Diffstat (limited to 'kubernetes/common')
-rw-r--r-- | kubernetes/common/cassandra/values.yaml | 2 | ||||
-rw-r--r-- | kubernetes/common/common/Chart.yaml | 2 | ||||
-rw-r--r-- | kubernetes/common/common/templates/_ingress.tpl | 6 | ||||
-rw-r--r-- | kubernetes/common/common/templates/_labels.tpl | 6 | ||||
-rw-r--r-- | kubernetes/common/common/templates/_pod.tpl | 6 | ||||
-rw-r--r-- | kubernetes/common/common/templates/_secret.tpl | 9 | ||||
-rw-r--r-- | kubernetes/common/common/templates/_serviceMonitor.tpl | 6 | ||||
-rw-r--r-- | kubernetes/common/common/templates/_strimzikafka.tpl | 2 | ||||
-rw-r--r-- | kubernetes/common/mariadb-galera/Chart.yaml | 2 | ||||
-rw-r--r-- | kubernetes/common/mariadb-galera/templates/statefulset.yaml | 48 | ||||
-rw-r--r-- | kubernetes/common/mariadb-galera/values.yaml | 7 | ||||
-rw-r--r-- | kubernetes/common/serviceAccount/Chart.yaml | 2 | ||||
-rw-r--r-- | kubernetes/common/serviceAccount/templates/role.yaml | 93 | ||||
-rw-r--r-- | kubernetes/common/serviceAccount/values.yaml | 117 |
14 files changed, 161 insertions, 147 deletions
diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml
index 842c268c8a..e69d30592e 100644
--- a/kubernetes/common/cassandra/values.yaml
+++ b/kubernetes/common/cassandra/values.yaml
@@ -29,7 +29,7 @@ global: # global defaults enableServiceAccount: false k8ssandraOperator:
- cassandraVersion: 4.1.3
+ cassandraVersion: 4.1.6
 persistence: #storageClassName: default size: 10Gi
diff --git a/kubernetes/common/common/Chart.yaml b/kubernetes/common/common/Chart.yaml
index 6fa292639e..591f24f4ee 100644
--- a/kubernetes/common/common/Chart.yaml
+++ b/kubernetes/common/common/Chart.yaml
@@ -17,4 +17,4 @@ apiVersion: v2 description: Common templates for inclusion in other charts name: common
-version: 13.2.6
+version: 13.2.10
diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl
index ca23c75896..4d762c72f5 100644
--- a/kubernetes/common/common/templates/_ingress.tpl
+++ b/kubernetes/common/common/templates/_ingress.tpl
@@ -744,11 +744,7 @@ metadata: name: {{ include "common.fullname" $dot }}-ingress annotations: {{ include "ingress.config.annotations" $dot }}
- labels:
- app: {{ $dot.Chart.Name }}
- chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" $dot }}
- heritage: {{ $dot.Release.Service }}
+ labels: {{- include "common.labels" $dot | nindent 4 }}
 spec: rules: {{ include "ingress.config.port" $dot | trim }}
diff --git a/kubernetes/common/common/templates/_labels.tpl b/kubernetes/common/common/templates/_labels.tpl
index a690acd141..df5cab932d 100644
--- a/kubernetes/common/common/templates/_labels.tpl
+++ b/kubernetes/common/common/templates/_labels.tpl
@@ -22,11 +22,13 @@ Common labels The function takes several arguments (inside a dictionary): - .dot : environment (.) - .labels : labels to add (dict)
+ - .suffix : name suffix
 */}} {{- define "common.labels" -}} {{- $dot := default . .dot -}}
-app.kubernetes.io/name: {{ include "common.name" $dot }}
-app: {{ include "common.name" $dot }}
+{{- $suffix := .suffix -}}
+app.kubernetes.io/name: {{ include "common.name" (dict "dot" $dot "suffix" $suffix) }}
+app: {{ include "common.name" (dict "dot" $dot "suffix" $suffix) }}
 {{- if $dot.Chart.AppVersion }} version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}" {{- else }}
diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl
index 743e3db1df..6feb91bd0c 100644
--- a/kubernetes/common/common/templates/_pod.tpl
+++ b/kubernetes/common/common/templates/_pod.tpl
@@ -98,12 +98,12 @@ securityContext: privileged: {{ hasKey .Values.containerSecurityContext "privileged" | ternary .Values.containerSecurityContext.privileged false }} allowPrivilegeEscalation: {{ hasKey .Values.containerSecurityContext "allowPrivilegeEscalation" | ternary .Values.containerSecurityContext.allowPrivilegeEscalation false }} runAsNonRoot: {{ hasKey .Values.containerSecurityContext "runAsNonRoot" | ternary .Values.containerSecurityContext.runAsNonRoot true }}
-{{- if .Values.containerSecurityContext.runAsUser }}
+{{- if hasKey .Values.containerSecurityContext "runAsUser" }}
 runAsUser: {{ .Values.containerSecurityContext.runAsUser }} {{- end }}
-{{- if .Values.containerSecurityContext.runAsGroup }}
+{{- if hasKey .Values.containerSecurityContext "runAsGroup" }}
 runAsGroup: {{ .Values.containerSecurityContext.runAsGroup }}
-{{ end }}
+{{- end }}
 {{- end }} capabilities: drop:
diff --git a/kubernetes/common/common/templates/_secret.tpl b/kubernetes/common/common/templates/_secret.tpl
index 9d284de500..9eb47d7093 100644
--- a/kubernetes/common/common/templates/_secret.tpl
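Review bot: `{{- $suffix := .suffix -}}` resolves against whatever the caller passes as context, and every `common.labels` call added elsewhere in this commit (`_ingress.tpl`, `_secret.tpl`, `_strimzikafka.tpl`) passes the bare `$dot`/`.`, so `.suffix` is a lookup on the top-level render context and yields nil there; that only works if `common.name` treats a nil suffix as "no suffix", which is outside this diff and worth confirming. The updated doc block lists `.suffix` but does not say it is optional, nor that it changes `app.kubernetes.io/name` and `app`, the labels selectors are usually built from, so a caller passing a suffix to `common.labels` but not to `common.matchLabels` would get Pods no Service selects. Suggested doc line: `  - .suffix : optional name suffix, forwarded to common.name (also changes app/app.kubernetes.io/name; pass the same suffix to common.matchLabels)`. The define's body continues outside the hunk.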
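Review bot: Switching to `hasKey` means an explicit `runAsUser: 0` or `runAsGroup: 0` in values is now rendered, where the old truthiness test silently dropped it; combined with the `runAsNonRoot` default of `true` two lines above, a chart that sets `runAsUser: 0` without also setting `runAsNonRoot: false` now produces a container the kubelet refuses to start, instead of one that quietly ran with the image's default user. That is the right outcome for a security helper, since uid 0 has to be requested explicitly in both fields, but nothing in the hunk records the new semantics. Suggest a template comment above the first `if`: `{{/* runAsUser/runAsGroup are emitted whenever the key is present in values, including 0; requesting uid 0 also requires runAsNonRoot: false */}}`. The enclosing define starts outside the hunk.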
+++ b/kubernetes/common/common/templates/_secret.tpl
@@ -19,7 +19,7 @@ Generates a secret header with given name and desired labels.
- The template takes two arguments:
+ The template takes three arguments:
 - .global: environment (.) - .name: name of the secret - .annotations: annotations which should be used
@@ -29,17 +29,14 @@ */}} {{- define "common.secret._header" -}} {{- $global := .global }}
+ {{- $name := .name }}
 apiVersion: v1 kind: Secret metadata: name: {{ $name }} namespace: {{ include "common.namespace" $global }}
- labels:
- app: {{ include "common.name" $global }}
- chart: {{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" $global }}
- heritage: {{ $global.Release.Service }}
+ labels: {{- include "common.labels" $global | nindent 4 }}
 {{- if .annotations }} annotations: {{- include "common.tplValue" (dict "value" .annotations "context" $global) | nindent 4 }} {{- end }}
diff --git a/kubernetes/common/common/templates/_serviceMonitor.tpl b/kubernetes/common/common/templates/_serviceMonitor.tpl
index 907d9c6a9c..5b80c18ac4 100644
--- a/kubernetes/common/common/templates/_serviceMonitor.tpl
+++ b/kubernetes/common/common/templates/_serviceMonitor.tpl
@@ -52,11 +52,7 @@ ## ServiceMonitor selector labels ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration ##
- selector:
- app: '{{ include "common.name" . }}'
- chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}'
- release: '{{ include "common.release" . }}'
- heritage: '{{ .Release.Service }}'
+ selector: {{- include "common.matchLabels" . | nindent 4 }}
 ## RelabelConfigs to apply to samples before scraping ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
diff --git a/kubernetes/common/common/templates/_strimzikafka.tpl b/kubernetes/common/common/templates/_strimzikafka.tpl
index a2e9c90a4f..a48b444cfc 100644
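Review bot: The removed selector matched on four labels (`app`, `chart`, `release`, `heritage`) while `common.matchLabels` is not in this diff, so which Services a ServiceMonitor scrapes now depends entirely on what that helper emits; if it emits fewer labels than the old block, the selector gets broader and can start picking up sibling Services in the namespace that share those labels, which is a scrape-scope change rather than a pure refactor. It is also worth confirming that the helper renders the same shape the old block had (bare label pairs under `selector:`, not a `matchLabels:` wrapper), because the surrounding `##` commentary suggests this is a values-style document whose consumer, not the YAML parser, decides how `selector` is interpreted. A comment pinning the contract would help the next reader: `## selector is rendered by common.matchLabels and must match the labels common.labels puts on the scraped Service`.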
--- a/kubernetes/common/common/templates/_strimzikafka.tpl
+++ b/kubernetes/common/common/templates/_strimzikafka.tpl
@@ -56,6 +56,7 @@ kind: KafkaUser metadata: name: {{ include "common.name" . }}-ku labels:
+ {{- include "common.labels" . | nindent 4 }}
 strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication:
@@ -118,6 +119,7 @@ metadata: name: {{ ($topic.name) | lower }}-kt {{- end }} labels:
+ {{- include "common.labels" $ | nindent 4 }}
 strimzi.io/cluster: {{ include "common.release" $ }}-strimzi spec: {{- if (hasKey $topic "partitions") }}
diff --git a/kubernetes/common/mariadb-galera/Chart.yaml b/kubernetes/common/mariadb-galera/Chart.yaml
index 41d11a646e..552f6cc67d 100644
--- a/kubernetes/common/mariadb-galera/Chart.yaml
+++ b/kubernetes/common/mariadb-galera/Chart.yaml
@@ -18,7 +18,7 @@ apiVersion: v2 description: Chart for MariaDB Galera cluster name: mariadb-galera
-version: 13.2.2
+version: 13.2.3
 keywords: - mariadb - mysql
diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
index 66ce8abc6e..3011d93e5a 100644
--- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml
+++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
@@ -39,50 +39,24 @@ spec: initContainers: # we shouldn't need this but for unknown reason, it's fsGroup is not # applied
- - name: fix-permission
+ {{- if .Values.mariadbConfiguration }}
+ - name: copy-config
 command: - /bin/sh args: - -c - |
- chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /data
- chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /bootstrap/
- chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /tmp/
- {{- if .Values.mariadbConfiguration }}
 cp /config/my.cnf /actual/my.cnf
- chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /actual
- {{- end }}
 image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- - CAP_NET_RAW
- add:
- - CHOWN
- - SYS_CHROOT
- runAsGroup: {{ .Values.securityContext.group_id }}
- readOnlyRootFilesystem: false
- runAsUser: 0
- runAsNonRoot: false
- seccompProfile:
- type: RuntimeDefault
+ {{ include "common.containerSecurityContext" . | indent 10 | trim }}
 volumeMounts:
- - name: previous-boot
- mountPath: /bootstrap
- - name: mariadb-tmp-folder
- mountPath: /tmp
- - name: {{ include "common.fullname" . }}
- mountPath: /data
- {{- if .Values.mariadbConfiguration }}
 - name: mariadb-galera-starting-config mountPath: /config/my.cnf subPath: my.cnf - name: mariadb-galera-actual-config mountPath: /actual
- {{- end }}
+ {{- end }}
 containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
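Review bot: The context comment `# we shouldn't need this but for unknown reason, it's fsGroup is not applied` now sits directly above `copy-config`, but it explained the deleted `fix-permission` container (chown of `/data`, `/bootstrap` and `/tmp` under `runAsUser: 0` with `CHOWN`/`SYS_CHROOT`); the new container only copies `my.cnf` into an emptyDir and runs under `common.containerSecurityContext`, so the comment is stale and should become something like `# copies the rendered my.cnf into an emptyDir for the main container; /data ownership now relies on fsGroup`. With the chown gone, write access to `/data` depends on the pod-level fsGroup (set outside this hunk) actually being applied to the PVC, which is exactly what the old comment claimed was not happening, so this is worth verifying on a fresh volume before relying on it. Retiring the uid-0, CHOWN-capable init container is the right call; the residual caveat is that `{{ include "common.containerSecurityContext" . | indent 10 | trim }}` is the same helper the main container uses, so the init container inherits whatever that helper grants.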
@@ -185,6 +159,8 @@ spec: {{ include "common.containerSecurityContext" . | indent 10 | trim }} resources: {{ include "common.resources" . | nindent 12 }} volumeMounts:
+ - name: tmp
+ mountPath: /tmp
 - name: previous-boot mountPath: /opt/bitnami/mariadb/.bootstrap - name: {{ include "common.fullname" . }}
@@ -258,13 +234,19 @@ spec: tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" .) | nindent 8 }} {{- end }} volumes:
+ - name: tmp
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.tmpSizeLimit }}
 - name: previous-boot
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.bootSizeLimit }}
 - name: mariadb-tmp-folder
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.tmpMariaDBSizeLimit }}
 {{- if .Values.mariadbConfiguration }} - name: mariadb-galera-actual-config
- emptyDir: {}
+ emptyDir:
+ sizeLimit: {{ .Values.volumes.configSizeLimit }}
 - name: mariadb-galera-starting-config configMap: name: {{ printf "%s-configuration" (include "common.fullname" .) }}
diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml
index faab7af1b3..6684d6dcb3 100644
--- a/kubernetes/common/mariadb-galera/values.yaml
+++ b/kubernetes/common/mariadb-galera/values.yaml
@@ -609,6 +609,12 @@ resources: memory: "3Gi" unlimited: {}
+volumes:
+ bootSizeLimit: 50Mi
+ tmpSizeLimit: 200Mi
+ configSizeLimit: 50Mi
+ tmpMariaDBSizeLimit: 100Mi
+ ## MariaDB Galera containers' liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ##
@@ -689,6 +695,7 @@ metrics: requests: cpu: "0.5" memory: "200Mi"
+ ## MariaDB Galera metrics container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ##
diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml
index b691c40903..3e0e6c2eaa 100644
--- a/kubernetes/common/serviceAccount/Chart.yaml
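Review bot: `mariadb-tmp-folder` receives a `sizeLimit` here although the first hunk of this file removed the only mount of that volume visible in the diff (the old init container's `/tmp`), and the main container now mounts the new `tmp` volume at `/tmp`; unless `mariadb-tmp-folder` is still mounted somewhere outside the hunks, it is an orphaned emptyDir and should go, together with `volumes.tmpMariaDBSizeLimit`. The four `{{ .Values.volumes.* }}` lookups are unguarded: the chart's own values.yaml defines them, but a parent chart that overrides `volumes` with a partial map will, as far as I can tell, render `sizeLimit:` with no value, i.e. silently fall back to an unbounded emptyDir; `sizeLimit: {{ required "volumes.tmpSizeLimit is required" .Values.volumes.tmpSizeLimit }}` turns that into a render-time error. Bounding the scratch volumes is a good change in itself, since it caps what a runaway or compromised container can write to node ephemeral storage.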
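Review bot: The new `volumes:` block lacks the `##` header comment that the neighbouring sections of this file carry (the `## MariaDB Galera containers' liveness and readiness probes` block right below it), and nothing tells a reader of values.yaml that these four keys end up as `emptyDir.sizeLimit` in `templates/statefulset.yaml`. Suggest placing `## Size limits for the pod's emptyDir scratch volumes (tmp, bootstrap, config, mariadb tmp); rendered as emptyDir.sizeLimit in templates/statefulset.yaml` above `volumes:`. The values themselves are fine unquoted, because the `Mi` suffix keeps them strings rather than numbers.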
+++ b/kubernetes/common/serviceAccount/Chart.yaml
@@ -18,7 +18,7 @@ apiVersion: v2 description: Template used to create the right Service Accounts / Role / RoleBinding name: serviceAccount
-version: 13.0.1
+version: 13.0.2
 dependencies: - name: common
diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml
index d6d041f916..90708854ff 100644
--- a/kubernetes/common/serviceAccount/templates/role.yaml
+++ b/kubernetes/common/serviceAccount/templates/role.yaml
@@ -47,95 +47,14 @@ metadata: namespace: {{ include "common.namespace" $dot }} rules: {{- if eq $role_type "read" }}
-- apiGroups: - "" # "" indicates the core API group - apps - batch - extensions resources: - endpoints - services - nodes - pods - deployments - deployments/status - jobs - jobs/status - statefulsets - replicasets - replicasets/status - daemonsets verbs: - get - watch - list
+{{- with $dot.Values.role.read }}
+ {{- toYaml . | nindent 2 }}
+{{- end }}
 {{- else }} {{- if eq $role_type "create" }}
-- apiGroups: - "" # "" indicates the core API group - apps - batch - extensions resources: - pods - deployments - deployments/status - jobs - jobs/status - statefulsets - replicasets - replicasets/status - daemonsets - secrets - services verbs: - get - watch - list
-- apiGroups: - "" # "" indicates the core API group - apps resources: - statefulsets - configmaps verbs: - patch
-- apiGroups: - "" # "" indicates the core API group - apps resources: - deployments - secrets - services - pods verbs: - create
-- apiGroups: - "" # "" indicates the core API group - apps resources: - pods - persistentvolumeclaims - secrets - deployments - services verbs: - delete
-- apiGroups: - "" # "" indicates the core API group - apps resources: - pods/exec verbs: - create - get
-- apiGroups: - cert-manager.io resources: - certificates verbs: - create - delete
+{{- with $dot.Values.role.create }}
+ {{- toYaml . | nindent 2 }}
+{{- end }}
 {{- else }} # if you don't match read or create, then you're not allowed to use API # except to see basic information about yourself
diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml
index 4c9f75f38d..5d20e45f58 100644
--- a/kubernetes/common/serviceAccount/values.yaml
+++ b/kubernetes/common/serviceAccount/values.yaml
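Review bot: `{{- with $dot.Values.role.read }}` (and its `create` twin below) silently renders a Role with an empty `rules:` when the value is missing or null, so a typo in a deployment override, or a parent chart that does not pass `role` through to this subchart, now degrades to a service account with no permissions instead of a render-time error; `required` makes the failure visible: `{{- toYaml (required "role.read must be defined" $dot.Values.role.read) | nindent 2 }}`. Moving the RBAC rules into values also makes them overridable per environment, which cuts both ways: least-privilege tightening becomes easy, but so does widening, so the rendered Role deserves a `helm template` diff in review whenever values change. The `{{- else }}` fallback branch that follows is outside the hunk.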
@@ -22,8 +22,8 @@ global: # if "createDefaultRoles=false" roles: - nothing
-# - read
-# - create
+ # - read
+ # - create
 # Flag to enable the creation of default roles instead of using # common roles-wrapper
@@ -43,3 +43,116 @@ new_roles_definitions: {} # - "get" # - "watch" # - "list"
+
+role:
+ read:
+ - apiGroups:
+ - "" # "" indicates the core API group
+ resources:
+ - services
+ - pods
+ - endpoints
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - batch
+ resources:
+ - jobs/status
+ verbs:
+ - get
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ - replicasets
+ - deployments
+ - statefulsets
+ - daemonsets
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - apps
+ resources:
+ - replicasets/status
+ - deployments/status
+ - statefulsets/status
+ verbs:
+ - get
+ create:
+ - apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batchs
+ - extensions
+ resources:
+ - pods
+ - deployments
+ - deployments/status
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - replicasets/status
+ - daemonsets
+ - secrets
+ - services
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - statefulsets
+ - configmaps
+ verbs:
+ - patch
+ - apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - deployments
+ - secrets
+ - services
+ - pods
+ verbs:
+ - create
+ - apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods
+ - persistentvolumeclaims
+ - secrets
+ - deployments
+ - services
+ verbs:
+ - delete
+ - apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods/exec
+ verbs:
+ - create
+ - get
+ - apiGroups:
+ - cert-manager.io
+ resources:
+ - certificates
+ verbs:
+ - create
+ - delete |
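Review bot: `- batchs` in `role.create` is a typo of the `batch` API group that the removed template in `role.yaml` used; as written the rule grants nothing for Jobs, because `jobs` and `jobs/status` in its `resources` list only match under the groups named and no `batchs` group exists, so a `create` service account loses `get/watch/list` on Jobs without any error from Helm or, as far as I know, from the API server (PolicyRule group names are not validated against installed groups). The fix is `- batch`. In `role.read`, `statefulsets` is listed twice under the `apps` rule; harmless, but drop the duplicate. The `read` rules otherwise tighten the old template (no `nodes`, no `extensions`, status subresources limited to `get`), which is a welcome least-privilege change.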