Diffstat (limited to 'kubernetes/common')
-rw-r--r--kubernetes/common/cassandra/values.yaml2
-rw-r--r--kubernetes/common/common/Chart.yaml2
-rw-r--r--kubernetes/common/common/templates/_ingress.tpl6
-rw-r--r--kubernetes/common/common/templates/_labels.tpl6
-rw-r--r--kubernetes/common/common/templates/_pod.tpl6
-rw-r--r--kubernetes/common/common/templates/_secret.tpl9
-rw-r--r--kubernetes/common/common/templates/_serviceMonitor.tpl6
-rw-r--r--kubernetes/common/common/templates/_strimzikafka.tpl2
-rw-r--r--kubernetes/common/mariadb-galera/Chart.yaml2
-rw-r--r--kubernetes/common/mariadb-galera/templates/statefulset.yaml48
-rw-r--r--kubernetes/common/mariadb-galera/values.yaml7
-rw-r--r--kubernetes/common/serviceAccount/Chart.yaml2
-rw-r--r--kubernetes/common/serviceAccount/templates/role.yaml93
-rw-r--r--kubernetes/common/serviceAccount/values.yaml117
14 files changed, 161 insertions, 147 deletions
diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml
index 842c268c8a..e69d30592e 100644
--- a/kubernetes/common/cassandra/values.yaml
+++ b/kubernetes/common/cassandra/values.yaml
@@ -29,7 +29,7 @@ global: # global defaults
enableServiceAccount: false
k8ssandraOperator:
- cassandraVersion: 4.1.3
+ cassandraVersion: 4.1.6
persistence:
#storageClassName: default
size: 10Gi
diff --git a/kubernetes/common/common/Chart.yaml b/kubernetes/common/common/Chart.yaml
index 6fa292639e..591f24f4ee 100644
--- a/kubernetes/common/common/Chart.yaml
+++ b/kubernetes/common/common/Chart.yaml
@@ -17,4 +17,4 @@
apiVersion: v2
description: Common templates for inclusion in other charts
name: common
-version: 13.2.6
+version: 13.2.10
diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl
index ca23c75896..4d762c72f5 100644
--- a/kubernetes/common/common/templates/_ingress.tpl
+++ b/kubernetes/common/common/templates/_ingress.tpl
@@ -744,11 +744,7 @@ metadata:
name: {{ include "common.fullname" $dot }}-ingress
annotations:
{{ include "ingress.config.annotations" $dot }}
- labels:
- app: {{ $dot.Chart.Name }}
- chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" $dot }}
- heritage: {{ $dot.Release.Service }}
+ labels: {{- include "common.labels" $dot | nindent 4 }}
spec:
rules:
{{ include "ingress.config.port" $dot | trim }}
diff --git a/kubernetes/common/common/templates/_labels.tpl b/kubernetes/common/common/templates/_labels.tpl
index a690acd141..df5cab932d 100644
--- a/kubernetes/common/common/templates/_labels.tpl
+++ b/kubernetes/common/common/templates/_labels.tpl
@@ -22,11 +22,13 @@ Common labels
The function takes several arguments (inside a dictionary):
- .dot : environment (.)
- .labels : labels to add (dict)
+ - .suffix : name suffix
*/}}
{{- define "common.labels" -}}
{{- $dot := default . .dot -}}
-app.kubernetes.io/name: {{ include "common.name" $dot }}
-app: {{ include "common.name" $dot }}
+{{- $suffix := .suffix -}}
+app.kubernetes.io/name: {{ include "common.name" (dict "dot" $dot "suffix" $suffix) }}
+app: {{ include "common.name" (dict "dot" $dot "suffix" $suffix) }}
{{- if $dot.Chart.AppVersion }}
version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}"
{{- else }}
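Review bot: The doc comment lists `.suffix` without saying it is optional, yet the callers added in this commit (`_ingress.tpl`, `_secret.tpl`, `_strimzikafka.tpl`) pass the bare context, so `$suffix` is empty there; the line should read something like `- .suffix : optional name suffix appended to the app labels`. `common.name` is now called with a dict instead of the context, and its definition is not part of this diff, so please confirm it accepts the `dot`/`suffix` form. Because the suffix changes the `app` and `app.kubernetes.io/name` values, a caller that starts passing one on an existing workload would change labels that selectors may depend on. The define continues past the end of this hunk.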
diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl
index 743e3db1df..6feb91bd0c 100644
--- a/kubernetes/common/common/templates/_pod.tpl
+++ b/kubernetes/common/common/templates/_pod.tpl
@@ -98,12 +98,12 @@ securityContext:
privileged: {{ hasKey .Values.containerSecurityContext "privileged" | ternary .Values.containerSecurityContext.privileged false }}
allowPrivilegeEscalation: {{ hasKey .Values.containerSecurityContext "allowPrivilegeEscalation" | ternary .Values.containerSecurityContext.allowPrivilegeEscalation false }}
runAsNonRoot: {{ hasKey .Values.containerSecurityContext "runAsNonRoot" | ternary .Values.containerSecurityContext.runAsNonRoot true }}
-{{- if .Values.containerSecurityContext.runAsUser }}
+{{- if hasKey .Values.containerSecurityContext "runAsUser" }}
runAsUser: {{ .Values.containerSecurityContext.runAsUser }}
{{- end }}
-{{- if .Values.containerSecurityContext.runAsGroup }}
+{{- if hasKey .Values.containerSecurityContext "runAsGroup" }}
runAsGroup: {{ .Values.containerSecurityContext.runAsGroup }}
-{{ end }}
+{{- end }}
{{- end }}
capabilities:
drop:
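Review bot: An explicit `runAsUser: 0` or `runAsGroup: 0` in `containerSecurityContext` is now rendered, because `hasKey` is true for a zero value where the old truthiness test skipped it. With the `runAsNonRoot` default of `true` two lines above, such a container fails to start instead of silently falling back to the image user, and a chart that also sets `runAsNonRoot: false` now really runs as UID 0, so this deserves a line in the template's doc comment. A key that is present but null would render an empty `runAsUser:`; a guard such as `{{- if and (hasKey .Values.containerSecurityContext "runAsUser") (not (kindIs "invalid" .Values.containerSecurityContext.runAsUser)) }}` avoids that. The enclosing define starts and ends outside this hunk.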
diff --git a/kubernetes/common/common/templates/_secret.tpl b/kubernetes/common/common/templates/_secret.tpl
index 9d284de500..9eb47d7093 100644
--- a/kubernetes/common/common/templates/_secret.tpl
+++ b/kubernetes/common/common/templates/_secret.tpl
@@ -19,7 +19,7 @@
Generates a secret header with given name and desired labels.
- The template takes two arguments:
+ The template takes three arguments:
- .global: environment (.)
- .name: name of the secret
- .annotations: annotations which should be used
@@ -29,17 +29,14 @@
*/}}
{{- define "common.secret._header" -}}
{{- $global := .global }}
+
{{- $name := .name }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $name }}
namespace: {{ include "common.namespace" $global }}
- labels:
- app: {{ include "common.name" $global }}
- chart: {{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" $global }}
- heritage: {{ $global.Release.Service }}
+ labels: {{- include "common.labels" $global | nindent 4 }}
{{- if .annotations }}
annotations: {{- include "common.tplValue" (dict "value" .annotations "context" $global) | nindent 4 }}
{{- end }}
diff --git a/kubernetes/common/common/templates/_serviceMonitor.tpl b/kubernetes/common/common/templates/_serviceMonitor.tpl
index 907d9c6a9c..5b80c18ac4 100644
--- a/kubernetes/common/common/templates/_serviceMonitor.tpl
+++ b/kubernetes/common/common/templates/_serviceMonitor.tpl
@@ -52,11 +52,7 @@
## ServiceMonitor selector labels
## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
##
- selector:
- app: '{{ include "common.name" . }}'
- chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
- release: '{{ include "common.release" . }}'
- heritage: '{{ .Release.Service }}'
+ selector: {{- include "common.matchLabels" . | nindent 4 }}
## RelabelConfigs to apply to samples before scraping
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
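Review bot: The labels under `selector:` must be the same ones the chart's Service objects carry, and nothing in this hunk shows that those Services are labelled from `common.matchLabels`; if they still use the older `app`/`release` set, Prometheus would stop discovering targets without any error. If this block is rendered directly as a ServiceMonitor `spec.selector`, the label map also needs to sit under `matchLabels:`, which neither the old nor the new form shows here, so please confirm where that wrapping happens. A short comment naming the template that labels the matching Service would make the coupling visible.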
diff --git a/kubernetes/common/common/templates/_strimzikafka.tpl b/kubernetes/common/common/templates/_strimzikafka.tpl
index a2e9c90a4f..a48b444cfc 100644
--- a/kubernetes/common/common/templates/_strimzikafka.tpl
+++ b/kubernetes/common/common/templates/_strimzikafka.tpl
@@ -56,6 +56,7 @@ kind: KafkaUser
metadata:
name: {{ include "common.name" . }}-ku
labels:
+ {{- include "common.labels" . | nindent 4 }}
strimzi.io/cluster: {{ include "common.release" . }}-strimzi
spec:
authentication:
@@ -118,6 +119,7 @@ metadata:
name: {{ ($topic.name) | lower }}-kt
{{- end }}
labels:
+ {{- include "common.labels" $ | nindent 4 }}
strimzi.io/cluster: {{ include "common.release" $ }}-strimzi
spec:
{{- if (hasKey $topic "partitions") }}
diff --git a/kubernetes/common/mariadb-galera/Chart.yaml b/kubernetes/common/mariadb-galera/Chart.yaml
index 41d11a646e..552f6cc67d 100644
--- a/kubernetes/common/mariadb-galera/Chart.yaml
+++ b/kubernetes/common/mariadb-galera/Chart.yaml
@@ -18,7 +18,7 @@
apiVersion: v2
description: Chart for MariaDB Galera cluster
name: mariadb-galera
-version: 13.2.2
+version: 13.2.3
keywords:
- mariadb
- mysql
diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
index 66ce8abc6e..3011d93e5a 100644
--- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml
+++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
@@ -39,50 +39,24 @@ spec:
initContainers:
# we shouldn't need this but for unknown reason, it's fsGroup is not
# applied
- - name: fix-permission
+ {{- if .Values.mariadbConfiguration }}
+ - name: copy-config
command:
- /bin/sh
args:
- -c
- |
- chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /data
- chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /bootstrap/
- chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /tmp/
- {{- if .Values.mariadbConfiguration }}
cp /config/my.cnf /actual/my.cnf
- chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /actual
- {{- end }}
image: {{ include "repositoryGenerator.image.busybox" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- - CAP_NET_RAW
- add:
- - CHOWN
- - SYS_CHROOT
- runAsGroup: {{ .Values.securityContext.group_id }}
- readOnlyRootFilesystem: false
- runAsUser: 0
- runAsNonRoot: false
- seccompProfile:
- type: RuntimeDefault
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
volumeMounts:
- - name: previous-boot
- mountPath: /bootstrap
- - name: mariadb-tmp-folder
- mountPath: /tmp
- - name: {{ include "common.fullname" . }}
- mountPath: /data
- {{- if .Values.mariadbConfiguration }}
- name: mariadb-galera-starting-config
mountPath: /config/my.cnf
subPath: my.cnf
- name: mariadb-galera-actual-config
mountPath: /actual
- {{- end }}
+ {{- end }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
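Review bot: The comment kept above the init container (`# we shouldn't need this but for unknown reason, it's fsGroup is not applied`) described the removed `fix-permission` step and is now misleading next to `copy-config`; replace it with something like `# copy the rendered my.cnf into a writable emptyDir`. With the root `chown` gone, ownership of `/data` and the bootstrap volume depends entirely on the pod-level `fsGroup`, which that same comment says was not being applied, so it is worth confirming on a fresh volume that the non-root MariaDB user can write there. The pod `securityContext` is outside this hunk.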
@@ -185,6 +159,8 @@ spec:
{{ include "common.containerSecurityContext" . | indent 10 | trim }}
resources: {{ include "common.resources" . | nindent 12 }}
volumeMounts:
+ - name: tmp
+ mountPath: /tmp
- name: previous-boot
mountPath: /opt/bitnami/mariadb/.bootstrap
- name: {{ include "common.fullname" . }}
@@ -258,13 +234,19 @@ spec:
tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
{{- end }}
volumes:
+ - name: tmp
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.tmpSizeLimit }}
- name: previous-boot
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.bootSizeLimit }}
- name: mariadb-tmp-folder
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.tmpMariaDBSizeLimit }}
{{- if .Values.mariadbConfiguration }}
- name: mariadb-galera-actual-config
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.configSizeLimit }}
- name: mariadb-galera-starting-config
configMap:
name: {{ printf "%s-configuration" (include "common.fullname" .) }}
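Review bot: Each `sizeLimit: {{ .Values.volumes.… }}` renders as an empty value when the key is missing or nulled by an override, and an empty `sizeLimit` means no limit at all, so the guard disappears silently. Making the value mandatory keeps the limit explicit, e.g. `sizeLimit: {{ required "volumes.tmpSizeLimit is required" .Values.volumes.tmpSizeLimit | quote }}`, and the same applies to the `previous-boot`, `mariadb-tmp-folder` and `mariadb-galera-actual-config` entries. `mariadb-tmp-folder` is still declared here although its init-container mount was removed in the first hunk; whether another container mounts it is not visible in this diff.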
diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml
index faab7af1b3..6684d6dcb3 100644
--- a/kubernetes/common/mariadb-galera/values.yaml
+++ b/kubernetes/common/mariadb-galera/values.yaml
@@ -609,6 +609,12 @@ resources:
memory: "3Gi"
unlimited: {}
+volumes:
+ bootSizeLimit: 50Mi
+ tmpSizeLimit: 200Mi
+ configSizeLimit: 50Mi
+ tmpMariaDBSizeLimit: 100Mi
+
## MariaDB Galera containers' liveness and readiness probes
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
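Review bot: The new `volumes:` block has no comments, unlike the `##`-documented sections around it; each key should say which emptyDir it bounds (`tmpSizeLimit` for `tmp` at `/tmp`, `bootSizeLimit` for `previous-boot`, `configSizeLimit` for `mariadb-galera-actual-config`, `tmpMariaDBSizeLimit` for `mariadb-tmp-folder`). It should also state that the kubelet evicts the pod when an emptyDir exceeds its `sizeLimit`, which for a Galera member means a node dropping out of the cluster. Operators whose workloads write heavily to these directories then know the values may need raising.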
@@ -689,6 +695,7 @@ metrics:
requests:
cpu: "0.5"
memory: "200Mi"
+
## MariaDB Galera metrics container's liveness and readiness probes
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml
index b691c40903..3e0e6c2eaa 100644
--- a/kubernetes/common/serviceAccount/Chart.yaml
+++ b/kubernetes/common/serviceAccount/Chart.yaml
@@ -18,7 +18,7 @@
apiVersion: v2
description: Template used to create the right Service Accounts / Role / RoleBinding
name: serviceAccount
-version: 13.0.1
+version: 13.0.2
dependencies:
- name: common
diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml
index d6d041f916..90708854ff 100644
--- a/kubernetes/common/serviceAccount/templates/role.yaml
+++ b/kubernetes/common/serviceAccount/templates/role.yaml
@@ -47,95 +47,14 @@ metadata:
namespace: {{ include "common.namespace" $dot }}
rules:
{{- if eq $role_type "read" }}
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- - batch
- - extensions
- resources:
- - endpoints
- - services
- - nodes
- - pods
- - deployments
- - deployments/status
- - jobs
- - jobs/status
- - statefulsets
- - replicasets
- - replicasets/status
- - daemonsets
- verbs:
- - get
- - watch
- - list
+{{- with $dot.Values.role.read }}
+ {{- toYaml . | nindent 2 }}
+{{- end }}
{{- else }}
{{- if eq $role_type "create" }}
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- - batch
- - extensions
- resources:
- - pods
- - deployments
- - deployments/status
- - jobs
- - jobs/status
- - statefulsets
- - replicasets
- - replicasets/status
- - daemonsets
- - secrets
- - services
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- resources:
- - statefulsets
- - configmaps
- verbs:
- - patch
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- resources:
- - deployments
- - secrets
- - services
- - pods
- verbs:
- - create
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- resources:
- - pods
- - persistentvolumeclaims
- - secrets
- - deployments
- - services
- verbs:
- - delete
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- resources:
- - pods/exec
- verbs:
- - create
- - get
-- apiGroups:
- - cert-manager.io
- resources:
- - certificates
- verbs:
- - create
- - delete
+{{- with $dot.Values.role.create }}
+ {{- toYaml . | nindent 2 }}
+{{- end }}
{{- else }}
# if you don't match read or create, then you're not allowed to use API
# except to see basic information about yourself
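Review bot: The RBAC rules for the `read` and `create` roles are now whatever `.Values.role.read` and `.Values.role.create` contain, so a parent chart or `--set` override can widen a role whose name still says `read`; Helm replaces list values wholesale, so an override also drops every default rule it does not repeat. If either key is empty the `with` block emits nothing and the Role renders with empty `rules:`, which fails closed but gives no hint why access is denied. A comment above each `with` block, e.g. `# rules come from values.yaml (role.read); an override replaces the whole list`, would make that explicit. The template continues outside this hunk.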
diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml
index 4c9f75f38d..5d20e45f58 100644
--- a/kubernetes/common/serviceAccount/values.yaml
+++ b/kubernetes/common/serviceAccount/values.yaml
@@ -22,8 +22,8 @@ global:
# if "createDefaultRoles=false"
roles:
- nothing
-# - read
-# - create
+ # - read
+ # - create
# Flag to enable the creation of default roles instead of using
# common roles-wrapper
@@ -43,3 +43,116 @@ new_roles_definitions: {}
# - "get"
# - "watch"
# - "list"
+
+role:
+ read:
+ - apiGroups:
+ - "" # "" indicates the core API group
+ resources:
+ - services
+ - pods
+ - endpoints
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - batch
+ resources:
+ - jobs/status
+ verbs:
+ - get
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ - replicasets
+ - deployments
+ - statefulsets
+ - daemonsets
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - apps
+ resources:
+ - replicasets/status
+ - deployments/status
+ - statefulsets/status
+ verbs:
+ - get
+ create:
+ - apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batchs
+ - extensions
+ resources:
+ - pods
+ - deployments
+ - deployments/status
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - replicasets/status
+ - daemonsets
+ - secrets
+ - services
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - statefulsets
+ - configmaps
+ verbs:
+ - patch
+ - apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - deployments
+ - secrets
+ - services
+ - pods
+ verbs:
+ - create
+ - apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods
+ - persistentvolumeclaims
+ - secrets
+ - deployments
+ - services
+ verbs:
+ - delete
+ - apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods/exec
+ verbs:
+ - create
+ - get
+ - apiGroups:
+ - cert-manager.io
+ resources:
+ - certificates
+ verbs:
+ - create
+ - delete
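Review bot: `- batchs` in the first `create` rule is a typo for the `batch` API group that the removed template used, so the `create` role no longer grants `get`/`watch`/`list` on `jobs` and `jobs/status`; it should read `- batch`. In the `read` role's `apps` rule `statefulsets` is listed twice, which is harmless but should be deduplicated. The `read` role was split per API group and narrowed, while `create` still pairs every resource with every listed group and keeps `secrets` read and delete plus `pods/exec`; if tightening was the goal of this change, the `create` rules deserve the same treatment.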