jan/openreplay
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

merge into: jan:main
Branches Tags
jan:main
jan:dependabot/pip/dev/boto3-1.38.32
jan:dependabot/pip/dev/elasticsearch-9.0.2
jan:patch/main/90510aa33b6f4d7ba0d940e5886ca708aa13598f
jan:dev
jan:slots-support
jan:add_locales_to_KAI
jan:split-saas
jan:patch/main/d4a13edcf0fb374e4f61f6a151aea52e3ef6ca1b
jan:patch/main/36abcda1e1201edd01a5353f55c474b837dea747
jan:patch-audio-pl
jan:audio-f
jan:patch/main/f9ada412723f7e5c10bc64629b8fe9ae704515f8
jan:change_chart_fetch_method
jan:e2e_tests_frontend
jan:ui-events-dynamic
jan:or-1666-finish-the-scim-integration
jan:dependabot/pip/dev/redis-6.2.0
jan:dependabot/pip/dev/uvicorn-standard--0.34.3
jan:patch/api-v1.22.0
jan:scim_server
jan:or-1915-ensure-enterprise-edition-can-be-run-locally-with-external
jan:patch/main/a2905fa8ed591e8bf8011d1ae0902cebe41945d6
jan:patch/main/681f57ca3b9bc465814deb536d2de4c9d81de104
jan:patch/main/8d6b57b5f9df6b0fd5d345e02e0641e059a8a3fd
jan:patch/main/c6f7de04cc2c5d9972addb764f5b578840bb97ca
jan:revert-3450-fix-new-card-data
jan:fix-new-card-data
jan:fix_incidents_layout
jan:dependabot/pip/ee/connectors/deploy/pip-8070fb41c8
jan:add_incident_event
jan:spot-testing
jan:patch/main/33fb8f16e0ae91cc23b622b64b7a29c7e54d9fc8
jan:add_node_count_warning_toast
jan:go_pa_charts
jan:fix_utils_webpack_error
jan:unit_testing_replay
jan:router-refactoring
jan:improve-network-121
jan:test-redis-consumer
jan:inliner-testing2
jan:tracker_events_throttling
jan:inliner-testing
jan:patch/main/71b7cca5697d74024c2643a3722784858f60a0be
jan:assist-api
jan:tracker-16.x.x
jan:patch/main/66b485cccffa3b9d93e4f432effac8a2ff3d171b
jan:or-2027-github-actions-create-patch-from-main-branch-auto-update
jan:patch/main/58da1d3f6433392e62c68361b999c12eed0038e7
jan:patch/main/39eb943b86387c01c3c7da3d25341996d22e9b10
jan:fix_events_highlight
jan:patch/main/fbe5d7827030dc091b7d70c730ceb7f2ba62fa76
jan:revert_update
jan:patch/main/9ed3cb1b7edae196dfdcc5ad8e90fb35895cf02d
jan:add_searched_events
jan:highlight_searched_events
jan:patch/main/d78b33dcd278f27c74ab716135dd6ad099b5b32e
jan:sunburst-chart
jan:patch/main/d922fc7ad51d6e32708a5b7ad023222abeb43dbc
jan:patch_frontend_inlineCss
jan:change_inlinecss_opts_view
jan:patch/main/3ba40a4811cde3374f748576c9528e9c587e1853
jan:change-ui-table
jan:fix-filters-v1.21
jan:patch/main/74ed29915bfa28a47025d1ea72aad7ef0f188fd5
jan:patch/main/0e469fd056e2d80146660cde8eb6e4a7a949e476
jan:timepicker-fix-zone
jan:observer-vtree
jan:patch-121-search
jan:actions-fix
jan:meta-tags
jan:fix-table-of-cards
jan:patch_frontend
jan:fix_event_sorting
jan:or-1928-clickhouse-enable-caching
jan:fix-table-of-cards-drilldown
jan:patch_assist
jan:assist_remote_canvas_control
jan:ui-cards-daterange
jan:fix-cards-try
jan:patch_assist_canvas
jan:assist_fix_canvas_clearing
jan:assist-server
jan:long-anim-task-ui-improvements
jan:assist_patch_canvas
jan:assist_fix_canvas_stream
jan:tracker-15.x.x
jan:local-coverage
jan:assist_patch
jan:updated_version
jan:test_turn
jan:fix-ee-check
jan:assist_with_sticky_sess
jan:assist_add_conference_call
jan:fix-cards-list
jan:patch_prod
jan:update_batch_writer
jan:network-panel-batcher-1.21
jan:assist_fix_session_not_found
jan:update_unshift_method_in_tracker
jan:fix-auth-forms
jan:add_pooling_to_ws_transport
jan:tracker-sdk
jan:ui-recaptcha
jan:fix_whitescreen_error
jan:assist-fetch-queue
jan:change_call_window_widget
jan:fix_locales
jan:ui_improves_for_localisation
jan:update_locales
jan:fix_localisation
jan:app-boot
jan:react-router-upgrade
jan:add_lokalisation
jan:actions_test
jan:workerless-tracker
jan:docs-links
jan:migrate_to_webrtc
jan:enable_conference_calls
jan:add_webrtc_socket_events_handling
jan:feature/add_webrtc_socket_events_handling
jan:improve/migrate_from_peerjs_to_webrtc
jan:event-analytics
jan:spot-testing-mp4
jan:scim_integration
jan:blog
jan:fix-G3001
jan:dev-image
jan:tracker-buffer-batching
jan:fix-conditional-capture
jan:filekey-preloader
jan:fix-ui-misc
jan:spot-network-mix
jan:api-pa-events-metrics
jan:fix-capture-rate
jan:live-se-red
jan:api-highlights
jan:ui-fix-password
jan:ui-projects
jan:fix-table-cards
jan:fix-ui-sessions-list
jan:mobile-gql
jan:devtools_for_mobile
jan:product-analytics-go
jan:dependabot/go_modules/backend/go_modules-f18a858995
jan:fix-funnel-clicks
jan:dependabot/npm_and_yarn/assist/npm_and_yarn-244ac6efb7
jan:expo-support
jan:fix-card-filters
jan:ui-webhook-allow-port
jan:fix-roles
jan:new_timeseries_view_type_mock
jan:fix-403-clear
jan:fix-session-search
jan:fix-assist-navigation
jan:fix-sessions-refresh
jan:fix-sessions-list
jan:cp-54abbe58a
jan:main-fix
jan:tracker-14.x.x
jan:version-endpoint
jan:service-analytics
jan:secret-rotation
jan:ui-sentry-update
jan:pnpm
jan:tracker-iframe-mem
jan:rtm-temp
jan:change-network-url
jan:fix-alerts
jan:correct_trim
jan:snyk-fix-a9d6aa889da95e84eadd3044b3c6728f
jan:snyk-fix-5679497c6fd9200b41f2264d6dc227c4
jan:cache-queries
jan:test_oauth
jan:oauthbutton
jan:ui-events-manage
jan:spots-tmp
jan:upgrade-test
jan:mobile-bucket-patch
jan:kafka-topics-patch
jan:revert-2402-fix-2399
jan:1.18-frontend-patch
jan:1.17.frontend-patch
jan:tracker-13.x.x
jan:snyk-fix-8df62ecfebc326517d8024161d3480f9
jan:log-maxHttpBufferSize-assist
jan:tracker-9.0.0
jan:temporary-frontent-build-patch
jan:tracker-12.x.x
jan:update_quickwit
jan:snyk-fix-d5842431700ced37b359849bf992cb3f
jan:gh-actions
jan:patch/msaas/frontend-v1.17.0
jan:recommendations-update
jan:snyk-fix-55f3c2a5d070af5495b7dc8c7920bbb0
jan:feat-api-async
jan:api-testing
jan:Keshav-Agarwal/main
jan:snyk-fix-cfdaab8ddf56f9cff49bc466b113485d
jan:snyk-fix-eebbed696f944ddbca56cf6da2adfdf5
jan:tracker-11.x.x
jan:snyk-fix-c5c818678695093fa19431cc304df63f
jan:redshift-connector-update-v3
jan:snyk-fix-5adc34a6b6f25c0d8d5d408e237209be
jan:tracker-10.x.x
jan:docker-compose
jan:quickwit-metrics
jan:pr-env
jan:v1.15.0-pr
jan:dev-pr-v1.14-changes
jan:main_v1.11.0
jan:revert-1196-main
jan:player-ref-ph3-drafts
jan:encryption-patch
jan:multibyte-message-type
jan:tmp-brach-to-delete
jan:clickhouse
jan:monitoring
jan:kafka-ssl-v1.6.0
jan:backend_ci_test
jan:backend-actions-fix
jan:installation-test
jan:testmigration
jan:helmchart
jan:dev-ios-temp
jan:api_insights
jan:kube-change-nfs
jan:heuristics
jan:v1.22.0
jan:v1.22.0-backup-20250530132247
jan:v1.22.0-backup-20250528201734
jan:v1.22.0-backup-20250528193843
jan:v1.21.0-backup-20250520130718
jan:v1.22.0.test
jan:v1.21.0-backup-20250424123357
jan:v1.21.0-backup-20250423140451
jan:v1.21.0-backup-20250423111109
jan:v1.21.0-backup-20250423105115
jan:v1.21.0-backup-20250520132858
jan:v1.21.0
jan:pre-v1.22.0
jan:v1.20.0
jan:pre-v1.21.0
jan:v1.20.0-backup-20250604101909
jan:pre-v1.20.0
jan:v1.19.0
jan:v1.18.0
jan:v1.17.0
jan:v0.5.0
jan:pre-v1.19.0
jan:argo
jan:pre_v1.18.0
jan:v1.14.0
jan:v1.15.0
jan:v1.10.0
jan:v1.16.0
jan:1.16.0
jan:v1.12.0
jan:v1.13.0
jan:v.1.14.0
jan:v1.11.0
jan:v1.9.0
jan:v1.8.1
jan:v1.8.0
jan:v1.7.0
jan:v1.6.0
jan:v1.5.4
jan:v1.5.3
jan:v1.5.2
jan:v1.5.1
jan:v1.5.0
jan:v1.4.0
jan:v1.3.6
jan:v1.3.5
jan:v1.3.0
jan:v1.2.0
jan:v1.1.0
jan:v1.0.0
...
pull from: jan:helmchart
Branches Tags
jan:dependabot/pip/dev/boto3-1.38.32
jan:dependabot/pip/dev/elasticsearch-9.0.2
jan:patch/main/90510aa33b6f4d7ba0d940e5886ca708aa13598f
jan:main
jan:dev
jan:slots-support
jan:add_locales_to_KAI
jan:split-saas
jan:patch/main/d4a13edcf0fb374e4f61f6a151aea52e3ef6ca1b
jan:patch/main/36abcda1e1201edd01a5353f55c474b837dea747
jan:patch-audio-pl
jan:audio-f
jan:patch/main/f9ada412723f7e5c10bc64629b8fe9ae704515f8
jan:change_chart_fetch_method
jan:e2e_tests_frontend
jan:ui-events-dynamic
jan:or-1666-finish-the-scim-integration
jan:dependabot/pip/dev/redis-6.2.0
jan:dependabot/pip/dev/uvicorn-standard--0.34.3
jan:patch/api-v1.22.0
jan:scim_server
jan:or-1915-ensure-enterprise-edition-can-be-run-locally-with-external
jan:patch/main/a2905fa8ed591e8bf8011d1ae0902cebe41945d6
jan:patch/main/681f57ca3b9bc465814deb536d2de4c9d81de104
jan:patch/main/8d6b57b5f9df6b0fd5d345e02e0641e059a8a3fd
jan:patch/main/c6f7de04cc2c5d9972addb764f5b578840bb97ca
jan:revert-3450-fix-new-card-data
jan:fix-new-card-data
jan:fix_incidents_layout
jan:dependabot/pip/ee/connectors/deploy/pip-8070fb41c8
jan:add_incident_event
jan:spot-testing
jan:patch/main/33fb8f16e0ae91cc23b622b64b7a29c7e54d9fc8
jan:add_node_count_warning_toast
jan:go_pa_charts
jan:fix_utils_webpack_error
jan:unit_testing_replay
jan:router-refactoring
jan:improve-network-121
jan:test-redis-consumer
jan:inliner-testing2
jan:tracker_events_throttling
jan:inliner-testing
jan:patch/main/71b7cca5697d74024c2643a3722784858f60a0be
jan:assist-api
jan:tracker-16.x.x
jan:patch/main/66b485cccffa3b9d93e4f432effac8a2ff3d171b
jan:or-2027-github-actions-create-patch-from-main-branch-auto-update
jan:patch/main/58da1d3f6433392e62c68361b999c12eed0038e7
jan:patch/main/39eb943b86387c01c3c7da3d25341996d22e9b10
jan:fix_events_highlight
jan:patch/main/fbe5d7827030dc091b7d70c730ceb7f2ba62fa76
jan:revert_update
jan:patch/main/9ed3cb1b7edae196dfdcc5ad8e90fb35895cf02d
jan:add_searched_events
jan:highlight_searched_events
jan:patch/main/d78b33dcd278f27c74ab716135dd6ad099b5b32e
jan:sunburst-chart
jan:patch/main/d922fc7ad51d6e32708a5b7ad023222abeb43dbc
jan:patch_frontend_inlineCss
jan:change_inlinecss_opts_view
jan:patch/main/3ba40a4811cde3374f748576c9528e9c587e1853
jan:change-ui-table
jan:fix-filters-v1.21
jan:patch/main/74ed29915bfa28a47025d1ea72aad7ef0f188fd5
jan:patch/main/0e469fd056e2d80146660cde8eb6e4a7a949e476
jan:timepicker-fix-zone
jan:observer-vtree
jan:patch-121-search
jan:actions-fix
jan:meta-tags
jan:fix-table-of-cards
jan:patch_frontend
jan:fix_event_sorting
jan:or-1928-clickhouse-enable-caching
jan:fix-table-of-cards-drilldown
jan:patch_assist
jan:assist_remote_canvas_control
jan:ui-cards-daterange
jan:fix-cards-try
jan:patch_assist_canvas
jan:assist_fix_canvas_clearing
jan:assist-server
jan:long-anim-task-ui-improvements
jan:assist_patch_canvas
jan:assist_fix_canvas_stream
jan:tracker-15.x.x
jan:local-coverage
jan:assist_patch
jan:updated_version
jan:test_turn
jan:fix-ee-check
jan:assist_with_sticky_sess
jan:assist_add_conference_call
jan:fix-cards-list
jan:patch_prod
jan:update_batch_writer
jan:network-panel-batcher-1.21
jan:assist_fix_session_not_found
jan:update_unshift_method_in_tracker
jan:fix-auth-forms
jan:add_pooling_to_ws_transport
jan:tracker-sdk
jan:ui-recaptcha
jan:fix_whitescreen_error
jan:assist-fetch-queue
jan:change_call_window_widget
jan:fix_locales
jan:ui_improves_for_localisation
jan:update_locales
jan:fix_localisation
jan:app-boot
jan:react-router-upgrade
jan:add_lokalisation
jan:actions_test
jan:workerless-tracker
jan:docs-links
jan:migrate_to_webrtc
jan:enable_conference_calls
jan:add_webrtc_socket_events_handling
jan:feature/add_webrtc_socket_events_handling
jan:improve/migrate_from_peerjs_to_webrtc
jan:event-analytics
jan:spot-testing-mp4
jan:scim_integration
jan:blog
jan:fix-G3001
jan:dev-image
jan:tracker-buffer-batching
jan:fix-conditional-capture
jan:filekey-preloader
jan:fix-ui-misc
jan:spot-network-mix
jan:api-pa-events-metrics
jan:fix-capture-rate
jan:live-se-red
jan:api-highlights
jan:ui-fix-password
jan:ui-projects
jan:fix-table-cards
jan:fix-ui-sessions-list
jan:mobile-gql
jan:devtools_for_mobile
jan:product-analytics-go
jan:dependabot/go_modules/backend/go_modules-f18a858995
jan:fix-funnel-clicks
jan:dependabot/npm_and_yarn/assist/npm_and_yarn-244ac6efb7
jan:expo-support
jan:fix-card-filters
jan:ui-webhook-allow-port
jan:fix-roles
jan:new_timeseries_view_type_mock
jan:fix-403-clear
jan:fix-session-search
jan:fix-assist-navigation
jan:fix-sessions-refresh
jan:fix-sessions-list
jan:cp-54abbe58a
jan:main-fix
jan:tracker-14.x.x
jan:version-endpoint
jan:service-analytics
jan:secret-rotation
jan:ui-sentry-update
jan:pnpm
jan:tracker-iframe-mem
jan:rtm-temp
jan:change-network-url
jan:fix-alerts
jan:correct_trim
jan:snyk-fix-a9d6aa889da95e84eadd3044b3c6728f
jan:snyk-fix-5679497c6fd9200b41f2264d6dc227c4
jan:cache-queries
jan:test_oauth
jan:oauthbutton
jan:ui-events-manage
jan:spots-tmp
jan:upgrade-test
jan:mobile-bucket-patch
jan:kafka-topics-patch
jan:revert-2402-fix-2399
jan:1.18-frontend-patch
jan:1.17.frontend-patch
jan:tracker-13.x.x
jan:snyk-fix-8df62ecfebc326517d8024161d3480f9
jan:log-maxHttpBufferSize-assist
jan:tracker-9.0.0
jan:temporary-frontent-build-patch
jan:tracker-12.x.x
jan:update_quickwit
jan:snyk-fix-d5842431700ced37b359849bf992cb3f
jan:gh-actions
jan:patch/msaas/frontend-v1.17.0
jan:recommendations-update
jan:snyk-fix-55f3c2a5d070af5495b7dc8c7920bbb0
jan:feat-api-async
jan:api-testing
jan:Keshav-Agarwal/main
jan:snyk-fix-cfdaab8ddf56f9cff49bc466b113485d
jan:snyk-fix-eebbed696f944ddbca56cf6da2adfdf5
jan:tracker-11.x.x
jan:snyk-fix-c5c818678695093fa19431cc304df63f
jan:redshift-connector-update-v3
jan:snyk-fix-5adc34a6b6f25c0d8d5d408e237209be
jan:tracker-10.x.x
jan:docker-compose
jan:quickwit-metrics
jan:pr-env
jan:v1.15.0-pr
jan:dev-pr-v1.14-changes
jan:main_v1.11.0
jan:revert-1196-main
jan:player-ref-ph3-drafts
jan:encryption-patch
jan:multibyte-message-type
jan:tmp-brach-to-delete
jan:clickhouse
jan:monitoring
jan:kafka-ssl-v1.6.0
jan:backend_ci_test
jan:backend-actions-fix
jan:installation-test
jan:testmigration
jan:helmchart
jan:dev-ios-temp
jan:api_insights
jan:kube-change-nfs
jan:heuristics
jan:v1.22.0
jan:v1.22.0-backup-20250530132247
jan:v1.22.0-backup-20250528201734
jan:v1.22.0-backup-20250528193843
jan:v1.21.0-backup-20250520130718
jan:v1.22.0.test
jan:v1.21.0-backup-20250424123357
jan:v1.21.0-backup-20250423140451
jan:v1.21.0-backup-20250423111109
jan:v1.21.0-backup-20250423105115
jan:v1.21.0-backup-20250520132858
jan:v1.21.0
jan:pre-v1.22.0
jan:v1.20.0
jan:pre-v1.21.0
jan:v1.20.0-backup-20250604101909
jan:pre-v1.20.0
jan:v1.19.0
jan:v1.18.0
jan:v1.17.0
jan:v0.5.0
jan:pre-v1.19.0
jan:argo
jan:pre_v1.18.0
jan:v1.14.0
jan:v1.15.0
jan:v1.10.0
jan:v1.16.0
jan:1.16.0
jan:v1.12.0
jan:v1.13.0
jan:v.1.14.0
jan:v1.11.0
jan:v1.9.0
jan:v1.8.1
jan:v1.8.0
jan:v1.7.0
jan:v1.6.0
jan:v1.5.4
jan:v1.5.3
jan:v1.5.2
jan:v1.5.1
jan:v1.5.0
jan:v1.4.0
jan:v1.3.6
jan:v1.3.5
jan:v1.3.0
jan:v1.2.0
jan:v1.1.0
jan:v1.0.0
Sign in to create a new pull request.

34 commits
main ... helmchart

Author SHA1 Message Date
Rajesh Rajendran
ea65c0e35a chore(helm): Adding default nginx ssl 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-22 13:13:41 +05:30
Rajesh Rajendran
c328548c31 chore(helm): Adding nginx-ingress commit 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-22 12:56:55 +05:30
Rajesh Rajendran
2370a4e8dc docs(values): comment for nginx redirect 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-22 12:55:55 +05:30
Rajesh Rajendran
eae1d6b763 removing duplicate helm chart 2021-12-22 12:49:48 +05:30
Rajesh Rajendran
975333c084 chore(dock): update the comments 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-22 12:47:00 +05:30
Rajesh Rajendran
4b1e9a69c9 docs(helm): example for overriding values. 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-19 11:24:17 +05:30
Rajesh Rajendran
8c2875c82d chore(helm): pinning http port for http service 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-19 11:07:35 +05:30
Rajesh Rajendran
90167a3046 fix(helm): image name 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-19 10:46:45 +05:30
Rajesh Rajendran
7d0670049a
fix(helm): templates 2021-12-19 10:32:53 +05:30
Rajesh Rajendran
fc82f0a976 chore(helm): update version 2021-12-18 22:49:58 +05:30
Rajesh Rajendran
7cf2700075 chore(helm): separate chart.yaml for all helm charts. 2021-12-18 22:44:25 +05:30
Rajesh Rajendran
68ccc5e7a4
chore(helm): cloning main branch 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-18 22:32:26 +05:30
Rajesh Rajendran
e479532dcc
chore(helm): sample override value 2021-12-18 22:28:21 +05:30
Rajesh Rajendran
c244d8d219 chore(helm): helm chart to install openreplay 2021-12-18 21:11:18 +05:30
Rajesh Rajendran
085b942ed1
fix(migration): kafka migration 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-14 15:09:19 +05:30
Rajesh Rajendran
8e47849275
chore(helm): kafka db upgrade 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 22:13:55 +05:30
Rajesh Rajendran
6bb87ffaa8
chore(clickhouse): ignore db errors 2021-12-12 21:08:39 +05:30
Rajesh Rajendran
81c7924a8d
fix(helm): inject env vars 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 21:04:06 +05:30
Rajesh Rajendran
8042cb2696
fix(helm): clickhouse port 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 20:57:04 +05:30
Rajesh Rajendran
b0e37e6c8f
chore(helm): enterprise migration 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 20:51:43 +05:30
Rajesh Rajendran
8ac4c7bdc4
chore(helm): add enterprise copy support 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 20:45:44 +05:30
Rajesh Rajendran
c2f8398a85
fix(helm): clickhouse upgrade script 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 20:08:17 +05:30
Rajesh Rajendran
7f1daf01c7 chore(helm): Adding ee charts 2021-12-12 18:59:02 +05:30
Rajesh Rajendran
443db93866
fix(uprade): version check 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 18:41:38 +05:30
Rajesh Rajendran
50feb5e2d3
chore(helm): db init scripts 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 17:56:23 +05:30
Rajesh Rajendran
9b37c25cf6
chore(helm): upgrade script 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 15:46:28 +05:30
Rajesh Rajendran
20a1a9f422
chore(helm): upgrade hook 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 11:45:34 +05:30
Rajesh Rajendran
cb1d9bb658
chore(dbMigrate): modularize the job 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 07:26:58 +05:30
Rajesh Rajendran
63b64b6120 chore(helm): pass fromVersion as command 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 06:14:14 +05:30
Rajesh Rajendran
911164e47a
chore(helm): database-migrate script 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 06:04:13 +05:30
Rajesh Rajendran
05ceca4c87
chore(helm): app chart 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-12 04:10:55 +05:30
Rajesh Rajendran
af029d59e4
chore(helm): global override file 
Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
 2021-12-11 16:09:50 +05:30
Rajesh Rajendran
5aa82a73e3
chore(values): update subchart information 2021-12-11 14:41:05 +05:30
Rajesh Rajendran
fe4147dda2
single db chart 2021-12-11 13:22:49 +05:30
324 changed files with 27889 additions and 0 deletions
Show stats Expand all files Collapse all files

23
ee/scripts/helm/helm/databases/charts/clickhouse/.helmignore Normal file
View file

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

23
ee/scripts/helm/helm/databases/charts/clickhouse/Chart.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: v2
name: clickhouse
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 1.16.0

62
ee/scripts/helm/helm/databases/charts/clickhouse/templates/_helpers.tpl Normal file
View file

@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "clickhouse.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "clickhouse.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "clickhouse.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "clickhouse.labels" -}}
helm.sh/chart: {{ include "clickhouse.chart" . }}
{{ include "clickhouse.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "clickhouse.selectorLabels" -}}
app.kubernetes.io/name: {{ include "clickhouse.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "clickhouse.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "clickhouse.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

19
ee/scripts/helm/helm/databases/charts/clickhouse/templates/service.yaml Normal file
View file

@ -0,0 +1,19 @@
apiVersion: v1
kind: Service
metadata:
name: clickhouse
labels:
{{- include "clickhouse.labels" . | nindent 4 }}
spec:
type: ClusterIP
ports:
- port: {{ .Values.service.webPort }}
targetPort: web
protocol: TCP
name: web
- port: {{ .Values.service.dataPort }}
targetPort: data
protocol: TCP
name: data
selector:
{{- include "clickhouse.selectorLabels" . | nindent 4 }}

12
ee/scripts/helm/helm/databases/charts/clickhouse/templates/serviceaccount.yaml Normal file
View file

@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "clickhouse.serviceAccountName" . }}
labels:
{{- include "clickhouse.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

69
ee/scripts/helm/helm/databases/charts/clickhouse/templates/statefulset.yaml Normal file
View file

@ -0,0 +1,69 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "clickhouse.fullname" . }}
labels:
{{- include "clickhouse.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
serviceName: {{ include "clickhouse.fullname" . }}
selector:
matchLabels:
{{- include "clickhouse.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "clickhouse.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "clickhouse.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
env:
{{- range $key, $value := .Values.env }}
- name: "{{ $key }}"
value: "{{ $value }}"
{{- end }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- containerPort: 9000
name: web
- containerPort: 8123
name: data
volumeMounts:
- name: ch-volume
mountPath: /var/lib/mydata
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumeClaimTemplates:
- metadata:
name: ch-volume
spec:
accessModes: [ "ReadWriteOnce" ]
resources:
requests:
storage: {{ .Values.storageSize }}

62
ee/scripts/helm/helm/databases/charts/clickhouse/values.yaml Normal file
View file

@ -0,0 +1,62 @@
# Default values for clickhouse.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: yandex/clickhouse-server
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "20.9"
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
env: {}
service:
webPort: 9000
dataPort: 8123
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
storageSize: 8G

21
ee/scripts/helm/helm/databases/charts/kafka/.helmignore Executable file
View file

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

22
ee/scripts/helm/helm/databases/charts/kafka/Chart.yaml Executable file
View file

@ -0,0 +1,22 @@
annotations:
category: Infrastructure
apiVersion: v1
appVersion: 2.6.0
description: Apache Kafka is a distributed streaming platform.
engine: gotpl
home: https://github.com/bitnami/charts/tree/master/bitnami/kafka
icon: https://bitnami.com/assets/stacks/kafka/img/kafka-stack-110x117.png
keywords:
- kafka
- zookeeper
- streaming
- producer
- consumer
maintainers:
- email: containers@bitnami.com
name: Bitnami
name: kafka
sources:
- https://github.com/bitnami/bitnami-docker-kafka
- https://kafka.apache.org/
version: 11.8.6

737
ee/scripts/helm/helm/databases/charts/kafka/README.md Executable file
View file

@ -0,0 +1,737 @@
# Kafka
[Kafka](https://www.kafka.org/) is a distributed streaming platform used for building real-time data pipelines and streaming apps. It is horizontally scalable, fault-tolerant, wicked fast, and runs in production in thousands of companies.
## TL;DR
```console
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install my-release bitnami/kafka
```
## Introduction
This chart bootstraps a [Kafka](https://github.com/bitnami/bitnami-docker-kafka) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
## Prerequisites
- Kubernetes 1.12+
- Helm 2.12+ or Helm 3.0-beta3+
- PV provisioner support in the underlying infrastructure
## Installing the Chart
To install the chart with the release name `my-release`:
```console
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install my-release bitnami/kafka
```
These commands deploy Kafka on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Parameters
The following tables lists the configurable parameters of the Kafka chart and their default values per section/component:
### Global parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `global.imageRegistry` | Global Docker image registry | `nil` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `global.storageClass` | Global storage class for dynamic provisioning | `nil` |
### Common parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `nameOverride` | String to partially override kafka.fullname | `nil` |
| `fullnameOverride` | String to fully override kafka.fullname | `nil` |
| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` |
| `commonLabels` | Labels to add to all deployed objects | `{}` |
| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
| `extraDeploy` | Array of extra objects to deploy with the release | `nil` (evaluated as a template) |
### Kafka parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `image.registry` | Kafka image registry | `docker.io` |
| `image.repository` | Kafka image name | `bitnami/kafka` |
| `image.tag` | Kafka image tag | `{TAG_NAME}` |
| `image.pullPolicy` | Kafka image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `image.debug` | Set to true if you would like to see extra information on logs | `false` |
| `config` | Configuration file for Kafka. Auto-generated based on other parameters when not specified | `nil` |
| `existingConfigmap` | Name of existing ConfigMap with Kafka configuration | `nil` |
| `log4j` | An optional log4j.properties file to overwrite the default of the Kafka brokers. | `nil` |
| `existingLog4jConfigMap` | The name of an existing ConfigMap containing a log4j.properties file. | `nil` |
| `heapOpts` | Kafka's Java Heap size | `-Xmx1024m -Xms1024m` |
| `deleteTopicEnable` | Switch to enable topic deletion or not | `false` |
| `autoCreateTopicsEnable` | Switch to enable auto creation of topics. Enabling auto creation of topics not recommended for production or similar environments | `false` |
| `logFlushIntervalMessages` | The number of messages to accept before forcing a flush of data to disk | `10000` |
| `logFlushIntervalMs` | The maximum amount of time a message can sit in a log before we force a flush | `1000` |
| `logRetentionBytes` | A size-based retention policy for logs | `_1073741824` |
| `logRetentionCheckIntervalMs` | The interval at which log segments are checked to see if they can be deleted | `300000` |
| `logRetentionHours` | The minimum age of a log file to be eligible for deletion due to age | `168` |
| `logSegmentBytes` | The maximum size of a log segment file. When this size is reached a new log segment will be created | `_1073741824` |
| `logsDirs` | A comma separated list of directories under which to store log files | `/bitnami/kafka/data` |
| `maxMessageBytes` | The largest record batch size allowed by Kafka | `1000012` |
| `defaultReplicationFactor` | Default replication factors for automatically created topics | `1` |
| `offsetsTopicReplicationFactor` | The replication factor for the offsets topic | `1` |
| `transactionStateLogReplicationFactor` | The replication factor for the transaction topic | `1` |
| `transactionStateLogMinIsr` | Overridden min.insync.replicas config for the transaction topic | `1` |
| `numIoThreads` | The number of threads doing disk I/O | `8` |
| `numNetworkThreads` | The number of threads handling network requests | `3` |
| `numPartitions` | The default number of log partitions per topic | `1` |
| `numRecoveryThreadsPerDataDir` | The number of threads per data directory to be used for log recovery at startup and flushing at shutdown | `1` |
| `socketReceiveBufferBytes` | The receive buffer (SO_RCVBUF) used by the socket server | `102400` |
| `socketRequestMaxBytes` | The maximum size of a request that the socket server will accept (protection against OOM) | `_104857600` |
| `socketSendBufferBytes` | The send buffer (SO_SNDBUF) used by the socket server | `102400` |
| `zookeeperConnectionTimeoutMs` | Timeout in ms for connecting to Zookeeper | `6000` |
| `extraEnvVars` | Extra environment variables to add to kafka pods | `[]` |
| `extraVolumes` | Extra volume(s) to add to Kafka statefulset | `[]` |
| `extraVolumeMounts` | Extra volumeMount(s) to add to Kafka containers | `[]` |
| `auth.clientProtocol` | Authentication protocol for communications with clients. Allowed protocols: `plaintext`, `tls`, `mtls`, `sasl` and `sasl_tls` | `plaintext` |
| `auth.interBrokerProtocol` | Authentication protocol for inter-broker communications. Allowed protocols: `plaintext`, `tls`, `mtls`, `sasl` and `sasl_tls` | `plaintext` |
| `auth.saslMechanisms` | SASL mechanisms when either `auth.interBrokerProtocol` or `auth.clientProtocol` are `sasl`. Allowed types: `plain`, `scram-sha-256`, `scram-sha-512` | `plain,scram-sha-256,scram-sha-512` |
| `auth.saslInterBrokerMechanism` | SASL mechanism to use as inter broker protocol, it must be included at `auth.saslMechanisms` | `plain` |
| `auth.jksSecret` | Name of the existing secret containing the truststore and one keystore per Kafka broker you have in the cluster | `nil` |
| `auth.jksPassword` | Password to access the JKS files when they are password-protected | `nil` |
| `auth.tlsEndpointIdentificationAlgorithm` | The endpoint identification algorithm to validate server hostname using server certificate | `https` |
| `auth.jaas.interBrokerUser` | Kafka inter broker communication user for SASL authentication | `admin` |
| `auth.jaas.interBrokerPassword` | Kafka inter broker communication password for SASL authentication | `nil` |
| `auth.jaas.zookeeperUser` | Kafka Zookeeper user for SASL authentication | `nil` |
| `auth.jaas.zookeeperPassword` | Kafka Zookeeper password for SASL authentication | `nil` |
| `auth.jaas.existingSecret` | Name of the existing secret containing credentials for brokerUser, interBrokerUser and zookeeperUser | `nil` |
| `auth.jaas.clientUsers` | List of Kafka client users to be created, separated by commas. This values will override `auth.jaas.clientUser` | `[]` |
| `auth.jaas.clientPasswords` | List of passwords for `auth.jaas.clientUsers`. It is mandatory to provide the passwords when using `auth.jaas.clientUsers` | `[]` |
| `listeners` | The address(es) the socket server listens on. Auto-calculated it's set to an empty array | `[]` |
| `advertisedListeners` | The address(es) (hostname:port) the broker will advertise to producers and consumers. Auto-calculated it's set to an empty array | `[]` |
| `listenerSecurityProtocolMap` | The protocol->listener mapping. Auto-calculated it's set to nil | `nil` |
| `allowPlaintextListener` | Allow to use the PLAINTEXT listener | `true` |
| `interBrokerListenerName` | The listener that the brokers should communicate on | `INTERNAL` |
### Statefulset parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `replicaCount` | Number of Kafka nodes | `1` |
| `updateStrategy` | Update strategy for the stateful set | `RollingUpdate` |
| `rollingUpdatePartition` | Partition update strategy | `nil` |
| `podLabels` | Kafka pod labels | `{}` (evaluated as a template) |
| `podAnnotations` | Kafka Pod annotations | `{}` (evaluated as a template) |
| `affinity` | Affinity for pod assignment | `{}` (evaluated as a template) |
| `priorityClassName` | Name of the existing priority class to be used by kafka pods | `""` |
| `nodeSelector` | Node labels for pod assignment | `{}` (evaluated as a template) |
| `tolerations` | Tolerations for pod assignment | `[]` (evaluated as a template) |
| `podSecurityContext` | Kafka pods' Security Context | `{}` |
| `containerSecurityContext` | Kafka containers' Security Context | `{}` |
| `resources.limits` | The resources limits for Kafka containers | `{}` |
| `resources.requests` | The requested resources for Kafka containers | `{}` |
| `livenessProbe` | Liveness probe configuration for Kafka | `Check values.yaml file` |
| `readinessProbe` | Readiness probe configuration for Kafka | `Check values.yaml file` |
| `customLivenessProbe` | Custom Liveness probe configuration for Kafka | `{}` |
| `customReadinessProbe` | Custom Readiness probe configuration for Kafka | `{}` |
| `pdb.create` | Enable/disable a Pod Disruption Budget creation | `false` |
| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `nil` |
| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `1` |
| `command` | Override kafka container command | `['/scripts/setup.sh']` (evaluated as a template) |
| `args` | Override kafka container arguments | `[]` (evaluated as a template) |
| `sidecars` | Attach additional sidecar containers to the Kafka pod | `{}` |
### Exposure parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.port` | Kafka port for client connections | `9092` |
| `service.internalPort` | Kafka port for inter-broker connections | `9093` |
| `service.externalPort` | Kafka port for external connections | `9094` |
| `service.nodePorts.client` | Nodeport for client connections | `""` |
| `service.nodePorts.external` | Nodeport for external connections | `""` |
| `service.loadBalancerIP` | loadBalancerIP for Kafka Service | `nil` |
| `service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` |
| `service.annotations` | Service annotations | `{}`(evaluated as a template) |
| `externalAccess.enabled` | Enable Kubernetes external cluster access to Kafka brokers | `false` |
| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs/ports by querying the K8s API | `false` |
| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry (kubectl) | `docker.io` |
| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image name (kubectl) | `bitnami/kubectl` |
| `externalAccess.autoDiscovery.image.tag` | Init container auto-discovery image tag (kubectl) | `{TAG_NAME}` |
| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy (kubectl) | `Always` |
| `externalAccess.autoDiscovery.resources.limits` | Init container auto-discovery resource limits | `{}` |
| `externalAccess.autoDiscovery.resources.requests` | Init container auto-discovery resource requests | `{}` |
| `externalAccess.service.type` | Kubernetes Service type for external access. It can be NodePort or LoadBalancer | `LoadBalancer` |
| `externalAccess.service.port` | Kafka port used for external access when service type is LoadBalancer | `9094` |
| `externalAccess.service.loadBalancerIPs` | Array of load balancer IPs for Kafka brokers | `[]` |
| `externalAccess.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` |
| `externalAccess.service.domain` | Domain or external ip used to configure Kafka external listener when service type is NodePort | `nil` |
| `externalAccess.service.nodePorts` | Array of node ports used to configure Kafka external listener when service type is NodePort | `[]` |
| `externalAccess.service.annotations` | Service annotations for external access | `{}`(evaluated as a template) |
### Persistence parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `persistence.enabled` | Enable Kafka data persistence using PVC, note that Zookeeper persistence is unaffected | `true` |
| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template | `nil` |
| `persistence.storageClass` | PVC Storage Class for Kafka data volume | `nil` |
| `persistence.accessMode` | PVC Access Mode for Kafka data volume | `ReadWriteOnce` |
| `persistence.size` | PVC Storage Request for Kafka data volume | `8Gi` |
| `persistence.annotations` | Annotations for the PVC | `{}`(evaluated as a template) |
### RBAC parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `serviceAccount.create` | Enable creation of ServiceAccount for Kafka pods | `true` |
| `serviceAccount.name` | Name of the created serviceAccount | Generated using the `kafka.fullname` template |
| `rbac.create` | Weather to create & use RBAC resources or not | `false` |
### Volume Permissions parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` |
| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` |
### Metrics parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `metrics.kafka.enabled` | Whether or not to create a standalone Kafka exporter to expose Kafka metrics | `false` |
| `metrics.kafka.image.registry` | Kafka exporter image registry | `docker.io` |
| `metrics.kafka.image.repository` | Kafka exporter image name | `bitnami/kafka-exporter` |
| `metrics.kafka.image.tag` | Kafka exporter image tag | `{TAG_NAME}` |
| `metrics.kafka.image.pullPolicy` | Kafka exporter image pull policy | `IfNotPresent` |
| `metrics.kafka.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `metrics.kafka.extraFlags` | Extra flags to be passed to Kafka exporter | `{}` |
| `metrics.kafka.certificatesSecret` | Name of the existing secret containing the optional certificate and key files | `nil` |
| `metrics.kafka.resources.limits` | Kafka Exporter container resource limits | `{}` |
| `metrics.kafka.resources.requests` | Kafka Exporter container resource requests | `{}` |
| `metrics.kafka.service.type` | Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) for Kafka Exporter | `ClusterIP` |
| `metrics.kafka.service.port` | Kafka Exporter Prometheus port | `9308` |
| `metrics.kafka.service.nodePort` | Kubernetes HTTP node port | `""` |
| `metrics.kafka.service.annotations` | Annotations for Prometheus metrics service | `Check values.yaml file` |
| `metrics.kafka.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` |
| `metrics.kafka.service.clusterIP` | Static clusterIP or None for headless services | `nil` |
| `metrics.jmx.enabled` | Whether or not to expose JMX metrics to Prometheus | `false` |
| `metrics.jmx.image.registry` | JMX exporter image registry | `docker.io` |
| `metrics.jmx.image.repository` | JMX exporter image name | `bitnami/jmx-exporter` |
| `metrics.jmx.image.tag` | JMX exporter image tag | `{TAG_NAME}` |
| `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` |
| `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `metrics.jmx.resources.limits` | JMX Exporter container resource limits | `{}` |
| `metrics.jmx.resources.requests` | JMX Exporter container resource requests | `{}` |
| `metrics.jmx.service.type` | Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) for JMX Exporter | `ClusterIP` |
| `metrics.jmx.service.port` | JMX Exporter Prometheus port | `5556` |
| `metrics.jmx.service.nodePort` | Kubernetes HTTP node port | `""` |
| `metrics.jmx.service.annotations` | Annotations for Prometheus metrics service | `Check values.yaml file` |
| `metrics.jmx.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` |
| `metrics.jmx.service.clusterIP` | Static clusterIP or None for headless services | `nil` |
| `metrics.jmx.whitelistObjectNames` | Allows setting which JMX objects you want to expose to via JMX stats to JMX Exporter | (see `values.yaml`) |
| `metrics.jmx.config` | Configuration file for JMX exporter | (see `values.yaml`) |
| `metrics.jmx.existingConfigmap` | Name of existing ConfigMap with JMX exporter configuration | `nil` |
| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (requires `metrics.kafka.enabled` or `metrics.jmx.enabled` to be `true`) | `false` |
| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `monitoring` |
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `nil` |
| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `nil` (Prometheus Operator default value) |
| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `nil` (Prometheus Operator default value) |
### Zookeeper chart parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `zookeeper.enabled` | Switch to enable or disable the Zookeeper helm chart | `true` |
| `zookeeper.persistence.enabled` | Enable Zookeeper persistence using PVC | `true` |
| `externalZookeeper.servers` | Server or list of external Zookeeper servers to use | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
helm install my-release \
--set replicaCount=3 \
bitnami/kafka
```
The above command deploys Kafka with 3 brokers (replicas).
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```console
helm install my-release -f values.yaml bitnami/kafka
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Production configuration and horizontal scaling
This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one.
- Number of Kafka nodes:
```diff
- replicaCount: 1
+ replicaCount: 3
```
- Allow to use the PLAINTEXT listener:
```diff
- allowPlaintextListener: true
+ allowPlaintextListener: false
```
- Default replication factors for automatically created topics:
```diff
- defaultReplicationFactor: 1
+ defaultReplicationFactor: 3
```
- Allow auto creation of topics.
```diff
- autoCreateTopicsEnable: true
+ autoCreateTopicsEnable: false
```
- The replication factor for the offsets topic:
```diff
- offsetsTopicReplicationFactor: 1
+ offsetsTopicReplicationFactor: 3
```
- The replication factor for the transaction topic:
```diff
- transactionStateLogReplicationFactor: 1
+ transactionStateLogReplicationFactor: 3
```
- Overridden min.insync.replicas config for the transaction topic:
```diff
- transactionStateLogMinIsr: 1
+ transactionStateLogMinIsr: 3
```
- Switch to enable the Kafka SASAL authentication on client and inter-broker communications:
```diff
- auth.clientProtocol: plaintext
+ auth.clientProtocol: sasl
- auth.interBrokerProtocol: plaintext
+ auth.interBrokerProtocol: sasl
```
- Enable Zookeeper authentication:
```diff
+ auth.jaas.zookeeperUser: zookeeperUser
+ auth.jaas.zookeeperPassword: zookeeperPassword
- zookeeper.auth.enabled: false
+ zookeeper.auth.enabled: true
+ zookeeper.auth.clientUser: zookeeperUser
+ zookeeper.auth.clientPassword: zookeeperPassword
+ zookeeper.auth.serverUsers: zookeeperUser
+ zookeeper.auth.serverPasswords: zookeeperPassword
```
- Enable Pod Disruption Budget:
```diff
- pdb.create: false
+ pdb.create: true
```
- Create a separate Kafka metrics exporter:
```diff
- metrics.kafka.enabled: false
+ metrics.kafka.enabled: true
```
- Expose JMX metrics to Prometheus:
```diff
- metrics.jmx.enabled: false
+ metrics.jmx.enabled: true
```
- Enable Zookeeper metrics:
```diff
+ zookeeper.metrics.enabled: true
```
To horizontally scale this chart once it has been deployed, you can upgrade the statefulset using a new value for the `replicaCount` parameter. Please note that, when enabling TLS encryption, you must update your JKS secret including the keystore for the new replicas.
### Setting custom parameters
Any environment variable beginning with `KAFKA_CFG_` will be mapped to its corresponding Kafka key. For example, use `KAFKA_CFG_BACKGROUND_THREADS` in order to set `background.threads`. In order to pass custom environment variables use the `extraEnvVars` property.
### Listeners configuration
This chart allows you to automatically configure Kafka with 3 listeners:
- One for inter-broker communications.
- A second one for communications with clients within the K8s cluster.
- (optional) a third listener for communications with clients outside the K8s cluster. Check [this section](#accessing-kafka-brokers-from-outside-the-clusters) for more information.
For more complex configurations, set the `listeners`, `advertisedListeners` and `listenerSecurityProtocolMap` parameters as needed.
### Enable security for Kafka and Zookeeper
You can configure different authentication protocols for each listener you configure in Kafka. For instance, you can use `sasl_tls` authentication for client communications, while using `tls` for inter-broker communications. This table shows the available protocols and the security they provide:
| Method | Authentication | Encryption via TLS |
|-----------|-------------------------------|--------------------|
| plaintext | None | No |
| tls | None | Yes |
| mtls | Yes (two-way authentication) | Yes |
| sasl | Yes (via SASL) | No |
| sasl_tls | Yes (via SASL) | Yes |
If you enabled SASL authentication on any listener, you can set the SASL credentials using the parameters below:
- `auth.jaas.clientUsers`/`auth.jaas.clientPasswords`: when enabling SASL authentication for communications with clients.
- `auth.jaas.interBrokerUser`/`auth.jaas.interBrokerPassword`: when enabling SASL authentication for inter-broker communications.
- `auth.jaas.zookeeperUser`/`auth.jaas.zookeeperPassword`: In the case that the Zookeeper chart is deployed with SASL authentication enabled.
In order to configure TLS authentication/encryption, you **must** create a secret containing the Java Key Stores (JKS) files: the truststore (`kafka.truststore.jks`) and one keystore (`kafka.keystore.jks`) per Kafka broker you have in the cluster. Then, you need pass the secret name with the `--auth.jksSecret` parameter when deploying the chart.
> **Note**: If the JKS files are password protected (recommended), you will need to provide the password to get access to the keystores. To do so, use the `auth.jksPassword` parameter to provide your password.
For instance, to configure TLS authentication on a Kafka cluster with 2 Kafka brokers use the command below to create the secret:
```console
kubectl create secret generic kafka-jks --from-file=./kafka.truststore.jks --from-file=./kafka-0.keystore.jks --from-file=./kafka-1.keystore.jks
```
> **Note**: the command above assumes you already created the trustore and keystores files. This [script](https://raw.githubusercontent.com/confluentinc/confluent-platform-security-tools/master/kafka-generate-ssl.sh) can help you with the JKS files generation.
As an alternative to manually create the secret before installing the chart, you can put your JKS files inside the chart folder `files/jks`, an a secret including them will be generated. Please note this alternative requires to have the chart downloaded locally, so you will have to clone this repository or fetch the chart before installing it.
You can deploy the chart with authentication using the following parameters:
```console
replicaCount=2
auth.clientProtocol=sasl
auth.interBrokerProtocol=tls
auth.certificatesSecret=kafka-jks
auth.certificatesPassword=jksPassword
auth.jaas.clientUsers[0]=brokerUser
auth.jaas.clientPassword[0]=brokerPassword
auth.jaas.zookeeperUser=zookeeperUser
auth.jaas.zookeeperPassword=zookeeperPassword
zookeeper.auth.enabled=true
zookeeper.auth.serverUsers=zookeeperUser
zookeeper.auth.serverPasswords=zookeeperPassword
zookeeper.auth.clientUser=zookeeperUser
zookeeper.auth.clientPassword=zookeeperPassword
```
If you also enable exposing metrics using the Kafka expoter, and you are using `sasl_tls`, `tls`, or `mtls` authentication protocols, you need to mount the CA certificated used to sign the brokers certificates in the exporter so it can validate the Kafka brokers. To do so, create a secret containing the CA, and set the `metrics.certificatesSecret` parameter. As an alternative, you can skip TLS validation using extra flags:
```console
metrics.kafka.extraFlags={tls.insecure-skip-tls-verify: ""}
```
### Accessing Kafka brokers from outside the cluster
In order to access Kafka Brokers from outside the cluster, an additional listener and advertised listener must be configured. Additionally, a specific service per kafka pod will be created.
There are two ways of configuring external access. Using LoadBalancer services or using NodePort services.
#### Using LoadBalancer services
You have two alternatives to use LoadBalancer services:
- Option A) Use random load balancer IPs using an **initContainer** that waits for the IPs to be ready and discover them automatically.
```console
externalAccess.enabled=true
externalAccess.service.type=LoadBalancer
externalAccess.service.port=9094
externalAccess.autoDiscovery.enabled=true
serviceAccount.create=true
rbac.create=true
```
Note: This option requires creating RBAC rules on clusters where RBAC policies are enabled.
- Option B) Manually specify the load balancer IPs:
```console
externalAccess.enabled=true
externalAccess.service.type=LoadBalancer
externalAccess.service.port=9094
externalAccess.service.loadBalancerIPs[0]='external-ip-1'
externalAccess.service.loadBalancerIPs[1]='external-ip-2'}
```
Note: You need to know in advance the load balancer IPs so each Kafka broker advertised listener is configured with it.
#### Using NodePort services
You have two alternatives to use NodePort services:
- Option A) Use random node ports using an **initContainer** that discover them automatically.
```console
externalAccess.enabled=true
externalAccess.service.type=NodePort
externalAccess.autoDiscovery.enabled=true
serviceAccount.create=true
rbac.create=true
```
Note: This option requires creating RBAC rules on clusters where RBAC policies are enabled.
- Option B) Manually specify the node ports:
```console
externalAccess.enabled=true
externalAccess.service.type=NodePort
externalAccess.serivce.nodePorts[0]='node-port-1'
externalAccess.serivce.nodePorts[1]='node-port-2'
```
Note: You need to know in advance the node ports that will be exposed so each Kafka broker advertised listener is configured with it.
The pod will try to get the external ip of the node using `curl -s https://ipinfo.io/ip` unless `externalAccess.service.domain` is provided.
Following the aforementioned steps will also allow to connect the brokers from the outside using the cluster's default service (when `service.type` is `LoadBalancer` or `NodePort`). Use the property `service.externalPort` to specify the port used for external connections.
### Sidecars
If you have a need for additional containers to run within the same pod as Kafka (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
```yaml
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
### Deploying extra resources
There are cases where you may want to deploy extra objects, such as Kafka Connect. For covering this case, the chart allows adding the full specification of other objects using the `extraDeploy` parameter. The following example would create a deployment including a Kafka Connect deployment so you can connect Kafka with MongoDB:
```yaml
## Extra objects to deploy (value evaluated as a template)
##
extraDeploy: |-
- apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kafka.fullname" . }}-connect
labels: {{- include "kafka.labels" . | nindent 6 }}
app.kubernetes.io/component: connector
spec:
replicas: 1
selector:
matchLabels: {{- include "kafka.matchLabels" . | nindent 8 }}
app.kubernetes.io/component: connector
template:
metadata:
labels: {{- include "kafka.labels" . | nindent 10 }}
app.kubernetes.io/component: connector
spec:
containers:
- name: connect
image: KAFKA-CONNECT-IMAGE
imagePullPolicy: IfNotPresent
ports:
- name: connector
containerPort: 8083
volumeMounts:
- name: configuration
mountPath: /opt/bitnami/kafka/config
volumes:
- name: configuration
configMap:
name: {{ include "kafka.fullname" . }}-connect
- apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "kafka.fullname" . }}-connect
labels: {{- include "kafka.labels" . | nindent 6 }}
app.kubernetes.io/component: connector
data:
connect-standalone.properties: |-
bootstrap.servers = {{ include "kafka.fullname" . }}-0.{{ include "kafka.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.service.port }}
...
mongodb.properties: |-
connection.uri=mongodb://root:password@mongodb-hostname:27017
...
- apiVersion: v1
kind: Service
metadata:
name: {{ include "kafka.fullname" . }}-connect
labels: {{- include "kafka.labels" . | nindent 6 }}
app.kubernetes.io/component: connector
spec:
ports:
- protocol: TCP
port: 8083
targetPort: connector
selector: {{- include "kafka.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: connector
```
You can create the Kafka Connect image using the Dockerfile below:
```Dockerfile
FROM bitnami/kafka:latest
# Download MongoDB Connector for Apache Kafka https://www.confluent.io/hub/mongodb/kafka-connect-mongodb
RUN mkdir -p /opt/bitnami/kafka/plugins && \
cd /opt/bitnami/kafka/plugins && \
curl --remote-name --location --silent https://search.maven.org/remotecontent?filepath=org/mongodb/kafka/mongo-kafka-connect/1.2.0/mongo-kafka-connect-1.2.0-all.jar
CMD /opt/bitnami/kafka/bin/connect-standalone.sh /opt/bitnami/kafka/config/connect-standalone.properties /opt/bitnami/kafka/config/mongo.properties
```
## Persistence
The [Bitnami Kafka](https://github.com/bitnami/bitnami-docker-kafka) image stores the Kafka data at the `/bitnami/kafka` path of the container.
Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. See the [Parameters](#persistence-parameters) section to configure the PVC or to disable persistence.
### Adjust permissions of persistent volume mountpoint
As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it.
By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions.
As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination.
You can enable this initContainer by setting `volumePermissions.enabled` to `true`.
## Upgrading
### To 11.8.0
External access to brokers can now be archived through the cluster's Kafka service.
- `service.nodePort` -> deprecated in favor of `service.nodePorts.client` and `service.nodePorts.external`
### To 11.7.0
The way to configure the users and passwords changed. Now it is allowed to create multiple users during the installation by providing the list of users and passwords.
- `auth.jaas.clientUser` (string) -> deprecated in favor of `auth.jaas.clientUsers` (array).
- `auth.jaas.clientPassword` (string) -> deprecated in favor of `auth.jaas.clientPasswords` (array).
### To 11.0.0
The way to configure listeners and authentication on Kafka is totally refactored allowing users to configure different authentication protocols on different listeners. Please check the sections [Listeners Configuration](listeners-configuration) and [Listeners Configuration](enable-kafka-for-kafka-and-zookeeper) for more information.
Backwards compatibility is not guaranteed you adapt your values.yaml to the new format. Here you can find some parameters that were renamed or disappeared in favor of new ones on this major version:
- `auth.enabled` -> deprecated in favor of `auth.clientProtocol` and `auth.interBrokerProtocol` parameters.
- `auth.ssl` -> deprecated in favor of `auth.clientProtocol` and `auth.interBrokerProtocol` parameters.
- `auth.certificatesSecret` -> renamed to `auth.jksSecret`.
- `auth.certificatesPassword` -> renamed to `auth.jksPassword`.
- `sslEndpointIdentificationAlgorithm` -> renamedo to `auth.tlsEndpointIdentificationAlgorithm`.
- `auth.interBrokerUser` -> renamed to `auth.jaas.interBrokerUser`
- `auth.interBrokerPassword` -> renamed to `auth.jaas.interBrokerPassword`
- `auth.zookeeperUser` -> renamed to `auth.jaas.zookeeperUser`
- `auth.zookeeperPassword` -> renamed to `auth.jaas.zookeeperPassword`
- `auth.existingSecret` -> renamed to `auth.jaas.existingSecret`
- `service.sslPort` -> deprecated in favor of `service.internalPort`
- `service.nodePorts.kafka` and `service.nodePorts.ssl` -> deprecated in favor of `service.nodePort`
- `metrics.kafka.extraFlag` -> new parameter
- `metrics.kafka.certificatesSecret` -> new parameter
### To 10.0.0
If you are setting the `config` or `log4j` parameter, backwards compatibility is not guaranteed, because the `KAFKA_MOUNTED_CONFDIR` has moved from `/opt/bitnami/kafka/conf` to `/bitnami/kafka/config`. In order to continue using these parameters, you must also upgrade your image to `docker.io/bitnami/kafka:2.4.1-debian-10-r38` or later.
### To 9.0.0
Backwards compatibility is not guaranteed you adapt your values.yaml to the new format. Here you can find some parameters that were renamed on this major version:
```diff
- securityContext.enabled
- securityContext.fsGroup
- securityContext.fsGroup
+ podSecurityContext
- externalAccess.service.loadBalancerIP
+ externalAccess.service.loadBalancerIPs
- externalAccess.service.nodePort
+ externalAccess.service.nodePorts
- metrics.jmx.configMap.enabled
- metrics.jmx.configMap.overrideConfig
+ metrics.jmx.config
- metrics.jmx.configMap.overrideName
+ metrics.jmx.existingConfigmap
```
Ports names were prefixed with the protocol to comply with Istio (see https://istio.io/docs/ops/deployment/requirements/).
### To 8.0.0
There is not backwards compatibility since the brokerID changes to the POD_NAME. For more information see [this PR](https://github.com/bitnami/charts/pull/2028).
### To 7.0.0
Backwards compatibility is not guaranteed when Kafka metrics are enabled, unless you modify the labels used on the exporter deployments.
Use the workaround below to upgrade from versions previous to 7.0.0. The following example assumes that the release name is kafka:
```console
helm upgrade kafka bitnami/kafka --version 6.1.8 --set metrics.kafka.enabled=false
helm upgrade kafka bitnami/kafka --version 7.0.0 --set metrics.kafka.enabled=true
```
### To 2.0.0
Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
Use the workaround below to upgrade from versions previous to 2.0.0. The following example assumes that the release name is kafka:
```console
kubectl delete statefulset kafka-kafka --cascade=false
kubectl delete statefulset kafka-zookeeper --cascade=false
```
### To 1.0.0
Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
Use the workaround below to upgrade from versions previous to 1.0.0. The following example assumes that the release name is kafka:
```console
kubectl delete statefulset kafka-kafka --cascade=false
kubectl delete statefulset kafka-zookeeper --cascade=false
```

21
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/.helmignore Executable file
View file

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

20
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/Chart.yaml Executable file
View file

@ -0,0 +1,20 @@
annotations:
category: Infrastructure
apiVersion: v1
appVersion: 3.6.2
description: A centralized service for maintaining configuration information, naming,
providing distributed synchronization, and providing group services for distributed
applications.
engine: gotpl
home: https://github.com/bitnami/charts/tree/master/bitnami/zookeeper
icon: https://bitnami.com/assets/stacks/zookeeper/img/zookeeper-stack-110x117.png
keywords:
- zookeeper
maintainers:
- email: containers@bitnami.com
name: Bitnami
name: zookeeper
sources:
- https://github.com/bitnami/bitnami-docker-zookeeper
- https://zookeeper.apache.org/
version: 5.21.9

297
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/README.md Executable file
View file

@ -0,0 +1,297 @@
# ZooKeeper
[ZooKeeper](https://zookeeper.apache.org/) is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services. All of these kinds of services are used in some form or other by distributed applications.
## TL;DR
```console
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/zookeeper
```
## Introduction
This chart bootstraps a [ZooKeeper](https://github.com/bitnami/bitnami-docker-zookeeper) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
## Prerequisites
- Kubernetes 1.12+
- Helm 2.12+ or Helm 3.0-beta3+
- PV provisioner support in the underlying infrastructure
## Installing the Chart
To install the chart with the release name `my-release`:
```console
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/zookeeper
```
These commands deploy ZooKeeper on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Parameters
The following tables lists the configurable parameters of the ZooKeeper chart and their default values per section/component:
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `global.imageRegistry` | Global Docker image registry | `nil` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `global.storageClass` | Global storage class for dynamic provisioning | `nil` |
### Common parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `nameOverride` | String to partially override zookeeper.fullname | `nil` |
| `fullnameOverride` | String to fully override zookeeper.fullname | `nil` |
| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` |
| `commonLabels` | Labels to add to all deployed objects | `{}` |
| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
| `schedulerName` | Kubernetes pod scheduler registry | `nil` (use the default-scheduler) |
### Zookeeper chart parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `image.registry` | ZooKeeper image registry | `docker.io` |
| `image.repository` | ZooKeeper Image name | `bitnami/zookeeper` |
| `image.tag` | ZooKeeper Image tag | `{TAG_NAME}` |
| `image.pullPolicy` | ZooKeeper image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `image.debug` | Specify if debug values should be set | `false` |
| `tickTime` | Basic time unit in milliseconds used by ZooKeeper for heartbeats | `2000` |
| `initLimit` | Time the ZooKeeper servers in quorum have to connect to a leader | `10` |
| `syncLimit` | How far out of date a server can be from a leader | `5` |
| `maxClientCnxns` | Number of concurrent connections that a single client may make to a single member | `60` |
| `maxSessionTimeout` | Maximum session timeout in milliseconds that the server will allow the client to negotiate. | `40000` |
| `autopurge.snapRetainCount` | Number of retains snapshots for autopurge | `3` |
| `autopurge.purgeInterval` | The time interval in hours for which the purge task has to be triggered | `0` |
| `fourlwCommandsWhitelist` | A list of comma separated Four Letter Words commands to use | `srvr, mntr` |
| `listenOnAllIPs` | Allow Zookeeper to listen for connections from its peers on all available IP addresses. | `false` |
| `allowAnonymousLogin` | Allow to accept connections from unauthenticated users | `yes` |
| `auth.existingSecret` | Use existing secret (ignores previous password) | `nil` |
| `auth.enabled` | Enable ZooKeeper auth | `false` |
| `auth.clientUser` | User that will use ZooKeeper clients to auth | `nil` |
| `auth.clientPassword` | Password that will use ZooKeeper clients to auth | `nil` |
| `auth.serverUsers` | List of user to be created | `nil` |
| `auth.serverPasswords` | List of passwords to assign to users when created | `nil` |
| `heapSize` | Size in MB for the Java Heap options (Xmx and XMs) | `[]` |
| `logLevel` | Log level of ZooKeeper server | `ERROR` |
| `jvmFlags` | Default JVMFLAGS for the ZooKeeper process | `nil` |
| `config` | Configure ZooKeeper with a custom zoo.conf file | `nil` |
| `dataLogDir` | Data log directory | `""` |
### Statefulset parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `replicaCount` | Number of ZooKeeper nodes | `1` |
| `updateStrategy` | Update strategy for the statefulset | `RollingUpdate` |
| `rollingUpdatePartition` | Partition update strategy | `nil` |
| `podManagementPolicy` | Pod management policy | `Parallel` |
| `podLabels` | ZooKeeper pod labels | `{}` (evaluated as a template) |
| `podAnnotations` | ZooKeeper Pod annotations | `{}` (evaluated as a template) |
| `affinity` | Affinity for pod assignment | `{}` (evaluated as a template) |
| `nodeSelector` | Node labels for pod assignment | `{}` (evaluated as a template) |
| `tolerations` | Tolerations for pod assignment | `[]` (evaluated as a template) |
| `priorityClassName` | Name of the existing priority class to be used by ZooKeeper pods | `""` |
| `securityContext.enabled` | Enable security context (ZooKeeper master pod) | `true` |
| `securityContext.fsGroup` | Group ID for the container (ZooKeeper master pod) | `1001` |
| `securityContext.runAsUser` | User ID for the container (ZooKeeper master pod) | `1001` |
| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` |
| `livenessProbe` | Liveness probe configuration for ZooKeeper | Check `values.yaml` file |
| `readinessProbe` | Readiness probe configuration for ZooKeeper | Check `values.yaml` file |
| `extraVolumes` | Extra volumes | `nil` |
| `extraVolumeMounts` | Mount extra volume(s) | `nil` |
| `podDisruptionBudget.maxUnavailable` | Max number of pods down simultaneously | `1` |
### Exposure parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.port` | ZooKeeper port | `2181` |
| `service.followerPort` | ZooKeeper follower port | `2888` |
| `service.electionPort` | ZooKeeper election port | `3888` |
| `service.publishNotReadyAddresses` | If the ZooKeeper headless service should publish DNS records for not ready pods | `true` |
| `serviceAccount.create` | Enable creation of ServiceAccount for zookeeper pod | `false` |
| `serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated | Generated using the `zookeeper.fullname` template |
| `service.tls.client_enable` | Enable tls for client connections | `false` |
| `service.tls.quorum_enable` | Enable tls for quorum protocol | `false` |
| `service.tls.disable_base_client_port` | Remove client port from service definitions. | `false` |
| `service.tls.client_port` | Service port for tls client connections | `3181` |
| `service.tls.client_keystore_path` | KeyStore file path. Refer to extraVolumes and extraVolumeMounts for mounting files into the pods | `/tls_key_store/key_store_file` |
| `service.tls.client_keystore_password` | KeyStore password. You can use environment variables. | `nil` |
| `service.tls.client_truststore_path` | TrustStore file path. Refer to extraVolumes and extraVolumeMounts for mounting files into the pods | `/tls_trust_store/trust_store_file` |
| `service.tls.client_truststore_password` | TrustStore password. You can use environment variables. | `nil` |
| `service.tls.quorum_keystore_path` | KeyStore file path. Refer to extraVolumes and extraVolumeMounts for mounting files into the pods | `/tls_key_store/key_store_file` |
| `service.tls.quorum_keystore_password` | KeyStore password. You can use environment variables. | `nil` |
| `service.tls.quorum_truststore_path` | TrustStore file path. Refer to extraVolumes and extraVolumeMounts for mounting files into the pods | `/tls_trust_store/trust_store_file` |
| `service.tls.quorum_truststore_password` | TrustStore password. You can use environment variables. | `nil` |
| `service.annotations` | Annotations for the Service | `{}` |
| `service.headless.annotations` | Annotations for the Headless Service | `{}` |
| `networkPolicy.enabled` | Enable NetworkPolicy | `false` |
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
### Persistence parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `persistence.enabled` | Enable Zookeeper data persistence using PVC | `true` |
| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim` | `nil` (evaluated as a template) |
| `persistence.storageClass` | PVC Storage Class for ZooKeeper data volume | `nil` |
| `persistence.accessMode` | PVC Access Mode for ZooKeeper data volume | `ReadWriteOnce` |
| `persistence.size` | PVC Storage Request for ZooKeeper data volume | `8Gi` |
| `persistence.annotations` | Annotations for the PVC | `{}` (evaluated as a template) |
| `persistence.dataLogDir.size` | PVC Storage Request for ZooKeeper's Data log directory | `8Gi` |
| `persistence.dataLogDir.existingClaim` | Provide an existing `PersistentVolumeClaim` for Zookeeper's Data log directory | `nil` (evaluated as a template) |
### Volume Permissions parameters
| Parameter | Description | Default |
|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` |
| `volumePermissions.resources` | Init container resource requests/limit | `nil` |
### Metrics parameters
| Parameter | Description | Default |
|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
| `metrics.enabled` | Enable prometheus to access zookeeper metrics endpoint | `false` |
| `metrics.containerPort` | Port where a Jetty server will expose Prometheus metrics | `9141` |
| `metrics.service.type` | Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) for Jetty server exposing Prometheus metrics | `ClusterIP` |
| `metrics.service.port` | Prometheus metrics service port | `9141` |
| `metrics.service.annotations` | Service annotations for Prometheus to auto-discover the metrics endpoint | `{prometheus.io/scrape: "true", prometheus.io/port: "9141"}` |
| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` |
| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource | The Release Namespace |
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `nil` (Prometheus Operator default value) |
| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `nil` (Prometheus Operator default value) |
| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `nil` |
| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` |
| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource | The Release Namespace |
| `metrics.prometheusRule.selector` | Prometheus instance selector labels | `nil` |
| `metrics.prometheusRule.rules` | Prometheus Rule definitions (see values.yaml for examples) | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
$ helm install my-release \
--set auth.clientUser=newUser \
bitnami/zookeeper
```
The above command sets the ZooKeeper user to `newUser`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```console
$ helm install my-release -f values.yaml bitnami/zookeeper
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Production configuration
This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one.
- Number of ZooKeeper nodes:
```diff
- replicaCount: 1
+ replicaCount: 3
```
- Enable prometheus metrics:
```diff
- metrics.enabled: false
+ metrics.enabled: true
```
### Log level
You can configure the ZooKeeper log level using the `ZOO_LOG_LEVEL` environment variable. By default, it is set to `ERROR` because of each readiness probe produce an `INFO` message on connection and a `WARN` message on disconnection.
## Persistence
The [Bitnami ZooKeeper](https://github.com/bitnami/bitnami-docker-zookeeper) image stores the ZooKeeper data and configurations at the `/bitnami/zookeeper` path of the container.
Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
### Adjust permissions of persistent volume mountpoint
As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it.
By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions.
As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination.
You can enable this initContainer by setting `volumePermissions.enabled` to `true`.
### Data Log Directory
You can use a dedicated device for logs (instead of using the data directory) to help avoiding competition between logging and snapshots. To do so, set the `dataLogDir` parameter with the path to be used for writing transaction logs. Alternatively, set this parameter with an empty string an it result in the log being written to the data directory (Zookeeper's default behavior).
When using a dedicated device for logs, you can use a PVC to persist the logs. To do so, set `persistence.enabled` to `true`. See the [Persistence Parameters](#persistence-parameters) section for more information.
## Upgrading
### To 5.21.0
A couple of parameters related to Zookeeper metrics were renamed or disappeared in favor of new ones:
- `metrics.port` is renamed to `metrics.containerPort`.
- `metrics.annotations` is deprecated in favor of `metrics.service.annotations`.
### To 3.0.0
This new version of the chart includes the new ZooKeeper major version 3.5.5. Note that to perform an automatic upgrade
of the application, each node will need to have at least one snapshot file created in the data directory. If not, the
new version of the application won't be able to start the service. Please refer to [ZOOKEEPER-3056](https://issues.apache.org/jira/browse/ZOOKEEPER-3056)
in order to find ways to workaround this issue in case you are facing it.
### To 2.0.0
Backwards compatibility is not guaranteed unless you modify the labels used on the chart's statefulsets.
Use the workaround below to upgrade from versions previous to 2.0.0. The following example assumes that the release name is `zookeeper`:
```console
$ kubectl delete statefulset zookeeper-zookeeper --cascade=false
```
### To 1.0.0
Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
Use the workaround below to upgrade from versions previous to 1.0.0. The following example assumes that the release name is zookeeper:
```console
$ kubectl delete statefulset zookeeper-zookeeper --cascade=false
```

57
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/templates/NOTES.txt Executable file
View file

@ -0,0 +1,57 @@
{{- if contains .Values.service.type "LoadBalancer" }}
{{- if not .Values.auth.clientPassword }}
-------------------------------------------------------------------------------
WARNING
By specifying "serviceType=LoadBalancer" and not specifying "auth.enabled=true"
you have most likely exposed the ZooKeeper service externally without any
authentication mechanism.
For security reasons, we strongly suggest that you switch to "ClusterIP" or
"NodePort". As alternative, you can also specify a valid password on the
"auth.clientPassword" parameter.
-------------------------------------------------------------------------------
{{- end }}
{{- end }}
** Please be patient while the chart is being deployed **
ZooKeeper can be accessed via port 2181 on the following DNS name from within your cluster:
{{ template "zookeeper.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
To connect to your ZooKeeper server run the following commands:
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "zookeeper.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=zookeeper" -o jsonpath="{.items[0].metadata.name}")
kubectl exec -it $POD_NAME -- zkCli.sh
To connect to your ZooKeeper server from outside the cluster execute the following commands:
{{- if contains "NodePort" .Values.service.type }}
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "zookeeper.fullname" . }})
zkCli.sh $NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "zookeeper.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "zookeeper.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
zkCli.sh $SERVICE_IP:2181
{{- else if contains "ClusterIP" .Values.service.type }}
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "zookeeper.fullname" . }} 2181:2181 &
zkCli.sh 127.0.0.1:2181
{{- end }}
{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}

212
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/templates/_helpers.tpl Executable file
View file

@ -0,0 +1,212 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "zookeeper.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "zookeeper.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "zookeeper.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "zookeeper.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "zookeeper.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the proper Zookeeper image name
*/}}
{{- define "zookeeper.image" -}}
{{- $registryName := .Values.image.registry -}}
{{- $repositoryName := .Values.image.repository -}}
{{- $tag := .Values.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "zookeeper.imagePullSecrets" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
Also, we can not use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- else if or .Values.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- else if or .Values.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "zookeeper.labels" -}}
app.kubernetes.io/name: {{ include "zookeeper.name" . }}
helm.sh/chart: {{ include "zookeeper.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Renders a value that contains template.
Usage:
{{ include "zookeeper.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "zookeeper.tplValue" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}
{{/*
Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
*/}}
{{- define "zookeeper.matchLabels" -}}
app.kubernetes.io/name: {{ include "zookeeper.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Return ZooKeeper Client Password
*/}}
{{- define "zookeeper.clientPassword" -}}
{{- if .Values.auth.clientPassword -}}
{{- .Values.auth.clientPassword -}}
{{- else -}}
{{- randAlphaNum 10 -}}
{{- end -}}
{{- end -}}
{{/*
Return ZooKeeper Servers Passwords
*/}}
{{- define "zookeeper.serverPasswords" -}}
{{- if .Values.auth.serverPasswords -}}
{{- .Values.auth.serverPasswords -}}
{{- else -}}
{{- randAlphaNum 10 -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper image name (for the init container volume-permissions image)
*/}}
{{- define "zookeeper.volumePermissions.image" -}}
{{- $registryName := .Values.volumePermissions.image.registry -}}
{{- $repositoryName := .Values.volumePermissions.image.repository -}}
{{- $tag := .Values.volumePermissions.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Storage Class
*/}}
{{- define "zookeeper.storageClass" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
*/}}
{{- if .Values.global -}}
{{- if .Values.global.storageClass -}}
{{- if (eq "-" .Values.global.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.global.storageClass -}}
{{- end -}}
{{- else -}}
{{- if .Values.persistence.storageClass -}}
{{- if (eq "-" .Values.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- else -}}
{{- if .Values.persistence.storageClass -}}
{{- if (eq "-" .Values.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}

17
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/templates/configmap.yaml Executable file
View file

@ -0,0 +1,17 @@
{{- if .Values.config }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "zookeeper.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "zookeeper.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "zookeeper.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
zoo.cfg: |-
{{ .Values.config | indent 4 }}
{{- end -}}

29
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/templates/metrics-svc.yaml Executable file
View file

@ -0,0 +1,29 @@
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "zookeeper.fullname" . }}-metrics
namespace: {{ .Release.Namespace }}
labels: {{- include "zookeeper.labels" . | nindent 4 }}
app.kubernetes.io/component: zookeeper
{{- if .Values.commonLabels }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.metrics.service.annotations .Values.commonAnnotations }}
annotations:
{{- if .Values.metrics.service.annotations }}
{{ include "zookeeper.tplValue" ( dict "value" .Values.metrics.service.annotations "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.metrics.service.type }}
ports:
- name: tcp-metrics
port: {{ .Values.metrics.service.port }}
targetPort: metrics
selector: {{- include "zookeeper.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: zookeeper
{{- end }}

43
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/templates/networkpolicy.yaml Executable file
View file

@ -0,0 +1,43 @@
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ include "zookeeper.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "zookeeper.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "zookeeper.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels: {{- include "zookeeper.matchLabels" . | nindent 6 }}
ingress:
# Allow inbound connections to zookeeper
- ports:
- port: {{ .Values.service.port }}
from:
{{- if not .Values.networkPolicy.allowExternal }}
- podSelector:
matchLabels:
{{ include "zookeeper.fullname" . }}-client: "true"
- podSelector:
matchLabels: {{- include "zookeeper.matchLabels" . | nindent 14 }}
{{- else }}
- podSelector:
matchLabels: {}
{{- end }}
# Internal ports
- ports: &intranodes_ports
- port: {{ .Values.service.followerPort }}
- port: {{ .Values.service.electionPort }}
from:
- podSelector:
matchLabels: {{- include "zookeeper.matchLabels" . | nindent 14 }}
egress:
- ports: *intranodes_ports
# Allow outbound connections from zookeeper nodes
{{- end }}

21
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/templates/poddisruptionbudget.yaml Executable file
View file

@ -0,0 +1,21 @@
{{- $replicaCount := int .Values.replicaCount }}
{{- if gt $replicaCount 1 }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ template "zookeeper.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "zookeeper.labels" . | nindent 4 }}
app.kubernetes.io/component: zookeeper
{{- if .Values.commonLabels }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "zookeeper.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels: {{- include "zookeeper.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: zookeeper
{{- toYaml .Values.podDisruptionBudget | nindent 2 }}
{{- end }}

27
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/templates/prometheusrules.yaml Executable file
View file

@ -0,0 +1,27 @@
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled .Values.metrics.prometheusRule.rules }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "zookeeper.fullname" . }}
{{- if .Values.metrics.prometheusRule.namespace }}
namespace: {{ .Values.metrics.prometheusRule.namespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels: {{- include "zookeeper.labels" . | nindent 4 }}
app.kubernetes.io/component: zookeeper
{{- range $key, $value := .Values.metrics.prometheusRule.selector }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "zookeeper.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
groups:
- name: {{ include "zookeeper.fullname" . }}
rules: {{- toYaml .Values.metrics.prometheusRule.rules | nindent 6 }}
{{- end }}

18
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/templates/secrets.yaml Executable file
View file

@ -0,0 +1,18 @@
{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "zookeeper.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "zookeeper.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "zookeeper.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
client-password: {{ include "zookeeper.clientPassword" . | b64enc | quote }}
server-password: {{ include "zookeeper.serverPasswords" . | b64enc | quote }}
{{- end }}

15
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/templates/serviceaccount.yaml Executable file
View file

@ -0,0 +1,15 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "zookeeper.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "zookeeper.labels" . | nindent 4 }}
role: zookeeper
{{- if .Values.commonLabels }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "zookeeper.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}

38
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/templates/servicemonitor.yaml Executable file
View file

@ -0,0 +1,38 @@
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "zookeeper.fullname" . }}
{{- if .Values.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels: {{- include "zookeeper.labels" . | nindent 4 }}
app.kubernetes.io/component: zookeeper
{{- range $key, $value := .Values.metrics.serviceMonitor.selector }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "zookeeper.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels: {{- include "zookeeper.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: zookeeper
endpoints:
- port: tcp-metrics
path: "/metrics"
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
{{- end }}

334
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/templates/statefulset.yaml Executable file
View file

@ -0,0 +1,334 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "zookeeper.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "zookeeper.labels" . | nindent 4 }}
app.kubernetes.io/component: zookeeper
role: zookeeper
{{- if .Values.commonLabels }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "zookeeper.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
serviceName: {{ template "zookeeper.fullname" . }}-headless
replicas: {{ .Values.replicaCount }}
podManagementPolicy: {{ .Values.podManagementPolicy }}
updateStrategy:
type: {{ .Values.updateStrategy }}
{{- if (eq "Recreate" .Values.updateStrategy) }}
rollingUpdate: null
{{- else if .Values.rollingUpdatePartition }}
rollingUpdate:
partition: {{ .Values.rollingUpdatePartition }}
{{- end }}
selector:
matchLabels: {{- include "zookeeper.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: zookeeper
template:
metadata:
name: {{ template "zookeeper.fullname" . }}
labels: {{- include "zookeeper.labels" . | nindent 8 }}
app.kubernetes.io/component: zookeeper
{{- if .Values.podLabels }}
{{- include "zookeeper.tplValue" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.podAnnotations }}
annotations: {{- include "zookeeper.tplValue" ( dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName }}
{{- end }}
{{- include "zookeeper.imagePullSecrets" . | nindent 6 }}
serviceAccountName: {{ template "zookeeper.serviceAccountName" . }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end }}
{{- if .Values.affinity }}
affinity: {{- include "zookeeper.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{- include "zookeeper.tplValue" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- include "zookeeper.tplValue" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
initContainers:
- name: volume-permissions
image: {{ template "zookeeper.volumePermissions.image" . }}
imagePullPolicy: {{ default "" .Values.volumePermissions.image.pullPolicy | quote }}
command:
- chown
args:
- -R
- {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}
- /bitnami/zookeeper
{{- if .Values.dataLogDir }}
- {{ .Values.dataLogDir }}
{{- end }}
securityContext:
runAsUser: 0
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /bitnami/zookeeper
{{- if .Values.dataLogDir }}
- name: data-log
mountPath: {{ .Values.dataLogDir }}
{{- end }}
{{- end }}
containers:
- name: zookeeper
image: {{ template "zookeeper.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
command:
- bash
- -ec
- |
# Execute entrypoint as usual after obtaining ZOO_SERVER_ID based on POD hostname
HOSTNAME=`hostname -s`
if [[ $HOSTNAME =~ (.*)-([0-9]+)$ ]]; then
ORD=${BASH_REMATCH[2]}
export ZOO_SERVER_ID=$((ORD+1))
else
echo "Failed to get index from hostname $HOST"
exit 1
fi
exec /entrypoint.sh /run.sh
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- end }}
env:
- name: ZOO_DATA_LOG_DIR
value: {{ .Values.dataLogDir | quote }}
- name: ZOO_PORT_NUMBER
value: {{ .Values.service.port | quote }}
- name: ZOO_TICK_TIME
value: {{ .Values.tickTime | quote }}
- name: ZOO_INIT_LIMIT
value: {{ .Values.initLimit | quote }}
- name: ZOO_SYNC_LIMIT
value: {{ .Values.syncLimit | quote }}
- name: ZOO_MAX_CLIENT_CNXNS
value: {{ .Values.maxClientCnxns | quote }}
- name: ZOO_4LW_COMMANDS_WHITELIST
value: {{ .Values.fourlwCommandsWhitelist | quote }}
- name: ZOO_LISTEN_ALLIPS_ENABLED
value: {{ ternary "yes" "no" .Values.listenOnAllIPs | quote }}
- name: ZOO_AUTOPURGE_INTERVAL
value: {{ .Values.autopurge.purgeInterval | quote }}
- name: ZOO_AUTOPURGE_RETAIN_COUNT
value: {{ .Values.autopurge.snapRetainCount | quote }}
- name: ZOO_MAX_SESSION_TIMEOUT
value: {{ .Values.maxSessionTimeout | quote }}
- name: ZOO_SERVERS
{{- $replicaCount := int .Values.replicaCount }}
{{- $followerPort := int .Values.service.followerPort }}
{{- $electionPort := int .Values.service.electionPort }}
{{- $releaseNamespace := .Release.Namespace }}
{{- $zookeeperFullname := include "zookeeper.fullname" . }}
{{- $zookeeperHeadlessServiceName := printf "%s-%s" $zookeeperFullname "headless" | trunc 63 }}
{{- $clusterDomain := .Values.clusterDomain }}
value: {{ range $i, $e := until $replicaCount }}{{ $zookeeperFullname }}-{{ $e }}.{{ $zookeeperHeadlessServiceName }}.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $followerPort }}:{{ $electionPort }} {{ end }}
- name: ZOO_ENABLE_AUTH
value: {{ ternary "yes" "no" .Values.auth.enabled | quote }}
{{- if .Values.auth.enabled }}
- name: ZOO_CLIENT_USER
value: {{ .Values.auth.clientUser | quote }}
- name: ZOO_CLIENT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ if .Values.auth.existingSecret }}{{ .Values.auth.existingSecret }}{{ else }}{{ template "zookeeper.fullname" . }}{{ end }}
key: client-password
- name: ZOO_SERVER_USERS
value: {{ .Values.auth.serverUsers | quote }}
- name: ZOO_SERVER_PASSWORDS
valueFrom:
secretKeyRef:
name: {{ if .Values.auth.existingSecret }}{{ .Values.auth.existingSecret }}{{ else }}{{ template "zookeeper.fullname" . }}{{ end }}
key: server-password
{{- end }}
- name: ZOO_HEAP_SIZE
value: {{ .Values.heapSize | quote }}
- name: ZOO_LOG_LEVEL
value: {{ .Values.logLevel | quote }}
- name: ALLOW_ANONYMOUS_LOGIN
value: {{ ternary "yes" "no" .Values.allowAnonymousLogin | quote }}
{{- if .Values.jvmFlags }}
- name: JVMFLAGS
value: {{ .Values.jvmFlags | quote }}
{{- end }}
{{- if .Values.metrics.enabled }}
- name: ZOO_ENABLE_PROMETHEUS_METRICS
value: "yes"
- name: ZOO_PROMETHEUS_METRICS_PORT_NUMBER
value: {{ .Values.metrics.containerPort | quote }}
{{- end }}
{{- if .Values.service.tls.client_enable }}
- name: ZOO_TLS_CLIENT_ENABLE
value: {{ .Values.service.tls.client_enable | quote }}
- name: ZOO_TLS_CLIENT_KEYSTORE_FILE
value: {{ .Values.service.tls.client_keystore_path | quote }}
- name: ZOO_TLS_CLIENT_KEYSTORE_PASSWORD
value: {{ .Values.service.tls.client_keystore_password | quote }}
- name: ZOO_TLS_CLIENT_TRUSTSTORE_FILE
value: {{ .Values.service.tls.client_truststore_path | quote }}
- name: ZOO_TLS_CLIENT_TRUSTSTORE_PASSWORD
value: {{ .Values.service.tls.client_truststore_password | quote }}
{{ end }}
{{- if .Values.service.tls.quorum_enable }}
- name: ZOO_TLS_QUORUM_ENABLE
value: {{ .Values.service.tls.quorum_enable | quote }}
- name: ZOO_TLS_QUORUM_KEYSTORE_FILE
value: {{ .Values.service.tls.quorum_keystore_path | quote }}
- name: ZOO_TLS_QUORUM_KEYSTORE_PASSWORD
value: {{ .Values.service.tls.quorum_keystore_password | quote }}
- name: ZOO_TLS_QUORUM_TRUSTSTORE_FILE
value: {{ .Values.service.tls.quorum_truststore_path | quote }}
- name: ZOO_TLS_QUORUM_TRUSTSTORE_PASSWORD
value: {{ .Values.service.tls.quorum_truststore_password | quote }}
{{ end }}
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
{{- if .Values.extraEnvVars }}
{{- toYaml .Values.extraEnvVars | nindent 12 }}
{{- end }}
ports:
{{ if not .Values.service.tls.disable_base_client_port }}
- name: client
containerPort: {{ .Values.service.port }}
{{ end }}
{{ if .Values.service.tls.client_enable }}
- name: client-tls
containerPort: {{ .Values.service.tls.client_port }}
{{ end }}
- name: follower
containerPort: {{ .Values.service.followerPort }}
- name: election
containerPort: {{ .Values.service.electionPort }}
{{- if .Values.metrics.enabled }}
- name: metrics
containerPort: {{ .Values.metrics.containerPort }}
{{- end }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
exec:
{{- if not .Values.service.tls.disable_base_client_port }}
command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} nc -w {{ .Values.livenessProbe.probeCommandTimeout }} localhost {{ .Values.service.port }} | grep imok']
{{- else }}
command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.service.tls.client_port }} | grep imok']
{{- end }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
exec:
{{- if not .Values.service.tls.disable_base_client_port }}
command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.readinessProbe.probeCommandTimeout }} nc -w {{ .Values.readinessProbe.probeCommandTimeout }} localhost {{ .Values.service.port }} | grep imok']
{{- else }}
command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.readinessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.service.tls.client_port }} | grep imok']
{{- end }}
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- end }}
volumeMounts:
- name: data
mountPath: /bitnami/zookeeper
{{- if .Values.dataLogDir }}
- name: data-log
mountPath: {{ .Values.dataLogDir }}
{{- end }}
{{- if .Values.config }}
- name: config
mountPath: /opt/bitnami/zookeeper/conf/zoo.cfg
subPath: zoo.cfg
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
volumes:
{{- if .Values.config }}
- name: config
configMap:
name: {{ template "zookeeper.fullname" . }}
{{- end }}
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
- name: data
persistentVolumeClaim:
claimName: {{ printf "%s" (tpl .Values.persistence.existingClaim .) }}
{{- else if not .Values.persistence.enabled }}
- name: data
emptyDir: {}
{{- end }}
{{- if and .Values.persistence.enabled .Values.persistence.dataLogDir.existingClaim }}
- name: data-log
persistentVolumeClaim:
claimName: {{ printf "%s" (tpl .Values.persistence.dataLogDir.existingClaim .) }}
{{- else if and ( not .Values.persistence.enabled ) .Values.dataLogDir }}
- name: data-log
emptyDir: {}
{{- end }}
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
{{- if and .Values.persistence.enabled (not (and .Values.persistence.existingClaim .Values.persistence.dataLogDir.existingClaim) )}}
volumeClaimTemplates:
{{- if not .Values.persistence.existingClaim }}
- metadata:
name: data
annotations:
{{- range $key, $value := .Values.persistence.annotations }}
{{ $key }}: {{ $value }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- include "zookeeper.storageClass" . | nindent 8 }}
{{- end }}
{{- if and (not .Values.persistence.dataLogDir.existingClaim) .Values.dataLogDir }}
- metadata:
name: data-log
annotations:
{{- range $key, $value := .Values.persistence.annotations }}
{{ $key }}: {{ $value }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.dataLogDir.size | quote }}
{{- include "zookeeper.storageClass" . | nindent 8 }}
{{- end }}
{{- end }}

42
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/templates/svc-headless.yaml Executable file
View file

@ -0,0 +1,42 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "zookeeper.fullname" . }}-headless
namespace: {{ .Release.Namespace }}
labels: {{- include "zookeeper.labels" . | nindent 4 }}
app.kubernetes.io/component: zookeeper
{{- if .Values.commonLabels }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.commonAnnotations .Values.service.annotations }}
annotations:
{{- if .Values.service.headless.annotations }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.service.headless.annotations "context" $ ) | nindent 4 }}\
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: ClusterIP
clusterIP: None
publishNotReadyAddresses: {{ .Values.service.publishNotReadyAddresses }}
ports:
{{ if not .Values.service.tls.disable_base_client_port }}
- name: tcp-client
port: 2181
targetPort: client
{{ end }}
{{ if .Values.service.tls.client_enable }}
- name: tcp-client-tls
port: {{ .Values.service.tls.client_port }}
targetPort: client-tls
{{ end }}
- name: follower
port: 2888
targetPort: follower
- name: tcp-election
port: 3888
targetPort: election
selector: {{- include "zookeeper.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: zookeeper

40
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/templates/svc.yaml Executable file
View file

@ -0,0 +1,40 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "zookeeper.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "zookeeper.labels" . | nindent 4 }}
app.kubernetes.io/component: zookeeper
{{- if .Values.commonLabels }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.commonAnnotations .Values.service.annotations }}
annotations:
{{- if .Values.service.annotations }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.service.annotations "context" $ ) | nindent 4 }}\
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "zookeeper.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
{{ if not .Values.service.tls.disable_base_client_port }}
- name: tcp-client
port: 2181
targetPort: client
{{ end }}
{{ if .Values.service.tls.client_enable }}
- name: tcp-client-tls
port: {{ .Values.service.tls.client_port }}
targetPort: client-tls
{{ end }}
- name: follower
port: 2888
targetPort: follower
- name: tcp-election
port: 3888
targetPort: election
selector: {{- include "zookeeper.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: zookeeper

430
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/values-production.yaml Executable file
View file

@ -0,0 +1,430 @@
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
##
# global:
# imageRegistry: myRegistryName
# imagePullSecrets:
# - myRegistryKeySecretName
# storageClass: myStorageClass
## Bitnami Zookeeper image version
## ref: https://hub.docker.com/r/bitnami/zookeeper/tags/
##
image:
registry: docker.io
repository: bitnami/zookeeper
tag: 3.6.2-debian-10-r10
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Set to true if you would like to see extra information on logs
## It turns BASH and NAMI debugging in minideb
## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging
##
debug: false
## String to partially override zookeeper.fullname template (will maintain the release name)
# nameOverride:
## String to fully override zookeeper.fullname template
# fullnameOverride:
## Kubernetes Cluster Domain
##
clusterDomain: cluster.local
## Add labels to all the deployed resources
##
commonLabels: {}
## Add annotations to all the deployed resources
##
commonAnnotations: {}
## Init containers parameters:
## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section.
##
volumePermissions:
enabled: false
image:
registry: docker.io
repository: bitnami/minideb
tag: buster
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
resources: {}
## extraVolumes and extraVolumeMounts allows you to mount other volumes
## Example Use Cases:
## mount certificates to enable tls
# extraVolumes:
# - name: zookeeper-keystore
# secret:
# defaultMode: 288
# secretName: zookeeper-keystore
# - name: zookeeper-trustsore
# secret:
# defaultMode: 288
# secretName: zookeeper-truststore
# extraVolumeMounts:
# - name: zookeeper-keystore
# mountPath: /certs/keystore
# readOnly: true
# - name: zookeeper-truststore
# mountPath: /certs/truststore
# readOnly: true
## StatefulSet controller supports automated updates. There are two valid update strategies: RollingUpdate and OnDelete
## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
##
updateStrategy: RollingUpdate
## Limits the number of pods of the replicated application that are down simultaneously from voluntary disruptions
## The PDB will only be created if replicaCount is greater than 1
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions
##
podDisruptionBudget:
maxUnavailable: 1
## Partition update strategy
## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
##
# rollingUpdatePartition:
## StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel
## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
##
podManagementPolicy: Parallel
## Number of ZooKeeper nodes
##
replicaCount: 3
## Basic time unit in milliseconds used by ZooKeeper for heartbeats
##
tickTime: 2000
## ZooKeeper uses to limit the length of time the ZooKeeper servers in quorum have to connect to a leader
##
initLimit: 10
## How far out of date a server can be from a leader
##
syncLimit: 5
## Limits the number of concurrent connections that a single client may make to a single member of the ZooKeeper ensemble
##
maxClientCnxns: 60
## Maximum session timeout in milliseconds that the server will allow the client to negotiate. Defaults to 20 times the tickTime.
##
maxSessionTimeout: 40000
## A list of comma separated Four Letter Words commands to use
##
fourlwCommandsWhitelist: srvr, mntr, ruok
## Allow zookeeper to listen for peers on all IPs
##
listenOnAllIPs: false
## Allow to accept connections from unauthenticated users
##
allowAnonymousLogin: true
autopurge:
## Retains the snapRetainCount most recent snapshots and the corresponding transaction logs and deletes the rest
##
snapRetainCount: 3
## The time interval in hours for which the purge task has to be triggered. Set to a positive integer (1 and above) to enable the auto purging.
##
purgeInterval: 0
auth:
## Use existing secret (ignores previous password)
##
# existingSecret:
## Enable Zookeeper auth. It uses SASL/Digest-MD5
##
enabled: false
## User that will use Zookeeper clients to auth
##
clientUser:
## Password that will use Zookeeper clients to auth
##
clientPassword:
## Comma, semicolon or whitespace separated list of user to be created. Specify them as a string, for example: "user1,user2,admin"
##
serverUsers:
## Comma, semicolon or whitespace separated list of passwords to assign to users when created. Specify them as a string, for example: "pass4user1, pass4user2, pass4admin"
##
serverPasswords:
## Size in MB for the Java Heap options (Xmx and XMs). This env var is ignored if Xmx an Xms are configured via JVMFLAGS
##
heapSize: 1024
## Log level for the Zookeeper server. ERROR by default. Have in mind if you set it to INFO or WARN the ReadinessProve will produce a lot of logs.
##
logLevel: ERROR
## Data log directory. Specifying this option will direct zookeeper to write the transaction log to the dataLogDir rather than the dataDir.
## This allows a dedicated log device to be used, and helps avoid competition between logging and snaphots.
## Example:
## dataLogDir: /bitnami/zookeeper/dataLog
##
dataLogDir: ""
## Default JVMFLAGS for the ZooKeeper process
##
# jvmFlags:
## Configure ZooKeeper with a custom zoo.cfg file
##
# config:
## Kubernetes configuration
## For minikube, set this to NodePort, elsewhere use LoadBalancer
##
service:
type: ClusterIP
port: 2181
followerPort: 2888
electionPort: 3888
publishNotReadyAddresses: true
tls:
client_enable: true
quorum_enable: true
disable_base_client_port: true
client_port: 3181
client_keystore_path: /tls_key_store/key_store_file
client_keystore_password: ""
client_truststore_path: /tls_trust_store/trust_store_file
client_truststore_password: ""
quorum_keystore_path: /tls_key_store/key_store_file
quorum_keystore_password: ""
quorum_truststore_path: /tls_trust_store/trust_store_file
quorum_truststore_password: ""
annotations: {}
headless:
annotations: {}
## Service account for Zookeeper to use.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
## Specifies whether a ServiceAccount should be created
##
create: false
## The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the zookeeper.fullname template
# name:
## Zookeeper Pod Security Context
securityContext:
enabled: true
fsGroup: 1001
runAsUser: 1001
## Zookeeper data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
persistence:
enabled: true
## A manually managed Persistent Volume and Claim
## If defined, PVC must be created manually before volume will be bound
## The value is evaluated as a template
##
# existingClaim:
# storageClass: "-"
accessModes:
- ReadWriteOnce
size: 8Gi
annotations: {}
dataLogDir:
size: 8Gi
## A manually managed Persistent Volume and Claim
## If defined, PVC must be created manually before volume will be bound
## The value is evaluated as a template
##
# existingClaim:
## Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## Tolerations for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## Labels
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
## Annotations
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
## Name of the priority class to be used by zookeeper pods, priority class needs to be created beforehand
## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
## Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## Scheduler name
## https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName: stork
## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
requests:
memory: 256Mi
cpu: 250m
## Configure extra options for liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
##
livenessProbe:
enabled: true
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
probeCommandTimeout: 2
readinessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
probeCommandTimeout: 2
## Network policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## Specifies whether a NetworkPolicy should be created
##
enabled: true
## The Policy model to apply. When set to false, only pods with the correct
## client label will have network access to the port Redis is listening
## on. When true, zookeeper accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## Zookeeper Prometheus Exporter configuration
##
metrics:
enabled: false
## Zookeeper Prometheus Exporter container port
##
containerPort: 9141
## Service configuration
##
service:
## Zookeeper Prometheus Exporter service type
##
type: ClusterIP
## Zookeeper Prometheus Exporter service port
##
port: 9141
## Annotations for the Zookeeper Prometheus Exporter metrics service
##
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "{{ .Values.metrics.service.port }}"
prometheus.io/path: "/metrics"
## Prometheus Operator ServiceMonitor configuration
##
serviceMonitor:
enabled: false
## Namespace for the ServiceMonitor Resource (defaults to the Release Namespace)
##
namespace:
## Interval at which metrics should be scraped.
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
# interval: 10s
## Timeout after which the scrape is ended
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
# scrapeTimeout: 10s
## ServiceMonitor selector labels
## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
##
# selector:
# prometheus: my-prometheus
## Prometheus Operator PrometheusRule configuration
##
prometheusRule:
enabled: false
## Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
##
namespace:
## PrometheusRule selector labels
## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
##
# selector:
# prometheus: my-prometheus
## Some example rules.
rules: []
# - alert: ZookeeperSyncedFollowers
# annotations:
# message: The number of synced followers for the leader node in Zookeeper deployment my-release is less than 2. This usually means that some of the Zookeeper nodes aren't communicating properly. If it doesn't resolve itself you can try killing the pods (one by one).
# expr: max(synced_followers{service="my-release-metrics"}) < 2
# for: 5m
# labels:
# severity: critical
# - alert: ZookeeperOutstandingRequests
# annotations:
# message: The number of outstanding requests for Zookeeper pod {{ $labels.pod }} is greater than 10. This can indicate a performance issue with the Pod or cluster a whole.
# expr: outstanding_requests{service="my-release-metrics"} > 10
# for: 5m
# labels:
# severity: critical

430
ee/scripts/helm/helm/databases/charts/kafka/charts/zookeeper/values.yaml Executable file
View file

@ -0,0 +1,430 @@
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
##
# global:
# imageRegistry: myRegistryName
# imagePullSecrets:
# - myRegistryKeySecretName
# storageClass: myStorageClass
## Bitnami Zookeeper image version
## ref: https://hub.docker.com/r/bitnami/zookeeper/tags/
##
image:
registry: docker.io
repository: bitnami/zookeeper
tag: 3.6.2-debian-10-r10
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Set to true if you would like to see extra information on logs
## It turns BASH and NAMI debugging in minideb
## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging
##
debug: false
## String to partially override zookeeper.fullname template (will maintain the release name)
# nameOverride:
## String to fully override zookeeper.fullname template
# fullnameOverride:
## Kubernetes Cluster Domain
##
clusterDomain: cluster.local
## Add labels to all the deployed resources
##
commonLabels: {}
## Add annotations to all the deployed resources
##
commonAnnotations: {}
## Init containers parameters:
## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section.
##
volumePermissions:
enabled: false
image:
registry: docker.io
repository: bitnami/minideb
tag: buster
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
resources: {}
## extraVolumes and extraVolumeMounts allows you to mount other volumes
## Example Use Cases:
## mount certificates to enable tls
# extraVolumes:
# - name: zookeeper-keystore
# secret:
# defaultMode: 288
# secretName: zookeeper-keystore
# - name: zookeeper-trustsore
# secret:
# defaultMode: 288
# secretName: zookeeper-truststore
# extraVolumeMounts:
# - name: zookeeper-keystore
# mountPath: /certs/keystore
# readOnly: true
# - name: zookeeper-truststore
# mountPath: /certs/truststore
# readOnly: true
## StatefulSet controller supports automated updates. There are two valid update strategies: RollingUpdate and OnDelete
## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
##
updateStrategy: RollingUpdate
## Limits the number of pods of the replicated application that are down simultaneously from voluntary disruptions
## The PDB will only be created if replicaCount is greater than 1
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions
##
podDisruptionBudget:
maxUnavailable: 1
## Partition update strategy
## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
##
# rollingUpdatePartition:
## StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel
## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
##
podManagementPolicy: Parallel
## Number of ZooKeeper nodes
##
replicaCount: 1
## Basic time unit in milliseconds used by ZooKeeper for heartbeats
##
tickTime: 2000
## ZooKeeper uses to limit the length of time the ZooKeeper servers in quorum have to connect to a leader
##
initLimit: 10
## How far out of date a server can be from a leader
##
syncLimit: 5
## Limits the number of concurrent connections that a single client may make to a single member of the ZooKeeper ensemble
##
maxClientCnxns: 60
## A list of comma separated Four Letter Words commands to use
##
fourlwCommandsWhitelist: srvr, mntr, ruok
## Allow zookeeper to listen for peers on all IPs
##
listenOnAllIPs: false
## Allow to accept connections from unauthenticated users
##
allowAnonymousLogin: true
autopurge:
## Retains the snapRetainCount most recent snapshots and the corresponding transaction logs and deletes the rest
##
snapRetainCount: 3
## The time interval in hours for which the purge task has to be triggered. Set to a positive integer (1 and above) to enable the auto purging.
##
purgeInterval: 0
## Maximum session timeout in milliseconds that the server will allow the client to negotiate. Defaults to 20 times the tickTime.
##
maxSessionTimeout: 40000
auth:
## Use existing secret (ignores previous password)
##
# existingSecret:
## Enable Zookeeper auth. It uses SASL/Digest-MD5
##
enabled: false
## User that will use Zookeeper clients to auth
##
clientUser:
## Password that will use Zookeeper clients to auth
##
clientPassword:
## Comma, semicolon or whitespace separated list of user to be created. Specify them as a string, for example: "user1,user2,admin"
##
serverUsers:
## Comma, semicolon or whitespace separated list of passwords to assign to users when created. Specify them as a string, for example: "pass4user1, pass4user2, pass4admin"
##
serverPasswords:
## Size in MB for the Java Heap options (Xmx and XMs). This env var is ignored if Xmx an Xms are configured via JVMFLAGS
##
heapSize: 1024
## Log level for the Zookeeper server. ERROR by default. Have in mind if you set it to INFO or WARN the ReadinessProve will produce a lot of logs.
##
logLevel: ERROR
## Data log directory. Specifying this option will direct zookeeper to write the transaction log to the dataLogDir rather than the dataDir.
## This allows a dedicated log device to be used, and helps avoid competition between logging and snaphots.
## Example:
## dataLogDir: /bitnami/zookeeper/dataLog
##
dataLogDir: ""
## Default JVMFLAGS for the ZooKeeper process
##
# jvmFlags:
## Configure ZooKeeper with a custom zoo.cfg file
##
# config:
## Kubernetes configuration
## For minikube, set this to NodePort, elsewhere use LoadBalancer
##
service:
type: ClusterIP
port: 2181
followerPort: 2888
electionPort: 3888
publishNotReadyAddresses: true
tls:
client_enable: false
quorum_enable: false
disable_base_client_port: false
client_port: 3181
client_keystore_path: /tls_key_store/key_store_file
client_keystore_password: ""
client_truststore_path: /tls_trust_store/trust_store_file
client_truststore_password: ""
quorum_keystore_path: /tls_key_store/key_store_file
quorum_keystore_password: ""
quorum_truststore_path: /tls_trust_store/trust_store_file
quorum_truststore_password: ""
annotations: {}
headless:
annotations: {}
## Service account for Zookeeper to use.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
## Specifies whether a ServiceAccount should be created
##
create: false
## The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the zookeeper.fullname template
# name:
## Zookeeper Pod Security Context
securityContext:
enabled: true
fsGroup: 1001
runAsUser: 1001
## Zookeeper data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
persistence:
## A manually managed Persistent Volume and Claim
## If defined, PVC must be created manually before volume will be bound
## The value is evaluated as a template
##
# existingClaim:
enabled: true
# storageClass: "-"
accessModes:
- ReadWriteOnce
size: 8Gi
annotations: {}
dataLogDir:
size: 8Gi
## A manually managed Persistent Volume and Claim
## If defined, PVC must be created manually before volume will be bound
## The value is evaluated as a template
##
# existingClaim:
## Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## Tolerations for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## Labels
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
## Annotations
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
## Name of the priority class to be used by zookeeper pods, priority class needs to be created beforehand
## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
## Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## Scheduler name
## https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName: stork
## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
requests:
memory: 256Mi
cpu: 250m
## Configure extra options for liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
##
livenessProbe:
enabled: true
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
probeCommandTimeout: 2
readinessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
probeCommandTimeout: 2
## Network policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## Specifies whether a NetworkPolicy should be created
##
enabled: false
## The Policy model to apply. When set to false, only pods with the correct
## client label will have network access to the port Redis is listening
## on. When true, zookeeper accept connections from any source
## (with the correct destination port).
##
# allowExternal: true
## Zookeeper Prometheus Exporter configuration
##
metrics:
enabled: false
## Zookeeper Prometheus Exporter container port
##
containerPort: 9141
## Service configuration
##
service:
## Zookeeper Prometheus Exporter service type
##
type: ClusterIP
## Zookeeper Prometheus Exporter service port
##
port: 9141
## Annotations for the Zookeeper Prometheus Exporter metrics service
##
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "{{ .Values.metrics.service.port }}"
prometheus.io/path: "/metrics"
## Prometheus Operator ServiceMonitor configuration
##
serviceMonitor:
enabled: false
## Namespace for the ServiceMonitor Resource (defaults to the Release Namespace)
##
namespace:
## Interval at which metrics should be scraped.
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
# interval: 10s
## Timeout after which the scrape is ended
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
# scrapeTimeout: 10s
## ServiceMonitor selector labels
## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
##
# selector:
# prometheus: my-prometheus
## Prometheus Operator PrometheusRule configuration
##
prometheusRule:
enabled: false
## Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
##
namespace:
## PrometheusRule selector labels
## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
##
# selector:
# prometheus: my-prometheus
## Some example rules.
rules: []
# - alert: ZookeeperSyncedFollowers
# annotations:
# message: The number of synced followers for the leader node in Zookeeper deployment my-release is less than 2. This usually means that some of the Zookeeper nodes aren't communicating properly. If it doesn't resolve itself you can try killing the pods (one by one).
# expr: max(synced_followers{service="my-release-metrics"}) < 2
# for: 5m
# labels:
# severity: critical
# - alert: ZookeeperOutstandingRequests
# annotations:
# message: The number of outstanding requests for Zookeeper pod {{ $labels.pod }} is greater than 10. This can indicate a performance issue with the Pod or cluster a whole.
# expr: outstanding_requests{service="my-release-metrics"} > 10
# for: 5m
# labels:
# severity: critical

10
ee/scripts/helm/helm/databases/charts/kafka/files/jks/README.md Executable file
View file

@ -0,0 +1,10 @@
# Java Key Stores
You can copy here your Java Key Stores (JKS) files so a secret is created including them. Remember to use a truststore (`kafka.truststore.jks`) and one keystore (`kafka.keystore.jks`) per Kafka broker you have in the cluster. For instance, if you have 3 brokers you need to copy here the following files:
- kafka.truststore.jks
- kafka-0.keystore.jks
- kafka-1.keystore.jks
- kafka-2.keystore.jks
Find more info in [this section](https://github.com/bitnami/charts/tree/master/bitnami/kafka#enable-security-for-kafka-and-zookeeper) of the README.md file.

521
ee/scripts/helm/helm/databases/charts/kafka/kafka.yaml Normal file
View file

@ -0,0 +1,521 @@
---
# Source: kafka/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: kafka
labels:
app.kubernetes.io/name: kafka
helm.sh/chart: kafka-11.8.6
app.kubernetes.io/instance: kafka
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: kafka
---
# Source: kafka/templates/scripts-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: kafka-scripts
labels:
app.kubernetes.io/name: kafka
helm.sh/chart: kafka-11.8.6
app.kubernetes.io/instance: kafka
app.kubernetes.io/managed-by: Helm
data:
setup.sh: |-
#!/bin/bash
ID="${MY_POD_NAME#"kafka-"}"
export KAFKA_CFG_BROKER_ID="$ID"
exec /entrypoint.sh /run.sh
---
# Source: kafka/charts/zookeeper/templates/svc-headless.yaml
apiVersion: v1
kind: Service
metadata:
name: kafka-zookeeper-headless
namespace: db
labels:
app.kubernetes.io/name: zookeeper
helm.sh/chart: zookeeper-5.21.9
app.kubernetes.io/instance: kafka
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: zookeeper
spec:
type: ClusterIP
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: tcp-client
port: 2181
targetPort: client
- name: follower
port: 2888
targetPort: follower
- name: tcp-election
port: 3888
targetPort: election
selector:
app.kubernetes.io/name: zookeeper
app.kubernetes.io/instance: kafka
app.kubernetes.io/component: zookeeper
---
# Source: kafka/charts/zookeeper/templates/svc.yaml
apiVersion: v1
kind: Service
metadata:
name: kafka-zookeeper
namespace: db
labels:
app.kubernetes.io/name: zookeeper
helm.sh/chart: zookeeper-5.21.9
app.kubernetes.io/instance: kafka
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: zookeeper
spec:
type: ClusterIP
ports:
- name: tcp-client
port: 2181
targetPort: client
- name: follower
port: 2888
targetPort: follower
- name: tcp-election
port: 3888
targetPort: election
selector:
app.kubernetes.io/name: zookeeper
app.kubernetes.io/instance: kafka
app.kubernetes.io/component: zookeeper
---
# Source: kafka/templates/kafka-metrics-svc.yaml
apiVersion: v1
kind: Service
metadata:
name: kafka-metrics
labels:
app.kubernetes.io/name: kafka
helm.sh/chart: kafka-11.8.6
app.kubernetes.io/instance: kafka
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: metrics
annotations:
prometheus.io/path: /metrics
prometheus.io/port: '9308'
prometheus.io/scrape: "true"
spec:
type: ClusterIP
ports:
- name: http-metrics
port: 9308
protocol: TCP
targetPort: metrics
nodePort: null
selector:
app.kubernetes.io/name: kafka
app.kubernetes.io/instance: kafka
app.kubernetes.io/component: metrics
---
# Source: kafka/templates/svc-headless.yaml
apiVersion: v1
kind: Service
metadata:
name: kafka-headless
labels:
app.kubernetes.io/name: kafka
helm.sh/chart: kafka-11.8.6
app.kubernetes.io/instance: kafka
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: kafka
spec:
type: ClusterIP
clusterIP: None
ports:
- name: tcp-client
port: 9092
protocol: TCP
targetPort: kafka-client
- name: tcp-internal
port: 9093
protocol: TCP
targetPort: kafka-internal
selector:
app.kubernetes.io/name: kafka
app.kubernetes.io/instance: kafka
app.kubernetes.io/component: kafka
---
# Source: kafka/templates/svc.yaml
apiVersion: v1
kind: Service
metadata:
name: kafka
labels:
app.kubernetes.io/name: kafka
helm.sh/chart: kafka-11.8.6
app.kubernetes.io/instance: kafka
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: kafka
spec:
type: ClusterIP
ports:
- name: tcp-client
port: 9092
protocol: TCP
targetPort: kafka-client
nodePort: null
selector:
app.kubernetes.io/name: kafka
app.kubernetes.io/instance: kafka
app.kubernetes.io/component: kafka
---
# Source: kafka/templates/kafka-metrics-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: kafka-exporter
labels:
app.kubernetes.io/name: kafka
helm.sh/chart: kafka-11.8.6
app.kubernetes.io/instance: kafka
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: metrics
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: kafka
app.kubernetes.io/instance: kafka
app.kubernetes.io/component: metrics
template:
metadata:
labels:
app.kubernetes.io/name: kafka
helm.sh/chart: kafka-11.8.6
app.kubernetes.io/instance: kafka
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: metrics
spec:
containers:
- name: kafka-exporter
image: docker.io/bitnami/kafka-exporter:1.2.0-debian-10-r220
imagePullPolicy: "IfNotPresent"
command:
- /bin/bash
- -ec
- |
read -r -a sasl_passwords <<< "$(tr ',;' ' ' <<< "${SASL_USER_PASSWORD}")"
kafka_exporter \
--kafka.server=kafka-0.kafka-headless.db.svc.cluster.local:9092 \
--kafka.server=kafka-1.kafka-headless.db.svc.cluster.local:9092 \
--web.listen-address=:9308
ports:
- name: metrics
containerPort: 9308
resources:
limits: {}
requests: {}
---
# Source: kafka/charts/zookeeper/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: kafka-zookeeper
namespace: db
labels:
app.kubernetes.io/name: zookeeper
helm.sh/chart: zookeeper-5.21.9
app.kubernetes.io/instance: kafka
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: zookeeper
role: zookeeper
spec:
serviceName: kafka-zookeeper-headless
replicas: 1
podManagementPolicy: Parallel
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: zookeeper
app.kubernetes.io/instance: kafka
app.kubernetes.io/component: zookeeper
template:
metadata:
name: kafka-zookeeper
labels:
app.kubernetes.io/name: zookeeper
helm.sh/chart: zookeeper-5.21.9
app.kubernetes.io/instance: kafka
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: zookeeper
spec:
serviceAccountName: default
securityContext:
fsGroup: 1001
containers:
- name: zookeeper
image: docker.io/bitnami/zookeeper:3.6.2-debian-10-r10
imagePullPolicy: "IfNotPresent"
securityContext:
runAsUser: 1001
command:
- bash
- -ec
- |
# Execute entrypoint as usual after obtaining ZOO_SERVER_ID based on POD hostname
HOSTNAME=`hostname -s`
if [[ $HOSTNAME =~ (.*)-([0-9]+)$ ]]; then
ORD=${BASH_REMATCH[2]}
export ZOO_SERVER_ID=$((ORD+1))
else
echo "Failed to get index from hostname $HOST"
exit 1
fi
exec /entrypoint.sh /run.sh
resources:
requests:
cpu: 250m
memory: 256Mi
env:
- name: ZOO_DATA_LOG_DIR
value: ""
- name: ZOO_PORT_NUMBER
value: "2181"
- name: ZOO_TICK_TIME
value: "2000"
- name: ZOO_INIT_LIMIT
value: "10"
- name: ZOO_SYNC_LIMIT
value: "5"
- name: ZOO_MAX_CLIENT_CNXNS
value: "60"
- name: ZOO_4LW_COMMANDS_WHITELIST
value: "srvr, mntr, ruok"
- name: ZOO_LISTEN_ALLIPS_ENABLED
value: "no"
- name: ZOO_AUTOPURGE_INTERVAL
value: "0"
- name: ZOO_AUTOPURGE_RETAIN_COUNT
value: "3"
- name: ZOO_MAX_SESSION_TIMEOUT
value: "40000"
- name: ZOO_SERVERS
value: kafka-zookeeper-0.kafka-zookeeper-headless.db.svc.cluster.local:2888:3888
- name: ZOO_ENABLE_AUTH
value: "no"
- name: ZOO_HEAP_SIZE
value: "1024"
- name: ZOO_LOG_LEVEL
value: "ERROR"
- name: ALLOW_ANONYMOUS_LOGIN
value: "yes"
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
ports:
- name: client
containerPort: 2181
- name: follower
containerPort: 2888
- name: election
containerPort: 3888
livenessProbe:
exec:
command: ['/bin/bash', '-c', 'echo "ruok" | timeout 2 nc -w 2 localhost 2181 | grep imok']
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
readinessProbe:
exec:
command: ['/bin/bash', '-c', 'echo "ruok" | timeout 2 nc -w 2 localhost 2181 | grep imok']
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
volumeMounts:
- name: data
mountPath: /bitnami/zookeeper
volumes:
volumeClaimTemplates:
- metadata:
name: data
annotations:
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: "8Gi"
---
# Source: kafka/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: kafka
labels:
app.kubernetes.io/name: kafka
helm.sh/chart: kafka-11.8.6
app.kubernetes.io/instance: kafka
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: kafka
spec:
podManagementPolicy: Parallel
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: kafka
app.kubernetes.io/instance: kafka
app.kubernetes.io/component: kafka
serviceName: kafka-headless
updateStrategy:
type: "RollingUpdate"
template:
metadata:
labels:
app.kubernetes.io/name: kafka
helm.sh/chart: kafka-11.8.6
app.kubernetes.io/instance: kafka
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: kafka
spec:
securityContext:
fsGroup: 1001
runAsUser: 1001
serviceAccountName: kafka
containers:
- name: kafka
image: docker.io/bitnami/kafka:2.6.0-debian-10-r30
imagePullPolicy: "IfNotPresent"
command:
- /scripts/setup.sh
env:
- name: BITNAMI_DEBUG
value: "false"
- name: MY_POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KAFKA_CFG_ZOOKEEPER_CONNECT
value: "kafka-zookeeper"
- name: KAFKA_INTER_BROKER_LISTENER_NAME
value: "INTERNAL"
- name: KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP
value: "INTERNAL:PLAINTEXT,CLIENT:PLAINTEXT"
- name: KAFKA_CFG_LISTENERS
value: "INTERNAL://:9093,CLIENT://:9092"
- name: KAFKA_CFG_ADVERTISED_LISTENERS
value: "INTERNAL://$(MY_POD_NAME).kafka-headless.db.svc.cluster.local:9093,CLIENT://$(MY_POD_NAME).kafka-headless.db.svc.cluster.local:9092"
- name: ALLOW_PLAINTEXT_LISTENER
value: "yes"
- name: KAFKA_CFG_DELETE_TOPIC_ENABLE
value: "false"
- name: KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE
value: "true"
- name: KAFKA_HEAP_OPTS
value: "-Xmx1024m -Xms1024m"
- name: KAFKA_CFG_LOG_FLUSH_INTERVAL_MESSAGES
value: "10000"
- name: KAFKA_CFG_LOG_FLUSH_INTERVAL_MS
value: "1000"
- name: KAFKA_CFG_LOG_RETENTION_BYTES
value: "1073741824"
- name: KAFKA_CFG_LOG_RETENTION_CHECK_INTERVALS_MS
value: "300000"
- name: KAFKA_CFG_LOG_RETENTION_HOURS
value: "168"
- name: KAFKA_CFG_MESSAGE_MAX_BYTES
value: "1000012"
- name: KAFKA_CFG_LOG_SEGMENT_BYTES
value: "1073741824"
- name: KAFKA_CFG_LOG_DIRS
value: "/bitnami/kafka/data"
- name: KAFKA_CFG_DEFAULT_REPLICATION_FACTOR
value: "1"
- name: KAFKA_CFG_OFFSETS_TOPIC_REPLICATION_FACTOR
value: "1"
- name: KAFKA_CFG_TRANSACTION_STATE_LOG_REPLICATION_FACTOR
value: "1"
- name: KAFKA_CFG_TRANSACTION_STATE_LOG_MIN_ISR
value: "1"
- name: KAFKA_CFG_NUM_IO_THREADS
value: "8"
- name: KAFKA_CFG_NUM_NETWORK_THREADS
value: "3"
- name: KAFKA_CFG_NUM_PARTITIONS
value: "1"
- name: KAFKA_CFG_NUM_RECOVERY_THREADS_PER_DATA_DIR
value: "1"
- name: KAFKA_CFG_SOCKET_RECEIVE_BUFFER_BYTES
value: "102400"
- name: KAFKA_CFG_SOCKET_REQUEST_MAX_BYTES
value: "104857600"
- name: KAFKA_CFG_SOCKET_SEND_BUFFER_BYTES
value: "102400"
- name: KAFKA_CFG_ZOOKEEPER_CONNECTION_TIMEOUT_MS
value: "6000"
ports:
- name: kafka-client
containerPort: 9092
- name: kafka-internal
containerPort: 9093
livenessProbe:
tcpSocket:
port: kafka-client
initialDelaySeconds: 10
timeoutSeconds: 5
failureThreshold:
periodSeconds:
successThreshold:
readinessProbe:
tcpSocket:
port: kafka-client
initialDelaySeconds: 5
timeoutSeconds: 5
failureThreshold: 6
periodSeconds:
successThreshold:
resources:
limits: {}
requests: {}
volumeMounts:
- name: data
mountPath: /bitnami/kafka
- name: scripts
mountPath: /scripts/setup.sh
subPath: setup.sh
volumes:
- name: scripts
configMap:
name: kafka-scripts
defaultMode: 0755
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: "8Gi"

6
ee/scripts/helm/helm/databases/charts/kafka/requirements.lock Executable file
View file

@ -0,0 +1,6 @@
dependencies:
- name: zookeeper
repository: https://charts.bitnami.com/bitnami
version: 5.21.9
digest: sha256:2f3c43ce02e3966648b8c89be121fe39537f62ea1d161ad908f51ddc90e4243e
generated: "2020-09-29T07:43:56.483358254Z"

5
ee/scripts/helm/helm/databases/charts/kafka/requirements.yaml Executable file
View file

@ -0,0 +1,5 @@
dependencies:
- name: zookeeper
version: 5.x.x
repository: https://charts.bitnami.com/bitnami
condition: zookeeper.enabled

181
ee/scripts/helm/helm/databases/charts/kafka/templates/NOTES.txt Executable file
View file

@ -0,0 +1,181 @@
{{- $replicaCount := int .Values.replicaCount -}}
{{- $releaseNamespace := .Release.Namespace -}}
{{- $clusterDomain := .Values.clusterDomain -}}
{{- $fullname := include "kafka.fullname" . -}}
{{- $clientProtocol := include "kafka.listenerType" ( dict "protocol" .Values.auth.clientProtocol ) -}}
{{- $servicePort := int .Values.service.port -}}
{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs -}}
{{- if and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.service.type "LoadBalancer") }}
###############################################################################
### ERROR: You enabled external access to Kafka brokers without specifying ###
### the array of load balancer IPs for Kafka brokers. ###
###############################################################################
This deployment will be incomplete until you configure the array of load balancer
IPs for Kafka brokers. To complete your deployment follow the steps below:
1. Wait for the load balancer IPs (it may take a few minutes for them to be available):
kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -w
2. Obtain the load balancer IPs and upgrade your chart:
{{- range $i, $e := until $replicaCount }}
LOAD_BALANCER_IP_{{ add $i 1 }}="$(kubectl get svc --namespace {{ $releaseNamespace }} {{ $fullname }}-{{ $i }}-external -o jsonpath='{.status.loadBalancer.ingress[0].ip}')"
{{- end }}
3. Upgrade you chart:
helm upgrade {{ .Release.Name }} bitnami/{{ .Chart.Name }} \
--set replicaCount={{ $replicaCount }} \
--set externalAccess.enabled=true \
{{- range $i, $e := until $replicaCount }}
--set externalAccess.service.loadBalancerIPs[{{ $i }}]=$LOAD_BALANCER_IP_{{ add $i 1 }} \
{{- end }}
--set externalAccess.service.type=LoadBalancer
{{- else }}
{{- if and (or (eq .Values.service.type "LoadBalancer") .Values.externalAccess.enabled) (eq .Values.auth.clientProtocol "plaintext") }}
---------------------------------------------------------------------------------------------
WARNING
By specifying "serviceType=LoadBalancer" and not configuring the authentication
you have most likely exposed the Kafka service externally without any
authentication mechanism.
For security reasons, we strongly suggest that you switch to "ClusterIP" or
"NodePort". As alternative, you can also configure the Kafka authentication.
---------------------------------------------------------------------------------------------
{{- end }}
** Please be patient while the chart is being deployed **
Kafka can be accessed by consumers via port {{ $servicePort }} on the following DNS name from within your cluster:
{{ $fullname }}.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}
Each Kafka broker can be accessed by producers via port {{ $servicePort }} on the following DNS name(s) from within your cluster:
{{- $brokerList := list }}
{{- range $e, $i := until $replicaCount }}
{{- $brokerList = append $brokerList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $servicePort) }}
{{- end }}
{{ join "\n" $brokerList | nindent 4 }}
{{- if (include "kafka.client.saslAuthentication" .) }}
You need to configure your Kafka client to access using SASL authentication. To do so, you need to create the 'kafka_jaas.conf' and 'client.properties' configuration files by executing these commands:
- kafka_jaas.conf:
cat > kafka_jaas.conf <<EOF
KafkaClient {
{{- if .Values.auth.saslMechanisms | regexFind "scram" }}
org.apache.kafka.common.security.scram.ScramLoginModule required
{{- else }}
org.apache.kafka.common.security.plain.PlainLoginModule required
{{- end }}
username="{{ index .Values.auth.jaas.clientUsers 0 }}"
password="$(kubectl get secret {{ $fullname }}-jaas -n {{ $releaseNamespace }} -o jsonpath='{.data.client-passwords}' | base64 --decode | cut -d , -f 1)";
};
EOF
- client.properties:
cat > client.properties <<EOF
security.protocol={{ $clientProtocol }}
{{- if .Values.auth.saslMechanisms | regexFind "scram-sha-256" }}
sasl.mechanism=SCRAM-SHA-256
{{- else if .Values.auth.saslMechanisms | regexFind "scram-sha-512" }}
sasl.mechanism=SCRAM-SHA-512
{{- else -}}
sasl.mechanism=PLAIN
{{- end }}
{{- if eq .Values.auth.clientProtocol "sasl_tls" }}
ssl.truststore.location=/tmp/kafka.truststore.jks
{{- if .Values.auth.jksPassword }}
ssl.truststore.password={{ .Values.auth.jksPassword }}
{{- end }}
{{- end }}
{{- if eq .Values.auth.tlsEndpointIdentificationAlgorithm "" }}
ssl.endpoint.identification.algorithm=
{{- end }}
EOF
{{- end }}
To create a pod that you can use as a Kafka client run the following commands:
kubectl run {{ $fullname }}-client --restart='Never' --image {{ template "kafka.image" . }} --namespace {{ $releaseNamespace }} --command -- sleep infinity
{{- if (include "kafka.client.saslAuthentication" .) }}
kubectl cp --namespace {{ $releaseNamespace }} /path/to/client.properties {{ $fullname }}-client:/tmp/client.properties
kubectl cp --namespace {{ $releaseNamespace }} /path/to/kafka_jaas.conf {{ $fullname }}-client:/tmp/kafka_jaas.conf
{{- if eq .Values.auth.clientProtocol "sasl_tls" }}
kubectl cp --namespace {{ $releaseNamespace }} ./kafka.truststore.jks {{ $fullname }}-client:/tmp/kafka.truststore.jks
{{- end }}
{{- end }}
kubectl exec --tty -i {{ $fullname }}-client --namespace {{ $releaseNamespace }} -- bash
{{- if (include "kafka.client.saslAuthentication" .) }}
export KAFKA_OPTS="-Djava.security.auth.login.config=/tmp/kafka_jaas.conf"
{{- end }}
PRODUCER:
kafka-console-producer.sh \
{{ if (include "kafka.client.saslAuthentication" .) }}--producer.config /tmp/client.properties \{{ end }}
--broker-list {{ join "," $brokerList }} \
--topic test
CONSUMER:
kafka-console-consumer.sh \
{{ if (include "kafka.client.saslAuthentication" .) }}--consumer.config /tmp/client.properties \{{ end }}
--bootstrap-server {{ $fullname }}.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ .Values.service.port }} \
--topic test \
--from-beginning
{{- if .Values.externalAccess.enabled }}
To connect to your Kafka server from outside the cluster, follow the instructions below:
{{- if eq "NodePort" .Values.externalAccess.service.type }}
{{- if .Values.externalAccess.service.domain }}
Kafka brokers domain: Use your provided hostname to reach Kafka brokers, {{ .Values.externalAccess.service.domain }}
{{- else }}
Kafka brokers domain: You can get the external node IP from the Kafka configuration file with the following commands (Check the EXTERNAL listener)
1. Obtain the pod name:
kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka"
2. Obtain pod configuration:
kubectl exec -it KAFKA_POD -- cat /opt/bitnami/kafka/config/server.properties | grep advertised.listeners
{{- end }}
Kafka brokers port: You will have a different node port for each Kafka broker. You can get the list of configured node ports using the command below:
echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].spec.ports[0].nodePort}' | tr ' ' '\n')"
{{- else if contains "LoadBalancer" .Values.externalAccess.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IPs to be available.
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -w'
Kafka Brokers domain: You will have a different external IP for each Kafka broker. You can get the list of external IPs using the command below:
echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "kafka.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=kafka,pod" -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}' | tr ' ' '\n')"
Kafka Brokers port: {{ .Values.externalAccess.service.port }}
{{- end }}
{{- end }}
{{- end }}
{{- include "kafka.checkRollingTags" . }}
{{- include "kafka.validateValues" . }}

556
ee/scripts/helm/helm/databases/charts/kafka/templates/_helpers.tpl Executable file
View file

@ -0,0 +1,556 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "kafka.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kafka.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kafka.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "kafka.labels" -}}
app.kubernetes.io/name: {{ include "kafka.name" . }}
helm.sh/chart: {{ include "kafka.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
*/}}
{{- define "kafka.matchLabels" -}}
app.kubernetes.io/name: {{ include "kafka.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Create a default fully qualified zookeeper name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "kafka.zookeeper.fullname" -}}
{{- if .Values.zookeeper.fullnameOverride -}}
{{- .Values.zookeeper.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default "zookeeper" .Values.zookeeper.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "kafka.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "kafka.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the proper Kafka image name
*/}}
{{- define "kafka.image" -}}
{{- $registryName := .Values.image.registry -}}
{{- $repositoryName := .Values.image.repository -}}
{{- $tag := .Values.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper image name (for the init container auto-discovery image)
*/}}
{{- define "kafka.externalAccess.autoDiscovery.image" -}}
{{- $registryName := .Values.externalAccess.autoDiscovery.image.registry -}}
{{- $repositoryName := .Values.externalAccess.autoDiscovery.image.repository -}}
{{- $tag := .Values.externalAccess.autoDiscovery.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper image name (for the init container volume-permissions image)
*/}}
{{- define "kafka.volumePermissions.image" -}}
{{- $registryName := .Values.volumePermissions.image.registry -}}
{{- $repositoryName := .Values.volumePermissions.image.repository -}}
{{- $tag := .Values.volumePermissions.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Kafka exporter image name
*/}}
{{- define "kafka.metrics.kafka.image" -}}
{{- $registryName := .Values.metrics.kafka.image.registry -}}
{{- $repositoryName := .Values.metrics.kafka.image.repository -}}
{{- $tag := .Values.metrics.kafka.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper JMX exporter image name
*/}}
{{- define "kafka.metrics.jmx.image" -}}
{{- $registryName := .Values.metrics.jmx.image.registry -}}
{{- $repositoryName := .Values.metrics.jmx.image.repository -}}
{{- $tag := .Values.metrics.jmx.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "kafka.imagePullSecrets" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
Also, we can not use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- else if or .Values.image.pullSecrets .Values.externalAccess.autoDiscovery.image.pullSecrets .Values.volumePermissions.image.pullSecrets .Values.metrics.kafka.image.pullSecrets .Values.metrics.jmx.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.externalAccess.autoDiscovery.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.metrics.kafka.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.metrics.jmx.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- else if or .Values.image.pullSecrets .Values.externalAccess.autoDiscovery.image.pullSecrets .Values.volumePermissions.image.pullSecrets .Values.metrics.kafka.image.pullSecrets .Values.metrics.jmx.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.externalAccess.autoDiscovery.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.metrics.kafka.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.metrics.jmx.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Return the proper Storage Class
*/}}
{{- define "kafka.storageClass" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
*/}}
{{- if .Values.global -}}
{{- if .Values.global.storageClass -}}
{{- if (eq "-" .Values.global.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.global.storageClass -}}
{{- end -}}
{{- else -}}
{{- if .Values.persistence.storageClass -}}
{{- if (eq "-" .Values.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- else -}}
{{- if .Values.persistence.storageClass -}}
{{- if (eq "-" .Values.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Return true if authentication via SASL should be configured for client communications
*/}}
{{- define "kafka.client.saslAuthentication" -}}
{{- $saslProtocols := list "sasl" "sasl_tls" -}}
{{- if has .Values.auth.clientProtocol $saslProtocols -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return true if authentication via SASL should be configured for inter-broker communications
*/}}
{{- define "kafka.interBroker.saslAuthentication" -}}
{{- $saslProtocols := list "sasl" "sasl_tls" -}}
{{- if has .Values.auth.interBrokerProtocol $saslProtocols -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return true if encryption via TLS should be configured
*/}}
{{- define "kafka.tlsEncryption" -}}
{{- $tlsProtocols := list "tls" "mtls" "sasl_tls" -}}
{{- if or (has .Values.auth.clientProtocol $tlsProtocols) (has .Values.auth.interBrokerProtocol $tlsProtocols) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the type of listener
Usage:
{{ include "kafka.listenerType" ( dict "protocol" .Values.path.to.the.Value ) }}
*/}}
{{- define "kafka.listenerType" -}}
{{- if eq .protocol "plaintext" -}}
PLAINTEXT
{{- else if or (eq .protocol "tls") (eq .protocol "mtls") -}}
SSL
{{- else if eq .protocol "sasl_tls" -}}
SASL_SSL
{{- else if eq .protocol "sasl" -}}
SASL_PLAINTEXT
{{- end -}}
{{- end -}}
{{/*
Return the SASL type
Usage:
{{ include "kafka.auth.saslMechanisms" ( dict "type" .Values.path.to.the.Value ) }}
*/}}
{{- define "kafka.auth.saslMechanisms" -}}
{{- $mechanisms := list -}}
{{- if .type | regexFind "plain" -}}
{{- $mechanisms = append $mechanisms "PLAIN" -}}
{{- end -}}
{{- if .type | regexFind "scram-sha-256" -}}
{{- $mechanisms = append $mechanisms "SCRAM-SHA-256" -}}
{{- end -}}
{{- if .type | regexFind "scram-sha-512" -}}
{{- $mechanisms = append $mechanisms "SCRAM-SHA-512" -}}
{{- end -}}
{{- $mechanisms = join "," $mechanisms -}}
{{- printf "%s" $mechanisms -}}
{{- end -}}
{{/*
Return the Kafka JAAS credentials secret
*/}}
{{- define "kafka.jaasSecretName" -}}
{{- if .Values.auth.jaas.existingSecret -}}
{{- printf "%s" (tpl .Values.auth.jaas.existingSecret $) -}}
{{- else -}}
{{- printf "%s-jaas" (include "kafka.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a JAAS credentials secret object should be created
*/}}
{{- define "kafka.createJaasSecret" -}}
{{- if and (or (include "kafka.client.saslAuthentication" .) (include "kafka.interBroker.saslAuthentication" .) .Values.auth.jaas.zookeeperUser) (not .Values.auth.jaas.existingSecret) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the Kafka JKS credentials secret
*/}}
{{- define "kafka.jksSecretName" -}}
{{- if .Values.auth.jksSecret -}}
{{- printf "%s" (tpl .Values.auth.jksSecret $) -}}
{{- else -}}
{{- printf "%s-jks" (include "kafka.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a JAAS credentials secret object should be created
*/}}
{{- define "kafka.createJksSecret" -}}
{{- if and (.Files.Glob "files/jks/*.jks") (not .Values.auth.jksSecret) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the Kafka configuration configmap
*/}}
{{- define "kafka.configmapName" -}}
{{- if .Values.existingConfigmap -}}
{{- printf "%s" (tpl .Values.existingConfigmap $) -}}
{{- else -}}
{{- printf "%s-configuration" (include "kafka.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap object should be created
*/}}
{{- define "kafka.createConfigmap" -}}
{{- if and .Values.config (not .Values.existingConfigmap) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the Kafka log4j ConfigMap name.
*/}}
{{- define "kafka.log4j.configMapName" -}}
{{- if .Values.existingLog4jConfigMap -}}
{{- printf "%s" (tpl .Values.existingLog4jConfigMap $) -}}
{{- else -}}
{{- printf "%s-log4j-configuration" (include "kafka.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a log4j ConfigMap object should be created.
*/}}
{{- define "kafka.log4j.createConfigMap" -}}
{{- if and .Values.log4j (not .Values.existingLog4jConfigMap) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the Kafka configuration configmap
*/}}
{{- define "kafka.metrics.jmx.configmapName" -}}
{{- if .Values.metrics.jmx.existingConfigmap -}}
{{- printf "%s" (tpl .Values.metrics.jmx.existingConfigmap $) -}}
{{- else -}}
{{- printf "%s-jmx-configuration" (include "kafka.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap object should be created
*/}}
{{- define "kafka.metrics.jmx.createConfigmap" -}}
{{- if and .Values.metrics.jmx.enabled .Values.metrics.jmx.config (not .Values.metrics.jmx.existingConfigmap) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Renders a value that contains template.
Usage:
{{ include "kafka.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "kafka.tplValue" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}
{{/*
Check if there are rolling tags in the images
*/}}
{{- define "kafka.checkRollingTags" -}}
{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- if and (contains "bitnami/" .Values.externalAccess.autoDiscovery.image.repository) (not (.Values.externalAccess.autoDiscovery.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .Values.externalAccess.autoDiscovery.image.repository }}:{{ .Values.externalAccess.autoDiscovery.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- if and (contains "bitnami/" .Values.metrics.kafka.image.repository) (not (.Values.metrics.kafka.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .Values.metrics.kafka.image.repository }}:{{ .Values.metrics.kafka.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- if and (contains "bitnami/" .Values.metrics.jmx.image.repository) (not (.Values.metrics.jmx.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .Values.metrics.jmx.image.repository }}:{{ .Values.metrics.jmx.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- end -}}
{{/*
Compile all warnings into a single message, and call fail.
*/}}
{{- define "kafka.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "kafka.validateValues.authProtocols" .) -}}
{{- $messages := append $messages (include "kafka.validateValues.nodePortListLength" .) -}}
{{- $messages := append $messages (include "kafka.validateValues.externalAccessServiceType" .) -}}
{{- $messages := append $messages (include "kafka.validateValues.externalAccessAutoDiscoveryRBAC" .) -}}
{{- $messages := append $messages (include "kafka.validateValues.jksSecret" .) -}}
{{- $messages := append $messages (include "kafka.validateValues.saslMechanisms" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/* Validate values of Kafka - Authentication protocols for Kafka */}}
{{- define "kafka.validateValues.authProtocols" -}}
{{- $authProtocols := list "plaintext" "tls" "mtls" "sasl" "sasl_tls" -}}
{{- if or (not (has .Values.auth.clientProtocol $authProtocols)) (not (has .Values.auth.interBrokerProtocol $authProtocols)) -}}
kafka: auth.clientProtocol auth.interBrokerProtocol
Available authentication protocols are "plaintext", "tls", "mtls", "sasl" and "sasl_tls"
{{- end -}}
{{- end -}}
{{/* Validate values of Kafka - number of replicas must be the same than NodePort list */}}
{{- define "kafka.validateValues.nodePortListLength" -}}
{{- $replicaCount := int .Values.replicaCount }}
{{- $nodePortListLength := len .Values.externalAccess.service.nodePorts }}
{{- if and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $nodePortListLength )) (eq .Values.externalAccess.service.type "NodePort") -}}
kafka: .Values.externalAccess.service.nodePorts
Number of replicas and nodePort array length must be the same. Currently: replicaCount = {{ $replicaCount }} and nodePorts = {{ $nodePortListLength }}
{{- end -}}
{{- end -}}
{{/* Validate values of Kafka - service type for external access */}}
{{- define "kafka.validateValues.externalAccessServiceType" -}}
{{- if and (not (eq .Values.externalAccess.service.type "NodePort")) (not (eq .Values.externalAccess.service.type "LoadBalancer")) -}}
kafka: externalAccess.service.type
Available servive type for external access are NodePort or LoadBalancer.
{{- end -}}
{{- end -}}
{{/* Validate values of Kafka - RBAC should be enabled when autoDiscovery is enabled */}}
{{- define "kafka.validateValues.externalAccessAutoDiscoveryRBAC" -}}
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (not .Values.rbac.create )}}
kafka: rbac.create
By specifying "externalAccess.enabled=true" and "externalAccess.autoDiscovery.enabled=true"
an initContainer will be used to autodetect the external IPs/ports by querying the
K8s API. Please note this initContainer requires specific RBAC resources. You can create them
by specifying "--set rbac.create=true".
{{- end -}}
{{- end -}}
{{/* Validate values of Kafka - A secret containing JKS files must be provided when TLS authentication is enabled */}}
{{- define "kafka.validateValues.jksSecret" -}}
{{- if and (include "kafka.tlsEncryption" .) (not .Values.auth.jksSecret) (not (.Files.Glob "files/jks/*.jks")) }}
kafka: auth.jksSecret
A secret containing the Kafka JKS files is required when TLS encryption in enabled
{{- end -}}
{{- end -}}
{{/* Validate values of Kafka - SASL mechanisms must be provided when using SASL */}}
{{- define "kafka.validateValues.saslMechanisms" -}}
{{- if and (or (.Values.auth.clientProtocol | regexFind "sasl") (.Values.auth.interBrokerProtocol | regexFind "sasl") .Values.auth.jaas.zookeeperUser) (not .Values.auth.saslMechanisms) }}
kafka: auth.saslMechanisms
The SASL mechanisms are required when either auth.clientProtocol or auth.interBrokerProtocol use SASL or Zookeeper user is provided.
{{- end }}
{{- if not (contains .Values.auth.saslInterBrokerMechanism .Values.auth.saslMechanisms) }}
kafka: auth.saslMechanisms
auth.saslInterBrokerMechanism must be provided and it should be one of the specified mechanisms at auth.saslMechanisms
{{- end -}}
{{- end -}}

16
ee/scripts/helm/helm/databases/charts/kafka/templates/configmap.yaml Executable file
View file

@ -0,0 +1,16 @@
{{- if (include "kafka.createConfigmap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "kafka.fullname" . }}-configuration
labels: {{- include "kafka.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
server.properties: |-
{{ .Values.config | nindent 4 }}
{{- end -}}

5
ee/scripts/helm/helm/databases/charts/kafka/templates/extra-list.yaml Executable file
View file

@ -0,0 +1,5 @@
{{- if .Values.extraDeploy }}
apiVersion: v1
kind: List
items: {{- include "kafka.tplValue" (dict "value" .Values.extraDeploy "context" $) | nindent 2 }}
{{- end }}

32
ee/scripts/helm/helm/databases/charts/kafka/templates/jaas-secret.yaml Executable file
View file

@ -0,0 +1,32 @@
{{- if (include "kafka.createJaasSecret" .) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kafka.fullname" . }}-jaas
labels: {{- include "kafka.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if (include "kafka.client.saslAuthentication" .) }}
{{- if .Values.auth.jaas.clientPasswords }}
client-passwords: {{ join "," .Values.auth.jaas.clientPasswords | b64enc | quote }}
{{- else }}
{{- $passwords := list }}
{{- range .Values.auth.jaas.clientUsers }}
{{- $passwords = append $passwords (randAlphaNum 10) }}
{{- end }}
client-passwords: {{ join "," $passwords | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.auth.jaas.zookeeperUser }}
zookeeper-password: {{ ternary (randAlphaNum 10) .Values.auth.jaas.zookeeperPassword (empty .Values.auth.jaas.zookeeperPassword) | b64enc | quote }}
{{- end }}
{{- if (include "kafka.interBroker.saslAuthentication" .) }}
inter-broker-password: {{ ternary (randAlphaNum 10) .Values.auth.jaas.interBrokerPassword (empty .Values.auth.jaas.interBrokerPassword) | b64enc | quote }}
{{- end }}
{{- end }}

19
ee/scripts/helm/helm/databases/charts/kafka/templates/jks-secret.yaml Executable file
View file

@ -0,0 +1,19 @@
{{- if (include "kafka.createJksSecret" .) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kafka.fullname" . }}-jks
labels: {{- include "kafka.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- $root := . }}
{{- range $path, $bytes := .Files.Glob "files/jks/*.jks" }}
{{ base $path }}: {{ $root.Files.Get $path | b64enc | quote }}
{{- end }}
{{- end }}

59
ee/scripts/helm/helm/databases/charts/kafka/templates/jmx-configmap.yaml Executable file
View file

@ -0,0 +1,59 @@
{{- if (include "kafka.metrics.jmx.createConfigmap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "kafka.fullname" . }}-jmx-configuration
labels: {{- include "kafka.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
jmx-kafka-prometheus.yml: |-
{{- include "kafka.tplValue" ( dict "value" .Values.metrics.jmx.config "context" $ ) | nindent 4 }}
rules:
- pattern: kafka.controller<type=(ControllerChannelManager), name=(QueueSize), broker-id=(\d+)><>(Value)
name: kafka_controller_$1_$2_$4
labels:
broker_id: "$3"
- pattern: kafka.controller<type=(ControllerChannelManager), name=(TotalQueueSize)><>(Value)
name: kafka_controller_$1_$2_$3
- pattern: kafka.controller<type=(KafkaController), name=(.+)><>(Value)
name: kafka_controller_$1_$2_$3
- pattern: kafka.controller<type=(ControllerStats), name=(.+)><>(Count)
name: kafka_controller_$1_$2_$3
- pattern: kafka.server<type=(ReplicaFetcherManager), name=(.+), clientId=(.+)><>(Value)
name: kafka_server_$1_$2_$4
labels:
client_id: "$3"
- pattern : kafka.network<type=(Processor), name=(IdlePercent), networkProcessor=(.+)><>(Value)
name: kafka_network_$1_$2_$4
labels:
network_processor: $3
- pattern : kafka.network<type=(RequestMetrics), name=(RequestsPerSec), request=(.+)><>(Count)
name: kafka_network_$1_$2_$4
labels:
request: $3
- pattern: kafka.server<type=(.+), name=(.+), topic=(.+)><>(Count|OneMinuteRate)
name: kafka_server_$1_$2_$4
labels:
topic: $3
- pattern: kafka.server<type=(DelayedOperationPurgatory), name=(.+), delayedOperation=(.+)><>(Value)
name: kafka_server_$1_$2_$3_$4
- pattern: kafka.server<type=(.+), name=(.+)><>(Count|Value|OneMinuteRate)
name: kafka_server_$1_total_$2_$3
- pattern: kafka.server<type=(.+)><>(queue-size)
name: kafka_server_$1_$2
- pattern: java.lang<type=(.+), name=(.+)><(.+)>(\w+)
name: java_lang_$1_$4_$3_$2
- pattern: java.lang<type=(.+), name=(.+)><>(\w+)
name: java_lang_$1_$3_$2
- pattern : java.lang<type=(.*)>
- pattern: kafka.log<type=(.+), name=(.+), topic=(.+), partition=(.+)><>Value
name: kafka_log_$1_$2
labels:
topic: $3
partition: $4
{{- end -}}

45
ee/scripts/helm/helm/databases/charts/kafka/templates/jmx-metrics-svc.yaml Executable file
View file

@ -0,0 +1,45 @@
{{- if .Values.metrics.jmx.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "kafka.fullname" . }}-jmx-metrics
labels: {{- include "kafka.labels" . | nindent 4 }}
app.kubernetes.io/component: kafka
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.metrics.jmx.service.annotations .Values.commonAnnotations }}
annotations:
{{- if .Values.metrics.jmx.service.annotations }}
{{ include "kafka.tplValue" ( dict "value" .Values.metrics.jmx.service.annotations "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.metrics.jmx.service.type }}
{{- if eq .Values.metrics.jmx.service.type "LoadBalancer" }}
{{- if .Values.metrics.jmx.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.metrics.jmx.service.loadBalancerIP }}
{{- end }}
{{- if .Values.metrics.jmx.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{- toYaml .Values.metrics.jmx.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- end }}
{{- if and (eq .Values.metrics.jmx.service.type "ClusterIP") .Values.metrics.jmx.service.clusterIP }}
clusterIP: {{ .Values.metrics.jmx.service.clusterIP }}
{{- end }}
ports:
- name: http-metrics
port: {{ .Values.metrics.jmx.service.port }}
protocol: TCP
targetPort: metrics
{{- if and (or (eq .Values.metrics.jmx.service.type "NodePort") (eq .Values.metrics.jmx.service.type "LoadBalancer")) (not (empty .Values.metrics.jmx.service.nodePort)) }}
nodePort: {{ .Values.metrics.jmx.service.nodePort }}
{{- else if eq .Values.metrics.jmx.service.type "ClusterIP" }}
nodePort: null
{{- end }}
selector: {{- include "kafka.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: kafka
{{- end }}

87
ee/scripts/helm/helm/databases/charts/kafka/templates/kafka-metrics-deployment.yaml Executable file
View file

@ -0,0 +1,87 @@
{{- if .Values.metrics.kafka.enabled }}
{{- $replicaCount := int .Values.replicaCount -}}
{{- $releaseNamespace := .Release.Namespace -}}
{{- $clusterDomain := .Values.clusterDomain -}}
{{- $fullname := include "kafka.fullname" . -}}
{{- $servicePort := int .Values.service.port -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "kafka.fullname" . }}-exporter
labels: {{- include "kafka.labels" . | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: 1
selector:
matchLabels: {{- include "kafka.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: metrics
template:
metadata:
labels: {{- include "kafka.labels" . | nindent 8 }}
app.kubernetes.io/component: metrics
spec:
{{- include "kafka.imagePullSecrets" . | indent 6 }}
containers:
- name: kafka-exporter
image: {{ include "kafka.metrics.kafka.image" . }}
imagePullPolicy: {{ .Values.metrics.kafka.image.pullPolicy | quote }}
command:
- /bin/bash
- -ec
- |
read -r -a sasl_passwords <<< "$(tr ',;' ' ' <<< "${SASL_USER_PASSWORD}")"
kafka_exporter \
{{- range $i, $e := until $replicaCount }}
--kafka.server={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $servicePort }} \
{{- end }}
{{- if (include "kafka.client.saslAuthentication" .) }}
--sasl.enabled \
--sasl.username="$SASL_USERNAME" \
--sasl.password="${sasl_passwords[0]}" \
{{- end }}
{{- if (include "kafka.tlsEncryption" .) }}
--tls.enabled \
{{- if .Values.metrics.kafka.certificatesSecret }}
--tls.ca-file="/opt/bitnami/kafka-exporter/certs/ca-file" \
--tls.cert-file="/opt/bitnami/kafka-exporter/certs/cert-file" \
--tls.key-file="/opt/bitnami/kafka-exporter/certs/key-file" \
{{- end }}
{{- end }}
{{- range $key, $value := .Values.metrics.kafka.extraFlags }}
--{{ $key }}{{ if $value }}={{ $value }}{{ end }} \
{{- end }}
--web.listen-address=:9308
{{- if (include "kafka.client.saslAuthentication" .) }}
env:
- name: SASL_USERNAME
value: {{ index .Values.auth.jaas.clientUsers 0 | quote }}
- name: SASL_USER_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "kafka.jaasSecretName" . }}
key: client-passwords
{{- end }}
ports:
- name: metrics
containerPort: 9308
{{- if .Values.metrics.kafka.resources }}
resources: {{ toYaml .Values.metrics.kafka.resources | nindent 12 }}
{{- end }}
{{- if and (include "kafka.tlsEncryption" .) .Values.metrics.kafka.certificatesSecret }}
volumeMounts:
- name: kafka-exporter-certificates
mountPath: /opt/bitnami/kafka-exporter/certs/
readOnly: true
volumes:
- name: kafka-exporter-certificates
secret:
secretName: {{ .Values.metrics.kafka.certificatesSecret }}
defaultMode: 0440
{{- end }}
{{- end }}

45
ee/scripts/helm/helm/databases/charts/kafka/templates/kafka-metrics-svc.yaml Executable file
View file

@ -0,0 +1,45 @@
{{- if .Values.metrics.kafka.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "kafka.fullname" . }}-metrics
labels: {{- include "kafka.labels" . | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.metrics.kafka.service.annotations .Values.commonAnnotations }}
annotations:
{{- if .Values.metrics.kafka.service.annotations }}
{{ include "kafka.tplValue" ( dict "value" .Values.metrics.kafka.service.annotations "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.metrics.kafka.service.type }}
{{- if eq .Values.metrics.kafka.service.type "LoadBalancer" }}
{{- if .Values.metrics.kafka.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.metrics.kafka.service.loadBalancerIP }}
{{- end }}
{{- if .Values.metrics.kafka.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{- toYaml .Values.metrics.kafka.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- end }}
{{- if and (eq .Values.metrics.kafka.service.type "ClusterIP") .Values.metrics.kafka.service.clusterIP }}
clusterIP: {{ .Values.metrics.kafka.service.clusterIP }}
{{- end }}
ports:
- name: http-metrics
port: {{ .Values.metrics.kafka.service.port }}
protocol: TCP
targetPort: metrics
{{- if and (or (eq .Values.metrics.kafka.service.type "NodePort") (eq .Values.metrics.kafka.service.type "LoadBalancer")) (not (empty .Values.metrics.kafka.service.nodePort)) }}
nodePort: {{ .Values.metrics.kafka.service.nodePort }}
{{- else if eq .Values.metrics.kafka.service.type "ClusterIP" }}
nodePort: null
{{- end }}
selector: {{- include "kafka.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: metrics
{{- end }}

16
ee/scripts/helm/helm/databases/charts/kafka/templates/log4j-configmap.yaml Executable file
View file

@ -0,0 +1,16 @@
{{- if (include "kafka.log4j.createConfigMap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "kafka.log4j.configMapName" . }}
labels: {{- include "kafka.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
log4j.properties: |-
{{ .Values.log4j | nindent 4 }}
{{- end -}}

25
ee/scripts/helm/helm/databases/charts/kafka/templates/poddisruptionbudget.yaml Executable file
View file

@ -0,0 +1,25 @@
{{- $replicaCount := int .Values.replicaCount }}
{{- if and .Values.pdb.create (gt $replicaCount 1) }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ template "kafka.fullname" . }}
labels: {{- include "kafka.labels" . | nindent 4 }}
app.kubernetes.io/component: kafka
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.pdb.minAvailable }}
minAvailable: {{ .Values.pdb.minAvailable }}
{{- end }}
{{- if .Values.pdb.maxUnavailable }}
maxUnavailable: {{ .Values.pdb.maxUnavailable }}
{{- end }}
selector:
matchLabels: {{- include "kafka.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: kafka
{{- end }}

23
ee/scripts/helm/helm/databases/charts/kafka/templates/role.yaml Executable file
View file

@ -0,0 +1,23 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "kafka.fullname" . }}
labels: {{- include "kafka.labels" . | nindent 4 }}
app.kubernetes.io/component: kafka
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
{{- end -}}

22
ee/scripts/helm/helm/databases/charts/kafka/templates/rolebinding.yaml Executable file
View file

@ -0,0 +1,22 @@
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "kafka.fullname" . }}
labels: {{- include "kafka.labels" . | nindent 4 }}
app.kubernetes.io/component: kafka
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
kind: Role
name: {{ template "kafka.fullname" . }}
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ template "kafka.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

118
ee/scripts/helm/helm/databases/charts/kafka/templates/scripts-configmap.yaml Executable file
View file

@ -0,0 +1,118 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "kafka.fullname" . }}-scripts
labels: {{- include "kafka.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
{{- $fullname := include "kafka.fullname" . }}
{{- $releaseNamespace := .Release.Namespace }}
{{- $clusterDomain := .Values.clusterDomain }}
{{- $interBrokerPort := .Values.service.internalPort }}
{{- $clientPort := .Values.service.port }}
{{- if .Values.externalAccess.autoDiscovery.enabled }}
auto-discovery.sh: |-
#!/bin/bash
SVC_NAME="${MY_POD_NAME}-external"
{{- if eq .Values.externalAccess.service.type "LoadBalancer" }}
# Auxiliar functions
retry_while() {
local -r cmd="${1:?cmd is missing}"
local -r retries="${2:-12}"
local -r sleep_time="${3:-5}"
local return_value=1
read -r -a command <<< "$cmd"
for ((i = 1 ; i <= retries ; i+=1 )); do
"${command[@]}" && return_value=0 && break
sleep "$sleep_time"
done
return $return_value
}
k8s_svc_lb_ip() {
local namespace=${1:?namespace is missing}
local service=${2:?service is missing}
local service_ip=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
local service_hostname=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")
if [[ -n ${service_ip} ]]; then
echo "${service_ip}"
else
echo "${service_hostname}"
fi
}
k8s_svc_lb_ip_ready() {
local namespace=${1:?namespace is missing}
local service=${2:?service is missing}
[[ -n "$(k8s_svc_lb_ip "$namespace" "$service")" ]]
}
# Wait until LoadBalancer IP is ready
retry_while "k8s_svc_lb_ip_ready {{ $releaseNamespace }} $SVC_NAME" || exit 1
# Obtain LoadBalancer external IP
k8s_svc_lb_ip "{{ $releaseNamespace }}" "$SVC_NAME" | tee "$SHARED_FILE"
{{- else if eq .Values.externalAccess.service.type "NodePort" }}
k8s_svc_node_port() {
local namespace=${1:?namespace is missing}
local service=${2:?service is missing}
local index=${3:-0}
local node_port="$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.spec.ports[$index].nodePort}")"
echo "$node_port"
}
k8s_svc_node_port "{{ $releaseNamespace }}" "$SVC_NAME" | tee "$SHARED_FILE"
{{- end }}
{{- end }}
setup.sh: |-
#!/bin/bash
ID="${MY_POD_NAME#"{{ $fullname }}-"}"
export KAFKA_CFG_BROKER_ID="$ID"
{{- if .Values.externalAccess.enabled }}
# Configure external ip and port
{{- if eq .Values.externalAccess.service.type "LoadBalancer" }}
{{- if .Values.externalAccess.autoDiscovery.enabled }}
export EXTERNAL_ACCESS_IP="$(<${SHARED_FILE})"
{{- else }}
export EXTERNAL_ACCESS_IP=$(echo '{{ .Values.externalAccess.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))")
{{- end }}
export EXTERNAL_ACCESS_PORT={{ .Values.externalAccess.service.port }}
{{- else if eq .Values.externalAccess.service.type "NodePort" }}
{{- if .Values.externalAccess.service.domain }}
export EXTERNAL_ACCESS_IP={{ .Values.externalAccess.service.domain }}
{{- else }}
export EXTERNAL_ACCESS_IP=$(curl -s https://ipinfo.io/ip)
{{- end }}
{{- if .Values.externalAccess.autoDiscovery.enabled }}
export EXTERNAL_ACCESS_PORT="$(<${SHARED_FILE})"
{{- else }}
export EXTERNAL_ACCESS_PORT=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))")
{{- end }}
{{- end }}
# Configure Kafka advertised listeners
{{- if .Values.advertisedListeners }}
export KAFKA_CFG_ADVERTISED_LISTENERS={{ .Values.advertisedListeners }}
{{- else }}
export KAFKA_CFG_ADVERTISED_LISTENERS="INTERNAL://${MY_POD_NAME}.{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $interBrokerPort }},CLIENT://${MY_POD_NAME}.{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $clientPort }},EXTERNAL://${EXTERNAL_ACCESS_IP}:${EXTERNAL_ACCESS_PORT}"
{{- end }}
{{- end }}
{{- if (include "kafka.tlsEncryption" .) }}
if [[ -f "/certs/kafka.truststore.jks" ]] && [[ -f "/certs/kafka-${ID}.keystore.jks" ]]; then
mkdir -p /opt/bitnami/kafka/config/certs
cp "/certs/kafka.truststore.jks" "/opt/bitnami/kafka/config/certs/kafka.truststore.jks"
cp "/certs/kafka-${ID}.keystore.jks" "/opt/bitnami/kafka/config/certs/kafka.keystore.jks"
else
echo "Couldn't find the expected Java Key Stores (JKS) files! They are mandatory when encryption via TLS is enabled."
exit 1
fi
{{- end }}
exec /entrypoint.sh /run.sh

14
ee/scripts/helm/helm/databases/charts/kafka/templates/serviceaccount.yaml Executable file
View file

@ -0,0 +1,14 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kafka.serviceAccountName" . }}
labels: {{- include "kafka.labels" . | nindent 4 }}
app.kubernetes.io/component: kafka
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}

36
ee/scripts/helm/helm/databases/charts/kafka/templates/servicemonitor-jmx-metrics.yaml Executable file
View file

@ -0,0 +1,36 @@
{{- if and .Values.metrics.jmx.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "kafka.fullname" . }}-jmx-metrics
{{- if .Values.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
{{- end }}
labels: {{- include "kafka.labels" . | nindent 4 }}
app.kubernetes.io/component: kafka
{{- range $key, $value := .Values.metrics.serviceMonitor.selector }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels: {{- include "kafka.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: kafka
endpoints:
- port: http-metrics
path: "/"
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
{{- end }}

36
ee/scripts/helm/helm/databases/charts/kafka/templates/servicemonitor-metrics.yaml Executable file
View file

@ -0,0 +1,36 @@
{{- if and .Values.metrics.kafka.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "kafka.fullname" . }}-metrics
{{- if .Values.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
{{- end }}
labels: {{- include "kafka.labels" . | nindent 4 }}
app.kubernetes.io/component: metrics
{{- range $key, $value := .Values.metrics.serviceMonitor.selector }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels: {{- include "kafka.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: metrics
endpoints:
- port: http-metrics
path: "/metrics"
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
{{- end }}

435
ee/scripts/helm/helm/databases/charts/kafka/templates/statefulset.yaml Executable file
View file

@ -0,0 +1,435 @@
{{- $replicaCount := int .Values.replicaCount }}
{{- $fullname := include "kafka.fullname" . }}
{{- $releaseNamespace := .Release.Namespace }}
{{- $clusterDomain := .Values.clusterDomain }}
{{- $interBrokerPort := .Values.service.internalPort }}
{{- $clientPort := .Values.service.port }}
{{- $interBrokerProtocol := include "kafka.listenerType" ( dict "protocol" .Values.auth.interBrokerProtocol ) -}}
{{- $clientProtocol := include "kafka.listenerType" ( dict "protocol" .Values.auth.clientProtocol ) -}}
{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }}
{{- if not (and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.service.type "LoadBalancer")) }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "kafka.fullname" . }}
labels: {{- include "kafka.labels" . | nindent 4 }}
app.kubernetes.io/component: kafka
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podManagementPolicy: Parallel
replicas: {{ .Values.replicaCount }}
selector:
matchLabels: {{- include "kafka.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: kafka
serviceName: {{ template "kafka.fullname" . }}-headless
updateStrategy:
type: {{ .Values.updateStrategy | quote }}
{{- if (eq "OnDelete" .Values.updateStrategy) }}
rollingUpdate: null
{{- else if .Values.rollingUpdatePartition }}
rollingUpdate:
partition: {{ .Values.rollingUpdatePartition }}
{{- end }}
template:
metadata:
labels: {{- include "kafka.labels" . | nindent 8 }}
app.kubernetes.io/component: kafka
{{- if .Values.podLabels }}
{{- include "kafka.tplValue" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
{{- end }}
{{- if or (include "kafka.createConfigmap" .) (include "kafka.createJaasSecret" .) .Values.externalAccess.enabled (include "kafka.metrics.jmx.createConfigmap" .) .Values.podAnnotations }}
annotations:
{{- if (include "kafka.createConfigmap" .) }}
checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if (include "kafka.createJaasSecret" .) }}
checksum/secret: {{ include (print $.Template.BasePath "/jaas-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.externalAccess.enabled }}
checksum/scripts: {{ include (print $.Template.BasePath "/scripts-configmap.yaml") . | sha256sum }}
{{- end }}
{{- if (include "kafka.metrics.jmx.createConfigmap" .) }}
checksum/jmx-configuration: {{ include (print $.Template.BasePath "/jmx-configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- include "kafka.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- include "kafka.imagePullSecrets" . | indent 6 }}
{{- if .Values.affinity }}
affinity: {{- include "kafka.tplValue" ( dict "value" .Values.affinity "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{- include "kafka.tplValue" ( dict "value" .Values.nodeSelector "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- include "kafka.tplValue" ( dict "value" .Values.tolerations "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
{{- if .Values.serviceAccount.create }}
serviceAccountName: {{ template "kafka.serviceAccountName" . }}
{{- end }}
{{- if or (and .Values.volumePermissions.enabled .Values.persistence.enabled) (and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled) }}
initContainers:
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
- name: volume-permissions
image: {{ include "kafka.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
command:
- /bin/bash
args:
- -ec
- |
mkdir -p /bitnami/kafka
chown -R "{{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}" "/bitnami/kafka"
securityContext:
runAsUser: 0
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /bitnami/kafka
{{- end }}
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }}
- name: auto-discovery
image: {{ include "kafka.externalAccess.autoDiscovery.image" . }}
imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }}
command:
- /scripts/auto-discovery.sh
env:
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: SHARED_FILE
value: "/shared/info.txt"
{{- if .Values.externalAccess.autoDiscovery.resources }}
resources: {{- toYaml .Values.externalAccess.autoDiscovery.resources | nindent 12 }}
{{- end }}
volumeMounts:
- name: shared
mountPath: /shared
- name: scripts
mountPath: /scripts/auto-discovery.sh
subPath: auto-discovery.sh
{{- end }}
{{- end }}
containers:
- name: kafka
image: {{ include "kafka.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
command: {{- include "kafka.tplValue" (dict "value" .Values.command "context" $) | nindent 12 }}
{{- if .Values.args }}
args: {{- include "kafka.tplValue" (dict "value" .Values.args "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
- name: MY_POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KAFKA_CFG_ZOOKEEPER_CONNECT
{{- if .Values.zookeeper.enabled }}
value: {{ include "kafka.zookeeper.fullname" . | quote }}
{{- else }}
value: {{ join "," .Values.externalZookeeper.servers | quote }}
{{- end }}
- name: KAFKA_INTER_BROKER_LISTENER_NAME
value: {{ .Values.interBrokerListenerName | quote }}
- name: KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP
{{- if .Values.listenerSecurityProtocolMap }}
value: {{ .Values.listenerSecurityProtocolMap | quote }}
{{- else if .Values.externalAccess.enabled }}
value: "INTERNAL:{{ $interBrokerProtocol }},CLIENT:{{ $clientProtocol }},EXTERNAL:{{ $clientProtocol }}"
{{- else }}
value: "INTERNAL:{{ $interBrokerProtocol }},CLIENT:{{ $clientProtocol }}"
{{- end }}
{{- if or ($clientProtocol | regexFind "SASL") ($interBrokerProtocol | regexFind "SASL") .Values.auth.jaas.zookeeperUser }}
- name: KAFKA_CFG_SASL_ENABLED_MECHANISMS
value: {{ include "kafka.auth.saslMechanisms" ( dict "type" .Values.auth.saslMechanisms ) }}
- name: KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL
value: {{ upper .Values.auth.saslInterBrokerMechanism | quote }}
{{- end }}
- name: KAFKA_CFG_LISTENERS
{{- if .Values.listeners }}
value: {{ .Values.listeners }}
{{- else if .Values.externalAccess.enabled }}
value: "INTERNAL://:{{ $interBrokerPort }},CLIENT://:9092,EXTERNAL://:9094"
{{- else }}
value: "INTERNAL://:{{ $interBrokerPort }},CLIENT://:9092"
{{- end }}
{{- if .Values.externalAccess.enabled }}
{{- if .Values.externalAccess.autoDiscovery.enabled }}
- name: SHARED_FILE
value: "/shared/info.txt"
{{- end }}
{{- else }}
- name: KAFKA_CFG_ADVERTISED_LISTENERS
{{- if .Values.advertisedListeners }}
value: {{ .Values.advertisedListeners }}
{{- else }}
value: "INTERNAL://$(MY_POD_NAME).{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $interBrokerPort }},CLIENT://$(MY_POD_NAME).{{ $fullname }}-headless.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $clientPort }}"
{{- end }}
{{- end }}
- name: ALLOW_PLAINTEXT_LISTENER
value: {{ ternary "yes" "no" (or .Values.auth.enabled .Values.allowPlaintextListener) | quote }}
{{- if or (include "kafka.client.saslAuthentication" .) (include "kafka.interBroker.saslAuthentication" .) }}
- name: KAFKA_OPTS
value: "-Djava.security.auth.login.config=/opt/bitnami/kafka/config/kafka_jaas.conf"
{{- if (include "kafka.client.saslAuthentication" .) }}
- name: KAFKA_CLIENT_USERS
value: {{ join "," .Values.auth.jaas.clientUsers | quote }}
- name: KAFKA_CLIENT_PASSWORDS
valueFrom:
secretKeyRef:
name: {{ include "kafka.jaasSecretName" . }}
key: client-passwords
{{- end }}
{{- if .Values.auth.jaas.zookeeperUser }}
- name: KAFKA_ZOOKEEPER_PROTOCOL
value: "SASL"
- name: KAFKA_ZOOKEEPER_USER
value: {{ .Values.auth.jaas.zookeeperUser | quote }}
- name: KAFKA_ZOOKEEPER_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "kafka.jaasSecretName" . }}
key: zookeeper-password
{{- end }}
{{- if (include "kafka.interBroker.saslAuthentication" .) }}
- name: KAFKA_INTER_BROKER_USER
value: {{ .Values.auth.jaas.interBrokerUser | quote }}
- name: KAFKA_INTER_BROKER_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "kafka.jaasSecretName" . }}
key: inter-broker-password
{{- end }}
{{- end }}
{{- if (include "kafka.tlsEncryption" .) }}
- name: KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM
value: {{ .Values.auth.tlsEndpointIdentificationAlgorithm | quote }}
{{- if .Values.auth.jksPassword }}
- name: KAFKA_CERTIFICATE_PASSWORD
value: {{ .Values.auth.jksPassword | quote }}
{{- end }}
{{- end }}
{{- if .Values.metrics.jmx.enabled }}
- name: JMX_PORT
value: "5555"
{{- end }}
- name: KAFKA_CFG_DELETE_TOPIC_ENABLE
value: {{ .Values.deleteTopicEnable | quote }}
- name: KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE
value: {{ .Values.autoCreateTopicsEnable | quote }}
- name: KAFKA_HEAP_OPTS
value: {{ .Values.heapOpts | quote }}
- name: KAFKA_CFG_LOG_FLUSH_INTERVAL_MESSAGES
value: {{ .Values.logFlushIntervalMessages | quote }}
- name: KAFKA_CFG_LOG_FLUSH_INTERVAL_MS
value: {{ .Values.logFlushIntervalMs | quote }}
- name: KAFKA_CFG_LOG_RETENTION_BYTES
value: {{ .Values.logRetentionBytes | replace "_" "" | quote }}
- name: KAFKA_CFG_LOG_RETENTION_CHECK_INTERVALS_MS
value: {{ .Values.logRetentionCheckIntervalMs | quote }}
- name: KAFKA_CFG_LOG_RETENTION_HOURS
value: {{ .Values.logRetentionHours | quote }}
- name: KAFKA_CFG_MESSAGE_MAX_BYTES
value: {{ .Values.maxMessageBytes | replace "_" "" | quote }}
- name: KAFKA_CFG_LOG_SEGMENT_BYTES
value: {{ .Values.logSegmentBytes | replace "_" "" | quote }}
- name: KAFKA_CFG_LOG_DIRS
value: {{ .Values.logsDirs | quote }}
- name: KAFKA_CFG_DEFAULT_REPLICATION_FACTOR
value: {{ .Values.defaultReplicationFactor | quote }}
- name: KAFKA_CFG_OFFSETS_TOPIC_REPLICATION_FACTOR
value: {{ .Values.offsetsTopicReplicationFactor | quote }}
- name: KAFKA_CFG_TRANSACTION_STATE_LOG_REPLICATION_FACTOR
value: {{ .Values.transactionStateLogReplicationFactor | quote }}
- name: KAFKA_CFG_TRANSACTION_STATE_LOG_MIN_ISR
value: {{ .Values.transactionStateLogMinIsr | quote }}
- name: KAFKA_CFG_NUM_IO_THREADS
value: {{ .Values.numIoThreads | quote }}
- name: KAFKA_CFG_NUM_NETWORK_THREADS
value: {{ .Values.numNetworkThreads | quote }}
- name: KAFKA_CFG_NUM_PARTITIONS
value: {{ .Values.numPartitions | quote }}
- name: KAFKA_CFG_NUM_RECOVERY_THREADS_PER_DATA_DIR
value: {{ .Values.numRecoveryThreadsPerDataDir | quote }}
- name: KAFKA_CFG_SOCKET_RECEIVE_BUFFER_BYTES
value: {{ .Values.socketReceiveBufferBytes | quote }}
- name: KAFKA_CFG_SOCKET_REQUEST_MAX_BYTES
value: {{ .Values.socketRequestMaxBytes | replace "_" "" | quote }}
- name: KAFKA_CFG_SOCKET_SEND_BUFFER_BYTES
value: {{ .Values.socketSendBufferBytes | quote }}
- name: KAFKA_CFG_ZOOKEEPER_CONNECTION_TIMEOUT_MS
value: {{ .Values.zookeeperConnectionTimeoutMs | quote }}
{{- if .Values.extraEnvVars }}
{{ include "kafka.tplValue" ( dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
ports:
- name: kafka-client
containerPort: 9092
- name: kafka-internal
containerPort: {{ $interBrokerPort }}
{{- if .Values.externalAccess.enabled }}
- name: kafka-external
containerPort: 9094
{{- end }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
tcpSocket:
port: kafka-client
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
{{- else if .Values.customLivenessProbe }}
livenessProbe: {{- include "kafka.tplValue" (dict "value" .Values.customlivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
tcpSocket:
port: kafka-client
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
{{- else if .Values.customReadinessProbe }}
readinessProbe: {{- include "kafka.tplValue" (dict "value" .Values.customreadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /bitnami/kafka
{{- if or .Values.config .Values.existingConfigmap }}
- name: kafka-config
mountPath: /bitnami/kafka/config/server.properties
subPath: server.properties
{{- end }}
{{- if or .Values.log4j .Values.existingLog4jConfigMap }}
- name: log4j-config
mountPath: /bitnami/kafka/config/log4j.properties
subPath: log4j.properties
{{- end }}
- name: scripts
mountPath: /scripts/setup.sh
subPath: setup.sh
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }}
- name: shared
mountPath: /shared
{{- end }}
{{- if (include "kafka.tlsEncryption" .) }}
- name: kafka-certificates
mountPath: /certs
readOnly: true
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.metrics.jmx.enabled }}
- name: jmx-exporter
image: {{ template "kafka.metrics.jmx.image" . }}
imagePullPolicy: {{ .Values.metrics.jmx.image.pullPolicy | quote }}
command:
- java
- -XX:+UnlockExperimentalVMOptions
- -XX:+UseCGroupMemoryLimitForHeap
- -XX:MaxRAMFraction=1
- -XshowSettings:vm
- -jar
- jmx_prometheus_httpserver.jar
- "5556"
- /etc/jmx-kafka/jmx-kafka-prometheus.yml
ports:
- name: metrics
containerPort: 5556
{{- if .Values.metrics.jmx.resources }}
resources: {{- toYaml .Values.metrics.jmx.resources | nindent 12 }}
{{- end }}
volumeMounts:
- name: jmx-config
mountPath: /etc/jmx-kafka
{{- end }}
{{- if .Values.sidecars }}
{{- include "kafka.tplValue" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
{{- if or .Values.config .Values.existingConfigmap }}
- name: kafka-config
configMap:
name: {{ include "kafka.configmapName" . }}
{{- end }}
{{- if or .Values.log4j .Values.existingLog4jConfigMap }}
- name: log4j-config
configMap:
name: {{ include "kafka.log4j.configMapName" . }}
{{ end }}
- name: scripts
configMap:
name: {{ include "kafka.fullname" . }}-scripts
defaultMode: 0755
{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }}
- name: shared
emptyDir: {}
{{- end }}
{{- if .Values.metrics.jmx.enabled }}
- name: jmx-config
configMap:
name: {{ include "kafka.metrics.jmx.configmapName" . }}
{{- end }}
{{- if (include "kafka.tlsEncryption" .) }}
- name: kafka-certificates
secret:
secretName: {{ include "kafka.jksSecretName" . }}
defaultMode: 256
{{- end }}
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
{{- if not .Values.persistence.enabled }}
- name: data
emptyDir: {}
{{- else if .Values.persistence.existingClaim }}
- name: data
persistentVolumeClaim:
claimName: {{ printf "%s" (tpl .Values.persistence.existingClaim .) }}
{{- else }}
volumeClaimTemplates:
- metadata:
name: data
{{- if .Values.persistence.annotations }}
annotations: {{- include "kafka.tplValue" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{ include "kafka.storageClass" . | nindent 8 }}
{{- end }}
{{- end }}

52
ee/scripts/helm/helm/databases/charts/kafka/templates/svc-external-access.yaml Executable file
View file

@ -0,0 +1,52 @@
{{- if .Values.externalAccess.enabled }}
{{- $fullName := include "kafka.fullname" . }}
{{- $replicaCount := .Values.replicaCount | int }}
{{- $root := . }}
{{- range $i, $e := until $replicaCount }}
{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ template "kafka.fullname" $ }}-{{ $i }}-external
labels: {{- include "kafka.labels" $ | nindent 4 }}
app.kubernetes.io/component: kafka
pod: {{ $targetPod }}
{{- if $root.Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" $root.Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or $root.Values.externalAccess.service.annotations $root.Values.commonAnnotations }}
annotations:
{{- if $root.Values.externalAccess.service.annotations }}
{{ include "kafka.tplValue" ( dict "value" $root.Values.externalAccess.service.annotations "context" $) | nindent 4 }}
{{- end }}
{{- if $root.Values.commonAnnotations }}
{{- include "kafka.tplValue" ( dict "value" $root.Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ $root.Values.externalAccess.service.type }}
{{- if eq $root.Values.externalAccess.service.type "LoadBalancer" }}
{{- if not (empty $root.Values.externalAccess.service.loadBalancerIPs) }}
loadBalancerIP: {{ index $root.Values.externalAccess.service.loadBalancerIPs $i }}
{{- end }}
{{- if $root.Values.externalAccess.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- end }}
ports:
- name: tcp-kafka
port: {{ $root.Values.externalAccess.service.port }}
{{- if not (empty $root.Values.externalAccess.service.nodePorts) }}
nodePort: {{ index $root.Values.externalAccess.service.nodePorts $i }}
{{- else }}
nodePort: null
{{- end }}
targetPort: kafka-external
selector: {{- include "kafka.matchLabels" $ | nindent 4 }}
app.kubernetes.io/component: kafka
statefulset.kubernetes.io/pod-name: {{ $targetPod }}
---
{{- end }}
{{- end }}

26
ee/scripts/helm/helm/databases/charts/kafka/templates/svc-headless.yaml Executable file
View file

@ -0,0 +1,26 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "kafka.fullname" . }}-headless
labels: {{- include "kafka.labels" . | nindent 4 }}
app.kubernetes.io/component: kafka
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
clusterIP: None
ports:
- name: tcp-client
port: {{ .Values.service.port }}
protocol: TCP
targetPort: kafka-client
- name: tcp-internal
port: {{ .Values.service.internalPort }}
protocol: TCP
targetPort: kafka-internal
selector: {{- include "kafka.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: kafka

49
ee/scripts/helm/helm/databases/charts/kafka/templates/svc.yaml Executable file
View file

@ -0,0 +1,49 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "kafka.fullname" . }}
labels: {{- include "kafka.labels" . | nindent 4 }}
app.kubernetes.io/component: kafka
{{- if .Values.commonLabels }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.service.annotations .Values.commonAnnotations }}
annotations:
{{- if .Values.service.annotations }}
{{ include "kafka.tplValue" ( dict "value" .Values.service.annotations "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "kafka.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if eq .Values.service.type "LoadBalancer" }}
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- end }}
ports:
- name: tcp-client
port: {{ .Values.service.port }}
protocol: TCP
targetPort: kafka-client
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.client)) }}
nodePort: {{ .Values.service.nodePorts.client }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if and .Values.externalAccess.enabled (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) }}
- name: tcp-external
port: {{ .Values.service.externalPort }}
protocol: TCP
targetPort: kafka-external
{{- if (not (empty .Values.service.nodePorts.external)) }}
nodePort: {{ .Values.service.nodePorts.external }}
{{- end }}
{{- end }}
selector: {{- include "kafka.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: kafka

931
ee/scripts/helm/helm/databases/charts/kafka/values-production.yaml Executable file
View file

@ -0,0 +1,931 @@
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
##
# global:
# imageRegistry: myRegistryName
# imagePullSecrets:
# - myRegistryKeySecretName
# storageClass: myStorageClass
## Bitnami Kafka image version
## ref: https://hub.docker.com/r/bitnami/kafka/tags/
##
image:
registry: docker.io
repository: bitnami/kafka
tag: 2.6.0-debian-10-r30
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Set to true if you would like to see extra information on logs
##
debug: false
## String to partially override kafka.fullname template (will maintain the release name)
##
# nameOverride:
## String to fully override kafka.fullname template
##
# fullnameOverride:
## Kubernetes Cluster Domain
##
clusterDomain: cluster.local
## Add labels to all the deployed resources
##
commonLabels: {}
## Add annotations to all the deployed resources
##
commonAnnotations: {}
## Kafka Configuration
## Specify content for server.properties
## The server.properties is auto-generated based on other parameters when this paremeter is not specified
##
## Example:
## config: |-
## broker.id=-1
## listeners=PLAINTEXT://:9092
## advertised.listeners=PLAINTEXT://KAFKA_IP:9092
## num.network.threads=3
## num.io.threads=8
## socket.send.buffer.bytes=102400
## socket.receive.buffer.bytes=102400
## socket.request.max.bytes=104857600
## log.dirs=/bitnami/kafka/data
## num.partitions=1
## num.recovery.threads.per.data.dir=1
## offsets.topic.replication.factor=1
## transaction.state.log.replication.factor=1
## transaction.state.log.min.isr=1
## log.flush.interval.messages=10000
## log.flush.interval.ms=1000
## log.retention.hours=168
## log.retention.bytes=1073741824
## log.segment.bytes=1073741824
## log.retention.check.interval.ms=300000
## zookeeper.connect=ZOOKEEPER_SERVICE_NAME
## zookeeper.connection.timeout.ms=6000
## group.initial.rebalance.delay.ms=0
##
# config:
## ConfigMap with Kafka Configuration
## NOTE: This will override config
##
# existingConfigmap:
## Kafka Log4J Configuration
## An optional log4j.properties file to overwrite the default of the Kafka brokers.
## See an example log4j.properties at:
## https://github.com/apache/kafka/blob/trunk/config/log4j.properties
##
# log4j:
## Kafka Log4j ConfigMap
## The name of an existing ConfigMap containing a log4j.properties file.
## NOTE: this will override log4j.
##
# existingLog4jConfigMap:
## Kafka's Java Heap size
##
heapOpts: -Xmx1024m -Xms1024m
## Switch to enable topic deletion or not.
##
deleteTopicEnable: false
## Switch to enable auto creation of topics.
## Enabling auto creation of topics not recommended for production or similar environments.
##
autoCreateTopicsEnable: false
## The number of messages to accept before forcing a flush of data to disk.
##
logFlushIntervalMessages: 10000
## The maximum amount of time a message can sit in a log before we force a flush.
##
logFlushIntervalMs: 1000
## A size-based retention policy for logs.
##
logRetentionBytes: _1073741824
## The interval at which log segments are checked to see if they can be deleted.
##
logRetentionCheckIntervalMs: 300000
## The minimum age of a log file to be eligible for deletion due to age.
##
logRetentionHours: 168
## The maximum size of a log segment file. When this size is reached a new log segment will be created.
##
logSegmentBytes: _1073741824
## A comma separated list of directories under which to store log files.
##
logsDirs: /bitnami/kafka/data
## The largest record batch size allowed by Kafka
##
maxMessageBytes: _1000012
## Default replication factors for automatically created topics
##
defaultReplicationFactor: 3
## The replication factor for the offsets topic
##
offsetsTopicReplicationFactor: 3
## The replication factor for the transaction topic
##
transactionStateLogReplicationFactor: 3
## Overridden min.insync.replicas config for the transaction topic
##
transactionStateLogMinIsr: 3
## The number of threads doing disk I/O.
##
numIoThreads: 8
## The number of threads handling network requests.
##
numNetworkThreads: 3
## The default number of log partitions per topic.
##
numPartitions: 1
## The number of threads per data directory to be used for log recovery at startup and flushing at shutdown.
##
numRecoveryThreadsPerDataDir: 1
## The receive buffer (SO_RCVBUF) used by the socket server.
##
socketReceiveBufferBytes: 102400
## The maximum size of a request that the socket server will accept (protection against OOM).
##
socketRequestMaxBytes: _104857600
## The send buffer (SO_SNDBUF) used by the socket server.
##
socketSendBufferBytes: 102400
## Timeout in ms for connecting to zookeeper.
##
zookeeperConnectionTimeoutMs: 6000
## Command and args for running the container. Use array form
##
command:
- /scripts/setup.sh
args:
## All the parameters from the configuration file can be overwritten by using environment variables with this format: KAFKA_CFG_{KEY}
## ref: https://github.com/bitnami/bitnami-docker-kafka#configuration
## Example:
## extraEnvVars:
## - name: KAFKA_CFG_BACKGROUND_THREADS
## value: "10"
##
extraEnvVars: []
## extraVolumes and extraVolumeMounts allows you to mount other volumes
## Examples:
# extraVolumes:
# - name: kafka-jaas
# secret:
# secretName: kafka-jaas
# extraVolumeMounts:
# - name: kafka-jaas
# mountPath: /bitnami/kafka/config/kafka_jaas.conf
# subPath: kafka_jaas.conf
extraVolumes: []
extraVolumeMounts: []
## Extra objects to deploy (value evaluated as a template)
##
extraDeploy: []
## Authentication parameteres
## https://github.com/bitnami/bitnami-docker-kafka#security
##
auth:
## Authentication protocol for client and inter-broker communications
## Supported values: 'plaintext', 'tls', 'mtls', 'sasl' and 'sasl_tls'
## This table shows the security provided on each protocol:
## | Method | Authentication | Encryption via TLS |
## | plaintext | None | No |
## | tls | None | Yes |
## | mtls | Yes (two-way authentication) | Yes |
## | sasl | Yes (via SASL) | No |
## | sasl_tls | Yes (via SASL) | Yes |
##
clientProtocol: sasl
interBrokerProtocol: sasl
## Allowed SASL mechanisms when clientProtocol or interBrokerProtocol are using either sasl or sasl_tls
##
saslMechanisms: plain,scram-sha-256,scram-sha-512
## SASL mechanism for inter broker communication
##
saslInterBrokerMechanism: plain
## Name of the existing secret containing the truststore and
## one keystore per Kafka broker you have in the Kafka cluster.
## MANDATORY when 'tls', 'mtls', or 'sasl_tls' authentication protocols are used.
## Create this secret following the steps below:
## 1) Generate your trustore and keystore files. Helpful script: https://raw.githubusercontent.com/confluentinc/confluent-platform-security-tools/master/kafka-generate-ssl.sh
## 2) Rename your truststore to `kafka.truststore.jks`.
## 3) Rename your keystores to `kafka-X.keystore.jks` where X is the ID of each Kafka broker.
## 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
## kubectl create secret generic SECRET_NAME --from-file=./kafka.truststore.jks --from-file=./kafka-0.keystore.jks --from-file=./kafka-1.keystore.jks ...
## Alternatively, you can put your JKS files under the files/jks directory
##
# jksSecret:
## Password to access the JKS files when they are password-protected.
##
# jksPassword:
## The endpoint identification algorithm used by clients to validate server host name.
## Disable server host name verification by setting it to an empty string
## See: https://docs.confluent.io/current/kafka/authentication_ssl.html#optional-settings
##
tlsEndpointIdentificationAlgorithm: https
## JAAS configuration for SASL authentication
## MANDATORY when method is 'sasl', or 'sasl_tls'
##
jaas:
## Kafka client user list
##
## clientUsers:
## - user1
## - user2
##
clientUsers:
- user
## Kafka client passwords
##
## clientPasswords:
## - password1
## - password2
##
clientPasswords: []
## Kafka inter broker communication user
##
interBrokerUser: admin
## Kafka inter broker communication password
##
interBrokerPassword: ""
## Kafka Zookeeper user
##
zookeeperUser: zookeeperUser
## Kafka Zookeeper password
##
zookeeperPassword: zookeeperPassword
## Name of the existing secret containing credentials for clientUsers, interBrokerUser and zookeeperUser.
## Create this secret running the command below where SECRET_NAME is the name of the secret you want to create:
## kubectl create secret generic SECRET_NAME --from-literal=client-password=CLIENT_PASSWORD1,CLIENT_PASSWORD2 --from-literal=inter-broker-password=INTER_BROKER_PASSWORD --from-literal=zookeeper-password=ZOOKEEPER_PASSWORD
##
# existingSecret:
## The address(es) the socket server listens on.
## When it's set to an empty array, the listeners will be configured
## based on the authentication protocols (auth.clientProtocol and auth.interBrokerProtocol parameters)
##
listeners: []
## The address(es) (hostname:port) the brokers will advertise to producers and consumers.
## When it's set to an empty array, the advertised listeners will be configured
## based on the authentication protocols (auth.clientProtocol and auth.interBrokerProtocol parameters)
##
advertisedListeners: []
## The listener->protocol mapping
## When it's nil, the listeners will be configured
## based on the authentication protocols (auth.clientProtocol and auth.interBrokerProtocol parameters)
##
# listenerSecurityProtocolMap:
## Allow to use the PLAINTEXT listener.
##
allowPlaintextListener: false
## Name of listener used for communication between brokers.
##
interBrokerListenerName: INTERNAL
## Number of Kafka brokers to deploy
##
replicaCount: 3
## StrategyType, can be set to RollingUpdate or OnDelete by default.
## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
##
updateStrategy: RollingUpdate
## Partition update strategy
## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
##
# rollingUpdatePartition:
## Pod labels. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
## Pod annotations. Evaluated as a template
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## Name of the priority class to be used by kafka pods, priority class needs to be created beforehand
## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
## Affinity for pod assignment. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## Node labels for pod assignment. Evaluated as a template
## ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## Tolerations for pod assignment. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## Kafka pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
##
podSecurityContext:
fsGroup: 1001
runAsUser: 1001
## Kafka containers' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## Example:
## containerSecurityContext:
## capabilities:
## drop: ["NET_RAW"]
## readOnlyRootFilesystem: true
##
containerSecurityContext: {}
## Kafka containers' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 250m
# memory: 1Gi
requests: {}
# cpu: 250m
# memory: 256Mi
## Kafka containers' liveness and readiness probes. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
livenessProbe:
tcpSocket:
port: kafka-client
initialDelaySeconds: 10
timeoutSeconds: 5
# failureThreshold: 3
# periodSeconds: 10
# successThreshold: 1
readinessProbe:
tcpSocket:
port: kafka-client
initialDelaySeconds: 5
failureThreshold: 6
timeoutSeconds: 5
# periodSeconds: 10
# successThreshold: 1
## Pod Disruption Budget configuration
## The PDB will only be created if replicaCount is greater than 1
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions
##
pdb:
create: true
## Min number of pods that must still be available after the eviction
##
# minAvailable: 1
## Max number of pods that can be unavailable after the eviction
##
maxUnavailable: 1
## Add sidecars to the pod.
## Example:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
sidecars: {}
## Service parameters
##
service:
## Service type
##
type: ClusterIP
## Kafka port for client connections
##
port: 9092
## Kafka port for inter-broker connections
##
internalPort: 9093
## Kafka port for external connections
##
externalPort: 9094
## Specify the nodePort value for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
nodePorts:
client: ""
external: ""
## Set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
# loadBalancerIP:
## Load Balancer sources
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## Example:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## Provide any additional annotations which may be required. Evaluated as a template
##
annotations: {}
## External Access to Kafka brokers configuration
##
externalAccess:
## Enable Kubernetes external cluster access to Kafka brokers
##
enabled: false
## External IPs auto-discovery configuration
## An init container is used to auto-detect LB IPs or node ports by querying the K8s API
## Note: RBAC might be required
##
autoDiscovery:
## Enable external IP/ports auto-discovery
##
enabled: false
## Bitnami Kubectl image
## ref: https://hub.docker.com/r/bitnami/kubectl/tags/
##
image:
registry: docker.io
repository: bitnami/kubectl
tag: 1.17.12-debian-10-r3
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Init Container resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 100m
# memory: 128Mi
requests: {}
# cpu: 100m
# memory: 128Mi
## Parameters to configure K8s service(s) used to externally access Kafka brokers
## A new service per broker will be created
##
service:
## Service type. Allowed values: LoadBalancer or NodePort
##
type: LoadBalancer
## Port used when service type is LoadBalancer
##
port: 9094
## Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount
## Example:
## loadBalancerIPs:
## - X.X.X.X
## - Y.Y.Y.Y
##
loadBalancerIPs: []
## Load Balancer sources
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## Example:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## Array of node ports used for each Kafka broker. Length must be the same as replicaCount
## Example:
## nodePorts:
## - 30001
## - 30002
##
nodePorts: []
## When service type is NodePort, you can specify the domain used for Kafka advertised listeners.
## If not specified, the container will try to get the kubernetes node external IP
##
# domain: mydomain.com
## Provide any additional annotations which may be required. Evaluated as a template
##
annotations: {}
## Persistence paramaters
##
persistence:
enabled: true
## A manually managed Persistent Volume and Claim
## If defined, PVC must be created manually before volume will be bound
## The value is evaluated as a template
##
# existingClaim:
## PV Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner.
##
# storageClass: "-"
## PV Access Mode
##
accessModes:
- ReadWriteOnce
## PVC size
##
size: 8Gi
## PVC annotations
##
annotations: {}
## Init Container paramaters
## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component
## values from the securityContext section of the component
##
volumePermissions:
enabled: false
## Bitnami Minideb image
## ref: https://hub.docker.com/r/bitnami/minideb/tags/
##
image:
registry: docker.io
repository: bitnami/minideb
tag: buster
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: Always
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Init Container resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 100m
# memory: 128Mi
requests: {}
# cpu: 100m
# memory: 128Mi
## Kafka pods ServiceAccount
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
## Specifies whether a ServiceAccount should be created
##
create: true
## The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the fluentd.fullname template
##
# name:
## Role Based Access
## ref: https://kubernetes.io/docs/admin/authorization/rbac/
##
rbac:
## Specifies whether RBAC rules should be created
## binding Kafka ServiceAccount to a role
## that allows Kafka pods querying the K8s API
##
create: false
## Prometheus Exporters / Metrics
##
metrics:
## Prometheus Kafka Exporter: exposes complimentary metrics to JMX Exporter
##
kafka:
enabled: true
## Bitnami Kafka exporter image
## ref: https://hub.docker.com/r/bitnami/kafka-exporter/tags/
##
image:
registry: docker.io
repository: bitnami/kafka-exporter
tag: 1.2.0-debian-10-r220
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Extra flags to be passed to Kafka exporter
## Example:
## extraFlags:
## tls.insecure-skip-tls-verify: ""
## web.telemetry-path: "/metrics"
##
extraFlags: {}
## Name of the existing secret containing the optional certificate and key files
## for Kafka Exporter client authentication
##
# certificatesSecret:
## Prometheus Kafka Exporter' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 100m
# memory: 128Mi
requests: {}
# cpu: 100m
# memory: 128Mi
## Service configuration
##
service:
## Kafka Exporter Service type
##
type: ClusterIP
## Kafka Exporter Prometheus port
##
port: 9308
## Specify the nodePort value for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
nodePort: ""
## Set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
# loadBalancerIP:
## Load Balancer sources
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## Example:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## Set the Cluster IP to use
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
##
# clusterIP: None
## Annotations for the Kafka Exporter Prometheus metrics service
##
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "{{ .Values.metrics.kafka.service.port }}"
prometheus.io/path: "/metrics"
## Prometheus JMX Exporter: exposes the majority of Kafkas metrics
##
jmx:
enabled: true
## Bitnami JMX exporter image
## ref: https://hub.docker.com/r/bitnami/jmx-exporter/tags/
##
image:
registry: docker.io
repository: bitnami/jmx-exporter
tag: 0.14.0-debian-10-r15
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Prometheus JMX Exporter' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 100m
# memory: 128Mi
requests: {}
# cpu: 100m
# memory: 128Mi
## Service configuration
##
service:
## JMX Exporter Service type
##
type: ClusterIP
## JMX Exporter Prometheus port
##
port: 5556
## Specify the nodePort value for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
nodePort: ""
## Set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
# loadBalancerIP:
## Load Balancer sources
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## Example:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## Set the Cluster IP to use
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
##
# clusterIP: None
## Annotations for the JMX Exporter Prometheus metrics service
##
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "{{ .Values.metrics.jmx.service.port }}"
prometheus.io/path: "/"
## JMX Whitelist Objects, can be set to control which JMX metrics are exposed. Only whitelisted
## values will be exposed via JMX Exporter. They must also be exposed via Rules. To expose all metrics
## (warning its crazy excessive and they aren't formatted in a prometheus style) (1) `whitelistObjectNames: []`
## (2) commented out above `overrideConfig`.
##
whitelistObjectNames:
- kafka.controller:*
- kafka.server:*
- java.lang:*
- kafka.network:*
- kafka.log:*
## Prometheus JMX exporter configuration
## Specify content for jmx-kafka-prometheus.yml. Evaluated as a template
##
## Credits to the incubator/kafka chart for the JMX configuration.
## https://github.com/helm/charts/tree/master/incubator/kafka
##
config: |-
jmxUrl: service:jmx:rmi:///jndi/rmi://127.0.0.1:5555/jmxrmi
lowercaseOutputName: true
lowercaseOutputLabelNames: true
ssl: false
{{- if .Values.metrics.jmx.whitelistObjectNames }}
whitelistObjectNames: ["{{ join "\",\"" .Values.metrics.jmx.whitelistObjectNames }}"]
{{- end }}
## ConfigMap with Prometheus JMX exporter configuration
## NOTE: This will override metrics.jmx.config
##
# existingConfigmap:
## Prometheus Operator ServiceMonitor configuration
##
serviceMonitor:
enabled: false
## Namespace in which Prometheus is running
##
# namespace: monitoring
## Interval at which metrics should be scraped.
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
# interval: 10s
## Timeout after which the scrape is ended
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
# scrapeTimeout: 10s
## ServiceMonitor selector labels
## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
##
# selector:
# prometheus: my-prometheus
##
## Zookeeper chart configuration
##
## https://github.com/bitnami/charts/blob/master/bitnami/zookeeper/values.yaml
##
zookeeper:
enabled: true
auth:
## Enable Zookeeper auth
##
enabled: true
## User that will use Zookeeper clients to auth
##
clientUser: zookeeperUser
## Password that will use Zookeeper clients to auth
##
clientPassword: zookeeperPassword
## Comma, semicolon or whitespace separated list of user to be created. Specify them as a string, for example: "user1,user2,admin"
##
serverUsers: zookeeperUser
## Comma, semicolon or whitespace separated list of passwords to assign to users when created. Specify them as a string, for example: "pass4user1, pass4user2, pass4admin"
##
serverPasswords: zookeeperPassword
metrics:
enabled: true
## This value is only used when zookeeper.enabled is set to false
##
externalZookeeper:
## Server or list of external zookeeper servers to use.
##
servers: []

934
ee/scripts/helm/helm/databases/charts/kafka/values.yaml Executable file
View file

@ -0,0 +1,934 @@
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
##
# global:
# imageRegistry: myRegistryName
# imagePullSecrets:
# - myRegistryKeySecretName
# storageClass: myStorageClass
## Bitnami Kafka image version
## ref: https://hub.docker.com/r/bitnami/kafka/tags/
##
image:
registry: docker.io
repository: bitnami/kafka
tag: 2.6.0-debian-10-r30
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Set to true if you would like to see extra information on logs
##
debug: false
## String to partially override kafka.fullname template (will maintain the release name)
##
# nameOverride:
## String to fully override kafka.fullname template
##
# fullnameOverride:
## Kubernetes Cluster Domain
##
clusterDomain: cluster.local
## Add labels to all the deployed resources
##
commonLabels: {}
## Add annotations to all the deployed resources
##
commonAnnotations: {}
## Kafka Configuration
## Specify content for server.properties
## The server.properties is auto-generated based on other parameters when this paremeter is not specified
##
## Example:
## config: |-
## broker.id=-1
## listeners=PLAINTEXT://:9092
## advertised.listeners=PLAINTEXT://KAFKA_IP:9092
## num.network.threads=3
## num.io.threads=8
## socket.send.buffer.bytes=102400
## socket.receive.buffer.bytes=102400
## socket.request.max.bytes=104857600
## log.dirs=/bitnami/kafka/data
## num.partitions=1
## num.recovery.threads.per.data.dir=1
## offsets.topic.replication.factor=1
## transaction.state.log.replication.factor=1
## transaction.state.log.min.isr=1
## log.flush.interval.messages=10000
## log.flush.interval.ms=1000
## log.retention.hours=168
## log.retention.bytes=1073741824
## log.segment.bytes=1073741824
## log.retention.check.interval.ms=300000
## zookeeper.connect=ZOOKEEPER_SERVICE_NAME
## zookeeper.connection.timeout.ms=6000
## group.initial.rebalance.delay.ms=0
##
# config:
## ConfigMap with Kafka Configuration
## NOTE: This will override config
##
# existingConfigmap:
## Kafka Log4J Configuration
## An optional log4j.properties file to overwrite the default of the Kafka brokers.
## See an example log4j.properties at:
## https://github.com/apache/kafka/blob/trunk/config/log4j.properties
##
# log4j:
## Kafka Log4j ConfigMap
## The name of an existing ConfigMap containing a log4j.properties file.
## NOTE: this will override log4j.
##
# existingLog4jConfigMap:
## Kafka's Java Heap size
##
heapOpts: -Xmx1024m -Xms1024m
## Switch to enable topic deletion or not.
##
deleteTopicEnable: false
## Switch to enable auto creation of topics.
## Enabling auto creation of topics not recommended for production or similar environments.
##
autoCreateTopicsEnable: true
## The number of messages to accept before forcing a flush of data to disk.
##
logFlushIntervalMessages: 10000
## The maximum amount of time a message can sit in a log before we force a flush.
##
logFlushIntervalMs: 1000
## A size-based retention policy for logs.
##
logRetentionBytes: _1073741824
## The interval at which log segments are checked to see if they can be deleted.
##
logRetentionCheckIntervalMs: 300000
## The minimum age of a log file to be eligible for deletion due to age.
##
logRetentionHours: 168
## The maximum size of a log segment file. When this size is reached a new log segment will be created.
##
logSegmentBytes: _1073741824
## A comma separated list of directories under which to store log files.
##
logsDirs: /bitnami/kafka/data
## The largest record batch size allowed by Kafka
##
maxMessageBytes: _1000012
## Default replication factors for automatically created topics
##
defaultReplicationFactor: 1
## The replication factor for the offsets topic
##
offsetsTopicReplicationFactor: 1
## The replication factor for the transaction topic
##
transactionStateLogReplicationFactor: 1
## Overridden min.insync.replicas config for the transaction topic
##
transactionStateLogMinIsr: 1
## The number of threads doing disk I/O.
##
numIoThreads: 8
## The number of threads handling network requests.
##
numNetworkThreads: 3
## The default number of log partitions per topic.
##
numPartitions: 1
## The number of threads per data directory to be used for log recovery at startup and flushing at shutdown.
##
numRecoveryThreadsPerDataDir: 1
## The receive buffer (SO_RCVBUF) used by the socket server.
##
socketReceiveBufferBytes: 102400
## The maximum size of a request that the socket server will accept (protection against OOM).
##
socketRequestMaxBytes: _104857600
## The send buffer (SO_SNDBUF) used by the socket server.
##
socketSendBufferBytes: 102400
## Timeout in ms for connecting to zookeeper.
##
zookeeperConnectionTimeoutMs: 6000
## Command and args for running the container. Use array form
##
command:
- /scripts/setup.sh
args:
## All the parameters from the configuration file can be overwritten by using environment variables with this format: KAFKA_CFG_{KEY}
## ref: https://github.com/bitnami/bitnami-docker-kafka#configuration
## Example:
## extraEnvVars:
## - name: KAFKA_CFG_BACKGROUND_THREADS
## value: "10"
##
extraEnvVars: []
## extraVolumes and extraVolumeMounts allows you to mount other volumes
## Examples:
# extraVolumes:
# - name: kafka-jaas
# secret:
# secretName: kafka-jaas
# extraVolumeMounts:
# - name: kafka-jaas
# mountPath: /bitnami/kafka/config/kafka_jaas.conf
# subPath: kafka_jaas.conf
extraVolumes: []
extraVolumeMounts: []
## Extra objects to deploy (value evaluated as a template)
##
extraDeploy: []
## Authentication parameteres
## https://github.com/bitnami/bitnami-docker-kafka#security
##
auth:
## Authentication protocol for client and inter-broker communications
## Supported values: 'plaintext', 'tls', 'mtls', 'sasl' and 'sasl_tls'
## This table shows the security provided on each protocol:
## | Method | Authentication | Encryption via TLS |
## | plaintext | None | No |
## | tls | None | Yes |
## | mtls | Yes (two-way authentication) | Yes |
## | sasl | Yes (via SASL) | No |
## | sasl_tls | Yes (via SASL) | Yes |
##
clientProtocol: plaintext
interBrokerProtocol: plaintext
## Allowed SASL mechanisms when clientProtocol or interBrokerProtocol are using either sasl or sasl_tls
##
saslMechanisms: plain,scram-sha-256,scram-sha-512
## SASL mechanism for inter broker communication
##
saslInterBrokerMechanism: plain
## Name of the existing secret containing the truststore and
## one keystore per Kafka broker you have in the Kafka cluster.
## MANDATORY when 'tls', 'mtls', or 'sasl_tls' authentication protocols are used.
## Create this secret following the steps below:
## 1) Generate your trustore and keystore files. Helpful script: https://raw.githubusercontent.com/confluentinc/confluent-platform-security-tools/master/kafka-generate-ssl.sh
## 2) Rename your truststore to `kafka.truststore.jks`.
## 3) Rename your keystores to `kafka-X.keystore.jks` where X is the ID of each Kafka broker.
## 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
## kubectl create secret generic SECRET_NAME --from-file=./kafka.truststore.jks --from-file=./kafka-0.keystore.jks --from-file=./kafka-1.keystore.jks ...
## Alternatively, you can put your JKS files under the files/jks directory
##
# jksSecret:
## Password to access the JKS files when they are password-protected.
##
# jksPassword:
## The endpoint identification algorithm used by clients to validate server host name.
## Disable server host name verification by setting it to an empty string
## See: https://docs.confluent.io/current/kafka/authentication_ssl.html#optional-settings
##
tlsEndpointIdentificationAlgorithm: https
## JAAS configuration for SASL authentication
## MANDATORY when method is 'sasl', or 'sasl_tls'
##
jaas:
## Kafka client user list
##
## clientUsers:
## - user1
## - user2
##
clientUsers:
- user
## Kafka client passwords. This is mandatory if more than one user is specified in clientUsers.
##
## clientPasswords:
## - password1
## - password2"
##
clientPasswords: []
## Kafka inter broker communication user
##
interBrokerUser: admin
## Kafka inter broker communication password
##
interBrokerPassword: ""
## Kafka Zookeeper user
##
# zookeeperUser:
## Kafka Zookeeper password
##
# zookeeperPassword:
## Name of the existing secret containing credentials for clientUsers, interBrokerUser and zookeeperUser.
## Create this secret running the command below where SECRET_NAME is the name of the secret you want to create:
## kubectl create secret generic SECRET_NAME --from-literal=client-passwords=CLIENT_PASSWORD1,CLIENT_PASSWORD2 --from-literal=inter-broker-password=INTER_BROKER_PASSWORD --from-literal=zookeeper-password=ZOOKEEPER_PASSWORD
##
# existingSecret:
## The address(es) the socket server listens on.
## When it's set to an empty array, the listeners will be configured
## based on the authentication protocols (auth.clientProtocol and auth.interBrokerProtocol parameters)
##
listeners: []
## The address(es) (hostname:port) the brokers will advertise to producers and consumers.
## When it's set to an empty array, the advertised listeners will be configured
## based on the authentication protocols (auth.clientProtocol and auth.interBrokerProtocol parameters)
##
advertisedListeners: []
## The listener->protocol mapping
## When it's nil, the listeners will be configured
## based on the authentication protocols (auth.clientProtocol and auth.interBrokerProtocol parameters)
##
# listenerSecurityProtocolMap:
## Allow to use the PLAINTEXT listener.
##
allowPlaintextListener: true
## Name of listener used for communication between brokers.
##
interBrokerListenerName: INTERNAL
## Number of Kafka brokers to deploy
##
replicaCount: 2
## StrategyType, can be set to RollingUpdate or OnDelete by default.
## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
##
updateStrategy: RollingUpdate
## Partition update strategy
## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
##
# rollingUpdatePartition:
## Pod labels. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## Pod annotations. Evaluated as a template
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## Name of the priority class to be used by kafka pods, priority class needs to be created beforehand
## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
priorityClassName: ""
## Affinity for pod assignment. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## Node labels for pod assignment. Evaluated as a template
## ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## Tolerations for pod assignment. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## Kafka pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
##
podSecurityContext:
fsGroup: 1001
runAsUser: 1001
## Kafka containers' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## Example:
## containerSecurityContext:
## capabilities:
## drop: ["NET_RAW"]
## readOnlyRootFilesystem: true
##
containerSecurityContext: {}
## Kafka containers' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 250m
# memory: 1Gi
requests: {}
# cpu: 250m
# memory: 256Mi
## Kafka containers' liveness and readiness probes. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
livenessProbe:
enabled: true
initialDelaySeconds: 10
timeoutSeconds: 5
# failureThreshold: 3
# periodSeconds: 10
# successThreshold: 1
readinessProbe:
enabled: true
initialDelaySeconds: 5
failureThreshold: 6
timeoutSeconds: 5
# periodSeconds: 10
# successThreshold: 1
## Custom liveness/readiness probes that will override the default ones
##
customLivenessProbe: {}
customReadinessProbe: {}
## Pod Disruption Budget configuration
## The PDB will only be created if replicaCount is greater than 1
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions
##
pdb:
create: true
## Min number of pods that must still be available after the eviction
##
# minAvailable: 1
## Max number of pods that can be unavailable after the eviction
##
maxUnavailable: 1
## Add sidecars to the pod.
## Example:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
sidecars: {}
## Service parameters
##
service:
## Service type
##
type: ClusterIP
## Kafka port for client connections
##
port: 9092
## Kafka port for inter-broker connections
##
internalPort: 9093
## Kafka port for external connections
##
externalPort: 9094
## Specify the nodePort value for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
nodePorts:
client: ""
external: ""
## Set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
# loadBalancerIP:
## Load Balancer sources
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## Example:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## Provide any additional annotations which may be required. Evaluated as a template
##
annotations: {}
## External Access to Kafka brokers configuration
##
externalAccess:
## Enable Kubernetes external cluster access to Kafka brokers
##
enabled: false
## External IPs auto-discovery configuration
## An init container is used to auto-detect LB IPs or node ports by querying the K8s API
## Note: RBAC might be required
##
autoDiscovery:
## Enable external IP/ports auto-discovery
##
enabled: false
## Bitnami Kubectl image
## ref: https://hub.docker.com/r/bitnami/kubectl/tags/
##
image:
registry: docker.io
repository: bitnami/kubectl
tag: 1.17.12-debian-10-r3
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Init Container resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 100m
# memory: 128Mi
requests: {}
# cpu: 100m
# memory: 128Mi
## Parameters to configure K8s service(s) used to externally access Kafka brokers
## A new service per broker will be created
##
service:
## Service type. Allowed values: LoadBalancer or NodePort
##
type: LoadBalancer
## Port used when service type is LoadBalancer
##
port: 9094
## Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount
## Example:
## loadBalancerIPs:
## - X.X.X.X
## - Y.Y.Y.Y
##
loadBalancerIPs: []
## Load Balancer sources
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## Example:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## Array of node ports used for each Kafka broker. Length must be the same as replicaCount
## Example:
## nodePorts:
## - 30001
## - 30002
##
nodePorts: []
## When service type is NodePort, you can specify the domain used for Kafka advertised listeners.
## If not specified, the container will try to get the kubernetes node external IP
##
# domain: mydomain.com
## Provide any additional annotations which may be required. Evaluated as a template
##
annotations: {}
## Persistence paramaters
##
persistence:
enabled: true
## A manually managed Persistent Volume and Claim
## If defined, PVC must be created manually before volume will be bound
## The value is evaluated as a template
##
# existingClaim:
## PV Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner.
##
# storageClass: "-"
## PV Access Mode
##
accessModes:
- ReadWriteOnce
## PVC size
##
size: 8Gi
## PVC annotations
##
annotations: {}
## Init Container paramaters
## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component
## values from the securityContext section of the component
##
volumePermissions:
enabled: false
## Bitnami Minideb image
## ref: https://hub.docker.com/r/bitnami/minideb/tags/
##
image:
registry: docker.io
repository: bitnami/minideb
tag: buster
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: Always
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Init Container resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 100m
# memory: 128Mi
requests: {}
# cpu: 100m
# memory: 128Mi
## Kafka pods ServiceAccount
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
## Specifies whether a ServiceAccount should be created
##
create: true
## The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the fluentd.fullname template
##
# name:
## Role Based Access
## ref: https://kubernetes.io/docs/admin/authorization/rbac/
##
rbac:
## Specifies whether RBAC rules should be created
## binding Kafka ServiceAccount to a role
## that allows Kafka pods querying the K8s API
##
create: false
## Prometheus Exporters / Metrics
##
metrics:
## Prometheus Kafka Exporter: exposes complimentary metrics to JMX Exporter
##
kafka:
enabled: false
## Bitnami Kafka exporter image
## ref: https://hub.docker.com/r/bitnami/kafka-exporter/tags/
##
image:
registry: docker.io
repository: bitnami/kafka-exporter
tag: 1.2.0-debian-10-r220
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Extra flags to be passed to Kafka exporter
## Example:
## extraFlags:
## tls.insecure-skip-tls-verify: ""
## web.telemetry-path: "/metrics"
##
extraFlags: {}
## Name of the existing secret containing the optional certificate and key files
## for Kafka Exporter client authentication
##
# certificatesSecret:
## Prometheus Kafka Exporter' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 100m
# memory: 128Mi
requests: {}
# cpu: 100m
# memory: 128Mi
## Service configuration
##
service:
## Kafka Exporter Service type
##
type: ClusterIP
## Kafka Exporter Prometheus port
##
port: 9308
## Specify the nodePort value for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
nodePort: ""
## Set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
# loadBalancerIP:
## Load Balancer sources
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## Example:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## Set the Cluster IP to use
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
##
# clusterIP: None
## Annotations for the Kafka Exporter Prometheus metrics service
##
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "{{ .Values.metrics.kafka.service.port }}"
prometheus.io/path: "/metrics"
## Prometheus JMX Exporter: exposes the majority of Kafkas metrics
##
jmx:
enabled: false
## Bitnami JMX exporter image
## ref: https://hub.docker.com/r/bitnami/jmx-exporter/tags/
##
image:
registry: docker.io
repository: bitnami/jmx-exporter
tag: 0.14.0-debian-10-r15
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Prometheus JMX Exporter' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 100m
# memory: 128Mi
requests: {}
# cpu: 100m
# memory: 128Mi
## Service configuration
##
service:
## JMX Exporter Service type
##
type: ClusterIP
## JMX Exporter Prometheus port
##
port: 5556
## Specify the nodePort value for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
nodePort: ""
## Set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
# loadBalancerIP:
## Load Balancer sources
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## Example:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## Set the Cluster IP to use
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
##
# clusterIP: None
## Annotations for the JMX Exporter Prometheus metrics service
##
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "{{ .Values.metrics.jmx.service.port }}"
prometheus.io/path: "/"
## JMX Whitelist Objects, can be set to control which JMX metrics are exposed. Only whitelisted
## values will be exposed via JMX Exporter. They must also be exposed via Rules. To expose all metrics
## (warning its crazy excessive and they aren't formatted in a prometheus style) (1) `whitelistObjectNames: []`
## (2) commented out above `overrideConfig`.
##
whitelistObjectNames:
- kafka.controller:*
- kafka.server:*
- java.lang:*
- kafka.network:*
- kafka.log:*
## Prometheus JMX exporter configuration
## Specify content for jmx-kafka-prometheus.yml. Evaluated as a template
##
## Credits to the incubator/kafka chart for the JMX configuration.
## https://github.com/helm/charts/tree/master/incubator/kafka
##
config: |-
jmxUrl: service:jmx:rmi:///jndi/rmi://127.0.0.1:5555/jmxrmi
lowercaseOutputName: true
lowercaseOutputLabelNames: true
ssl: false
{{- if .Values.metrics.jmx.whitelistObjectNames }}
whitelistObjectNames: ["{{ join "\",\"" .Values.metrics.jmx.whitelistObjectNames }}"]
{{- end }}
## ConfigMap with Prometheus JMX exporter configuration
## NOTE: This will override metrics.jmx.config
##
# existingConfigmap:
## Prometheus Operator ServiceMonitor configuration
##
serviceMonitor:
enabled: false
## Namespace in which Prometheus is running
##
# namespace: monitoring
## Interval at which metrics should be scraped.
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
# interval: 10s
## Timeout after which the scrape is ended
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
# scrapeTimeout: 10s
## ServiceMonitor selector labels
## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
##
# selector:
# prometheus: my-prometheus
##
## Zookeeper chart configuration
##
## https://github.com/bitnami/charts/blob/master/bitnami/zookeeper/values.yaml
##
zookeeper:
enabled: true
auth:
## Enable Zookeeper auth
##
enabled: false
## User that will use Zookeeper clients to auth
##
# clientUser:
## Password that will use Zookeeper clients to auth
##
# clientPassword:
## Comma, semicolon or whitespace separated list of user to be created. Specify them as a string, for example: "user1,user2,admin"
##
# serverUsers:
## Comma, semicolon or whitespace separated list of passwords to assign to users when created. Specify them as a string, for example: "pass4user1, pass4user2, pass4admin"
##
# serverPasswords:
## This value is only used when zookeeper.enabled is set to false
##
externalZookeeper:
## Server or list of external zookeeper servers to use.
##
servers: []

9
scripts/helm/helm/README.md Normal file
View file

@ -0,0 +1,9 @@
- Initialize databases
- we've to pass the --wait flag, else the db installation won't be complete. and it'll break the db init.
- collate all dbs required
- How to distinguish b/w enterprise and community
- Or fist only community then enterprise
- install db migration
- have to have another helm chart with low hook value for higher prioriry
- install app
- customize values.yaml file

23
scripts/helm/helm/databases/.helmignore Normal file
View file

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

24
scripts/helm/helm/databases/Chart.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion: v2
name: databases
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"

21
scripts/helm/helm/databases/charts/minio/.helmignore Executable file
View file

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

24
scripts/helm/helm/databases/charts/minio/Chart.yaml Executable file
View file

@ -0,0 +1,24 @@
annotations:
category: Infrastructure
apiVersion: v1
appVersion: 2020.10.9
description: MinIO is an object storage server, compatible with Amazon S3 cloud storage
service, mainly used for storing unstructured data (such as photos, videos, log
files, etc.)
engine: gotpl
home: https://github.com/bitnami/charts/tree/master/bitnami/minio
icon: https://bitnami.com/assets/stacks/minio/img/minio-stack-220x234.png
keywords:
- minio
- storage
- object-storage
- s3
- cluster
maintainers:
- email: containers@bitnami.com
name: Bitnami
name: minio
sources:
- https://github.com/bitnami/bitnami-docker-minio
- https://min.io
version: 3.7.14

259
scripts/helm/helm/databases/charts/minio/README.md Executable file
View file

@ -0,0 +1,259 @@
# MinIO
[MinIO](https://min.io) is an object storage server, compatible with Amazon S3 cloud storage service, mainly used for storing unstructured data (such as photos, videos, log files, etc.)
## TL;DR
```console
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/minio
```
## Introduction
This chart bootstraps a [MinIO](https://github.com/bitnami/bitnami-docker-minio) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
## Prerequisites
- Kubernetes 1.12+
- Helm 2.12+ or Helm 3.0-beta3+
- PV provisioner support in the underlying infrastructure
- ReadWriteMany volumes for deployment scaling
## Installing the Chart
To install the chart with the release name `my-release`:
```console
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/minio
```
These commands deploy MinIO on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Parameters
The following table lists the configurable parameters of the MinIO chart and their default values.
| Parameter | Description | Default |
|--------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `global.imageRegistry` | Global Docker image registry | `nil` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `global.storageClass` | Global storage class for dynamic provisioning | `nil` |
| `global.minio.existingSecret` | Name of existing secret to use for MinIO credentials (overrides `existingSecret`) | `nil` |
| `global.minio.accessKey` | MinIO Access Key (overrides `accessKey.password`) | `nil` |
| `global.minio.secretKey` | MinIO Secret Key (overrides `secretKey.password`) | `nil` |
| `image.registry` | MinIO image registry | `docker.io` |
| `image.repository` | MinIO image name | `bitnami/minio` |
| `image.tag` | MinIO image tag | `{TAG_NAME}` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `image.debug` | Specify if debug logs should be enabled | `false` |
| `nameOverride` | String to partially override minio.fullname template with a string (will prepend the release name) | `nil` |
| `fullnameOverride` | String to fully override minio.fullname template with a string | `nil` |
| `schedulerName` | Specifies the schedulerName, if it's nil uses kube-scheduler | `nil` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.name` | If serviceAccount.create is enabled, what should the serviceAccount name be - otherwise defaults to the fullname | `nil` |
| `clusterDomain` | Kubernetes cluster domain | `cluster.local` |
| `clientImage.registry` | MinIO Client image registry | `docker.io` |
| `clientImage.repository` | MinIO Client image name | `bitnami/minio-client` |
| `clientImage.tag` | MinIO Client image tag | `{TAG_NAME}` |
| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` |
| `volumePermissions.resources` | Init container resource requests/limit | `nil` |
| `mode` | MinIO server mode (`standalone` or `distributed`) | `standalone` |
| `statefulset.replicaCount` | Number of pods (only for Minio distributed mode). Should be 4 <= x <= 32 | `4` |
| `statefulset.updateStrategy` | Statefulset update strategy policy | `RollingUpdate` |
| `statefulset.podManagementpolicy` | Statefulset pods management policy | `Parallel` |
| `deployment.updateStrategy` | Deployment update strategy policy | `Recreate` |
| `existingSecret` | Existing secret with MinIO credentials | `nil` |
| `useCredentialsFile` | Have the secret mounted as a file instead of env vars | `false` |
| `forceNewKeys` | Force admin credentials (access and secret key) to be reconfigured every time they change in the secrets | `false` |
| `accessKey.password` | MinIO Access Key. Ignored if existing secret is provided. | _random 10 character alphanumeric string_ |
| `accessKey.forcePassword` | Force users to specify an Access Key | `false` |
| `secretKey.password` | MinIO Secret Key. Ignored if existing secret is provided. | _random 40 character alphanumeric string_ |
| `secretKey.forcePassword` | Force users to specify an Secret Key | `false` |
| `defaultBuckets` | Comma, semi-colon or space separated list of buckets to create (only in standalone mode) | `nil` |
| `disableWebUI` | Disable MinIO Web UI | `false` |
| `extraEnv` | Any extra environment variables you would like to pass to the pods | `{}` |
| `command` | Command for the minio container | `{}` |
| `resources` | Minio containers' resources | `{}` |
| `podAnnotations` | Pod annotations | `{}` |
| `affinity` | Map of node/pod affinities | `{}` (The value is evaluated as a template) |
| `nodeSelector` | Node labels for pod assignment | `{}` (The value is evaluated as a template) |
| `tolerations` | Tolerations for pod assignment | `[]` (The value is evaluated as a template) |
| `securityContext.enabled` | Enable security context | `true` |
| `securityContext.fsGroup` | Group ID for the container | `1001` |
| `securityContext.runAsUser` | User ID for the container | `1001` |
| `livenessProbe.enabled` | Enable/disable the Liveness probe | `true` |
| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | `60` |
| `livenessProbe.periodSeconds` | How often to perform the probe | `10` |
| `livenessProbe.timeoutSeconds` | When the probe times out | `5` |
| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `6` |
| `readinessProbe.enabled` | Enable/disable the Readiness probe | `true` |
| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | `5` |
| `readinessProbe.periodSeconds` | How often to perform the probe | `10` |
| `readinessProbe.timeoutSeconds` | When the probe times out | `5` |
| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `6` |
| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` |
| `persistence.enabled` | Use a PVC to persist data | `true` |
| `persistence.mountPath` | Path to mount the volume at | `/data` |
| `persistence.storageClass` | Storage class of backing PVC | `nil` (uses alpha storage class annotation) |
| `persistence.accessMode` | Use volume as ReadOnly or ReadWrite | `ReadWriteOnce` |
| `persistence.size` | Size of data volume | `8Gi` |
| `persistence.annotations` | Persistent Volume annotations | `{}` |
| `persistence.existingClaim` | Name of an existing PVC to use (only in "standalone" mode) | `nil` |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.port` | MinIO service port | `9000` |
| `service.nodePort` | Port to bind to for NodePort service type | `nil` |
| `service.loadBalancerIP` | Static IP Address to use for LoadBalancer service type | `nil` |
| `service.annotations` | Kubernetes service annotations | `{}` |
| `ingress.enabled` | Enable/disable ingress | `false` |
| `ingress.certManager` | Add annotations for cert-manager | `false` |
| `ingress.annotations` | Ingress annotations | `[]` |
| `ingress.labels` | Ingress additional labels | `{}` |
| `ingress.hosts[0].name` | Hostname to your MinIO installation | `minio.local` |
| `ingress.hosts[0].path` | Path within the url structure | `/` |
| `ingress.hosts[0].tls` | Utilize TLS backend in ingress | `false` |
| `ingress.hosts[0].tlsHosts` | Array of TLS hosts for ingress record (defaults to `ingress.hosts[0].name` if `nil`) | `nil` |
| `ingress.hosts[0].tlsSecret` | TLS Secret (certificates) | `minio.local-tls` |
| `ingress.secrets[0].name` | TLS Secret Name | `nil` |
| `ingress.secrets[0].certificate` | TLS Secret Certificate | `nil` |
| `ingress.secrets[0].key` | TLS Secret Key | `nil` |
| `networkPolicy.enabled` | Enable NetworkPolicy | `false` |
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
| `prometheusAuthType` | Authentication mode for Prometheus (`jwt` or `public`) | `public` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
$ helm install my-release \
--set accessKey.password=minio-access-key \
--set secretKey.password=minio-secret-key \
bitnami/minio
```
The above command sets the MinIO Server access key and secret key to `minio-access-key` and `minio-secret-key`, respectively.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```console
$ helm install my-release -f values.yaml bitnami/minio
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Production configuration
This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one.
- MinIO server mode:
```diff
- mode: standalone
+ mode: distributed
```
- Disable MinIO Web UI:
```diff
- disableWebUI: false
+ disableWebUI: true
```
- Annotations to be added to pods:
```diff
- podAnnotations: {}
+ podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/path: "/minio/prometheus/metrics"
+ prometheus.io/port: "9000"
```
- Pod resources:
```diff
- resources: {}
+ resources:
+ requests:
+ memory: 256Mi
+ cpu: 250m
```
- Enable NetworkPolicy:
```diff
- networkPolicy.enabled: false
+ networkPolicy.enabled: true
```
- Don't require client label for connections:
```diff
- networkPolicy.allowExternal: true
+ networkPolicy.allowExternal: false
```
- Change Prometheus authentication:
```diff
- prometheusAuthType: public
+ prometheusAuthType: jwt
```
### Distributed mode
You can start the MinIO chart in distributed mode with the following parameter: `mode=distributed`
This chart sets Minio server in distributed mode with 4 nodes by default. You can change the number of nodes setting the `statefulset.replicaCount` parameter, for example to `statefulset.replicaCount=8`
> Note: that the number of replicas must even, greater than 4 and lower than 32
### Prometheus exporter
MinIO exports Prometheus metrics at `/minio/prometheus/metrics`. To allow Prometheus collecting your MinIO metrics, modify the `values.yaml` adding the corresponding annotations:
```diff
- podAnnotations: {}
+ podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/path: "/minio/prometheus/metrics"
+ prometheus.io/port: "9000"
```
> Find more information about MinIO metrics at https://docs.min.io/docs/how-to-monitor-minio-using-prometheus.html
## Persistence
The [Bitnami MinIO](https://github.com/bitnami/bitnami-docker-minio) image stores data at the `/data` path of the container.
The chart mounts a [Persistent Volume](http://kubernetes.io/docs/user-guide/persistent-volumes/) at this location. The volume is created using dynamic volume provisioning.
### Adjust permissions of persistent volume mountpoint
As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it.
By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions.
As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination.
You can enable this initContainer by setting `volumePermissions.enabled` to `true`.

27
scripts/helm/helm/databases/charts/minio/ci/values-production.yaml Executable file
View file

@ -0,0 +1,27 @@
# Test values file for generating all of the yaml and check that
# the rendering is correct
volumePermissions:
enabled: true
mode: distributed
useCredentialsFile: true
disableWebUI: false
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/path: "/minio/prometheus/metric"
prometheus.io/port: "9000"
resources:
requests:
cpu: 250m
memory: 256Mi
ingress:
enabled: true
networkPolicy:
enabled: true

71
scripts/helm/helm/databases/charts/minio/templates/NOTES.txt Executable file
View file

@ -0,0 +1,71 @@
** Please be patient while the chart is being deployed **
MinIO can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster:
{{ include "minio.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
To get your credentials run:
export MINIO_ACCESS_KEY=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "minio.fullname" . }} -o jsonpath="{.data.access-key}" | base64 --decode)
export MINIO_SECRET_KEY=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "minio.fullname" . }} -o jsonpath="{.data.secret-key}" | base64 --decode)
To connect to your MinIO server using a client:
- Run a MinIO Client pod and append the desired command (e.g. 'admin info server'):
kubectl run --namespace {{ .Release.Namespace }} {{ include "minio.fullname" . }}-client \
--rm --tty -i --restart='Never' \
--env MINIO_SERVER_ACCESS_KEY=$MINIO_ACCESS_KEY \
--env MINIO_SERVER_SECRET_KEY=$MINIO_SECRET_KEY \
--env MINIO_SERVER_HOST={{ include "minio.fullname" . }} \
{{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
--labels="{{ template "minio.name" . }}-client=true" \
{{- end }}
--image {{ template "minio.clientImage" . }} -- admin info server minio
{{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
NOTE: Since NetworkPolicy is enabled, only pods with label
"{{ template "minio.fullname" . }}-client=true" will be able to connect to MinIO.
{{- end }}
{{- if not .Values.disableWebUI }}
To access the MinIO web UI:
- Get the MinIO URL:
{{- if .Values.ingress.enabled }}
You should be able to access your new MinIO web UI through
{{- range .Values.ingress.hosts }}
{{ if .tls }}https{{ else }}http{{ end }}://{{ .name }}/minio/
{{- end }}
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "minio.fullname" . }}'
{{- $port:=.Values.service.port | toString }}
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "minio.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo "MinIO web URL: http://$SERVICE_IP{{- if ne $port "80" }}:{{ .Values.service.port }}{{ end }}/minio"
{{- else if contains "ClusterIP" .Values.service.type }}
echo "MinIO web URL: http://127.0.0.1:9000/minio"
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "minio.fullname" . }} 9000:{{ .Values.service.port }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "minio.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo "MinIO web URL: http://$NODE_IP:$NODE_PORT/minio"
{{- end }}
{{- else }}
WARN: MinIO Web UI is disabled.
{{- end }}
{{ include "minio.validateValues" . }}
{{ include "minio.checkRollingTags" . }}

265
scripts/helm/helm/databases/charts/minio/templates/_helpers.tpl Executable file
View file

@ -0,0 +1,265 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "minio.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "minio.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "minio.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "minio.labels" -}}
app.kubernetes.io/name: {{ include "minio.name" . }}
helm.sh/chart: {{ include "minio.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
*/}}
{{- define "minio.matchLabels" -}}
app.kubernetes.io/name: {{ include "minio.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Return the proper MinIO image name
*/}}
{{- define "minio.image" -}}
{{- $registryName := coalesce .Values.global.imageRegistry .Values.image.registry -}}
{{- $repositoryName := .Values.image.repository -}}
{{- $tag := .Values.image.tag | toString -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{/*
Return the proper MinIO Client image name
*/}}
{{- define "minio.clientImage" -}}
{{- $registryName := coalesce .Values.global.imageRegistry .Values.clientImage.registry -}}
{{- $repositoryName := .Values.clientImage.repository -}}
{{- $tag := .Values.clientImage.tag | toString -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "minio.imagePullSecrets" -}}
{{- $imagePullSecrets := coalesce .Values.global.imagePullSecrets .Values.image.pullSecrets .Values.volumePermissions.image.pullSecrets -}}
{{- if $imagePullSecrets }}
imagePullSecrets:
{{- range $imagePullSecrets }}
- name: {{ . }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Return MinIO accessKey
*/}}
{{- define "minio.accessKey" -}}
{{- $accessKey := coalesce .Values.global.minio.accessKey .Values.accessKey.password -}}
{{- if $accessKey }}
{{- $accessKey -}}
{{- else if (not .Values.accessKey.forcePassword) }}
{{- randAlphaNum 10 -}}
{{- else -}}
{{ required "An Access Key is required!" .Values.accessKey.password }}
{{- end -}}
{{- end -}}
{{/*
Return MinIO secretKey
*/}}
{{- define "minio.secretKey" -}}
{{- $secretKey := coalesce .Values.global.minio.secretKey .Values.secretKey.password -}}
{{- if $secretKey }}
{{- $secretKey -}}
{{- else if (not .Values.secretKey.forcePassword) }}
{{- randAlphaNum 40 -}}
{{- else -}}
{{ required "A Secret Key is required!" .Values.secretKey.password }}
{{- end -}}
{{- end -}}
{{/*
Get the credentials secret.
*/}}
{{- define "minio.secretName" -}}
{{- if .Values.global.minio.existingSecret }}
{{- printf "%s" .Values.global.minio.existingSecret -}}
{{- else if .Values.existingSecret -}}
{{- printf "%s" .Values.existingSecret -}}
{{- else -}}
{{- printf "%s" (include "minio.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a secret object should be created
*/}}
{{- define "minio.createSecret" -}}
{{- if .Values.global.minio.existingSecret }}
{{- else if .Values.existingSecret -}}
{{- else -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message, and call fail.
*/}}
{{- define "minio.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "minio.validateValues.mode" .) -}}
{{- $messages := append $messages (include "minio.validateValues.replicaCount" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/* Validate values of MinIO - must provide a valid mode ("distributed" or "standalone") */}}
{{- define "minio.validateValues.mode" -}}
{{- if and (ne .Values.mode "distributed") (ne .Values.mode "standalone") -}}
minio: mode
Invalid mode selected. Valid values are "distributed" and
"standalone". Please set a valid mode (--set mode="xxxx")
{{- end -}}
{{- end -}}
{{/* Validate values of MinIO - number of replicas must be even, greater than 4 and lower than 32 */}}
{{- define "minio.validateValues.replicaCount" -}}
{{- $replicaCount := int .Values.statefulset.replicaCount }}
{{- if and (eq .Values.mode "distributed") (or (eq (mod $replicaCount 2) 1) (lt $replicaCount 4) (gt $replicaCount 32)) -}}
minio: replicaCount
Number of replicas must be even, greater than 4 and lower than 32!!
Please set a valid number of replicas (--set statefulset.replicaCount=X)
{{- end -}}
{{- end -}}
{{/* Check if there are rolling tags in the images */}}
{{- define "minio.checkRollingTags" -}}
{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- if and (contains "bitnami/" .Values.clientImage.repository) (not (.Values.clientImage.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .Values.clientImage.repository }}:{{ .Values.clientImage.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- end -}}
{{/*
Return the proper image name (for the init container volume-permissions image)
*/}}
{{- define "minio.volumePermissions.image" -}}
{{- $registryName := .Values.volumePermissions.image.registry -}}
{{- $repositoryName := .Values.volumePermissions.image.repository -}}
{{- $tag := .Values.volumePermissions.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Storage Class
*/}}
{{- define "minio.storageClass" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
*/}}
{{- if .Values.global -}}
{{- if .Values.global.storageClass -}}
{{- if (eq "-" .Values.global.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.global.storageClass -}}
{{- end -}}
{{- else -}}
{{- if .Values.persistence.storageClass -}}
{{- if (eq "-" .Values.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- else -}}
{{- if .Values.persistence.storageClass -}}
{{- if (eq "-" .Values.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Renders a value that contains template.
Usage:
{{ include "minio.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "minio.tplValue" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}
{{/*
Returns the proper service account name depending if an explicit service account name is set
in the values file. If the name is not set it will default to either minio.fullname if serviceAccount.create
is true or default otherwise.
*/}}
{{- define "minio.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "minio.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}

160
scripts/helm/helm/databases/charts/minio/templates/deployment-standalone.yaml Executable file
View file

@ -0,0 +1,160 @@
{{- if eq .Values.mode "standalone" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "minio.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "minio.labels" . | nindent 4 }}
spec:
{{- if .Values.deployment.updateStrategy }}
strategy: {{ toYaml .Values.deployment.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels: {{- include "minio.matchLabels" . | nindent 6 }}
template:
metadata:
labels: {{- include "minio.labels" . | nindent 8 }}
{{- if or .Values.podAnnotations (include "minio.createSecret" .) }}
annotations:
{{- if (include "minio.createSecret" .) }}
checksum/credentials-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- include "minio.tplValue" ( dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName }}
{{- end }}
serviceAccountName: {{ template "minio.serviceAccountName" . }}
{{- include "minio.imagePullSecrets" . | nindent 6 }}
{{- if .Values.affinity }}
affinity: {{- include "minio.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{- include "minio.tplValue" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- include "minio.tplValue" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end }}
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
initContainers:
- name: volume-permissions
image: {{ template "minio.volumePermissions.image" . }}
imagePullPolicy: {{ default "" .Values.volumePermissions.image.pullPolicy | quote }}
command:
- /bin/bash
- -ec
- |
chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }}
securityContext:
runAsUser: 0
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: {{ .Values.persistence.mountPath }}
{{- end }}
containers:
- name: minio
image: {{ include "minio.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
- name: MINIO_FORCE_NEW_KEYS
value: {{ ternary "yes" "no" .Values.forceNewKeys | quote }}
{{- if .Values.useCredentialsFile }}
- name: MINIO_ACCESS_KEY_FILE
value: "/opt/bitnami/minio/secrets/access-key"
{{- else }}
- name: MINIO_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ include "minio.secretName" . }}
key: access-key
{{- end }}
{{- if .Values.useCredentialsFile }}
- name: MINIO_SECRET_KEY_FILE
value: "/opt/bitnami/minio/secrets/secret-key"
{{- else }}
- name: MINIO_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ include "minio.secretName" . }}
key: secret-key
{{- end }}
{{- if .Values.defaultBuckets }}
- name: MINIO_DEFAULT_BUCKETS
value: {{ .Values.defaultBuckets }}
{{- end }}
- name: MINIO_BROWSER
value: {{ ternary "off" "on" .Values.disableWebUI | quote }}
{{- if .Values.prometheusAuthType }}
- name: MINIO_PROMETHEUS_AUTH_TYPE
value: {{ .Values.prometheusAuthType }}
{{- end }}
{{- if .Values.extraEnv }}
{{- toYaml .Values.extraEnv | nindent 12 }}
{{- end }}
{{ if .Values.command }}
command: {{- toYaml .Values.command | nindent 12 }}
{{- end }}
ports:
- name: minio
containerPort: 9000
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
httpGet:
path: /minio/health/live
port: minio
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
tcpSocket:
port: minio
{{- end }}
{{- if .Values.resources }}
resources: {{ toYaml .Values.resources | nindent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.useCredentialsFile }}
- name: minio-credentials
mountPath: /opt/bitnami/minio/secrets/
{{- end }}
- name: "data"
mountPath: {{ .Values.persistence.mountPath }}
volumes:
{{- if .Values.useCredentialsFile }}
- name: minio-credentials
secret:
secretName: {{ include "minio.secretName" . }}
{{- end }}
- name: data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ include "minio.fullname" . }}{{- end }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}

43
scripts/helm/helm/databases/charts/minio/templates/ingress.yaml Executable file
View file

@ -0,0 +1,43 @@
{{- if and .Values.ingress.enabled (not .Values.disableWebUI ) -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ include "minio.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "minio.labels" . | nindent 4 }}
{{- range $key, $value := .Values.ingress.labels }}
{{ $key }}: {{ $value }}
{{- end }}
annotations:
{{- if .Values.ingress.certManager }}
kubernetes.io/tls-acme: "true"
{{- end }}
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .name }}
http:
paths:
- path: {{ default "/" .path }}
backend:
serviceName: {{ include "minio.fullname" $ }}
servicePort: minio
{{- end }}
tls:
{{- range .Values.ingress.hosts }}
{{- if .tls }}
- hosts:
{{- if .tlsHosts }}
{{- range $host := .tlsHosts }}
- {{ $host }}
{{- end }}
{{- else }}
- {{ .name }}
{{- end }}
secretName: {{ .tlsSecret }}
{{- end }}
{{- end }}
{{- end }}

23
scripts/helm/helm/databases/charts/minio/templates/networkpolicy.yaml Executable file
View file

@ -0,0 +1,23 @@
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ include "minio.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "minio.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ include "minio.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
ingress:
# Allow inbound connections
- ports:
- port: 9000
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ include "minio.fullname" . }}-client: "true"
{{- end }}
{{- end }}

17
scripts/helm/helm/databases/charts/minio/templates/pvc-standalone.yaml Executable file
View file

@ -0,0 +1,17 @@
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.mode "standalone") }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ include "minio.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "minio.labels" . | nindent 4 }}
spec:
accessModes:
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{ include "minio.storageClass" . }}
{{- end }}

12
scripts/helm/helm/databases/charts/minio/templates/secrets.yaml Executable file
View file

@ -0,0 +1,12 @@
{{- if (include "minio.createSecret" .) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "minio.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "minio.labels" . | nindent 4 }}
type: Opaque
data:
access-key: {{ include "minio.accessKey" . | b64enc | quote }}
secret-key: {{ include "minio.secretKey" . | b64enc | quote }}
{{- end }}

24
scripts/helm/helm/databases/charts/minio/templates/service.yaml Executable file
View file

@ -0,0 +1,24 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "minio.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "minio.labels" . | nindent 4 }}
{{- if .Values.service.annotations }}
annotations: {{- include "minio.tplValue" ( dict "value" .Values.service.annotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
ports:
- name: minio
port: {{ .Values.service.port }}
targetPort: minio
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePort)) }}
nodePort: {{ .Values.service.nodePort }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
selector: {{- include "minio.matchLabels" . | nindent 4 }}

10
scripts/helm/helm/databases/charts/minio/templates/serviceaccount.yaml Executable file
View file

@ -0,0 +1,10 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "minio.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "minio.labels" . | nindent 4 }}
secrets:
- name: {{ include "minio.fullname" . }}
{{- end }}

181
scripts/helm/helm/databases/charts/minio/templates/statefulset.yaml Executable file
View file

@ -0,0 +1,181 @@
{{- if eq .Values.mode "distributed" }}
{{- $replicaCount := int .Values.statefulset.replicaCount }}
{{- if and (eq (mod $replicaCount 2) 0) (gt $replicaCount 3) (lt $replicaCount 33) }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "minio.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "minio.labels" . | nindent 4 }}
spec:
selector:
matchLabels: {{- include "minio.matchLabels" . | nindent 6 }}
serviceName: {{ include "minio.fullname" . }}-headless
replicas: {{ .Values.statefulset.replicaCount }}
podManagementPolicy: {{ .Values.statefulset.podManagementPolicy }}
updateStrategy:
type: {{ .Values.statefulset.updateStrategy }}
{{- if (eq "Recreate" .Values.statefulset.updateStrategy) }}
rollingUpdate: null
{{- end }}
template:
metadata:
labels: {{- include "minio.labels" . | nindent 8 }}
{{- if or .Values.podAnnotations (include "minio.createSecret" .) }}
annotations:
{{- if (include "minio.createSecret" .) }}
checksum/credentials-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- include "minio.tplValue" ( dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName }}
{{- end }}
serviceAccountName: {{ template "minio.serviceAccountName" . }}
{{- include "minio.imagePullSecrets" . | nindent 6 }}
{{- if .Values.affinity }}
affinity: {{- include "minio.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{- include "minio.tplValue" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- include "minio.tplValue" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end }}
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
initContainers:
- name: volume-permissions
image: {{ template "minio.volumePermissions.image" . }}
imagePullPolicy: {{ default "" .Values.volumePermissions.image.pullPolicy | quote }}
command:
- /bin/bash
- -ec
- |
chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }}
securityContext:
runAsUser: 0
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: {{ .Values.persistence.mountPath }}
{{- end }}
containers:
- name: minio
image: {{ include "minio.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
- name: MINIO_DISTRIBUTED_MODE_ENABLED
value: "yes"
- name: MINIO_SKIP_CLIENT
value: "yes"
- name: MINIO_DISTRIBUTED_NODES
{{- $minioFullname := include "minio.fullname" . }}
{{- $minioHeadlessServiceName := printf "%s-%s" $minioFullname "headless" | trunc 63 }}
{{- $releaseNamespace := .Release.Namespace }}
value: {{range $i, $e := until $replicaCount }}{{ $minioFullname }}-{{ $e }}.{{ $minioHeadlessServiceName }}.{{ $releaseNamespace }}.svc.{{ $.Values.clusterDomain }},{{ end }}
- name: MINIO_FORCE_NEW_KEYS
value: {{ ternary "yes" "no" .Values.forceNewKeys | quote }}
{{- if .Values.useCredentialsFile }}
- name: MINIO_ACCESS_KEY_FILE
value: "/opt/bitnami/minio/secrets/access-key"
{{- else }}
- name: MINIO_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ include "minio.secretName" . }}
key: access-key
{{- end }}
{{- if .Values.useCredentialsFile }}
- name: MINIO_SECRET_KEY_FILE
value: "/opt/bitnami/minio/secrets/secret-key"
{{- else }}
- name: MINIO_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ include "minio.secretName" . }}
key: secret-key
{{- end }}
- name: MINIO_BROWSER
value: {{ ternary "off" "on" .Values.disableWebUI | quote }}
{{- if .Values.prometheusAuthType }}
- name: MINIO_PROMETHEUS_AUTH_TYPE
value: {{ .Values.prometheusAuthType }}
{{- end }}
{{- if .Values.extraEnv }}
{{- toYaml .Values.extraEnv | nindent 12 }}
{{- end }}
ports:
- name: minio
containerPort: 9000
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
httpGet:
path: /minio/health/live
port: minio
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
tcpSocket:
port: minio
{{- end }}
{{- if .Values.resources }}
resources: {{ toYaml .Values.resources | nindent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.useCredentialsFile }}
- name: minio-credentials
mountPath: /opt/bitnami/minio/secrets/
{{- end }}
- name: data
mountPath: {{ .Values.persistence.mountPath }}
volumes:
{{- if .Values.useCredentialsFile }}
- name: minio-credentials
secret:
secretName: {{ include "minio.secretName" . }}
{{- end }}
{{- if not .Values.persistence.enabled }}
- name: data
emptyDir: {}
{{- else }}
volumeClaimTemplates:
- metadata:
name: data
labels: {{- include "minio.matchLabels" . | nindent 10 }}
{{- if .Values.persistence.annotations }}
annotations: {{- include "minio.tplValue" ( dict "value" .Values.persistence.annotations "context" $) | nindent 10 }}
{{- end }}
spec:
accessModes: {{ toYaml .Values.persistence.accessModes | nindent 10 }}
{{ include "minio.storageClass" . }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- end }}
{{- end }}
{{- end }}

16
scripts/helm/helm/databases/charts/minio/templates/svc-headless.yaml Executable file
View file

@ -0,0 +1,16 @@
{{- if eq .Values.mode "distributed" }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "minio.fullname" . }}-headless
namespace: {{ .Release.Namespace }}
labels: {{- include "minio.labels" . | nindent 4 }}
spec:
type: ClusterIP
clusterIP: None
ports:
- name: minio
port: {{ .Values.service.port }}
targetPort: minio
selector: {{- include "minio.matchLabels" . | nindent 4 }}
{{- end }}

14
scripts/helm/helm/databases/charts/minio/templates/tls-secrets.yaml Executable file
View file

@ -0,0 +1,14 @@
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.secrets }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .name }}
namespace: {{ .Release.Namespace }}
labels: {{- include "minio.labels" $ | nindent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ .certificate | b64enc }}
tls.key: {{ .key | b64enc }}
{{- end }}
{{- end }}

389
scripts/helm/helm/databases/charts/minio/values-production.yaml Executable file
View file

@ -0,0 +1,389 @@
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
##
global:
minio: {}
# minio:
# existingSecret: ""
# accessKey: ""
# secretKey: ""
# imageRegistry: myRegistryName
# imagePullSecrets:
# - myRegistryKeySecretName
# storageClass: myStorageClass
## Bitnami MinIO image version
## ref: https://hub.docker.com/r/bitnami/minio/tags/
##
image:
registry: docker.io
repository: bitnami/minio
tag: 2020.10.9-debian-10-r6
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Set to true if you would like to see extra information on logs
## It turns BASH and NAMI debugging in minideb
## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging
debug: false
## String to partially override minio.fullname template (will maintain the release name)
##
# nameOverride:
## String to fully override minio.fullname template
##
# fullnameOverride:
## Scheduler name
## https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName: stork
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template
name:
## Cluster domain
##
clusterDomain: cluster.local
## Bitnami MinIO Client image version
## ref: https://hub.docker.com/r/bitnami/minio-client/tags/
##
clientImage:
registry: docker.io
repository: bitnami/minio-client
tag: 2020.10.3-debian-10-r9
## Init containers parameters:
## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section.
##
volumePermissions:
enabled: false
image:
registry: docker.io
repository: bitnami/minideb
tag: buster
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Init container' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 100m
# memory: 128Mi
requests: {}
# cpu: 100m
# memory: 128Mi
## MinIO server mode. Allowed values: standalone or distributed.
## Distributed Minio ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide
##
mode: distributed
## MinIO deployment parameters
## Only when mode is 'standalone'
##
deployment:
## Set to Recreate if you use persistent volume that cannot be mounted by more than one pods to makesure the pods is destroyed first.
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
## Example:
## updateStrategy:
## type: RollingUpdate
## rollingUpdate:
## maxSurge: 25%
## maxUnavailable: 25%
##
updateStrategy:
type: Recreate
## MinIO statefulset parameters
## Only when mode is 'distributed'
##
statefulset:
## Update strategy, can be set to RollingUpdate or OnDelete by default.
## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
##
updateStrategy: RollingUpdate
## StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel
## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
##
podManagementPolicy: Parallel
## Number of replicas, it must even and greater than 4
##
replicaCount: 4
## Use existing secret (ignores accessKey, and secretKey passwords)
##
# existingSecret:
## Mount MinIO secret as a file instead of passing environment variable
##
useCredentialsFile: false
## Force reconfiguring new keys whenever the credentials change
##
forceNewKeys: false
## MinIO credentials
##
accessKey:
## MinIO Access Key
## ref: https://github.com/bitnami/bitnami-docker-minio/#setting-up-minio-in-distributed-mode
##
password:
## Option to force users to specify a password. That is required for 'helm upgrade' to work properly.
## If it is not force, a random password will be generated.
##
forcePassword: false
secretKey:
## MinIO Secret Key
## ref: https://github.com/bitnami/bitnami-docker-minio/#setting-up-minio-in-distributed-mode
##
password:
## Option to force users to specify a password. That is required for 'helm upgrade' to work properly.
## If it is not force, a random password will be generated.
##
forcePassword: false
## Comma, semi-colon or space separated list of buckets to create at initialization (only in standalone mode)
##
# defaultBuckets: "my-bucket, my-second-bucket"
## Disable MinIO Web UI
## ref: https://github.com/minio/minio/tree/master/docs/config/#browser
##
disableWebUI: true
## Define custom environment variables to pass to the image here
##
extraEnv: {}
## Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
securityContext:
enabled: true
fsGroup: 1001
runAsUser: 1001
## Pod annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/path: "/minio/prometheus/metric"
prometheus.io/port: "9000"
## Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## Node labels for pod assignment. Evaluated as a template.
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## Tolerations for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## MinIO containers' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 250m
# memory: 256Mi
requests:
cpu: 250m
memory: 256Mi
## MinIO containers' liveness and readiness probes
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
livenessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
readinessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 5
## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
## If true, use a Persistent Volume Claim, If false, use emptyDir
##
enabled: true
## Enable persistence using an existing PVC (only in standalone mode)
##
# existingClaim:
## Data volume mount path
##
mountPath: /data
## Persistent Volume Access Mode
##
accessModes:
- ReadWriteOnce
## Persistent Volume size
##
size: 8Gi
## Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
## Persistent Volume Claim annotations
##
annotations: {}
## MinIO Service properties
##
service:
## MinIO Service type
##
type: ClusterIP
## MinIO Service port
##
port: 9000
## Specify the nodePort value for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
# nodePort:
## Provide any additional annotations which may be required. This can be used to
## set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
annotations: {}
## loadBalancerIP for the PrestaShop Service (optional, cloud specific)
## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer
##
# loadBalancerIP:
## Configure the ingress resource that allows you to access the
## MinIO web browser. Set up the URL
## ref: http://kubernetes.io/docs/user-guide/ingress/
##
ingress:
## Set to true to enable ingress record generation
enabled: false
## Set this to true in order to add the corresponding annotations for cert-manager
certManager: false
## Ingress annotations done as key:value pairs
## For a full list of possible ingress annotations, please see
## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
##
## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set
## If certManager is set to true, annotation kubernetes.io/tls-acme: "true" will automatically be set
# annotations:
# kubernetes.io/ingress.class: nginx
## Ingress additional labels done as key:value pairs
labels: {}
## The list of hostnames to be covered with this ingress record.
## Most likely this will be just one host, but in the event more hosts are needed, this is an array
hosts:
- name: minio.local
path: /
## Set this to true in order to enable TLS on the ingress record
tls: false
## Optionally specify the TLS hosts for the ingress record
## Useful when the Ingress controller supports www-redirection
## If not specified, the above host name will be used
# tlsHosts:
# - www.minio.local
# - minio.local
## If TLS is set to true, you must declare what secret will store the key/certificate for TLS
tlsSecret: minio.local-tls
secrets:
## If you're providing your own certificates, please use this to add the certificates as secrets
## key and certificate should start with -----BEGIN CERTIFICATE----- or
## -----BEGIN RSA PRIVATE KEY-----
##
## name should line up with a tlsSecret set further up
## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
##
## It is also possible to create and manage the certificates outside of this helm chart
## Please see README.md for more information
# - name: minio.local-tls
# key:
# certificate:
## NetworkPolicy parameters
##
networkPolicy:
## Specifies whether a NetworkPolicy should be created
##
enabled: true
## The Policy model to apply. When set to false, only pods with the correct
## client label will have network access to the port MinIO is listening
## on. When true, MinIO will accept connections from any source
## (with the correct destination port).
##
allowExternal: false
## MinIO supports two authentication modes for Prometheus either jwt or public, by default MinIO runs in jwt mode.
## To allow public access without authentication for prometheus metrics set environment as follows.
prometheusAuthType: jwt

391
scripts/helm/helm/databases/charts/minio/values.yaml Executable file
View file

@ -0,0 +1,391 @@
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
##
global:
minio: {}
# accessKey: "minios3AccessKeyS3cr3t"
# secretKey: "m1n10s3CretK3yPassw0rd"
# minio: {}
# existingSecret: ""
# accessKey: ""
# secretKey: ""
# imageRegistry: myRegistryName
# imagePullSecrets:
# - myRegistryKeySecretName
# storageClass: myStorageClass
## Bitnami MinIO image version
## ref: https://hub.docker.com/r/bitnami/minio/tags/
##
image:
registry: docker.io
repository: bitnami/minio
tag: 2020.10.9-debian-10-r6
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Set to true if you would like to see extra information on logs
## It turns BASH and NAMI debugging in minideb
## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging
debug: false
## String to partially override minio.fullname template (will maintain the release name)
##
# nameOverride:
## String to fully override minio.fullname template
##
# fullnameOverride:
## Scheduler name
## https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName: stork
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template
name:
## Cluster domain
##
clusterDomain: cluster.local
## Bitnami MinIO Client image version
## ref: https://hub.docker.com/r/bitnami/minio-client/tags/
##
clientImage:
registry: docker.io
repository: bitnami/minio-client
tag: 2020.10.3-debian-10-r9
## Init containers parameters:
## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section.
##
volumePermissions:
enabled: false
image:
registry: docker.io
repository: bitnami/minideb
tag: buster
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Init container' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 100m
# memory: 128Mi
requests: {}
# cpu: 100m
# memory: 128Mi
## MinIO server mode. Allowed values: standalone or distributed.
## Distributed Minio ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide
##
mode: standalone
## MinIO deployment parameters
## Only when mode is 'standalone'
##
deployment:
## Set to Recreate if you use persistent volume that cannot be mounted by more than one pods to makesure the pods is destroyed first.
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
## Example:
## updateStrategy:
## type: RollingUpdate
## rollingUpdate:
## maxSurge: 25%
## maxUnavailable: 25%
##
updateStrategy:
type: Recreate
## MinIO statefulset parameters
## Only when mode is 'distributed'
##
statefulset:
## Update strategy, can be set to RollingUpdate or OnDelete by default.
## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
##
updateStrategy: RollingUpdate
## StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel
## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
##
podManagementPolicy: Parallel
## Number of replicas, it must even and greater than 4
##
replicaCount: 4
## Use existing secret (ignores accessKey, and secretKey passwords)
##
# existingSecret:
## Mount MinIO secret as a file instead of passing environment variable
##
useCredentialsFile: false
## Force reconfiguring new keys whenever the credentials change
##
forceNewKeys: false
## MinIO credentials
##
accessKey:
## MinIO Access Key
## ref: https://github.com/bitnami/bitnami-docker-minio/#setting-up-minio-in-distributed-mode
##
password:
## Option to force users to specify a password. That is required for 'helm upgrade' to work properly.
## If it is not force, a random password will be generated.
##
forcePassword: false
secretKey:
## MinIO Secret Key
## ref: https://github.com/bitnami/bitnami-docker-minio/#setting-up-minio-in-distributed-mode
##
password:
## Option to force users to specify a password. That is required for 'helm upgrade' to work properly.
## If it is not force, a random password will be generated.
##
forcePassword: false
## Comma, semi-colon or space separated list of buckets to create at initialization (only in standalone mode)
##
# defaultBuckets: "my-bucket, my-second-bucket"
## Disable MinIO Web UI
## ref: https://github.com/minio/minio/tree/master/docs/config/#browser
##
disableWebUI: false
## Define custom environment variables to pass to the image here
##
extraEnv: {}
## Define a custom command for the minio container
command: {}
## Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
securityContext:
enabled: true
fsGroup: 1001
runAsUser: 1001
## Pod annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## Node labels for pod assignment. Evaluated as a template.
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## Tolerations for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## MinIO containers' resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits: {}
# cpu: 250m
# memory: 256Mi
requests: {}
# cpu: 250m
# memory: 256Mi
## MinIO containers' liveness and readiness probes
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
livenessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
readinessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 5
## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
## If true, use a Persistent Volume Claim, If false, use emptyDir
##
enabled: true
## Enable persistence using an existing PVC (only in standalone mode)
##
# existingClaim:
## Data volume mount path
##
mountPath: /data
## Persistent Volume Access Mode
##
accessModes:
- ReadWriteOnce
## Persistent Volume size
##
size: 50Gi
## Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
## Persistent Volume Claim annotations
##
annotations: {}
## MinIO Service properties
##
service:
## MinIO Service type
##
type: ClusterIP
## MinIO Service port
##
port: 9000
## Specify the nodePort value for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
# nodePort:
## Provide any additional annotations which may be required. This can be used to
## set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
annotations: {}
## loadBalancerIP for the PrestaShop Service (optional, cloud specific)
## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer
##
# loadBalancerIP:
## Configure the ingress resource that allows you to access the
## MinIO web browser. Set up the URL
## ref: http://kubernetes.io/docs/user-guide/ingress/
##
ingress:
## Set to true to enable ingress record generation
enabled: false
## Set this to true in order to add the corresponding annotations for cert-manager
certManager: false
## Ingress annotations done as key:value pairs
## For a full list of possible ingress annotations, please see
## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
##
## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set
## If certManager is set to true, annotation kubernetes.io/tls-acme: "true" will automatically be set
# annotations:
# kubernetes.io/ingress.class: nginx
## Ingress additional labels done as key:value pairs
labels: {}
## The list of hostnames to be covered with this ingress record.
## Most likely this will be just one host, but in the event more hosts are needed, this is an array
hosts:
- name: minio.local
path: /
## Set this to true in order to enable TLS on the ingress record
tls: false
## Optionally specify the TLS hosts for the ingress record
## Useful when the Ingress controller supports www-redirection
## If not specified, the above host name will be used
# tlsHosts:
# - www.minio.local
# - minio.local
## If TLS is set to true, you must declare what secret will store the key/certificate for TLS
tlsSecret: minio.local-tls
secrets:
## If you're providing your own certificates, please use this to add the certificates as secrets
## key and certificate should start with -----BEGIN CERTIFICATE----- or
## -----BEGIN RSA PRIVATE KEY-----
##
## name should line up with a tlsSecret set further up
## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
##
## It is also possible to create and manage the certificates outside of this helm chart
## Please see README.md for more information
# - name: minio.local-tls
# key:
# certificate:
## NetworkPolicy parameters
##
networkPolicy:
## Specifies whether a NetworkPolicy should be created
##
enabled: false
## The Policy model to apply. When set to false, only pods with the correct
## client label will have network access to the port MinIO is listening
## on. When true, MinIO will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## MinIO supports two authentication modes for Prometheus either jwt or public, by default MinIO runs in jwt mode.
## To allow public access without authentication for prometheus metrics set environment as follows.
prometheusAuthType: public

21
scripts/helm/helm/databases/charts/postgresql/.helmignore Executable file
View file

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

26
scripts/helm/helm/databases/charts/postgresql/Chart.yaml Executable file
View file

@ -0,0 +1,26 @@
annotations:
category: Database
apiVersion: v1
appVersion: 11.9.0
description: Chart for PostgreSQL, an object-relational database management system
(ORDBMS) with an emphasis on extensibility and on standards-compliance.
engine: gotpl
home: https://github.com/bitnami/charts/tree/master/bitnami/postgresql
icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-110x117.png
keywords:
- postgresql
- postgres
- database
- sql
- replication
- cluster
maintainers:
- email: containers@bitnami.com
name: Bitnami
- email: cedric@desaintmartin.fr
name: desaintmartin
name: postgresql
sources:
- https://github.com/bitnami/bitnami-docker-postgresql
- https://www.postgresql.org/
version: 9.8.2

707
scripts/helm/helm/databases/charts/postgresql/README.md Executable file
View file

@ -0,0 +1,707 @@
# PostgreSQL
[PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance.
For HA, please see [this repo](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha)
## TL;DR
```console
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/postgresql
```
## Introduction
This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/).
## Prerequisites
- Kubernetes 1.12+
- Helm 2.12+ or Helm 3.0-beta3+
- PV provisioner support in the underlying infrastructure
## Installing the Chart
To install the chart with the release name `my-release`:
```console
$ helm install my-release bitnami/postgresql
```
The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
$ helm delete my-release
```
The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release.
To delete the PVC's associated with `my-release`:
```console
$ kubectl delete pvc -l release=my-release
```
> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it.
## Parameters
The following tables lists the configurable parameters of the PostgreSQL chart and their default values.
| Parameter | Description | Default |
|-----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------|
| `global.imageRegistry` | Global Docker Image registry | `nil` |
| `global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides `postgresqlDatabase`) | `nil` |
| `global.postgresql.postgresqlUsername` | PostgreSQL username (overrides `postgresqlUsername`) | `nil` |
| `global.postgresql.existingSecret` | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`) | `nil` |
| `global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides `postgresqlPassword`) | `nil` |
| `global.postgresql.servicePort` | PostgreSQL port (overrides `service.port`) | `nil` |
| `global.postgresql.replicationPassword` | Replication user password (overrides `replication.password`) | `nil` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `global.storageClass` | Global storage class for dynamic provisioning | `nil` |
| `image.registry` | PostgreSQL Image registry | `docker.io` |
| `image.repository` | PostgreSQL Image name | `bitnami/postgresql` |
| `image.tag` | PostgreSQL Image tag | `{TAG_NAME}` |
| `image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) |
| `image.debug` | Specify if debug values should be set | `false` |
| `nameOverride` | String to partially override postgresql.fullname template with a string (will prepend the release name) | `nil` |
| `fullnameOverride` | String to fully override postgresql.fullname template with a string | `nil` |
| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` |
| `volumePermissions.securityContext.*` | Other container security context to be included as-is in the container spec | `{}` |
| `volumePermissions.securityContext.runAsUser` | User ID for the init container (when facing issues in OpenShift or uid unknown, try value "auto") | `0` |
| `usePasswordFile` | Have the secrets mounted as a file instead of env vars | `false` |
| `ldap.enabled` | Enable LDAP support | `false` |
| `ldap.existingSecret` | Name of existing secret to use for LDAP passwords | `nil` |
| `ldap.url` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn[?[attribute][?[scope][?[filter]]]]` | `nil` |
| `ldap.server` | IP address or name of the LDAP server. | `nil` |
| `ldap.port` | Port number on the LDAP server to connect to | `nil` |
| `ldap.scheme` | Set to `ldaps` to use LDAPS. | `nil` |
| `ldap.tls` | Set to `1` to use TLS encryption | `nil` |
| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `nil` |
| `ldap.suffix` | String to append to the user name when forming the DN to bind | `nil` |
| `ldap.search_attr` | Attribute to match agains the user name in the search | `nil` |
| `ldap.search_filter` | The search filter to use when doing search+bind authentication | `nil` |
| `ldap.baseDN` | Root DN to begin the search for the user in | `nil` |
| `ldap.bindDN` | DN of user to bind to LDAP | `nil` |
| `ldap.bind_password` | Password for the user to bind to LDAP | `nil` |
| `replication.enabled` | Enable replication | `false` |
| `replication.user` | Replication user | `repl_user` |
| `replication.password` | Replication user password | `repl_password` |
| `replication.slaveReplicas` | Number of slaves replicas | `1` |
| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` |
| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.slaveReplicas`. | `0` |
| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` |
| `existingSecret` | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-postgres-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be sed to authenticate on LDAP. The value is evaluated as a template. | `nil` |
| `postgresqlPostgresPassword` | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`, in which case`postgres` is the admin username). | _random 10 character alphanumeric string_ |
| `postgresqlUsername` | PostgreSQL user (creates a non-admin user when `postgresqlUsername` is not `postgres`) | `postgres` |
| `postgresqlPassword` | PostgreSQL user password | _random 10 character alphanumeric string_ |
| `postgresqlDatabase` | PostgreSQL database | `nil` |
| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql` (same value as persistence.mountPath) |
| `extraEnv` | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `[]` |
| `extraEnvVarsCM` | Name of a Config Map containing extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `nil` |
| `postgresqlInitdbArgs` | PostgreSQL initdb extra arguments | `nil` |
| `postgresqlInitdbWalDir` | PostgreSQL location for transaction log | `nil` |
| `postgresqlConfiguration` | Runtime Config Parameters | `nil` |
| `postgresqlExtendedConf` | Extended Runtime Config Parameters (appended to main or default configuration) | `nil` |
| `pgHbaConfiguration` | Content of pg_hba.conf | `nil (do not create pg_hba.conf)` |
| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` |
| `postgresqlMaxConnections` | Maximum total connections | `nil` |
| `postgresqlPostgresConnectionLimit` | Maximum total connections for the postgres user | `nil` |
| `postgresqlDbUserConnectionLimit` | Maximum total connections for the non-admin user | `nil` |
| `postgresqlTcpKeepalivesInterval` | TCP keepalives interval | `nil` |
| `postgresqlTcpKeepalivesIdle` | TCP keepalives idle | `nil` |
| `postgresqlTcpKeepalivesCount` | TCP keepalives count | `nil` |
| `postgresqlStatementTimeout` | Statement timeout | `nil` |
| `postgresqlPghbaRemoveFilters` | Comma-separated list of patterns to remove from the pg_hba.conf file | `nil` |
| `customLivenessProbe` | Override default liveness probe | `nil` |
| `customReadinessProbe` | Override default readiness probe | `nil` |
| `audit.logHostname` | Add client hostnames to the log file | `false` |
| `audit.logConnections` | Add client log-in operations to the log file | `false` |
| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` |
| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `nil` |
| `audit.clientMinMessages` | Message log level to share with the user | `nil` |
| `audit.logLinePrefix` | Template string for the log line prefix | `nil` |
| `audit.logTimezone` | Timezone for the log timestamps | `nil` |
| `configurationConfigMap` | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template. | `nil` |
| `extendedConfConfigMap` | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template. | `nil` |
| `initdbScripts` | Dictionary of initdb scripts | `nil` |
| `initdbUser` | PostgreSQL user to execute the .sql and sql.gz scripts | `nil` |
| `initdbPassword` | Password for the user specified in `initdbUser` | `nil` |
| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` |
| `initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil` |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.port` | PostgreSQL port | `5432` |
| `service.nodePort` | Kubernetes Service nodePort | `nil` |
| `service.annotations` | Annotations for PostgreSQL service | `{}` (evaluated as a template) |
| `service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` |
| `service.loadBalancerSourceRanges` | Address that are allowed when svc is LoadBalancer | `[]` (evaluated as a template) |
| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` |
| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for master and slave(s) Pod(s) | `true` |
| `shmVolume.chmod.enabled` | Run at init chmod 777 of the /dev/shm (ignored if `volumePermissions.enabled` is `false`) | `true` |
| `persistence.enabled` | Enable persistence using PVC | `true` |
| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. | `nil` |
| `persistence.mountPath` | Path to mount the volume at | `/bitnami/postgresql` |
| `persistence.subPath` | Subdirectory of the volume to mount at | `""` |
| `persistence.storageClass` | PVC Storage Class for PostgreSQL volume | `nil` |
| `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `[ReadWriteOnce]` |
| `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
| `persistence.annotations` | Annotations for the PVC | `{}` |
| `commonAnnotations` | Annotations to be added to all deployed resources (rendered as a template) | `{}` |
| `master.nodeSelector` | Node labels for pod assignment (postgresql master) | `{}` |
| `master.affinity` | Affinity labels for pod assignment (postgresql master) | `{}` |
| `master.tolerations` | Toleration labels for pod assignment (postgresql master) | `[]` |
| `master.anotations` | Map of annotations to add to the statefulset (postgresql master) | `{}` |
| `master.labels` | Map of labels to add to the statefulset (postgresql master) | `{}` |
| `master.podAnnotations` | Map of annotations to add to the pods (postgresql master) | `{}` |
| `master.podLabels` | Map of labels to add to the pods (postgresql master) | `{}` |
| `master.priorityClassName` | Priority Class to use for each pod (postgresql master) | `nil` |
| `master.extraInitContainers` | Additional init containers to add to the pods (postgresql master) | `[]` |
| `master.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql master) | `[]` |
| `master.extraVolumes` | Additional volumes to add to the pods (postgresql master) | `[]` |
| `master.sidecars` | Add additional containers to the pod | `[]` |
| `master.service.type` | Allows using a different service type for Master | `nil` |
| `master.service.nodePort` | Allows using a different nodePort for Master | `nil` |
| `master.service.clusterIP` | Allows using a different clusterIP for Master | `nil` |
| `masterAsStandBy.enabled` | Whether to enable current cluster's Master as standby server of another cluster or not. | `false` |
| `masterAsStandBy.masterHost` | The Host of replication Master in the other cluster. | `nil` |
| `masterAsStandBy.masterPort ` | The Port of replication Master in the other cluster. | `nil` |
| `slave.nodeSelector` | Node labels for pod assignment (postgresql slave) | `{}` |
| `slave.affinity` | Affinity labels for pod assignment (postgresql slave) | `{}` |
| `slave.tolerations` | Toleration labels for pod assignment (postgresql slave) | `[]` |
| `slave.anotations` | Map of annotations to add to the statefulsets (postgresql slave) | `{}` |
| `slave.resources` | CPU/Memory resource requests/limits override for slaves. Will fallback to `values.resources` if not defined. | `{}` |
| `slave.labels` | Map of labels to add to the statefulsets (postgresql slave) | `{}` |
| `slave.podAnnotations` | Map of annotations to add to the pods (postgresql slave) | `{}` |
| `slave.podLabels` | Map of labels to add to the pods (postgresql slave) | `{}` |
| `slave.priorityClassName` | Priority Class to use for each pod (postgresql slave) | `nil` |
| `slave.extraInitContainers` | Additional init containers to add to the pods (postgresql slave) | `[]` |
| `slave.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql slave) | `[]` |
| `slave.extraVolumes` | Additional volumes to add to the pods (postgresql slave) | `[]` |
| `slave.sidecars` | Add additional containers to the pod | `[]` |
| `slave.service.type` | Allows using a different service type for Slave | `nil` |
| `slave.service.nodePort` | Allows using a different nodePort for Slave | `nil` |
| `slave.service.clusterIP` | Allows using a different clusterIP for Slave | `nil` |
| `slave.persistence.enabled` | Whether to enable slave replicas persistence | `true` |
| `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `nil` |
| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` |
| `securityContext.*` | Other pod security context to be included as-is in the pod spec | `{}` |
| `securityContext.enabled` | Enable security context | `true` |
| `securityContext.fsGroup` | Group ID for the pod | `1001` |
| `containerSecurityContext.*` | Other container security context to be included as-is in the container spec | `{}` |
| `containerSecurityContext.enabled` | Enable container security context | `true` |
| `containerSecurityContext.runAsUser` | User ID for the container | `1001` |
| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` |
| `serviceAccount.name` | Name of existing service account | `nil` |
| `livenessProbe.enabled` | Would you like a livenessProbe to be enabled | `true` |
| `networkPolicy.enabled` | Enable NetworkPolicy | `false` |
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed | `{}` |
| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 |
| `livenessProbe.periodSeconds` | How often to perform the probe | 10 |
| `livenessProbe.timeoutSeconds` | When the probe times out | 5 |
| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 |
| `readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` |
| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 5 |
| `readinessProbe.periodSeconds` | How often to perform the probe | 10 |
| `readinessProbe.timeoutSeconds` | When the probe times out | 5 |
| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 |
| `tls.enabled` | Enable TLS traffic support | `false` |
| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` |
| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `nil` |
| `tls.certFilename` | Certificate filename | `""` |
| `tls.certKeyFilename` | Certificate key filename | `""` |
| `tls.certCAFilename` | CA Certificate filename. If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate. | `nil` |
| `tls.crlFilename` | File containing a Certificate Revocation List | `nil` |
| `metrics.enabled` | Start a prometheus exporter | `false` |
| `metrics.service.type` | Kubernetes Service type | `ClusterIP` |
| `service.clusterIP` | Static clusterIP or None for headless services | `nil` |
| `metrics.service.annotations` | Additional annotations for metrics exporter pod | `{ prometheus.io/scrape: "true", prometheus.io/port: "9187"}` |
| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` |
| `metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` |
| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` |
| `metrics.serviceMonitor.namespace` | Optional namespace in which to create ServiceMonitor | `nil` |
| `metrics.serviceMonitor.interval` | Scrape interval. If not set, the Prometheus default scrape interval is used | `nil` |
| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout. If not set, the Prometheus default scrape timeout is used | `nil` |
| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` |
| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` |
| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | the same namespace as postgresql |
| `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. | `[]` |
| `metrics.image.registry` | PostgreSQL Exporter Image registry | `docker.io` |
| `metrics.image.repository` | PostgreSQL Exporter Image name | `bitnami/postgres-exporter` |
| `metrics.image.tag` | PostgreSQL Exporter Image tag | `{TAG_NAME}` |
| `metrics.image.pullPolicy` | PostgreSQL Exporter Image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) |
| `metrics.customMetrics` | Additional custom metrics | `nil` |
| `metrics.extraEnvVars` | Extra environment variables to add to exporter | `{}` (evaluated as a template) |
| `metrics.securityContext.*` | Other container security context to be included as-is in the container spec | `{}` |
| `metrics.securityContext.enabled` | Enable security context for metrics | `false` |
| `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` |
| `metrics.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 |
| `metrics.livenessProbe.periodSeconds` | How often to perform the probe | 10 |
| `metrics.livenessProbe.timeoutSeconds` | When the probe times out | 5 |
| `metrics.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
| `metrics.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 |
| `metrics.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` |
| `metrics.readinessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 5 |
| `metrics.readinessProbe.periodSeconds` | How often to perform the probe | 10 |
| `metrics.readinessProbe.timeoutSeconds` | When the probe times out | 5 |
| `metrics.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
| `metrics.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 |
| `updateStrategy` | Update strategy policy | `{type: "RollingUpdate"}` |
| `psp.create` | Create Pod Security Policy | `false` |
| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` |
| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). | `nil` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
$ helm install my-release \
--set postgresqlPassword=secretpassword,postgresqlDatabase=my-database \
bitnami/postgresql
```
The above command sets the PostgreSQL `postgres` account password to `secretpassword`. Additionally it creates a database named `my-database`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```console
$ helm install my-release -f values.yaml bitnami/postgresql
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Production configuration and horizontal scaling
This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one.
- Enable replication:
```diff
- replication.enabled: false
+ replication.enabled: true
```
- Number of slaves replicas:
```diff
- replication.slaveReplicas: 1
+ replication.slaveReplicas: 2
```
- Set synchronous commit mode:
```diff
- replication.synchronousCommit: "off"
+ replication.synchronousCommit: "on"
```
- Number of replicas that will have synchronous replication:
```diff
- replication.numSynchronousReplicas: 0
+ replication.numSynchronousReplicas: 1
```
- Start a prometheus exporter:
```diff
- metrics.enabled: false
+ metrics.enabled: true
```
To horizontally scale this chart, you can use the `--replicas` flag to modify the number of nodes in your PostgreSQL deployment. Also you can use the `values-production.yaml` file or modify the parameters shown above.
### Customizing Master and Slave services in a replicated configuration
At the top level, there is a service object which defines the services for both master and slave. For deeper customization, there are service objects for both the master and slave types individually. This allows you to override the values in the top level service object so that the master and slave can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the master and slave to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the master.service or slave.service objects will take precedence over the top level service object.
### Change PostgreSQL version
To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters.
### postgresql.conf / pg_hba.conf files as configMap
This helm chart also supports to customize the whole configuration file.
Add your custom file to "files/postgresql.conf" in your working directory. This file will be mounted as configMap to the containers and it will be used for configuring the PostgreSQL server.
Alternatively, you can specify PostgreSQL configuration parameters using the `postgresqlConfiguration` parameter as a dict, using camelCase, e.g. {"sharedBuffers": "500MB"}.
In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `configurationConfigMap` parameter. Note that this will override the two previous options.
### Allow settings to be loaded from files other than the default `postgresql.conf`
If you don't want to provide the whole PostgreSQL configuration file and only specify certain parameters, you can add your extended `.conf` files to "files/conf.d/" in your working directory.
Those files will be mounted as configMap to the containers adding/overwriting the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`.
Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option.
### Initialize a fresh instance
The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap.
Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict.
In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter.
The allowed extensions are `.sh`, `.sql` and `.sql.gz`.
### Securing traffic using TLS
TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart:
- `tls.enabled`: Enable TLS support. Defaults to `false`
- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults.
- `tls.certFilename`: Certificate filename. No defaults.
- `tls.certKeyFilename`: Certificate key filename. No defaults.
For example:
* First, create the secret with the cetificates files:
```console
kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt
```
* Then, use the following parameters:
```console
volumePermissions.enabled=true
tls.enabled=true
tls.certificatesSecret="certificates-tls-secret"
tls.certFilename="cert.crt"
tls.certKeyFilename="cert.key"
```
> Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected.
### Sidecars
If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
```yaml
# For the PostgreSQL master
master:
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
# For the PostgreSQL replicas
slave:
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
### Metrics
The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml).
The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details.
### Use of global variables
In more complex scenarios, we may have the following tree of dependencies
```
+--------------+
| |
+------------+ Chart 1 +-----------+
| | | |
| --------+------+ |
| | |
| | |
| | |
| | |
v v v
+-------+------+ +--------+------+ +--------+------+
| | | | | |
| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 |
| | | | | |
+--------------+ +---------------+ +---------------+
```
The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters:
```
postgresql.postgresqlPassword=testtest
subchart1.postgresql.postgresqlPassword=testtest
subchart2.postgresql.postgresqlPassword=testtest
postgresql.postgresqlDatabase=db1
subchart1.postgresql.postgresqlDatabase=db1
subchart2.postgresql.postgresqlDatabase=db1
```
If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows:
```
global.postgresql.postgresqlPassword=testtest
global.postgresql.postgresqlDatabase=db1
```
This way, the credentials will be available in all of the subcharts.
## Persistence
The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container.
Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished.
## NetworkPolicy
To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`.
For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace:
```console
$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
```
With NetworkPolicy enabled, traffic will be limited to just port 5432.
For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL.
This label will be displayed in the output of a successful install.
## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image
- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image.
- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift.
- For OpenShift, one may either define the runAsUser and fsGroup accordingly, or try this more dynamic option: volumePermissions.securityContext.runAsUser="auto",securityContext.enabled=false,containerSecurityContext.enabled=false,shmVolume.chmod.enabled=false
### Deploy chart using Docker Official PostgreSQL Image
From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image.
Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory.
```
image.repository=postgres
image.tag=10.6
postgresqlDataDir=/data/pgdata
persistence.mountPath=/data/
```
## Upgrade
It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart:
```bash
$ helm upgrade my-release stable/postgresql \
--set postgresqlPassword=[POSTGRESQL_PASSWORD] \
--set replication.password=[REPLICATION_PASSWORD]
```
> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes.
## 9.0.0
In this version the chart was adapted to follow the Helm label best practices, see [PR 3021](https://github.com/bitnami/charts/pull/3021). That means the backward compatibility is not guarantee when upgrading the chart to this major version.
As a workaround, you can delete the existing statefulset (using the `--cascade=false` flag pods are not deleted) before upgrade the chart. For example, this can be a valid workflow:
- Deploy an old version (8.X.X)
```console
$ helm install postgresql bitnami/postgresql --version 8.10.14
```
- Old version is up and running
```console
$ helm ls
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
postgresql default 1 2020-08-04 13:39:54.783480286 +0000 UTC deployed postgresql-8.10.14 11.8.0
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
postgresql-postgresql-0 1/1 Running 0 76s
```
- The upgrade to the latest one (9.X.X) is going to fail
```console
$ helm upgrade postgresql bitnami/postgresql
Error: UPGRADE FAILED: cannot patch "postgresql-postgresql" with kind StatefulSet: StatefulSet.apps "postgresql-postgresql" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden
```
- Delete the statefulset
```console
$ kubectl delete statefulsets.apps --cascade=false postgresql-postgresql
statefulset.apps "postgresql-postgresql" deleted
```
- Now the upgrade works
```cosnole
$ helm upgrade postgresql bitnami/postgresql
$ helm ls
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
postgresql default 3 2020-08-04 13:42:08.020385884 +0000 UTC deployed postgresql-9.1.2 11.8.0
```
- We can kill the existing pod and the new statefulset is going to create a new one:
```console
$ kubectl delete pod postgresql-postgresql-0
pod "postgresql-postgresql-0" deleted
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
postgresql-postgresql-0 1/1 Running 0 19s
```
Please, note that without the `--cascade=false` both objects (statefulset and pod) are going to be removed and both objects will be deployed again with the `helm upgrade` command
## 8.0.0
Prefixes the port names with their protocols to comply with Istio conventions.
If you depend on the port names in your setup, make sure to update them to reflect this change.
## 7.1.0
Adds support for LDAP configuration.
## 7.0.0
Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec.
In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage.
This major version bump signifies this change.
## 6.5.7
In this version, the chart will use PostgreSQL with the Postgis extension included. The version used with Postgresql version 10, 11 and 12 is Postgis 2.5. It has been compiled with the following dependencies:
- protobuf
- protobuf-c
- json-c
- geos
- proj
## 5.0.0
In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/).
For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs:
```console
Welcome to the Bitnami postgresql container
Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql
Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues
Send us your feedback at containers@bitnami.com
INFO ==> ** Starting PostgreSQL setup **
NFO ==> Validating settings in POSTGRESQL_* env vars..
INFO ==> Initializing PostgreSQL database...
INFO ==> postgresql.conf file not detected. Generating it...
INFO ==> pg_hba.conf file not detected. Generating it...
INFO ==> Deploying PostgreSQL with persisted data...
INFO ==> Configuring replication parameters
INFO ==> Loading custom scripts...
INFO ==> Enabling remote connections
INFO ==> Stopping PostgreSQL...
INFO ==> ** PostgreSQL setup finished! **
INFO ==> ** Starting PostgreSQL **
[1] FATAL: database files are incompatible with server
[1] DETAIL: The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3.
```
In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one.
### 4.0.0
This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately.
IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error
```
The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development
```
### 3.0.0
This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods.
It also fixes an issue with `postgresql.master.fullname` helper template not obeying fullnameOverride.
#### Breaking changes
- `affinty` has been renamed to `master.affinity` and `slave.affinity`.
- `tolerations` has been renamed to `master.tolerations` and `slave.tolerations`.
- `nodeSelector` has been renamed to `master.nodeSelector` and `slave.nodeSelector`.
### 2.0.0
In order to upgrade from the `0.X.X` branch to `1.X.X`, you should follow the below steps:
- Obtain the service name (`SERVICE_NAME`) and password (`OLD_PASSWORD`) of the existing postgresql chart. You can find the instructions to obtain the password in the NOTES.txt, the service name can be obtained by running
```console
$ kubectl get svc
```
- Install (not upgrade) the new version
```console
$ helm repo update
$ helm install my-release bitnami/postgresql
```
- Connect to the new pod (you can obtain the name by running `kubectl get pods`):
```console
$ kubectl exec -it NAME bash
```
- Once logged in, create a dump file from the previous database using `pg_dump`, for that we should connect to the previous postgresql chart:
```console
$ pg_dump -h SERVICE_NAME -U postgres DATABASE_NAME > /tmp/backup.sql
```
After run above command you should be prompted for a password, this password is the previous chart password (`OLD_PASSWORD`).
This operation could take some time depending on the database size.
- Once you have the backup file, you can restore it with a command like the one below:
```console
$ psql -U postgres DATABASE_NAME < /tmp/backup.sql
```
In this case, you are accessing to the local postgresql, so the password should be the new one (you can find it in NOTES.txt).
If you want to restore the database and the database schema does not exist, it is necessary to first follow the steps described below.
```console
$ psql -U postgres
postgres=# drop database DATABASE_NAME;
postgres=# create database DATABASE_NAME;
postgres=# create user USER_NAME;
postgres=# alter role USER_NAME with password 'BITNAMI_USER_PASSWORD';
postgres=# grant all privileges on database DATABASE_NAME to USER_NAME;
postgres=# alter database DATABASE_NAME owner to USER_NAME;
```

22
scripts/helm/helm/databases/charts/postgresql/charts/common/.helmignore Executable file
View file

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

22
scripts/helm/helm/databases/charts/postgresql/charts/common/Chart.yaml Executable file
View file

@ -0,0 +1,22 @@
annotations:
category: Infrastructure
apiVersion: v1
appVersion: 0.8.1
description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself.
home: https://github.com/bitnami/charts/tree/master/bitnami/common
icon: https://bitnami.com/downloads/logos/bitnami-mark.png
keywords:
- common
- helper
- template
- function
- bitnami
maintainers:
- email: containers@bitnami.com
name: Bitnami
name: common
sources:
- https://github.com/bitnami/charts
- http://www.bitnami.com/
version: 0.8.1

286
scripts/helm/helm/databases/charts/postgresql/charts/common/README.md Executable file
View file

@ -0,0 +1,286 @@
# Bitnami Common Library Chart
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts.
## TL;DR
```yaml
dependencies:
- name: common
version: 0.x.x
repository: https://charts.bitnami.com/bitnami
```
```bash
$ helm dependency update
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "common.names.fullname" . }}
data:
myvalue: "Hello World"
```
## Introduction
This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
## Prerequisites
- Kubernetes 1.12+
- Helm 2.12+ or Helm 3.0-beta3+
## Parameters
The following table lists the helpers available in the library which are scoped in different sections.
### Affinities
| Helper identifier | Description | Expected Input |
|-------------------------------------|-----------------------------------------------------------------|------------------------------------------------------------------|
| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
### Capabilities
| Helper identifier | Description | Expected Input |
|------------------------------------------------|-----------------------------------------------------------------|----------------------------|
| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context |
| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context |
| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context |
### Errors
| Helper identifier | Description | Expected Input |
|------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|
| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` |
### Images
| Helper identifier | Description | Expected Input |
|--------------------------------|-----------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|
| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. |
| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` |
### Labels
| Helper identifier | Description | Expected Input |
|--------------------------------|-----------------------------------------------------------------|-----------------------------|
| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context |
| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context |
### Names
| Helper identifier | Description | Expected Input |
|--------------------------------|-----------------------------------------------------------------|-----------------------------|
| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context |
| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context |
| `common.names.chart` | Chart name plus version | `.` Chart context |
### Secrets
| Helper identifier | Description | Expected Input |
|--------------------------------|-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. |
### Storage
| Helper identifier | Description | Expected Input |
|--------------------------------|-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. |
### TplValues
| Helper identifier | Description | Expected Input |
|--------------------------------|-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frecuently is the chart context `$` or `.` |
### Utils
| Helper identifier | Description | Expected Input |
|--------------------------------|-----------------------------------------------------------------|------------------------------------------------------------------------|
| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` |
| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` |
| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` |
### Validations
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "context" $` secret and field are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) |
| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) |
| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. |
| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. |
### Warnings
| Helper identifier | Description | Expected Input |
|--------------------------------|-----------------------------------------------------------------|------------------------------------------------------------------|
| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
## Special input schemas
### ImageRoot
```yaml
registry:
type: string
description: Docker registry where the image is located
example: docker.io
repository:
type: string
description: Repository and image name
example: bitnami/nginx
tag:
type: string
description: image tag
example: 1.16.1-debian-10-r63
pullPolicy:
type: string
description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
pullSecrets:
type: array
items:
type: string
description: Optionally specify an array of imagePullSecrets.
debug:
type: boolean
description: Set to true if you would like to see extra information on logs
example: false
## An instance would be:
# registry: docker.io
# repository: bitnami/nginx
# tag: 1.16.1-debian-10-r63
# pullPolicy: IfNotPresent
# debug: false
```
### Persistence
```yaml
enabled:
type: boolean
description: Whether enable persistence.
example: true
storageClass:
type: string
description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
example: "-"
accessMode:
type: string
description: Access mode for the Persistent Volume Storage.
example: ReadWriteOnce
size:
type: string
description: Size the Persistent Volume Storage.
example: 8Gi
path:
type: string
description: Path to be persisted.
example: /bitnami
## An instance would be:
# enabled: true
# storageClass: "-"
# accessMode: ReadWriteOnce
# size: 8Gi
# path: /bitnami
```
### ExistingSecret
```yaml
name:
type: string
description: Name of the existing secret.
example: mySecret
keyMapping:
description: Mapping between the expected key name and the name of the key in the existing secret.
type: object
## An instance would be:
# name: mySecret
# keyMapping:
# password: myPasswordKey
```
#### Example of use
When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets.
```yaml
# templates/secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}
labels:
app: {{ include "common.names.fullname" . }}
type: Opaque
data:
password: {{ .Values.password | b64enc | quote }}
# templates/dpl.yaml
---
...
env:
- name: PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
...
# values.yaml
---
name: mySecret
keyMapping:
password: myPasswordKey
```
### ValidateValue
#### NOTES.txt
```console
{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}}
{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}}
{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
```
If we force those values to be empty we will see some alerts
```console
$ helm install test mychart --set path.to.value00="",path.to.value01=""
'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:
export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode)
'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value:
export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode)
```
## Notable changes
N/A

94
scripts/helm/helm/databases/charts/postgresql/charts/common/templates/_affinities.tpl Executable file
View file

@ -0,0 +1,94 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return a soft nodeAffinity definition
{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes.soft" -}}
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
key: {{ .key }}
operator: In
values:
{{- range .values }}
- {{ . }}
{{- end }}
weight: 1
{{- end -}}
{{/*
Return a hard nodeAffinity definition
{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes.hard" -}}
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
key: {{ .key }}
operator: In
values:
{{- range .values }}
- {{ . }}
{{- end }}
{{- end -}}
{{/*
Return a nodeAffinity definition
{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes" -}}
{{- if eq .type "soft" }}
{{- include "common.affinities.nodes.soft" . -}}
{{- else if eq .type "hard" }}
{{- include "common.affinities.nodes.hard" . -}}
{{- end -}}
{{- end -}}
{{/*
Return a soft podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.soft" (dict "component" "FOO" "context" $) -}}
*/}}
{{- define "common.affinities.pods.soft" -}}
{{- $component := default "" .component -}}
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
namespaces:
- {{ .context.Release.Namespace }}
topologyKey: kubernetes.io/hostname
weight: 1
{{- end -}}
{{/*
Return a hard podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.hard" (dict "component" "FOO" "context" $) -}}
*/}}
{{- define "common.affinities.pods.hard" -}}
{{- $component := default "" .component -}}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
namespaces:
- {{ .context.Release.Namespace }}
topologyKey: kubernetes.io/hostname
{{- end -}}
{{/*
Return a podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.pods" -}}
{{- if eq .type "soft" }}
{{- include "common.affinities.pods.soft" . -}}
{{- else if eq .type "hard" }}
{{- include "common.affinities.pods.hard" . -}}
{{- end -}}
{{- end -}}

33
scripts/helm/helm/databases/charts/postgresql/charts/common/templates/_capabilities.tpl Executable file
View file

@ -0,0 +1,33 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "common.capabilities.deployment.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "common.capabilities.statefulset.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "apps/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "common.capabilities.ingress.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- end -}}
{{- end -}}

20
scripts/helm/helm/databases/charts/postgresql/charts/common/templates/_errors.tpl Executable file
View file

@ -0,0 +1,20 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Through error when upgrading using empty passwords values that must not be empty.
Usage:
{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
Required password params:
- validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
- context - Context - Required. Parent context.
*/}}
{{- define "common.errors.upgrade.passwords.empty" -}}
{{- $validationErrors := join "" .validationErrors -}}
{{- if and $validationErrors .context.Release.IsUpgrade -}}
{{- $errorString := "\nPASSWORDS ERROR: you must provide your current passwords when upgrade the release%s" -}}
{{- printf $errorString $validationErrors | fail -}}
{{- end -}}
{{- end -}}

43
scripts/helm/helm/databases/charts/postgresql/charts/common/templates/_images.tpl Executable file
View file

@ -0,0 +1,43 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper image name
{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }}
*/}}
{{- define "common.images.image" -}}
{{- $registryName := .imageRoot.registry -}}
{{- $repositoryName := .imageRoot.repository -}}
{{- $tag := .imageRoot.tag | toString -}}
{{- if .global }}
{{- if .global.imageRegistry }}
{{- $registryName = .global.imageRegistry -}}
{{- end -}}
{{- end -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
*/}}
{{- define "common.images.pullSecrets" -}}
{{- $pullSecrets := list }}
{{- if .global }}
{{- range .global.imagePullSecrets -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end -}}
{{- range .images -}}
{{- range .pullSecrets -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end -}}
{{- if (not (empty $pullSecrets)) }}
imagePullSecrets:
{{- range $pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end -}}

18
scripts/helm/helm/databases/charts/postgresql/charts/common/templates/_labels.tpl Executable file
View file

@ -0,0 +1,18 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Kubernetes standard labels
*/}}
{{- define "common.labels.standard" -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
helm.sh/chart: {{ include "common.names.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
*/}}
{{- define "common.labels.matchLabels" -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}

32
scripts/helm/helm/databases/charts/postgresql/charts/common/templates/_names.tpl Executable file
View file

@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "common.names.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "common.names.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "common.names.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

49
scripts/helm/helm/databases/charts/postgresql/charts/common/templates/_secrets.tpl Executable file
View file

@ -0,0 +1,49 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Generate secret name.
Usage:
{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
Params:
- existingSecret - ExistingSecret - Optional. The path to the existing secrets in the values.yaml given by the user
to be used istead of the default one. +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
- defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.secrets.name" -}}
{{- $name := (include "common.names.fullname" .context) -}}
{{- if .defaultNameSuffix -}}
{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- with .existingSecret -}}
{{- $name = .name -}}
{{- end -}}
{{- printf "%s" $name -}}
{{- end -}}
{{/*
Generate secret key.
Usage:
{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
Params:
- existingSecret - ExistingSecret - Optional. The path to the existing secrets in the values.yaml given by the user
to be used istead of the default one. +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
- key - String - Required. Name of the key in the secret.
*/}}
{{- define "common.secrets.key" -}}
{{- $key := .key -}}
{{- if .existingSecret -}}
{{- if .existingSecret.keyMapping -}}
{{- $key = index .existingSecret.keyMapping $.key -}}
{{- end -}}
{{- end -}}
{{- printf "%s" $key -}}
{{- end -}}

23
scripts/helm/helm/databases/charts/postgresql/charts/common/templates/_storage.tpl Executable file
View file

@ -0,0 +1,23 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper Storage Class
{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
*/}}
{{- define "common.storage.class" -}}
{{- $storageClass := .persistence.storageClass -}}
{{- if .global -}}
{{- if .global.storageClass -}}
{{- $storageClass = .global.storageClass -}}
{{- end -}}
{{- end -}}
{{- if $storageClass -}}
{{- if (eq "-" $storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" $storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}

13
scripts/helm/helm/databases/charts/postgresql/charts/common/templates/_tplvalues.tpl Executable file
View file

@ -0,0 +1,13 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Renders a value that contains template.
Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "common.tplvalues.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}

45
scripts/helm/helm/databases/charts/postgresql/charts/common/templates/_utils.tpl Executable file
View file

@ -0,0 +1,45 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Print instructions to get a secret value.
Usage:
{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }}
*/}}
{{- define "common.utils.secret.getvalue" -}}
{{- $varname := include "common.utils.fieldToEnvVar" . -}}
export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode)
{{- end -}}
{{/*
Build env var name given a field
Usage:
{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }}
*/}}
{{- define "common.utils.fieldToEnvVar" -}}
{{- $fieldNameSplit := splitList "-" .field -}}
{{- $upperCaseFieldNameSplit := list -}}
{{- range $fieldNameSplit -}}
{{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}}
{{- end -}}
{{ join "_" $upperCaseFieldNameSplit }}
{{- end -}}
{{/*
Gets a value from .Values given
Usage:
{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }}
*/}}
{{- define "common.utils.getValueFromKey" -}}
{{- $splitKey := splitList "." .key -}}
{{- $value := "" -}}
{{- $latestObj := $.context.Values -}}
{{- range $splitKey -}}
{{- if not $latestObj -}}
{{- printf "please review the entire path of '%s' exists in values" $.key | fail -}}
{{- end -}}
{{- $value = ( index $latestObj . ) -}}
{{- $latestObj = $value -}}
{{- end -}}
{{- printf "%v" (default "" $value) -}}
{{- end -}}

278
scripts/helm/helm/databases/charts/postgresql/charts/common/templates/_validations.tpl Executable file
View file

@ -0,0 +1,278 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate values must not be empty.
Usage:
{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
Validate value params:
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
*/}}
{{- define "common.validations.values.multiple.empty" -}}
{{- range .required -}}
{{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
{{- end -}}
{{- end -}}
{{/*
Validate a value must not be empty.
Usage:
{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "context" $) }}
Validate value params:
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
*/}}
{{- define "common.validations.values.single.empty" -}}
{{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }}
{{- if not $value -}}
{{- $varname := "my-value" -}}
{{- $getCurrentValue := "" -}}
{{- if and .secret .field -}}
{{- $varname = include "common.utils.fieldToEnvVar" . -}}
{{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}}
{{- end -}}
{{- printf "\n '%s' must not be empty, please add '--set %s=$%s' to the command.%s" .valueKey .valueKey $varname $getCurrentValue -}}
{{- end -}}
{{- end -}}
{{/*
Validate MariaDB required passwords are not empty.
Usage:
{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret"
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.mariadb.passwords" -}}
{{- $existingSecret := include "common.mariadb.values.existingSecret" . -}}
{{- $enabled := include "common.mariadb.values.enabled" . -}}
{{- $architecture := include "common.mariadb.values.architecture" . -}}
{{- $authPrefix := include "common.mariadb.values.key.auth" . -}}
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
{{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
{{- if and (not $existingSecret) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
{{- if not (empty $valueUsername) -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- end -}}
{{- if (eq $architecture "replication") -}}
{{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for existingSecret.
Usage:
{{ include "common.mariadb.values.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.mariadb.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for enabled mariadb.
Usage:
{{ include "common.mariadb.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.mariadb.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.mariadb.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for architecture
Usage:
{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.architecture" -}}
{{- if .subchart -}}
{{- .context.Values.mariadb.architecture -}}
{{- else -}}
{{- .context.Values.architecture -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for the key auth
Usage:
{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.key.auth" -}}
{{- if .subchart -}}
mariadb.auth
{{- else -}}
auth
{{- end -}}
{{- end -}}
{{/*
Validate PostgreSQL required passwords are not empty.
Usage:
{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where postgresql values are stored, e.g: "mysql-passwords-secret"
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.postgresql.passwords" -}}
{{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
{{- $enabled := include "common.postgresql.values.enabled" . -}}
{{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
{{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
{{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
{{- if and (not $existingSecret) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
{{- if (eq $enabledReplication "true") -}}
{{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to decide whether evaluate global values.
Usage:
{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
Params:
- key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
*/}}
{{- define "common.postgresql.values.use.global" -}}
{{- if .context.Values.global -}}
{{- if .context.Values.global.postgresql -}}
{{- index .context.Values.global.postgresql .key | quote -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for existingSecret.
Usage:
{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
*/}}
{{- define "common.postgresql.values.existingSecret" -}}
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
{{- if .subchart -}}
{{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
{{- else -}}
{{- default (.context.Values.existingSecret | quote) $globalValue -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for enabled postgresql.
Usage:
{{ include "common.postgresql.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.postgresql.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.postgresql.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for the key postgressPassword.
Usage:
{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.key.postgressPassword" -}}
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
{{- if not $globalValue -}}
{{- if .subchart -}}
postgresql.postgresqlPassword
{{- else -}}
postgresqlPassword
{{- end -}}
{{- else -}}
global.postgresql.postgresqlPassword
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for enabled.replication.
Usage:
{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.enabled.replication" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.postgresql.replication.enabled -}}
{{- else -}}
{{- printf "%v" .context.Values.replication.enabled -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for the key replication.password.
Usage:
{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.key.replicationPassword" -}}
{{- if .subchart -}}
postgresql.replication.password
{{- else -}}
replication.password
{{- end -}}
{{- end -}}

14
scripts/helm/helm/databases/charts/postgresql/charts/common/templates/_warnings.tpl Executable file
View file

@ -0,0 +1,14 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Warning about using rolling tag.
Usage:
{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
*/}}
{{- define "common.warnings.rollingTag" -}}
{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- end -}}

3
scripts/helm/helm/databases/charts/postgresql/charts/common/values.yaml Executable file
View file

@ -0,0 +1,3 @@
## bitnami/common
## It is required by CI/CD tools and processes.
exampleValue: common-chart

3
scripts/helm/helm/databases/charts/postgresql/ci/commonAnnotations.yaml Executable file
View file

@ -0,0 +1,3 @@
commonAnnotations:
helm.sh/hook: 'pre-install, pre-upgrade'
helm.sh/hook-weight: '-1'

1
scripts/helm/helm/databases/charts/postgresql/ci/default-values.yaml Executable file
View file

@ -0,0 +1 @@
# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.

2
scripts/helm/helm/databases/charts/postgresql/ci/shmvolume-disabled-values.yaml Executable file
View file

@ -0,0 +1,2 @@
shmVolume:
enabled: false

1
scripts/helm/helm/databases/charts/postgresql/files/README.md Executable file
View file

@ -0,0 +1 @@
Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map.

Some files were not shown because too many files have changed in this diff Show more