claim annotations - ## - annotations: {} - ## Persistent Volume Access Mode - ## - accessModes: - - ReadWriteOnce - ## Persistent Volume size - ## - size: 8Gi - ## Persistent Volume selector - ## Can specify a label selector to further filter the set of volumes. - ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector - selector: {} - -## Define a disruption budget -## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ -## -pdb: - enabled: false - # minAvailable: 1 - # maxUnavailable: 1 - -## Etcd containers' resource requests and limits -## ref: http://kubernetes.io/docs/user-guide/compute-resources/ -## -resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: {} - # cpu: 500m - # memory: 1Gi - requests: {} - # cpu: 250m - # memory: 256Mi - -## Etcd containers' liveness and readiness probes -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes -## -livenessProbe: - enabled: true - initialDelaySeconds: 60 - periodSeconds: 30 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 -readinessProbe: - enabled: true - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - -## Statefulset labels. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -## -statefulsetLabels: {} - -## Pod annotations -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -## -podAnnotations: {} - -## Pod labels. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -## -podLabels: {} - -## Pod affinity preset -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## Allowed values: soft, hard -## -podAffinityPreset: "" - -## Pod anti-affinity preset -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## Allowed values: soft, hard -## -podAntiAffinityPreset: soft - -## Node affinity preset -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -## Allowed values: soft, hard -## -nodeAffinityPreset: - ## Node affinity type - ## Allowed values: soft, hard - type: "" - ## Node label key to match - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## Node label values to match - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - -## Affinity for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set -## -affinity: {} - -## Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ -## -nodeSelector: {} - -## Tolerations for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -## -tolerations: [] - -## Name of the priority class to be used by etcd pods, priority class needs to be created beforehand -## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ -priorityClassName: "" - -## Etcd Prometheus exporter configuration -## -metrics: - enabled: true - podAnnotations: - prometheus.io/scrape: "true" - prometheus.io/port: "2379" - - ## Prometheus Operator ServiceMonitor configuration - ## - serviceMonitor: - enabled: false - ## Namespace in which Prometheus is running - ## - # namespace: monitoring - - ## Interval at which metrics should be scraped. - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - # interval: 10s - - ## MetricRelabelConfigs to apply to samples before ingestion - ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint - ## - # metricRelabelings: [] - - ## RelabelConfigs to apply to samples before ingestion - ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint - ## - # relabelings: [] - - ## HTTP scheme to use for scraping. - ## - # scheme: "" - - ## Timeout after which the scrape is ended - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - # scrapeTimeout: 10s - - ## ServiceMonitor selector labels - ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration - ## - - # selector: - # prometheus: my-prometheus - ## TLS configuration for the endpoints to be scraped. - ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#tlsconfig - # tlsConfig: - # ca: - # secret: - # name: existingSecretName - -## Start a new etcd cluster recovering the data from an existing snaptshot before -## initializing the members -## -startFromSnapshot: - enabled: false - ## Existingn PVC containing the etcd snapshot - ## - # existingClaim - ## Snapshot filename - ## - # snapshotFilename - -## Enable auto disaster recovery by periodically snapshotting the keyspace -## - It creates a cronjob to periodically snapshotting the keyspace -## - It also creates a ReadWriteMany PVC to store the snapshots -## If the cluster permanently loses more than (N-1)/2 members, it tries to recover -## the cluster from a previous snapshot. -## -disasterRecovery: - enabled: false - ## Set to true if you would like to see extra information on logs for snapshotting - debug: false - cronjob: - ## Schedule in Cron format to save snapshots - ## See https://en.wikipedia.org/wiki/Cron - ## - schedule: "*/30 * * * *" - ## Number of successful finished jobs to retain - ## - historyLimit: 1 - ## Number of etcd snapshots to retain, tagged with date - ## - snapshotHistoryLimit: 1 - ## Pod annotations - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## Configure resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - ## - # resources: - pvc: - ## A manually managed Persistent Volume and Claim - ## If defined, PVC must be created manually before volume will be bound - ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart - ## - # existingClaim: - - ## PVC Storage Request - ## - size: 2Gi - ## storageClassName, choose a storageClassName with ReadWriteMany support - ## - storageClassName: nfs diff --git a/helm-charts/etcd/values.yaml b/helm-charts/etcd/values.yaml index 6681ca95..d657ac1b 100644 --- a/helm-charts/etcd/values.yaml +++ b/helm-charts/etcd/values.yaml @@ -1,286 +1,331 @@ +## @section Global parameters ## Global Docker image parameters ## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass ## -# global: -# imageRegistry: myRegistryName -# imagePullSecrets: -# - myRegistryKeySecretName -# storageClass: myStorageClass -## Bitnami etcd image version -## ref: https://hub.docker.com/r/bitnami/etcd/tags/ +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets [array] Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) ## -image: - registry: docker.io - repository: bitnami/etcd - tag: 3.4.14-debian-10-r0 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName ## - # pullSecrets: - # - myRegistryKeySecretName - - ## Set to true if you would like to see extra information on logs - ## It turns BASH and NAMI debugging in minideb and in etcd pod scripts - ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging - debug: false + imagePullSecrets: [] + storageClass: "" -## String to partially override etcd.fullname template (will maintain the release name) +## @section Common parameters ## -# nameOverride: -## String to fully override etcd.fullname template +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) ## -# fullnameOverride: - -## Init containers parameters: -## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname template (will maintain the release name) ## -volumePermissions: - enabled: false - image: - registry: docker.io - repository: bitnami/minideb - tag: buster - pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Init container' resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - ## - resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: {} - # cpu: 100m - # memory: 128Mi - requests: {} - # cpu: 100m - # memory: 128Mi +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname template +## +fullnameOverride: "" +## @param commonLabels [object] Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations [object] Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param clusterDomain Default Kubernetes cluster domain +## +clusterDomain: cluster.local +## @param extraDeploy [array] Array of extra objects to deploy with the release +## +extraDeploy: [] -## Statefulset parameters +## Enable diagnostic mode in the deployment ## -statefulset: - ## Number of replicas - ## - replicaCount: 1 - ## Update strategy, can be set to RollingUpdate or OnDelete by default. - ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) ## - updateStrategy: RollingUpdate - ## Partition update strategy - ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment ## - # rollingUpdatePartition: - ## Pod management policy - ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment ## - podManagementPolicy: Parallel - -## ConfigMap that includes the etcd.conf.yml file -## -# configFileConfigMap: - -## ConfigMap that includes extra environment variables -## -# envVarsConfigMap: + args: + - infinity -## Allow to use etcd without configuring RBAC authentication +## @section etcd parameters ## -allowNoneAuthentication: true -## Limits the number of operating system threads that can execute user-level -## Go code simultaneously by setting GOMAXPROCS environment variable -## ref: https://golang.org/pkg/runtime +## Bitnami etcd image version +## ref: https://hub.docker.com/r/bitnami/etcd/tags/ +## @param image.registry etcd image registry +## @param image.repository etcd image name +## @param image.tag etcd image tag +## @param image.digest etcd image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## -# maxProcs: - -## Authentication parameteres -## https://github.com/bitnami/bitnami-docker-etcd#security +image: + registry: docker.io + repository: bitnami/etcd + tag: 3.5.9-debian-11-r4 + digest: "" + ## @param image.pullPolicy etcd image pull policy + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## @param image.pullSecrets [array] etcd image pull secrets + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param image.debug Enable image debug mode + ## Set to true if you would like to see extra information on logs + ## + debug: false +## Authentication parameters ## auth: + ## Role-based access control parameters + ## ref: https://etcd.io/docs/current/op-guide/authentication/ + ## rbac: - enabled: true - ## etcd root user password. The root user is always `root` + ## @param auth.rbac.create Switch to enable RBAC authentication ## - # rootPassword: - ## Name of the existing secret containing credentials for the root user. + create: true + ## @param auth.rbac.allowNoneAuthentication Allow to use etcd without configuring RBAC authentication ## - # existingSecret: name-of-existing-secret - + allowNoneAuthentication: true + ## @param auth.rbac.rootPassword Root user password. The root user is always `root` + ## + rootPassword: "" + ## @param auth.rbac.existingSecret Name of the existing secret containing credentials for the root user + ## + existingSecret: "" + ## @param auth.rbac.existingSecretPasswordKey Name of key containing password to be retrieved from the existing secret + ## + existingSecretPasswordKey: "" + ## Authentication token + ## ref: https://etcd.io/docs/latest/learning/design-auth-v3/#two-types-of-tokens-simple-and-jwt + ## + token: + ## @param auth.token.enabled Enables token authentication + ## + enabled: true + ## @param auth.token.type Authentication token type. Allowed values: 'simple' or 'jwt' + ## ref: https://etcd.io/docs/latest/op-guide/configuration/#--auth-token + ## + type: jwt + ## @param auth.token.privateKey.filename Name of the file containing the private key for signing the JWT token + ## @param auth.token.privateKey.existingSecret Name of the existing secret containing the private key for signing the JWT token + ## NOTE: Ignored if auth.token.type=simple + ## NOTE: A secret containing a private key will be auto-generated if an existing one is not provided. + ## + privateKey: + filename: jwt-token.pem + existingSecret: "" + ## @param auth.token.signMethod JWT token sign method + ## NOTE: Ignored if auth.token.type=simple + ## + signMethod: RS256 + ## @param auth.token.ttl JWT token TTL + ## NOTE: Ignored if auth.token.type=simple + ## + ttl: 10m + ## TLS authentication for client-to-server communications + ## ref: https://etcd.io/docs/current/op-guide/security/ + ## client: - ## Switch to encrypt client communication using TLS certificates + ## @param auth.client.secureTransport Switch to encrypt client-to-server communications using TLS certificates ## secureTransport: false - ## Switch to automatically create the TLS certificates + ## @param auth.client.useAutoTLS Switch to automatically create the TLS certificates ## useAutoTLS: false - ## Switch to enable host authentication using TLS certificates. Requires existing secret. + ## @param auth.client.existingSecret Name of the existing secret containing the TLS certificates for client-to-server communications ## - enableAuthentication: false - ## Name of the existing secret containing cert files for client communication. + existingSecret: "" + ## @param auth.client.enableAuthentication Switch to enable host authentication using TLS certificates. Requires existing secret ## - # existingSecret: name-of-existing-secret - ## Name of the file containing the client certificate. + enableAuthentication: false + ## @param auth.client.certFilename Name of the file containing the client certificate ## certFilename: cert.pem - ## Name of the file containing the client certificate private key. + ## @param auth.client.certKeyFilename Name of the file containing the client certificate private key ## certKeyFilename: key.pem - ## Name of the file containing the client CA certificate. - ## If not specified and `enableAuthentication: true` or `rbac.enabled: true`, the default is is `ca.crt`. + ## @param auth.client.caFilename Name of the file containing the client CA certificate + ## If not specified and `auth.client.enableAuthentication=true` or `auth.rbac.enabled=true`, the default is is `ca.crt` ## caFilename: "" - + ## TLS authentication for server-to-server communications + ## ref: https://etcd.io/docs/current/op-guide/security/ + ## peer: - ## Switch to encrypt peer communication using TLS certificates + ## @param auth.peer.secureTransport Switch to encrypt server-to-server communications using TLS certificates ## secureTransport: false - ## Switch to automatically create the TLS certificates + ## @param auth.peer.useAutoTLS Switch to automatically create the TLS certificates ## useAutoTLS: false - ## Switch to enable host authentication using TLS certificates. Requires existing secret. + ## @param auth.peer.existingSecret Name of the existing secret containing the TLS certificates for server-to-server communications ## - enableAuthentication: false - ## Name of the existing secret containing cert files for peer communication. + existingSecret: "" + ## @param auth.peer.enableAuthentication Switch to enable host authentication using TLS certificates. Requires existing secret ## - # existingSecret: name-of-existing-secret - ## Name of the file containing the peer certificate. + enableAuthentication: false + ## @param auth.peer.certFilename Name of the file containing the peer certificate ## certFilename: cert.pem - ## Name of the file containing the peer certificate private key. + ## @param auth.peer.certKeyFilename Name of the file containing the peer certificate private key ## certKeyFilename: key.pem - ## Name of the file containing the peer CA certificate. - ## If not specified and `enableAuthentication: true` or `rbac.enabled: true`, the default is is `ca.crt`. + ## @param auth.peer.caFilename Name of the file containing the peer CA certificate + ## If not specified and `auth.peer.enableAuthentication=true` or `rbac.enabled=true`, the default is is `ca.crt` ## caFilename: "" - -## Kubernetes Security Context -## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## @param autoCompactionMode Auto compaction mode, by default periodic. Valid values: "periodic", "revision". +## - 'periodic' for duration based retention, defaulting to hours if no time unit is provided (e.g. 5m). +## - 'revision' for revision number based retention. ## -securityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 - -## Kubernetes Cluster Domain +autoCompactionMode: "" +## @param autoCompactionRetention Auto compaction retention for mvcc key value store in hour, by default 0, means disabled ## -clusterDomain: cluster.local - -## etcd variables +autoCompactionRetention: "" +## @param initialClusterState Initial cluster state. Allowed values: 'new' or 'existing' +## If this values is not set, the default values below are set: +## - 'new': when installing the chart ('helm install ...') +## - 'existing': when upgrading the chart ('helm upgrade ...') ## -etcd: - ## Initial cluster state. Allowed values: 'new' or 'existing' - ## If this values is not set, the default values below are set: - ## - 'new': when installing the chart ('helm install ...') - ## - 'existing': when upgrading the chart ('helm upgrade ...') - ## - initialClusterState: "" +initialClusterState: "" +## @param logLevel Sets the log level for the etcd process. Allowed values: 'debug', 'info', 'warn', 'error', 'panic', 'fatal' +## +logLevel: "info" +## @param maxProcs Limits the number of operating system threads that can execute user-level +## Go code simultaneously by setting GOMAXPROCS environment variable +## ref: https://golang.org/pkg/runtime +## +maxProcs: "" +## @param removeMemberOnContainerTermination Use a PreStop hook to remove the etcd members from the etcd cluster on container termination +## they the containers are terminated. Set to 'false' if appears an error-related member ID wasn't properly stored. +## NOTE: Ignored if lifecycleHooks is set or replicaCount=1 +## +removeMemberOnContainerTermination: true +## @param configuration etcd configuration. Specify content for etcd.conf.yml +## e.g: +## configuration: |- +## foo: bar +## baz: +## +configuration: "" +## @param existingConfigmap Existing ConfigMap with etcd configuration +## NOTE: When it's set the configuration parameter is ignored +## +existingConfigmap: "" +## @param extraEnvVars [array] Extra environment variables to be set on etcd container +## e.g: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: [] +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraEnvVarsSecret Name of existing Secret containing extra env vars +## +extraEnvVarsSecret: "" +## @param command [array] Default container command (useful when using custom images) +## +command: [] +## @param args [array] Default container args (useful when using custom images) +## +args: [] -## Service parameters +## @section etcd statefulset parameters ## -service: - ## K8s service type - ## - type: ClusterIP - ## etcd client port - ## - port: 2379 - ## etcd client port name override - ## - clientPortNameOverride: "" - ## etcd peer port - ## - peerPort: 2380 - ## etcd peer port name override - ## - peerPortNameOverride: "" - ## Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - clientPort: "" - peerPort: "" - ## Set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - # loadBalancerIP: - # loadBalancerSourceRanges: ["10.0.0.0/8"] - ## Provide any additional annotations which may be required. This can be used to - ## set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - annotations: {} -## Enable persistence using Persistent Volume Claims -## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + +## @param replicaCount Number of etcd replicas to deploy ## -persistence: - ## If true, use a Persistent Volume Claim, If false, use emptyDir - ## +replicaCount: 1 +## Update strategy +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## @param updateStrategy.type Update strategy type, can be set to RollingUpdate or OnDelete. +## +updateStrategy: + type: RollingUpdate +## @param podManagementPolicy Pod management policy for the etcd statefulset +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies +## +podManagementPolicy: Parallel +## @param hostAliases [array] etcd pod host aliases +## ref: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] +## @param lifecycleHooks [object] Override default etcd container hooks +## +lifecycleHooks: {} +## etcd container ports to open +## @param containerPorts.client Client port to expose at container level +## @param containerPorts.peer Peer port to expose at container level +## +containerPorts: + client: 2379 + peer: 2380 +## etcd pods' Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled etcd pods' Security Context +## @param podSecurityContext.fsGroup Set etcd pod's Security Context fsGroup +## +podSecurityContext: enabled: true - ## Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - ## Persistent Volume Claim annotations - ## - annotations: {} - ## Persistent Volume Access Mode - ## - accessModes: - - ReadWriteOnce - ## Persistent Volume size - ## - size: 8Gi - ## Persistent Volume selector - ## Can specify a label selector to further filter the set of volumes. - ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector - selector: {} - -## Define a disruption budget -## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + fsGroup: 1001 +## etcd containers' SecurityContext +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled etcd containers' Security Context +## @param containerSecurityContext.runAsUser Set etcd container's Security Context runAsUser +## @param containerSecurityContext.runAsNonRoot Set etcd container's Security Context runAsNonRoot +## @param containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as nonprivilege ## -pdb: - enabled: false - # minAvailable: 1 - # maxUnavailable: 1 - -## Etcd containers' resource requests and limits -## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + allowPrivilegeEscalation: false +## etcd containers' resource requests and limits +## ref: https://kubernetes.io/docs/user-guide/compute-resources/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resources.limits [object] The resources limits for the etcd container +## @param resources.requests [object] The requested resources for the etcd container ## resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## Example: + ## limits: + ## cpu: 500m + ## memory: 1Gi + ## limits: {} - # cpu: 500m - # memory: 1Gi requests: {} - # cpu: 250m - # memory: 256Mi - -## Etcd containers' liveness and readiness probes -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## Configure extra options for liveness probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes +## @param livenessProbe.enabled Enable livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe ## livenessProbe: enabled: true @@ -289,6 +334,15 @@ livenessProbe: timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 +## Configure extra options for readiness probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes +## @param readinessProbe.enabled Enable readinessProbe +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## readinessProbe: enabled: true initialDelaySeconds: 60 @@ -296,179 +350,557 @@ readinessProbe: timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 - -## Statefulset labels. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## Configure extra options for liveness probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes +## @param startupProbe.enabled Enable startupProbe +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe ## -statefulsetLabels: {} - -## Pod annotations +startupProbe: + enabled: false + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 60 +## @param customLivenessProbe [object] Override default liveness probe +## +customLivenessProbe: {} +## @param customReadinessProbe [object] Override default readiness probe +## +customReadinessProbe: {} +## @param customStartupProbe [object] Override default startup probe +## +customStartupProbe: {} +## @param extraVolumes [array] Optionally specify extra list of additional volumes for etcd pods +## +extraVolumes: [] +## @param extraVolumeMounts [array] Optionally specify extra list of additional volumeMounts for etcd container(s) +## +extraVolumeMounts: [] +## @param initContainers [array] Add additional init containers to the etcd pods +## e.g: +## initContainers: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +initContainers: [] +## @param sidecars [array] Add additional sidecar containers to the etcd pods +## e.g: +## sidecars: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +sidecars: [] +## @param podAnnotations [object] Annotations for etcd pods ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} - -## Pod labels. Evaluated as a template +## @param podLabels [object] Extra labels for etcd pods ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ## podLabels: {} - -## Pod affinity preset +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## Allowed values: soft, hard ## podAffinityPreset: "" - -## Pod anti-affinity preset +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## Allowed values: soft, hard ## podAntiAffinityPreset: soft - ## Node affinity preset ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -## Allowed values: soft, hard +## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. +## @param nodeAffinityPreset.values [array] Node label values to match. Ignored if `affinity` is set. ## nodeAffinityPreset: - ## Node affinity type - ## Allowed values: soft, hard type: "" - ## Node label key to match - ## E.g. + ## e.g: ## key: "kubernetes.io/e2e-az-name" ## key: "" - ## Node label values to match - ## E.g. + ## e.g: ## values: ## - e2e-az1 ## - e2e-az2 ## values: [] - -## Affinity for pod assignment +## @param affinity [object] Affinity for pod assignment ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set ## affinity: {} - -## Node labels for pod assignment +## @param nodeSelector [object] Node labels for pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} - -## Tolerations for pod assignment +## @param tolerations [array] Tolerations for pod assignment ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ## tolerations: [] - -## Name of the priority class to be used by etcd pods, priority class needs to be created beforehand +## @param terminationGracePeriodSeconds Seconds the pod needs to gracefully terminate +## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution +## +terminationGracePeriodSeconds: "" +## @param schedulerName Name of the k8s scheduler (other than default) +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param priorityClassName Name of the priority class to be used by etcd pods +## Priority class needs to be created beforehand ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## priorityClassName: "" +## @param runtimeClassName Name of the runtime class to be used by pod(s) +## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ +## +runtimeClassName: "" +## @param shareProcessNamespace Enable shared process namespace in a pod. +## If set to false (default), each container will run in separate namespace, etcd will have PID=1. +## If set to true, the /pause will run as init process and will reap any zombie PIDs, +## for example, generated by a custom exec probe running longer than a probe timeoutSeconds. +## Enable this only if customLivenessProbe or customReadinessProbe is used and zombie PIDs are accumulating. +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ +## +shareProcessNamespace: false +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment +## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## The value is evaluated as a template +## +topologySpreadConstraints: [] +## persistentVolumeClaimRetentionPolicy +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention +## @param persistentVolumeClaimRetentionPolicy.enabled Controls if and how PVCs are deleted during the lifecycle of a StatefulSet +## @param persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced +## @param persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted +persistentVolumeClaimRetentionPolicy: + enabled: false + whenScaled: Retain + whenDeleted: Retain +## @section Traffic exposure parameters +## + +service: + ## @param service.type Kubernetes Service type + ## + type: ClusterIP + ## @param service.enabled create second service if equal true + ## + enabled: true + ## @param service.clusterIP Kubernetes service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.ports.client etcd client port + ## @param service.ports.peer etcd peer port + ## + ports: + client: 2379 + peer: 2380 + ## @param service.nodePorts.client Specify the nodePort client value for the LoadBalancer and NodePort service types. + ## @param service.nodePorts.peer Specify the nodePort peer value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + client: "" + peer: "" + ## @param service.clientPortNameOverride etcd client port name override + ## + clientPortNameOverride: "" + ## @param service.peerPortNameOverride etcd peer port name override + ## + peerPortNameOverride: "" + ## @param service.loadBalancerIP loadBalancerIP for the etcd service (optional, cloud specific) + ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges [array] Load Balancer source ranges + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalIPs [array] External IPs + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips + ## + externalIPs: [] + ## @param service.externalTrafficPolicy %%MAIN_CONTAINER_NAME%% service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param service.annotations [object] Additional annotations for the etcd service + ## + annotations: {} + ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param service.headless.annotations Annotations for the headless service. + ## + annotations: {} + +## @section Persistence parameters +## + +## Enable persistence using Persistent Volume Claims +## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + ## @param persistence.enabled If true, use a Persistent Volume Claim. If false, use emptyDir. + ## + enabled: true + ## @param persistence.storageClass Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## + ## @param persistence.annotations [object] Annotations for the PVC + ## + annotations: {} + ## @param persistence.labels [object] Labels for the PVC + ## + labels: {} + ## @param persistence.accessModes Persistent Volume Access Modes + ## + accessModes: + - ReadWriteOnce + ## @param persistence.size PVC Storage Request for etcd data volume + ## + size: 8Gi + ## @param persistence.selector [object] Selector to match an existing Persistent Volume + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + ## + selector: {} + +## @section Volume Permissions parameters +## -## Etcd Prometheus exporter configuration +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. ## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` + ## + enabled: false + ## @param volumePermissions.image.registry Init container volume-permissions image registry + ## @param volumePermissions.image.repository Init container volume-permissions image name + ## @param volumePermissions.image.tag Init container volume-permissions image tag + ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 11-debian-11-r118 + digest: "" + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## + pullPolicy: IfNotPresent + ## @param volumePermissions.image.pullSecrets [array] Specify docker-registry secret names as an array + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container' resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param volumePermissions.resources.limits [object] Init container volume-permissions resource limits + ## @param volumePermissions.resources.requests [object] Init container volume-permissions resource requests + ## + resources: + ## Example: + ## limits: + ## cpu: 500m + ## memory: 1Gi + ## + limits: {} + requests: {} + +## @section Network Policy parameters +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources + ## + enabled: false + ## @param networkPolicy.allowExternal Don't require client label for connections + ## When set to false, only pods with the correct client label will have network access to the ports + ## etcd is listening on. When true, etcd will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + +## @section Metrics parameters +## + metrics: + ## @param metrics.enabled Expose etcd metrics + ## enabled: false + ## @param metrics.podAnnotations [object] Annotations for the Prometheus metrics on etcd pods + ## podAnnotations: prometheus.io/scrape: "true" - prometheus.io/port: "2379" - - ## Prometheus Operator ServiceMonitor configuration + prometheus.io/port: "{{ .Values.containerPorts.client }}" + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint ## - serviceMonitor: + podMonitor: + ## @param metrics.podMonitor.enabled Create PodMonitor Resource for scraping metrics using PrometheusOperator + ## enabled: false - ## Namespace in which Prometheus is running + ## @param metrics.podMonitor.namespace Namespace in which Prometheus is running ## - # namespace: monitoring - - ## Interval at which metrics should be scraped. - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + namespace: monitoring + ## @param metrics.podMonitor.interval Specify the interval at which metrics should be scraped ## - # interval: 10s - - ## MetricRelabelConfigs to apply to samples before ingestion - ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint + interval: 30s + ## @param metrics.podMonitor.scrapeTimeout Specify the timeout after which the scrape is ended ## - # metricRelabelings: [] - - ## RelabelConfigs to apply to samples before ingestion - ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint + scrapeTimeout: 30s + ## @param metrics.podMonitor.additionalLabels [object] Additional labels that can be used so PodMonitors will be discovered by Prometheus + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec ## - # relabelings: [] - - ## HTTP scheme to use for scraping. + additionalLabels: {} + ## @param metrics.podMonitor.scheme Scheme to use for scraping ## - # scheme: "" - - ## Timeout after which the scrape is ended - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + scheme: http + ## @param metrics.podMonitor.tlsConfig [object] TLS configuration used for scrape endpoints used by Prometheus + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#tlsconfig + ## e.g: + ## tlsConfig: + ## ca: + ## secret: + ## name: existingSecretName + ## + tlsConfig: {} + ## @param metrics.podMonitor.relabelings [array] Prometheus relabeling rules ## - # scrapeTimeout: 10s + relabelings: [] - ## ServiceMonitor selector labels - ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## Prometheus Operator PrometheusRule configuration + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Create a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) + ## + enabled: false + ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus + ## + additionalLabels: {} + ## @param metrics.prometheusRule.rules Prometheus Rule definitions + # - alert: ETCD has no leader + # annotations: + # summary: "ETCD has no leader" + # description: "pod {{`{{`}} $labels.pod {{`}}`}} state error, can't connect leader" + # for: 1m + # expr: etcd_server_has_leader == 0 + # labels: + # severity: critical + # group: PaaS ## - # selector: - # prometheus: my-prometheus + rules: [] - ## TLS configuration for the endpoints to be scraped. - ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#tlsconfig - # tlsConfig: - # ca: - # secret: - # name: existingSecretName -## Start a new etcd cluster recovering the data from an existing snaptshot before -## initializing the members +## @section Snapshotting parameters +## + +## Start a new etcd cluster recovering the data from an existing snapshot before bootstrapping ## startFromSnapshot: + ## @param startFromSnapshot.enabled Initialize new cluster recovering an existing snapshot + ## enabled: false - ## Existingn PVC containing the etcd snapshot + ## @param startFromSnapshot.existingClaim Existing PVC containing the etcd snapshot ## - # existingClaim - ## Snapshot filename + existingClaim: "" + ## @param startFromSnapshot.snapshotFilename Snapshot filename ## - # snapshotFilename - -## Enable auto disaster recovery by periodically snapshotting the keyspace + snapshotFilename: "" +## Enable auto disaster recovery by periodically snapshotting the keyspace: ## - It creates a cronjob to periodically snapshotting the keyspace ## - It also creates a ReadWriteMany PVC to store the snapshots -## If the cluster permanently loses more than (N-1)/2 members, it tries to recover -## the cluster from a previous snapshot. +## If the cluster permanently loses more than (N-1)/2 members, it tries to +## recover itself from the last available snapshot. ## disasterRecovery: + ## @param disasterRecovery.enabled Enable auto disaster recovery by periodically snapshotting the keyspace + ## enabled: false - ## Set to true if you would like to see extra information on logs for snapshotting - debug: true cronjob: - ## Schedule in Cron format to save snapshots + ## @param disasterRecovery.cronjob.schedule Schedule in Cron format to save snapshots ## See https://en.wikipedia.org/wiki/Cron ## schedule: "*/30 * * * *" - ## Number of successful finished jobs to retain + ## @param disasterRecovery.cronjob.historyLimit Number of successful finished jobs to retain ## historyLimit: 1 - ## Number of etcd snapshots to retain, tagged with date + ## @param disasterRecovery.cronjob.snapshotHistoryLimit Number of etcd snapshots to retain, tagged by date ## snapshotHistoryLimit: 1 - ## Pod annotations + ## @param disasterRecovery.cronjob.snapshotsDir Directory to store snapshots + ## + snapshotsDir: "/snapshots" + ## @param disasterRecovery.cronjob.podAnnotations [object] Pod annotations for cronjob pods ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} - ## Configure resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - ## - # resources: + ## Configure resource requests and limits for snapshotter containers + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param disasterRecovery.cronjob.resources.limits [object] Cronjob container resource limits + ## @param disasterRecovery.cronjob.resources.requests [object] Cronjob container resource requests + ## + resources: + ## Example: + ## limits: + ## cpu: 500m + ## memory: 1Gi + ## + limits: {} + requests: {} + + ## @param disasterRecovery.cronjob.nodeSelector Node labels for cronjob pods assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param disasterRecovery.cronjob.tolerations Tolerations for cronjob pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + pvc: - ## A manually managed Persistent Volume and Claim + ## @param disasterRecovery.pvc.existingClaim A manually managed Persistent Volume and Claim ## If defined, PVC must be created manually before volume will be bound ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart ## - # existingClaim: - - ## PVC Storage Request + existingClaim: "" + ## @param disasterRecovery.pvc.size PVC Storage Request ## size: 2Gi - ## storageClassName, choose a storageClassName with ReadWriteMany support + ## @param disasterRecovery.pvc.storageClassName Storage Class for snapshots volume ## storageClassName: nfs + ## @param disasterRecovery.pvc.subPath Path within the volume from which to mount + ## Useful if snapshots should only be stored in a subdirectory of the volume + ## + subPath: "" + +## @section Service account parameters +## + +serviceAccount: + ## @param serviceAccount.create Enable/disable service account creation + ## + create: false + ## @param serviceAccount.name Name of the service account to create or use + ## + name: "" + ## @param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of service account token + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server + ## + automountServiceAccountToken: true + ## @param serviceAccount.annotations [object] Additional annotations to be included on the service account + ## + annotations: {} + ## @param serviceAccount.labels [object] Additional labels to be included on the service account + ## + labels: {} + +## @section Other parameters +## + +## etcd Pod Disruption Budget configuration +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +## +pdb: + ## @param pdb.create Enable/disable a Pod Disruption Budget creation + ## + create: true + ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## + minAvailable: 51% + ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable + ## + maxUnavailable: "" From fc3bd88f912da164bcb2a541cc336a785a9eba78 Mon Sep 17 00:00:00 2001 From: Tom Hayward Date: Fri, 1 Sep 2023 12:26:22 -0700 Subject: [PATCH 2/5] update etcd chart url to oci version --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 2f7b4569..a51a7883 100644 --- a/Makefile +++ b/Makefile @@ -261,7 +261,7 @@ deploy-example-apiserver: kind-load-apiserver upgrade-etcd: cd $(CHART_DIR) && \ rm -rf etcd* && \ - helm pull --debug --untar --repo https://charts.bitnami.com/bitnami etcd + helm pull --debug --untar oci://registry-1.docker.io/bitnamicharts/etcd clean: rm -rf \ From 70f0a2be0729b6ed8aa485057b12b6fb3806cb6c Mon Sep 17 00:00:00 2001 From: Tom Hayward Date: Fri, 1 Sep 2023 13:35:18 -0700 Subject: [PATCH 3/5] support new format for etcd hostname Fixes probe error: `transport: authentication handshake failed: x509: certificate is valid for localhost, runner-konk-etcd-headless, runner-konk-init-66f6497746-xkclr, not runner-konk-etcd-0.runner-konk-etcd-headless.konk.svc.cluster.local` --- helm-charts/konk/scripts/provision.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/helm-charts/konk/scripts/provision.sh b/helm-charts/konk/scripts/provision.sh index 13c17f04..8bee53e3 100644 --- a/helm-charts/konk/scripts/provision.sh +++ b/helm-charts/konk/scripts/provision.sh @@ -33,6 +33,9 @@ etcd: serverCertSANs: - localhost - $RELEASE-etcd-headless + - $RELEASE-etcd-0.$RELEASE-etcd-headless.$NAMESPACE.svc.cluster.local + - $RELEASE-etcd-1.$RELEASE-etcd-headless.$NAMESPACE.svc.cluster.local + - $RELEASE-etcd-2.$RELEASE-etcd-headless.$NAMESPACE.svc.cluster.local EOF kubeadm init phase certs all --apiserver-cert-extra-sans $FULLNAME,$FULLNAME.$NAMESPACE,$FULLNAME.$NAMESPACE.svc,$FULLNAME.$NAMESPACE.svc.cluster.local From 35ea8c67a47c4c27973b4d5696156ccf2be76dba Mon Sep 17 00:00:00 2001 From: Tom Hayward Date: Fri, 1 Sep 2023 15:33:23 -0700 Subject: [PATCH 4/5] migrate values for new etcd chart --- helm-charts/konk/README.md | 2 +- helm-charts/konk/templates/etcd.yaml | 2 +- helm-charts/konk/values.yaml | 3 +-- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/helm-charts/konk/README.md b/helm-charts/konk/README.md index 2df6b9ba..b1e795bc 100644 --- a/helm-charts/konk/README.md +++ b/helm-charts/konk/README.md @@ -32,11 +32,11 @@ When deploying with `helm install`, these configurations are values and can be o | autoscaling.targetCPUUtilizationPercentage | int | `80` | | | certManager.namespace | string | `nil` | | | etcd.operator | bool | `true` | defines how Konk's internal etcd is deployed. `true`: etcd is deployed by konk-operator `false`: etcd is deployed as a sidecar of konk's kube-apiserver | +| etcd.replicaCount | int | `3` | | | etcd.resources.limits.memory | string | `"4Gi"` | | | etcd.resources.requests.cpu | string | `"10m"` | | | etcd.resources.requests.memory | string | `"64Mi"` | | | etcd.securityContext | object | `{}` | | -| etcd.statefulset.replicaCount | int | `3` | | | fullnameOverride | string | `""` | | | imagePullSecrets | list | `[]` | | | ingress.annotations."nginx.ingress.kubernetes.io/backend-protocol" | string | `"HTTPS"` | | diff --git a/helm-charts/konk/templates/etcd.yaml b/helm-charts/konk/templates/etcd.yaml index 0626ff00..b108f1ca 100644 --- a/helm-charts/konk/templates/etcd.yaml +++ b/helm-charts/konk/templates/etcd.yaml @@ -11,7 +11,7 @@ spec: {{ toYaml . | nindent 2 }} auth: rbac: - enabled: false + create: false client: enableAuthentication: true secureTransport: true diff --git a/helm-charts/konk/values.yaml b/helm-charts/konk/values.yaml index 5bc0024a..589c2297 100644 --- a/helm-charts/konk/values.yaml +++ b/helm-charts/konk/values.yaml @@ -79,8 +79,7 @@ etcd: # `true`: etcd is deployed by konk-operator # `false`: etcd is deployed as a sidecar of konk's kube-apiserver operator: true - statefulset: - replicaCount: 3 + replicaCount: 3 kind: image: From 81b69b2d7306bf30fd37cfb732409c2200f16c3b Mon Sep 17 00:00:00 2001 From: Tom Hayward Date: Tue, 5 Sep 2023 11:25:08 -0700 Subject: [PATCH 5/5] extend timeout --- .github/workflows/pr.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 565c7b70..b4b710a6 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -118,18 +118,18 @@ jobs: make kind-load-konk KIND_NAME="chart-testing" make deploy-crds deploy-konk-operator - name: Test Konk - timeout-minutes: 6 + timeout-minutes: 10 run: | kubectl create ns $KONK_NAMESPACE || true kubectl apply -n $KONK_NAMESPACE -f examples/konk.yaml # FIXME: use the helm-operator status to detect installation was successful - until kubectl wait -n $KONK_NAMESPACE --timeout=3m --for=condition=ready pod -l app.kubernetes.io/name=etcd + until kubectl wait -n $KONK_NAMESPACE --timeout=1m --for=condition=ready pod -l app.kubernetes.io/name=etcd do - sleep 1 + sleep 6 done - until kubectl wait -n $KONK_NAMESPACE --timeout=3m --for=condition=ready pod -l app.kubernetes.io/component=apiserver,app.kubernetes.io/name=konk + until kubectl wait -n $KONK_NAMESPACE --timeout=1m --for=condition=ready pod -l app.kubernetes.io/component=apiserver,app.kubernetes.io/name=konk do - sleep 1 + sleep 6 done make test-konk KONK_NAMESPACE=$KONK_NAMESPACE make test-konk-local