From adaa5bb71a437cf9f2b13341e9b9d18198bf9a36 Mon Sep 17 00:00:00 2001 From: robot Date: Sun, 8 Dec 2024 20:12:30 +0000 Subject: [PATCH] robot: project wordpress chart upgrades from 15.2.39 to 24.0.10 Signed-off-by: robot --- charts/wordpress/config | 2 +- charts/wordpress/wordpress/Chart.yaml | 20 +- charts/wordpress/wordpress/README.md | 906 ++++++++++------- .../wordpress/charts/wordpress/.helmignore | 4 + .../wordpress/charts/wordpress/Chart.lock | 16 +- .../wordpress/charts/wordpress/Chart.yaml | 28 +- .../wordpress/charts/wordpress/README.md | 906 ++++++++++------- .../wordpress/charts/common/.helmignore | 4 + .../charts/wordpress/charts/common/Chart.yaml | 11 +- .../charts/wordpress/charts/common/README.md | 152 +-- .../charts/common/templates/_affinities.tpl | 57 +- .../charts/common/templates/_capabilities.tpl | 131 ++- .../common/templates/_compatibility.tpl | 46 + .../charts/common/templates/_errors.tpl | 5 + .../charts/common/templates/_images.tpl | 77 +- .../charts/common/templates/_ingress.tpl | 5 + .../charts/common/templates/_labels.tpl | 30 +- .../charts/common/templates/_names.tpl | 5 + .../charts/common/templates/_resources.tpl | 50 + .../charts/common/templates/_secrets.tpl | 83 +- .../charts/common/templates/_storage.tpl | 18 +- .../charts/common/templates/_tplvalues.tpl | 53 +- .../charts/common/templates/_utils.tpl | 15 + .../charts/common/templates/_warnings.tpl | 97 +- .../templates/validations/_cassandra.tpl | 27 +- .../common/templates/validations/_mariadb.tpl | 5 + .../common/templates/validations/_mongodb.tpl | 47 +- .../common/templates/validations/_mysql.tpl | 42 +- .../templates/validations/_postgresql.tpl | 30 +- .../common/templates/validations/_redis.tpl | 34 +- .../templates/validations/_validations.tpl | 5 + .../wordpress/charts/common/values.yaml | 3 + .../wordpress/charts/mariadb/.helmignore | 4 + .../wordpress/charts/mariadb/Chart.lock | 8 +- .../wordpress/charts/mariadb/Chart.yaml | 21 +- .../charts/wordpress/charts/mariadb/README.md | 944 +++++++++++------- .../charts/mariadb/charts/common/.helmignore | 4 + .../charts/mariadb/charts/common/Chart.yaml | 12 +- .../charts/mariadb/charts/common/README.md | 154 +-- .../charts/common/templates/_affinities.tpl | 57 +- .../charts/common/templates/_capabilities.tpl | 133 ++- .../common/templates/_compatibility.tpl | 46 + .../charts/common/templates/_errors.tpl | 5 + .../charts/common/templates/_images.tpl | 77 +- .../charts/common/templates/_ingress.tpl | 5 + .../charts/common/templates/_labels.tpl | 30 +- .../charts/common/templates/_names.tpl | 5 + .../charts/common/templates/_resources.tpl | 50 + .../charts/common/templates/_secrets.tpl | 83 +- .../charts/common/templates/_storage.tpl | 18 +- .../charts/common/templates/_tplvalues.tpl | 53 +- .../charts/common/templates/_utils.tpl | 15 + .../charts/common/templates/_warnings.tpl | 97 +- .../templates/validations/_cassandra.tpl | 27 +- .../common/templates/validations/_mariadb.tpl | 5 + .../common/templates/validations/_mongodb.tpl | 47 +- .../common/templates/validations/_mysql.tpl | 42 +- .../templates/validations/_postgresql.tpl | 30 +- .../common/templates/validations/_redis.tpl | 34 +- .../templates/validations/_validations.tpl | 5 + .../charts/mariadb/charts/common/values.yaml | 3 + .../charts/mariadb/templates/NOTES.txt | 4 +- .../charts/mariadb/templates/_helpers.tpl | 74 +- .../charts/mariadb/templates/ca-cert.yaml | 56 ++ .../charts/mariadb/templates/cert.yaml | 48 + .../charts/mariadb/templates/extra-list.yaml | 5 + .../mariadb/templates/headless-svc.yaml | 36 + .../templates/networkpolicy-egress.yaml | 33 - .../mariadb/templates/networkpolicy.yaml | 77 ++ .../mariadb/templates/primary/configmap.yaml | 15 +- .../primary/initialization-configmap.yaml | 13 +- .../primary/networkpolicy-ingress.yaml | 56 -- .../charts/mariadb/templates/primary/pdb.yaml | 20 +- .../templates/primary/statefulset.yaml | 133 ++- .../charts/mariadb/templates/primary/svc.yaml | 26 +- .../mariadb/templates/prometheusrules.yaml | 17 +- .../charts/mariadb/templates/role.yaml | 13 +- .../charts/mariadb/templates/rolebinding.yaml | 13 +- .../templates/secondary/configmap.yaml | 15 +- .../secondary/networkpolicy-ingress.yaml | 49 - .../mariadb/templates/secondary/pdb.yaml | 20 +- .../templates/secondary/statefulset.yaml | 133 ++- .../mariadb/templates/secondary/svc.yaml | 27 +- .../charts/mariadb/templates/secrets.yaml | 94 +- .../mariadb/templates/serviceaccount.yaml | 24 +- .../mariadb/templates/servicemonitor.yaml | 25 +- .../charts/mariadb/templates/tls-secret.yaml | 51 + .../templates/update-password/job.yaml | 243 +++++ .../templates/update-password/new-secret.yaml | 28 + .../update-password/previous-secret.yaml | 28 + .../wordpress/charts/mariadb/values.yaml | 612 ++++++++---- .../wordpress/charts/memcached/.helmignore | 4 + .../wordpress/charts/memcached/Chart.lock | 8 +- .../wordpress/charts/memcached/Chart.yaml | 21 +- .../wordpress/charts/memcached/README.md | 540 +++++----- .../memcached/charts/common/.helmignore | 4 + .../charts/memcached/charts/common/Chart.yaml | 12 +- .../charts/memcached/charts/common/README.md | 154 +-- .../charts/common/templates/_affinities.tpl | 57 +- .../charts/common/templates/_capabilities.tpl | 131 ++- .../common/templates/_compatibility.tpl | 46 + .../charts/common/templates/_errors.tpl | 5 + .../charts/common/templates/_images.tpl | 77 +- .../charts/common/templates/_ingress.tpl | 5 + .../charts/common/templates/_labels.tpl | 30 +- .../charts/common/templates/_names.tpl | 5 + .../charts/common/templates/_resources.tpl | 50 + .../charts/common/templates/_secrets.tpl | 83 +- .../charts/common/templates/_storage.tpl | 18 +- .../charts/common/templates/_tplvalues.tpl | 53 +- .../charts/common/templates/_utils.tpl | 15 + .../charts/common/templates/_warnings.tpl | 97 +- .../templates/validations/_cassandra.tpl | 27 +- .../common/templates/validations/_mariadb.tpl | 5 + .../common/templates/validations/_mongodb.tpl | 47 +- .../common/templates/validations/_mysql.tpl | 42 +- .../templates/validations/_postgresql.tpl | 30 +- .../common/templates/validations/_redis.tpl | 34 +- .../templates/validations/_validations.tpl | 5 + .../memcached/charts/common/values.yaml | 3 + .../charts/memcached/templates/NOTES.txt | 2 + .../charts/memcached/templates/_helpers.tpl | 5 + .../memcached/templates/deployment.yaml | 67 +- .../memcached/templates/extra-list.yaml | 5 + .../charts/memcached/templates/hpa.yaml | 10 +- .../memcached/templates/metrics-svc.yaml | 24 +- .../memcached/templates/networkpolicy.yaml | 74 ++ .../charts/memcached/templates/pdb.yaml | 19 +- .../charts/memcached/templates/secrets.yaml | 10 +- .../charts/memcached/templates/service.yaml | 25 +- .../memcached/templates/serviceaccount.yaml | 21 +- .../memcached/templates/servicemonitor.yaml | 22 +- .../memcached/templates/statefulset.yaml | 84 +- .../wordpress/charts/memcached/values.yaml | 277 +++-- .../charts/wordpress/templates/NOTES.txt | 2 + .../charts/wordpress/templates/_helpers.tpl | 5 + .../wordpress/templates/config-secret.yaml | 10 +- .../wordpress/templates/deployment.yaml | 149 ++- .../templates/externaldb-secrets.yaml | 10 +- .../wordpress/templates/extra-list.yaml | 5 + .../charts/wordpress/templates/hpa.yaml | 10 +- .../wordpress/templates/httpd-configmap.yaml | 10 +- .../templates/ingress-secondary.yaml | 62 ++ .../charts/wordpress/templates/ingress.yaml | 33 +- .../wordpress/templates/metrics-svc.yaml | 22 +- .../networkpolicy-backend-ingress.yaml | 28 - .../templates/networkpolicy-egress.yaml | 33 - .../templates/networkpolicy-ingress.yaml | 61 -- .../wordpress/templates/networkpolicy.yaml | 92 ++ .../charts/wordpress/templates/pdb.yaml | 17 +- .../templates/postinit-configmap.yaml | 12 +- .../charts/wordpress/templates/pvc.yaml | 22 +- .../charts/wordpress/templates/secrets.yaml | 10 +- .../wordpress/templates/serviceaccount.yaml | 21 +- .../wordpress/templates/servicemonitor.yaml | 16 +- .../charts/wordpress/templates/svc.yaml | 22 +- .../wordpress/templates/tls-secrets.yaml | 15 +- .../charts/wordpress/values.schema.json | 31 + .../wordpress/charts/wordpress/values.yaml | 545 ++++++---- charts/wordpress/wordpress/values.schema.json | 31 + charts/wordpress/wordpress/values.yaml | 537 ++++++---- 161 files changed, 7127 insertions(+), 3853 deletions(-) create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_compatibility.tpl create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_resources.tpl create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_compatibility.tpl create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_resources.tpl create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/ca-cert.yaml create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/cert.yaml create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/headless-svc.yaml delete mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/networkpolicy-egress.yaml create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/networkpolicy.yaml delete mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/networkpolicy-ingress.yaml delete mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/networkpolicy-ingress.yaml create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/tls-secret.yaml create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/update-password/job.yaml create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/update-password/new-secret.yaml create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/update-password/previous-secret.yaml create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_compatibility.tpl create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_resources.tpl create mode 100644 charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/networkpolicy.yaml create mode 100644 charts/wordpress/wordpress/charts/wordpress/templates/ingress-secondary.yaml delete mode 100644 charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy-backend-ingress.yaml delete mode 100644 charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy-egress.yaml delete mode 100644 charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy-ingress.yaml create mode 100644 charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy.yaml diff --git a/charts/wordpress/config b/charts/wordpress/config index e54ad76bb..9d5f6c518 100644 --- a/charts/wordpress/config +++ b/charts/wordpress/config @@ -4,7 +4,7 @@ export USE_OPENSOURCE_CHART=false export REPO_URL=https://charts.bitnami.com/bitnami export REPO_NAME=bitnami export CHART_NAME=wordpress -export VERSION=15.2.39 +export VERSION=24.0.10 # pr, issue, none export UPGRADE_METHOD=pr diff --git a/charts/wordpress/wordpress/Chart.yaml b/charts/wordpress/wordpress/Chart.yaml index b433a80dc..4055ceaa5 100644 --- a/charts/wordpress/wordpress/Chart.yaml +++ b/charts/wordpress/wordpress/Chart.yaml @@ -1,10 +1,17 @@ annotations: category: CMS + images: | + - name: apache-exporter + image: docker.io/bitnami/apache-exporter:1.0.9-debian-12-r4 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r33 + - name: wordpress + image: docker.io/bitnami/wordpress:6.7.1-debian-12-r3 licenses: Apache-2.0 apiVersion: v2 -appVersion: 6.1.1 +appVersion: 6.7.1 description: WordPress is the world's most popular blogging and content management platform. Powerful yet simple, everyone from students to global corporations use it to build beautiful, functional websites. -home: https://github.com/bitnami/charts/tree/main/bitnami/wordpress +home: https://bitnami.com icon: https://bitnami.com/assets/stacks/wordpress/img/wordpress-stack-220x234.png keywords: - application @@ -15,14 +22,13 @@ keywords: - web - wordpress maintainers: - - name: Bitnami + - name: Broadcom, Inc. All Rights Reserved. url: https://github.com/bitnami/charts name: wordpress sources: - - https://github.com/bitnami/containers/tree/main/bitnami/wordpress - - https://wordpress.org/ -version: 15.2.39 + - https://github.com/bitnami/charts/tree/main/bitnami/wordpress +version: 24.0.10 dependencies: - name: wordpress - version: "15.2.39" + version: "24.0.10" repository: "https://charts.bitnami.com/bitnami" diff --git a/charts/wordpress/wordpress/README.md b/charts/wordpress/wordpress/README.md index 31c346bf7..491200022 100644 --- a/charts/wordpress/wordpress/README.md +++ b/charts/wordpress/wordpress/README.md @@ -1,20 +1,19 @@ -# WordPress packaged by Bitnami +# Bitnami package for WordPress WordPress is the world's most popular blogging and content management platform. Powerful yet simple, everyone from students to global corporations use it to build beautiful, functional websites. [Overview of WordPress](http://www.wordpress.org) - - ## TL;DR ```console -$ helm repo add my-repo https://charts.bitnami.com/bitnami -$ helm install my-release my-repo/wordpress +helm install my-release oci://registry-1.docker.io/bitnamicharts/wordpress ``` +Looking to use WordPress in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + ## Introduction This chart bootstraps a [WordPress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. @@ -25,8 +24,8 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment ## Prerequisites -- Kubernetes 1.19+ -- Helm 3.2.0+ +- Kubernetes 1.23+ +- Helm 3.8.0+ - PV provisioner support in the underlying infrastructure - ReadWriteMany volumes for deployment scaling @@ -35,34 +34,253 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment To install the chart with the release name `my-release`: ```console -$ helm repo add my-repo https://charts.bitnami.com/bitnami -$ helm install my-release my-repo/wordpress +helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/wordpress ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + The command deploys WordPress on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### Update credentials + +Bitnami charts configure credentials at first boot. Any further change in the secrets or credentials require manual intervention. Follow these instructions: + +- Update the user password following [the upstream documentation](https://wordpress.org/documentation/) +- Update the password secret with the new values (replace the SECRET_NAME, PASSWORD and SMTP_PASSWORD placeholders) + +```shell +kubectl create secret generic SECRET_NAME --from-literal=wordpress-password=PASSWORD --from-literal=smtp-password=SMTP_PASSWORD --dry-run -o yaml | kubectl apply -f - +``` + +### Prometheus metrics + +This chart can be integrated with Prometheus by setting `metrics.enabled` to `true`. This will deploy a sidecar container with [apache-exporter](https://github.com/Lusitaniae/apache_exporter) in all pods and a `metrics` service, which can be configured under the `metrics.service` section. This `metrics` service will have the necessary annotations to be automatically scraped by Prometheus. + +#### Prometheus requirements + +It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the [Bitnami Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/prometheus) or the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) to easily have a working Prometheus in your cluster. -To uninstall/delete the `my-release` deployment: +#### Integration with Prometheus Operator + +The chart can deploy `ServiceMonitor` objects for integration with Prometheus Operator installations. To do so, set the value `metrics.serviceMonitor.enabled=true`. Ensure that the Prometheus Operator `CustomResourceDefinitions` are installed in the cluster or it will fail with the following error: + +```text +no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1" +``` + +Install the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) for having the necessary CRDs and the Prometheus Operator. + +### [Rolling VS Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Known limitations + +When performing admin operations that require activating the maintenance mode (such as updating a plugin or theme), it's activated in only one replica (see: [bug report](https://core.trac.wordpress.org/ticket/50797)). This implies that WP could be attending requests on other replicas while performing admin operations, with unpredictable consequences. + +To avoid that, you can manually activate/deactivate the maintenance mode on every replica using the WP CLI. For instance, if you installed WP with three replicas, you can run the commands below to activate the maintenance mode in all of them (assuming that the release name is `wordpress`): ```console -$ helm delete my-release +kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[0].metadata.name}') -c wordpress -- wp maintenance-mode activate +kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[1].metadata.name}') -c wordpress -- wp maintenance-mode activate +kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[2].metadata.name}') -c wordpress -- wp maintenance-mode activate +``` + +### External database support + +You may want to have WordPress connect to an external database rather than installing one inside your cluster. Typical reasons for this are to use a managed database service, or to share a common database server for all your applications. To achieve this, the chart allows you to specify credentials for an external database with the [`externalDatabase` parameter](#database-parameters). You should also disable the MariaDB installation with the `mariadb.enabled` option. Here is an example: + +```console +mariadb.enabled=false +externalDatabase.host=myexternalhost +externalDatabase.user=myuser +externalDatabase.password=mypassword +externalDatabase.database=mydatabase +externalDatabase.port=3306 +``` + +If the database already contains data from a previous WordPress installation, set the `wordpressSkipInstall` parameter to `true`. This parameter forces the container to skip the WordPress installation wizard. Otherwise, the container will assume it is a fresh installation and execute the installation wizard, potentially modifying or resetting the data in the existing database. + +[Refer to the container documentation for more information](https://github.com/bitnami/containers/tree/main/bitnami/wordpress#connect-wordpress-container-to-an-existing-database). + +### Memcached + +This chart provides support for using Memcached to cache database queries and objects improving the website performance. To enable this feature, set `wordpressConfigureCache` and `memcached.enabled` parameters to `true`. + +When this feature is enabled, a Memcached server will be deployed in your K8s cluster using the Bitnami Memcached chart and the [W3 Total Cache](https://wordpress.org/plugins/w3-total-cache/) plugin will be activated and configured to use the Memcached server for database caching. + +It is also possible to use an external cache server rather than installing one inside your cluster. To achieve this, the chart allows you to specify credentials for an external cache server with the [`externalCache` parameter](#database-parameters). You should also disable the Memcached installation with the `memcached.enabled` option. Here is an example: + +```console +wordpressConfigureCache=true +memcached.enabled=false +externalCache.host=myexternalcachehost +externalCache.port=11211 ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +### Ingress + +This chart provides support for Ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress-controller](https://github.com/bitnami/charts/tree/main/bitnami/nginx-ingress-controller) or [contour](https://github.com/bitnami/charts/tree/main/bitnami/contour) you can utilize the ingress controller to serve your application.To enable Ingress integration, set `ingress.enabled` to `true`. + +The most common scenario is to have one host name mapped to the deployment. In this case, the `ingress.hostname` property can be used to set the host name. The `ingress.tls` parameter can be used to add the TLS configuration for this host. + +However, it is also possible to have more than one host. To facilitate this, the `ingress.extraHosts` parameter (if available) can be set with the host names specified as an array. The `ingress.extraTLS` parameter (if available) can also be used to add the TLS configuration for extra hosts. + +> NOTE: For each host specified in the `ingress.extraHosts` parameter, it is necessary to set a name, path, and any annotations that the Ingress controller should know about. Not all annotations are supported by all Ingress controllers, but [this annotation reference document](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) lists the annotations supported by many popular Ingress controllers. + +Adding the TLS parameter (where available) will cause the chart to generate HTTPS URLs, and the application will be available on port 443. The actual TLS secrets do not have to be generated by this chart. However, if TLS is enabled, the Ingress record will not work until the TLS secret exists. + +[Learn more about Ingress controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/). + +### Securing traffic using TLS + +This chart facilitates the creation of TLS secrets for use with the Ingress controller (although this is not mandatory). There are several common use cases: + +- Generate certificate secrets based on chart parameters. +- Enable externally generated certificates. +- Manage application certificates via an external service (like [cert-manager](https://github.com/jetstack/cert-manager/)). +- Create self-signed certificates within the chart (if supported). + +In the first two cases, a certificate and a key are needed. Files are expected in `.pem` format. + +Here is an example of a certificate file: + +> NOTE: There may be more than one certificate if there is a certificate chain. + +```text +-----BEGIN CERTIFICATE----- +MIID6TCCAtGgAwIBAgIJAIaCwivkeB5EMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +... +jScrvkiBO65F46KioCL9h5tDvomdU1aqpI/CBzhvZn1c0ZTf87tGQR8NK7v7 +-----END CERTIFICATE----- +``` + +Here is an example of a certificate key: + +```text +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAvLYcyu8f3skuRyUgeeNpeDvYBCDcgq+LsWap6zbX5f8oLqp4 +... +wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc= +-----END RSA PRIVATE KEY----- +``` + +- If using Helm to manage the certificates based on the parameters, copy these values into the `certificate` and `key` values for a given `*.ingress.secrets` entry. +- If managing TLS secrets separately, it is necessary to create a TLS secret with name `INGRESS_HOSTNAME-tls` (where INGRESS_HOSTNAME is a placeholder to be replaced with the hostname you set using the `*.ingress.hostname` parameter). +- If your cluster has a [cert-manager](https://github.com/jetstack/cert-manager) add-on to automate the management and issuance of TLS certificates, add to `*.ingress.annotations` the [corresponding ones](https://cert-manager.io/docs/usage/ingress/#supported-annotations) for cert-manager. +- If using self-signed certificates created by Helm, set both `*.ingress.tls` and `*.ingress.selfSigned` to `true`. + +### `.htaccess` files + +For performance and security reasons, it is a good practice to configure Apache with the `AllowOverride None` directive. Instead of using `.htaccess` files, Apache will load the same directives at boot time. These directives are located in `/opt/bitnami/wordpress/wordpress-htaccess.conf`. + +By default, the container image includes all the default `.htaccess` files in WordPress (together with the default plugins). To enable this feature, install the chart with the value `allowOverrideNone=yes`. + +However, some plugins may include `.htaccess` directives that will not be loaded when `AllowOverride` is set to `None`. To make them work, create a custom `wordpress-htaccess.conf` file with all the required directives. After creating it, create a Kubernetes ConfigMap with it (for example, named `custom-htaccess`) and install the chart with the correct parameters as shown below: + +```text + allowOverrideNone=true + customHTAccessCM=custom-htaccess +``` + +Some plugins permit editing the `.htaccess` file and it may be necessary to persist it in order to keep those edits. To make these plugins work, set the `htaccessPersistenceEnabled` parameter as shown below: + +```text + allowOverrideNone=false + htaccessPersistenceEnabled=true +``` + +### Backup and restore + +To back up and restore Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool. Find the instructions for using Velero in [this guide](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-backup-restore-deployments-velero-index.html). + +## Persistence + +The [Bitnami WordPress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) image stores the WordPress data and configurations at the `/bitnami` path of the container. Persistent Volume Claims are used to keep the data across deployments. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). + +### Additional environment variables + +In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property. + +```yaml +wordpress: + extraEnvVars: + - name: LOG_LEVEL + value: error +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values. + +### Sidecars + +If additional containers are needed in the same pod as WordPress (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. + +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). + +### Pod affinity + +This chart allows you to set your custom affinity using the `affinity` parameter. Learn more about Pod affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. ## Parameters ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | - +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters @@ -79,19 +297,16 @@ The command removes all the Kubernetes components associated with the chart and | `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | | `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | - ### WordPress Image parameters -| Name | Description | Value | -| ------------------- | --------------------------------------------------------------------------------------------------------- | --------------------- | -| `image.registry` | WordPress image registry | `docker.io` | -| `image.repository` | WordPress image repository | `bitnami/wordpress` | -| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.1.1-debian-11-r42` | -| `image.digest` | WordPress image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | WordPress image pull policy | `IfNotPresent` | -| `image.pullSecrets` | WordPress image pull secrets | `[]` | -| `image.debug` | Specify if debug values should be set | `false` | - +| Name | Description | Value | +| ------------------- | --------------------------------------------------------------------------------------------------------- | --------------------------- | +| `image.registry` | WordPress image registry | `REGISTRY_NAME` | +| `image.repository` | WordPress image repository | `REPOSITORY_NAME/wordpress` | +| `image.digest` | WordPress image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | WordPress image pull policy | `IfNotPresent` | +| `image.pullSecrets` | WordPress image pull secrets | `[]` | +| `image.debug` | Specify if debug values should be set | `false` | ### WordPress Configuration parameters @@ -120,6 +335,8 @@ The command removes all the Kubernetes components associated with the chart and | `smtpUser` | SMTP username | `""` | | `smtpPassword` | SMTP user password | `""` | | `smtpProtocol` | SMTP protocol | `""` | +| `smtpFromEmail` | SMTP from email (default is `smtpUser`) | `""` | +| `smtpFromName` | SMTP from name (default is `wordpressFirstName` and `wordpressLastName`) | `""` | | `smtpExistingSecret` | The name of an existing secret with SMTP credentials | `""` | | `allowEmptyPassword` | Allow the container to be started with blank passwords | `true` | | `allowOverrideNone` | Configure Apache to prohibit overriding directives with htaccess files | `false` | @@ -132,7 +349,6 @@ The command removes all the Kubernetes components associated with the chart and | `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | | `extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` | - ### WordPress Multisite Configuration parameters | Name | Description | Value | @@ -142,259 +358,279 @@ The command removes all the Kubernetes components associated with the chart and | `multisite.networkType` | WordPress Multisite network type to enable. Allowed values: `subfolder`, `subdirectory` or `subdomain`. | `subdomain` | | `multisite.enableNipIoRedirect` | Whether to enable IP address redirection to nip.io wildcard DNS. Useful when running on an IP address with subdomain network type. | `false` | - ### WordPress deployment parameters -| Name | Description | Value | -| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ---------------- | -| `replicaCount` | Number of WordPress replicas to deploy | `1` | -| `updateStrategy.type` | WordPress deployment strategy type | `RollingUpdate` | -| `updateStrategy.rollingUpdate` | WordPress deployment rolling update configuration parameters | `{}` | -| `schedulerName` | Alternate scheduler | `""` | -| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | -| `priorityClassName` | Name of the existing priority class to be used by WordPress pods, priority class needs to be created beforehand | `""` | -| `hostAliases` | WordPress pod host aliases | `[]` | -| `extraVolumes` | Optionally specify extra list of additional volumes for WordPress pods | `[]` | -| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for WordPress container(s) | `[]` | -| `sidecars` | Add additional sidecar containers to the WordPress pod | `[]` | -| `initContainers` | Add additional init containers to the WordPress pods | `[]` | -| `podLabels` | Extra labels for WordPress pods | `{}` | -| `podAnnotations` | Annotations for WordPress pods | `{}` | -| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` | -| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` | -| `affinity` | Affinity for pod assignment | `{}` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `resources.limits` | The resources limits for the WordPress containers | `{}` | -| `resources.requests.memory` | The requested memory for the WordPress containers | `512Mi` | -| `resources.requests.cpu` | The requested cpu for the WordPress containers | `300m` | -| `containerPorts.http` | WordPress HTTP container port | `8080` | -| `containerPorts.https` | WordPress HTTPS container port | `8443` | -| `extraContainerPorts` | Optionally specify extra list of additional ports for WordPress container(s) | `[]` | -| `podSecurityContext.enabled` | Enabled WordPress pods' Security Context | `true` | -| `podSecurityContext.fsGroup` | Set WordPress pod's Security Context fsGroup | `1001` | -| `podSecurityContext.seccompProfile.type` | Set WordPress container's Security Context seccomp profile | `RuntimeDefault` | -| `containerSecurityContext.enabled` | Enabled WordPress containers' Security Context | `true` | -| `containerSecurityContext.runAsUser` | Set WordPress container's Security Context runAsUser | `1001` | -| `containerSecurityContext.runAsNonRoot` | Set WordPress container's Security Context runAsNonRoot | `true` | -| `containerSecurityContext.allowPrivilegeEscalation` | Set WordPress container's privilege escalation | `false` | -| `containerSecurityContext.capabilities.drop` | Set WordPress container's Security Context runAsNonRoot | `["ALL"]` | -| `livenessProbe.enabled` | Enable livenessProbe on WordPress containers | `true` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `readinessProbe.enabled` | Enable readinessProbe on WordPress containers | `true` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `startupProbe.enabled` | Enable startupProbe on WordPress containers | `false` | -| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | -| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | -| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `lifecycleHooks` | for the WordPress container(s) to automate configuration before or after startup | `{}` | - +| Name | Description | Value | +| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `replicaCount` | Number of WordPress replicas to deploy | `1` | +| `updateStrategy.type` | WordPress deployment strategy type | `RollingUpdate` | +| `schedulerName` | Alternate scheduler | `""` | +| `terminationGracePeriodSeconds` | In seconds, time given to the WordPress pod to terminate gracefully | `""` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `priorityClassName` | Name of the existing priority class to be used by WordPress pods, priority class needs to be created beforehand | `""` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hostAliases` | WordPress pod host aliases | `[]` | +| `extraVolumes` | Optionally specify extra list of additional volumes for WordPress pods | `[]` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for WordPress container(s) | `[]` | +| `sidecars` | Add additional sidecar containers to the WordPress pod | `[]` | +| `initContainers` | Add additional init containers to the WordPress pods | `[]` | +| `podLabels` | Extra labels for WordPress pods | `{}` | +| `podAnnotations` | Annotations for WordPress pods | `{}` | +| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` | +| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` | +| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `containerPorts.http` | WordPress HTTP container port | `8080` | +| `containerPorts.https` | WordPress HTTPS container port | `8443` | +| `extraContainerPorts` | Optionally specify extra list of additional ports for WordPress container(s) | `[]` | +| `podSecurityContext.enabled` | Enabled WordPress pods' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `podSecurityContext.fsGroup` | Set WordPress pod's Security Context fsGroup | `1001` | +| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `livenessProbe.enabled` | Enable livenessProbe on WordPress containers | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe on WordPress containers | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `startupProbe.enabled` | Enable startupProbe on WordPress containers | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `lifecycleHooks` | for the WordPress container(s) to automate configuration before or after startup | `{}` | ### Traffic Exposure Parameters -| Name | Description | Value | -| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `service.type` | WordPress service type | `LoadBalancer` | -| `service.ports.http` | WordPress service HTTP port | `80` | -| `service.ports.https` | WordPress service HTTPS port | `443` | -| `service.httpsTargetPort` | Target port for HTTPS | `https` | -| `service.nodePorts.http` | Node port for HTTP | `""` | -| `service.nodePorts.https` | Node port for HTTPS | `""` | -| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `service.clusterIP` | WordPress service Cluster IP | `""` | -| `service.loadBalancerIP` | WordPress service Load Balancer IP | `""` | -| `service.loadBalancerSourceRanges` | WordPress service Load Balancer sources | `[]` | -| `service.externalTrafficPolicy` | WordPress service external traffic policy | `Cluster` | -| `service.annotations` | Additional custom annotations for WordPress service | `{}` | -| `service.extraPorts` | Extra port to expose on WordPress service | `[]` | -| `ingress.enabled` | Enable ingress record generation for WordPress | `false` | -| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | -| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | -| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `ingress.hostname` | Default host for the ingress record | `wordpress.local` | -| `ingress.path` | Default path for the ingress record | `/` | -| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | -| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` | -| `ingress.tlsWwwPrefix` | Adds www subdomain to default cert | `false` | -| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | -| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | -| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | -| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | -| `ingress.secrets` | Custom TLS certificates as secrets | `[]` | -| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | - +| Name | Description | Value | +| ----------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `service.type` | WordPress service type | `LoadBalancer` | +| `service.ports.http` | WordPress service HTTP port | `80` | +| `service.ports.https` | WordPress service HTTPS port | `443` | +| `service.httpsTargetPort` | Target port for HTTPS | `https` | +| `service.nodePorts.http` | Node port for HTTP | `""` | +| `service.nodePorts.https` | Node port for HTTPS | `""` | +| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.clusterIP` | WordPress service Cluster IP | `""` | +| `service.loadBalancerIP` | WordPress service Load Balancer IP | `""` | +| `service.loadBalancerSourceRanges` | WordPress service Load Balancer sources | `[]` | +| `service.externalTrafficPolicy` | WordPress service external traffic policy | `Cluster` | +| `service.annotations` | Additional custom annotations for WordPress service | `{}` | +| `service.extraPorts` | Extra port to expose on WordPress service | `[]` | +| `ingress.enabled` | Enable ingress record generation for WordPress | `false` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | +| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `ingress.hostname` | Default host for the ingress record. The hostname is templated and thus can contain other variable references. | `wordpress.local` | +| `ingress.path` | Default path for the ingress record | `/` | +| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` | +| `ingress.tlsWwwPrefix` | Adds www subdomain to default cert | `false` | +| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record. The host names are templated and thus can contain other variable references. | `[]` | +| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `ingress.secrets` | Custom TLS certificates as secrets | `[]` | +| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| `secondaryIngress.enabled` | Enable ingress record generation for WordPress | `false` | +| `secondaryIngress.pathType` | Ingress path type | `ImplementationSpecific` | +| `secondaryIngress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | +| `secondaryIngress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `secondaryIngress.hostname` | Default host for the ingress record. The hostname is templated and thus can contain other variable references. | `wordpress.local` | +| `secondaryIngress.path` | Default path for the ingress record | `/` | +| `secondaryIngress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `secondaryIngress.tls` | Enable TLS configuration for the host defined at `secondaryIngress.hostname` parameter | `false` | +| `secondaryIngress.tlsWwwPrefix` | Adds www subdomain to default cert | `false` | +| `secondaryIngress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `secondaryIngress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record. The host names are templated and thus can contain other variable references. | `[]` | +| `secondaryIngress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `secondaryIngress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `secondaryIngress.secrets` | Custom TLS certificates as secrets | `[]` | +| `secondaryIngress.extraRules` | Additional rules to be covered with this ingress record | `[]` | ### Persistence Parameters -| Name | Description | Value | -| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------- | ----------------------- | -| `persistence.enabled` | Enable persistence using Persistent Volume Claims | `true` | -| `persistence.storageClass` | Persistent Volume storage class | `""` | -| `persistence.accessModes` | Persistent Volume access modes | `[]` | -| `persistence.accessMode` | Persistent Volume access mode (DEPRECATED: use `persistence.accessModes` instead) | `ReadWriteOnce` | -| `persistence.size` | Persistent Volume size | `10Gi` | -| `persistence.dataSource` | Custom PVC data source | `{}` | -| `persistence.existingClaim` | The name of an existing PVC to use for persistence | `""` | -| `persistence.selector` | Selector to match an existing Persistent Volume for WordPress data PVC | `{}` | -| `persistence.annotations` | Persistent Volume Claim annotations | `{}` | -| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | -| `volumePermissions.image.registry` | Bitnami Shell image registry | `docker.io` | -| `volumePermissions.image.repository` | Bitnami Shell image repository | `bitnami/bitnami-shell` | -| `volumePermissions.image.tag` | Bitnami Shell image tag (immutable tags are recommended) | `11-debian-11-r81` | -| `volumePermissions.image.digest` | Bitnami Shell image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Bitnami Shell image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Bitnami Shell image pull secrets | `[]` | -| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | -| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | -| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | - +| Name | Description | Value | +| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `persistence.enabled` | Enable persistence using Persistent Volume Claims | `true` | +| `persistence.storageClass` | Persistent Volume storage class | `""` | +| `persistence.accessModes` | Persistent Volume access modes | `[]` | +| `persistence.accessMode` | Persistent Volume access mode (DEPRECATED: use `persistence.accessModes` instead) | `ReadWriteOnce` | +| `persistence.size` | Persistent Volume size | `10Gi` | +| `persistence.dataSource` | Custom PVC data source | `{}` | +| `persistence.existingClaim` | The name of an existing PVC to use for persistence | `""` | +| `persistence.selector` | Selector to match an existing Persistent Volume for WordPress data PVC | `{}` | +| `persistence.annotations` | Persistent Volume Claim annotations | `{}` | +| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | ### Other Parameters -| Name | Description | Value | -| --------------------------------------------- | ---------------------------------------------------------------------- | ------- | -| `serviceAccount.create` | Enable creation of ServiceAccount for WordPress pod | `false` | -| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | -| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | -| `pdb.create` | Enable a Pod Disruption Budget creation | `false` | -| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `1` | -| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `""` | -| `autoscaling.enabled` | Enable Horizontal POD autoscaling for WordPress | `false` | -| `autoscaling.minReplicas` | Minimum number of WordPress replicas | `1` | -| `autoscaling.maxReplicas` | Maximum number of WordPress replicas | `11` | -| `autoscaling.targetCPU` | Target CPU utilization percentage | `50` | -| `autoscaling.targetMemory` | Target Memory utilization percentage | `50` | - +| Name | Description | Value | +| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `serviceAccount.create` | Enable creation of ServiceAccount for WordPress pod | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | +| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +| `pdb.create` | Enable a Pod Disruption Budget creation | `true` | +| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | +| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. | `""` | +| `autoscaling.enabled` | Enable Horizontal POD autoscaling for WordPress | `false` | +| `autoscaling.minReplicas` | Minimum number of WordPress replicas | `1` | +| `autoscaling.maxReplicas` | Maximum number of WordPress replicas | `11` | +| `autoscaling.targetCPU` | Target CPU utilization percentage | `50` | +| `autoscaling.targetMemory` | Target Memory utilization percentage | `50` | ### Metrics Parameters -| Name | Description | Value | -| -------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | ------------------------- | -| `metrics.enabled` | Start a sidecar prometheus exporter to expose metrics | `false` | -| `metrics.image.registry` | Apache exporter image registry | `docker.io` | -| `metrics.image.repository` | Apache exporter image repository | `bitnami/apache-exporter` | -| `metrics.image.tag` | Apache exporter image tag (immutable tags are recommended) | `0.11.0-debian-11-r90` | -| `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | Apache exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Apache exporter image pull secrets | `[]` | -| `metrics.containerPorts.metrics` | Prometheus exporter container port | `9117` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe on Prometheus exporter containers | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe on Prometheus exporter containers | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.startupProbe.enabled` | Enable startupProbe on Prometheus exporter containers | `false` | -| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `metrics.resources.limits` | The resources limits for the Prometheus exporter container | `{}` | -| `metrics.resources.requests` | The requested resources for the Prometheus exporter container | `{}` | -| `metrics.service.ports.metrics` | Prometheus metrics service port | `9150` | -| `metrics.service.annotations` | Additional custom annotations for Metrics service | `{}` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | -| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | - +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | +| `metrics.enabled` | Start a sidecar prometheus exporter to expose metrics | `false` | +| `metrics.image.registry` | Apache exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Apache exporter image repository | `REPOSITORY_NAME/apache-exporter` | +| `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Apache exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Apache exporter image pull secrets | `[]` | +| `metrics.containerPorts.metrics` | Prometheus exporter container port | `9117` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on Prometheus exporter containers | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on Prometheus exporter containers | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe on Prometheus exporter containers | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `metrics.service.ports.metrics` | Prometheus metrics service port | `9150` | +| `metrics.service.annotations` | Additional custom annotations for Metrics service | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | ### NetworkPolicy parameters -| Name | Description | Value | -| ------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ------- | -| `networkPolicy.enabled` | Enable network policies | `false` | -| `networkPolicy.metrics.enabled` | Enable network policy for metrics (prometheus) | `false` | -| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` | -| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` | -| `networkPolicy.ingress.enabled` | Enable network policy for Ingress Proxies | `false` | -| `networkPolicy.ingress.namespaceSelector` | Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. | `{}` | -| `networkPolicy.ingress.podSelector` | Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. | `{}` | -| `networkPolicy.ingressRules.backendOnlyAccessibleByFrontend` | Enable ingress rule that makes the backend (mariadb) only accessible by testlink's pods. | `false` | -| `networkPolicy.ingressRules.customBackendSelector` | Backend selector labels. These labels will be used to identify the backend pods. | `{}` | -| `networkPolicy.ingressRules.accessOnlyFrom.enabled` | Enable ingress rule that makes testlink only accessible from a particular origin | `false` | -| `networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access testlink. This label will be used to identified the allowed namespace(s). | `{}` | -| `networkPolicy.ingressRules.accessOnlyFrom.podSelector` | Pods selector label that is allowed to access testlink. This label will be used to identified the allowed pod(s). | `{}` | -| `networkPolicy.ingressRules.customRules` | Custom network policy ingress rule | `{}` | -| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` | -| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | - +| Name | Description | Value | +| --------------------------------------- | --------------------------------------------------------------- | ------ | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Database Parameters -| Name | Description | Value | -| ------------------------------------------ | --------------------------------------------------------------------------------- | ------------------- | -| `mariadb.enabled` | Deploy a MariaDB server to satisfy the applications database requirements | `true` | -| `mariadb.architecture` | MariaDB architecture. Allowed values: `standalone` or `replication` | `standalone` | -| `mariadb.auth.rootPassword` | MariaDB root password | `""` | -| `mariadb.auth.database` | MariaDB custom database | `bitnami_wordpress` | -| `mariadb.auth.username` | MariaDB custom user name | `bn_wordpress` | -| `mariadb.auth.password` | MariaDB custom user password | `""` | -| `mariadb.primary.persistence.enabled` | Enable persistence on MariaDB using PVC(s) | `true` | -| `mariadb.primary.persistence.storageClass` | Persistent Volume storage class | `""` | -| `mariadb.primary.persistence.accessModes` | Persistent Volume access modes | `[]` | -| `mariadb.primary.persistence.size` | Persistent Volume size | `8Gi` | -| `externalDatabase.host` | External Database server host | `localhost` | -| `externalDatabase.port` | External Database server port | `3306` | -| `externalDatabase.user` | External Database username | `bn_wordpress` | -| `externalDatabase.password` | External Database user password | `""` | -| `externalDatabase.database` | External Database database name | `bitnami_wordpress` | -| `externalDatabase.existingSecret` | The name of an existing secret with database credentials. Evaluated as a template | `""` | -| `memcached.enabled` | Deploy a Memcached server for caching database queries | `false` | -| `memcached.auth.enabled` | Enable Memcached authentication | `false` | -| `memcached.auth.username` | Memcached admin user | `""` | -| `memcached.auth.password` | Memcached admin password | `""` | -| `memcached.service.port` | Memcached service port | `11211` | -| `externalCache.host` | External cache server host | `localhost` | -| `externalCache.port` | External cache server port | `11211` | - - -The above parameters map to the env variables defined in [bitnami/wordpress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress). For more information please refer to the [bitnami/wordpress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) image documentation. +| Name | Description | Value | +| ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `mariadb.enabled` | Deploy a MariaDB server to satisfy the applications database requirements | `true` | +| `mariadb.architecture` | MariaDB architecture. Allowed values: `standalone` or `replication` | `standalone` | +| `mariadb.auth.rootPassword` | MariaDB root password | `""` | +| `mariadb.auth.database` | MariaDB custom database | `bitnami_wordpress` | +| `mariadb.auth.username` | MariaDB custom user name | `bn_wordpress` | +| `mariadb.auth.password` | MariaDB custom user password | `""` | +| `mariadb.primary.persistence.enabled` | Enable persistence on MariaDB using PVC(s) | `true` | +| `mariadb.primary.persistence.storageClass` | Persistent Volume storage class | `""` | +| `mariadb.primary.persistence.accessModes` | Persistent Volume access modes | `[]` | +| `mariadb.primary.persistence.size` | Persistent Volume size | `8Gi` | +| `mariadb.primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `micro` | +| `mariadb.primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalDatabase.host` | External Database server host | `localhost` | +| `externalDatabase.port` | External Database server port | `3306` | +| `externalDatabase.user` | External Database username | `bn_wordpress` | +| `externalDatabase.password` | External Database user password | `""` | +| `externalDatabase.database` | External Database database name | `bitnami_wordpress` | +| `externalDatabase.existingSecret` | The name of an existing secret with database credentials. Evaluated as a template | `""` | +| `memcached.enabled` | Deploy a Memcached server for caching database queries | `false` | +| `memcached.auth.enabled` | Enable Memcached authentication | `false` | +| `memcached.auth.username` | Memcached admin user | `""` | +| `memcached.auth.password` | Memcached admin password | `""` | +| `memcached.auth.existingPasswordSecret` | Existing secret with Memcached credentials (must contain a value for `memcached-password` key) | `""` | +| `memcached.service.port` | Memcached service port | `11211` | +| `memcached.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` | +| `memcached.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalCache.host` | External cache server host | `localhost` | +| `externalCache.port` | External cache server port | `11211` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, ```console -$ helm install my-release \ +helm install my-release \ --set wordpressUsername=admin \ --set wordpressPassword=password \ --set mariadb.auth.rootPassword=secretpassword \ - my-repo/wordpress + oci://REGISTRY_NAME/REPOSITORY_NAME/wordpress ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + The above command sets the WordPress administrator account username and password to `admin` and `password` respectively. Additionally, it sets the MariaDB `root` user password to `secretpassword`. > NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. @@ -402,131 +638,85 @@ The above command sets the WordPress administrator account username and password Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, ```console -$ helm install my-release -f values.yaml my-repo/wordpress +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/wordpress ``` -> **Tip**: You can use the default [values.yaml](values.yaml) - -## Configuration and installation details - -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/wordpress/values.yaml) -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. +## Troubleshooting -### Known limitations +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). -When performing admin operations that require activating the maintenance mode (such as updating a plugin or theme), it's activated in only one replica (see: [bug report](https://core.trac.wordpress.org/ticket/50797)). This implies that WP could be attending requests on other replicas while performing admin operations, with unpredictable consequences. +## Notable changes -To avoid that, you can manually activate/deactivate the maintenance mode on every replica using the WP CLI. For instance, if you installed WP with three replicas, you can run the commands below to activate the maintenance mode in all of them (assuming that the release name is `wordpress`): +### 13.2.0 -```console -$ kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[0].metadata.name}') -c wordpress -- wp maintenance-mode activate -$ kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[1].metadata.name}') -c wordpress -- wp maintenance-mode activate -$ kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[2].metadata.name}') -c wordpress -- wp maintenance-mode activate -``` +Removed support for limiting auto-updates to WordPress core via the `wordpressAutoUpdateLevel` option. To update WordPress core, we recommend you use the `helm upgrade` command to update your deployment instead of using the built-in update functionality. -### External database support +### 11.0.0 -You may want to have WordPress connect to an external database rather than installing one inside your cluster. Typical reasons for this are to use a managed database service, or to share a common database server for all your applications. To achieve this, the chart allows you to specify credentials for an external database with the [`externalDatabase` parameter](#database-parameters). You should also disable the MariaDB installation with the `mariadb.enabled` option. Here is an example: +The [Bitnami WordPress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) image was refactored and now the source code is published in GitHub in the `rootfs` folder of the container image. -```console -mariadb.enabled=false -externalDatabase.host=myexternalhost -externalDatabase.user=myuser -externalDatabase.password=mypassword -externalDatabase.database=mydatabase -externalDatabase.port=3306 -``` +In addition, several new features have been implemented: -Refer to the [documentation on using an external database with WordPress](https://docs.bitnami.com/kubernetes/apps/wordpress/configuration/use-external-database/) and the [tutorial on integrating WordPress with a managed cloud database](https://docs.bitnami.com/tutorials/secure-wordpress-kubernetes-managed-database-ssl-upgrades/) for more information. +- Multisite mode is now supported via `multisite.*` options. +- Plugins can be installed and activated on the first deployment via the `wordpressPlugins` option. +- Added support for limiting auto-updates to WordPress core via the `wordpressAutoUpdateLevel` option. In addition, auto-updates have been disabled by default. To update WordPress core, we recommend to swap the container image version for your deployment instead of using the built-in update functionality. -### Memcached +To enable the new features, it is not possible to do it by upgrading an existing deployment. Instead, it is necessary to perform a fresh deploy. -This chart provides support for using Memcached to cache database queries and objects improving the website performance. To enable this feature, set `wordpressConfigureCache` and `memcached.enabled` parameters to `true`. +## Upgrading -When this feature is enabled, a Memcached server will be deployed in your K8s cluster using the Bitnami Memcached chart and the [W3 Total Cache](https://wordpress.org/plugins/w3-total-cache/) plugin will be activated and configured to use the Memcached server for database caching. +### To 24.0.0 -It is also possible to use an external cache server rather than installing one inside your cluster. To achieve this, the chart allows you to specify credentials for an external cache server with the [`externalCache` parameter](#database-parameters). You should also disable the Memcached installation with the `memcached.enabled` option. Here is an example: +This major bump updates the MariaDB subchart to version 20.0.0. This subchart updates the StatefulSet objects `serviceName` to use a headless service, as the current non-headless service attached to it was not providing DNS entries. This will cause an upgrade issue because it changes "immutable fields". To workaround it, delete the StatefulSet objects as follows (replace the RELEASE_NAME placeholder): -```console -wordpressConfigureCache=true -memcached.enabled=false -externalCache.host=myexternalcachehost -externalCache.port=11211 +```shell +kubectl delete sts RELEASE_NAME-mariadb --cascade=false ``` -### Ingress - -This chart provides support for Ingress resources. If an Ingress controller, such as nginx-ingress or traefik, that Ingress controller can be used to serve WordPress. - -To enable Ingress integration, set `ingress.enabled` to `true`. The `ingress.hostname` property can be used to set the host name. The `ingress.tls` parameter can be used to add the TLS configuration for this host. It is also possible to have more than one host, with a separate TLS configuration for each host. [Learn more about configuring and using Ingress](https://docs.bitnami.com/kubernetes/apps/wordpress/configuration/configure-ingress/). - -### TLS secrets - -The chart also facilitates the creation of TLS secrets for use with the Ingress controller, with different options for certificate management. [Learn more about TLS secrets](https://docs.bitnami.com/kubernetes/apps/wordpress/administration/enable-tls-ingress/). - -### `.htaccess` files - -For performance and security reasons, it is a good practice to configure Apache with the `AllowOverride None` directive. Instead of using `.htaccess` files, Apache will load the same directives at boot time. These directives are located in `/opt/bitnami/wordpress/wordpress-htaccess.conf`. - -By default, the container image includes all the default `.htaccess` files in WordPress (together with the default plugins). To enable this feature, install the chart with the value `allowOverrideNone=yes`. - -[Learn more about working with `.htaccess` files](https://docs.bitnami.com/kubernetes/apps/wordpress/configuration/understand-htaccess/). - -## Persistence - -The [Bitnami WordPress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) image stores the WordPress data and configurations at the `/bitnami` path of the container. Persistent Volume Claims are used to keep the data across deployments. - -If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). - -### Additional environment variables +Then execute `helm upgrade` as usual. -In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property. +### To 23.0.0 -```yaml -wordpress: - extraEnvVars: - - name: LOG_LEVEL - value: error -``` +This major release bumps the MariaDB version to 11.4. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-11-3-to-mariadb-11-4/) for upgrading from MariaDB 11.3 to 11.4. No major issues are expected during the upgrade. -Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values. +### To 22.0.0 -### Sidecars +This major release bumps the MariaDB chart version to [18.x.x](https://github.com/bitnami/charts/pull/24804); no major issues are expected during the upgrade. -If additional containers are needed in the same pod as WordPress (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter. [Learn more about configuring and using sidecar containers](https://docs.bitnami.com/kubernetes/apps/wordpress/configuration/configure-sidecar-init-containers/). +### To 21.0.0 -### Pod affinity +This major bump changes the following security defaults: -This chart allows you to set your custom affinity using the `affinity` parameter. Learn more about Pod affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. +- The `networkPolicy` section has been normalized amongst all Bitnami charts. Compared to the previous approach, the values section has been simplified (check the Parameters section) and now it set to `enabled=true` by default. Egress traffic is allowed by default and ingress traffic is allowed by all pods but only to the ports set in `containerPorts` and `extraContainerPorts`. -As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. - -## Troubleshooting +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. -Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). +### To 20.0.0 -## Notable changes +This major release bumps the MariaDB chart version to [16.x.x](https://github.com/bitnami/charts/pull/23054); no major issues are expected during the upgrade. -### 13.2.0 +### To 19.0.0 -Removed support for limiting auto-updates to WordPress core via the `wordpressAutoUpdateLevel` option. To update WordPress core, we recommend you use the `helm upgrade` command to update your deployment instead of using the built-in update functionality. +This major release bumps the MariaDB version to 11.2. No major issues are expected during the upgrade. -### 11.0.0 +### To 18.0.0 -The [Bitnami WordPress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) image was refactored and now the source code is published in GitHub in the `rootfs` folder of the container image. +This major release bumps the MariaDB version to 11.1. No major issues are expected during the upgrade. -In addition, several new features have been implemented: +### To 17.0.0 -- Multisite mode is now supported via `multisite.*` options. -- Plugins can be installed and activated on the first deployment via the `wordpressPlugins` option. -- Added support for limiting auto-updates to WordPress core via the `wordpressAutoUpdateLevel` option. In addition, auto-updates have been disabled by default. To update WordPress core, we recommend to swap the container image version for your deployment instead of using the built-in update functionality. +This major release bumps the MariaDB version to 11.0. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-0/) for upgrading from MariaDB 10.11 to 11.0. No major issues are expected during the upgrade. -To enable the new features, it is not possible to do it by upgrading an existing deployment. Instead, it is necessary to perform a fresh deploy. +### To 16.0.0 -## Upgrading +This major release bumps the MariaDB version to 10.11. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for upgrading from MariaDB 10.6 to 10.11. No major issues are expected during the upgrade. ### To 14.0.0 @@ -558,8 +748,6 @@ Compatibility is not guaranteed due to the amount of involved changes, however n [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/apps/wordpress/administration/upgrade-helm3/). - #### Additional upgrade notes - MariaDB dependency version was bumped to a new major version that introduces several incompatibilities. Therefore, backwards compatibility is not guaranteed unless an external database is used. Check [MariaDB Upgrading Notes](https://github.com/bitnami/charts/tree/main/bitnami/mariadb#to-800) for more information. @@ -572,24 +760,28 @@ Compatibility is not guaranteed due to the amount of involved changes, however n Obtain the credentials and the name of the PVC used to hold the MariaDB data on your current release: ```console -$ export WORDPRESS_PASSWORD=$(kubectl get secret --namespace default wordpress -o jsonpath="{.data.wordpress-password}" | base64 -d) -$ export MARIADB_ROOT_PASSWORD=$(kubectl get secret --namespace default wordpress-mariadb -o jsonpath="{.data.mariadb-root-password}" | base64 -d) -$ export MARIADB_PASSWORD=$(kubectl get secret --namespace default wordpress-mariadb -o jsonpath="{.data.mariadb-password}" | base64 -d) -$ export MARIADB_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=wordpress,app.kubernetes.io/name=mariadb,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}") +export WORDPRESS_PASSWORD=$(kubectl get secret --namespace default wordpress -o jsonpath="{.data.wordpress-password}" | base64 -d) +export MARIADB_ROOT_PASSWORD=$(kubectl get secret --namespace default wordpress-mariadb -o jsonpath="{.data.mariadb-root-password}" | base64 -d) +export MARIADB_PASSWORD=$(kubectl get secret --namespace default wordpress-mariadb -o jsonpath="{.data.mariadb-password}" | base64 -d) +export MARIADB_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=wordpress,app.kubernetes.io/name=mariadb,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}") ``` Upgrade your release (maintaining the version) disabling MariaDB and scaling WordPress replicas to 0: ```console -$ helm upgrade wordpress my-repo/wordpress --set wordpressPassword=$WORDPRESS_PASSWORD --set replicaCount=0 --set mariadb.enabled=false --version 9.6.4 +helm upgrade wordpress oci://REGISTRY_NAME/REPOSITORY_NAME/wordpress --set wordpressPassword=$WORDPRESS_PASSWORD --set replicaCount=0 --set mariadb.enabled=false --version 9.6.4 ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + Finally, upgrade you release to `10.0.0` reusing the existing PVC, and enabling back MariaDB: ```console -$ helm upgrade wordpress my-repo/wordpress --set mariadb.primary.persistence.existingClaim=$MARIADB_PVC --set mariadb.auth.rootPassword=$MARIADB_ROOT_PASSWORD --set mariadb.auth.password=$MARIADB_PASSWORD --set wordpressPassword=$WORDPRESS_PASSWORD +helm upgrade wordpress oci://REGISTRY_NAME/REPOSITORY_NAME/wordpress --set mariadb.primary.persistence.existingClaim=$MARIADB_PVC --set mariadb.auth.rootPassword=$MARIADB_ROOT_PASSWORD --set mariadb.auth.password=$MARIADB_PASSWORD --set wordpressPassword=$WORDPRESS_PASSWORD ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + You should see the lines below in MariaDB container logs: ```console @@ -617,7 +809,7 @@ To upgrade to `9.0.0`, it's recommended to install a new WordPress chart, and mi Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. -In https://github.com/helm/charts/pulls/12642 the `apiVersion` of the deployment resources was updated to `apps/v1` in tune with the API's deprecated, resulting in compatibility breakage. +In the `apiVersion` of the deployment resources was updated to `apps/v1` in tune with the API's deprecated, resulting in compatibility breakage. This major version signifies this change. @@ -627,19 +819,19 @@ Backwards compatibility is not guaranteed unless you modify the labels used on t Use the workaround below to upgrade from versions previous to `3.0.0`. The following example assumes that the release name is `wordpress`: ```console -$ kubectl patch deployment wordpress-wordpress --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' -$ kubectl delete statefulset wordpress-mariadb --cascade=false +kubectl patch deployment wordpress-wordpress --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' +kubectl delete statefulset wordpress-mariadb --cascade=false ``` ## License -Copyright © 2023 Bitnami +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/charts/wordpress/wordpress/charts/wordpress/.helmignore b/charts/wordpress/wordpress/charts/wordpress/.helmignore index f0c131944..207983f36 100644 --- a/charts/wordpress/wordpress/charts/wordpress/.helmignore +++ b/charts/wordpress/wordpress/charts/wordpress/.helmignore @@ -19,3 +19,7 @@ .project .idea/ *.tmproj +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/charts/wordpress/wordpress/charts/wordpress/Chart.lock b/charts/wordpress/wordpress/charts/wordpress/Chart.lock index 4263d5602..c0e685406 100644 --- a/charts/wordpress/wordpress/charts/wordpress/Chart.lock +++ b/charts/wordpress/wordpress/charts/wordpress/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: memcached - repository: https://charts.bitnami.com/bitnami - version: 6.3.5 + repository: oci://registry-1.docker.io/bitnamicharts + version: 7.5.3 - name: mariadb - repository: https://charts.bitnami.com/bitnami - version: 11.4.6 + repository: oci://registry-1.docker.io/bitnamicharts + version: 20.1.1 - name: common - repository: https://charts.bitnami.com/bitnami - version: 2.2.3 -digest: sha256:9f9822d7b2d3da42ea081de9c548a5e6a31a977ef213e3607b9cbb686ed62ff7 -generated: "2023-02-07T23:22:27.684602109Z" + repository: oci://registry-1.docker.io/bitnamicharts + version: 2.27.2 +digest: sha256:13c9c1f9eafa7d4a9edf5febf5975cccca69b19840e0fab29d9a98e21ee58515 +generated: "2024-12-03T15:57:28.120379949Z" diff --git a/charts/wordpress/wordpress/charts/wordpress/Chart.yaml b/charts/wordpress/wordpress/charts/wordpress/Chart.yaml index b477cfbc9..e8ce8ab9f 100644 --- a/charts/wordpress/wordpress/charts/wordpress/Chart.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/Chart.yaml @@ -1,26 +1,33 @@ annotations: category: CMS + images: | + - name: apache-exporter + image: docker.io/bitnami/apache-exporter:1.0.9-debian-12-r4 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r33 + - name: wordpress + image: docker.io/bitnami/wordpress:6.7.1-debian-12-r3 licenses: Apache-2.0 apiVersion: v2 -appVersion: 6.1.1 +appVersion: 6.7.1 dependencies: - condition: memcached.enabled name: memcached - repository: https://charts.bitnami.com/bitnami - version: 6.x.x + repository: oci://registry-1.docker.io/bitnamicharts + version: 7.x.x - condition: mariadb.enabled name: mariadb - repository: https://charts.bitnami.com/bitnami - version: 11.x.x + repository: oci://registry-1.docker.io/bitnamicharts + version: 20.x.x - name: common - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts tags: - bitnami-common version: 2.x.x description: WordPress is the world's most popular blogging and content management platform. Powerful yet simple, everyone from students to global corporations use it to build beautiful, functional websites. -home: https://github.com/bitnami/charts/tree/main/bitnami/wordpress +home: https://bitnami.com icon: https://bitnami.com/assets/stacks/wordpress/img/wordpress-stack-220x234.png keywords: - application @@ -31,10 +38,9 @@ keywords: - web - wordpress maintainers: -- name: Bitnami +- name: Broadcom, Inc. All Rights Reserved. url: https://github.com/bitnami/charts name: wordpress sources: -- https://github.com/bitnami/containers/tree/main/bitnami/wordpress -- https://wordpress.org/ -version: 15.2.39 +- https://github.com/bitnami/charts/tree/main/bitnami/wordpress +version: 24.0.10 diff --git a/charts/wordpress/wordpress/charts/wordpress/README.md b/charts/wordpress/wordpress/charts/wordpress/README.md index 31c346bf7..491200022 100644 --- a/charts/wordpress/wordpress/charts/wordpress/README.md +++ b/charts/wordpress/wordpress/charts/wordpress/README.md @@ -1,20 +1,19 @@ -# WordPress packaged by Bitnami +# Bitnami package for WordPress WordPress is the world's most popular blogging and content management platform. Powerful yet simple, everyone from students to global corporations use it to build beautiful, functional websites. [Overview of WordPress](http://www.wordpress.org) - - ## TL;DR ```console -$ helm repo add my-repo https://charts.bitnami.com/bitnami -$ helm install my-release my-repo/wordpress +helm install my-release oci://registry-1.docker.io/bitnamicharts/wordpress ``` +Looking to use WordPress in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + ## Introduction This chart bootstraps a [WordPress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. @@ -25,8 +24,8 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment ## Prerequisites -- Kubernetes 1.19+ -- Helm 3.2.0+ +- Kubernetes 1.23+ +- Helm 3.8.0+ - PV provisioner support in the underlying infrastructure - ReadWriteMany volumes for deployment scaling @@ -35,34 +34,253 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment To install the chart with the release name `my-release`: ```console -$ helm repo add my-repo https://charts.bitnami.com/bitnami -$ helm install my-release my-repo/wordpress +helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/wordpress ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + The command deploys WordPress on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### Update credentials + +Bitnami charts configure credentials at first boot. Any further change in the secrets or credentials require manual intervention. Follow these instructions: + +- Update the user password following [the upstream documentation](https://wordpress.org/documentation/) +- Update the password secret with the new values (replace the SECRET_NAME, PASSWORD and SMTP_PASSWORD placeholders) + +```shell +kubectl create secret generic SECRET_NAME --from-literal=wordpress-password=PASSWORD --from-literal=smtp-password=SMTP_PASSWORD --dry-run -o yaml | kubectl apply -f - +``` + +### Prometheus metrics + +This chart can be integrated with Prometheus by setting `metrics.enabled` to `true`. This will deploy a sidecar container with [apache-exporter](https://github.com/Lusitaniae/apache_exporter) in all pods and a `metrics` service, which can be configured under the `metrics.service` section. This `metrics` service will have the necessary annotations to be automatically scraped by Prometheus. + +#### Prometheus requirements + +It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the [Bitnami Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/prometheus) or the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) to easily have a working Prometheus in your cluster. -To uninstall/delete the `my-release` deployment: +#### Integration with Prometheus Operator + +The chart can deploy `ServiceMonitor` objects for integration with Prometheus Operator installations. To do so, set the value `metrics.serviceMonitor.enabled=true`. Ensure that the Prometheus Operator `CustomResourceDefinitions` are installed in the cluster or it will fail with the following error: + +```text +no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1" +``` + +Install the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) for having the necessary CRDs and the Prometheus Operator. + +### [Rolling VS Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Known limitations + +When performing admin operations that require activating the maintenance mode (such as updating a plugin or theme), it's activated in only one replica (see: [bug report](https://core.trac.wordpress.org/ticket/50797)). This implies that WP could be attending requests on other replicas while performing admin operations, with unpredictable consequences. + +To avoid that, you can manually activate/deactivate the maintenance mode on every replica using the WP CLI. For instance, if you installed WP with three replicas, you can run the commands below to activate the maintenance mode in all of them (assuming that the release name is `wordpress`): ```console -$ helm delete my-release +kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[0].metadata.name}') -c wordpress -- wp maintenance-mode activate +kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[1].metadata.name}') -c wordpress -- wp maintenance-mode activate +kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[2].metadata.name}') -c wordpress -- wp maintenance-mode activate +``` + +### External database support + +You may want to have WordPress connect to an external database rather than installing one inside your cluster. Typical reasons for this are to use a managed database service, or to share a common database server for all your applications. To achieve this, the chart allows you to specify credentials for an external database with the [`externalDatabase` parameter](#database-parameters). You should also disable the MariaDB installation with the `mariadb.enabled` option. Here is an example: + +```console +mariadb.enabled=false +externalDatabase.host=myexternalhost +externalDatabase.user=myuser +externalDatabase.password=mypassword +externalDatabase.database=mydatabase +externalDatabase.port=3306 +``` + +If the database already contains data from a previous WordPress installation, set the `wordpressSkipInstall` parameter to `true`. This parameter forces the container to skip the WordPress installation wizard. Otherwise, the container will assume it is a fresh installation and execute the installation wizard, potentially modifying or resetting the data in the existing database. + +[Refer to the container documentation for more information](https://github.com/bitnami/containers/tree/main/bitnami/wordpress#connect-wordpress-container-to-an-existing-database). + +### Memcached + +This chart provides support for using Memcached to cache database queries and objects improving the website performance. To enable this feature, set `wordpressConfigureCache` and `memcached.enabled` parameters to `true`. + +When this feature is enabled, a Memcached server will be deployed in your K8s cluster using the Bitnami Memcached chart and the [W3 Total Cache](https://wordpress.org/plugins/w3-total-cache/) plugin will be activated and configured to use the Memcached server for database caching. + +It is also possible to use an external cache server rather than installing one inside your cluster. To achieve this, the chart allows you to specify credentials for an external cache server with the [`externalCache` parameter](#database-parameters). You should also disable the Memcached installation with the `memcached.enabled` option. Here is an example: + +```console +wordpressConfigureCache=true +memcached.enabled=false +externalCache.host=myexternalcachehost +externalCache.port=11211 ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +### Ingress + +This chart provides support for Ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress-controller](https://github.com/bitnami/charts/tree/main/bitnami/nginx-ingress-controller) or [contour](https://github.com/bitnami/charts/tree/main/bitnami/contour) you can utilize the ingress controller to serve your application.To enable Ingress integration, set `ingress.enabled` to `true`. + +The most common scenario is to have one host name mapped to the deployment. In this case, the `ingress.hostname` property can be used to set the host name. The `ingress.tls` parameter can be used to add the TLS configuration for this host. + +However, it is also possible to have more than one host. To facilitate this, the `ingress.extraHosts` parameter (if available) can be set with the host names specified as an array. The `ingress.extraTLS` parameter (if available) can also be used to add the TLS configuration for extra hosts. + +> NOTE: For each host specified in the `ingress.extraHosts` parameter, it is necessary to set a name, path, and any annotations that the Ingress controller should know about. Not all annotations are supported by all Ingress controllers, but [this annotation reference document](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) lists the annotations supported by many popular Ingress controllers. + +Adding the TLS parameter (where available) will cause the chart to generate HTTPS URLs, and the application will be available on port 443. The actual TLS secrets do not have to be generated by this chart. However, if TLS is enabled, the Ingress record will not work until the TLS secret exists. + +[Learn more about Ingress controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/). + +### Securing traffic using TLS + +This chart facilitates the creation of TLS secrets for use with the Ingress controller (although this is not mandatory). There are several common use cases: + +- Generate certificate secrets based on chart parameters. +- Enable externally generated certificates. +- Manage application certificates via an external service (like [cert-manager](https://github.com/jetstack/cert-manager/)). +- Create self-signed certificates within the chart (if supported). + +In the first two cases, a certificate and a key are needed. Files are expected in `.pem` format. + +Here is an example of a certificate file: + +> NOTE: There may be more than one certificate if there is a certificate chain. + +```text +-----BEGIN CERTIFICATE----- +MIID6TCCAtGgAwIBAgIJAIaCwivkeB5EMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +... +jScrvkiBO65F46KioCL9h5tDvomdU1aqpI/CBzhvZn1c0ZTf87tGQR8NK7v7 +-----END CERTIFICATE----- +``` + +Here is an example of a certificate key: + +```text +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAvLYcyu8f3skuRyUgeeNpeDvYBCDcgq+LsWap6zbX5f8oLqp4 +... +wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc= +-----END RSA PRIVATE KEY----- +``` + +- If using Helm to manage the certificates based on the parameters, copy these values into the `certificate` and `key` values for a given `*.ingress.secrets` entry. +- If managing TLS secrets separately, it is necessary to create a TLS secret with name `INGRESS_HOSTNAME-tls` (where INGRESS_HOSTNAME is a placeholder to be replaced with the hostname you set using the `*.ingress.hostname` parameter). +- If your cluster has a [cert-manager](https://github.com/jetstack/cert-manager) add-on to automate the management and issuance of TLS certificates, add to `*.ingress.annotations` the [corresponding ones](https://cert-manager.io/docs/usage/ingress/#supported-annotations) for cert-manager. +- If using self-signed certificates created by Helm, set both `*.ingress.tls` and `*.ingress.selfSigned` to `true`. + +### `.htaccess` files + +For performance and security reasons, it is a good practice to configure Apache with the `AllowOverride None` directive. Instead of using `.htaccess` files, Apache will load the same directives at boot time. These directives are located in `/opt/bitnami/wordpress/wordpress-htaccess.conf`. + +By default, the container image includes all the default `.htaccess` files in WordPress (together with the default plugins). To enable this feature, install the chart with the value `allowOverrideNone=yes`. + +However, some plugins may include `.htaccess` directives that will not be loaded when `AllowOverride` is set to `None`. To make them work, create a custom `wordpress-htaccess.conf` file with all the required directives. After creating it, create a Kubernetes ConfigMap with it (for example, named `custom-htaccess`) and install the chart with the correct parameters as shown below: + +```text + allowOverrideNone=true + customHTAccessCM=custom-htaccess +``` + +Some plugins permit editing the `.htaccess` file and it may be necessary to persist it in order to keep those edits. To make these plugins work, set the `htaccessPersistenceEnabled` parameter as shown below: + +```text + allowOverrideNone=false + htaccessPersistenceEnabled=true +``` + +### Backup and restore + +To back up and restore Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool. Find the instructions for using Velero in [this guide](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-backup-restore-deployments-velero-index.html). + +## Persistence + +The [Bitnami WordPress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) image stores the WordPress data and configurations at the `/bitnami` path of the container. Persistent Volume Claims are used to keep the data across deployments. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). + +### Additional environment variables + +In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property. + +```yaml +wordpress: + extraEnvVars: + - name: LOG_LEVEL + value: error +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values. + +### Sidecars + +If additional containers are needed in the same pod as WordPress (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. + +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). + +### Pod affinity + +This chart allows you to set your custom affinity using the `affinity` parameter. Learn more about Pod affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. ## Parameters ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | - +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters @@ -79,19 +297,16 @@ The command removes all the Kubernetes components associated with the chart and | `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | | `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | - ### WordPress Image parameters -| Name | Description | Value | -| ------------------- | --------------------------------------------------------------------------------------------------------- | --------------------- | -| `image.registry` | WordPress image registry | `docker.io` | -| `image.repository` | WordPress image repository | `bitnami/wordpress` | -| `image.tag` | WordPress image tag (immutable tags are recommended) | `6.1.1-debian-11-r42` | -| `image.digest` | WordPress image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | WordPress image pull policy | `IfNotPresent` | -| `image.pullSecrets` | WordPress image pull secrets | `[]` | -| `image.debug` | Specify if debug values should be set | `false` | - +| Name | Description | Value | +| ------------------- | --------------------------------------------------------------------------------------------------------- | --------------------------- | +| `image.registry` | WordPress image registry | `REGISTRY_NAME` | +| `image.repository` | WordPress image repository | `REPOSITORY_NAME/wordpress` | +| `image.digest` | WordPress image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | WordPress image pull policy | `IfNotPresent` | +| `image.pullSecrets` | WordPress image pull secrets | `[]` | +| `image.debug` | Specify if debug values should be set | `false` | ### WordPress Configuration parameters @@ -120,6 +335,8 @@ The command removes all the Kubernetes components associated with the chart and | `smtpUser` | SMTP username | `""` | | `smtpPassword` | SMTP user password | `""` | | `smtpProtocol` | SMTP protocol | `""` | +| `smtpFromEmail` | SMTP from email (default is `smtpUser`) | `""` | +| `smtpFromName` | SMTP from name (default is `wordpressFirstName` and `wordpressLastName`) | `""` | | `smtpExistingSecret` | The name of an existing secret with SMTP credentials | `""` | | `allowEmptyPassword` | Allow the container to be started with blank passwords | `true` | | `allowOverrideNone` | Configure Apache to prohibit overriding directives with htaccess files | `false` | @@ -132,7 +349,6 @@ The command removes all the Kubernetes components associated with the chart and | `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | | `extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` | - ### WordPress Multisite Configuration parameters | Name | Description | Value | @@ -142,259 +358,279 @@ The command removes all the Kubernetes components associated with the chart and | `multisite.networkType` | WordPress Multisite network type to enable. Allowed values: `subfolder`, `subdirectory` or `subdomain`. | `subdomain` | | `multisite.enableNipIoRedirect` | Whether to enable IP address redirection to nip.io wildcard DNS. Useful when running on an IP address with subdomain network type. | `false` | - ### WordPress deployment parameters -| Name | Description | Value | -| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ---------------- | -| `replicaCount` | Number of WordPress replicas to deploy | `1` | -| `updateStrategy.type` | WordPress deployment strategy type | `RollingUpdate` | -| `updateStrategy.rollingUpdate` | WordPress deployment rolling update configuration parameters | `{}` | -| `schedulerName` | Alternate scheduler | `""` | -| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | -| `priorityClassName` | Name of the existing priority class to be used by WordPress pods, priority class needs to be created beforehand | `""` | -| `hostAliases` | WordPress pod host aliases | `[]` | -| `extraVolumes` | Optionally specify extra list of additional volumes for WordPress pods | `[]` | -| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for WordPress container(s) | `[]` | -| `sidecars` | Add additional sidecar containers to the WordPress pod | `[]` | -| `initContainers` | Add additional init containers to the WordPress pods | `[]` | -| `podLabels` | Extra labels for WordPress pods | `{}` | -| `podAnnotations` | Annotations for WordPress pods | `{}` | -| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` | -| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` | -| `affinity` | Affinity for pod assignment | `{}` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `resources.limits` | The resources limits for the WordPress containers | `{}` | -| `resources.requests.memory` | The requested memory for the WordPress containers | `512Mi` | -| `resources.requests.cpu` | The requested cpu for the WordPress containers | `300m` | -| `containerPorts.http` | WordPress HTTP container port | `8080` | -| `containerPorts.https` | WordPress HTTPS container port | `8443` | -| `extraContainerPorts` | Optionally specify extra list of additional ports for WordPress container(s) | `[]` | -| `podSecurityContext.enabled` | Enabled WordPress pods' Security Context | `true` | -| `podSecurityContext.fsGroup` | Set WordPress pod's Security Context fsGroup | `1001` | -| `podSecurityContext.seccompProfile.type` | Set WordPress container's Security Context seccomp profile | `RuntimeDefault` | -| `containerSecurityContext.enabled` | Enabled WordPress containers' Security Context | `true` | -| `containerSecurityContext.runAsUser` | Set WordPress container's Security Context runAsUser | `1001` | -| `containerSecurityContext.runAsNonRoot` | Set WordPress container's Security Context runAsNonRoot | `true` | -| `containerSecurityContext.allowPrivilegeEscalation` | Set WordPress container's privilege escalation | `false` | -| `containerSecurityContext.capabilities.drop` | Set WordPress container's Security Context runAsNonRoot | `["ALL"]` | -| `livenessProbe.enabled` | Enable livenessProbe on WordPress containers | `true` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `readinessProbe.enabled` | Enable readinessProbe on WordPress containers | `true` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `startupProbe.enabled` | Enable startupProbe on WordPress containers | `false` | -| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | -| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | -| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `lifecycleHooks` | for the WordPress container(s) to automate configuration before or after startup | `{}` | - +| Name | Description | Value | +| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `replicaCount` | Number of WordPress replicas to deploy | `1` | +| `updateStrategy.type` | WordPress deployment strategy type | `RollingUpdate` | +| `schedulerName` | Alternate scheduler | `""` | +| `terminationGracePeriodSeconds` | In seconds, time given to the WordPress pod to terminate gracefully | `""` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `priorityClassName` | Name of the existing priority class to be used by WordPress pods, priority class needs to be created beforehand | `""` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hostAliases` | WordPress pod host aliases | `[]` | +| `extraVolumes` | Optionally specify extra list of additional volumes for WordPress pods | `[]` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for WordPress container(s) | `[]` | +| `sidecars` | Add additional sidecar containers to the WordPress pod | `[]` | +| `initContainers` | Add additional init containers to the WordPress pods | `[]` | +| `podLabels` | Extra labels for WordPress pods | `{}` | +| `podAnnotations` | Annotations for WordPress pods | `{}` | +| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` | +| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` | +| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `containerPorts.http` | WordPress HTTP container port | `8080` | +| `containerPorts.https` | WordPress HTTPS container port | `8443` | +| `extraContainerPorts` | Optionally specify extra list of additional ports for WordPress container(s) | `[]` | +| `podSecurityContext.enabled` | Enabled WordPress pods' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `podSecurityContext.fsGroup` | Set WordPress pod's Security Context fsGroup | `1001` | +| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `livenessProbe.enabled` | Enable livenessProbe on WordPress containers | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe on WordPress containers | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `startupProbe.enabled` | Enable startupProbe on WordPress containers | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `lifecycleHooks` | for the WordPress container(s) to automate configuration before or after startup | `{}` | ### Traffic Exposure Parameters -| Name | Description | Value | -| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `service.type` | WordPress service type | `LoadBalancer` | -| `service.ports.http` | WordPress service HTTP port | `80` | -| `service.ports.https` | WordPress service HTTPS port | `443` | -| `service.httpsTargetPort` | Target port for HTTPS | `https` | -| `service.nodePorts.http` | Node port for HTTP | `""` | -| `service.nodePorts.https` | Node port for HTTPS | `""` | -| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `service.clusterIP` | WordPress service Cluster IP | `""` | -| `service.loadBalancerIP` | WordPress service Load Balancer IP | `""` | -| `service.loadBalancerSourceRanges` | WordPress service Load Balancer sources | `[]` | -| `service.externalTrafficPolicy` | WordPress service external traffic policy | `Cluster` | -| `service.annotations` | Additional custom annotations for WordPress service | `{}` | -| `service.extraPorts` | Extra port to expose on WordPress service | `[]` | -| `ingress.enabled` | Enable ingress record generation for WordPress | `false` | -| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | -| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | -| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `ingress.hostname` | Default host for the ingress record | `wordpress.local` | -| `ingress.path` | Default path for the ingress record | `/` | -| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | -| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` | -| `ingress.tlsWwwPrefix` | Adds www subdomain to default cert | `false` | -| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | -| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | -| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | -| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | -| `ingress.secrets` | Custom TLS certificates as secrets | `[]` | -| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | - +| Name | Description | Value | +| ----------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `service.type` | WordPress service type | `LoadBalancer` | +| `service.ports.http` | WordPress service HTTP port | `80` | +| `service.ports.https` | WordPress service HTTPS port | `443` | +| `service.httpsTargetPort` | Target port for HTTPS | `https` | +| `service.nodePorts.http` | Node port for HTTP | `""` | +| `service.nodePorts.https` | Node port for HTTPS | `""` | +| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.clusterIP` | WordPress service Cluster IP | `""` | +| `service.loadBalancerIP` | WordPress service Load Balancer IP | `""` | +| `service.loadBalancerSourceRanges` | WordPress service Load Balancer sources | `[]` | +| `service.externalTrafficPolicy` | WordPress service external traffic policy | `Cluster` | +| `service.annotations` | Additional custom annotations for WordPress service | `{}` | +| `service.extraPorts` | Extra port to expose on WordPress service | `[]` | +| `ingress.enabled` | Enable ingress record generation for WordPress | `false` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | +| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `ingress.hostname` | Default host for the ingress record. The hostname is templated and thus can contain other variable references. | `wordpress.local` | +| `ingress.path` | Default path for the ingress record | `/` | +| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` | +| `ingress.tlsWwwPrefix` | Adds www subdomain to default cert | `false` | +| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record. The host names are templated and thus can contain other variable references. | `[]` | +| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `ingress.secrets` | Custom TLS certificates as secrets | `[]` | +| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| `secondaryIngress.enabled` | Enable ingress record generation for WordPress | `false` | +| `secondaryIngress.pathType` | Ingress path type | `ImplementationSpecific` | +| `secondaryIngress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | +| `secondaryIngress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `secondaryIngress.hostname` | Default host for the ingress record. The hostname is templated and thus can contain other variable references. | `wordpress.local` | +| `secondaryIngress.path` | Default path for the ingress record | `/` | +| `secondaryIngress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `secondaryIngress.tls` | Enable TLS configuration for the host defined at `secondaryIngress.hostname` parameter | `false` | +| `secondaryIngress.tlsWwwPrefix` | Adds www subdomain to default cert | `false` | +| `secondaryIngress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `secondaryIngress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record. The host names are templated and thus can contain other variable references. | `[]` | +| `secondaryIngress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `secondaryIngress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `secondaryIngress.secrets` | Custom TLS certificates as secrets | `[]` | +| `secondaryIngress.extraRules` | Additional rules to be covered with this ingress record | `[]` | ### Persistence Parameters -| Name | Description | Value | -| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------- | ----------------------- | -| `persistence.enabled` | Enable persistence using Persistent Volume Claims | `true` | -| `persistence.storageClass` | Persistent Volume storage class | `""` | -| `persistence.accessModes` | Persistent Volume access modes | `[]` | -| `persistence.accessMode` | Persistent Volume access mode (DEPRECATED: use `persistence.accessModes` instead) | `ReadWriteOnce` | -| `persistence.size` | Persistent Volume size | `10Gi` | -| `persistence.dataSource` | Custom PVC data source | `{}` | -| `persistence.existingClaim` | The name of an existing PVC to use for persistence | `""` | -| `persistence.selector` | Selector to match an existing Persistent Volume for WordPress data PVC | `{}` | -| `persistence.annotations` | Persistent Volume Claim annotations | `{}` | -| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | -| `volumePermissions.image.registry` | Bitnami Shell image registry | `docker.io` | -| `volumePermissions.image.repository` | Bitnami Shell image repository | `bitnami/bitnami-shell` | -| `volumePermissions.image.tag` | Bitnami Shell image tag (immutable tags are recommended) | `11-debian-11-r81` | -| `volumePermissions.image.digest` | Bitnami Shell image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Bitnami Shell image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Bitnami Shell image pull secrets | `[]` | -| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | -| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | -| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | - +| Name | Description | Value | +| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `persistence.enabled` | Enable persistence using Persistent Volume Claims | `true` | +| `persistence.storageClass` | Persistent Volume storage class | `""` | +| `persistence.accessModes` | Persistent Volume access modes | `[]` | +| `persistence.accessMode` | Persistent Volume access mode (DEPRECATED: use `persistence.accessModes` instead) | `ReadWriteOnce` | +| `persistence.size` | Persistent Volume size | `10Gi` | +| `persistence.dataSource` | Custom PVC data source | `{}` | +| `persistence.existingClaim` | The name of an existing PVC to use for persistence | `""` | +| `persistence.selector` | Selector to match an existing Persistent Volume for WordPress data PVC | `{}` | +| `persistence.annotations` | Persistent Volume Claim annotations | `{}` | +| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | ### Other Parameters -| Name | Description | Value | -| --------------------------------------------- | ---------------------------------------------------------------------- | ------- | -| `serviceAccount.create` | Enable creation of ServiceAccount for WordPress pod | `false` | -| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | -| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | -| `pdb.create` | Enable a Pod Disruption Budget creation | `false` | -| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `1` | -| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `""` | -| `autoscaling.enabled` | Enable Horizontal POD autoscaling for WordPress | `false` | -| `autoscaling.minReplicas` | Minimum number of WordPress replicas | `1` | -| `autoscaling.maxReplicas` | Maximum number of WordPress replicas | `11` | -| `autoscaling.targetCPU` | Target CPU utilization percentage | `50` | -| `autoscaling.targetMemory` | Target Memory utilization percentage | `50` | - +| Name | Description | Value | +| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `serviceAccount.create` | Enable creation of ServiceAccount for WordPress pod | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | +| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +| `pdb.create` | Enable a Pod Disruption Budget creation | `true` | +| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | +| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. | `""` | +| `autoscaling.enabled` | Enable Horizontal POD autoscaling for WordPress | `false` | +| `autoscaling.minReplicas` | Minimum number of WordPress replicas | `1` | +| `autoscaling.maxReplicas` | Maximum number of WordPress replicas | `11` | +| `autoscaling.targetCPU` | Target CPU utilization percentage | `50` | +| `autoscaling.targetMemory` | Target Memory utilization percentage | `50` | ### Metrics Parameters -| Name | Description | Value | -| -------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | ------------------------- | -| `metrics.enabled` | Start a sidecar prometheus exporter to expose metrics | `false` | -| `metrics.image.registry` | Apache exporter image registry | `docker.io` | -| `metrics.image.repository` | Apache exporter image repository | `bitnami/apache-exporter` | -| `metrics.image.tag` | Apache exporter image tag (immutable tags are recommended) | `0.11.0-debian-11-r90` | -| `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | Apache exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Apache exporter image pull secrets | `[]` | -| `metrics.containerPorts.metrics` | Prometheus exporter container port | `9117` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe on Prometheus exporter containers | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe on Prometheus exporter containers | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.startupProbe.enabled` | Enable startupProbe on Prometheus exporter containers | `false` | -| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `metrics.resources.limits` | The resources limits for the Prometheus exporter container | `{}` | -| `metrics.resources.requests` | The requested resources for the Prometheus exporter container | `{}` | -| `metrics.service.ports.metrics` | Prometheus metrics service port | `9150` | -| `metrics.service.annotations` | Additional custom annotations for Metrics service | `{}` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | -| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | - +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | +| `metrics.enabled` | Start a sidecar prometheus exporter to expose metrics | `false` | +| `metrics.image.registry` | Apache exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Apache exporter image repository | `REPOSITORY_NAME/apache-exporter` | +| `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Apache exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Apache exporter image pull secrets | `[]` | +| `metrics.containerPorts.metrics` | Prometheus exporter container port | `9117` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on Prometheus exporter containers | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on Prometheus exporter containers | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe on Prometheus exporter containers | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `metrics.service.ports.metrics` | Prometheus metrics service port | `9150` | +| `metrics.service.annotations` | Additional custom annotations for Metrics service | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | ### NetworkPolicy parameters -| Name | Description | Value | -| ------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ------- | -| `networkPolicy.enabled` | Enable network policies | `false` | -| `networkPolicy.metrics.enabled` | Enable network policy for metrics (prometheus) | `false` | -| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` | -| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` | -| `networkPolicy.ingress.enabled` | Enable network policy for Ingress Proxies | `false` | -| `networkPolicy.ingress.namespaceSelector` | Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. | `{}` | -| `networkPolicy.ingress.podSelector` | Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. | `{}` | -| `networkPolicy.ingressRules.backendOnlyAccessibleByFrontend` | Enable ingress rule that makes the backend (mariadb) only accessible by testlink's pods. | `false` | -| `networkPolicy.ingressRules.customBackendSelector` | Backend selector labels. These labels will be used to identify the backend pods. | `{}` | -| `networkPolicy.ingressRules.accessOnlyFrom.enabled` | Enable ingress rule that makes testlink only accessible from a particular origin | `false` | -| `networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access testlink. This label will be used to identified the allowed namespace(s). | `{}` | -| `networkPolicy.ingressRules.accessOnlyFrom.podSelector` | Pods selector label that is allowed to access testlink. This label will be used to identified the allowed pod(s). | `{}` | -| `networkPolicy.ingressRules.customRules` | Custom network policy ingress rule | `{}` | -| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` | -| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | - +| Name | Description | Value | +| --------------------------------------- | --------------------------------------------------------------- | ------ | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Database Parameters -| Name | Description | Value | -| ------------------------------------------ | --------------------------------------------------------------------------------- | ------------------- | -| `mariadb.enabled` | Deploy a MariaDB server to satisfy the applications database requirements | `true` | -| `mariadb.architecture` | MariaDB architecture. Allowed values: `standalone` or `replication` | `standalone` | -| `mariadb.auth.rootPassword` | MariaDB root password | `""` | -| `mariadb.auth.database` | MariaDB custom database | `bitnami_wordpress` | -| `mariadb.auth.username` | MariaDB custom user name | `bn_wordpress` | -| `mariadb.auth.password` | MariaDB custom user password | `""` | -| `mariadb.primary.persistence.enabled` | Enable persistence on MariaDB using PVC(s) | `true` | -| `mariadb.primary.persistence.storageClass` | Persistent Volume storage class | `""` | -| `mariadb.primary.persistence.accessModes` | Persistent Volume access modes | `[]` | -| `mariadb.primary.persistence.size` | Persistent Volume size | `8Gi` | -| `externalDatabase.host` | External Database server host | `localhost` | -| `externalDatabase.port` | External Database server port | `3306` | -| `externalDatabase.user` | External Database username | `bn_wordpress` | -| `externalDatabase.password` | External Database user password | `""` | -| `externalDatabase.database` | External Database database name | `bitnami_wordpress` | -| `externalDatabase.existingSecret` | The name of an existing secret with database credentials. Evaluated as a template | `""` | -| `memcached.enabled` | Deploy a Memcached server for caching database queries | `false` | -| `memcached.auth.enabled` | Enable Memcached authentication | `false` | -| `memcached.auth.username` | Memcached admin user | `""` | -| `memcached.auth.password` | Memcached admin password | `""` | -| `memcached.service.port` | Memcached service port | `11211` | -| `externalCache.host` | External cache server host | `localhost` | -| `externalCache.port` | External cache server port | `11211` | - - -The above parameters map to the env variables defined in [bitnami/wordpress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress). For more information please refer to the [bitnami/wordpress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) image documentation. +| Name | Description | Value | +| ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `mariadb.enabled` | Deploy a MariaDB server to satisfy the applications database requirements | `true` | +| `mariadb.architecture` | MariaDB architecture. Allowed values: `standalone` or `replication` | `standalone` | +| `mariadb.auth.rootPassword` | MariaDB root password | `""` | +| `mariadb.auth.database` | MariaDB custom database | `bitnami_wordpress` | +| `mariadb.auth.username` | MariaDB custom user name | `bn_wordpress` | +| `mariadb.auth.password` | MariaDB custom user password | `""` | +| `mariadb.primary.persistence.enabled` | Enable persistence on MariaDB using PVC(s) | `true` | +| `mariadb.primary.persistence.storageClass` | Persistent Volume storage class | `""` | +| `mariadb.primary.persistence.accessModes` | Persistent Volume access modes | `[]` | +| `mariadb.primary.persistence.size` | Persistent Volume size | `8Gi` | +| `mariadb.primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `micro` | +| `mariadb.primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalDatabase.host` | External Database server host | `localhost` | +| `externalDatabase.port` | External Database server port | `3306` | +| `externalDatabase.user` | External Database username | `bn_wordpress` | +| `externalDatabase.password` | External Database user password | `""` | +| `externalDatabase.database` | External Database database name | `bitnami_wordpress` | +| `externalDatabase.existingSecret` | The name of an existing secret with database credentials. Evaluated as a template | `""` | +| `memcached.enabled` | Deploy a Memcached server for caching database queries | `false` | +| `memcached.auth.enabled` | Enable Memcached authentication | `false` | +| `memcached.auth.username` | Memcached admin user | `""` | +| `memcached.auth.password` | Memcached admin password | `""` | +| `memcached.auth.existingPasswordSecret` | Existing secret with Memcached credentials (must contain a value for `memcached-password` key) | `""` | +| `memcached.service.port` | Memcached service port | `11211` | +| `memcached.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` | +| `memcached.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalCache.host` | External cache server host | `localhost` | +| `externalCache.port` | External cache server port | `11211` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, ```console -$ helm install my-release \ +helm install my-release \ --set wordpressUsername=admin \ --set wordpressPassword=password \ --set mariadb.auth.rootPassword=secretpassword \ - my-repo/wordpress + oci://REGISTRY_NAME/REPOSITORY_NAME/wordpress ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + The above command sets the WordPress administrator account username and password to `admin` and `password` respectively. Additionally, it sets the MariaDB `root` user password to `secretpassword`. > NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. @@ -402,131 +638,85 @@ The above command sets the WordPress administrator account username and password Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, ```console -$ helm install my-release -f values.yaml my-repo/wordpress +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/wordpress ``` -> **Tip**: You can use the default [values.yaml](values.yaml) - -## Configuration and installation details - -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/wordpress/values.yaml) -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. +## Troubleshooting -### Known limitations +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). -When performing admin operations that require activating the maintenance mode (such as updating a plugin or theme), it's activated in only one replica (see: [bug report](https://core.trac.wordpress.org/ticket/50797)). This implies that WP could be attending requests on other replicas while performing admin operations, with unpredictable consequences. +## Notable changes -To avoid that, you can manually activate/deactivate the maintenance mode on every replica using the WP CLI. For instance, if you installed WP with three replicas, you can run the commands below to activate the maintenance mode in all of them (assuming that the release name is `wordpress`): +### 13.2.0 -```console -$ kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[0].metadata.name}') -c wordpress -- wp maintenance-mode activate -$ kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[1].metadata.name}') -c wordpress -- wp maintenance-mode activate -$ kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[2].metadata.name}') -c wordpress -- wp maintenance-mode activate -``` +Removed support for limiting auto-updates to WordPress core via the `wordpressAutoUpdateLevel` option. To update WordPress core, we recommend you use the `helm upgrade` command to update your deployment instead of using the built-in update functionality. -### External database support +### 11.0.0 -You may want to have WordPress connect to an external database rather than installing one inside your cluster. Typical reasons for this are to use a managed database service, or to share a common database server for all your applications. To achieve this, the chart allows you to specify credentials for an external database with the [`externalDatabase` parameter](#database-parameters). You should also disable the MariaDB installation with the `mariadb.enabled` option. Here is an example: +The [Bitnami WordPress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) image was refactored and now the source code is published in GitHub in the `rootfs` folder of the container image. -```console -mariadb.enabled=false -externalDatabase.host=myexternalhost -externalDatabase.user=myuser -externalDatabase.password=mypassword -externalDatabase.database=mydatabase -externalDatabase.port=3306 -``` +In addition, several new features have been implemented: -Refer to the [documentation on using an external database with WordPress](https://docs.bitnami.com/kubernetes/apps/wordpress/configuration/use-external-database/) and the [tutorial on integrating WordPress with a managed cloud database](https://docs.bitnami.com/tutorials/secure-wordpress-kubernetes-managed-database-ssl-upgrades/) for more information. +- Multisite mode is now supported via `multisite.*` options. +- Plugins can be installed and activated on the first deployment via the `wordpressPlugins` option. +- Added support for limiting auto-updates to WordPress core via the `wordpressAutoUpdateLevel` option. In addition, auto-updates have been disabled by default. To update WordPress core, we recommend to swap the container image version for your deployment instead of using the built-in update functionality. -### Memcached +To enable the new features, it is not possible to do it by upgrading an existing deployment. Instead, it is necessary to perform a fresh deploy. -This chart provides support for using Memcached to cache database queries and objects improving the website performance. To enable this feature, set `wordpressConfigureCache` and `memcached.enabled` parameters to `true`. +## Upgrading -When this feature is enabled, a Memcached server will be deployed in your K8s cluster using the Bitnami Memcached chart and the [W3 Total Cache](https://wordpress.org/plugins/w3-total-cache/) plugin will be activated and configured to use the Memcached server for database caching. +### To 24.0.0 -It is also possible to use an external cache server rather than installing one inside your cluster. To achieve this, the chart allows you to specify credentials for an external cache server with the [`externalCache` parameter](#database-parameters). You should also disable the Memcached installation with the `memcached.enabled` option. Here is an example: +This major bump updates the MariaDB subchart to version 20.0.0. This subchart updates the StatefulSet objects `serviceName` to use a headless service, as the current non-headless service attached to it was not providing DNS entries. This will cause an upgrade issue because it changes "immutable fields". To workaround it, delete the StatefulSet objects as follows (replace the RELEASE_NAME placeholder): -```console -wordpressConfigureCache=true -memcached.enabled=false -externalCache.host=myexternalcachehost -externalCache.port=11211 +```shell +kubectl delete sts RELEASE_NAME-mariadb --cascade=false ``` -### Ingress - -This chart provides support for Ingress resources. If an Ingress controller, such as nginx-ingress or traefik, that Ingress controller can be used to serve WordPress. - -To enable Ingress integration, set `ingress.enabled` to `true`. The `ingress.hostname` property can be used to set the host name. The `ingress.tls` parameter can be used to add the TLS configuration for this host. It is also possible to have more than one host, with a separate TLS configuration for each host. [Learn more about configuring and using Ingress](https://docs.bitnami.com/kubernetes/apps/wordpress/configuration/configure-ingress/). - -### TLS secrets - -The chart also facilitates the creation of TLS secrets for use with the Ingress controller, with different options for certificate management. [Learn more about TLS secrets](https://docs.bitnami.com/kubernetes/apps/wordpress/administration/enable-tls-ingress/). - -### `.htaccess` files - -For performance and security reasons, it is a good practice to configure Apache with the `AllowOverride None` directive. Instead of using `.htaccess` files, Apache will load the same directives at boot time. These directives are located in `/opt/bitnami/wordpress/wordpress-htaccess.conf`. - -By default, the container image includes all the default `.htaccess` files in WordPress (together with the default plugins). To enable this feature, install the chart with the value `allowOverrideNone=yes`. - -[Learn more about working with `.htaccess` files](https://docs.bitnami.com/kubernetes/apps/wordpress/configuration/understand-htaccess/). - -## Persistence - -The [Bitnami WordPress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) image stores the WordPress data and configurations at the `/bitnami` path of the container. Persistent Volume Claims are used to keep the data across deployments. - -If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). - -### Additional environment variables +Then execute `helm upgrade` as usual. -In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property. +### To 23.0.0 -```yaml -wordpress: - extraEnvVars: - - name: LOG_LEVEL - value: error -``` +This major release bumps the MariaDB version to 11.4. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-11-3-to-mariadb-11-4/) for upgrading from MariaDB 11.3 to 11.4. No major issues are expected during the upgrade. -Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values. +### To 22.0.0 -### Sidecars +This major release bumps the MariaDB chart version to [18.x.x](https://github.com/bitnami/charts/pull/24804); no major issues are expected during the upgrade. -If additional containers are needed in the same pod as WordPress (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter. [Learn more about configuring and using sidecar containers](https://docs.bitnami.com/kubernetes/apps/wordpress/configuration/configure-sidecar-init-containers/). +### To 21.0.0 -### Pod affinity +This major bump changes the following security defaults: -This chart allows you to set your custom affinity using the `affinity` parameter. Learn more about Pod affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. +- The `networkPolicy` section has been normalized amongst all Bitnami charts. Compared to the previous approach, the values section has been simplified (check the Parameters section) and now it set to `enabled=true` by default. Egress traffic is allowed by default and ingress traffic is allowed by all pods but only to the ports set in `containerPorts` and `extraContainerPorts`. -As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. - -## Troubleshooting +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. -Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). +### To 20.0.0 -## Notable changes +This major release bumps the MariaDB chart version to [16.x.x](https://github.com/bitnami/charts/pull/23054); no major issues are expected during the upgrade. -### 13.2.0 +### To 19.0.0 -Removed support for limiting auto-updates to WordPress core via the `wordpressAutoUpdateLevel` option. To update WordPress core, we recommend you use the `helm upgrade` command to update your deployment instead of using the built-in update functionality. +This major release bumps the MariaDB version to 11.2. No major issues are expected during the upgrade. -### 11.0.0 +### To 18.0.0 -The [Bitnami WordPress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) image was refactored and now the source code is published in GitHub in the `rootfs` folder of the container image. +This major release bumps the MariaDB version to 11.1. No major issues are expected during the upgrade. -In addition, several new features have been implemented: +### To 17.0.0 -- Multisite mode is now supported via `multisite.*` options. -- Plugins can be installed and activated on the first deployment via the `wordpressPlugins` option. -- Added support for limiting auto-updates to WordPress core via the `wordpressAutoUpdateLevel` option. In addition, auto-updates have been disabled by default. To update WordPress core, we recommend to swap the container image version for your deployment instead of using the built-in update functionality. +This major release bumps the MariaDB version to 11.0. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-0/) for upgrading from MariaDB 10.11 to 11.0. No major issues are expected during the upgrade. -To enable the new features, it is not possible to do it by upgrading an existing deployment. Instead, it is necessary to perform a fresh deploy. +### To 16.0.0 -## Upgrading +This major release bumps the MariaDB version to 10.11. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for upgrading from MariaDB 10.6 to 10.11. No major issues are expected during the upgrade. ### To 14.0.0 @@ -558,8 +748,6 @@ Compatibility is not guaranteed due to the amount of involved changes, however n [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/apps/wordpress/administration/upgrade-helm3/). - #### Additional upgrade notes - MariaDB dependency version was bumped to a new major version that introduces several incompatibilities. Therefore, backwards compatibility is not guaranteed unless an external database is used. Check [MariaDB Upgrading Notes](https://github.com/bitnami/charts/tree/main/bitnami/mariadb#to-800) for more information. @@ -572,24 +760,28 @@ Compatibility is not guaranteed due to the amount of involved changes, however n Obtain the credentials and the name of the PVC used to hold the MariaDB data on your current release: ```console -$ export WORDPRESS_PASSWORD=$(kubectl get secret --namespace default wordpress -o jsonpath="{.data.wordpress-password}" | base64 -d) -$ export MARIADB_ROOT_PASSWORD=$(kubectl get secret --namespace default wordpress-mariadb -o jsonpath="{.data.mariadb-root-password}" | base64 -d) -$ export MARIADB_PASSWORD=$(kubectl get secret --namespace default wordpress-mariadb -o jsonpath="{.data.mariadb-password}" | base64 -d) -$ export MARIADB_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=wordpress,app.kubernetes.io/name=mariadb,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}") +export WORDPRESS_PASSWORD=$(kubectl get secret --namespace default wordpress -o jsonpath="{.data.wordpress-password}" | base64 -d) +export MARIADB_ROOT_PASSWORD=$(kubectl get secret --namespace default wordpress-mariadb -o jsonpath="{.data.mariadb-root-password}" | base64 -d) +export MARIADB_PASSWORD=$(kubectl get secret --namespace default wordpress-mariadb -o jsonpath="{.data.mariadb-password}" | base64 -d) +export MARIADB_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=wordpress,app.kubernetes.io/name=mariadb,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}") ``` Upgrade your release (maintaining the version) disabling MariaDB and scaling WordPress replicas to 0: ```console -$ helm upgrade wordpress my-repo/wordpress --set wordpressPassword=$WORDPRESS_PASSWORD --set replicaCount=0 --set mariadb.enabled=false --version 9.6.4 +helm upgrade wordpress oci://REGISTRY_NAME/REPOSITORY_NAME/wordpress --set wordpressPassword=$WORDPRESS_PASSWORD --set replicaCount=0 --set mariadb.enabled=false --version 9.6.4 ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + Finally, upgrade you release to `10.0.0` reusing the existing PVC, and enabling back MariaDB: ```console -$ helm upgrade wordpress my-repo/wordpress --set mariadb.primary.persistence.existingClaim=$MARIADB_PVC --set mariadb.auth.rootPassword=$MARIADB_ROOT_PASSWORD --set mariadb.auth.password=$MARIADB_PASSWORD --set wordpressPassword=$WORDPRESS_PASSWORD +helm upgrade wordpress oci://REGISTRY_NAME/REPOSITORY_NAME/wordpress --set mariadb.primary.persistence.existingClaim=$MARIADB_PVC --set mariadb.auth.rootPassword=$MARIADB_ROOT_PASSWORD --set mariadb.auth.password=$MARIADB_PASSWORD --set wordpressPassword=$WORDPRESS_PASSWORD ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + You should see the lines below in MariaDB container logs: ```console @@ -617,7 +809,7 @@ To upgrade to `9.0.0`, it's recommended to install a new WordPress chart, and mi Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. -In https://github.com/helm/charts/pulls/12642 the `apiVersion` of the deployment resources was updated to `apps/v1` in tune with the API's deprecated, resulting in compatibility breakage. +In the `apiVersion` of the deployment resources was updated to `apps/v1` in tune with the API's deprecated, resulting in compatibility breakage. This major version signifies this change. @@ -627,19 +819,19 @@ Backwards compatibility is not guaranteed unless you modify the labels used on t Use the workaround below to upgrade from versions previous to `3.0.0`. The following example assumes that the release name is `wordpress`: ```console -$ kubectl patch deployment wordpress-wordpress --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' -$ kubectl delete statefulset wordpress-mariadb --cascade=false +kubectl patch deployment wordpress-wordpress --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' +kubectl delete statefulset wordpress-mariadb --cascade=false ``` ## License -Copyright © 2023 Bitnami +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/.helmignore b/charts/wordpress/wordpress/charts/wordpress/charts/common/.helmignore index 50af03172..d0e10845d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/.helmignore +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/.helmignore @@ -20,3 +20,7 @@ .idea/ *.tmproj .vscode/ +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/Chart.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/common/Chart.yaml index 031ee0fd4..ee87ae1af 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/Chart.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/Chart.yaml @@ -2,10 +2,10 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.2.3 +appVersion: 2.27.2 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. -home: https://github.com/bitnami/charts/tree/main/bitnami/common +home: https://bitnami.com icon: https://bitnami.com/downloads/logos/bitnami-mark.png keywords: - common @@ -14,11 +14,10 @@ keywords: - function - bitnami maintainers: -- name: Bitnami +- name: Broadcom, Inc. All Rights Reserved. url: https://github.com/bitnami/charts name: common sources: -- https://github.com/bitnami/charts -- https://www.bitnami.com/ +- https://github.com/bitnami/charts/tree/main/bitnami/common type: library -version: 2.2.3 +version: 2.27.2 diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/README.md b/charts/wordpress/wordpress/charts/wordpress/charts/common/README.md index 8f3bda37d..3943ed04b 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/README.md +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/README.md @@ -1,18 +1,18 @@ # Bitnami Common Library Chart -A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. ## TL;DR ```yaml dependencies: - name: common - version: 1.x.x - repository: https://charts.bitnami.com/bitnami + version: 2.x.x + repository: oci://registry-1.docker.io/bitnamicharts ``` ```console -$ helm dependency update +helm dependency update ``` ```yaml @@ -24,6 +24,8 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. @@ -32,129 +34,11 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment ## Prerequisites -- Kubernetes 1.19+ -- Helm 3.2.0+ +- Kubernetes 1.23+ +- Helm 3.8.0+ ## Parameters -The following table lists the helpers available in the library which are scoped in different sections. - -### Affinities - -| Helper identifier | Description | Expected Input | -|-------------------------------|------------------------------------------------------|------------------------------------------------| -| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | -| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | -| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | -| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | -| `common.affinities.topologyKey` | Return a topologyKey definition | `dict "topologyKey" "FOO"` | - -### Capabilities - -| Helper identifier | Description | Expected Input | -|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| -| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | -| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | -| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | -| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | -| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | -| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | -| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | -| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | -| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | -| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context | -| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context | -| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | - -### Errors - -| Helper identifier | Description | Expected Input | -|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| -| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | - -### Images - -| Helper identifier | Description | Expected Input | -|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| -| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | -| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | -| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | - -### Ingress - -| Helper identifier | Description | Expected Input | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | -| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | -| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | -| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | - -### Labels - -| Helper identifier | Description | Expected Input | -|-----------------------------|-----------------------------------------------------------------------------|-------------------| -| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | -| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context | - -### Names - -| Helper identifier | Description | Expected Input | -|-----------------------------------|-----------------------------------------------------------------------|-------------------| -| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | -| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | -| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context | -| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context | -| `common.names.chart` | Chart name plus version | `.` Chart context | - -### Secrets - -| Helper identifier | Description | Expected Input | -|-----------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | -| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | -| `common.secrets.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | -| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | - -### Storage - -| Helper identifier | Description | Expected Input | -|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| -| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | - -### TplValues - -| Helper identifier | Description | Expected Input | -|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | - -### Utils - -| Helper identifier | Description | Expected Input | -|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| -| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | -| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | -| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | -| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | - -### Validations - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | -| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | -| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | -| `common.validations.values.mysql.passwords` | This helper will ensure required password for MySQL are not empty. It returns a shared error for all the values. | `dict "secret" "mysql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mysql chart and the helper. | -| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | -| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis® are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | -| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | -| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | - -### Warnings - -| Helper identifier | Description | Expected Input | -|------------------------------|----------------------------------|------------------------------------------------------------| -| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | - ## Special input schemas ### ImageRoot @@ -177,7 +61,7 @@ tag: pullPolicy: type: string - description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + description: Specify a imagePullPolicy.' pullSecrets: type: array @@ -300,7 +184,7 @@ keyMapping: If we force those values to be empty we will see some alerts ```console -$ helm install test mychart --set path.to.value00="",path.to.value01="" +helm install test mychart --set path.to.value00="",path.to.value01="" 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) @@ -316,33 +200,33 @@ $ helm install test mychart --set path.to.value00="",path.to.value01="" [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -**What changes were introduced in this major version?** +#### What changes were introduced in this major version? - Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. - Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. - The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts -**Considerations when upgrading to this version** +#### Considerations when upgrading to this version - If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues - If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore - If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 -**Useful links** +#### Useful links -- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ -- https://helm.sh/docs/topics/v2_v3_migration/ -- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ +- +- +- ## License -Copyright © 2023 Bitnami +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_affinities.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_affinities.tpl index 81902a681..d387dbe63 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_affinities.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_affinities.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* @@ -55,42 +60,86 @@ Return a topologyKey definition {{/* Return a soft podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}} +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} */}} {{- define "common.affinities.pods.soft" -}} {{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} {{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +{{- $extraNamespaces := default (list) .extraNamespaces -}} preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }} {{- if not (empty $component) }} {{ printf "app.kubernetes.io/component: %s" $component }} {{- end }} {{- range $key, $value := $extraMatchLabels }} {{ $key }}: {{ $value | quote }} {{- end }} + {{- if $extraNamespaces }} + namespaces: + - {{ .context.Release.Namespace }} + {{- with $extraNamespaces }} + {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }} + {{- end }} + {{- end }} topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} weight: 1 + {{- range $extraPodAffinityTerms }} + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: {{ .weight | default 1 -}} + {{- end -}} {{- end -}} {{/* Return a hard podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}} +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} */}} {{- define "common.affinities.pods.hard" -}} {{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} {{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +{{- $extraNamespaces := default (list) .extraNamespaces -}} requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }} {{- if not (empty $component) }} {{ printf "app.kubernetes.io/component: %s" $component }} {{- end }} {{- range $key, $value := $extraMatchLabels }} {{ $key }}: {{ $value | quote }} {{- end }} + {{- if $extraNamespaces }} + namespaces: + - {{ .context.Release.Namespace }} + {{- with $extraNamespaces }} + {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }} + {{- end }} + {{- end }} topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- range $extraPodAffinityTerms }} + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- end -}} {{- end -}} {{/* diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_capabilities.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_capabilities.tpl index 9d9b76004..bfff3489d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_capabilities.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_capabilities.tpl @@ -1,25 +1,23 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Return the target Kubernetes version */}} {{- define "common.capabilities.kubeVersion" -}} -{{- if .Values.global }} - {{- if .Values.global.kubeVersion }} - {{- .Values.global.kubeVersion -}} - {{- else }} - {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} - {{- end -}} -{{- else }} -{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} -{{- end -}} +{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}} {{- end -}} {{/* Return the appropriate apiVersion for poddisruptionbudget. */}} {{- define "common.capabilities.policy.apiVersion" -}} -{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} {{- print "policy/v1beta1" -}} {{- else -}} {{- print "policy/v1" -}} @@ -30,7 +28,8 @@ Return the appropriate apiVersion for poddisruptionbudget. Return the appropriate apiVersion for networkpolicy. */}} {{- define "common.capabilities.networkPolicy.apiVersion" -}} -{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.7-0" $kubeVersion) -}} {{- print "extensions/v1beta1" -}} {{- else -}} {{- print "networking.k8s.io/v1" -}} @@ -41,18 +40,32 @@ Return the appropriate apiVersion for networkpolicy. Return the appropriate apiVersion for cronjob. */}} {{- define "common.capabilities.cronjob.apiVersion" -}} -{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} {{- print "batch/v1beta1" -}} {{- else -}} {{- print "batch/v1" -}} {{- end -}} {{- end -}} +{{/* +Return the appropriate apiVersion for daemonset. +*/}} +{{- define "common.capabilities.daemonset.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + {{/* Return the appropriate apiVersion for deployment. */}} {{- define "common.capabilities.deployment.apiVersion" -}} -{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} {{- print "extensions/v1beta1" -}} {{- else -}} {{- print "apps/v1" -}} @@ -63,7 +76,8 @@ Return the appropriate apiVersion for deployment. Return the appropriate apiVersion for statefulset. */}} {{- define "common.capabilities.statefulset.apiVersion" -}} -{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} {{- print "apps/v1beta1" -}} {{- else -}} {{- print "apps/v1" -}} @@ -74,30 +88,24 @@ Return the appropriate apiVersion for statefulset. Return the appropriate apiVersion for ingress. */}} {{- define "common.capabilities.ingress.apiVersion" -}} -{{- if .Values.ingress -}} -{{- if .Values.ingress.apiVersion -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if (.Values.ingress).apiVersion -}} {{- .Values.ingress.apiVersion -}} -{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} {{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} {{- print "networking.k8s.io/v1beta1" -}} {{- else -}} {{- print "networking.k8s.io/v1" -}} {{- end }} -{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} {{- end -}} {{/* Return the appropriate apiVersion for RBAC resources. */}} {{- define "common.capabilities.rbac.apiVersion" -}} -{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.17-0" $kubeVersion) -}} {{- print "rbac.authorization.k8s.io/v1beta1" -}} {{- else -}} {{- print "rbac.authorization.k8s.io/v1" -}} @@ -108,7 +116,8 @@ Return the appropriate apiVersion for RBAC resources. Return the appropriate apiVersion for CRDs. */}} {{- define "common.capabilities.crd.apiVersion" -}} -{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} {{- print "apiextensions.k8s.io/v1beta1" -}} {{- else -}} {{- print "apiextensions.k8s.io/v1" -}} @@ -119,7 +128,8 @@ Return the appropriate apiVersion for CRDs. Return the appropriate apiVersion for APIService. */}} {{- define "common.capabilities.apiService.apiVersion" -}} -{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.10-0" $kubeVersion) -}} {{- print "apiregistration.k8s.io/v1beta1" -}} {{- else -}} {{- print "apiregistration.k8s.io/v1" -}} @@ -130,7 +140,8 @@ Return the appropriate apiVersion for APIService. Return the appropriate apiVersion for Horizontal Pod Autoscaler. */}} {{- define "common.capabilities.hpa.apiVersion" -}} -{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} {{- if .beta2 -}} {{- print "autoscaling/v2beta2" -}} {{- else -}} @@ -141,6 +152,68 @@ Return the appropriate apiVersion for Horizontal Pod Autoscaler. {{- end -}} {{- end -}} +{{/* +Return the appropriate apiVersion for Vertical Pod Autoscaler. +*/}} +{{- define "common.capabilities.vpa.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.11-0" $kubeVersion) -}} +{{- print "autoscaling/v1beta1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "autoscaling/v1beta2" -}} +{{- else -}} +{{- print "autoscaling/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if PodSecurityPolicy is supported +*/}} +{{- define "common.capabilities.psp.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if or (empty $kubeVersion) (semverCompare "<1.25-0" $kubeVersion) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if AdmissionConfiguration is supported +*/}} +{{- define "common.capabilities.admissionConfiguration.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if or (empty $kubeVersion) (not (semverCompare "<1.23-0" $kubeVersion)) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for AdmissionConfiguration. +*/}} +{{- define "common.capabilities.admissionConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- print "apiserver.config.k8s.io/v1alpha1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "apiserver.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiserver.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for PodSecurityConfiguration. +*/}} +{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "pod-security.admission.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "pod-security.admission.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + {{/* Returns true if the used Helm version is 3.3+. A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_compatibility.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..a61588d68 --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_compatibility.tpl @@ -0,0 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return true if the detected platform is Openshift +Usage: +{{- include "common.compatibility.isOpenshift" . -}} +*/}} +{{- define "common.compatibility.isOpenshift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC +Usage: +{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} +*/}} +{{- define "common.compatibility.renderSecurityContext" -}} +{{- $adaptedContext := .secContext -}} + +{{- if (((.context.Values.global).compatibility).openshift) -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} + {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- if not .secContext.seLinuxOptions -}} + {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{/* Remove empty seLinuxOptions object if global.compatibility.omitEmptySeLinuxOptions is set to true */}} +{{- if and (((.context.Values.global).compatibility).omitEmptySeLinuxOptions) (not .secContext.seLinuxOptions) -}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} +{{- end -}} +{{/* Remove fields that are disregarded when running the container in privileged mode */}} +{{- if $adaptedContext.privileged -}} + {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_errors.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_errors.tpl index a79cc2e32..e96536519 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_errors.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_errors.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Through error when upgrading using empty passwords values that must not be empty. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_images.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_images.tpl index b06071492..76bb7ce44 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_images.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_images.tpl @@ -1,23 +1,34 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* -Return the proper image name -{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }} +Return the proper image name. +If image tag and digest are not defined, termination fallbacks to chart appVersion. +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "chart" .Chart ) }} */}} {{- define "common.images.image" -}} -{{- $registryName := .imageRoot.registry -}} +{{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}} {{- $repositoryName := .imageRoot.repository -}} {{- $separator := ":" -}} {{- $termination := .imageRoot.tag | toString -}} -{{- if .global }} - {{- if .global.imageRegistry }} - {{- $registryName = .global.imageRegistry -}} - {{- end -}} + +{{- if not .imageRoot.tag }} + {{- if .chart }} + {{- $termination = .chart.AppVersion | toString -}} + {{- end -}} {{- end -}} {{- if .imageRoot.digest }} {{- $separator = "@" -}} {{- $termination = .imageRoot.digest | toString -}} {{- end -}} -{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} {{- end -}} {{/* @@ -27,21 +38,27 @@ Return the proper Docker Image Registry Secret Names (deprecated: use common.ima {{- define "common.images.pullSecrets" -}} {{- $pullSecrets := list }} - {{- if .global }} - {{- range .global.imagePullSecrets -}} + {{- range ((.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} {{- $pullSecrets = append $pullSecrets . -}} - {{- end -}} + {{- end }} {{- end -}} {{- range .images -}} {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets . -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} {{- end -}} {{- end -}} - {{- if (not (empty $pullSecrets)) }} + {{- if (not (empty $pullSecrets)) -}} imagePullSecrets: - {{- range $pullSecrets }} + {{- range $pullSecrets | uniq }} - name: {{ . }} {{- end }} {{- end }} @@ -55,22 +72,44 @@ Return the proper Docker Image Registry Secret Names evaluating values as templa {{- $pullSecrets := list }} {{- $context := .context }} - {{- if $context.Values.global }} - {{- range $context.Values.global.imagePullSecrets -}} + {{- range (($context.Values.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} {{- end -}} {{- end -}} {{- range .images -}} {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} {{- end -}} {{- end -}} - {{- if (not (empty $pullSecrets)) }} + {{- if (not (empty $pullSecrets)) -}} imagePullSecrets: - {{- range $pullSecrets }} + {{- range $pullSecrets | uniq }} - name: {{ . }} {{- end }} {{- end }} {{- end -}} + +{{/* +Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion) +{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }} +*/}} +{{- define "common.images.version" -}} +{{- $imageTag := .imageRoot.tag | toString -}} +{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}} +{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}} + {{- $version := semver $imageTag -}} + {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}} +{{- else -}} + {{- print .chart.AppVersion -}} +{{- end -}} +{{- end -}} + diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_ingress.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_ingress.tpl index 831da9caa..7d2b87985 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_ingress.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_ingress.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_labels.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_labels.tpl index 252066c7e..0a0cc5488 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_labels.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_labels.tpl @@ -1,18 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} + {{/* Kubernetes standard labels +{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}} */}} {{- define "common.labels.standard" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}} +{{- with .context.Chart.AppVersion -}} +{{- $_ := set $default "app.kubernetes.io/version" . -}} +{{- end -}} +{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }} +{{- else -}} app.kubernetes.io/name: {{ include "common.names.name" . }} helm.sh/chart: {{ include "common.names.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Chart.AppVersion }} +app.kubernetes.io/version: {{ . | quote }} +{{- end -}} +{{- end -}} {{- end -}} {{/* -Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector +{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}} + +We don't want to loop over custom labels appending them to the selector +since it's very likely that it will break deployments, services, etc. +However, it's important to overwrite the standard labels if the user +overwrote them on metadata.labels fields. */}} {{- define "common.labels.matchLabels" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }} +{{- else -}} app.kubernetes.io/name: {{ include "common.names.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} +{{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_names.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_names.tpl index 617a23489..ba8395685 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_names.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_names.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Expand the name of the chart. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_resources.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_resources.tpl new file mode 100644 index 000000000..d8a43e1c2 --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_resources.tpl @@ -0,0 +1,50 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "common.resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "common.resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi") + ) + "xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_secrets.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_secrets.tpl index a1708b2e8..bfef46978 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_secrets.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_secrets.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Generate secret name. @@ -62,7 +67,7 @@ Params: Generate secret password or retrieve one if already created. Usage: -{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $) }} Params: - secret - String - Required - Name of the 'Secret' resource where the password is stored. @@ -72,13 +77,18 @@ Params: - strong - Boolean - Optional - Whether to add symbols to the generated random password. - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - + - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. + - honorProvidedValues - Boolean - Optional - Default to false. If set to true, the values in providedValues have higher priority than an existing secret The order in which this function returns a secret password: - 1. Already existing 'Secret' resource + 1. Password provided via the values.yaml if honorProvidedValues = true + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 2. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) - 2. Password provided via the values.yaml + 3. Password provided via the values.yaml if honorProvidedValues = false (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) - 3. Randomly generated secret password + 4. Randomly generated secret password (A new random secret password with the length specified in the 'length' parameter will be generated and returned) */}} @@ -93,33 +103,49 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} {{- end -}} -{{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} -{{- else }} - - {{- if .context.Values.enabled }} - {{- $subchart = $chartName }} - {{- end -}} +{{- end }} - {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} - {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} - {{- $passwordValidationErrors := list $requiredPasswordError -}} - {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} +{{- if and $providedPasswordValue .honorProvidedValues }} + {{- $password = $providedPasswordValue | toString }} +{{- end }} - {{- if .strong }} - {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} - {{- $password = randAscii $passwordLength }} - {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} +{{- if not $password }} + {{- if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} - {{- end }} + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- if not (eq .failOnNew false) }} + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + {{- end }} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} + {{- else }} + {{- $password = randAlphaNum $passwordLength }} + {{- end }} + {{- end -}} +{{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} {{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* @@ -137,15 +163,16 @@ Params: */}} {{- define "common.secrets.lookup" -}} {{- $value := "" -}} -{{- $defaultValue := required "\n'common.secrets.lookup': Argument 'defaultValue' missing or empty" .defaultValue -}} {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}} {{- if and $secretData (hasKey $secretData .key) -}} {{- $value = index $secretData .key -}} -{{- else -}} - {{- $value = $defaultValue | toString | b64enc -}} +{{- else if .defaultValue -}} + {{- $value = .defaultValue | toString | b64enc -}} {{- end -}} +{{- if $value -}} {{- printf "%s" $value -}} {{- end -}} +{{- end -}} {{/* Returns whether a previous generated secret already exists diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_storage.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_storage.tpl index 60e2a844f..aa75856c0 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_storage.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_storage.tpl @@ -1,23 +1,21 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} + {{/* Return the proper Storage Class {{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} */}} {{- define "common.storage.class" -}} - -{{- $storageClass := .persistence.storageClass -}} -{{- if .global -}} - {{- if .global.storageClass -}} - {{- $storageClass = .global.storageClass -}} - {{- end -}} -{{- end -}} - +{{- $storageClass := (.global).storageClass | default .persistence.storageClass | default (.global).defaultStorageClass | default "" -}} {{- if $storageClass -}} {{- if (eq "-" $storageClass) -}} {{- printf "storageClassName: \"\"" -}} - {{- else }} + {{- else -}} {{- printf "storageClassName: %s" $storageClass -}} {{- end -}} {{- end -}} - {{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_tplvalues.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_tplvalues.tpl index 2db166851..a04f4c1eb 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_tplvalues.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_tplvalues.tpl @@ -1,13 +1,52 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* -Renders a value that contains template. +Renders a value that contains template perhaps with scope if the scope is present. Usage: -{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} */}} {{- define "common.tplvalues.render" -}} - {{- if typeIs "string" .value }} - {{- tpl .value .context }} - {{- else }} - {{- tpl (.value | toYaml) .context }} - {{- end }} +{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} +{{- if contains "{{" (toJson .value) }} + {{- if .scope }} + {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} + {{- else }} + {{- tpl $value .context }} + {{- end }} +{{- else }} + {{- $value }} +{{- end }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge +Usage: +{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with https://masterminds.github.io/sprig/dicts.html#mergeoverwrite-mustmergeoverwrite +Usage: +{{ include "common.tplvalues.merge-overwrite" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge-overwrite" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | mergeOverwrite $dst -}} +{{- end -}} +{{ $dst | toYaml }} {{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_utils.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_utils.tpl index b1ead50cf..d53c74aa2 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_utils.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_utils.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Print instructions to get a secret value. @@ -60,3 +65,13 @@ Usage: {{- end -}} {{- printf "%s" $key -}} {{- end -}} + +{{/* +Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376). +Usage: +{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }} +*/}} +{{- define "common.utils.checksumTemplate" -}} +{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}} +{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }} +{{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_warnings.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_warnings.tpl index ae10fa41e..62c44dfca 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_warnings.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/_warnings.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Warning about using rolling tag. @@ -8,7 +13,97 @@ Usage: {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ ++info https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html {{- end }} +{{- end -}} +{{/* +Warning about replaced images from the original. +Usage: +{{ include "common.warnings.modifiedImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} +*/}} +{{- define "common.warnings.modifiedImages" -}} +{{- $affectedImages := list -}} +{{- $printMessage := false -}} +{{- $originalImages := .context.Chart.Annotations.images -}} +{{- range .images -}} + {{- $fullImageName := printf (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- if not (contains $fullImageName $originalImages) }} + {{- $affectedImages = append $affectedImages (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- $printMessage = true -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +âš  SECURITY WARNING: Original containers have been substituted. This Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables. + +Substituted images detected: +{{- range $affectedImages }} + - {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . -}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} {{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_cassandra.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_cassandra.tpl index ded1ae3bc..f8fd213bc 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_cassandra.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_cassandra.tpl @@ -1,30 +1,9 @@ -{{/* vim: set filetype=mustache: */}} {{/* -Validate Cassandra required passwords are not empty. - -Usage: -{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.cassandra.passwords" -}} - {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} - {{- $enabled := include "common.cassandra.values.enabled" . -}} - {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} - {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to get the right value for existingSecret. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_mariadb.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_mariadb.tpl index b6906ff77..6ea8c0f45 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_mariadb.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_mariadb.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Validate MariaDB required passwords are not empty. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_mongodb.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_mongodb.tpl index f820ec107..e678a6de8 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_mongodb.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_mongodb.tpl @@ -1,50 +1,9 @@ -{{/* vim: set filetype=mustache: */}} {{/* -Validate MongoDB® required passwords are not empty. - -Usage: -{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" - - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.mongodb.passwords" -}} - {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mongodb.values.enabled" . -}} - {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} - {{- $architecture := include "common.mongodb.values.architecture" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} - {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} - - {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} - {{- if and $valueUsername $valueDatabase -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replicaset") -}} - {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to get the right value for existingSecret. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_mysql.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_mysql.tpl index 74472a061..fbb65c338 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_mysql.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_mysql.tpl @@ -1,45 +1,9 @@ -{{/* vim: set filetype=mustache: */}} {{/* -Validate MySQL required passwords are not empty. - -Usage: -{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret" - - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.mysql.passwords" -}} - {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mysql.values.enabled" . -}} - {{- $architecture := include "common.mysql.values.architecture" . -}} - {{- $authPrefix := include "common.mysql.values.key.auth" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- if not (empty $valueUsername) -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replication") -}} - {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to get the right value for existingSecret. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_postgresql.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_postgresql.tpl index 164ec0d01..51d47162e 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_postgresql.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_postgresql.tpl @@ -1,33 +1,9 @@ -{{/* vim: set filetype=mustache: */}} {{/* -Validate PostgreSQL required passwords are not empty. - -Usage: -{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.postgresql.passwords" -}} - {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} - {{- $enabled := include "common.postgresql.values.enabled" . -}} - {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} - {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} - - {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} - {{- if (eq $enabledReplication "true") -}} - {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to decide whether evaluate global values. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_redis.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_redis.tpl index dcccfc1ae..9fedfef9d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_redis.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_redis.tpl @@ -1,38 +1,10 @@ - -{{/* vim: set filetype=mustache: */}} {{/* -Validate Redis® required passwords are not empty. - -Usage: -{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" - - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.redis.passwords" -}} - {{- $enabled := include "common.redis.values.enabled" . -}} - {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} - {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} - - {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} - {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} - {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} - {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} - {{- if eq $useAuth "true" -}} - {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to get the right value for enabled redis. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_validations.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_validations.tpl index 9a814cf40..7cdee6170 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_validations.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/templates/validations/_validations.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Validate values must not be empty. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/common/values.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/common/values.yaml index f2df68e5e..de2cac57d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/common/values.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/common/values.yaml @@ -1,3 +1,6 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + ## bitnami/common ## It is required by CI/CD tools and processes. ## @skip exampleValue diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/.helmignore b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/.helmignore index f0c131944..207983f36 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/.helmignore +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/.helmignore @@ -19,3 +19,7 @@ .project .idea/ *.tmproj +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/Chart.lock b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/Chart.lock index 5d7370abc..2e226ea90 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/Chart.lock +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common - repository: https://charts.bitnami.com/bitnami - version: 2.2.2 -digest: sha256:49ca75cf23ba5eb7df4becef52580f98c8bd8194eb80368b9d7b875f6eefa8e5 -generated: "2022-12-15T08:09:23.256191892Z" + repository: oci://registry-1.docker.io/bitnamicharts + version: 2.27.0 +digest: sha256:b711ab5874abf868a0c64353a790f17771758cee6f802acb9819be004c8460af +generated: "2024-11-07T11:44:05.529563646+01:00" diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/Chart.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/Chart.yaml index 9d4da6135..667bd6488 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/Chart.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/Chart.yaml @@ -1,18 +1,25 @@ annotations: category: Database + images: | + - name: mariadb + image: docker.io/bitnami/mariadb:11.4.4-debian-12-r0 + - name: mysqld-exporter + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-12-r36 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r32 licenses: Apache-2.0 apiVersion: v2 -appVersion: 10.6.12 +appVersion: 11.4.4 dependencies: - name: common - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts tags: - bitnami-common version: 2.x.x description: MariaDB is an open source, community-developed SQL database server that is widely in use around the world due to its enterprise features, flexibility, and collaboration with leading tech firms. -home: https://github.com/bitnami/charts/tree/main/bitnami/mariadb +home: https://bitnami.com icon: https://bitnami.com/assets/stacks/mariadb/img/mariadb-stack-220x234.png keywords: - mariadb @@ -21,11 +28,9 @@ keywords: - sql - prometheus maintainers: -- name: Bitnami +- name: Broadcom, Inc. All Rights Reserved. url: https://github.com/bitnami/charts name: mariadb sources: -- https://github.com/bitnami/containers/tree/main/bitnami/mariadb -- https://github.com/prometheus/mysqld_exporter -- https://mariadb.org -version: 11.4.6 +- https://github.com/bitnami/charts/tree/main/bitnami/mariadb +version: 20.1.1 diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/README.md b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/README.md index 17b097298..e42f9937e 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/README.md +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/README.md @@ -1,20 +1,21 @@ -# MariaDB packaged by Bitnami +# Bitnami package for MariaDB MariaDB is an open source, community-developed SQL database server that is widely in use around the world due to its enterprise features, flexibility, and collaboration with leading tech firms. [Overview of MariaDB](https://mariadb.org/) Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. - + ## TL;DR ```console -$ helm repo add my-repo https://charts.bitnami.com/bitnami -$ helm install my-release my-repo/mariadb +helm install my-release oci://registry-1.docker.io/bitnamicharts/mariadb ``` +Looking to use MariaDB in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + ## Introduction This chart bootstraps a [MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) replication cluster deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. @@ -25,8 +26,8 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment ## Prerequisites -- Kubernetes 1.19+ -- Helm 3.2.0+ +- Kubernetes 1.23+ +- Helm 3.8.0+ - PV provisioner support in the underlying infrastructure ## Installing the Chart @@ -34,264 +35,455 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment To install the chart with the release name `my-release`: ```console -$ helm repo add my-repo https://charts.bitnami.com/bitnami -$ helm install my-release my-repo/mariadb +helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + The command deploys MariaDB on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcesPreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling VS Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Change MariaDB version + +To modify the MariaDB version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/mariadb/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. + +### Update credentials + +Bitnami charts, with its default settings, configure credentials at first boot. Any further change in the secrets or credentials can be done using one of the following methods: + +### Manual update of the passwords and secrets + +- Update the user password following [the upstream documentation](https://milvus.io/docs/authenticate.md#Update-user-password) +- Update the password secret with the new values (replace the SECRET_NAME, PASSWORD and ROOT_PASSWORD placeholders) + +```shell +kubectl create secret generic SECRET_NAME --from-literal=password=PASSWORD --from-literal=root-password=ROOT_PASSWORD --dry-run -o yaml | kubectl apply -f - +``` + +### Automated update using a password update job + +The Bitnami MariaDB provides a password update job that will automatically change the MariaDB passwords when running helm upgrade. To enable the job set `passwordUpdateJob.enabled=true`. This job requires: + +- The new passwords: this is configured using either `auth.rootPassword`, `auth.password` and `auth.replicationPassword` (if applicable) or setting `auth.existingSecret`. +- The previous passwords: This value is taken automatically from already deployed secret object. If you are using `auth.existingSecret` or `helm template` instead of `helm upgrade`, then set either `passwordUpdate.job.previousPasswords.rootPassword`, `passwordUpdate.job.previousPasswords.password`, `passwordUpdate.job.previousPasswords.replicationPassword` (when applicable), setting `auth.existingSecret`. + +In the following example we update the password via values.yaml in a mariadb installation with replication + +```yaml +architecture: "replication" + +auth: + user: "user" + rootPassword: "newRootPassword123" + password: "newUserPassword123" + replicationPassword: "newReplicationPassword123" + +passwordUpdateJob: + enabled: true +``` + +In this example we use two existing secrets (`new-password-secret` and `previous-password-secret`) to update the passwords: -To uninstall/delete the `my-release` deployment: +```yaml +auth: + existingSecret: new-password-secret + +passwordUpdateJob: + enabled: true + previousPasswords: + existingSecret: previous-password-secret +``` + +You can add extra update commands using the `passwordUpdateJob.extraCommands` value. + +### Initialize a fresh instance + +The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image allows you to use your custom scripts to initialize a fresh instance. Custom scripts may be specified using the `initdbScripts` parameter. Alternatively, an external ConfigMap may be created with all the initialization scripts and the ConfigMap passed to the chart via the `initdbScriptsConfigMap` parameter. Note that this will override the `initdbScripts` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +These scripts are treated differently depending on their extension. While `.sh` scripts are executed on all the nodes, `.sql` and `.sql.gz` scripts are only executed on the primary nodes. This is because `.sh` scripts support conditional tests to identify the type of node they are running on, while such tests are not supported in `.sql` or `.sql.gz` files. + +When using a `.sh` script, you may wish to perform a "one-time" action like creating a database. This can be achieved by adding a condition in the script to ensure that it is executed only on one node, as shown in the example below: + +```yaml +initdbScripts: + my_init_script.sh: | + #!/bin/sh + if [[ $(hostname) == *primary* ]]; then + echo "Primary node" + mysql -P 3306 -uroot -prandompassword -e "create database new_database"; + else + echo "No primary node" + fi +``` + +### TLS + +This chart supports encrypting communications using TLS. To enable this feature, set the `tls.enabled`. + +It is necessary to create a secret containing the TLS certificates and pass it to the chart via the `tls.existingSecret` parameter. Every secret should contain a `tls.crt` and `tls.key` keys including the certificate and key files respectively and, optionally, a `ca.crt` key including the CA certificate. For example: create the secret with the certificates files: ```console -$ helm delete my-release +kubectl create secret generic tls-secret --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt +``` + +You can manually create the required TLS certificates or relying on the chart auto-generation capabilities. The chart supports two different ways to auto-generate the required certificates: + +- Using Helm capabilities. Enable this feature by setting `tls.autoGenerated.enabled` to `true` and `tls.autoGenerated.engine` to `helm`. +- Relying on CertManager (please note it's required to have CertManager installed in your K8s cluster). Enable this feature by setting `tls.autoGenerated.enabled` to `true` and `tls.autoGenerated.engine` to `cert-manager`. Please note it's supported to use an existing Issuer/ClusterIssuer for issuing the TLS certificates by setting the `tls.autoGenerated.certManager.existingIssuer` and `tls.autoGenerated.certManager.existingIssuerKind` parameters. + +### Sidecars and Init Containers + +If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. + +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). + +## Persistence + +The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image stores the MariaDB data and configurations at the `/bitnami/mariadb` path of the container. + +The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) volume at this location. The volume is created using dynamic volume provisioning, by default. An existing PersistentVolumeClaim can also be defined. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). + +### Adjust permissions of persistent volume mountpoint + +As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. + +By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. + +As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination. You can enable this initContainer by setting `volumePermissions.enabled` to `true`. ## Parameters ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker Image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global storage class for dynamic provisioning | `""` | - +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker Image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters -| Name | Description | Value | -| ------------------------ | --------------------------------------------------------------------------------------- | --------------- | -| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | -| `nameOverride` | String to partially override mariadb.fullname | `""` | -| `fullnameOverride` | String to fully override mariadb.fullname | `""` | -| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` | -| `commonAnnotations` | Common annotations to add to all MariaDB resources (sub-charts are not considered) | `{}` | -| `commonLabels` | Common labels to add to all MariaDB resources (sub-charts are not considered) | `{}` | -| `schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | -| `runtimeClassName` | Name of the Runtime Class for all MariaDB pods | `""` | -| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` | -| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | -| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | -| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | - +| Name | Description | Value | +| ------------------------- | --------------------------------------------------------------------------------------- | --------------- | +| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | +| `nameOverride` | String to partially override mariadb.fullname | `""` | +| `fullnameOverride` | String to fully override mariadb.fullname | `""` | +| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` | +| `commonAnnotations` | Common annotations to add to all MariaDB resources (sub-charts are not considered) | `{}` | +| `commonLabels` | Common labels to add to all MariaDB resources (sub-charts are not considered) | `{}` | +| `schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `runtimeClassName` | Name of the Runtime Class for all MariaDB pods | `""` | +| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | +| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | ### MariaDB common parameters -| Name | Description | Value | -| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -| `image.registry` | MariaDB image registry | `docker.io` | -| `image.repository` | MariaDB image repository | `bitnami/mariadb` | -| `image.tag` | MariaDB image tag (immutable tags are recommended) | `10.6.12-debian-11-r0` | -| `image.digest` | MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | MariaDB image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `image.debug` | Specify if debug logs should be enabled | `false` | -| `architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` | -| `auth.rootPassword` | Password for the `root` user. Ignored if existing secret is provided. | `""` | -| `auth.database` | Name for a custom database to create | `my_database` | -| `auth.username` | Name for a custom user to create | `""` | -| `auth.password` | Password for the new user. Ignored if existing secret is provided | `""` | -| `auth.replicationUser` | MariaDB replication user | `replicator` | -| `auth.replicationPassword` | MariaDB replication user password. Ignored if existing secret is provided | `""` | -| `auth.existingSecret` | Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` | `""` | -| `auth.forcePassword` | Force users to specify required passwords | `false` | -| `auth.usePasswordFiles` | Mount credentials as files instead of using environment variables | `false` | -| `auth.customPasswordFiles` | Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` | `{}` | -| `initdbScripts` | Dictionary of initdb scripts | `{}` | -| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `""` | - +| Name | Description | Value | +| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `image.registry` | MariaDB image registry | `REGISTRY_NAME` | +| `image.repository` | MariaDB image repository | `REPOSITORY_NAME/mariadb` | +| `image.digest` | MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | MariaDB image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Specify if debug logs should be enabled | `false` | +| `architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` | +| `auth.rootPassword` | Password for the `root` user. Ignored if existing secret is provided. | `""` | +| `auth.database` | Name for a custom database to create | `my_database` | +| `auth.username` | Name for a custom user to create | `""` | +| `auth.password` | Password for the new user. Ignored if existing secret is provided | `""` | +| `auth.replicationUser` | MariaDB replication user | `replicator` | +| `auth.replicationPassword` | MariaDB replication user password. Ignored if existing secret is provided | `""` | +| `auth.existingSecret` | Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` | `""` | +| `auth.forcePassword` | Force users to specify required passwords | `false` | +| `auth.usePasswordFiles` | Mount credentials as files instead of using environment variables | `false` | +| `auth.customPasswordFiles` | Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` | `{}` | +| `initdbScripts` | Dictionary of initdb scripts | `{}` | +| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `""` | + +### TLS/SSL parameters + +| Name | Description | Value | +| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | --------- | +| `tls.enabled` | Enable TLS in MariaDB | `false` | +| `tls.existingSecret` | Existing secret that contains TLS certificates | `""` | +| `tls.certFilename` | The secret key from the existingSecret if 'cert' key different from the default (tls.crt) | `tls.crt` | +| `tls.certKeyFilename` | The secret key from the existingSecret if 'key' key different from the default (tls.key) | `tls.key` | +| `tls.certCAFilename` | The secret key from the existingSecret if 'ca' key different from the default (tls.crt) | `""` | +| `tls.ca` | CA certificate for TLS. Ignored if `tls.existingSecret` is set | `""` | +| `tls.cert` | TLS certificate for Airflow webserver. Ignored if `tls.master.existingSecret` is set | `""` | +| `tls.key` | TLS key for Airflow webserver. Ignored if `tls.master.existingSecret` is set | `""` | +| `tls.autoGenerated.enabled` | Enable automatic generation of certificates for TLS | `true` | +| `tls.autoGenerated.engine` | Mechanism to generate the certificates (allowed values: helm, cert-manager) | `helm` | +| `tls.autoGenerated.certManager.existingIssuer` | The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine) | `""` | +| `tls.autoGenerated.certManager.existingIssuerKind` | Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine) | `""` | +| `tls.autoGenerated.certManager.keyAlgorithm` | Key algorithm for the certificates (only for `cert-manager` engine) | `RSA` | +| `tls.autoGenerated.certManager.keySize` | Key size for the certificates (only for `cert-manager` engine) | `2048` | +| `tls.autoGenerated.certManager.duration` | Duration for the certificates (only for `cert-manager` engine) | `2160h` | +| `tls.autoGenerated.certManager.renewBefore` | Renewal period for the certificates (only for `cert-manager` engine) | `360h` | ### MariaDB Primary parameters -| Name | Description | Value | -| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------- | -| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` | -| `primary.command` | Override default container command on MariaDB Primary container(s) (useful when using custom images) | `[]` | -| `primary.args` | Override default container args on MariaDB Primary container(s) (useful when using custom images) | `[]` | -| `primary.lifecycleHooks` | for the MariaDB Primary container(s) to automate configuration before or after startup | `{}` | -| `primary.hostAliases` | Add deployment host aliases | `[]` | -| `primary.configuration` | MariaDB Primary configuration to be injected as ConfigMap | `""` | -| `primary.existingConfigmap` | Name of existing ConfigMap with MariaDB Primary configuration. | `""` | -| `primary.updateStrategy.type` | MariaDB primary statefulset strategy type | `RollingUpdate` | -| `primary.rollingUpdatePartition` | Partition update strategy for Mariadb Primary statefulset | `""` | -| `primary.podAnnotations` | Additional pod annotations for MariaDB primary pods | `{}` | -| `primary.podLabels` | Extra labels for MariaDB primary pods | `{}` | -| `primary.podAffinityPreset` | MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `primary.podAntiAffinityPreset` | MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `primary.nodeAffinityPreset.type` | MariaDB primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `primary.nodeAffinityPreset.key` | MariaDB primary node label key to match Ignored if `primary.affinity` is set. | `""` | -| `primary.nodeAffinityPreset.values` | MariaDB primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | -| `primary.affinity` | Affinity for MariaDB primary pods assignment | `{}` | -| `primary.nodeSelector` | Node labels for MariaDB primary pods assignment | `{}` | -| `primary.tolerations` | Tolerations for MariaDB primary pods assignment | `[]` | -| `primary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `primary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB primary pods | `""` | -| `primary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB primary pods assignment | `[]` | -| `primary.priorityClassName` | Priority class for MariaDB primary pods assignment | `""` | -| `primary.runtimeClassName` | Runtime Class for MariaDB primary pods | `""` | -| `primary.podSecurityContext.enabled` | Enable security context for MariaDB primary pods | `true` | -| `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | -| `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` | -| `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` | -| `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` | -| `primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` | -| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` | -| `primary.resources.limits` | The resources limits for MariaDB primary containers | `{}` | -| `primary.resources.requests` | The requested resources for MariaDB primary containers | `{}` | -| `primary.startupProbe.enabled` | Enable startupProbe | `false` | -| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | -| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | -| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | -| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `primary.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | -| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | -| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `primary.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `primary.customStartupProbe` | Override default startup probe for MariaDB primary containers | `{}` | -| `primary.customLivenessProbe` | Override default liveness probe for MariaDB primary containers | `{}` | -| `primary.customReadinessProbe` | Override default readiness probe for MariaDB primary containers | `{}` | -| `primary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB primary containers | `{}` | -| `primary.extraFlags` | MariaDB primary additional command line flags | `""` | -| `primary.extraEnvVars` | Extra environment variables to be set on MariaDB primary containers | `[]` | -| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB primary containers | `""` | -| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB primary containers | `""` | -| `primary.persistence.enabled` | Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir | `true` | -| `primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `""` | -| `primary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | -| `primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `""` | -| `primary.persistence.annotations` | MariaDB primary persistent volume claim annotations | `{}` | -| `primary.persistence.accessModes` | MariaDB primary persistent volume access Modes | `["ReadWriteOnce"]` | -| `primary.persistence.size` | MariaDB primary persistent volume size | `8Gi` | -| `primary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | -| `primary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB Primary pod(s) | `[]` | -| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s) | `[]` | -| `primary.initContainers` | Add additional init containers for the MariaDB Primary pod(s) | `[]` | -| `primary.sidecars` | Add additional sidecar containers for the MariaDB Primary pod(s) | `[]` | -| `primary.service.type` | MariaDB Primary Kubernetes service type | `ClusterIP` | -| `primary.service.ports.mysql` | MariaDB Primary Kubernetes service port for MariaDB | `3306` | -| `primary.service.ports.metrics` | MariaDB Primary Kubernetes service port for metrics | `9104` | -| `primary.service.nodePorts.mysql` | MariaDB Primary Kubernetes service node port | `""` | -| `primary.service.clusterIP` | MariaDB Primary Kubernetes service clusterIP IP | `""` | -| `primary.service.loadBalancerIP` | MariaDB Primary loadBalancerIP if service type is `LoadBalancer` | `""` | -| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `primary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB Primary service is LoadBalancer | `[]` | -| `primary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `primary.service.annotations` | Provide any additional annotations which may be required | `{}` | -| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `primary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB primary pods | `false` | -| `primary.pdb.minAvailable` | Minimum number/percentage of MariaDB primary pods that must still be available after the eviction | `1` | -| `primary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction | `""` | -| `primary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | - +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` | +| `primary.command` | Override default container command on MariaDB Primary container(s) (useful when using custom images) | `[]` | +| `primary.args` | Override default container args on MariaDB Primary container(s) (useful when using custom images) | `[]` | +| `primary.lifecycleHooks` | for the MariaDB Primary container(s) to automate configuration before or after startup | `{}` | +| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `primary.hostAliases` | Add deployment host aliases | `[]` | +| `primary.containerPorts.mysql` | Container port for mysql | `3306` | +| `primary.configuration` | MariaDB Primary configuration to be injected as ConfigMap | `""` | +| `primary.existingConfigmap` | Name of existing ConfigMap with MariaDB Primary configuration. | `""` | +| `primary.updateStrategy.type` | MariaDB primary statefulset strategy type | `RollingUpdate` | +| `primary.rollingUpdatePartition` | Partition update strategy for Mariadb Primary statefulset | `""` | +| `primary.podAnnotations` | Additional pod annotations for MariaDB primary pods | `{}` | +| `primary.podLabels` | Extra labels for MariaDB primary pods | `{}` | +| `primary.podAffinityPreset` | MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | MariaDB primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | MariaDB primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | MariaDB primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `primary.affinity` | Affinity for MariaDB primary pods assignment | `{}` | +| `primary.nodeSelector` | Node labels for MariaDB primary pods assignment | `{}` | +| `primary.tolerations` | Tolerations for MariaDB primary pods assignment | `[]` | +| `primary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `primary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB primary pods | `""` | +| `primary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB primary pods assignment | `[]` | +| `primary.priorityClassName` | Priority class for MariaDB primary pods assignment | `""` | +| `primary.runtimeClassName` | Runtime Class for MariaDB primary pods | `""` | +| `primary.podSecurityContext.enabled` | Enable security context for MariaDB primary pods | `true` | +| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | +| `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` | +| `primary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB primary container | `1001` | +| `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` | +| `primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` | +| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` | +| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `micro` | +| `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `primary.startupProbe.enabled` | Enable startupProbe | `false` | +| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | +| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | +| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | +| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `primary.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `primary.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `primary.customStartupProbe` | Override default startup probe for MariaDB primary containers | `{}` | +| `primary.customLivenessProbe` | Override default liveness probe for MariaDB primary containers | `{}` | +| `primary.customReadinessProbe` | Override default readiness probe for MariaDB primary containers | `{}` | +| `primary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB primary containers | `{}` | +| `primary.extraFlags` | MariaDB primary additional command line flags | `""` | +| `primary.extraEnvVars` | Extra environment variables to be set on MariaDB primary containers | `[]` | +| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB primary containers | `""` | +| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB primary containers | `""` | +| `primary.persistence.enabled` | Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir | `true` | +| `primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `""` | +| `primary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `""` | +| `primary.persistence.labels` | Labels for the PVC | `{}` | +| `primary.persistence.annotations` | MariaDB primary persistent volume claim annotations | `{}` | +| `primary.persistence.accessModes` | MariaDB primary persistent volume access Modes | `["ReadWriteOnce"]` | +| `primary.persistence.size` | MariaDB primary persistent volume size | `8Gi` | +| `primary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | +| `primary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB Primary pod(s) | `[]` | +| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s) | `[]` | +| `primary.initContainers` | Add additional init containers for the MariaDB Primary pod(s) | `[]` | +| `primary.sidecars` | Add additional sidecar containers for the MariaDB Primary pod(s) | `[]` | +| `primary.service.type` | MariaDB Primary Kubernetes service type | `ClusterIP` | +| `primary.service.ports.mysql` | MariaDB Primary Kubernetes service port for MariaDB | `3306` | +| `primary.service.ports.metrics` | MariaDB Primary Kubernetes service port for metrics | `9104` | +| `primary.service.nodePorts.mysql` | MariaDB Primary Kubernetes service node port | `""` | +| `primary.service.clusterIP` | MariaDB Primary Kubernetes service clusterIP IP | `""` | +| `primary.service.loadBalancerIP` | MariaDB Primary loadBalancerIP if service type is `LoadBalancer` | `""` | +| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `primary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB Primary service is LoadBalancer | `[]` | +| `primary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `primary.service.annotations` | Provide any additional annotations which may be required | `{}` | +| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `primary.service.headless.annotations` | Annotations of the headless service | `{}` | +| `primary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB primary pods | `true` | +| `primary.pdb.minAvailable` | Minimum number/percentage of MariaDB primary pods that must still be available after the eviction | `""` | +| `primary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction. Defaults to `1` if both `primary.pdb.minAvailable` and `primary.pdb.maxUnavailable` are empty. | `""` | +| `primary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | ### MariaDB Secondary parameters -| Name | Description | Value | -| ------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------- | -| `secondary.name` | Name of the secondary database (eg secondary, slave, ...) | `secondary` | -| `secondary.replicaCount` | Number of MariaDB secondary replicas | `1` | -| `secondary.command` | Override default container command on MariaDB Secondary container(s) (useful when using custom images) | `[]` | -| `secondary.args` | Override default container args on MariaDB Secondary container(s) (useful when using custom images) | `[]` | -| `secondary.lifecycleHooks` | for the MariaDB Secondary container(s) to automate configuration before or after startup | `{}` | -| `secondary.hostAliases` | Add deployment host aliases | `[]` | -| `secondary.configuration` | MariaDB Secondary configuration to be injected as ConfigMap | `""` | -| `secondary.existingConfigmap` | Name of existing ConfigMap with MariaDB Secondary configuration. | `""` | -| `secondary.updateStrategy.type` | MariaDB secondary statefulset strategy type | `RollingUpdate` | -| `secondary.rollingUpdatePartition` | Partition update strategy for Mariadb Secondary statefulset | `""` | -| `secondary.podAnnotations` | Additional pod annotations for MariaDB secondary pods | `{}` | -| `secondary.podLabels` | Extra labels for MariaDB secondary pods | `{}` | -| `secondary.podAffinityPreset` | MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `secondary.podAntiAffinityPreset` | MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `secondary.nodeAffinityPreset.type` | MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `secondary.nodeAffinityPreset.key` | MariaDB secondary node label key to match Ignored if `secondary.affinity` is set. | `""` | -| `secondary.nodeAffinityPreset.values` | MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set. | `[]` | -| `secondary.affinity` | Affinity for MariaDB secondary pods assignment | `{}` | -| `secondary.nodeSelector` | Node labels for MariaDB secondary pods assignment | `{}` | -| `secondary.tolerations` | Tolerations for MariaDB secondary pods assignment | `[]` | -| `secondary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB secondary pods assignment | `[]` | -| `secondary.priorityClassName` | Priority class for MariaDB secondary pods assignment | `""` | -| `secondary.runtimeClassName` | Runtime Class for MariaDB secondary pods | `""` | -| `secondary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `secondary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB secondary pods | `""` | -| `secondary.podSecurityContext.enabled` | Enable security context for MariaDB secondary pods | `true` | -| `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | -| `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` | -| `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` | -| `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` | -| `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` | -| `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set secondary container's Security Context allowPrivilegeEscalation | `false` | -| `secondary.resources.limits` | The resources limits for MariaDB secondary containers | `{}` | -| `secondary.resources.requests` | The requested resources for MariaDB secondary containers | `{}` | -| `secondary.startupProbe.enabled` | Enable startupProbe | `false` | -| `secondary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | -| `secondary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | -| `secondary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `secondary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | -| `secondary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `secondary.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `secondary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | -| `secondary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `secondary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | -| `secondary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `secondary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `secondary.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `secondary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `secondary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `secondary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `secondary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `secondary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `secondary.customStartupProbe` | Override default startup probe for MariaDB secondary containers | `{}` | -| `secondary.customLivenessProbe` | Override default liveness probe for MariaDB secondary containers | `{}` | -| `secondary.customReadinessProbe` | Override default readiness probe for MariaDB secondary containers | `{}` | -| `secondary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB secondary containers | `{}` | -| `secondary.extraFlags` | MariaDB secondary additional command line flags | `""` | -| `secondary.extraEnvVars` | Extra environment variables to be set on MariaDB secondary containers | `[]` | -| `secondary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB secondary containers | `""` | -| `secondary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB secondary containers | `""` | -| `secondary.persistence.enabled` | Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` | `true` | -| `secondary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | -| `secondary.persistence.storageClass` | MariaDB secondary persistent volume storage Class | `""` | -| `secondary.persistence.annotations` | MariaDB secondary persistent volume claim annotations | `{}` | -| `secondary.persistence.accessModes` | MariaDB secondary persistent volume access Modes | `["ReadWriteOnce"]` | -| `secondary.persistence.size` | MariaDB secondary persistent volume size | `8Gi` | -| `secondary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | -| `secondary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB secondary pod(s) | `[]` | -| `secondary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s) | `[]` | -| `secondary.initContainers` | Add additional init containers for the MariaDB secondary pod(s) | `[]` | -| `secondary.sidecars` | Add additional sidecar containers for the MariaDB secondary pod(s) | `[]` | -| `secondary.service.type` | MariaDB secondary Kubernetes service type | `ClusterIP` | -| `secondary.service.ports.mysql` | MariaDB secondary Kubernetes service port for MariaDB | `3306` | -| `secondary.service.ports.metrics` | MariaDB secondary Kubernetes service port for metrics | `9104` | -| `secondary.service.nodePorts.mysql` | MariaDB secondary Kubernetes service node port | `""` | -| `secondary.service.clusterIP` | MariaDB secondary Kubernetes service clusterIP IP | `""` | -| `secondary.service.loadBalancerIP` | MariaDB secondary loadBalancerIP if service type is `LoadBalancer` | `""` | -| `secondary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `secondary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB secondary service is LoadBalancer | `[]` | -| `secondary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `secondary.service.annotations` | Provide any additional annotations which may be required | `{}` | -| `secondary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `secondary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `secondary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods | `false` | -| `secondary.pdb.minAvailable` | Minimum number/percentage of MariaDB secondary pods that should remain scheduled | `1` | -| `secondary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB secondary pods that may be made unavailable | `""` | -| `secondary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | - +| Name | Description | Value | +| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `secondary.name` | Name of the secondary database (eg secondary, slave, ...) | `secondary` | +| `secondary.replicaCount` | Number of MariaDB secondary replicas | `1` | +| `secondary.command` | Override default container command on MariaDB Secondary container(s) (useful when using custom images) | `[]` | +| `secondary.args` | Override default container args on MariaDB Secondary container(s) (useful when using custom images) | `[]` | +| `secondary.lifecycleHooks` | for the MariaDB Secondary container(s) to automate configuration before or after startup | `{}` | +| `secondary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `secondary.hostAliases` | Add deployment host aliases | `[]` | +| `secondary.containerPorts.mysql` | Container port for mysql | `3306` | +| `secondary.configuration` | MariaDB Secondary configuration to be injected as ConfigMap | `""` | +| `secondary.existingConfigmap` | Name of existing ConfigMap with MariaDB Secondary configuration. | `""` | +| `secondary.updateStrategy.type` | MariaDB secondary statefulset strategy type | `RollingUpdate` | +| `secondary.rollingUpdatePartition` | Partition update strategy for Mariadb Secondary statefulset | `""` | +| `secondary.podAnnotations` | Additional pod annotations for MariaDB secondary pods | `{}` | +| `secondary.podLabels` | Extra labels for MariaDB secondary pods | `{}` | +| `secondary.podAffinityPreset` | MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `secondary.podAntiAffinityPreset` | MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `secondary.nodeAffinityPreset.type` | MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `secondary.nodeAffinityPreset.key` | MariaDB secondary node label key to match Ignored if `secondary.affinity` is set. | `""` | +| `secondary.nodeAffinityPreset.values` | MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set. | `[]` | +| `secondary.affinity` | Affinity for MariaDB secondary pods assignment | `{}` | +| `secondary.nodeSelector` | Node labels for MariaDB secondary pods assignment | `{}` | +| `secondary.tolerations` | Tolerations for MariaDB secondary pods assignment | `[]` | +| `secondary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB secondary pods assignment | `[]` | +| `secondary.priorityClassName` | Priority class for MariaDB secondary pods assignment | `""` | +| `secondary.runtimeClassName` | Runtime Class for MariaDB secondary pods | `""` | +| `secondary.schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `secondary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB secondary pods | `""` | +| `secondary.podSecurityContext.enabled` | Enable security context for MariaDB secondary pods | `true` | +| `secondary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `secondary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | +| `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` | +| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` | +| `secondary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB secondary container | `1001` | +| `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` | +| `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` | +| `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set secondary container's Security Context allowPrivilegeEscalation | `false` | +| `secondary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `secondary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `secondary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `secondary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). | `micro` | +| `secondary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `secondary.startupProbe.enabled` | Enable startupProbe | `false` | +| `secondary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | +| `secondary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` | +| `secondary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `secondary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | +| `secondary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `secondary.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `secondary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `secondary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `secondary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `secondary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `secondary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `secondary.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `secondary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `secondary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `secondary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `secondary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `secondary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `secondary.customStartupProbe` | Override default startup probe for MariaDB secondary containers | `{}` | +| `secondary.customLivenessProbe` | Override default liveness probe for MariaDB secondary containers | `{}` | +| `secondary.customReadinessProbe` | Override default readiness probe for MariaDB secondary containers | `{}` | +| `secondary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB secondary containers | `{}` | +| `secondary.extraFlags` | MariaDB secondary additional command line flags | `""` | +| `secondary.extraEnvVars` | Extra environment variables to be set on MariaDB secondary containers | `[]` | +| `secondary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB secondary containers | `""` | +| `secondary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB secondary containers | `""` | +| `secondary.persistence.enabled` | Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` | `true` | +| `secondary.persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `secondary.persistence.storageClass` | MariaDB secondary persistent volume storage Class | `""` | +| `secondary.persistence.labels` | Labels for the PVC | `{}` | +| `secondary.persistence.annotations` | MariaDB secondary persistent volume claim annotations | `{}` | +| `secondary.persistence.accessModes` | MariaDB secondary persistent volume access Modes | `["ReadWriteOnce"]` | +| `secondary.persistence.size` | MariaDB secondary persistent volume size | `8Gi` | +| `secondary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | +| `secondary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB secondary pod(s) | `[]` | +| `secondary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s) | `[]` | +| `secondary.initContainers` | Add additional init containers for the MariaDB secondary pod(s) | `[]` | +| `secondary.sidecars` | Add additional sidecar containers for the MariaDB secondary pod(s) | `[]` | +| `secondary.service.type` | MariaDB secondary Kubernetes service type | `ClusterIP` | +| `secondary.service.ports.mysql` | MariaDB secondary Kubernetes service port for MariaDB | `3306` | +| `secondary.service.ports.metrics` | MariaDB secondary Kubernetes service port for metrics | `9104` | +| `secondary.service.nodePorts.mysql` | MariaDB secondary Kubernetes service node port | `""` | +| `secondary.service.clusterIP` | MariaDB secondary Kubernetes service clusterIP IP | `""` | +| `secondary.service.loadBalancerIP` | MariaDB secondary loadBalancerIP if service type is `LoadBalancer` | `""` | +| `secondary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `secondary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB secondary service is LoadBalancer | `[]` | +| `secondary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `secondary.service.annotations` | Provide any additional annotations which may be required | `{}` | +| `secondary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `secondary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `secondary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods | `true` | +| `secondary.pdb.minAvailable` | Minimum number/percentage of MariaDB secondary pods that should remain scheduled | `""` | +| `secondary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB secondary pods that may be made unavailable. Defaults to `1` if both `secondary.pdb.minAvailable` and `secondary.pdb.maxUnavailable` are empty. | `""` | +| `secondary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` | ### RBAC parameters @@ -303,99 +495,141 @@ The command removes all the Kubernetes components associated with the chart and | `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` | | `rbac.create` | Whether to create and use RBAC resources or not | `false` | +### Password update job + +| Name | Description | Value | +| --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `passwordUpdateJob.enabled` | Enable password update job | `false` | +| `passwordUpdateJob.backoffLimit` | set backoff limit of the job | `10` | +| `passwordUpdateJob.command` | Override default container command on MariaDB Primary container(s) (useful when using custom images) | `[]` | +| `passwordUpdateJob.args` | Override default container args on MariaDB Primary container(s) (useful when using custom images) | `[]` | +| `passwordUpdateJob.extraCommands` | Extra commands to pass to the generation job | `""` | +| `passwordUpdateJob.previousPasswords.rootPassword` | Previous root password (set if the password secret was already changed) | `""` | +| `passwordUpdateJob.previousPasswords.password` | Previous password (set if the password secret was already changed) | `""` | +| `passwordUpdateJob.previousPasswords.replicationPassword` | Previous replication password (set if the password secret was already changed) | `""` | +| `passwordUpdateJob.previousPasswords.existingSecret` | Name of a secret containing the previous passwords (set if the password secret was already changed) | `""` | +| `passwordUpdateJob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `passwordUpdateJob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `passwordUpdateJob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `passwordUpdateJob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `passwordUpdateJob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `passwordUpdateJob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `passwordUpdateJob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `passwordUpdateJob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `passwordUpdateJob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `passwordUpdateJob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `passwordUpdateJob.podSecurityContext.enabled` | Enabled credential init job pods' Security Context | `true` | +| `passwordUpdateJob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `passwordUpdateJob.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `passwordUpdateJob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `passwordUpdateJob.podSecurityContext.fsGroup` | Set credential init job pod's Security Context fsGroup | `1001` | +| `passwordUpdateJob.extraEnvVars` | Array containing extra env vars to configure the credential init job | `[]` | +| `passwordUpdateJob.extraEnvVarsCM` | ConfigMap containing extra env vars to configure the credential init job | `""` | +| `passwordUpdateJob.extraEnvVarsSecret` | Secret containing extra env vars to configure the credential init job (in case of sensitive data) | `""` | +| `passwordUpdateJob.extraVolumes` | Optionally specify extra list of additional volumes for the credential init job | `[]` | +| `passwordUpdateJob.extraVolumeMounts` | Array of extra volume mounts to be added to the jwt Container (evaluated as template). Normally used with `extraVolumes`. | `[]` | +| `passwordUpdateJob.initContainers` | Add additional init containers for the MariaDB Primary pod(s) | `[]` | +| `passwordUpdateJob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if passwordUpdateJob.resources is set (passwordUpdateJob.resources is recommended for production). | `micro` | +| `passwordUpdateJob.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `passwordUpdateJob.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `passwordUpdateJob.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `passwordUpdateJob.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `passwordUpdateJob.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `passwordUpdateJob.hostAliases` | Add deployment host aliases | `[]` | +| `passwordUpdateJob.annotations` | Add annotations to the job | `{}` | +| `passwordUpdateJob.podLabels` | Additional pod labels | `{}` | +| `passwordUpdateJob.podAnnotations` | Additional pod annotations | `{}` | ### Volume Permissions parameters -| Name | Description | Value | -| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | -| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r80` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | -| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | - +| Name | Description | Value | +| ------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | ### Metrics parameters -| Name | Description | Value | -| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | -| `metrics.enabled` | Start a side-car prometheus exporter | `false` | -| `metrics.image.registry` | Exporter image registry | `docker.io` | -| `metrics.image.repository` | Exporter image repository | `bitnami/mysqld-exporter` | -| `metrics.image.tag` | Exporter image tag (immutable tags are recommended) | `0.14.0-debian-11-r86` | -| `metrics.image.digest` | Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `metrics.annotations` | Annotations for the Exporter pod | `{}` | -| `metrics.extraArgs` | Extra args to be passed to mysqld_exporter | `{}` | -| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` | -| `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | -| `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | -| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` | -| `metrics.resources.limits` | The resources limits for MariaDB prometheus exporter containers | `{}` | -| `metrics.resources.requests` | The requested resources for MariaDB prometheus exporter containers | `{}` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | -| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | -| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | -| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | -| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | -| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` | -| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | -| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | -| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | -| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | - +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | +| `metrics.enabled` | Start a side-car prometheus exporter | `false` | +| `metrics.image.registry` | Exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Exporter image repository | `REPOSITORY_NAME/mysqld-exporter` | +| `metrics.image.digest` | Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.annotations` | Annotations for the Exporter pod | `{}` | +| `metrics.extraArgs` | Extra args to be passed to mysqld_exporter | `{}` | +| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` | +| `metrics.containerPorts.http` | Container port for http | `9104` | +| `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.runAsUser` | User ID for the MariaDB metrics container | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Group ID for the MariaDB metrics container | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set metrics container's Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | +| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` | +| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` | +| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | ### NetworkPolicy parameters -| Name | Description | Value | -| ---------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `networkPolicy.enabled` | Enable network policies | `false` | -| `networkPolicy.metrics.enabled` | Enable network policy for metrics (prometheus) | `false` | -| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` | -| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. | `false` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the primary node. This label will be used to identified the allowed namespace(s). | `{}` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the primary node. This label will be used to identified the allowed pod(s). | `{}` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the primary node. | `{}` | -| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled` | Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. | `false` | -| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to acces the secondary nodes. This label will be used to identified the allowed namespace(s). | `{}` | -| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the secondary nodes. This label will be used to identified the allowed pod(s). | `{}` | -| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules` | Custom network policy for the secondary nodes. | `{}` | -| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` | -| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | - +| Name | Description | Value | +| --------------------------------------- | --------------------------------------------------------------- | ------ | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` | +| `networkPolicy.allowExternal` | The Policy model to apply | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | The above parameters map to the env variables defined in [bitnami/mariadb](https://github.com/bitnami/containers/tree/main/bitnami/mariadb). For more information please refer to the [bitnami/mariadb](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image documentation. Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, ```console -$ helm install my-release \ +helm install my-release \ --set auth.rootPassword=secretpassword,auth.database=app_database \ - my-repo/mariadb + oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + The above command sets the MariaDB `root` account password to `secretpassword`. Additionally it creates a database named `my_database`. > NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. @@ -403,70 +637,76 @@ The above command sets the MariaDB `root` account password to `secretpassword`. Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, ```console -$ helm install my-release -f values.yaml my-repo/mariadb +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb ``` -> **Tip**: You can use the default [values.yaml](values.yaml) - -## Configuration and installation details +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/mariadb/values.yaml) -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +## Troubleshooting -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. +## Upgrading -### Change MariaDB version +It's necessary to set the `auth.rootPassword` parameter when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Administrator credentials' section. Please note down the password and run the command below to upgrade your chart: -To modify the MariaDB version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/mariadb/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. +```console +helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb --set auth.rootPassword=[ROOT_PASSWORD] +``` -### Initialize a fresh instance +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. -The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image allows you to use your custom scripts to initialize a fresh instance. Custom scripts may be specified using the `initdbScripts` parameter. Alternatively, an external ConfigMap may be created with all the initialization scripts and the ConfigMap passed to the chart via the `initdbScriptsConfigMap` parameter. Note that this will override the `initdbScripts` parameter. +| Note: you need to substitute the placeholder _[ROOT_PASSWORD]_ with the value obtained in the installation notes. -The allowed extensions are `.sh`, `.sql` and `.sql.gz`. +### To 20.0.0 -These scripts are treated differently depending on their extension. While `.sh` scripts are executed on all the nodes, `.sql` and `.sql.gz` scripts are only executed on the primary nodes. This is because `.sh` scripts support conditional tests to identify the type of node they are running on, while such tests are not supported in `.sql` or `.sql.gz` files. +This major bump updates the StatefulSet objects `serviceName` to use a headless service, as the current non-headless service attached to it was not providing DNS entries. This will cause an upgrade issue because it changes "immutable fields". To workaround it, delete the StatefulSet objects as follows (replace the RELEASE_NAME placeholder): -[Refer to the chart documentation for more information and a usage example](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/configuration/customize-new-instance/). +```shell -### Sidecars and Init Containers +# If architecture = "standalone" +kubectl delete sts RELEASE_NAME --cascade=false -If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the sidecars parameter. +# If architecture = "replication" +kubectl delete sts RELEASE_NAME-primary --cascade=false +kubectl delete sts RELEASE_NAME-secondary --cascade=false +``` -The Helm chart already includes sidecar containers for the Prometheus exporters. These can be activated by adding the `--set enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. [See an example of configuring and using sidecar containers](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/configuration/configure-sidecar-init-containers/). +Then execute `helm upgrade` as usual. -Similarly, additional containers can be added to MariaDB pods using the `initContainers` parameter. [See an example of configuring and using init containers](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/configuration/configure-sidecar-init-containers/). +Additionally, this new major provides a new, optional, password update job for automating this second-day operation in the chart. See the [Update credential](#password-update-job) for detailed instructions. -## Persistence +### To 19.0.0 -The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image stores the MariaDB data and configurations at the `/bitnami/mariadb` path of the container. +This major release bumps the MariaDB version to 11.4. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-between-minor-versions-on-linux/) for upgrading from MariaDB 11.3 to 11.4. No major issues are expected during the upgrade. -The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) volume at this location. The volume is created using dynamic volume provisioning, by default. An existing PersistentVolumeClaim can also be defined. +### To 18.0.0 -If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). +This major release bumps the MariaDB version to 11.3. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-between-minor-versions-on-linux/) for upgrading from MariaDB 11.2 to 11.3. No major issues are expected during the upgrade. -### Adjust permissions of persistent volume mountpoint +### To 17.0.0 -As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. +This major bump changes the following security defaults: -By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. -As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination. You can enable this initContainer by setting `volumePermissions.enabled` to `true`. +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. -## Troubleshooting +### To 16.0.0 -Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). +This section enables NetworkPolicies by default to increase security of the application. It also adapts the values in the `networkPolicy` section to the current Bitnami standards. The removed sections are `networkPolicy.metrics.*`, `networkPolicy.ingressRules.*` and `networkPolicy.egressRules.*`. Check the Parameters table for the new structure. -## Upgrading +### To 14.0.0 -It's necessary to set the `auth.rootPassword` parameter when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Administrator credentials' section. Please note down the password and run the command below to upgrade your chart: +This major release bumps the MariaDB version to 11.1. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-between-minor-versions-on-linux/) for upgrading from MariaDB 11.0 to 11.1. No major issues are expected during the upgrade. -```console -$ helm upgrade my-release my-repo/mariadb --set auth.rootPassword=[ROOT_PASSWORD] -``` +### To 13.0.0 -| Note: you need to substitute the placeholder _[ROOT_PASSWORD]_ with the value obtained in the installation notes. +This major release bumps the MariaDB version to 11.0. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-0/) for upgrading from MariaDB 10.11 to 11.0. No major issues are expected during the upgrade. ### To 11.0.0 @@ -497,8 +737,6 @@ Affected values: [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/administration/upgrade-helm3/). - ### To 8.0.0 - Several parameters were renamed or disappeared in favor of new ones on this major version: @@ -520,16 +758,18 @@ Backwards compatibility is not guaranteed. To upgrade to `8.0.0`, install a new - Reuse the PVC used to hold the master data on your previous release. To do so, use the `primary.persistence.existingClaim` parameter. The following example assumes that the release name is `mariadb`: ```console -$ helm install mariadb my-repo/mariadb --set auth.rootPassword=[ROOT_PASSWORD] --set primary.persistence.existingClaim=[EXISTING_PVC] +helm install mariadb oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb --set auth.rootPassword=[ROOT_PASSWORD] --set primary.persistence.existingClaim=[EXISTING_PVC] ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + | Note: you need to substitute the placeholder _[EXISTING_PVC]_ with the name of the PVC used on your previous release, and _[ROOT_PASSWORD]_ with the root password used in your previous release. ### To 7.0.0 Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. -In https://github.com/helm/charts/pull/17308 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage. +In the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage. This major version bump signifies this change. @@ -546,18 +786,18 @@ Backwards compatibility is not guaranteed unless you modify the labels used on t Use the workaround below to upgrade from versions previous to 5.0.0. The following example assumes that the release name is mariadb: ```console -$ kubectl delete statefulset opencart-mariadb --cascade=false +kubectl delete statefulset opencart-mariadb --cascade=false ``` ## License -Copyright © 2023 Bitnami +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/.helmignore b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/.helmignore index 50af03172..d0e10845d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/.helmignore +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/.helmignore @@ -20,3 +20,7 @@ .idea/ *.tmproj .vscode/ +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/Chart.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/Chart.yaml index f9ba944c8..7205cfeff 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/Chart.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/Chart.yaml @@ -1,10 +1,11 @@ annotations: category: Infrastructure + licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.2.2 +appVersion: 2.27.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. -home: https://github.com/bitnami/charts/tree/main/bitnami/common +home: https://bitnami.com icon: https://bitnami.com/downloads/logos/bitnami-mark.png keywords: - common @@ -13,11 +14,10 @@ keywords: - function - bitnami maintainers: -- name: Bitnami +- name: Broadcom, Inc. All Rights Reserved. url: https://github.com/bitnami/charts name: common sources: -- https://github.com/bitnami/charts -- https://www.bitnami.com/ +- https://github.com/bitnami/charts/tree/main/bitnami/common type: library -version: 2.2.2 +version: 2.27.0 diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/README.md b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/README.md index ec43a5fab..3943ed04b 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/README.md +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/README.md @@ -1,18 +1,18 @@ # Bitnami Common Library Chart -A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. ## TL;DR ```yaml dependencies: - name: common - version: 1.x.x - repository: https://charts.bitnami.com/bitnami + version: 2.x.x + repository: oci://registry-1.docker.io/bitnamicharts ``` -```bash -$ helm dependency update +```console +helm dependency update ``` ```yaml @@ -24,6 +24,8 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. @@ -32,129 +34,11 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment ## Prerequisites -- Kubernetes 1.19+ -- Helm 3.2.0+ +- Kubernetes 1.23+ +- Helm 3.8.0+ ## Parameters -The following table lists the helpers available in the library which are scoped in different sections. - -### Affinities - -| Helper identifier | Description | Expected Input | -|-------------------------------|------------------------------------------------------|------------------------------------------------| -| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | -| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | -| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | -| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | -| `common.affinities.topologyKey` | Return a topologyKey definition | `dict "topologyKey" "FOO"` | - -### Capabilities - -| Helper identifier | Description | Expected Input | -|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| -| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | -| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | -| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | -| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | -| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | -| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | -| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | -| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | -| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | -| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context | -| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context | -| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | - -### Errors - -| Helper identifier | Description | Expected Input | -|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| -| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | - -### Images - -| Helper identifier | Description | Expected Input | -|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| -| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | -| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | -| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | - -### Ingress - -| Helper identifier | Description | Expected Input | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | -| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | -| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | -| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | - -### Labels - -| Helper identifier | Description | Expected Input | -|-----------------------------|-----------------------------------------------------------------------------|-------------------| -| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | -| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context | - -### Names - -| Helper identifier | Description | Expected Input | -|-----------------------------------|-----------------------------------------------------------------------|-------------------| -| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | -| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | -| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context | -| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context | -| `common.names.chart` | Chart name plus version | `.` Chart context | - -### Secrets - -| Helper identifier | Description | Expected Input | -|-----------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | -| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | -| `common.secrets.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | -| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | - -### Storage - -| Helper identifier | Description | Expected Input | -|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| -| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | - -### TplValues - -| Helper identifier | Description | Expected Input | -|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | - -### Utils - -| Helper identifier | Description | Expected Input | -|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| -| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | -| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | -| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | -| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | - -### Validations - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | -| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | -| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | -| `common.validations.values.mysql.passwords` | This helper will ensure required password for MySQL are not empty. It returns a shared error for all the values. | `dict "secret" "mysql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mysql chart and the helper. | -| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | -| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis® are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | -| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | -| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | - -### Warnings - -| Helper identifier | Description | Expected Input | -|------------------------------|----------------------------------|------------------------------------------------------------| -| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | - ## Special input schemas ### ImageRoot @@ -177,7 +61,7 @@ tag: pullPolicy: type: string - description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + description: Specify a imagePullPolicy.' pullSecrets: type: array @@ -300,7 +184,7 @@ keyMapping: If we force those values to be empty we will see some alerts ```console -$ helm install test mychart --set path.to.value00="",path.to.value01="" +helm install test mychart --set path.to.value00="",path.to.value01="" 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) @@ -316,33 +200,33 @@ $ helm install test mychart --set path.to.value00="",path.to.value01="" [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -**What changes were introduced in this major version?** +#### What changes were introduced in this major version? - Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. - Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. - The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts -**Considerations when upgrading to this version** +#### Considerations when upgrading to this version - If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues - If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore - If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 -**Useful links** +#### Useful links -- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ -- https://helm.sh/docs/topics/v2_v3_migration/ -- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ +- +- +- ## License -Copyright © 2022 Bitnami +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_affinities.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_affinities.tpl index 81902a681..d387dbe63 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_affinities.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_affinities.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* @@ -55,42 +60,86 @@ Return a topologyKey definition {{/* Return a soft podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}} +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} */}} {{- define "common.affinities.pods.soft" -}} {{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} {{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +{{- $extraNamespaces := default (list) .extraNamespaces -}} preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }} {{- if not (empty $component) }} {{ printf "app.kubernetes.io/component: %s" $component }} {{- end }} {{- range $key, $value := $extraMatchLabels }} {{ $key }}: {{ $value | quote }} {{- end }} + {{- if $extraNamespaces }} + namespaces: + - {{ .context.Release.Namespace }} + {{- with $extraNamespaces }} + {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }} + {{- end }} + {{- end }} topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} weight: 1 + {{- range $extraPodAffinityTerms }} + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: {{ .weight | default 1 -}} + {{- end -}} {{- end -}} {{/* Return a hard podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}} +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} */}} {{- define "common.affinities.pods.hard" -}} {{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} {{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +{{- $extraNamespaces := default (list) .extraNamespaces -}} requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }} {{- if not (empty $component) }} {{ printf "app.kubernetes.io/component: %s" $component }} {{- end }} {{- range $key, $value := $extraMatchLabels }} {{ $key }}: {{ $value | quote }} {{- end }} + {{- if $extraNamespaces }} + namespaces: + - {{ .context.Release.Namespace }} + {{- with $extraNamespaces }} + {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }} + {{- end }} + {{- end }} topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- range $extraPodAffinityTerms }} + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- end -}} {{- end -}} {{/* diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_capabilities.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_capabilities.tpl index 9d9b76004..2fe81d32d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_capabilities.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_capabilities.tpl @@ -1,25 +1,23 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Return the target Kubernetes version */}} {{- define "common.capabilities.kubeVersion" -}} -{{- if .Values.global }} - {{- if .Values.global.kubeVersion }} - {{- .Values.global.kubeVersion -}} - {{- else }} - {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} - {{- end -}} -{{- else }} -{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} -{{- end -}} +{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}} {{- end -}} {{/* Return the appropriate apiVersion for poddisruptionbudget. */}} {{- define "common.capabilities.policy.apiVersion" -}} -{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} {{- print "policy/v1beta1" -}} {{- else -}} {{- print "policy/v1" -}} @@ -30,7 +28,8 @@ Return the appropriate apiVersion for poddisruptionbudget. Return the appropriate apiVersion for networkpolicy. */}} {{- define "common.capabilities.networkPolicy.apiVersion" -}} -{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.7-0" $kubeVersion) -}} {{- print "extensions/v1beta1" -}} {{- else -}} {{- print "networking.k8s.io/v1" -}} @@ -41,18 +40,32 @@ Return the appropriate apiVersion for networkpolicy. Return the appropriate apiVersion for cronjob. */}} {{- define "common.capabilities.cronjob.apiVersion" -}} -{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} {{- print "batch/v1beta1" -}} {{- else -}} {{- print "batch/v1" -}} {{- end -}} {{- end -}} +{{/* +Return the appropriate apiVersion for daemonset. +*/}} +{{- define "common.capabilities.daemonset.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + {{/* Return the appropriate apiVersion for deployment. */}} {{- define "common.capabilities.deployment.apiVersion" -}} -{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} {{- print "extensions/v1beta1" -}} {{- else -}} {{- print "apps/v1" -}} @@ -63,7 +76,8 @@ Return the appropriate apiVersion for deployment. Return the appropriate apiVersion for statefulset. */}} {{- define "common.capabilities.statefulset.apiVersion" -}} -{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} {{- print "apps/v1beta1" -}} {{- else -}} {{- print "apps/v1" -}} @@ -74,30 +88,24 @@ Return the appropriate apiVersion for statefulset. Return the appropriate apiVersion for ingress. */}} {{- define "common.capabilities.ingress.apiVersion" -}} -{{- if .Values.ingress -}} -{{- if .Values.ingress.apiVersion -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if (.Values.ingress).apiVersion -}} {{- .Values.ingress.apiVersion -}} -{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} {{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} {{- print "networking.k8s.io/v1beta1" -}} {{- else -}} {{- print "networking.k8s.io/v1" -}} {{- end }} -{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} {{- end -}} {{/* Return the appropriate apiVersion for RBAC resources. */}} {{- define "common.capabilities.rbac.apiVersion" -}} -{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.17-0" $kubeVersion) -}} {{- print "rbac.authorization.k8s.io/v1beta1" -}} {{- else -}} {{- print "rbac.authorization.k8s.io/v1" -}} @@ -108,7 +116,8 @@ Return the appropriate apiVersion for RBAC resources. Return the appropriate apiVersion for CRDs. */}} {{- define "common.capabilities.crd.apiVersion" -}} -{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} {{- print "apiextensions.k8s.io/v1beta1" -}} {{- else -}} {{- print "apiextensions.k8s.io/v1" -}} @@ -119,7 +128,8 @@ Return the appropriate apiVersion for CRDs. Return the appropriate apiVersion for APIService. */}} {{- define "common.capabilities.apiService.apiVersion" -}} -{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.10-0" $kubeVersion) -}} {{- print "apiregistration.k8s.io/v1beta1" -}} {{- else -}} {{- print "apiregistration.k8s.io/v1" -}} @@ -130,7 +140,8 @@ Return the appropriate apiVersion for APIService. Return the appropriate apiVersion for Horizontal Pod Autoscaler. */}} {{- define "common.capabilities.hpa.apiVersion" -}} -{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} {{- if .beta2 -}} {{- print "autoscaling/v2beta2" -}} {{- else -}} @@ -141,6 +152,70 @@ Return the appropriate apiVersion for Horizontal Pod Autoscaler. {{- end -}} {{- end -}} +{{/* +Return the appropriate apiVersion for Vertical Pod Autoscaler. +*/}} +{{- define "common.capabilities.vpa.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if PodSecurityPolicy is supported +*/}} +{{- define "common.capabilities.psp.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if or (empty $kubeVersion) (semverCompare "<1.25-0" $kubeVersion) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if AdmissionConfiguration is supported +*/}} +{{- define "common.capabilities.admissionConfiguration.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if or (empty $kubeVersion) (not (semverCompare "<1.23-0" $kubeVersion)) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for AdmissionConfiguration. +*/}} +{{- define "common.capabilities.admissionConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- print "apiserver.config.k8s.io/v1alpha1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "apiserver.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiserver.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for PodSecurityConfiguration. +*/}} +{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "pod-security.admission.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "pod-security.admission.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + {{/* Returns true if the used Helm version is 3.3+. A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_compatibility.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..a61588d68 --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_compatibility.tpl @@ -0,0 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return true if the detected platform is Openshift +Usage: +{{- include "common.compatibility.isOpenshift" . -}} +*/}} +{{- define "common.compatibility.isOpenshift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC +Usage: +{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} +*/}} +{{- define "common.compatibility.renderSecurityContext" -}} +{{- $adaptedContext := .secContext -}} + +{{- if (((.context.Values.global).compatibility).openshift) -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} + {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- if not .secContext.seLinuxOptions -}} + {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{/* Remove empty seLinuxOptions object if global.compatibility.omitEmptySeLinuxOptions is set to true */}} +{{- if and (((.context.Values.global).compatibility).omitEmptySeLinuxOptions) (not .secContext.seLinuxOptions) -}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} +{{- end -}} +{{/* Remove fields that are disregarded when running the container in privileged mode */}} +{{- if $adaptedContext.privileged -}} + {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_errors.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_errors.tpl index a79cc2e32..e96536519 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_errors.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_errors.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Through error when upgrading using empty passwords values that must not be empty. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_images.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_images.tpl index 46c659e79..76bb7ce44 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_images.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_images.tpl @@ -1,23 +1,34 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* -Return the proper image name -{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +Return the proper image name. +If image tag and digest are not defined, termination fallbacks to chart appVersion. +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "chart" .Chart ) }} */}} {{- define "common.images.image" -}} -{{- $registryName := .imageRoot.registry -}} +{{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}} {{- $repositoryName := .imageRoot.repository -}} {{- $separator := ":" -}} {{- $termination := .imageRoot.tag | toString -}} -{{- if .global }} - {{- if .global.imageRegistry }} - {{- $registryName = .global.imageRegistry -}} - {{- end -}} + +{{- if not .imageRoot.tag }} + {{- if .chart }} + {{- $termination = .chart.AppVersion | toString -}} + {{- end -}} {{- end -}} {{- if .imageRoot.digest }} {{- $separator = "@" -}} {{- $termination = .imageRoot.digest | toString -}} {{- end -}} -{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} {{- end -}} {{/* @@ -27,21 +38,27 @@ Return the proper Docker Image Registry Secret Names (deprecated: use common.ima {{- define "common.images.pullSecrets" -}} {{- $pullSecrets := list }} - {{- if .global }} - {{- range .global.imagePullSecrets -}} + {{- range ((.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} {{- $pullSecrets = append $pullSecrets . -}} - {{- end -}} + {{- end }} {{- end -}} {{- range .images -}} {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets . -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} {{- end -}} {{- end -}} - {{- if (not (empty $pullSecrets)) }} + {{- if (not (empty $pullSecrets)) -}} imagePullSecrets: - {{- range $pullSecrets }} + {{- range $pullSecrets | uniq }} - name: {{ . }} {{- end }} {{- end }} @@ -55,22 +72,44 @@ Return the proper Docker Image Registry Secret Names evaluating values as templa {{- $pullSecrets := list }} {{- $context := .context }} - {{- if $context.Values.global }} - {{- range $context.Values.global.imagePullSecrets -}} + {{- range (($context.Values.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} {{- end -}} {{- end -}} {{- range .images -}} {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} {{- end -}} {{- end -}} - {{- if (not (empty $pullSecrets)) }} + {{- if (not (empty $pullSecrets)) -}} imagePullSecrets: - {{- range $pullSecrets }} + {{- range $pullSecrets | uniq }} - name: {{ . }} {{- end }} {{- end }} {{- end -}} + +{{/* +Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion) +{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }} +*/}} +{{- define "common.images.version" -}} +{{- $imageTag := .imageRoot.tag | toString -}} +{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}} +{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}} + {{- $version := semver $imageTag -}} + {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}} +{{- else -}} + {{- print .chart.AppVersion -}} +{{- end -}} +{{- end -}} + diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_ingress.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_ingress.tpl index 831da9caa..7d2b87985 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_ingress.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_ingress.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_labels.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_labels.tpl index 252066c7e..0a0cc5488 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_labels.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_labels.tpl @@ -1,18 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} + {{/* Kubernetes standard labels +{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}} */}} {{- define "common.labels.standard" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}} +{{- with .context.Chart.AppVersion -}} +{{- $_ := set $default "app.kubernetes.io/version" . -}} +{{- end -}} +{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }} +{{- else -}} app.kubernetes.io/name: {{ include "common.names.name" . }} helm.sh/chart: {{ include "common.names.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Chart.AppVersion }} +app.kubernetes.io/version: {{ . | quote }} +{{- end -}} +{{- end -}} {{- end -}} {{/* -Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector +{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}} + +We don't want to loop over custom labels appending them to the selector +since it's very likely that it will break deployments, services, etc. +However, it's important to overwrite the standard labels if the user +overwrote them on metadata.labels fields. */}} {{- define "common.labels.matchLabels" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }} +{{- else -}} app.kubernetes.io/name: {{ include "common.names.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} +{{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_names.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_names.tpl index 617a23489..ba8395685 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_names.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_names.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Expand the name of the chart. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_resources.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_resources.tpl new file mode 100644 index 000000000..d8a43e1c2 --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_resources.tpl @@ -0,0 +1,50 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "common.resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "common.resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi") + ) + "xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_secrets.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_secrets.tpl index a1708b2e8..bfef46978 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_secrets.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_secrets.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Generate secret name. @@ -62,7 +67,7 @@ Params: Generate secret password or retrieve one if already created. Usage: -{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $) }} Params: - secret - String - Required - Name of the 'Secret' resource where the password is stored. @@ -72,13 +77,18 @@ Params: - strong - Boolean - Optional - Whether to add symbols to the generated random password. - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - + - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. + - honorProvidedValues - Boolean - Optional - Default to false. If set to true, the values in providedValues have higher priority than an existing secret The order in which this function returns a secret password: - 1. Already existing 'Secret' resource + 1. Password provided via the values.yaml if honorProvidedValues = true + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 2. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) - 2. Password provided via the values.yaml + 3. Password provided via the values.yaml if honorProvidedValues = false (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) - 3. Randomly generated secret password + 4. Randomly generated secret password (A new random secret password with the length specified in the 'length' parameter will be generated and returned) */}} @@ -93,33 +103,49 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} {{- end -}} -{{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} -{{- else }} - - {{- if .context.Values.enabled }} - {{- $subchart = $chartName }} - {{- end -}} +{{- end }} - {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} - {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} - {{- $passwordValidationErrors := list $requiredPasswordError -}} - {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} +{{- if and $providedPasswordValue .honorProvidedValues }} + {{- $password = $providedPasswordValue | toString }} +{{- end }} - {{- if .strong }} - {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} - {{- $password = randAscii $passwordLength }} - {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} +{{- if not $password }} + {{- if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} - {{- end }} + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- if not (eq .failOnNew false) }} + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + {{- end }} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} + {{- else }} + {{- $password = randAlphaNum $passwordLength }} + {{- end }} + {{- end -}} +{{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} {{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* @@ -137,15 +163,16 @@ Params: */}} {{- define "common.secrets.lookup" -}} {{- $value := "" -}} -{{- $defaultValue := required "\n'common.secrets.lookup': Argument 'defaultValue' missing or empty" .defaultValue -}} {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}} {{- if and $secretData (hasKey $secretData .key) -}} {{- $value = index $secretData .key -}} -{{- else -}} - {{- $value = $defaultValue | toString | b64enc -}} +{{- else if .defaultValue -}} + {{- $value = .defaultValue | toString | b64enc -}} {{- end -}} +{{- if $value -}} {{- printf "%s" $value -}} {{- end -}} +{{- end -}} {{/* Returns whether a previous generated secret already exists diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_storage.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_storage.tpl index 60e2a844f..aa75856c0 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_storage.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_storage.tpl @@ -1,23 +1,21 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} + {{/* Return the proper Storage Class {{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} */}} {{- define "common.storage.class" -}} - -{{- $storageClass := .persistence.storageClass -}} -{{- if .global -}} - {{- if .global.storageClass -}} - {{- $storageClass = .global.storageClass -}} - {{- end -}} -{{- end -}} - +{{- $storageClass := (.global).storageClass | default .persistence.storageClass | default (.global).defaultStorageClass | default "" -}} {{- if $storageClass -}} {{- if (eq "-" $storageClass) -}} {{- printf "storageClassName: \"\"" -}} - {{- else }} + {{- else -}} {{- printf "storageClassName: %s" $storageClass -}} {{- end -}} {{- end -}} - {{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_tplvalues.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_tplvalues.tpl index 2db166851..a04f4c1eb 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_tplvalues.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_tplvalues.tpl @@ -1,13 +1,52 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* -Renders a value that contains template. +Renders a value that contains template perhaps with scope if the scope is present. Usage: -{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} */}} {{- define "common.tplvalues.render" -}} - {{- if typeIs "string" .value }} - {{- tpl .value .context }} - {{- else }} - {{- tpl (.value | toYaml) .context }} - {{- end }} +{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} +{{- if contains "{{" (toJson .value) }} + {{- if .scope }} + {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} + {{- else }} + {{- tpl $value .context }} + {{- end }} +{{- else }} + {{- $value }} +{{- end }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge +Usage: +{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with https://masterminds.github.io/sprig/dicts.html#mergeoverwrite-mustmergeoverwrite +Usage: +{{ include "common.tplvalues.merge-overwrite" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge-overwrite" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | mergeOverwrite $dst -}} +{{- end -}} +{{ $dst | toYaml }} {{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_utils.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_utils.tpl index b1ead50cf..d53c74aa2 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_utils.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_utils.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Print instructions to get a secret value. @@ -60,3 +65,13 @@ Usage: {{- end -}} {{- printf "%s" $key -}} {{- end -}} + +{{/* +Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376). +Usage: +{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }} +*/}} +{{- define "common.utils.checksumTemplate" -}} +{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}} +{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }} +{{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_warnings.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_warnings.tpl index ae10fa41e..62c44dfca 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_warnings.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/_warnings.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Warning about using rolling tag. @@ -8,7 +13,97 @@ Usage: {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ ++info https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html {{- end }} +{{- end -}} +{{/* +Warning about replaced images from the original. +Usage: +{{ include "common.warnings.modifiedImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} +*/}} +{{- define "common.warnings.modifiedImages" -}} +{{- $affectedImages := list -}} +{{- $printMessage := false -}} +{{- $originalImages := .context.Chart.Annotations.images -}} +{{- range .images -}} + {{- $fullImageName := printf (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- if not (contains $fullImageName $originalImages) }} + {{- $affectedImages = append $affectedImages (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- $printMessage = true -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +âš  SECURITY WARNING: Original containers have been substituted. This Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables. + +Substituted images detected: +{{- range $affectedImages }} + - {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . -}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} {{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_cassandra.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_cassandra.tpl index ded1ae3bc..f8fd213bc 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_cassandra.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_cassandra.tpl @@ -1,30 +1,9 @@ -{{/* vim: set filetype=mustache: */}} {{/* -Validate Cassandra required passwords are not empty. - -Usage: -{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.cassandra.passwords" -}} - {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} - {{- $enabled := include "common.cassandra.values.enabled" . -}} - {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} - {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to get the right value for existingSecret. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_mariadb.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_mariadb.tpl index b6906ff77..6ea8c0f45 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_mariadb.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_mariadb.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Validate MariaDB required passwords are not empty. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_mongodb.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_mongodb.tpl index f820ec107..e678a6de8 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_mongodb.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_mongodb.tpl @@ -1,50 +1,9 @@ -{{/* vim: set filetype=mustache: */}} {{/* -Validate MongoDB® required passwords are not empty. - -Usage: -{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" - - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.mongodb.passwords" -}} - {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mongodb.values.enabled" . -}} - {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} - {{- $architecture := include "common.mongodb.values.architecture" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} - {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} - - {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} - {{- if and $valueUsername $valueDatabase -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replicaset") -}} - {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to get the right value for existingSecret. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_mysql.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_mysql.tpl index 74472a061..fbb65c338 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_mysql.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_mysql.tpl @@ -1,45 +1,9 @@ -{{/* vim: set filetype=mustache: */}} {{/* -Validate MySQL required passwords are not empty. - -Usage: -{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret" - - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.mysql.passwords" -}} - {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mysql.values.enabled" . -}} - {{- $architecture := include "common.mysql.values.architecture" . -}} - {{- $authPrefix := include "common.mysql.values.key.auth" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- if not (empty $valueUsername) -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replication") -}} - {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to get the right value for existingSecret. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_postgresql.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_postgresql.tpl index 164ec0d01..51d47162e 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_postgresql.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_postgresql.tpl @@ -1,33 +1,9 @@ -{{/* vim: set filetype=mustache: */}} {{/* -Validate PostgreSQL required passwords are not empty. - -Usage: -{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.postgresql.passwords" -}} - {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} - {{- $enabled := include "common.postgresql.values.enabled" . -}} - {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} - {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} - - {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} - {{- if (eq $enabledReplication "true") -}} - {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to decide whether evaluate global values. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_redis.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_redis.tpl index dcccfc1ae..9fedfef9d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_redis.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_redis.tpl @@ -1,38 +1,10 @@ - -{{/* vim: set filetype=mustache: */}} {{/* -Validate Redis® required passwords are not empty. - -Usage: -{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" - - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.redis.passwords" -}} - {{- $enabled := include "common.redis.values.enabled" . -}} - {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} - {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} - - {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} - {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} - {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} - {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} - {{- if eq $useAuth "true" -}} - {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to get the right value for enabled redis. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_validations.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_validations.tpl index 9a814cf40..7cdee6170 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_validations.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/templates/validations/_validations.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Validate values must not be empty. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/values.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/values.yaml index f2df68e5e..de2cac57d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/values.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/charts/common/values.yaml @@ -1,3 +1,6 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + ## bitnami/common ## It is required by CI/CD tools and processes. ## @skip exampleValue diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/NOTES.txt b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/NOTES.txt index c1039e6ff..c5e111029 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/NOTES.txt +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/NOTES.txt @@ -62,7 +62,7 @@ To upgrade this helm chart: 1. Obtain the password as described on the 'Administrator credentials' section and set the 'auth.rootPassword' parameter as shown below: ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "mariadb.secretName" . }} -o jsonpath="{.data.mariadb-root-password}" | base64 -d) - helm upgrade --namespace {{ .Release.Namespace }} {{ .Release.Name }} my-repo/mariadb --set auth.rootPassword=$ROOT_PASSWORD + helm upgrade --namespace {{ .Release.Namespace }} {{ .Release.Name }} oci://registry-1.docker.io/bitnamicharts/mariadb --set auth.rootPassword=$ROOT_PASSWORD {{- include "common.warnings.rollingTag" .Values.image }} {{- include "common.warnings.rollingTag" .Values.metrics.image }} @@ -73,3 +73,5 @@ To upgrade this helm chart: {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}} {{- end }} {{- end }} +{{- include "common.warnings.resources" (dict "sections" (list "metrics" "primary" "secondary" "volumePermissions") "context" $) }} +{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} \ No newline at end of file diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/_helpers.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/_helpers.tpl index 49cb4a475..583bb2b2e 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/_helpers.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/_helpers.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{- define "mariadb.primary.fullname" -}} @@ -63,6 +68,25 @@ Create the name of the service account to use {{- end -}} {{- end -}} +{{/* +Return the MariaDB TLS credentials secret +*/}} +{{- define "mariadb.tlsSecretName" -}} +{{- if .Values.tls.existingSecret -}} + {{- print (tpl .Values.tls.existingSecret $) -}} +{{- else -}} + {{- printf "%s-crt" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "mariadb.tlsCACert" -}} +{{- if or (eq .Values.tls.autoGenerated.engine "helm") (and (not .Values.tls.autoGenerated.enabled) (empty .Values.tls.existingSecret) .Values.tls.ca) -}} + {{- printf "/opt/bitnami/mariadb/certs/%s" "ca.crt" -}} +{{- else }} + {{- ternary "" (printf "/opt/bitnami/mariadb/certs/%s" .Values.tls.certCAFilename) (empty .Values.tls.certCAFilename) }} +{{- end -}} +{{- end -}} + {{/* Return the configmap with the MariaDB Primary configuration */}} @@ -112,7 +136,36 @@ Return the secret with MariaDB credentials {{- if .Values.auth.existingSecret -}} {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} {{- else -}} - {{- printf "%s" (include "common.names.fullname" .) -}} + {{- include "common.names.fullname" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return the secret with previous MariaDB credentials +*/}} +{{- define "mariadb.update-job.previousSecretName" -}} + {{- if .Values.passwordUpdateJob.previousPasswords.existingSecret -}} + {{- /* The secret with the new password is managed externally */ -}} + {{- tpl .Values.passwordUpdateJob.previousPasswords.existingSecret $ -}} + {{- else if .Values.passwordUpdateJob.previousPasswords.rootPassword -}} + {{- /* The secret with the new password is managed externally */ -}} + {{- printf "%s-previous-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{- /* The secret with the new password is managed by the helm chart. We use the current secret name as it has the old password */ -}} + {{- include "common.names.fullname" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return the secret with new MariaDB credentials +*/}} +{{- define "mariadb.update-job.newSecretName" -}} + {{- if and (not .Values.passwordUpdateJob.previousPasswords.existingSecret) (not .Values.passwordUpdateJob.previousPasswords.rootPassword) -}} + {{- /* The secret with the new password is managed by the helm chart. We create a new secret as the current one has the old password */ -}} + {{- printf "%s-new-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{- /* The secret with the new password is managed externally */ -}} + {{- include "mariadb.secretName" . -}} {{- end -}} {{- end -}} @@ -125,6 +178,15 @@ Return true if a secret object should be created for MariaDB {{- end -}} {{- end -}} +{{/* +Return true if a secret object should be created for MariaDB +*/}} +{{- define "mariadb.createPreviousSecret" -}} +{{- if and .Values.passwordUpdateJob.previousPasswords.rootPassword (not .Values.passwordUpdateJob.previousPasswords.existingSecret) }} + {{- true -}} +{{- end -}} +{{- end -}} + {{/* Compile all warnings into a single message, and call fail. */}} @@ -147,3 +209,13 @@ mariadb: architecture "replication". Please set a valid architecture (--set architecture="xxxx") {{- end -}} {{- end -}} + +{{/* +Get existing password to access MariaDB +*/}} +{{- define "mariadb.secret.existPassword" -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "mariadb.secretName" .)).data -}} +{{- if hasKey $secret "mariadb-password" }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/ca-cert.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/ca-cert.yaml new file mode 100644 index 000000000..930ac3c1a --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/ca-cert.yaml @@ -0,0 +1,56 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.tls.enabled .Values.tls.autoGenerated.enabled (eq .Values.tls.autoGenerated.engine "cert-manager") }} +{{- if empty .Values.tls.autoGenerated.certManager.existingIssuer }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ printf "%s-clusterissuer" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb + app.kubernetes.io/component: mariadb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + selfSigned: {} +--- +{{- end }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb + app.kubernetes.io/component: mariadb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + secretName: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }} + commonName: {{ printf "%s-ca" (include "common.names.fullname" .) }} + isCA: true + issuerRef: + name: {{ default (printf "%s-clusterissuer" (include "common.names.fullname" .)) .Values.tls.autoGenerated.certManager.existingIssuer }} + kind: {{ default "Issuer" .Values.tls.autoGenerated.certManager.existingIssuerKind }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ printf "%s-ca-issuer" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb + app.kubernetes.io/component: mariadb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + ca: + secretName: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }} +{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/cert.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/cert.yaml new file mode 100644 index 000000000..52761fa7f --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/cert.yaml @@ -0,0 +1,48 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.tls.enabled .Values.tls.autoGenerated.enabled (eq .Values.tls.autoGenerated.engine "cert-manager") }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ printf "%s-crt" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb + app.kubernetes.io/component: mariadb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + secretName: {{ printf "%s-crt" (include "common.names.fullname" .) }} + commonName: {{ printf "%s.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" .) .Values.clusterDomain }} + issuerRef: + name: {{ printf "%s-ca-issuer" (include "common.names.fullname" .) }} + kind: Issuer + subject: + organizations: + - "MariaDB" + dnsNames: + - '*.{{ include "common.names.namespace" . }}' + - '*.{{ include "common.names.namespace" . }}.svc' + - '*.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}' + - '*.{{ include "mariadb.primary.fullname" . }}' + - '*.{{ include "mariadb.primary.fullname" . }}.{{ include "common.names.namespace" . }}' + - '*.{{ include "mariadb.primary.fullname" . }}.{{ include "common.names.namespace" . }}.svc' + - '*.{{ include "mariadb.primary.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}' + - '*.{{ include "mariadb.secondary.fullname" . }}' + - '*.{{ include "mariadb.secondary.fullname" . }}.{{ include "common.names.namespace" . }}' + - '*.{{ include "mariadb.secondary.fullname" . }}.{{ include "common.names.namespace" . }}.svc' + - '*.{{ include "mariadb.secondary.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}' + - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}' + - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}.{{ include "common.names.namespace" . }}' + - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}.{{ include "common.names.namespace" . }}.svc' + - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}' + privateKey: + algorithm: {{ .Values.tls.autoGenerated.certManager.keyAlgorithm }} + size: {{ int .Values.tls.autoGenerated.certManager.keySize }} + duration: {{ .Values.tls.autoGenerated.certManager.duration }} + renewBefore: {{ .Values.tls.autoGenerated.certManager.renewBefore }} +{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/extra-list.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/extra-list.yaml index 9ac65f9e1..329f5c653 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/extra-list.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/extra-list.yaml @@ -1,3 +1,8 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- range .Values.extraDeploy }} --- {{ include "common.tplvalues.render" (dict "value" . "context" $) }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/headless-svc.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/headless-svc.yaml new file mode 100644 index 000000000..9c032777b --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/headless-svc.yaml @@ -0,0 +1,36 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb + {{- if or .Values.primary.service.headless.annotations .Values.commonAnnotations }} + annotations: + {{- if or .Values.primary.service.headless.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} + {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: ClusterIP + publishNotReadyAddresses: true + clusterIP: None + ports: + - name: mysql + port: {{ .Values.primary.containerPorts.mysql }} + protocol: TCP + targetPort: mysql + {{- if .Values.metrics.enabled }} + - name: metrics + port: {{ .Values.metrics.containerPorts.http }} + protocol: TCP + targetPort: metrics + {{- end }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/networkpolicy-egress.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/networkpolicy-egress.yaml deleted file mode 100644 index 84f5d839f..000000000 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/networkpolicy-egress.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-egress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - {{- include "common.labels.standard" . | nindent 6 }} - policyTypes: - - Egress - egress: - {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} - - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - to: - - namespaceSelector: {} - {{- end }} - {{- if .Values.networkPolicy.egressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/networkpolicy.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/networkpolicy.yaml new file mode 100644 index 000000000..a019b8e92 --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/networkpolicy.yaml @@ -0,0 +1,77 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow connection to other cluster pods + - ports: + - port: {{ .Values.primary.containerPorts.mysql }} + - port: {{ .Values.secondary.containerPorts.mysql }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.primary.containerPorts.mysql }} + - port: {{ .Values.secondary.containerPorts.mysql }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.http }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/configmap.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/configmap.yaml index ae4d5b17e..47e20ca3a 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/configmap.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/configmap.yaml @@ -1,18 +1,21 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if (include "mariadb.primary.createConfigmap" .) }} apiVersion: v1 kind: ConfigMap metadata: name: {{ include "mariadb.primary.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: primary - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} data: my.cnf: |- -{{ .Values.primary.configuration | indent 4 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }} {{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/initialization-configmap.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/initialization-configmap.yaml index f85903c30..31888955c 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/initialization-configmap.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/initialization-configmap.yaml @@ -1,11 +1,20 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if and .Values.initdbScripts (not .Values.initdbScriptsConfigMap) }} apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-init-scripts" (include "mariadb.primary.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: primary + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} data: {{- include "common.tplvalues.render" (dict "value" .Values.initdbScripts "context" .) | nindent 2 }} {{ end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/networkpolicy-ingress.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/networkpolicy-ingress.yaml deleted file mode 100644 index 125d0dda9..000000000 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/networkpolicy-ingress.yaml +++ /dev/null @@ -1,56 +0,0 @@ -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-ingress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - app.kubernetes.io/component: primary - {{- include "common.labels.standard" . | nindent 6 }} - ingress: - {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - - from: - {{- if .Values.networkPolicy.metrics.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.metrics.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }} - - from: - - podSelector: - matchLabels: - app.kubernetes.io/component: secondary - {{- include "common.labels.standard" . | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/pdb.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/pdb.yaml index d92305869..75617269a 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/pdb.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/pdb.yaml @@ -1,14 +1,17 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if .Values.primary.pdb.create }} apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ include "mariadb.primary.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: primary - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} @@ -16,10 +19,11 @@ spec: {{- if .Values.primary.pdb.minAvailable }} minAvailable: {{ .Values.primary.pdb.minAvailable }} {{- end }} - {{- if .Values.primary.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.primary.pdb.maxUnavailable }} + {{- if or .Values.primary.pdb.maxUnavailable (not .Values.primary.pdb.minAvailable) }} + maxUnavailable: {{ .Values.primary.pdb.maxUnavailable | default 1 }} {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: primary {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/statefulset.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/statefulset.yaml index fd2608900..6f9d88e47 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/statefulset.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/statefulset.yaml @@ -1,23 +1,28 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} kind: StatefulSet metadata: name: {{ include "mariadb.primary.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: primary - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: replicas: 1 revisionHistoryLimit: {{ .Values.primary.revisionHistoryLimit }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: primary - serviceName: {{ include "mariadb.primary.fullname" . }} + serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} {{- if .Values.primary.updateStrategy }} updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }} {{- end }} @@ -27,19 +32,18 @@ spec: {{- if (include "mariadb.primary.createConfigmap" .) }} checksum/configuration: {{ include (print $.Template.BasePath "/primary/configmap.yaml") . | sha256sum }} {{- end }} + {{- if .Values.passwordUpdateJob.enabled }} + charts.bitnami.com/password-last-update: {{ now | date "20060102150405" | quote }} + {{- end }} {{- if .Values.primary.podAnnotations }} {{- include "common.tplvalues.render" (dict "value" .Values.primary.podAnnotations "context" $) | nindent 8 }} {{- end }} - labels: {{- include "common.labels.standard" . | nindent 8 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: primary - {{- if .Values.primary.podLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.primary.podLabels "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} - {{- end }} spec: {{- include "mariadb.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.primary.automountServiceAccountToken }} {{- if .Values.primary.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }} {{- end }} @@ -51,8 +55,8 @@ spec: affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }} {{- else }} affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }} + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }} nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }} {{- end }} {{- if .Values.primary.nodeSelector }} @@ -78,13 +82,35 @@ spec: runtimeClassName: {{ .Values.runtimeClassName | quote }} {{- end }} {{- if .Values.primary.podSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }} {{- end }} - {{- if or .Values.primary.initContainers (and .Values.primary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.primary.persistence.enabled) }} initContainers: - {{- if .Values.primary.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.primary.initContainers "context" $) | nindent 8 }} - {{- end }} + - name: preserve-logs-symlinks + image: {{ include "mariadb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.primary.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.primary.resources }} + resources: {{ toYaml .Values.primary.resources | nindent 12 }} + {{- else if ne .Values.primary.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }} + {{- end }} + command: + - /bin/bash + args: + - -ec + - | + #!/bin/bash + + . /opt/bitnami/scripts/libfs.sh + # We copy the logs folder because it has symlinks to stdout and stderr + if ! is_dir_empty /opt/bitnami/mariadb/logs; then + cp -r /opt/bitnami/mariadb/logs /emptydir/app-logs-dir + fi + volumeMounts: + - name: empty-dir + mountPath: /emptydir {{- if and .Values.primary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.primary.persistence.enabled }} - name: volume-permissions image: {{ include "mariadb.volumePermissions.image" . }} @@ -98,6 +124,8 @@ spec: runAsUser: 0 {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data @@ -105,14 +133,19 @@ spec: {{- if .Values.primary.persistence.subPath }} subPath: {{ .Values.primary.persistence.subPath }} {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- end }} + {{- if .Values.primary.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.initContainers "context" $) | nindent 8 }} {{- end }} - {{- end }} containers: - name: mariadb image: {{ include "mariadb.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.primary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -156,6 +189,12 @@ spec: {{- end }} - name: MARIADB_DATABASE value: {{ .Values.auth.database | quote }} + - name: MARIADB_ENABLE_SSL + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if and .Values.tls.enabled (include "mariadb.tlsCACert" .) }} + - name: MYSQL_CLIENT_CA_FILE + value: {{ include "mariadb.tlsCACert" . | quote }} + {{- end }} {{- if eq .Values.architecture "replication" }} - name: MARIADB_REPLICATION_MODE value: "master" @@ -198,7 +237,7 @@ spec: {{- end }} ports: - name: mysql - containerPort: 3306 + containerPort: {{ .Values.primary.containerPorts.mysql }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.primary.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }} @@ -213,7 +252,7 @@ spec: if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") fi - mysqladmin status -uroot -p"${password_aux}" + mariadb-admin ping -uroot -p"${password_aux}" {{- end }} {{- if .Values.primary.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }} @@ -228,7 +267,7 @@ spec: if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") fi - mysqladmin status -uroot -p"${password_aux}" + mariadb-admin status -uroot -p"${password_aux}" {{- end }} {{- if .Values.primary.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }} @@ -243,11 +282,13 @@ spec: if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") fi - mysqladmin status -uroot -p"${password_aux}" + mariadb-admin ping -uroot -p"${password_aux}" {{- end }} {{- end }} {{- if .Values.primary.resources }} resources: {{ toYaml .Values.primary.resources | nindent 12 }} + {{- else if ne .Values.primary.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data @@ -268,6 +309,22 @@ spec: - name: mariadb-credentials mountPath: /opt/bitnami/mariadb/secrets/ {{- end }} + {{- if .Values.tls.enabled }} + - name: cert + mountPath: /opt/bitnami/mariadb/certs + {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mariadb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mariadb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mariadb/logs + subPath: app-logs-dir {{- if .Values.primary.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} @@ -276,7 +333,7 @@ spec: image: {{ include "mariadb.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: {{- if .Values.auth.usePasswordFiles }} @@ -301,11 +358,11 @@ spec: if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") fi - DATA_SOURCE_NAME="root:${password_aux}@(localhost:3306)/" /bin/mysqld_exporter {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} + MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:{{ .Values.primary.containerPorts.mysql }} --mysqld.username=root --web.listen-address=:{{ .Values.metrics.containerPorts.http }} {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} {{- end }} ports: - name: metrics - containerPort: 9104 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.livenessProbe.enabled }} livenessProbe: {{- omit .Values.metrics.livenessProbe "enabled" | toYaml | nindent 12 }} @@ -322,8 +379,13 @@ spec: {{- end }} {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} - name: mariadb-credentials mountPath: /opt/bitnami/mysqld-exporter/secrets/ @@ -336,6 +398,8 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.primary.sidecars "context" $) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if or .Values.primary.configuration .Values.primary.existingConfigmap }} - name: config configMap: @@ -360,6 +424,12 @@ spec: path: mariadb-replication-password {{- end }} {{- end }} + {{- if .Values.tls.enabled }} + - name: cert + secret: + secretName: {{ include "mariadb.tlsSecretName" . }} + defaultMode: 256 + {{- end }} {{- if .Values.primary.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumes "context" $) | nindent 8 }} {{- end }} @@ -374,7 +444,8 @@ spec: volumeClaimTemplates: - metadata: name: data - labels: {{ include "common.labels.matchLabels" . | nindent 10 }} + {{- $claimLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.persistence.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.matchLabels" ( dict "customLabels" $claimLabels "context" $ ) | nindent 10 }} app.kubernetes.io/component: primary {{- if .Values.primary.persistence.annotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.primary.persistence.annotations "context" $ ) | nindent 10 }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/svc.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/svc.yaml index 85d31562e..f42579037 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/svc.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/primary/svc.yaml @@ -1,19 +1,20 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + apiVersion: v1 kind: Service metadata: name: {{ include "mariadb.primary.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: primary - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.primary.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.service.annotations "context" $ ) | nindent 4 }} + {{- if or .Values.primary.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.annotations .Values.commonAnnotations ) "context" . ) }} + {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} {{- end }} {{- if and .Values.metrics.enabled .Values.metrics.annotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.annotations "context" $ ) | nindent 4 }} @@ -27,7 +28,7 @@ spec: externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }} {{- end }} {{- if and (eq .Values.primary.service.type "LoadBalancer") .Values.primary.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.primary.service.loadBalancerSourceRanges | nindent 4 }} {{ end }} {{- if (and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP))) }} loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }} @@ -57,5 +58,6 @@ spec: {{- if .Values.primary.service.extraPorts }} {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }} {{- end }} - selector: {{ include "common.labels.matchLabels" . | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: primary diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/prometheusrules.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/prometheusrules.yaml index 523e533b0..75bc1a5d0 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/prometheusrules.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/prometheusrules.yaml @@ -1,18 +1,17 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: {{ include "common.names.fullname" . }} - {{- if .Values.metrics.prometheusRule.namespace }} - namespace: {{ .Values.metrics.prometheusRule.namespace }} - {{- else }} - namespace: {{ .Release.Namespace | quote }} - {{- end }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: metrics - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if .Values.metrics.prometheusRule.additionalLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/role.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/role.yaml index a561f51cc..0db435b67 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/role.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/role.yaml @@ -1,13 +1,16 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if and .Values.serviceAccount.create .Values.rbac.create }} apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: Role metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/rolebinding.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/rolebinding.yaml index 671aa6efd..bc91f61df 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/rolebinding.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/rolebinding.yaml @@ -1,13 +1,16 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if and .Values.serviceAccount.create .Values.rbac.create }} kind: RoleBinding apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/configmap.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/configmap.yaml index 4cfec646a..9d4544d58 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/configmap.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/configmap.yaml @@ -1,18 +1,21 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if (include "mariadb.secondary.createConfigmap" .) }} apiVersion: v1 kind: ConfigMap metadata: name: {{ include "mariadb.secondary.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: secondary - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} data: my.cnf: |- -{{ .Values.secondary.configuration | indent 4 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.secondary.configuration "context" $ ) | nindent 4 }} {{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/networkpolicy-ingress.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/networkpolicy-ingress.yaml deleted file mode 100644 index 51a88855e..000000000 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/networkpolicy-ingress.yaml +++ /dev/null @@ -1,49 +0,0 @@ -{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-ingress-secondary" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - app.kubernetes.io/component: secondary - {{- include "common.labels.standard" . | nindent 6 }} - ingress: - {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - - from: - {{- if .Values.networkPolicy.metrics.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.metrics.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/pdb.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/pdb.yaml index cae28ffdd..e79580e8f 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/pdb.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/pdb.yaml @@ -1,14 +1,17 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if and (eq .Values.architecture "replication") .Values.secondary.pdb.create }} apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ include "mariadb.secondary.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: secondary - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} @@ -16,10 +19,11 @@ spec: {{- if .Values.secondary.pdb.minAvailable }} minAvailable: {{ .Values.secondary.pdb.minAvailable }} {{- end }} - {{- if .Values.secondary.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.secondary.pdb.maxUnavailable }} + {{- if or .Values.secondary.pdb.maxUnavailable (not .Values.secondary.pdb.minAvailable) }} + maxUnavailable: {{ .Values.secondary.pdb.maxUnavailable | default 1 }} {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: secondary {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/statefulset.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/statefulset.yaml index c88d4ad6f..33a88e81b 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/statefulset.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/statefulset.yaml @@ -1,24 +1,29 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if eq .Values.architecture "replication" }} apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} kind: StatefulSet metadata: name: {{ include "mariadb.secondary.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: secondary - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: replicas: {{ .Values.secondary.replicaCount }} revisionHistoryLimit: {{ .Values.secondary.revisionHistoryLimit }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: secondary - serviceName: {{ include "mariadb.secondary.fullname" . }} + serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} podManagementPolicy: {{ .Values.secondary.podManagementPolicy }} {{- if .Values.secondary.updateStrategy }} updateStrategy: {{- toYaml .Values.secondary.updateStrategy | nindent 4 }} @@ -29,23 +34,22 @@ spec: {{- if (include "mariadb.secondary.createConfigmap" .) }} checksum/configuration: {{ include (print $.Template.BasePath "/secondary/configmap.yaml") . | sha256sum }} {{- end }} + {{- if .Values.passwordUpdateJob.enabled }} + charts.bitnami.com/password-last-update: {{ now | date "20060102150405" | quote }} + {{- end }} {{- if .Values.secondary.podAnnotations }} {{- include "common.tplvalues.render" (dict "value" .Values.secondary.podAnnotations "context" $) | nindent 8 }} {{- end }} - labels: {{- include "common.labels.standard" . | nindent 8 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: secondary - {{- if .Values.secondary.podLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.secondary.podLabels "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} - {{- end }} spec: {{- include "mariadb.imagePullSecrets" . | nindent 6 }} {{- if or .Values.secondary.schedulerName .Values.schedulerName }} schedulerName: {{ (coalesce .Values.secondary.schedulerName .Values.schedulerName) | quote }} {{- end }} serviceAccountName: {{ template "mariadb.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.secondary.automountServiceAccountToken }} {{- if .Values.secondary.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.hostAliases "context" $) | nindent 8 }} {{- end }} @@ -53,8 +57,8 @@ spec: affinity: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.affinity "context" $) | nindent 8 }} {{- else }} affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.secondary.podAffinityPreset "component" "secondary" "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.secondary.podAntiAffinityPreset "component" "secondary" "context" $) | nindent 10 }} + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.secondary.podAffinityPreset "component" "secondary" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.secondary.podAntiAffinityPreset "component" "secondary" "customLabels" $podLabels "context" $) | nindent 10 }} nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.secondary.nodeAffinityPreset.type "key" .Values.secondary.nodeAffinityPreset.key "values" .Values.secondary.nodeAffinityPreset.values) | nindent 10 }} {{- end }} {{- if .Values.secondary.nodeSelector }} @@ -77,13 +81,35 @@ spec: runtimeClassName: {{ .Values.runtimeClassName | quote }} {{- end }} {{- if .Values.secondary.podSecurityContext.enabled }} - securityContext: {{- omit .Values.secondary.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.secondary.podSecurityContext "context" $) | nindent 8 }} {{- end }} - {{- if or .Values.secondary.initContainers (and .Values.secondary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.secondary.persistence.enabled) }} initContainers: - {{- if .Values.secondary.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.secondary.initContainers "context" $) | nindent 8 }} - {{- end }} + - name: preserve-logs-symlinks + image: {{ include "mariadb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.secondary.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.secondary.resources }} + resources: {{ toYaml .Values.secondary.resources | nindent 12 }} + {{- else if ne .Values.secondary.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.secondary.resourcesPreset) | nindent 12 }} + {{- end }} + command: + - /bin/bash + args: + - -ec + - | + #!/bin/bash + + . /opt/bitnami/scripts/libfs.sh + # We copy the logs folder because it has symlinks to stdout and stderr + if ! is_dir_empty /opt/bitnami/mariadb/logs; then + cp -r /opt/bitnami/mariadb/logs /emptydir/app-logs-dir + fi + volumeMounts: + - name: empty-dir + mountPath: /emptydir {{- if and .Values.secondary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.secondary.persistence.enabled }} - name: volume-permissions image: {{ include "mariadb.volumePermissions.image" . }} @@ -97,6 +123,8 @@ spec: runAsUser: 0 {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data @@ -104,14 +132,19 @@ spec: {{- if .Values.secondary.persistence.subPath }} subPath: {{ .Values.secondary.persistence.subPath }} {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- end }} + {{- if .Values.secondary.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.secondary.initContainers "context" $) | nindent 8 }} {{- end }} - {{- end }} containers: - name: mariadb image: {{ include "mariadb.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.secondary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.secondary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.secondary.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -169,6 +202,12 @@ spec: - name: MARIADB_STARTUP_WAIT_SLEEP_TIME value: "{{ .Values.secondary.startupWaitOptions.sleepTime | default 2 }}" {{- end }} + - name: MARIADB_ENABLE_SSL + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if and .Values.tls.enabled (include "mariadb.tlsCACert" .) }} + - name: MYSQL_CLIENT_CA_FILE + value: {{ include "mariadb.tlsCACert" . | quote }} + {{- end }} {{- if .Values.secondary.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraEnvVars "context" $) | nindent 12 }} {{- end }} @@ -185,7 +224,7 @@ spec: {{- end }} ports: - name: mysql - containerPort: 3306 + containerPort: {{ .Values.secondary.containerPorts.mysql }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.secondary.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.customStartupProbe "context" $) | nindent 12 }} @@ -200,7 +239,7 @@ spec: if [[ -f "${MARIADB_MASTER_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_MASTER_ROOT_PASSWORD_FILE") fi - mysqladmin status -uroot -p"${password_aux}" + mariadb-admin ping -uroot -p"${password_aux}" {{- end }} {{- if .Values.secondary.customLivenessProbe }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.customLivenessProbe "context" $) | nindent 12 }} @@ -215,7 +254,7 @@ spec: if [[ -f "${MARIADB_MASTER_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_MASTER_ROOT_PASSWORD_FILE") fi - mysqladmin status -uroot -p"${password_aux}" + mariadb-admin status -uroot -p"${password_aux}" {{- end }} {{- if .Values.secondary.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.customReadinessProbe "context" $) | nindent 12 }} @@ -230,11 +269,13 @@ spec: if [[ -f "${MARIADB_MASTER_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_MASTER_ROOT_PASSWORD_FILE") fi - mysqladmin status -uroot -p"${password_aux}" + mariadb-admin ping -uroot -p"${password_aux}" {{- end }} {{- end }} {{- if .Values.secondary.resources }} resources: {{ toYaml .Values.secondary.resources | nindent 12 }} + {{- else if ne .Values.secondary.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.secondary.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data @@ -254,12 +295,28 @@ spec: {{- if .Values.secondary.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mariadb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mariadb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mariadb/logs + subPath: app-logs-dir + {{- if .Values.tls.enabled }} + - name: cert + mountPath: /opt/bitnami/mariadb/certs + {{- end }} {{- if .Values.metrics.enabled }} - name: metrics image: {{ include "mariadb.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: {{- if .Values.auth.usePasswordFiles }} @@ -284,11 +341,11 @@ spec: if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") fi - DATA_SOURCE_NAME="root:${password_aux}@(localhost:3306)/" /bin/mysqld_exporter {{- range .Values.metrics.extraArgs.secondary }} {{ . }} {{- end }} + MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:{{ .Values.secondary.containerPorts.mysql }} --mysqld.username=root --web.listen-address=:{{ .Values.metrics.containerPorts.http }} {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} {{- end }} ports: - name: metrics - containerPort: 9104 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.livenessProbe.enabled }} livenessProbe: {{- omit .Values.metrics.livenessProbe "enabled" | toYaml | nindent 12 }} @@ -305,12 +362,17 @@ spec: {{- end }} {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: {{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }} - name: mariadb-credentials mountPath: /opt/bitnami/mysqld-exporter/secrets/ {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: app-tmp-dir {{- if .Values.metrics.extraVolumeMounts.secondary }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts.secondary "context" $) | nindent 12 }} {{- end }} @@ -334,6 +396,14 @@ spec: - key: mariadb-replication-password path: mariadb-replication-password {{- end }} + {{- if .Values.tls.enabled }} + - name: cert + secret: + secretName: {{ include "mariadb.tlsSecretName" . }} + defaultMode: 256 + {{- end }} + - name: empty-dir + emptyDir: {} {{- if .Values.secondary.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraVolumes "context" $) | nindent 8 }} {{- end }} @@ -344,7 +414,8 @@ spec: volumeClaimTemplates: - metadata: name: data - labels: {{ include "common.labels.matchLabels" . | nindent 10 }} + {{- $claimLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.persistence.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.matchLabels" ( dict "customLabels" $claimLabels "context" $ ) | nindent 10 }} app.kubernetes.io/component: secondary {{- if .Values.secondary.persistence.annotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.secondary.persistence.annotations "context" $ ) | nindent 10 }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/svc.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/svc.yaml index 3d72171b3..1c73dd04f 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/svc.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secondary/svc.yaml @@ -1,20 +1,21 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if eq .Values.architecture "replication" }} apiVersion: v1 kind: Service metadata: name: {{ include "mariadb.secondary.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: secondary - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.secondary.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.secondary.service.annotations "context" $ ) | nindent 4 }} + {{- if or .Values.secondary.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.service.annotations .Values.commonAnnotations ) "context" . ) }} + {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} {{- end }} {{- if and .Values.metrics.enabled .Values.metrics.annotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.annotations "context" $ ) | nindent 4 }} @@ -28,7 +29,7 @@ spec: externalTrafficPolicy: {{ .Values.secondary.service.externalTrafficPolicy | quote }} {{- end }} {{- if and (eq .Values.secondary.service.type "LoadBalancer") .Values.secondary.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: {{ .Values.secondary.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.secondary.service.loadBalancerSourceRanges | nindent 4 }} {{ end }} {{- if and (eq .Values.secondary.service.type "LoadBalancer") (not (empty .Values.secondary.service.loadBalancerIP)) }} loadBalancerIP: {{ .Values.secondary.service.loadBalancerIP }} @@ -58,6 +59,8 @@ spec: {{- if .Values.secondary.service.extraPorts }} {{- include "common.tplvalues.render" (dict "value" .Values.secondary.service.extraPorts "context" $) | nindent 4 }} {{- end }} - selector: {{ include "common.labels.matchLabels" . | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb app.kubernetes.io/component: secondary {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secrets.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secrets.yaml index 2ff62edd2..bcf20dea4 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secrets.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/secrets.yaml @@ -1,35 +1,101 @@ -{{- if eq (include "mariadb.createSecret" .) "true" }} +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $host := include "mariadb.primary.fullname" . }} +{{- $port := print .Values.primary.service.ports.mysql }} +{{- $rootPassword := include "common.secrets.passwords.manage" ( dict "secret" ( include "mariadb.secretName" . ) "key" "mariadb-root-password" "providedValues" ( list "auth.rootPassword" ) "honorProvidedValues" true "context" $ ) | trimAll "\"" | b64dec }} +{{- $password := .Values.auth.password }} +{{- if and .Values.auth.username ( include "mariadb.secret.existPassword" . ) }} +{{- $password = include "common.secrets.passwords.manage" ( dict "secret" ( include "mariadb.secretName" . ) "key" "mariadb-password" "providedValues" ( list "auth.password" ) "honorProvidedValues" true "context" $ ) | trimAll "\"" | b64dec }} +{{- else if ( and .Values.auth.username ( not .Values.auth.forcePassword ) ( empty .Values.auth.password ) ) }} +{{- $password = randAlphaNum 10 }} +{{- end }} +{{- if (include "mariadb.createSecret" .) }} apiVersion: v1 kind: Secret metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} type: Opaque data: - {{- if (not .Values.auth.forcePassword) }} - mariadb-root-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "mariadb-root-password" "providedValues" (list "auth.rootPassword") "context" $) }} + {{- if ( not .Values.auth.forcePassword ) }} + mariadb-root-password: {{ print $rootPassword | b64enc | quote }} {{- else }} mariadb-root-password: {{ required "A MariaDB Root Password is required!" .Values.auth.rootPassword | b64enc | quote }} {{- end }} - {{- if (not (empty .Values.auth.username)) }} - {{- if (not .Values.auth.forcePassword) }} - mariadb-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "mariadb-password" "providedValues" (list "auth.password") "context" $) }} + {{- if .Values.auth.username }} + {{- if ( not .Values.auth.forcePassword ) }} + mariadb-password: {{ print $password | b64enc | quote }} {{- else }} - mariadb-password: {{ required "A MariaDB Database Password is required!" .Values.auth.password | b64enc | quote }} + mariadb-password: {{ required "A MariaDB Database Password is required!" $password | b64enc | quote }} {{- end }} {{- end }} {{- if eq .Values.architecture "replication" }} - {{- if (not .Values.auth.forcePassword) }} - mariadb-replication-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "mariadb-replication-password" "providedValues" (list "auth.replicationPassword") "context" $) }} + {{- if ( not .Values.auth.forcePassword ) }} + mariadb-replication-password: {{ include "common.secrets.passwords.manage" ( dict "secret" ( include "common.names.fullname" . ) "key" "mariadb-replication-password" "providedValues" ( list "auth.replicationPassword" ) "honorProvidedValues" true "context" $ ) }} {{- else }} mariadb-replication-password: {{ required "A MariaDB Replication Password is required!" .Values.auth.replicationPassword | b64enc | quote }} {{- end }} {{- end }} {{- end }} + +{{- if .Values.serviceBindings.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-svcbind-root + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: servicebinding.io/mysql +data: + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "mysql" | b64enc | quote }} + host: {{ print $host | b64enc | quote }} + port: {{ print $port | b64enc | quote }} + username: {{ print "root" | b64enc | quote }} + password: {{ print $rootPassword | b64enc | quote }} + uri: {{ printf "mysql://root:%s@%s:%s" $rootPassword $host $port | b64enc | quote }} + +{{- if .Values.auth.username }} +{{- $database := .Values.auth.database }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-svcbind-custom-user + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: servicebinding.io/mysql +data: + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "mysql" | b64enc | quote }} + host: {{ print $host | b64enc | quote }} + port: {{ print $port | b64enc | quote }} + username: {{ print .Values.auth.username | b64enc | quote }} + {{- if $database }} + database: {{ print $database | b64enc | quote }} + {{- end }} + {{- if and .Values.auth.forcePassword ( empty $password ) }} + password: {{ required "A MariaDB Database Password is required!" $password | b64enc | quote }} + {{- else }} + password: {{ print $password | b64enc | quote }} + {{- end }} + uri: {{ printf "mysql://%s:%s@%s:%s/%s" .Values.auth.username $password $host $port $database | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/serviceaccount.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/serviceaccount.yaml index 03a6b4e99..c16772747 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/serviceaccount.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/serviceaccount.yaml @@ -1,19 +1,19 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if .Values.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "mariadb.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - annotations: - {{- if .Values.serviceAccount.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb + {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/servicemonitor.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/servicemonitor.yaml index ca5bf7caa..58e2fed64 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/servicemonitor.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/servicemonitor.yaml @@ -1,20 +1,17 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ include "common.names.fullname" . }} - {{- if .Values.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.metrics.serviceMonitor.namespace }} - {{- else }} - namespace: {{ .Release.Namespace | quote }} - {{- end }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.labels }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.labels "context" $) | nindent 4 }} - {{- end }} + namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} @@ -39,9 +36,9 @@ spec: {{- end }} namespaceSelector: matchNames: - - {{ .Release.Namespace | quote }} + - {{ include "common.names.namespace" . | quote }} selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} {{- if .Values.metrics.serviceMonitor.selector }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/tls-secret.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/tls-secret.yaml new file mode 100644 index 000000000..813303c10 --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/tls-secret.yaml @@ -0,0 +1,51 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- if and .Values.tls.enabled (eq .Values.tls.autoGenerated.engine "helm") }} +{{- $ca := genCA "mariadb-ca" 365 }} +{{- $releaseNamespace := include "common.names.namespace" . }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $primaryServiceName := include "mariadb.primary.fullname" . }} +{{- $secondaryServiceName := include "mariadb.secondary.fullname" . }} +{{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- $altNames := list (printf "*.%s.%s.svc.%s" $primaryServiceName $secondaryServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $secondaryServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (include "common.names.fullname" .) "localhost" "127.0.0.1" }} +{{- $cert := genSignedCert $primaryServiceName nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb + app.kubernetes.io/component: mariadb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} + tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} + tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} +{{- else if and .Values.tls.enabled (not .Values.tls.autoGenerated.enabled) (empty .Values.tls.existingSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb + app.kubernetes.io/component: mariadb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + {{- if .Values.tls.ca }} + ca.crt: {{ .Values.tls.ca | b64enc | quote }} + {{- end -}} + tls.crt: {{ required "A valid .Values.tls.cert entry required!" .Values.tls.cert | b64enc | quote }} + tls.key: {{ required "A valid .Values.tls.key entry required!" .Values.tls.key | b64enc | quote }} +{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/update-password/job.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/update-password/job.yaml new file mode 100644 index 000000000..f5f104c00 --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/update-password/job.yaml @@ -0,0 +1,243 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.passwordUpdateJob.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-password-update" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mariadb + app.kubernetes.io/component: update-job + {{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonAnnotations $defaultAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} +spec: + backoffLimit: {{ .Values.passwordUpdateJob.backoffLimit }} + template: + metadata: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.passwordUpdateJob.podLabels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/part-of: mariadb + app.kubernetes.io/component: update-job + {{- if .Values.passwordUpdateJob.podAnnotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.podAnnotations "context" $) | nindent 8 }} + {{- end }} + spec: + {{- include "mariadb.imagePullSecrets" . | nindent 6 }} + restartPolicy: OnFailure + {{- if .Values.passwordUpdateJob.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.passwordUpdateJob.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.passwordUpdateJob.automountServiceAccountToken }} + {{- if .Values.passwordUpdateJob.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.hostAliases "context" $) | nindent 8 }} + {{- end }} + initContainers: + {{- if .Values.passwordUpdateJob.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: update-credentials + image: {{ template "mariadb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.passwordUpdateJob.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.passwordUpdateJob.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + {{- if .Values.usePasswordFiles }} + # We need to load all the secret env vars to the system + for file in $(find /bitnami/mariadb/secrets -type f); do + env_var_name="$(basename $file)" + echo "Exporting $env_var_name" + export $env_var_name="$(< $file)" + done + {{- end }} + + . /opt/bitnami/scripts/mariadb-env.sh + . /opt/bitnami/scripts/libmariadb.sh + . /opt/bitnami/scripts/liblog.sh + + primary_host={{ include "mariadb.primary.fullname" . }}-0.{{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + info "Starting password update job" + if [[ -f /job-status/root-password-changed ]]; then + info "Root password already updated. Skipping" + else + info "Updating root password" + echo "SET PASSWORD for 'root'@'%' = PASSWORD('$MARIADB_NEW_ROOT_PASSWORD');" | mysql_remote_execute $primary_host {{ .Values.primary.containerPorts.mysql }} "" root $MARIADB_PREVIOUS_ROOT_PASSWORD + touch /job-status/root-password-changed + info "Root password successfully updated" + fi + {{- if not (empty .Values.auth.username) }} + if [[ -f /job-status/password-changed ]]; then + info "User password already updated. Skipping" + else + info "Updating user password" + echo "SET PASSWORD for '$MARIADB_USER'@'%' = PASSWORD('$MARIADB_NEW_PASSWORD');" | mysql_remote_execute $primary_host {{ .Values.primary.containerPorts.mysql }} "" $MARIADB_USER $MARIADB_PREVIOUS_PASSWORD + touch /job-status/password-changed + info "User password successfully updated" + fi + {{- end }} + {{- if eq .Values.architecture "replication" }} + if [[ -f /job-status/replication-password-changed ]]; then + info "Replication password already updated. Skipping" + else + info "Updating replication password" + echo "SET PASSWORD for '$MARIADB_REPLICATION_USER'@'%' = PASSWORD('$MARIADB_NEW_REPLICATION_PASSWORD');" | mysql_remote_execute $primary_host {{ .Values.primary.containerPorts.mysql }} "" $MARIADB_REPLICATION_USER $MARIADB_PREVIOUS_REPLICATION_PASSWORD + touch /job-status/replication-password-changed + info "Replication password successfully updated" + fi + + for i in $(seq 0 {{ sub .Values.secondary.replicaCount 1 }}); do + if [[ -f /job-status/replica-$i-changed ]]; then + info "Replica $i already updated. Skipping" + else + replica_host={{ include "mariadb.secondary.fullname" . }}-$i.{{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + info "Updating primary password in replica $i" + echo "STOP SLAVE; CHANGE MASTER TO MASTER_PASSWORD='$MARIADB_NEW_REPLICATION_PASSWORD'; START SLAVE;" | mysql_remote_execute $replica_host {{ .Values.secondary.containerPorts.mysql }} "" root $MARIADB_NEW_ROOT_PASSWORD + touch /job-status/replica-$i-changed + info "Replica $i updated" + fi + done + {{- end }} + {{- if .Values.passwordUpdateJob.extraCommands }} + info "Running extra commmands" + {{- include "common.tplValues.render" (dict "value" .Values.passwordUpdateJob.extraCommands "context" $) | nindent 14 }} + {{- end }} + info "Password update job finished successfully" + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + {{- if not .Values.auth.usePasswordFiles }} + - name: MARIADB_PREVIOUS_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mariadb.update-job.previousSecretName" . }} + key: mariadb-root-password + - name: MARIADB_NEW_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mariadb.update-job.newSecretName" . }} + key: mariadb-root-password + {{- end }} + {{- if not (empty .Values.auth.username) }} + - name: MARIADB_USER + value: {{ .Values.auth.username | quote }} + {{- if not .Values.auth.usePasswordFiles }} + - name: MARIADB_PREVIOUS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mariadb.update-job.previousSecretName" . }} + key: mariadb-password + - name: MARIADB_NEW_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mariadb.update-job.newSecretName" . }} + key: mariadb-password + {{- end }} + {{- end }} + {{- if eq .Values.architecture "replication" }} + - name: MARIADB_REPLICATION_USER + value: {{ .Values.auth.replicationUser | quote }} + {{- if not .Values.auth.usePasswordFiles }} + - name: MARIADB_PREVIOUS_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mariadb.update-job.previousSecretName" . }} + key: mariadb-replication-password + - name: MARIADB_NEW_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mariadb.update-job.newSecretName" . }} + key: mariadb-replication-password + {{- end }} + {{- end }} + {{- if .Values.passwordUpdateJob.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.passwordUpdateJob.extraEnvVarsCM .Values.passwordUpdateJob.extraEnvVarsSecret }} + envFrom: + {{- if .Values.passwordUpdateJob.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.passwordUpdateJob.extraEnvVarsCM }} + {{- end }} + {{- if .Values.passwordUpdateJob.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.passwordUpdateJob.extraEnvVarsSecret }} + {{- end }} + {{- end }} + {{- if .Values.passwordUpdateJob.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.passwordUpdateJob.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.passwordUpdateJob.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.passwordUpdateJob.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.passwordUpdateJob.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /job-status + subPath: job-dir + {{- if .Values.usePasswordFiles }} + - name: mariadb-previous-credentials + mountPath: /bitnami/mariadb/secrets/previous + - name: mariadb-new-credentials + mountPath: /bitnami/mariadb/secrets/new + {{- end }} + {{- if .Values.passwordUpdateJob.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.passwordUpdateJob.resources }} + resources: {{- toYaml .Values.passwordUpdateJob.resources | nindent 12 }} + {{- else if ne .Values.passwordUpdateJob.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.passwordUpdateJob.resourcesPreset) | nindent 12 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + {{- if and .Values.auth.usePasswordFiles }} + - name: mariadb-previous-credentials + secret: + secretName: {{ template "mariadb.update-job.previousSecretName" . }} + items: + - key: mariadb-root-password + path: MARIADB_PREVIOUS_ROOT_PASSWORD + - key: mariadb-password + path: MARIADB_PREVIOUS_PASSWORD + {{- if eq .Values.architecture "replication" }} + - key: mariadb-replication-password + path: MARIADB_PREVIOUS_REPLICATION_PASSWORD + {{- end }} + - name: mariadb-new-credentials + secret: + secretName: {{ template "mariadb.update-job.newSecretName" . }} + items: + - key: mariadb-root-password + path: MARIADB_NEW_ROOT_PASSWORD + - key: mariadb-password + path: MARIADB_NEW_PASSWORD + {{- if eq .Values.architecture "replication" }} + - key: mariadb-replication-password + path: MARIADB_NEW_REPLICATION_PASSWORD + {{- end }} + {{- end }} + {{- if .Values.passwordUpdateJob.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraVolumes "context" $) | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/update-password/new-secret.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/update-password/new-secret.yaml new file mode 100644 index 000000000..01626b562 --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/update-password/new-secret.yaml @@ -0,0 +1,28 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.passwordUpdateJob.enabled (include "mariadb.createSecret" .) (not ( include "mariadb.createPreviousSecret" . )) (not .Values.passwordUpdateJob.previousPasswords.existingSecret) }} +{{- $rootPassword := .Values.auth.rootPassword }} +{{- $password := .Values.auth.password }} +{{- $replicationPassword := .Values.auth.replicationPassword }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-new-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonAnnotations $defaultAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} +type: Opaque +data: + mariadb-root-password: {{ required "The new root password is required!" $rootPassword | b64enc | quote }} + {{- if .Values.auth.username }} + mariadb-password: {{ required "The new user password is required!" $password | b64enc | quote }} + {{- end }} + {{- if eq .Values.architecture "replication" }} + mariadb-replication-password: {{ required "The new replication password is required!" $replicationPassword | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/update-password/previous-secret.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/update-password/previous-secret.yaml new file mode 100644 index 000000000..58feb7ccd --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/templates/update-password/previous-secret.yaml @@ -0,0 +1,28 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.passwordUpdateJob.enabled (eq ( include "mariadb.createPreviousSecret" . ) "true") }} +{{- $rootPassword := .Values.passwordUpdateJob.previousPasswords.rootPassword }} +{{- $password := .Values.passwordUpdateJob.previousPasswords.password }} +{{- $replicationPassword := .Values.passwordUpdateJob.previousPasswords.replicationPassword }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-previous-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonAnnotations $defaultAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} +type: Opaque +data: + mariadb-root-password: {{ required "The previous root password is required!" $rootPassword | b64enc | quote }} + {{- if .Values.auth.username }} + mariadb-password: {{ required "The previous user password is required!" $password | b64enc | quote }} + {{- end }} + {{- if eq .Values.architecture "replication" }} + mariadb-replication-password: {{ required "The previous replication password is required!" $replicationPassword | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/values.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/values.yaml index f95a0b011..ea8ad55fe 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/values.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/mariadb/values.yaml @@ -1,3 +1,6 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + ## @section Global parameters ## Global Docker image parameters ## Please, note that this will override the image parameters, including dependencies, configured to use the global value @@ -6,7 +9,7 @@ ## @param global.imageRegistry Global Docker Image registry ## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.storageClass Global storage class for dynamic provisioning +## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) ## global: imageRegistry: "" @@ -15,8 +18,16 @@ global: ## - myRegistryKeySecretName ## imagePullSecrets: [] - storageClass: "" - + defaultStorageClass: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto ## @section Common parameters ## @@ -49,7 +60,6 @@ runtimeClassName: "" ## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) ## extraDeploy: [] - ## Enable diagnostic mode in the deployment ## diagnosticMode: @@ -64,15 +74,19 @@ diagnosticMode: ## args: - infinity - +## @param serviceBindings.enabled Create secret for service binding (Experimental) +## Ref: https://servicebinding.io/service-provider/ +## +serviceBindings: + enabled: false ## @section MariaDB common parameters ## ## Bitnami MariaDB image ## ref: https://hub.docker.com/r/bitnami/mariadb/tags/ -## @param image.registry MariaDB image registry -## @param image.repository MariaDB image repository -## @param image.tag MariaDB image tag (immutable tags are recommended) +## @param image.registry [default: REGISTRY_NAME] MariaDB image registry +## @param image.repository [default: REPOSITORY_NAME/mariadb] MariaDB image repository +## @skip image.tag MariaDB image tag (immutable tags are recommended) ## @param image.digest MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param image.pullPolicy MariaDB image pull policy ## @param image.pullSecrets Specify docker-registry secret names as an array @@ -81,11 +95,10 @@ diagnosticMode: image: registry: docker.m.daocloud.io repository: bitnami/mariadb - tag: 10.6.12-debian-11-r0 + tag: 11.4.4-debian-12-r0 digest: "" ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -158,6 +171,45 @@ initdbScripts: {} ## initdbScriptsConfigMap: "" +## @section TLS/SSL parameters +## +## @param tls.enabled Enable TLS in MariaDB +## @param tls.existingSecret Existing secret that contains TLS certificates +## @param tls.certFilename The secret key from the existingSecret if 'cert' key different from the default (tls.crt) +## @param tls.certKeyFilename The secret key from the existingSecret if 'key' key different from the default (tls.key) +## @param tls.certCAFilename The secret key from the existingSecret if 'ca' key different from the default (tls.crt) +## @param tls.ca CA certificate for TLS. Ignored if `tls.existingSecret` is set +## @param tls.cert TLS certificate for Airflow webserver. Ignored if `tls.master.existingSecret` is set +## @param tls.key TLS key for Airflow webserver. Ignored if `tls.master.existingSecret` is set +## +tls: + enabled: false + existingSecret: "" + certFilename: tls.crt + certKeyFilename: tls.key + certCAFilename: "" + ca: "" + cert: "" + key: "" + ## @param tls.autoGenerated.enabled Enable automatic generation of certificates for TLS + ## @param tls.autoGenerated.engine Mechanism to generate the certificates (allowed values: helm, cert-manager) + autoGenerated: + enabled: true + engine: helm + ## @param tls.autoGenerated.certManager.existingIssuer The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine) + ## @param tls.autoGenerated.certManager.existingIssuerKind Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine) + ## @param tls.autoGenerated.certManager.keyAlgorithm Key algorithm for the certificates (only for `cert-manager` engine) + ## @param tls.autoGenerated.certManager.keySize Key size for the certificates (only for `cert-manager` engine) + ## @param tls.autoGenerated.certManager.duration Duration for the certificates (only for `cert-manager` engine) + ## @param tls.autoGenerated.certManager.renewBefore Renewal period for the certificates (only for `cert-manager` engine) + certManager: + existingIssuer: "" + existingIssuerKind: "" + keySize: 2048 + keyAlgorithm: RSA + duration: 2160h + renewBefore: 360h + ## @section MariaDB Primary parameters ## @@ -176,10 +228,17 @@ primary: ## @param primary.lifecycleHooks for the MariaDB Primary container(s) to automate configuration before or after startup ## lifecycleHooks: {} + ## @param primary.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param primary.hostAliases Add deployment host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] + ## @param primary.containerPorts.mysql Container port for mysql + ## + containerPorts: + mysql: 3306 ## @param primary.configuration [string] MariaDB Primary configuration to be injected as ConfigMap ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file ## @@ -188,8 +247,9 @@ primary: skip-name-resolve explicit_defaults_for_timestamp basedir=/opt/bitnami/mariadb + datadir=/bitnami/mariadb/data plugin_dir=/opt/bitnami/mariadb/plugin - port=3306 + port={{ .Values.primary.containerPorts.mysql }} socket=/opt/bitnami/mariadb/tmp/mysql.sock tmpdir=/opt/bitnami/mariadb/tmp max_allowed_packet=16M @@ -199,9 +259,15 @@ primary: character-set-server=UTF8 collation-server=utf8_general_ci slow_query_log=0 - slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log long_query_time=10.0 - + binlog_expire_logs_seconds=2592000 + {{- if .Values.tls.enabled }} + ssl_cert=/opt/bitnami/mariadb/certs/{{ .Values.tls.certFilename }} + ssl_key=/opt/bitnami/mariadb/certs/{{ .Values.tls.certKeyFilename }} + {{- if (include "mariadb.tlsCACert" .) }} + ssl_ca={{ include "mariadb.tlsCACert" . }} + {{- end }} + {{- end }} [client] port=3306 socket=/opt/bitnami/mariadb/tmp/mysql.sock @@ -269,7 +335,7 @@ primary: ## affinity: {} ## @param primary.nodeSelector Node labels for MariaDB primary pods assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param primary.tolerations Tolerations for MariaDB primary pods assignment @@ -304,47 +370,64 @@ primary: ## MariaDB primary Pod security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param primary.podSecurityContext.enabled Enable security context for MariaDB primary pods + ## @param primary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param primary.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param primary.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param primary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## MariaDB primary container security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param primary.containerSecurityContext.enabled MariaDB primary container securityContext + ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param primary.containerSecurityContext.runAsUser User ID for the MariaDB primary container + ## @param primary.containerSecurityContext.runAsGroup Group ID for the MariaDB primary container ## @param primary.containerSecurityContext.runAsNonRoot Set primary container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.privileged Set primary container's Security Context privileged ## @param primary.containerSecurityContext.allowPrivilegeEscalation Set primary container's Security Context allowPrivilegeEscalation + ## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param primary.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param primary.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## MariaDB primary container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param primary.resources.limits The resources limits for MariaDB primary containers - ## @param primary.resources.requests The requested resources for MariaDB primary containers + ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 256Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 256Mi - ## - requests: {} + resourcesPreset: "micro" + ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure extra options for MariaDB primary containers' liveness, readiness and startup probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) ## @param primary.startupProbe.enabled Enable startupProbe @@ -431,7 +514,7 @@ primary: ## extraEnvVarsSecret: "" ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param primary.persistence.enabled Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir @@ -452,6 +535,9 @@ primary: ## GKE, AWS & OpenStack) ## storageClass: "" + ## @param primary.persistence.labels Labels for the PVC + ## + labels: {} ## @param primary.persistence.annotations MariaDB primary persistent volume claim annotations ## annotations: {} @@ -533,23 +619,26 @@ primary: ## timeoutSeconds: 300 ## sessionAffinityConfig: {} + ## @param primary.service.headless.annotations Annotations of the headless service + ## + headless: + annotations: {} ## MariaDB primary Pod Disruption Budget configuration ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ ## pdb: ## @param primary.pdb.create Enable/disable a Pod Disruption Budget creation for MariaDB primary pods ## - create: false + create: true ## @param primary.pdb.minAvailable Minimum number/percentage of MariaDB primary pods that must still be available after the eviction ## - minAvailable: 1 - ## @param primary.pdb.maxUnavailable Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction + minAvailable: "" + ## @param primary.pdb.maxUnavailable Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction. Defaults to `1` if both `primary.pdb.minAvailable` and `primary.pdb.maxUnavailable` are empty. ## maxUnavailable: "" ## @param primary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet ## revisionHistoryLimit: 10 - ## @section MariaDB Secondary parameters ## @@ -571,10 +660,17 @@ secondary: ## @param secondary.lifecycleHooks for the MariaDB Secondary container(s) to automate configuration before or after startup ## lifecycleHooks: {} + ## @param secondary.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param secondary.hostAliases Add deployment host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] + ## @param secondary.containerPorts.mysql Container port for mysql + ## + containerPorts: + mysql: 3306 ## @param secondary.configuration [string] MariaDB Secondary configuration to be injected as ConfigMap ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file ## @@ -583,7 +679,8 @@ secondary: skip-name-resolve explicit_defaults_for_timestamp basedir=/opt/bitnami/mariadb - port=3306 + datadir=/bitnami/mariadb/data + port={{ .Values.secondary.containerPorts.mysql }} socket=/opt/bitnami/mariadb/tmp/mysql.sock tmpdir=/opt/bitnami/mariadb/tmp max_allowed_packet=16M @@ -593,8 +690,15 @@ secondary: character-set-server=UTF8 collation-server=utf8_general_ci slow_query_log=0 - slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log long_query_time=10.0 + binlog_expire_logs_seconds=2592000 + {{- if .Values.tls.enabled }} + ssl_cert=/opt/bitnami/mariadb/certs/{{ .Values.tls.certFilename }} + ssl_key=/opt/bitnami/mariadb/certs/{{ .Values.tls.certKeyFilename }} + {{- if (include "mariadb.tlsCACert" .) }} + ssl_ca={{ include "mariadb.tlsCACert" . }} + {{- end }} + {{- end }} [client] port=3306 @@ -662,7 +766,7 @@ secondary: ## affinity: {} ## @param secondary.nodeSelector Node labels for MariaDB secondary pods assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param secondary.tolerations Tolerations for MariaDB secondary pods assignment @@ -697,47 +801,64 @@ secondary: ## MariaDB secondary Pod security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param secondary.podSecurityContext.enabled Enable security context for MariaDB secondary pods + ## @param secondary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param secondary.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param secondary.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param secondary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## MariaDB secondary container security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param secondary.containerSecurityContext.enabled MariaDB secondary container securityContext + ## @param secondary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param secondary.containerSecurityContext.runAsUser User ID for the MariaDB secondary container + ## @param secondary.containerSecurityContext.runAsGroup Group ID for the MariaDB secondary container ## @param secondary.containerSecurityContext.runAsNonRoot Set secondary container's Security Context runAsNonRoot ## @param secondary.containerSecurityContext.privileged Set secondary container's Security Context privileged ## @param secondary.containerSecurityContext.allowPrivilegeEscalation Set secondary container's Security Context allowPrivilegeEscalation + ## @param secondary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param secondary.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param secondary.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## MariaDB secondary container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param secondary.resources.limits The resources limits for MariaDB secondary containers - ## @param secondary.resources.requests The requested resources for MariaDB secondary containers + ## @param secondary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 256Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 256Mi - ## - requests: {} + resourcesPreset: "micro" + ## @param secondary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure extra options for MariaDB Secondary containers' liveness, readiness and startup probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) ## @param secondary.startupProbe.enabled Enable startupProbe @@ -824,7 +945,7 @@ secondary: ## extraEnvVarsSecret: "" ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param secondary.persistence.enabled Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` @@ -841,6 +962,9 @@ secondary: ## GKE, AWS & OpenStack) ## storageClass: "" + ## @param secondary.persistence.labels Labels for the PVC + ## + labels: {} ## @param secondary.persistence.annotations MariaDB secondary persistent volume claim annotations ## annotations: {} @@ -930,11 +1054,11 @@ secondary: pdb: ## @param secondary.pdb.create Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods ## - create: false + create: true ## @param secondary.pdb.minAvailable Minimum number/percentage of MariaDB secondary pods that should remain scheduled ## - minAvailable: 1 - ## @param secondary.pdb.maxUnavailable Maximum number/percentage of MariaDB secondary pods that may be made unavailable + minAvailable: "" + ## @param secondary.pdb.maxUnavailable Maximum number/percentage of MariaDB secondary pods that may be made unavailable. Defaults to `1` if both `secondary.pdb.minAvailable` and `secondary.pdb.maxUnavailable` are empty. ## maxUnavailable: "" ## @param secondary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet @@ -969,6 +1093,140 @@ rbac: ## create: false +## @section Password update job +## +passwordUpdateJob: + ## @param passwordUpdateJob.enabled Enable password update job + ## + enabled: false + ## @param passwordUpdateJob.backoffLimit set backoff limit of the job + ## + backoffLimit: 10 + ## @param passwordUpdateJob.command Override default container command on MariaDB Primary container(s) (useful when using custom images) + ## + command: [] + ## @param passwordUpdateJob.args Override default container args on MariaDB Primary container(s) (useful when using custom images) + ## + args: [] + ## @param passwordUpdateJob.extraCommands Extra commands to pass to the generation job + ## + extraCommands: "" + ## @param passwordUpdateJob.previousPasswords.rootPassword Previous root password (set if the password secret was already changed) + ## @param passwordUpdateJob.previousPasswords.password Previous password (set if the password secret was already changed) + ## @param passwordUpdateJob.previousPasswords.replicationPassword Previous replication password (set if the password secret was already changed) + ## @param passwordUpdateJob.previousPasswords.existingSecret Name of a secret containing the previous passwords (set if the password secret was already changed) + previousPasswords: + rootPassword: "" + password: "" + replicationPassword: "" + existingSecret: "" + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param passwordUpdateJob.containerSecurityContext.enabled Enabled containers' Security Context + ## @param passwordUpdateJob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param passwordUpdateJob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param passwordUpdateJob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param passwordUpdateJob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param passwordUpdateJob.containerSecurityContext.privileged Set container's Security Context privileged + ## @param passwordUpdateJob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param passwordUpdateJob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param passwordUpdateJob.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param passwordUpdateJob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param passwordUpdateJob.podSecurityContext.enabled Enabled credential init job pods' Security Context + ## @param passwordUpdateJob.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param passwordUpdateJob.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param passwordUpdateJob.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param passwordUpdateJob.podSecurityContext.fsGroup Set credential init job pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## @param passwordUpdateJob.extraEnvVars Array containing extra env vars to configure the credential init job + ## For example: + ## extraEnvVars: + ## - name: GF_DEFAULT_INSTANCE_NAME + ## value: my-instance + ## + extraEnvVars: [] + ## @param passwordUpdateJob.extraEnvVarsCM ConfigMap containing extra env vars to configure the credential init job + ## + extraEnvVarsCM: "" + ## @param passwordUpdateJob.extraEnvVarsSecret Secret containing extra env vars to configure the credential init job (in case of sensitive data) + ## + extraEnvVarsSecret: "" + ## @param passwordUpdateJob.extraVolumes Optionally specify extra list of additional volumes for the credential init job + ## + extraVolumes: [] + ## @param passwordUpdateJob.extraVolumeMounts Array of extra volume mounts to be added to the jwt Container (evaluated as template). Normally used with `extraVolumes`. + ## + extraVolumeMounts: [] + ## @param passwordUpdateJob.initContainers Add additional init containers for the MariaDB Primary pod(s) + ## + initContainers: [] + ## Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param passwordUpdateJob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if passwordUpdateJob.resources is set (passwordUpdateJob.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "micro" + ## @param passwordUpdateJob.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param passwordUpdateJob.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param passwordUpdateJob.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param passwordUpdateJob.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param passwordUpdateJob.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## @param passwordUpdateJob.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param passwordUpdateJob.annotations [object] Add annotations to the job + ## + annotations: {} + ## @param passwordUpdateJob.podLabels Additional pod labels + ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param passwordUpdateJob.podAnnotations Additional pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @section Volume Permissions parameters ## @@ -979,17 +1237,17 @@ volumePermissions: ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` ## enabled: false - ## @param volumePermissions.image.registry Init container volume-permissions image registry - ## @param volumePermissions.image.repository Init container volume-permissions image repository - ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository + ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array ## image: registry: docker.m.daocloud.io - repository: bitnami/bitnami-shell - tag: 11-debian-11-r80 + repository: bitnami/os-shell + tag: 12-debian-12-r32 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -999,13 +1257,21 @@ volumePermissions: ## - myRegistryKeySecretName ## pullSecrets: [] - ## @param volumePermissions.resources.limits Init container volume-permissions resource limits - ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - limits: {} - requests: {} - + resourcesPreset: "nano" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## @section Metrics parameters ## @@ -1015,9 +1281,9 @@ metrics: ## @param metrics.enabled Start a side-car prometheus exporter ## enabled: false - ## @param metrics.image.registry Exporter image registry - ## @param metrics.image.repository Exporter image repository - ## @param metrics.image.tag Exporter image tag (immutable tags are recommended) + ## @param metrics.image.registry [default: REGISTRY_NAME] Exporter image registry + ## @param metrics.image.repository [default: REPOSITORY_NAME/mysqld-exporter] Exporter image repository + ## @skip metrics.image.tag Exporter image tag (immutable tags are recommended) ## @param metrics.image.digest Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param metrics.image.pullPolicy Exporter image pull policy ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array @@ -1025,7 +1291,7 @@ metrics: image: registry: docker.m.daocloud.io repository: bitnami/mysqld-exporter - tag: 0.14.0-debian-11-r86 + tag: 0.15.1-debian-12-r36 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -1086,11 +1352,22 @@ metrics: extraVolumeMounts: primary: [] secondary: [] + ## @param metrics.containerPorts.http Container port for http + ## + containerPorts: + http: 9104 ## MariaDB metrics container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param metrics.containerSecurityContext.runAsUser User ID for the MariaDB metrics container + ## @param metrics.containerSecurityContext.runAsGroup Group ID for the MariaDB metrics container + ## @param metrics.containerSecurityContext.runAsNonRoot Set metrics container's Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set metrics container's Security Context privileged ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set metrics container's Security Context allowPrivilegeEscalation + ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## Example: ## containerSecurityContext: ## enabled: true @@ -1101,29 +1378,37 @@ metrics: containerSecurityContext: enabled: false privileged: false + runAsNonRoot: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + readOnlyRootFilesystem: true allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## Mysqld Prometheus exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param metrics.resources.limits The resources limits for MariaDB prometheus exporter containers - ## @param metrics.resources.requests The requested resources for MariaDB prometheus exporter containers + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 256Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 256Mi - ## - requests: {} + resourcesPreset: "nano" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure extra options for liveness probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @param metrics.livenessProbe.enabled Enable livenessProbe @@ -1222,102 +1507,57 @@ metrics: ## summary: MariaDB instance is down ## rules: [] - ## @section NetworkPolicy parameters -## - -## Add networkpolicies +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## networkPolicy: - ## @param networkPolicy.enabled Enable network policies - ## - enabled: false - ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) - ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. - ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. - ## - metrics: - enabled: false - ## e.g: - ## podSelector: - ## label: monitoring - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: monitoring - ## - namespaceSelector: {} - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the primary node. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the primary node. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules [object] Custom network policy for the primary node. - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to acces the secondary nodes. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the secondary nodes. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules [object] Custom network policy for the secondary nodes. - ## - ingressRules: - ## Allow access to the primary node only from the indicated: - ## - primaryAccessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## customRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: {} - - ## Allow access to the secondary node only from the indicated: - ## - secondaryAccessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## CustomRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: {} - - ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). - ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule - ## - egressRules: - # Deny connections to external. This is not compatible with an external database. - denyConnectionsToExternal: false - ## Additional custom egress rules - ## e.g: - ## customRules: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: {} + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources + ## + enabled: true + ## @param networkPolicy.allowExternal The Policy model to apply + ## When set to false, only pods with the correct client label will have network access to the ports MariaDB is + ## listening on. When true, MariaDB will accept connections from any source (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/.helmignore b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/.helmignore index f0c131944..207983f36 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/.helmignore +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/.helmignore @@ -19,3 +19,7 @@ .project .idea/ *.tmproj +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/Chart.lock b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/Chart.lock index 7f62809a8..942e004c3 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/Chart.lock +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common - repository: https://charts.bitnami.com/bitnami - version: 2.2.2 -digest: sha256:49ca75cf23ba5eb7df4becef52580f98c8bd8194eb80368b9d7b875f6eefa8e5 -generated: "2023-01-09T00:44:00.187048639Z" + repository: oci://registry-1.docker.io/bitnamicharts + version: 2.27.2 +digest: sha256:6fd86cc5a4b5094abca1f23c8ec064e75e51eceaded94a5e20977274b2abb576 +generated: "2024-11-30T00:27:50.830798368Z" diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/Chart.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/Chart.yaml index 50a5786aa..84f4f789f 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/Chart.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/Chart.yaml @@ -1,26 +1,33 @@ annotations: category: Infrastructure + images: | + - name: memcached + image: docker.io/bitnami/memcached:1.6.32-debian-12-r2 + - name: memcached-exporter + image: docker.io/bitnami/memcached-exporter:0.15.0-debian-12-r2 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r33 + licenses: Apache-2.0 apiVersion: v2 -appVersion: 1.6.18 +appVersion: 1.6.32 dependencies: - name: common - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts tags: - bitnami-common version: 2.x.x description: Memcached is an high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. -home: https://github.com/bitnami/charts/tree/main/bitnami/memcached +home: https://bitnami.com icon: https://bitnami.com/assets/stacks/memcached/img/memcached-stack-220x234.png keywords: - memcached - cache maintainers: -- name: Bitnami +- name: Broadcom, Inc. All Rights Reserved. url: https://github.com/bitnami/charts name: memcached sources: -- https://github.com/bitnami/containers/tree/main/bitnami/memcached -- http://memcached.org/ -version: 6.3.5 +- https://github.com/bitnami/charts/tree/main/bitnami/memcached +version: 7.5.3 diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/README.md b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/README.md index 00bbfa271..8d631d3e7 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/README.md +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/README.md @@ -1,20 +1,21 @@ -# Memcached packaged by Bitnami +# Bitnami package for Memcached Memcached is an high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. [Overview of Memcached](http://memcached.org) Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. - + ## TL;DR ```console -$ helm repo add my-repo https://charts.bitnami.com/bitnami -$ helm install my-release my-repo/memcached +helm install my-release oci://registry-1.docker.io/bitnamicharts/memcached ``` +Looking to use Memcached in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + ## Introduction This chart bootstraps a [Memcached](https://github.com/bitnami/containers/tree/main/bitnami/memcached) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. @@ -23,42 +24,129 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment ## Prerequisites -- Kubernetes 1.19+ -- Helm 3.2.0+ +- Kubernetes 1.23+ +- Helm 3.8.0+ ## Installing the Chart To install the chart with the release name `my-release`: ```console -$ helm repo add my-repo https://charts.bitnami.com/bitnami -$ helm install my-release my-repo/memcached +helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/memcached ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + These commands deploy Memcached on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details -To uninstall/delete the `my-release` deployment: +### Resource requests and limits -```console -$ helm delete my-release +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### Prometheus metrics + +This chart can be integrated with Prometheus by setting `metrics.enabled` to `true`. This will deploy a sidecar container with [memcached_exporter](https://github.com/prometheus/memcached_exporter) in all pods and a `metrics` service, which can be configured under the `metrics.service` section. This `metrics` service will have the necessary annotations to be automatically scraped by Prometheus. + +#### Prometheus requirements + +It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the [Bitnami Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/prometheus) or the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) to easily have a working Prometheus in your cluster. + +#### Integration with Prometheus Operator + +The chart can deploy `ServiceMonitor` objects for integration with Prometheus Operator installations. To do so, set the value `metrics.serviceMonitor.enabled=true`. Ensure that the Prometheus Operator `CustomResourceDefinitions` are installed in the cluster or it will fail with the following error: + +```text +no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1" ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +Install the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) for having the necessary CRDs and the Prometheus Operator. + +### [Rolling vs Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Update credentials + +The Bitnami Memcached chart, when upgrading, reuses the secret previously rendered by the chart or the one specified in `auth.existingPasswordSecret`. To update credentials, use one of the following: + +- Run `helm upgrade` specifying a new password in `auth.password` +- Run `helm upgrade` specifying a new secret in `auth.existingPasswordSecret` + +### Use Sidecars and Init Containers + +If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. + +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). + +### Set Pod affinity + +This chart allows you to set your custom affinity using the `affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. + +## Persistence + +When using `architecture: "high-availability"` the [Bitnami Memcached](https://github.com/bitnami/containers/tree/main/bitnami/memcached) image stores the cache-state at the `/cache-state` path of the container if enabled. + +Persistent Volume Claims (PVCs) are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. + +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). ## Parameters ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | - +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters @@ -75,125 +163,140 @@ The command removes all the Kubernetes components associated with the chart and | `diagnosticMode.command` | Command to override all containers in the deployment/statefulset | `["sleep"]` | | `diagnosticMode.args` | Args to override all containers in the deployment/statefulset | `["infinity"]` | - ### Memcached parameters -| Name | Description | Value | -| ----------------------------- | --------------------------------------------------------------------------------------------------------- | --------------------- | -| `image.registry` | Memcached image registry | `docker.io` | -| `image.repository` | Memcached image repository | `bitnami/memcached` | -| `image.tag` | Memcached image tag (immutable tags are recommended) | `1.6.18-debian-11-r0` | -| `image.digest` | Memcached image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | Memcached image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `image.debug` | Specify if debug values should be set | `false` | -| `architecture` | Memcached architecture. Allowed values: standalone or high-availability | `standalone` | -| `auth.enabled` | Enable Memcached authentication | `false` | -| `auth.username` | Memcached admin user | `""` | -| `auth.password` | Memcached admin password | `""` | -| `auth.existingPasswordSecret` | Existing secret with Memcached credentials (must contain a value for `memcached-password` key) | `""` | -| `command` | Override default container command (useful when using custom images) | `[]` | -| `args` | Override default container args (useful when using custom images) | `[]` | -| `extraEnvVars` | Array with extra environment variables to add to Memcached nodes | `[]` | -| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Memcached nodes | `""` | -| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Memcached nodes | `""` | - +| Name | Description | Value | +| ----------------------------- | --------------------------------------------------------------------------------------------------------- | --------------------------- | +| `image.registry` | Memcached image registry | `REGISTRY_NAME` | +| `image.repository` | Memcached image repository | `REPOSITORY_NAME/memcached` | +| `image.digest` | Memcached image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | Memcached image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Specify if debug values should be set | `false` | +| `architecture` | Memcached architecture. Allowed values: standalone or high-availability | `standalone` | +| `auth.enabled` | Enable Memcached authentication | `false` | +| `auth.username` | Memcached admin user | `""` | +| `auth.password` | Memcached admin password | `""` | +| `auth.existingPasswordSecret` | Existing secret with Memcached credentials (must contain a value for `memcached-password` key) | `""` | +| `command` | Override default container command (useful when using custom images) | `[]` | +| `args` | Override default container args (useful when using custom images) | `[]` | +| `extraEnvVars` | Array with extra environment variables to add to Memcached nodes | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Memcached nodes | `""` | +| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Memcached nodes | `""` | ### Deployment/Statefulset parameters -| Name | Description | Value | -| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- | -| `replicaCount` | Number of Memcached nodes | `1` | -| `containerPorts.memcached` | Memcached container port | `11211` | -| `livenessProbe.enabled` | Enable livenessProbe on Memcached containers | `true` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `readinessProbe.enabled` | Enable readinessProbe on Memcached containers | `true` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | -| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `startupProbe.enabled` | Enable startupProbe on Memcached containers | `false` | -| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | -| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `lifecycleHooks` | for the Memcached container(s) to automate configuration before or after startup | `{}` | -| `resources.limits` | The resources limits for the Memcached containers | `{}` | -| `resources.requests.memory` | The requested memory for the Memcached containers | `256Mi` | -| `resources.requests.cpu` | The requested cpu for the Memcached containers | `250m` | -| `podSecurityContext.enabled` | Enabled Memcached pods' Security Context | `true` | -| `podSecurityContext.fsGroup` | Set Memcached pod's Security Context fsGroup | `1001` | -| `containerSecurityContext.enabled` | Enabled Memcached containers' Security Context | `true` | -| `containerSecurityContext.runAsUser` | Set Memcached containers' Security Context runAsUser | `1001` | -| `containerSecurityContext.runAsNonRoot` | Set Memcached containers' Security Context runAsNonRoot | `true` | -| `hostAliases` | Add deployment host aliases | `[]` | -| `podLabels` | Extra labels for Memcached pods | `{}` | -| `podAnnotations` | Annotations for Memcached pods | `{}` | -| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | -| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | -| `affinity` | Affinity for pod assignment | `{}` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | -| `podManagementPolicy` | StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: `OrderedReady` and `Parallel` | `Parallel` | -| `priorityClassName` | Name of the existing priority class to be used by Memcached pods, priority class needs to be created beforehand | `""` | -| `schedulerName` | Kubernetes pod scheduler registry | `""` | -| `terminationGracePeriodSeconds` | In seconds, time the given to the memcached pod needs to terminate gracefully | `""` | -| `updateStrategy.type` | Memcached statefulset strategy type | `RollingUpdate` | -| `updateStrategy.rollingUpdate` | Memcached statefulset rolling update configuration parameters | `{}` | -| `extraVolumes` | Optionally specify extra list of additional volumes for the Memcached pod(s) | `[]` | -| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Memcached container(s) | `[]` | -| `sidecars` | Add additional sidecar containers to the Memcached pod(s) | `[]` | -| `initContainers` | Add additional init containers to the Memcached pod(s) | `[]` | -| `autoscaling.enabled` | Enable memcached statefulset autoscaling (requires architecture: "high-availability") | `false` | -| `autoscaling.minReplicas` | memcached statefulset autoscaling minimum number of replicas | `3` | -| `autoscaling.maxReplicas` | memcached statefulset autoscaling maximum number of replicas | `6` | -| `autoscaling.targetCPU` | memcached statefulset autoscaling target CPU percentage | `50` | -| `autoscaling.targetMemory` | memcached statefulset autoscaling target CPU memory | `50` | -| `pdb.create` | Deploy a pdb object for the Memcached pod | `false` | -| `pdb.minAvailable` | Minimum available Memcached replicas | `""` | -| `pdb.maxUnavailable` | Maximum unavailable Memcached replicas | `1` | - +| Name | Description | Value | +| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `replicaCount` | Number of Memcached nodes | `1` | +| `containerPorts.memcached` | Memcached container port | `11211` | +| `livenessProbe.enabled` | Enable livenessProbe on Memcached containers | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe on Memcached containers | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `startupProbe.enabled` | Enable startupProbe on Memcached containers | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `lifecycleHooks` | for the Memcached container(s) to automate configuration before or after startup | `{}` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` | +| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `podSecurityContext.enabled` | Enabled Memcached pods' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `podSecurityContext.fsGroup` | Set Memcached pod's Security Context fsGroup | `1001` | +| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hostAliases` | Add deployment host aliases | `[]` | +| `podLabels` | Extra labels for Memcached pods | `{}` | +| `podAnnotations` | Annotations for Memcached pods | `{}` | +| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `podManagementPolicy` | StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: `OrderedReady` and `Parallel` | `Parallel` | +| `priorityClassName` | Name of the existing priority class to be used by Memcached pods, priority class needs to be created beforehand | `""` | +| `schedulerName` | Kubernetes pod scheduler registry | `""` | +| `terminationGracePeriodSeconds` | In seconds, time the given to the memcached pod needs to terminate gracefully | `""` | +| `updateStrategy.type` | Memcached statefulset strategy type | `RollingUpdate` | +| `updateStrategy.rollingUpdate` | Memcached statefulset rolling update configuration parameters | `{}` | +| `emptyDir.medium` | Override emptyDir Volume type, defaults to emptyDir: {} | `""` | +| `extraVolumes` | Optionally specify extra list of additional volumes for the Memcached pod(s) | `[]` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Memcached container(s) | `[]` | +| `sidecars` | Add additional sidecar containers to the Memcached pod(s) | `[]` | +| `initContainers` | Add additional init containers to the Memcached pod(s) | `[]` | +| `enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `autoscaling.enabled` | Enable memcached statefulset autoscaling (requires architecture: "high-availability") | `false` | +| `autoscaling.minReplicas` | memcached statefulset autoscaling minimum number of replicas | `3` | +| `autoscaling.maxReplicas` | memcached statefulset autoscaling maximum number of replicas | `6` | +| `autoscaling.targetCPU` | memcached statefulset autoscaling target CPU percentage | `50` | +| `autoscaling.targetMemory` | memcached statefulset autoscaling target CPU memory | `50` | +| `pdb.create` | Deploy a pdb object for the Memcached pod | `true` | +| `pdb.minAvailable` | Minimum available Memcached replicas | `""` | +| `pdb.maxUnavailable` | Maximum unavailable Memcached replicas | `""` | ### Traffic Exposure parameters -| Name | Description | Value | -| ---------------------------------- | --------------------------------------------------------------------------------------- | ----------- | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.ports.memcached` | Memcached service port | `11211` | -| `service.nodePorts.memcached` | Node port for Memcached | `""` | -| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `service.clusterIP` | Memcached service Cluster IP | `""` | -| `service.loadBalancerIP` | Memcached service Load Balancer IP | `""` | -| `service.loadBalancerSourceRanges` | Memcached service Load Balancer sources | `[]` | -| `service.externalTrafficPolicy` | Memcached service external traffic policy | `Cluster` | -| `service.annotations` | Additional custom annotations for Memcached service | `{}` | -| `service.extraPorts` | Extra ports to expose in the Memcached service (normally used with the `sidecar` value) | `[]` | - +| Name | Description | Value | +| --------------------------------------- | ------------------------------------------------------------------------------------------------------------- | ----------- | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.ports.memcached` | Memcached service port | `11211` | +| `service.nodePorts.memcached` | Node port for Memcached | `""` | +| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `""` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.clusterIP` | Memcached service Cluster IP | `""` | +| `service.loadBalancerIP` | Memcached service Load Balancer IP | `""` | +| `service.loadBalancerSourceRanges` | Memcached service Load Balancer sources | `[]` | +| `service.externalTrafficPolicy` | Memcached service external traffic policy | `Cluster` | +| `service.annotations` | Additional custom annotations for Memcached service | `{}` | +| `service.extraPorts` | Extra ports to expose in the Memcached service (normally used with the `sidecar` value) | `[]` | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` | +| `networkPolicy.allowExternal` | The Policy model to apply | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. | `{}` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` | ### Other Parameters | Name | Description | Value | | --------------------------------------------- | ---------------------------------------------------------------------- | ------- | -| `serviceAccount.create` | Enable creation of ServiceAccount for Memcached pod | `false` | +| `serviceAccount.create` | Enable creation of ServiceAccount for Memcached pod | `true` | | `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | | `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | - ### Persistence parameters | Name | Description | Value | @@ -203,82 +306,89 @@ The command removes all the Kubernetes components associated with the chart and | `persistence.accessModes` | PVC Access modes | `["ReadWriteOnce"]` | | `persistence.size` | PVC Storage Request for Memcached data volume | `8Gi` | | `persistence.annotations` | Annotations for the PVC | `{}` | +| `persistence.labels` | Labels for the PVC | `{}` | | `persistence.selector` | Selector to match an existing Persistent Volume for Memcached's data PVC | `{}` | - ### Volume Permissions parameters -| Name | Description | Value | -| ------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | -| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r70` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | -| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | -| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | -| `metrics.enabled` | Start a side-car prometheus exporter | `false` | -| `metrics.image.registry` | Memcached exporter image registry | `docker.io` | -| `metrics.image.repository` | Memcached exporter image repository | `bitnami/memcached-exporter` | -| `metrics.image.tag` | Memcached exporter image tag (immutable tags are recommended) | `0.10.0-debian-11-r72` | -| `metrics.image.digest` | Memcached exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `metrics.containerPorts.metrics` | Memcached Prometheus Exporter container port | `9150` | -| `metrics.resources.limits` | Init container volume-permissions resource limits | `{}` | -| `metrics.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `metrics.containerSecurityContext.enabled` | Enabled Metrics containers' Security Context | `true` | -| `metrics.containerSecurityContext.runAsUser` | Set Metrics containers' Security Context runAsUser | `1001` | -| `metrics.containerSecurityContext.runAsNonRoot` | Set Metrics containers' Security Context runAsNonRoot | `true` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe on Memcached Prometheus exporter containers | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe on Memcached Prometheus exporter containers | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.startupProbe.enabled` | Enable startupProbe on Memcached Prometheus exporter containers | `false` | -| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `metrics.podAnnotations` | Memcached Prometheus exporter pod Annotation and Labels | `{}` | -| `metrics.service.ports.metrics` | Prometheus metrics service port | `9150` | -| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | -| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `metrics.service.annotations` | Annotations for the Prometheus metrics service | `{}` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | -| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | - +| Name | Description | Value | +| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | +| `metrics.enabled` | Start a side-car prometheus exporter | `false` | +| `metrics.image.registry` | Memcached exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Memcached exporter image repository | `REPOSITORY_NAME/memcached-exporter` | +| `metrics.image.digest` | Memcached exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.containerPorts.metrics` | Memcached Prometheus Exporter container port | `9150` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on Memcached Prometheus exporter containers | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on Memcached Prometheus exporter containers | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe on Memcached Prometheus exporter containers | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `metrics.podAnnotations` | Memcached Prometheus exporter pod Annotation and Labels | `{}` | +| `metrics.service.ports.metrics` | Prometheus metrics service port | `9150` | +| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `metrics.service.annotations` | Annotations for the Prometheus metrics service | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | The above parameters map to the environment variables defined in the [bitnami/memcached](https://github.com/bitnami/containers/tree/main/bitnami/memcached) container image. For more information please refer to the [bitnami/memcached](https://github.com/bitnami/containers/tree/main/bitnami/memcached) container image documentation. Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, ```console -$ helm install my-release --set auth.username=user,auth.password=password my-repo/memcached +helm install my-release --set auth.username=user,auth.password=password oci://REGISTRY_NAME/REPOSITORY_NAME/memcached ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + The above command sets the Memcached admin account username and password to `user` and `password` respectively. > NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. @@ -286,46 +396,28 @@ The above command sets the Memcached admin account username and password to `use Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, ```console -$ helm install my-release -f values.yaml my-repo/memcached +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/memcached ``` -> **Tip**: You can use the default [values.yaml](values.yaml) - -## Configuration and installation details - -### [Rolling vs Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. - -### Use Sidecars and Init Containers +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/memcached/values.yaml) -If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. Similarly, extra init containers can be added using the `initContainers` parameter. - -Refer to the chart documentation for more information on, and examples of, configuring and using [sidecars and init containers](https://docs.bitnami.com/kubernetes/infrastructure/memcached/configuration/configure-sidecar-init-containers/). - -### Set Pod affinity - -This chart allows you to set your custom affinity using the `affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). - -As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. - -## Persistence - -When using `architecture: "high-availability"` the [Bitnami Memcached](https://github.com/bitnami/containers/tree/main/bitnami/memcached) image stores the cache-state at the `/cache-state` path of the container if enabled. +## Troubleshooting -Persistent Volume Claims (PVCs) are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). -See the [Parameters](#parameters) section to configure the PVC or to disable persistence. +## Upgrading -If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). +### To 7.0.0 -## Troubleshooting +This major bump changes the following security defaults: -Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. -## Upgrading +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. ### To 6.0.0 @@ -349,18 +441,18 @@ This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs [On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/memcached/administration/upgrade-helm3/). - ### To 4.0.0 Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments. Use the workaround below to upgrade from versions previous to 4.0.0. The following example assumes that the release name is memcached: ```console -$ kubectl delete deployment memcached --cascade=false -$ helm upgrade memcached my-repo/memcached +kubectl delete deployment memcached --cascade=false +helm upgrade memcached oci://REGISTRY_NAME/REPOSITORY_NAME/memcached ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + ### To 3.0.0 This release uses the new bash based `bitnami/memcached` container which uses bash scripts for the start up logic of the container and is smaller in size. @@ -371,18 +463,18 @@ Backwards compatibility is not guaranteed unless you modify the labels used on t Use the workaround below to upgrade from versions previous to 1.0.0. The following example assumes that the release name is memcached: ```console -$ kubectl patch deployment memcached --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' +kubectl patch deployment memcached --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' ``` ## License -Copyright © 2022 Bitnami +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/.helmignore b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/.helmignore index 50af03172..d0e10845d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/.helmignore +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/.helmignore @@ -20,3 +20,7 @@ .idea/ *.tmproj .vscode/ +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/Chart.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/Chart.yaml index f9ba944c8..ee87ae1af 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/Chart.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/Chart.yaml @@ -1,10 +1,11 @@ annotations: category: Infrastructure + licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.2.2 +appVersion: 2.27.2 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. -home: https://github.com/bitnami/charts/tree/main/bitnami/common +home: https://bitnami.com icon: https://bitnami.com/downloads/logos/bitnami-mark.png keywords: - common @@ -13,11 +14,10 @@ keywords: - function - bitnami maintainers: -- name: Bitnami +- name: Broadcom, Inc. All Rights Reserved. url: https://github.com/bitnami/charts name: common sources: -- https://github.com/bitnami/charts -- https://www.bitnami.com/ +- https://github.com/bitnami/charts/tree/main/bitnami/common type: library -version: 2.2.2 +version: 2.27.2 diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/README.md b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/README.md index ec43a5fab..3943ed04b 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/README.md +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/README.md @@ -1,18 +1,18 @@ # Bitnami Common Library Chart -A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. ## TL;DR ```yaml dependencies: - name: common - version: 1.x.x - repository: https://charts.bitnami.com/bitnami + version: 2.x.x + repository: oci://registry-1.docker.io/bitnamicharts ``` -```bash -$ helm dependency update +```console +helm dependency update ``` ```yaml @@ -24,6 +24,8 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. @@ -32,129 +34,11 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment ## Prerequisites -- Kubernetes 1.19+ -- Helm 3.2.0+ +- Kubernetes 1.23+ +- Helm 3.8.0+ ## Parameters -The following table lists the helpers available in the library which are scoped in different sections. - -### Affinities - -| Helper identifier | Description | Expected Input | -|-------------------------------|------------------------------------------------------|------------------------------------------------| -| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | -| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | -| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | -| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | -| `common.affinities.topologyKey` | Return a topologyKey definition | `dict "topologyKey" "FOO"` | - -### Capabilities - -| Helper identifier | Description | Expected Input | -|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| -| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | -| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | -| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | -| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | -| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | -| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | -| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | -| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | -| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | -| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context | -| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context | -| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | - -### Errors - -| Helper identifier | Description | Expected Input | -|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| -| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | - -### Images - -| Helper identifier | Description | Expected Input | -|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| -| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | -| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | -| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | - -### Ingress - -| Helper identifier | Description | Expected Input | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | -| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | -| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | -| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | - -### Labels - -| Helper identifier | Description | Expected Input | -|-----------------------------|-----------------------------------------------------------------------------|-------------------| -| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | -| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context | - -### Names - -| Helper identifier | Description | Expected Input | -|-----------------------------------|-----------------------------------------------------------------------|-------------------| -| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | -| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | -| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context | -| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context | -| `common.names.chart` | Chart name plus version | `.` Chart context | - -### Secrets - -| Helper identifier | Description | Expected Input | -|-----------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | -| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | -| `common.secrets.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | -| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | - -### Storage - -| Helper identifier | Description | Expected Input | -|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| -| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | - -### TplValues - -| Helper identifier | Description | Expected Input | -|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | - -### Utils - -| Helper identifier | Description | Expected Input | -|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| -| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | -| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | -| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | -| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | - -### Validations - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | -| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | -| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | -| `common.validations.values.mysql.passwords` | This helper will ensure required password for MySQL are not empty. It returns a shared error for all the values. | `dict "secret" "mysql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mysql chart and the helper. | -| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | -| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis® are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | -| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | -| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | - -### Warnings - -| Helper identifier | Description | Expected Input | -|------------------------------|----------------------------------|------------------------------------------------------------| -| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | - ## Special input schemas ### ImageRoot @@ -177,7 +61,7 @@ tag: pullPolicy: type: string - description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + description: Specify a imagePullPolicy.' pullSecrets: type: array @@ -300,7 +184,7 @@ keyMapping: If we force those values to be empty we will see some alerts ```console -$ helm install test mychart --set path.to.value00="",path.to.value01="" +helm install test mychart --set path.to.value00="",path.to.value01="" 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) @@ -316,33 +200,33 @@ $ helm install test mychart --set path.to.value00="",path.to.value01="" [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -**What changes were introduced in this major version?** +#### What changes were introduced in this major version? - Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. - Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. - The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts -**Considerations when upgrading to this version** +#### Considerations when upgrading to this version - If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues - If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore - If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 -**Useful links** +#### Useful links -- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ -- https://helm.sh/docs/topics/v2_v3_migration/ -- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ +- +- +- ## License -Copyright © 2022 Bitnami +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_affinities.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_affinities.tpl index 81902a681..d387dbe63 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_affinities.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_affinities.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* @@ -55,42 +60,86 @@ Return a topologyKey definition {{/* Return a soft podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}} +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} */}} {{- define "common.affinities.pods.soft" -}} {{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} {{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +{{- $extraNamespaces := default (list) .extraNamespaces -}} preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }} {{- if not (empty $component) }} {{ printf "app.kubernetes.io/component: %s" $component }} {{- end }} {{- range $key, $value := $extraMatchLabels }} {{ $key }}: {{ $value | quote }} {{- end }} + {{- if $extraNamespaces }} + namespaces: + - {{ .context.Release.Namespace }} + {{- with $extraNamespaces }} + {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }} + {{- end }} + {{- end }} topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} weight: 1 + {{- range $extraPodAffinityTerms }} + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: {{ .weight | default 1 -}} + {{- end -}} {{- end -}} {{/* Return a hard podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}} +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} */}} {{- define "common.affinities.pods.hard" -}} {{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} {{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +{{- $extraNamespaces := default (list) .extraNamespaces -}} requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }} {{- if not (empty $component) }} {{ printf "app.kubernetes.io/component: %s" $component }} {{- end }} {{- range $key, $value := $extraMatchLabels }} {{ $key }}: {{ $value | quote }} {{- end }} + {{- if $extraNamespaces }} + namespaces: + - {{ .context.Release.Namespace }} + {{- with $extraNamespaces }} + {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }} + {{- end }} + {{- end }} topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- range $extraPodAffinityTerms }} + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- end -}} {{- end -}} {{/* diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_capabilities.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_capabilities.tpl index 9d9b76004..bfff3489d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_capabilities.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_capabilities.tpl @@ -1,25 +1,23 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Return the target Kubernetes version */}} {{- define "common.capabilities.kubeVersion" -}} -{{- if .Values.global }} - {{- if .Values.global.kubeVersion }} - {{- .Values.global.kubeVersion -}} - {{- else }} - {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} - {{- end -}} -{{- else }} -{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} -{{- end -}} +{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}} {{- end -}} {{/* Return the appropriate apiVersion for poddisruptionbudget. */}} {{- define "common.capabilities.policy.apiVersion" -}} -{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} {{- print "policy/v1beta1" -}} {{- else -}} {{- print "policy/v1" -}} @@ -30,7 +28,8 @@ Return the appropriate apiVersion for poddisruptionbudget. Return the appropriate apiVersion for networkpolicy. */}} {{- define "common.capabilities.networkPolicy.apiVersion" -}} -{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.7-0" $kubeVersion) -}} {{- print "extensions/v1beta1" -}} {{- else -}} {{- print "networking.k8s.io/v1" -}} @@ -41,18 +40,32 @@ Return the appropriate apiVersion for networkpolicy. Return the appropriate apiVersion for cronjob. */}} {{- define "common.capabilities.cronjob.apiVersion" -}} -{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} {{- print "batch/v1beta1" -}} {{- else -}} {{- print "batch/v1" -}} {{- end -}} {{- end -}} +{{/* +Return the appropriate apiVersion for daemonset. +*/}} +{{- define "common.capabilities.daemonset.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + {{/* Return the appropriate apiVersion for deployment. */}} {{- define "common.capabilities.deployment.apiVersion" -}} -{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} {{- print "extensions/v1beta1" -}} {{- else -}} {{- print "apps/v1" -}} @@ -63,7 +76,8 @@ Return the appropriate apiVersion for deployment. Return the appropriate apiVersion for statefulset. */}} {{- define "common.capabilities.statefulset.apiVersion" -}} -{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} {{- print "apps/v1beta1" -}} {{- else -}} {{- print "apps/v1" -}} @@ -74,30 +88,24 @@ Return the appropriate apiVersion for statefulset. Return the appropriate apiVersion for ingress. */}} {{- define "common.capabilities.ingress.apiVersion" -}} -{{- if .Values.ingress -}} -{{- if .Values.ingress.apiVersion -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if (.Values.ingress).apiVersion -}} {{- .Values.ingress.apiVersion -}} -{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} {{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} {{- print "networking.k8s.io/v1beta1" -}} {{- else -}} {{- print "networking.k8s.io/v1" -}} {{- end }} -{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} {{- end -}} {{/* Return the appropriate apiVersion for RBAC resources. */}} {{- define "common.capabilities.rbac.apiVersion" -}} -{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.17-0" $kubeVersion) -}} {{- print "rbac.authorization.k8s.io/v1beta1" -}} {{- else -}} {{- print "rbac.authorization.k8s.io/v1" -}} @@ -108,7 +116,8 @@ Return the appropriate apiVersion for RBAC resources. Return the appropriate apiVersion for CRDs. */}} {{- define "common.capabilities.crd.apiVersion" -}} -{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} {{- print "apiextensions.k8s.io/v1beta1" -}} {{- else -}} {{- print "apiextensions.k8s.io/v1" -}} @@ -119,7 +128,8 @@ Return the appropriate apiVersion for CRDs. Return the appropriate apiVersion for APIService. */}} {{- define "common.capabilities.apiService.apiVersion" -}} -{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.10-0" $kubeVersion) -}} {{- print "apiregistration.k8s.io/v1beta1" -}} {{- else -}} {{- print "apiregistration.k8s.io/v1" -}} @@ -130,7 +140,8 @@ Return the appropriate apiVersion for APIService. Return the appropriate apiVersion for Horizontal Pod Autoscaler. */}} {{- define "common.capabilities.hpa.apiVersion" -}} -{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} {{- if .beta2 -}} {{- print "autoscaling/v2beta2" -}} {{- else -}} @@ -141,6 +152,68 @@ Return the appropriate apiVersion for Horizontal Pod Autoscaler. {{- end -}} {{- end -}} +{{/* +Return the appropriate apiVersion for Vertical Pod Autoscaler. +*/}} +{{- define "common.capabilities.vpa.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.11-0" $kubeVersion) -}} +{{- print "autoscaling/v1beta1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "autoscaling/v1beta2" -}} +{{- else -}} +{{- print "autoscaling/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if PodSecurityPolicy is supported +*/}} +{{- define "common.capabilities.psp.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if or (empty $kubeVersion) (semverCompare "<1.25-0" $kubeVersion) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if AdmissionConfiguration is supported +*/}} +{{- define "common.capabilities.admissionConfiguration.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if or (empty $kubeVersion) (not (semverCompare "<1.23-0" $kubeVersion)) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for AdmissionConfiguration. +*/}} +{{- define "common.capabilities.admissionConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- print "apiserver.config.k8s.io/v1alpha1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "apiserver.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiserver.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for PodSecurityConfiguration. +*/}} +{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "pod-security.admission.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "pod-security.admission.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + {{/* Returns true if the used Helm version is 3.3+. A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_compatibility.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_compatibility.tpl new file mode 100644 index 000000000..a61588d68 --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_compatibility.tpl @@ -0,0 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return true if the detected platform is Openshift +Usage: +{{- include "common.compatibility.isOpenshift" . -}} +*/}} +{{- define "common.compatibility.isOpenshift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC +Usage: +{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} +*/}} +{{- define "common.compatibility.renderSecurityContext" -}} +{{- $adaptedContext := .secContext -}} + +{{- if (((.context.Values.global).compatibility).openshift) -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} + {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- if not .secContext.seLinuxOptions -}} + {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{/* Remove empty seLinuxOptions object if global.compatibility.omitEmptySeLinuxOptions is set to true */}} +{{- if and (((.context.Values.global).compatibility).omitEmptySeLinuxOptions) (not .secContext.seLinuxOptions) -}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} +{{- end -}} +{{/* Remove fields that are disregarded when running the container in privileged mode */}} +{{- if $adaptedContext.privileged -}} + {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_errors.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_errors.tpl index a79cc2e32..e96536519 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_errors.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_errors.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Through error when upgrading using empty passwords values that must not be empty. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_images.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_images.tpl index 46c659e79..76bb7ce44 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_images.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_images.tpl @@ -1,23 +1,34 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* -Return the proper image name -{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +Return the proper image name. +If image tag and digest are not defined, termination fallbacks to chart appVersion. +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "chart" .Chart ) }} */}} {{- define "common.images.image" -}} -{{- $registryName := .imageRoot.registry -}} +{{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}} {{- $repositoryName := .imageRoot.repository -}} {{- $separator := ":" -}} {{- $termination := .imageRoot.tag | toString -}} -{{- if .global }} - {{- if .global.imageRegistry }} - {{- $registryName = .global.imageRegistry -}} - {{- end -}} + +{{- if not .imageRoot.tag }} + {{- if .chart }} + {{- $termination = .chart.AppVersion | toString -}} + {{- end -}} {{- end -}} {{- if .imageRoot.digest }} {{- $separator = "@" -}} {{- $termination = .imageRoot.digest | toString -}} {{- end -}} -{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} {{- end -}} {{/* @@ -27,21 +38,27 @@ Return the proper Docker Image Registry Secret Names (deprecated: use common.ima {{- define "common.images.pullSecrets" -}} {{- $pullSecrets := list }} - {{- if .global }} - {{- range .global.imagePullSecrets -}} + {{- range ((.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} {{- $pullSecrets = append $pullSecrets . -}} - {{- end -}} + {{- end }} {{- end -}} {{- range .images -}} {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets . -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} {{- end -}} {{- end -}} - {{- if (not (empty $pullSecrets)) }} + {{- if (not (empty $pullSecrets)) -}} imagePullSecrets: - {{- range $pullSecrets }} + {{- range $pullSecrets | uniq }} - name: {{ . }} {{- end }} {{- end }} @@ -55,22 +72,44 @@ Return the proper Docker Image Registry Secret Names evaluating values as templa {{- $pullSecrets := list }} {{- $context := .context }} - {{- if $context.Values.global }} - {{- range $context.Values.global.imagePullSecrets -}} + {{- range (($context.Values.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} {{- end -}} {{- end -}} {{- range .images -}} {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} {{- end -}} {{- end -}} - {{- if (not (empty $pullSecrets)) }} + {{- if (not (empty $pullSecrets)) -}} imagePullSecrets: - {{- range $pullSecrets }} + {{- range $pullSecrets | uniq }} - name: {{ . }} {{- end }} {{- end }} {{- end -}} + +{{/* +Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion) +{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }} +*/}} +{{- define "common.images.version" -}} +{{- $imageTag := .imageRoot.tag | toString -}} +{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}} +{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}} + {{- $version := semver $imageTag -}} + {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}} +{{- else -}} + {{- print .chart.AppVersion -}} +{{- end -}} +{{- end -}} + diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_ingress.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_ingress.tpl index 831da9caa..7d2b87985 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_ingress.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_ingress.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_labels.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_labels.tpl index 252066c7e..0a0cc5488 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_labels.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_labels.tpl @@ -1,18 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} + {{/* Kubernetes standard labels +{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}} */}} {{- define "common.labels.standard" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}} +{{- with .context.Chart.AppVersion -}} +{{- $_ := set $default "app.kubernetes.io/version" . -}} +{{- end -}} +{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }} +{{- else -}} app.kubernetes.io/name: {{ include "common.names.name" . }} helm.sh/chart: {{ include "common.names.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Chart.AppVersion }} +app.kubernetes.io/version: {{ . | quote }} +{{- end -}} +{{- end -}} {{- end -}} {{/* -Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector +{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}} + +We don't want to loop over custom labels appending them to the selector +since it's very likely that it will break deployments, services, etc. +However, it's important to overwrite the standard labels if the user +overwrote them on metadata.labels fields. */}} {{- define "common.labels.matchLabels" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }} +{{- else -}} app.kubernetes.io/name: {{ include "common.names.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} +{{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_names.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_names.tpl index 617a23489..ba8395685 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_names.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_names.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Expand the name of the chart. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_resources.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_resources.tpl new file mode 100644 index 000000000..d8a43e1c2 --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_resources.tpl @@ -0,0 +1,50 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "common.resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "common.resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi") + ) + "xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_secrets.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_secrets.tpl index a1708b2e8..bfef46978 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_secrets.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_secrets.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Generate secret name. @@ -62,7 +67,7 @@ Params: Generate secret password or retrieve one if already created. Usage: -{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $) }} Params: - secret - String - Required - Name of the 'Secret' resource where the password is stored. @@ -72,13 +77,18 @@ Params: - strong - Boolean - Optional - Whether to add symbols to the generated random password. - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - + - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. + - honorProvidedValues - Boolean - Optional - Default to false. If set to true, the values in providedValues have higher priority than an existing secret The order in which this function returns a secret password: - 1. Already existing 'Secret' resource + 1. Password provided via the values.yaml if honorProvidedValues = true + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 2. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) - 2. Password provided via the values.yaml + 3. Password provided via the values.yaml if honorProvidedValues = false (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) - 3. Randomly generated secret password + 4. Randomly generated secret password (A new random secret password with the length specified in the 'length' parameter will be generated and returned) */}} @@ -93,33 +103,49 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} {{- end -}} -{{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} -{{- else }} - - {{- if .context.Values.enabled }} - {{- $subchart = $chartName }} - {{- end -}} +{{- end }} - {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} - {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} - {{- $passwordValidationErrors := list $requiredPasswordError -}} - {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} +{{- if and $providedPasswordValue .honorProvidedValues }} + {{- $password = $providedPasswordValue | toString }} +{{- end }} - {{- if .strong }} - {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} - {{- $password = randAscii $passwordLength }} - {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} +{{- if not $password }} + {{- if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} - {{- end }} + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- if not (eq .failOnNew false) }} + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + {{- end }} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} + {{- else }} + {{- $password = randAlphaNum $passwordLength }} + {{- end }} + {{- end -}} +{{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} {{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* @@ -137,15 +163,16 @@ Params: */}} {{- define "common.secrets.lookup" -}} {{- $value := "" -}} -{{- $defaultValue := required "\n'common.secrets.lookup': Argument 'defaultValue' missing or empty" .defaultValue -}} {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}} {{- if and $secretData (hasKey $secretData .key) -}} {{- $value = index $secretData .key -}} -{{- else -}} - {{- $value = $defaultValue | toString | b64enc -}} +{{- else if .defaultValue -}} + {{- $value = .defaultValue | toString | b64enc -}} {{- end -}} +{{- if $value -}} {{- printf "%s" $value -}} {{- end -}} +{{- end -}} {{/* Returns whether a previous generated secret already exists diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_storage.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_storage.tpl index 60e2a844f..aa75856c0 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_storage.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_storage.tpl @@ -1,23 +1,21 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} + {{/* Return the proper Storage Class {{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} */}} {{- define "common.storage.class" -}} - -{{- $storageClass := .persistence.storageClass -}} -{{- if .global -}} - {{- if .global.storageClass -}} - {{- $storageClass = .global.storageClass -}} - {{- end -}} -{{- end -}} - +{{- $storageClass := (.global).storageClass | default .persistence.storageClass | default (.global).defaultStorageClass | default "" -}} {{- if $storageClass -}} {{- if (eq "-" $storageClass) -}} {{- printf "storageClassName: \"\"" -}} - {{- else }} + {{- else -}} {{- printf "storageClassName: %s" $storageClass -}} {{- end -}} {{- end -}} - {{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_tplvalues.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_tplvalues.tpl index 2db166851..a04f4c1eb 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_tplvalues.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_tplvalues.tpl @@ -1,13 +1,52 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* -Renders a value that contains template. +Renders a value that contains template perhaps with scope if the scope is present. Usage: -{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} */}} {{- define "common.tplvalues.render" -}} - {{- if typeIs "string" .value }} - {{- tpl .value .context }} - {{- else }} - {{- tpl (.value | toYaml) .context }} - {{- end }} +{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} +{{- if contains "{{" (toJson .value) }} + {{- if .scope }} + {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} + {{- else }} + {{- tpl $value .context }} + {{- end }} +{{- else }} + {{- $value }} +{{- end }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge +Usage: +{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with https://masterminds.github.io/sprig/dicts.html#mergeoverwrite-mustmergeoverwrite +Usage: +{{ include "common.tplvalues.merge-overwrite" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge-overwrite" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | mergeOverwrite $dst -}} +{{- end -}} +{{ $dst | toYaml }} {{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_utils.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_utils.tpl index b1ead50cf..d53c74aa2 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_utils.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_utils.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Print instructions to get a secret value. @@ -60,3 +65,13 @@ Usage: {{- end -}} {{- printf "%s" $key -}} {{- end -}} + +{{/* +Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376). +Usage: +{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }} +*/}} +{{- define "common.utils.checksumTemplate" -}} +{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}} +{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }} +{{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_warnings.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_warnings.tpl index ae10fa41e..62c44dfca 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_warnings.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/_warnings.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Warning about using rolling tag. @@ -8,7 +13,97 @@ Usage: {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ ++info https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html {{- end }} +{{- end -}} +{{/* +Warning about replaced images from the original. +Usage: +{{ include "common.warnings.modifiedImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} +*/}} +{{- define "common.warnings.modifiedImages" -}} +{{- $affectedImages := list -}} +{{- $printMessage := false -}} +{{- $originalImages := .context.Chart.Annotations.images -}} +{{- range .images -}} + {{- $fullImageName := printf (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- if not (contains $fullImageName $originalImages) }} + {{- $affectedImages = append $affectedImages (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- $printMessage = true -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +âš  SECURITY WARNING: Original containers have been substituted. This Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables. + +Substituted images detected: +{{- range $affectedImages }} + - {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . -}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} {{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_cassandra.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_cassandra.tpl index ded1ae3bc..f8fd213bc 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_cassandra.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_cassandra.tpl @@ -1,30 +1,9 @@ -{{/* vim: set filetype=mustache: */}} {{/* -Validate Cassandra required passwords are not empty. - -Usage: -{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.cassandra.passwords" -}} - {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} - {{- $enabled := include "common.cassandra.values.enabled" . -}} - {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} - {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to get the right value for existingSecret. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_mariadb.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_mariadb.tpl index b6906ff77..6ea8c0f45 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_mariadb.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_mariadb.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Validate MariaDB required passwords are not empty. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_mongodb.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_mongodb.tpl index f820ec107..e678a6de8 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_mongodb.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_mongodb.tpl @@ -1,50 +1,9 @@ -{{/* vim: set filetype=mustache: */}} {{/* -Validate MongoDB® required passwords are not empty. - -Usage: -{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" - - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.mongodb.passwords" -}} - {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mongodb.values.enabled" . -}} - {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} - {{- $architecture := include "common.mongodb.values.architecture" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} - {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} - - {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} - {{- if and $valueUsername $valueDatabase -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replicaset") -}} - {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to get the right value for existingSecret. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_mysql.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_mysql.tpl index 74472a061..fbb65c338 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_mysql.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_mysql.tpl @@ -1,45 +1,9 @@ -{{/* vim: set filetype=mustache: */}} {{/* -Validate MySQL required passwords are not empty. - -Usage: -{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret" - - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.mysql.passwords" -}} - {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mysql.values.enabled" . -}} - {{- $architecture := include "common.mysql.values.architecture" . -}} - {{- $authPrefix := include "common.mysql.values.key.auth" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- if not (empty $valueUsername) -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replication") -}} - {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to get the right value for existingSecret. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_postgresql.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_postgresql.tpl index 164ec0d01..51d47162e 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_postgresql.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_postgresql.tpl @@ -1,33 +1,9 @@ -{{/* vim: set filetype=mustache: */}} {{/* -Validate PostgreSQL required passwords are not empty. - -Usage: -{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.postgresql.passwords" -}} - {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} - {{- $enabled := include "common.postgresql.values.enabled" . -}} - {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} - {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} - - {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} - {{- if (eq $enabledReplication "true") -}} - {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to decide whether evaluate global values. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_redis.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_redis.tpl index dcccfc1ae..9fedfef9d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_redis.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_redis.tpl @@ -1,38 +1,10 @@ - -{{/* vim: set filetype=mustache: */}} {{/* -Validate Redis® required passwords are not empty. - -Usage: -{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" - - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 */}} -{{- define "common.validations.values.redis.passwords" -}} - {{- $enabled := include "common.redis.values.enabled" . -}} - {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} - {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} - - {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} - {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} - {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} - {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} - {{- if eq $useAuth "true" -}} - {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} {{/* Auxiliary function to get the right value for enabled redis. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_validations.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_validations.tpl index 9a814cf40..7cdee6170 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_validations.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/templates/validations/_validations.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Validate values must not be empty. diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/values.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/values.yaml index f2df68e5e..de2cac57d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/values.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/charts/common/values.yaml @@ -1,3 +1,6 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + ## bitnami/common ## It is required by CI/CD tools and processes. ## @skip exampleValue diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/NOTES.txt b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/NOTES.txt index a62e8f50f..b24a225d7 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/NOTES.txt +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/NOTES.txt @@ -41,3 +41,5 @@ To access the Memcached Prometheus metrics from outside the cluster execute the {{- include "memcached.validateValues" . }} {{- include "memcached.checkRollingTags" . }} +{{- include "common.warnings.resources" (dict "sections" (list "metrics" "" "volumePermissions") "context" $) }} +{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} \ No newline at end of file diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/_helpers.tpl b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/_helpers.tpl index 4a540dd59..5bc78e156 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/_helpers.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/_helpers.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/deployment.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/deployment.yaml index 73d4e73f0..8bea8a46f 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/deployment.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/deployment.yaml @@ -1,29 +1,29 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if eq .Values.architecture "standalone" }} apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ template "common.names.fullname" . }} namespace: {{ .Release.Namespace }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} replicas: {{ .Values.replicaCount }} {{- if .Values.updateStrategy }} strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} {{- end }} template: metadata: - labels: {{- include "common.labels.standard" . | nindent 8 }} - {{- if .Values.podLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} annotations: {{- if .Values.auth.enabled }} checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} @@ -36,6 +36,7 @@ spec: {{- end }} spec: {{- include "memcached.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} {{- if .Values.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} {{- end }} @@ -43,8 +44,8 @@ spec: affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }} {{- else }} affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }} + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} {{- end }} {{- if .Values.nodeSelector }} @@ -63,12 +64,13 @@ spec: schedulerName: {{ .Values.schedulerName }} {{- end }} {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if .Values.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} {{- end }} serviceAccountName: {{ template "memcached.serviceAccountName" . }} + enableServiceLinks: {{ .Values.enableServiceLinks }} {{- if .Values.initContainers }} initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} {{- end }} @@ -77,7 +79,7 @@ spec: image: {{ template "memcached.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -125,8 +127,10 @@ spec: livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} {{- else if .Values.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: memcache + exec: + command: + - pgrep + - memcached {{- end }} {{- if .Values.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} @@ -147,11 +151,17 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} {{- end }} {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - - name: tmp + - name: empty-dir + mountPath: /opt/bitnami/memcached/conf + subPath: app-conf-dir + - name: empty-dir mountPath: /tmp + subPath: tmp-dir {{- if .Values.extraVolumeMounts }} {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} {{- end }} @@ -160,7 +170,7 @@ spec: image: {{ template "memcached.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} ports: - name: metrics @@ -170,8 +180,7 @@ spec: livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} {{- else if .Values.metrics.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: /metrics + tcpSocket: port: {{ .Values.metrics.containerPorts.metrics }} {{- end }} {{- if .Values.metrics.customReadinessProbe }} @@ -190,15 +199,29 @@ spec: {{- end }} {{- end }} {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.resources "context" $) | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} {{- end }} {{- if .Values.sidecars }} {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} volumes: - - name: tmp + - name: empty-dir + {{- if eq .Values.emptyDir.medium "Memory" }} + emptyDir: + medium: "Memory" + {{- else }} emptyDir: {} + {{- end }} {{- if .Values.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/extra-list.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/extra-list.yaml index 9ac65f9e1..329f5c653 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/extra-list.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/extra-list.yaml @@ -1,3 +1,8 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- range .Values.extraDeploy }} --- {{ include "common.tplvalues.render" (dict "value" . "context" $) }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/hpa.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/hpa.yaml index f631fbb48..dab3bca27 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/hpa.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/hpa.yaml @@ -1,13 +1,15 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if and .Values.autoscaling.enabled (eq .Values.architecture "high-availability") }} apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} kind: HorizontalPodAutoscaler metadata: name: {{ template "common.names.fullname" . }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/metrics-svc.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/metrics-svc.yaml index fc3199e1f..a7823a43c 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/metrics-svc.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/metrics-svc.yaml @@ -1,21 +1,20 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if .Values.metrics.enabled }} apiVersion: v1 kind: Service metadata: name: {{ printf "%s-metrics" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} namespace: {{ .Release.Namespace }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: metrics - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.metrics.service.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.annotations "context" $) | nindent 4 }} - {{- end }} + {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: type: ClusterIP sessionAffinity: {{ .Values.metrics.service.sessionAffinity }} @@ -26,5 +25,6 @@ spec: - name: metrics port: {{ .Values.metrics.service.ports.metrics }} targetPort: metrics - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/networkpolicy.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/networkpolicy.yaml new file mode 100644 index 000000000..2fba52bd5 --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/networkpolicy.yaml @@ -0,0 +1,74 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow connection to other cluster pods + - ports: + - port: {{ .Values.containerPorts.memcached }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.memcached }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.addExternalClientAccess }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + {{- end }} + {{- if .Values.networkPolicy.ingressPodMatchLabels }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressNSMatchLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressNSPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/pdb.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/pdb.yaml index e73a31cf9..f2310d504 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/pdb.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/pdb.yaml @@ -1,17 +1,26 @@ -{{- if and .Values.pdb.create (eq .Values.architecture "high-availability") }} +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.pdb.create }} apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ include "common.names.fullname" . }} namespace: {{ .Release.Namespace }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: {{- if .Values.pdb.minAvailable }} minAvailable: {{ .Values.pdb.minAvailable }} {{- end }} - {{- if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- if or .Values.pdb.maxUnavailable ( not .Values.pdb.minAvailable ) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/secrets.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/secrets.yaml index cb3f0822d..1caa1f9c9 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/secrets.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/secrets.yaml @@ -1,13 +1,15 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if and (.Values.auth.enabled) (not .Values.auth.existingPasswordSecret) }} apiVersion: v1 kind: Secret metadata: name: {{ template "common.names.fullname" . }} namespace: {{ .Release.Namespace }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/service.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/service.yaml index 27695a4c1..7d9ce56c4 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/service.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/service.yaml @@ -1,19 +1,18 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + apiVersion: v1 kind: Service metadata: name: {{ include "common.names.fullname" . }} namespace: {{ .Release.Namespace }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.service.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.service.annotations "context" $) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: type: {{ .Values.service.type }} {{- if .Values.service.sessionAffinity }} @@ -46,4 +45,6 @@ spec: {{- if .Values.service.extraPorts }} {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} {{- end }} - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + publishNotReadyAddresses: true + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/serviceaccount.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/serviceaccount.yaml index d1508a795..a6bc23a56 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/serviceaccount.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/serviceaccount.yaml @@ -1,3 +1,8 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if .Values.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount @@ -5,15 +10,9 @@ automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountT metadata: name: {{ template "memcached.serviceAccountName" . }} namespace: {{ .Release.Namespace }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.serviceAccount.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/servicemonitor.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/servicemonitor.yaml index 208196c92..b1d64f308 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/servicemonitor.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/servicemonitor.yaml @@ -1,20 +1,16 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ template "common.names.fullname" . }} - {{- if .Values.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.metrics.serviceMonitor.namespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.labels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }} - {{- end }} + namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- end }} @@ -23,7 +19,7 @@ spec: jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} {{- end }} selector: - matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} {{- if .Values.metrics.serviceMonitor.selector }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/statefulset.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/statefulset.yaml index ece789962..94fc205e1 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/statefulset.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/templates/statefulset.yaml @@ -1,20 +1,25 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if eq .Values.architecture "high-availability" }} apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} kind: StatefulSet metadata: name: {{ template "common.names.fullname" . }} namespace: {{ .Release.Namespace }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + {{- if not (and .Values.autoscaling.enabled (eq .Values.architecture "high-availability")) }} replicas: {{ .Values.replicaCount }} + {{- end }} {{- if .Values.podManagementPolicy }} podManagementPolicy: {{ .Values.podManagementPolicy | quote }} {{- end }} @@ -24,10 +29,7 @@ spec: {{- end }} template: metadata: - labels: {{- include "common.labels.standard" . | nindent 8 }} - {{- if .Values.podLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} annotations: {{- if .Values.auth.enabled }} checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} @@ -40,6 +42,7 @@ spec: {{- end }} spec: {{- include "memcached.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} {{- if .Values.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} {{- end }} @@ -47,8 +50,8 @@ spec: affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }} {{- else }} affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }} + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} {{- end }} {{- if .Values.nodeSelector }} @@ -67,12 +70,13 @@ spec: schedulerName: {{ .Values.schedulerName }} {{- end }} {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if .Values.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} {{- end }} serviceAccountName: {{ template "memcached.serviceAccountName" . }} + enableServiceLinks: {{ .Values.enableServiceLinks }} {{- if or .Values.persistence.enabled .Values.initContainers }} initContainers: {{- if and .Values.persistence.enabled .Values.volumePermissions.enabled }} @@ -90,11 +94,16 @@ spec: securityContext: runAsUser: {{ .Values.volumePermissions.containerSecurityContext.runAsUser }} {{- if .Values.volumePermissions.resources }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.volumePermissions.resources "context" $) | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data mountPath: /cache-state + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- if .Values.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} @@ -105,7 +114,7 @@ spec: image: {{ template "memcached.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -157,8 +166,10 @@ spec: livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} {{- else if .Values.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: memcache + exec: + command: + - pgrep + - memcached {{- end }} {{- if .Values.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} @@ -189,15 +200,21 @@ spec: sleep 60s {{- end }} {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: {{- if .Values.persistence.enabled }} - name: data mountPath: /cache-state {{- end }} - - name: tmp + - name: empty-dir + mountPath: /opt/bitnami/memcached/conf + subPath: app-conf-dir + - name: empty-dir mountPath: /tmp + subPath: tmp-dir {{- if .Values.extraVolumeMounts }} {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} {{- end }} @@ -205,6 +222,9 @@ spec: - name: metrics image: {{ template "memcached.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} ports: - name: metrics containerPort: {{ .Values.metrics.containerPorts.metrics }} @@ -213,8 +233,7 @@ spec: livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} {{- else if .Values.metrics.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: /metrics + tcpSocket: port: {{ .Values.metrics.containerPorts.metrics }} {{- end }} {{- if .Values.metrics.customReadinessProbe }} @@ -234,15 +253,22 @@ spec: {{- end }} {{- end }} {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.resources "context" $) | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} {{- end }} {{- if .Values.sidecars }} {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $ ) | nindent 8 }} {{- end }} volumes: - - name: tmp + - name: empty-dir + {{- if eq .Values.emptyDir.medium "Memory" }} + emptyDir: + medium: "Memory" + {{- else }} emptyDir: {} + {{- end }} {{- if .Values.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} {{- end }} @@ -250,15 +276,11 @@ spec: volumeClaimTemplates: - metadata: name: data - annotations: - {{- if .Values.persistence.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 10 }} - {{- end }} - {{- if .Values.commonLabels }} - labels: {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 10 }} + {{- $claimLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.matchLabels" ( dict "customLabels" $claimLabels "context" $ ) | nindent 10 }} + {{- if or .Values.persistence.annotations .Values.commonAnnotations }} + {{- $claimAnnotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $claimAnnotations "context" $) | nindent 10 }} {{- end }} spec: accessModes: diff --git a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/values.yaml b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/values.yaml index f0c9f8161..27bea3a64 100644 --- a/charts/wordpress/wordpress/charts/wordpress/charts/memcached/values.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/charts/memcached/values.yaml @@ -1,3 +1,6 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + ## @section Global parameters ## Global Docker image parameters ## Please, note that this will override the image parameters, including dependencies, configured to use the global value @@ -5,7 +8,8 @@ ## @param global.imageRegistry Global Docker image registry ## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.storageClass Global StorageClass for Persistent Volume(s) +## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) +## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead ## global: imageRegistry: "" @@ -14,8 +18,17 @@ global: ## - myRegistryKeySecretName ## imagePullSecrets: [] + defaultStorageClass: "" storageClass: "" - + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto ## @section Common parameters ## @param kubeVersion Override Kubernetes version @@ -39,7 +52,6 @@ commonLabels: {} ## @param commonAnnotations Add annotations to all the deployed resources ## commonAnnotations: {} - ## Enable diagnostic mode in the deployment/statefulset ## diagnosticMode: @@ -54,14 +66,13 @@ diagnosticMode: ## args: - infinity - ## @section Memcached parameters ## Bitnami Memcached image version ## ref: https://hub.docker.com/r/bitnami/memcached/tags/ -## @param image.registry Memcached image registry -## @param image.repository Memcached image repository -## @param image.tag Memcached image tag (immutable tags are recommended) +## @param image.registry [default: REGISTRY_NAME] Memcached image registry +## @param image.repository [default: REPOSITORY_NAME/memcached] Memcached image repository +## @skip image.tag Memcached image tag (immutable tags are recommended) ## @param image.digest Memcached image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param image.pullPolicy Memcached image pull policy ## @param image.pullSecrets Specify docker-registry secret names as an array @@ -70,11 +81,10 @@ diagnosticMode: image: registry: docker.m.daocloud.io repository: bitnami/memcached - tag: 1.6.18-debian-11-r0 + tag: 1.6.32-debian-12-r2 digest: "" ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -132,7 +142,6 @@ extraEnvVarsCM: "" ## @param extraEnvVarsSecret Name of existing Secret containing extra env vars for Memcached nodes ## extraEnvVarsSecret: "" - ## @section Deployment/Statefulset parameters ## @param replicaCount Number of Memcached nodes @@ -199,34 +208,65 @@ customStartupProbe: {} ## lifecycleHooks: {} ## Memcached resource requests and limits -## ref: https://kubernetes.io/docs/user-guide/compute-resources/ -## @param resources.limits The resources limits for the Memcached containers -## @param resources.requests.memory The requested memory for the Memcached containers -## @param resources.requests.cpu The requested cpu for the Memcached containers -## -resources: - limits: {} - requests: - memory: 256Mi - cpu: 250m +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "nano" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param podSecurityContext.enabled Enabled Memcached pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups ## @param podSecurityContext.fsGroup Set Memcached pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -## @param containerSecurityContext.enabled Enabled Memcached containers' Security Context -## @param containerSecurityContext.runAsUser Set Memcached containers' Security Context runAsUser -## @param containerSecurityContext.runAsNonRoot Set Memcached containers' Security Context runAsNonRoot +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: false ## @param hostAliases Add deployment host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -272,7 +312,7 @@ nodeAffinityPreset: ## affinity: {} ## @param nodeSelector Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param tolerations Tolerations for pod assignment @@ -306,6 +346,10 @@ terminationGracePeriodSeconds: "" updateStrategy: type: RollingUpdate rollingUpdate: {} +## @param emptyDir.medium Override emptyDir Volume type, defaults to emptyDir: {} +## Possible values: "Memory", "" +emptyDir: + medium: "" ## @param extraVolumes Optionally specify extra list of additional volumes for the Memcached pod(s) ## Example Use Case: mount certificates to enable TLS ## e.g: @@ -354,6 +398,11 @@ sidecars: [] ## containerPort: 1234 ## initContainers: [] +## @param enableServiceLinks Whether information about services should be injected into pod's environment variable +## The environment variables injected by service links are not used, but can lead to slow boot times or slow running of the scripts when there are many services in the current namespace. +## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. +## +enableServiceLinks: true ## Memcached Autoscaling ## @param autoscaling.enabled Enable memcached statefulset autoscaling (requires architecture: "high-availability") ## @param autoscaling.minReplicas memcached statefulset autoscaling minimum number of replicas @@ -374,12 +423,10 @@ autoscaling: ## @param pdb.maxUnavailable Maximum unavailable Memcached replicas ## pdb: - create: false + create: true minAvailable: "" - maxUnavailable: 1 - + maxUnavailable: "" ## @section Traffic Exposure parameters - service: ## @param service.type Kubernetes Service type ## @@ -396,9 +443,9 @@ service: memcached: "" ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## - sessionAffinity: None + sessionAffinity: "" ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity ## sessionAffinityConfig: ## clientIP: @@ -411,7 +458,7 @@ service: ## clusterIP: "" ## @param service.loadBalancerIP Memcached service Load Balancer IP - ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer ## loadBalancerIP: "" ## @param service.loadBalancerSourceRanges Memcached service Load Balancer sources @@ -431,7 +478,69 @@ service: ## @param service.extraPorts Extra ports to expose in the Memcached service (normally used with the `sidecar` value) ## extraPorts: [] - +## Network Policy configuration +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources + ## + enabled: true + ## @param networkPolicy.allowExternal The Policy model to apply + ## When set to false, only pods with the correct client label will have network access to the ports Memcached is + ## listening on. When true, Memcached will accept connections from any source (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. + ## + addExternalClientAccess: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. + ## e.g: + ## ingressPodMatchLabels: + ## my-client: "true" + # + ingressPodMatchLabels: {} + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Other Parameters ## Service account for Memcached to use. @@ -440,7 +549,7 @@ service: serviceAccount: ## @param serviceAccount.create Enable creation of ServiceAccount for Memcached pod ## - create: false + create: true ## @param serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the common.names.fullname template ## @@ -448,15 +557,14 @@ serviceAccount: ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created ## Can be set to false if pods using this serviceAccount do not need to use K8s API ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} - ## @section Persistence parameters ## Enable persistence using Persistent Volume Claims -## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ +## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param persistence.enabled Enable Memcached data persistence using PVC. If false, use emptyDir @@ -480,6 +588,9 @@ persistence: ## @param persistence.annotations Annotations for the PVC ## annotations: {} + ## @param persistence.labels Labels for the PVC + ## + labels: {} ## @param persistence.selector Selector to match an existing Persistent Volume for Memcached's data PVC ## If set, the PVC can't have a PV dynamically provisioned for it ## E.g. @@ -488,7 +599,6 @@ persistence: ## app: my-app ## selector: {} - ## @section Volume Permissions parameters ## @@ -499,17 +609,17 @@ volumePermissions: ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume ## enabled: false - ## @param volumePermissions.image.registry Init container volume-permissions image registry - ## @param volumePermissions.image.repository Init container volume-permissions image repository - ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository + ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets ## image: registry: docker.m.daocloud.io - repository: bitnami/bitnami-shell - tag: 11-debian-11-r70 + repository: bitnami/os-shell + tag: 12-debian-12-r33 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -521,21 +631,31 @@ volumePermissions: ## pullSecrets: [] ## Init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param volumePermissions.resources.limits Init container volume-permissions resource limits - ## @param volumePermissions.resources.requests Init container volume-permissions resource requests - ## - resources: - limits: {} - requests: {} + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Init container' Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## containerSecurityContext: + seLinuxOptions: {} runAsUser: 0 - ## Prometheus Exporter / Metrics ## metrics: @@ -544,9 +664,9 @@ metrics: enabled: false ## Bitnami Memcached Prometheus Exporter image ## ref: https://hub.docker.com/r/bitnami/memcached-exporter/tags/ - ## @param metrics.image.registry Memcached exporter image registry - ## @param metrics.image.repository Memcached exporter image repository - ## @param metrics.image.tag Memcached exporter image tag (immutable tags are recommended) + ## @param metrics.image.registry [default: REGISTRY_NAME] Memcached exporter image registry + ## @param metrics.image.repository [default: REPOSITORY_NAME/memcached-exporter] Memcached exporter image repository + ## @skip metrics.image.tag Memcached exporter image tag (immutable tags are recommended) ## @param metrics.image.digest Memcached exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param metrics.image.pullPolicy Image pull policy ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array @@ -554,7 +674,7 @@ metrics: image: registry: docker.m.daocloud.io repository: bitnami/memcached-exporter - tag: 0.10.0-debian-11-r72 + tag: 0.15.0-debian-12-r2 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -570,23 +690,48 @@ metrics: containerPorts: metrics: 9150 ## Memcached Prometheus exporter container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param metrics.resources.limits Init container volume-permissions resource limits - ## @param metrics.resources.requests Init container volume-permissions resource requests - ## - resources: - limits: {} - requests: {} + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Configure Metrics Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param metrics.containerSecurityContext.enabled Enabled Metrics containers' Security Context - ## @param metrics.containerSecurityContext.runAsUser Set Metrics containers' Security Context runAsUser - ## @param metrics.containerSecurityContext.runAsNonRoot Set Metrics containers' Security Context runAsNonRoot + ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged + ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## Configure extra options for Memcached Prometheus exporter containers' liveness, readiness and startup probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes ## @param metrics.livenessProbe.enabled Enable livenessProbe on Memcached Prometheus exporter containers @@ -659,7 +804,7 @@ metrics: clusterIP: "" ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param metrics.service.annotations [object] Annotations for the Prometheus metrics service diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/NOTES.txt b/charts/wordpress/wordpress/charts/wordpress/templates/NOTES.txt index 0a5c5a580..ca6e571a8 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/NOTES.txt +++ b/charts/wordpress/wordpress/charts/wordpress/templates/NOTES.txt @@ -93,3 +93,5 @@ You can access Apache Prometheus metrics following the steps below: {{- include "common.warnings.rollingTag" .Values.image }} {{- include "common.warnings.rollingTag" .Values.metrics.image }} {{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} +{{- include "common.warnings.resources" (dict "sections" (list "metrics" "" "volumePermissions") "context" $) }} +{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} \ No newline at end of file diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/_helpers.tpl b/charts/wordpress/wordpress/charts/wordpress/templates/_helpers.tpl index 6ab5bb318..9a88d8943 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/_helpers.tpl +++ b/charts/wordpress/wordpress/charts/wordpress/templates/_helpers.tpl @@ -1,3 +1,8 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{/* vim: set filetype=mustache: */}} {{/* diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/config-secret.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/config-secret.yaml index 2d2c46962..e809be0db 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/config-secret.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/config-secret.yaml @@ -1,13 +1,15 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if (include "wordpress.createConfigSecret" .) }} apiVersion: v1 kind: Secret metadata: name: {{ printf "%s-configuration" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/deployment.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/deployment.yaml index fb73e145f..323ad899b 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/deployment.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/deployment.yaml @@ -1,18 +1,21 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: name: {{ include "common.names.fullname" . }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} {{- if .Values.updateStrategy }} strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} {{- end }} @@ -21,10 +24,7 @@ spec: {{- end }} template: metadata: - labels: {{- include "common.labels.standard" . | nindent 8 }} - {{- if .Values.podLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} {{- if or .Values.podAnnotations .Values.metrics.enabled (include "wordpress.createConfigSecret" .) }} annotations: {{- if .Values.podAnnotations }} @@ -39,6 +39,7 @@ spec: {{- end }} spec: {{- include "wordpress.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} {{- if .Values.hostAliases }} # yamllint disable rule:indentation hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} @@ -48,8 +49,8 @@ spec: affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} {{- else }} affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }} + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} {{- end }} {{- if .Values.nodeSelector }} @@ -65,13 +66,15 @@ spec: schedulerName: {{ .Values.schedulerName | quote }} {{- end }} {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} {{- end }} serviceAccountName: {{ include "wordpress.serviceAccountName" .}} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} {{- if .Values.topologySpreadConstraints }} topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} {{- end }} - {{- if or (and .Values.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.persistence.enabled) (.Values.initContainers) }} initContainers: {{- if and .Values.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.persistence.enabled }} - name: volume-permissions @@ -95,16 +98,68 @@ spec: {{- end }} {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - mountPath: /bitnami/wordpress name: wordpress-data subPath: wordpress {{- end }} + - name: prepare-base-dir + image: {{ include "wordpress.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + command: + - /bin/bash + args: + - -ec + - | + #!/bin/bash + + . /opt/bitnami/scripts/liblog.sh + . /opt/bitnami/scripts/libfs.sh + + info "Copying base dir to empty dir" + # In order to not break the application functionality (such as upgrades or plugins) we need + # to make the base directory writable, so we need to copy it to an empty dir volume + cp -r --preserve=mode /opt/bitnami/wordpress /emptydir/app-base-dir + + info "Copying symlinks to stdout/stderr" + # We copy the logs folder because it has symlinks to stdout and stderr + if ! is_dir_empty /opt/bitnami/apache/logs; then + cp -r /opt/bitnami/apache/logs /emptydir/apache-logs-dir + fi + {{- if and (not .Values.allowOverrideNone) .Values.customHTAccessCM }} + # HACK: To avoid issues with ConfigMap mount permissions, we need to create the + # conf/vhosts/htaccess folder when mounting a custom htaccess. Otherwise, the vhosts + # folder will have read-only permissions, causing the initialization logic to fail + info "Custom htaccess mounted, creating folder in volume" + mkdir -p /emptydir/apache-conf-dir/vhosts/htaccess + {{- end }} + + info "Copying default PHP config" + cp -r --preserve=mode /opt/bitnami/php/etc /emptydir/php-conf-dir + + info "Copying php var directory" + if ! is_dir_empty /opt/bitnami/php/var; then + cp -r /opt/bitnami/php/var /emptydir/php-var-dir + fi + + info "Copy operation completed" + volumeMounts: + - name: empty-dir + mountPath: /emptydir {{- if .Values.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} {{- end }} - {{- end }} containers: - name: wordpress image: {{ include "wordpress.image" . }} @@ -120,13 +175,21 @@ spec: args: {{- include "common.tplvalues.render" ( dict "value" .Values.args "context" $) | nindent 12 }} {{- end }} {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: - name: BITNAMI_DEBUG value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - name: ALLOW_EMPTY_PASSWORD value: {{ ternary "yes" "no" .Values.allowEmptyPassword | quote }} + - name: WORDPRESS_SKIP_BOOTSTRAP + value: {{ ternary "yes" "no" .Values.wordpressSkipInstall | quote }} + {{- if or .Values.wordpressConfiguration .Values.existingWordPressConfigurationSecret }} + # Override the default data to persist omiting wp-config.php from the list since + # it is mounted as a read-only file from a Secret + - name: WORDPRESS_DATA_TO_PERSIST + value: "wp-content" + {{- else }} - name: MARIADB_HOST value: {{ include "wordpress.databaseHost" . | quote }} - name: MARIADB_PORT_NUMBER @@ -159,8 +222,6 @@ spec: value: {{ ternary "yes" "no" .Values.htaccessPersistenceEnabled | quote }} - name: WORDPRESS_BLOG_NAME value: {{ .Values.wordpressBlogName | quote }} - - name: WORDPRESS_SKIP_BOOTSTRAP - value: {{ ternary "yes" "no" .Values.wordpressSkipInstall | quote }} - name: WORDPRESS_TABLE_PREFIX value: {{ .Values.wordpressTablePrefix | quote }} - name: WORDPRESS_SCHEME @@ -169,13 +230,8 @@ spec: value: {{ .Values.wordpressExtraConfigContent | quote }} - name: WORDPRESS_PLUGINS value: {{ join "," .Values.wordpressPlugins | quote }} - - name: APACHE_HTTP_PORT_NUMBER - value: {{ .Values.containerPorts.http | quote }} - - name: APACHE_HTTPS_PORT_NUMBER - value: {{ .Values.containerPorts.https | quote }} - {{- if .Values.overrideDatabaseSettings }} - name: WORDPRESS_OVERRIDE_DATABASE_SETTINGS - value: "yes" + value: {{ ternary "yes" "no" .Values.overrideDatabaseSettings | quote }} {{- end }} {{- if .Values.multisite.enable }} - name: WORDPRESS_ENABLE_MULTISITE @@ -214,6 +270,18 @@ spec: - name: SMTP_PROTOCOL value: {{ .Values.smtpProtocol | quote }} {{- end }} + {{- if .Values.smtpFromEmail }} + - name: WORDPRESS_SMTP_FROM_EMAIL + value: {{ .Values.smtpFromEmail | quote }} + {{- end }} + {{- if .Values.smtpFromName }} + - name: WORDPRESS_SMTP_FROM_NAME + value: {{ .Values.smtpFromName | quote }} + {{- end }} + - name: APACHE_HTTP_PORT_NUMBER + value: {{ .Values.containerPorts.http | quote }} + - name: APACHE_HTTPS_PORT_NUMBER + value: {{ .Values.containerPorts.https | quote }} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} @@ -256,8 +324,34 @@ spec: {{- end }} {{- if .Values.resources }} resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /opt/bitnami/apache/conf + subPath: apache-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/apache/logs + subPath: apache-logs-dir + - name: empty-dir + mountPath: /opt/bitnami/apache/var/run + subPath: apache-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/php/etc + subPath: php-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/php/tmp + subPath: php-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/php/var + subPath: php-var-dir + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/wordpress + subPath: app-base-dir - mountPath: /bitnami/wordpress name: wordpress-data subPath: wordpress @@ -327,12 +421,19 @@ spec: {{- end }} {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- end }} {{- if .Values.sidecars }} {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if or .Values.wordpressConfiguration .Values.existingWordPressConfigurationSecret }} - name: wordpress-config secret: diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/externaldb-secrets.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/externaldb-secrets.yaml index a34894f6d..daba98ed6 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/externaldb-secrets.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/externaldb-secrets.yaml @@ -1,13 +1,15 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if not (or .Values.mariadb.enabled .Values.externalDatabase.existingSecret) }} apiVersion: v1 kind: Secret metadata: name: {{ printf "%s-externaldb" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/extra-list.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/extra-list.yaml index 9ac65f9e1..329f5c653 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/extra-list.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/extra-list.yaml @@ -1,3 +1,8 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- range .Values.extraDeploy }} --- {{ include "common.tplvalues.render" (dict "value" . "context" $) }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/hpa.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/hpa.yaml index 4f6a9ab26..373ce297d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/hpa.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/hpa.yaml @@ -1,13 +1,15 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if .Values.autoscaling.enabled }} apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} kind: HorizontalPodAutoscaler metadata: name: {{ include "common.names.fullname" . }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/httpd-configmap.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/httpd-configmap.yaml index 2a1ffe47c..c621a30d2 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/httpd-configmap.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/httpd-configmap.yaml @@ -1,13 +1,15 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if (include "wordpress.apache.createConfigmap" .) }} apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-apache-configuration" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/ingress-secondary.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/ingress-secondary.yaml new file mode 100644 index 000000000..4fd4d6b9e --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/templates/ingress-secondary.yaml @@ -0,0 +1,62 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.secondaryIngress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ include "common.names.fullname" . }}-secondary + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.secondaryIngress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondaryIngress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.secondaryIngress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.secondaryIngress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.secondaryIngress.hostname }} + - host: {{ tpl .Values.secondaryIngress.hostname $ | quote }} + http: + paths: + {{- if .Values.secondaryIngress.extraPaths }} + {{- toYaml .Values.secondaryIngress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.secondaryIngress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.secondaryIngress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.secondaryIngress.extraHosts }} + - host: {{ tpl .name $ | quote }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.secondaryIngress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.secondaryIngress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.secondaryIngress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.secondaryIngress.annotations )) .Values.secondaryIngress.selfSigned)) .Values.secondaryIngress.extraTls }} + tls: + {{- if and .Values.secondaryIngress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.secondaryIngress.annotations )) .Values.secondaryIngress.selfSigned) }} + - hosts: + - {{ tpl .Values.secondaryIngress.hostname $ | quote }} + {{- if or (.Values.secondaryIngress.tlsWwwPrefix) (eq (index .Values.secondaryIngress.annotations "nginx.ingress.kubernetes.io/from-to-www-redirect") "true" ) }} + - {{ printf "www.%s" (tpl .Values.secondaryIngress.hostname $) | quote }} + {{- end }} + secretName: {{ printf "%s-tls" (tpl .Values.secondaryIngress.hostname $) }} + {{- end }} + {{- if .Values.secondaryIngress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.secondaryIngress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/ingress.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/ingress.yaml index 66ae284d4..4237147ce 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/ingress.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/ingress.yaml @@ -1,27 +1,26 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if .Values.ingress.enabled }} apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ include "common.names.fullname" . }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - annotations: - {{- if .Values.ingress.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.ingress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} ingressClassName: {{ .Values.ingress.ingressClassName | quote }} {{- end }} rules: {{- if .Values.ingress.hostname }} - - host: {{ .Values.ingress.hostname | quote }} + - host: {{ tpl .Values.ingress.hostname $ | quote }} http: paths: {{- if .Values.ingress.extraPaths }} @@ -34,7 +33,7 @@ spec: backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "http" "context" $) | nindent 14 }} {{- end }} {{- range .Values.ingress.extraHosts }} - - host: {{ .name | quote }} + - host: {{ tpl .name $ | quote }} http: paths: - path: {{ default "/" .path }} @@ -50,11 +49,11 @@ spec: tls: {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned) }} - hosts: - - {{ .Values.ingress.hostname | quote }} - {{- if or (.Values.ingress.tlsWwwPrefix) (eq (index .Values.ingress.annotations "nginx.ingress.kubernetes.io/from-to-www-redirect") "true" ) }} - - {{ printf "www.%s" .Values.ingress.hostname | quote }} + - {{ tpl .Values.ingress.hostname $ | quote }} + {{- if and (or (.Values.ingress.tlsWwwPrefix) (eq (index .Values.ingress.annotations "nginx.ingress.kubernetes.io/from-to-www-redirect") "true" )) (not (contains "www." .Values.ingress.hostname)) }} + - {{ printf "www.%s" (tpl .Values.ingress.hostname $) | quote }} {{- end }} - secretName: {{ printf "%s-tls" .Values.ingress.hostname }} + secretName: {{ printf "%s-tls" (tpl .Values.ingress.hostname $) }} {{- end }} {{- if .Values.ingress.extraTls }} {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/metrics-svc.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/metrics-svc.yaml index 303fcd836..b6d51a42e 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/metrics-svc.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/metrics-svc.yaml @@ -1,22 +1,19 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if .Values.metrics.enabled }} apiVersion: v1 kind: Service metadata: name: {{ printf "%s-metrics" (include "common.names.fullname" .) }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: metrics - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.metrics.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} {{- end }} spec: type: ClusterIP @@ -25,5 +22,6 @@ spec: port: {{ .Values.metrics.service.ports.metrics }} protocol: TCP targetPort: metrics - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy-backend-ingress.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy-backend-ingress.yaml deleted file mode 100644 index e69a024e7..000000000 --- a/charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy-backend-ingress.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.ingressRules.backendOnlyAccessibleByFrontend }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-backend" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - {{- if .Values.networkPolicy.ingressRules.customBackendSelector }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customBackendSelector "context" $) | nindent 6 }} - {{- else }} - app.kubernetes.io/name: mariadb - app.kubernetes.io/instance: {{ .Release.Name }} - {{- end }} - ingress: - - from: - - podSelector: - matchLabels: - {{- include "common.labels.matchLabels" . | nindent 14 }} -{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy-egress.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy-egress.yaml deleted file mode 100644 index d908e9b88..000000000 --- a/charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy-egress.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-egress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - app.kubernetes.io/instance: {{ .Release.Name }} - policyTypes: - - Egress - egress: - {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} - - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - to: - - namespaceSelector: {} - {{- end }} - {{- if .Values.networkPolicy.egressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy-ingress.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy-ingress.yaml deleted file mode 100644 index 27cbbbb21..000000000 --- a/charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy-ingress.yaml +++ /dev/null @@ -1,61 +0,0 @@ -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.ingress.enabled .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-ingress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - {{- include "common.labels.standard" . | nindent 6 }} - ingress: - {{- if and .Values.ingress.enabled .Values.networkPolicy.ingress.enabled (or .Values.networkPolicy.ingress.namespaceSelector .Values.networkPolicy.ingress.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingress.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingress.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - - from: - {{- if .Values.networkPolicy.metrics.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.metrics.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy.yaml new file mode 100644 index 000000000..23f0fc83e --- /dev/null +++ b/charts/wordpress/wordpress/charts/wordpress/templates/networkpolicy.yaml @@ -0,0 +1,92 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to MariaDB + - ports: + - port: {{ include "wordpress.databasePort" . }} + {{- if .Values.mariadb.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: mariadb + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + {{- if .Values.wordpressConfigureCache }} + # Allow outbound connections to Memcached + - ports: + - port: {{ include "wordpress.cachePort" . }} + {{- if .Values.memcached.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: memcached + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.http }} + - port: {{ .Values.containerPorts.https }} + {{- range .Values.extraContainerPorts }} + - port: {{ . }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/pdb.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/pdb.yaml index 2760f3494..25c8dead4 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/pdb.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/pdb.yaml @@ -1,13 +1,15 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if .Values.pdb.create }} apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ include "common.names.fullname" . }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} @@ -15,9 +17,10 @@ spec: {{- if .Values.pdb.minAvailable }} minAvailable: {{ .Values.pdb.minAvailable }} {{- end }} - {{- if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/postinit-configmap.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/postinit-configmap.yaml index a07085ef0..4d62189bf 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/postinit-configmap.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/postinit-configmap.yaml @@ -1,13 +1,15 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if or .Values.customPostInitScripts .Values.wordpressConfigureCache }} apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-postinit" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} @@ -36,7 +38,7 @@ data: wp total-cache flush all # Revoke permissions to edit wp-config.php - chmod a-w bitnami/wordpress/wp-config.php + chmod a-w /bitnami/wordpress/wp-config.php {{- end }} {{- if .Values.customPostInitScripts }} {{- include "common.tplvalues.render" (dict "value" .Values.customPostInitScripts "context" $) | nindent 2 }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/pvc.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/pvc.yaml index d82b65104..72a0c262b 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/pvc.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/pvc.yaml @@ -1,21 +1,18 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ include "common.names.fullname" . }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.persistence.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.persistence.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.persistence.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} {{- end }} spec: accessModes: @@ -30,6 +27,9 @@ spec: requests: storage: {{ .Values.persistence.size | quote }} {{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) | nindent 2 }} + {{- if .Values.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 4 }} + {{- end -}} {{- if .Values.persistence.dataSource }} dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.dataSource "context" $) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/secrets.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/secrets.yaml index 7ed022ec7..f2b3b46d9 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/secrets.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/secrets.yaml @@ -1,13 +1,15 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if or (not .Values.existingSecret) (and (not .Values.smtpExistingSecret) .Values.smtpPassword) }} apiVersion: v1 kind: Secret metadata: name: {{ include "common.names.fullname" . }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/serviceaccount.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/serviceaccount.yaml index 60d2fb285..4926a50fa 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/serviceaccount.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/serviceaccount.yaml @@ -1,19 +1,18 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "wordpress.serviceAccountName" . }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - annotations: - {{- if .Values.serviceAccount.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.serviceAccount.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} {{- end -}} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/servicemonitor.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/servicemonitor.yaml index 933f737eb..a7041ca0d 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/servicemonitor.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/servicemonitor.yaml @@ -1,17 +1,17 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ include "common.names.fullname" . }} namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: metrics - {{- if .Values.metrics.serviceMonitor.labels }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.labels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} @@ -38,6 +38,6 @@ spec: matchNames: - {{ .Release.Namespace | quote }} selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: metrics {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/svc.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/svc.yaml index dc84dc17b..99a18bbc3 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/svc.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/svc.yaml @@ -1,20 +1,17 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + apiVersion: v1 kind: Service metadata: name: {{ include "common.names.fullname" . }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.service.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.service.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.service.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} {{- end }} spec: type: {{ .Values.service.type }} @@ -58,4 +55,5 @@ spec: {{- if .Values.service.extraPorts }} {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} {{- end }} - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} diff --git a/charts/wordpress/wordpress/charts/wordpress/templates/tls-secrets.yaml b/charts/wordpress/wordpress/charts/wordpress/templates/tls-secrets.yaml index 0805d18eb..626fac851 100644 --- a/charts/wordpress/wordpress/charts/wordpress/templates/tls-secrets.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/templates/tls-secrets.yaml @@ -1,3 +1,8 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + {{- if .Values.ingress.enabled }} {{- if .Values.ingress.secrets }} {{- range .Values.ingress.secrets }} @@ -6,10 +11,7 @@ kind: Secret metadata: name: {{ .name }} namespace: {{ $.Release.Namespace | quote }} - labels: {{- include "common.labels.standard" $ | nindent 4 }} - {{- if $.Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} {{- if $.Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} @@ -29,10 +31,7 @@ kind: Secret metadata: name: {{ $secretName }} namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/wordpress/wordpress/charts/wordpress/values.schema.json b/charts/wordpress/wordpress/charts/wordpress/values.schema.json index 0e2466a97..6949a4f81 100644 --- a/charts/wordpress/wordpress/charts/wordpress/values.schema.json +++ b/charts/wordpress/wordpress/charts/wordpress/values.schema.json @@ -142,6 +142,37 @@ } } }, + "secondaryIngress": { + "type": "object", + "form": true, + "title": "Ingress Configuration", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Use a custom hostname", + "description": "Enable the ingress resource that allows you to access the WordPress installation." + }, + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "hidden": { + "value": false, + "path": "ingress/enabled" + } + }, + "tls": { + "type": "boolean", + "form": true, + "title": "Create a TLS secret", + "hidden": { + "value": false, + "path": "ingress/enabled" + } + } + } + }, "service": { "type": "object", "form": true, diff --git a/charts/wordpress/wordpress/charts/wordpress/values.yaml b/charts/wordpress/wordpress/charts/wordpress/values.yaml index bc2809733..07181191b 100644 --- a/charts/wordpress/wordpress/charts/wordpress/values.yaml +++ b/charts/wordpress/wordpress/charts/wordpress/values.yaml @@ -1,3 +1,6 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + ## @section Global parameters ## Global Docker image parameters ## Please, note that this will override the image parameters, including dependencies, configured to use the global value @@ -6,7 +9,7 @@ ## @param global.imageRegistry Global Docker image registry ## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.storageClass Global StorageClass for Persistent Volume(s) +## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) ## global: imageRegistry: "" @@ -15,8 +18,16 @@ global: ## - myRegistryKeySecretName ## imagePullSecrets: [] - storageClass: "" - + defaultStorageClass: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto ## @section Common parameters ## @@ -41,7 +52,6 @@ clusterDomain: cluster.local ## @param extraDeploy Array of extra objects to deploy with the release ## extraDeploy: [] - ## Enable diagnostic mode in the deployment ## diagnosticMode: @@ -56,15 +66,14 @@ diagnosticMode: ## args: - infinity - ## @section WordPress Image parameters ## ## Bitnami WordPress image ## ref: https://hub.docker.com/r/bitnami/wordpress/tags/ -## @param image.registry WordPress image registry -## @param image.repository WordPress image repository -## @param image.tag WordPress image tag (immutable tags are recommended) +## @param image.registry [default: REGISTRY_NAME] WordPress image registry +## @param image.repository [default: REPOSITORY_NAME/wordpress] WordPress image repository +## @skip image.tag WordPress image tag (immutable tags are recommended) ## @param image.digest WordPress image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param image.pullPolicy WordPress image pull policy ## @param image.pullSecrets WordPress image pull secrets @@ -73,11 +82,10 @@ diagnosticMode: image: registry: docker.io repository: bitnami/wordpress - tag: 6.1.1-debian-11-r42 + tag: 6.7.1-debian-12-r3 digest: "" ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -91,7 +99,6 @@ image: ## Enable debug mode ## debug: false - ## @section WordPress Configuration parameters ## WordPress settings based on environment variables ## ref: https://github.com/bitnami/containers/tree/main/bitnami/wordpress#environment-variables @@ -188,12 +195,16 @@ customPostInitScripts: {} ## @param smtpUser SMTP username ## @param smtpPassword SMTP user password ## @param smtpProtocol SMTP protocol +## @param smtpFromEmail SMTP from email (default is `smtpUser`) +## @param smtpFromName SMTP from name (default is `wordpressFirstName` and `wordpressLastName`) ## smtpHost: "" smtpPort: "" smtpUser: "" smtpPassword: "" smtpProtocol: "" +smtpFromEmail: "" +smtpFromName: "" ## @param smtpExistingSecret The name of an existing secret with SMTP credentials ## NOTE: Must contain key `smtp-password` ## NOTE: When it's set, the `smtpPassword` parameter is ignored @@ -237,7 +248,6 @@ extraEnvVarsCM: "" ## @param extraEnvVarsSecret Name of existing Secret containing extra env vars ## extraEnvVarsSecret: "" - ## @section WordPress Multisite Configuration parameters ## ref: https://github.com/bitnami/containers/tree/main/bitnami/wordpress#multisite-configuration ## @@ -252,7 +262,6 @@ multisite: host: "" networkType: subdomain enableNipIoRedirect: false - ## @section WordPress deployment parameters ## @@ -261,7 +270,6 @@ multisite: ## replicaCount: 1 ## @param updateStrategy.type WordPress deployment strategy type -## @param updateStrategy.rollingUpdate WordPress deployment rolling update configuration parameters ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy ## NOTE: Set it to `Recreate` if you use a PV that cannot be mounted on multiple pods ## e.g: @@ -273,11 +281,14 @@ replicaCount: 1 ## updateStrategy: type: RollingUpdate - rollingUpdate: {} ## @param schedulerName Alternate scheduler ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## schedulerName: "" +## @param terminationGracePeriodSeconds In seconds, time given to the WordPress pod to terminate gracefully +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +terminationGracePeriodSeconds: "" ## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods ## @@ -286,6 +297,9 @@ topologySpreadConstraints: [] ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ ## priorityClassName: "" +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: false ## @param hostAliases [array] WordPress pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -361,7 +375,7 @@ nodeAffinityPreset: ## affinity: {} ## @param nodeSelector Node labels for pod assignment -## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param tolerations Tolerations for pod assignment @@ -369,16 +383,22 @@ nodeSelector: {} ## tolerations: [] ## WordPress containers' resource requests and limits -## ref: https://kubernetes.io/docs/user-guide/compute-resources/ -## @param resources.limits The resources limits for the WordPress containers -## @param resources.requests.memory The requested memory for the WordPress containers -## @param resources.requests.cpu The requested cpu for the WordPress containers -## -resources: - limits: {} - requests: - memory: 512Mi - cpu: 300m +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "micro" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} ## Container ports ## @param containerPorts.http WordPress HTTP container port ## @param containerPorts.https WordPress HTTPS container port @@ -396,33 +416,47 @@ extraContainerPorts: [] ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param podSecurityContext.enabled Enabled WordPress pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups ## @param podSecurityContext.fsGroup Set WordPress pod's Security Context fsGroup -## @param podSecurityContext.seccompProfile.type Set WordPress container's Security Context seccomp profile ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 - seccompProfile: - type: "RuntimeDefault" ## Configure Container Security Context (only main container) ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -## @param containerSecurityContext.enabled Enabled WordPress containers' Security Context -## @param containerSecurityContext.runAsUser Set WordPress container's Security Context runAsUser -## @param containerSecurityContext.runAsNonRoot Set WordPress container's Security Context runAsNonRoot -## @param containerSecurityContext.allowPrivilegeEscalation Set WordPress container's privilege escalation -## @param containerSecurityContext.capabilities.drop Set WordPress container's Security Context runAsNonRoot +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## Configure extra options for WordPress containers' liveness, readiness and startup probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes ## @param livenessProbe.enabled Enable livenessProbe on WordPress containers -## @skip livenessProbe.httpGet +## @skip livenessProbe.tcpSocket ## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe ## @param livenessProbe.periodSeconds Period seconds for livenessProbe ## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe @@ -431,20 +465,8 @@ containerSecurityContext: ## livenessProbe: enabled: true - httpGet: - path: /wp-admin/install.php - port: '{{ .Values.wordpressScheme }}' - scheme: '{{ .Values.wordpressScheme | upper }}' - ## If using an HTTPS-terminating load-balancer, the probes may need to behave - ## like the balancer to prevent HTTP 302 responses. According to the Kubernetes - ## docs, 302 should be considered "successful", but this issue on GitHub - ## (https://github.com/kubernetes/kubernetes/issues/47893) shows that it isn't. - ## E.g. - ## httpHeaders: - ## - name: X-Forwarded-Proto - ## value: https - ## - httpHeaders: [] + tcpSocket: + port: http initialDelaySeconds: 120 periodSeconds: 10 timeoutSeconds: 5 @@ -520,7 +542,6 @@ customStartupProbe: {} ## @param lifecycleHooks for the WordPress container(s) to automate configuration before or after startup ## lifecycleHooks: {} - ## @section Traffic Exposure Parameters ## @@ -549,7 +570,7 @@ service: https: "" ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity @@ -602,7 +623,7 @@ ingress: ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ ## ingressClassName: "" - ## @param ingress.hostname Default host for the ingress record + ## @param ingress.hostname Default host for the ingress record. The hostname is templated and thus can contain other variable references. ## hostname: wordpress.local ## @param ingress.path Default path for the ingress record @@ -611,7 +632,7 @@ ingress: path: / ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md ## Use this parameter to set the required annotations for cert-manager, see ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations ## @@ -636,7 +657,7 @@ ingress: ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm ## selfSigned: false - ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record. The host names are templated and thus can contain other variable references. ## e.g: ## extraHosts: ## - name: wordpress.local @@ -696,11 +717,123 @@ ingress: ## extraRules: [] +## Configure second ingress resource that allows you to access the WordPress installation +## This may be used to secure /wp-admin behind authentication or IP restrictions +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +secondaryIngress: + ## @param secondaryIngress.enabled Enable ingress record generation for WordPress + ## + enabled: false + ## @param secondaryIngress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param secondaryIngress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param secondaryIngress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param secondaryIngress.hostname Default host for the ingress record. The hostname is templated and thus can contain other variable references. + ## + hostname: wordpress.local + ## @param secondaryIngress.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @param secondaryIngress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param secondaryIngress.tls Enable TLS configuration for the host defined at `secondaryIngress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.secondaryIngress.hostname }}` + ## You can: + ## - Use the `secondaryIngress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## + tls: false + ## @param secondaryIngress.tlsWwwPrefix Adds www subdomain to default cert + ## Creates tls host with secondaryIngress.hostname: {{ print "www.%s" .Values.secondaryIngress.hostname }} + ## Is enabled if "nginx.ingress.kubernetes.io/from-to-www-redirect" is "true" + tlsWwwPrefix: false + ## @param secondaryIngress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param secondaryIngress.extraHosts An array with additional hostname(s) to be covered with the ingress record. The host names are templated and thus can contain other variable references. + ## e.g: + ## extraHosts: + ## - name: wordpress.local + ## path: / + ## + extraHosts: [] + ## @param secondaryIngress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param secondaryIngress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - wordpress.local + ## secretName: wordpress.local-tls + ## + extraTls: [] + ## @param secondaryIngress.secrets Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: wordpress.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... + ## -----END CERTIFICATE----- + ## + secrets: [] + ## @param secondaryIngress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: wordpress.local + ## http: + ## path: / + ## backend: + ## service: + ## name: wordpress-svc + ## port: + ## name: http + ## + extraRules: [] ## @section Persistence Parameters ## ## Persistence Parameters -## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ +## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param persistence.enabled Enable persistence using Persistent Volume Claims @@ -739,7 +872,6 @@ persistence: ## @param persistence.annotations Persistent Volume Claim annotations ## annotations: {} - ## Init containers parameters: ## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node ## @@ -747,19 +879,19 @@ volumePermissions: ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` ## enabled: false - ## Bitnami Shell image - ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ - ## @param volumePermissions.image.registry Bitnami Shell image registry - ## @param volumePermissions.image.repository Bitnami Shell image repository - ## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended) - ## @param volumePermissions.image.digest Bitnami Shell image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag - ## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy - ## @param volumePermissions.image.pullSecrets Bitnami Shell image pull secrets + ## OS Shell + Utility image + ## ref: https://hub.docker.com/r/bitnami/os-shell/tags/ + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] OS Shell + Utility image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] OS Shell + Utility image repository + ## @skip volumePermissions.image.tag OS Shell + Utility image tag (immutable tags are recommended) + ## @param volumePermissions.image.digest OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy OS Shell + Utility image pull policy + ## @param volumePermissions.image.pullSecrets OS Shell + Utility image pull secrets ## image: registry: docker.io - repository: bitnami/bitnami-shell - tag: 11-debian-11-r81 + repository: bitnami/os-shell + tag: 12-debian-12-r33 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -771,21 +903,31 @@ volumePermissions: ## pullSecrets: [] ## Init container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param volumePermissions.resources.limits The resources limits for the init container - ## @param volumePermissions.resources.requests The requested resources for the init container - ## - resources: - limits: {} - requests: {} + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Init container' Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## containerSecurityContext: + seLinuxOptions: {} runAsUser: 0 - ## @section Other Parameters ## @@ -795,7 +937,7 @@ volumePermissions: serviceAccount: ## @param serviceAccount.create Enable creation of ServiceAccount for WordPress pod ## - create: false + create: true ## @param serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the common.names.fullname template ## @@ -803,7 +945,7 @@ serviceAccount: ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created ## Can be set to false if pods using this serviceAccount do not need to use K8s API ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} @@ -811,11 +953,11 @@ serviceAccount: ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ ## @param pdb.create Enable a Pod Disruption Budget creation ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled -## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable +## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. ## pdb: - create: false - minAvailable: 1 + create: true + minAvailable: "" maxUnavailable: "" ## WordPress Autoscaling configuration ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ @@ -831,7 +973,6 @@ autoscaling: maxReplicas: 11 targetCPU: 50 targetMemory: 50 - ## @section Metrics Parameters ## @@ -843,9 +984,9 @@ metrics: enabled: false ## Bitnami Apache exporter image ## ref: https://hub.docker.com/r/bitnami/apache-exporter/tags/ - ## @param metrics.image.registry Apache exporter image registry - ## @param metrics.image.repository Apache exporter image repository - ## @param metrics.image.tag Apache exporter image tag (immutable tags are recommended) + ## @param metrics.image.registry [default: REGISTRY_NAME] Apache exporter image registry + ## @param metrics.image.repository [default: REPOSITORY_NAME/apache-exporter] Apache exporter image repository + ## @skip metrics.image.tag Apache exporter image tag (immutable tags are recommended) ## @param metrics.image.digest Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param metrics.image.pullPolicy Apache exporter image pull policy ## @param metrics.image.pullSecrets Apache exporter image pull secrets @@ -853,7 +994,7 @@ metrics: image: registry: docker.io repository: bitnami/apache-exporter - tag: 0.11.0-debian-11-r90 + tag: 1.0.9-debian-12-r4 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -922,13 +1063,48 @@ metrics: ## customStartupProbe: {} ## Prometheus exporter container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param metrics.resources.limits The resources limits for the Prometheus exporter container - ## @param metrics.resources.requests The requested resources for the Prometheus exporter container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged + ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## - resources: - limits: {} - requests: {} + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## Prometheus exporter service parameters ## service: @@ -977,107 +1153,64 @@ metrics: ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. ## jobLabel: "" - ## @section NetworkPolicy parameters ## -## Add networkpolicies +## Network Policy configuration +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## networkPolicy: - ## @param networkPolicy.enabled Enable network policies - ## If ingress.enabled or metrics.enabled are true, configure networkPolicy.ingress and networkPolicy.metrics selectors respectively to allow communication + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created ## - enabled: false - ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) - ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. - ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). ## - metrics: - enabled: false - ## e.g: - ## podSelector: - ## label: monitoring - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: monitoring - ## - namespaceSelector: {} - ## @param networkPolicy.ingress.enabled Enable network policy for Ingress Proxies - ## @param networkPolicy.ingress.namespaceSelector [object] Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. - ## @param networkPolicy.ingress.podSelector [object] Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## - ingress: - enabled: false - ## e.g: - ## podSelector: - ## label: ingress - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## @param networkPolicy.ingressRules.backendOnlyAccessibleByFrontend Enable ingress rule that makes the backend (mariadb) only accessible by testlink's pods. - ## @param networkPolicy.ingressRules.customBackendSelector [object] Backend selector labels. These labels will be used to identify the backend pods. - ## @param networkPolicy.ingressRules.accessOnlyFrom.enabled Enable ingress rule that makes testlink only accessible from a particular origin - ## @param networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access testlink. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.accessOnlyFrom.podSelector [object] Pods selector label that is allowed to access testlink. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.customRules [object] Custom network policy ingress rule - ## - ingressRules: - ## mariadb backend only can be accessed from testlink - ## - backendOnlyAccessibleByFrontend: false - ## Additional custom backend selector - ## e.g: - ## customBackendSelector: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customBackendSelector: {} - ## Allow only from the indicated: - ## - accessOnlyFrom: - enabled: false - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: access - ## - namespaceSelector: {} - ## custom ingress rules - ## e.g: - ## customRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: {} - ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). - ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule - ## - egressRules: - # Deny connections to external. This is not compatible with an external database. - denyConnectionsToExternal: false - ## Additional custom egress rules - ## e.g: - ## customRules: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: {} + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Database Parameters ## @@ -1111,7 +1244,7 @@ mariadb: ## primary: ## MariaDB Primary Persistence parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## @param mariadb.primary.persistence.enabled Enable persistence on MariaDB using PVC(s) ## @param mariadb.primary.persistence.storageClass Persistent Volume storage class ## @param mariadb.primary.persistence.accessModes [array] Persistent Volume access modes @@ -1123,6 +1256,27 @@ mariadb: accessModes: - ReadWriteOnce size: 8Gi + ## MariaDB primary container's resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param mariadb.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "micro" + ## @param mariadb.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## External Database Configuration ## All of these values are only used if `mariadb.enabled=false` ## @@ -1167,12 +1321,33 @@ memcached: ## @param memcached.auth.password Memcached admin password ## password: "" + ## @param memcached.auth.existingPasswordSecret Existing secret with Memcached credentials (must contain a value for `memcached-password` key) + ## + existingPasswordSecret: "" ## Service parameters ## service: ## @param memcached.service.port Memcached service port ## port: 11211 + ## Memcached resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param memcached.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param memcached.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## External Memcached Configuration ## All of these values are only used if `memcached.enabled=false` ## diff --git a/charts/wordpress/wordpress/values.schema.json b/charts/wordpress/wordpress/values.schema.json index ba4be5445..ad1c08845 100644 --- a/charts/wordpress/wordpress/values.schema.json +++ b/charts/wordpress/wordpress/values.schema.json @@ -148,6 +148,37 @@ } } }, + "secondaryIngress": { + "type": "object", + "form": true, + "title": "Ingress Configuration", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Use a custom hostname", + "description": "Enable the ingress resource that allows you to access the WordPress installation." + }, + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "hidden": { + "value": false, + "path": "ingress/enabled" + } + }, + "tls": { + "type": "boolean", + "form": true, + "title": "Create a TLS secret", + "hidden": { + "value": false, + "path": "ingress/enabled" + } + } + } + }, "service": { "type": "object", "form": true, diff --git a/charts/wordpress/wordpress/values.yaml b/charts/wordpress/wordpress/values.yaml index fd2cec870..cb369efe4 100644 --- a/charts/wordpress/wordpress/values.yaml +++ b/charts/wordpress/wordpress/values.yaml @@ -1,5 +1,8 @@ # child values wordpress: + # Copyright Broadcom, Inc. All Rights Reserved. + # SPDX-License-Identifier: APACHE-2.0 + ## @section Global parameters ## Global Docker image parameters ## Please, note that this will override the image parameters, including dependencies, configured to use the global value @@ -8,7 +11,7 @@ wordpress: ## @param global.imageRegistry Global Docker image registry ## @param global.imagePullSecrets Global Docker registry secret names as an array - ## @param global.storageClass Global StorageClass for Persistent Volume(s) + ## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) ## global: imageRegistry: "" @@ -17,7 +20,16 @@ wordpress: ## - myRegistryKeySecretName ## imagePullSecrets: [] - storageClass: "" + defaultStorageClass: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto ## @section Common parameters ## @@ -61,9 +73,9 @@ wordpress: ## Bitnami WordPress image ## ref: https://hub.docker.com/r/bitnami/wordpress/tags/ - ## @param image.registry WordPress image registry - ## @param image.repository WordPress image repository - ## @param image.tag WordPress image tag (immutable tags are recommended) + ## @param image.registry [default: REGISTRY_NAME] WordPress image registry + ## @param image.repository [default: REPOSITORY_NAME/wordpress] WordPress image repository + ## @skip image.tag WordPress image tag (immutable tags are recommended) ## @param image.digest WordPress image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param image.pullPolicy WordPress image pull policy ## @param image.pullSecrets WordPress image pull secrets @@ -72,11 +84,10 @@ wordpress: image: registry: docker.m.daocloud.io repository: bitnami/wordpress - tag: 6.1.1-debian-11-r42 + tag: 6.7.1-debian-12-r3 digest: "" ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -186,12 +197,16 @@ wordpress: ## @param smtpUser SMTP username ## @param smtpPassword SMTP user password ## @param smtpProtocol SMTP protocol + ## @param smtpFromEmail SMTP from email (default is `smtpUser`) + ## @param smtpFromName SMTP from name (default is `wordpressFirstName` and `wordpressLastName`) ## smtpHost: "" smtpPort: "" smtpUser: "" smtpPassword: "" smtpProtocol: "" + smtpFromEmail: "" + smtpFromName: "" ## @param smtpExistingSecret The name of an existing secret with SMTP credentials ## NOTE: Must contain key `smtp-password` ## NOTE: When it's set, the `smtpPassword` parameter is ignored @@ -257,7 +272,6 @@ wordpress: ## replicaCount: 1 ## @param updateStrategy.type WordPress deployment strategy type - ## @param updateStrategy.rollingUpdate WordPress deployment rolling update configuration parameters ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy ## NOTE: Set it to `Recreate` if you use a PV that cannot be mounted on multiple pods ## e.g: @@ -269,11 +283,14 @@ wordpress: ## updateStrategy: type: RollingUpdate - rollingUpdate: {} ## @param schedulerName Alternate scheduler ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## schedulerName: "" + ## @param terminationGracePeriodSeconds In seconds, time given to the WordPress pod to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" ## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods ## @@ -282,6 +299,9 @@ wordpress: ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ ## priorityClassName: "" + ## @param automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param hostAliases [array] WordPress pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -357,7 +377,7 @@ wordpress: ## affinity: {} ## @param nodeSelector Node labels for pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param tolerations Tolerations for pod assignment @@ -365,16 +385,22 @@ wordpress: ## tolerations: [] ## WordPress containers' resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param resources.limits The resources limits for the WordPress containers - ## @param resources.requests.memory The requested memory for the WordPress containers - ## @param resources.requests.cpu The requested cpu for the WordPress containers - ## - resources: - limits: {} - requests: - memory: 512Mi - cpu: 300m + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "micro" + ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Container ports ## @param containerPorts.http WordPress HTTP container port ## @param containerPorts.https WordPress HTTPS container port @@ -392,33 +418,47 @@ wordpress: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param podSecurityContext.enabled Enabled WordPress pods' Security Context + ## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param podSecurityContext.supplementalGroups Set filesystem extra groups ## @param podSecurityContext.fsGroup Set WordPress pod's Security Context fsGroup - ## @param podSecurityContext.seccompProfile.type Set WordPress container's Security Context seccomp profile ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 - seccompProfile: - type: "RuntimeDefault" ## Configure Container Security Context (only main container) ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param containerSecurityContext.enabled Enabled WordPress containers' Security Context - ## @param containerSecurityContext.runAsUser Set WordPress container's Security Context runAsUser - ## @param containerSecurityContext.runAsNonRoot Set WordPress container's Security Context runAsNonRoot - ## @param containerSecurityContext.allowPrivilegeEscalation Set WordPress container's privilege escalation - ## @param containerSecurityContext.capabilities.drop Set WordPress container's Security Context runAsNonRoot + ## @param containerSecurityContext.enabled Enabled containers' Security Context + ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param containerSecurityContext.privileged Set container's Security Context privileged + ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## Configure extra options for WordPress containers' liveness, readiness and startup probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes ## @param livenessProbe.enabled Enable livenessProbe on WordPress containers - ## @skip livenessProbe.httpGet + ## @skip livenessProbe.tcpSocket ## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe ## @param livenessProbe.periodSeconds Period seconds for livenessProbe ## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe @@ -427,20 +467,8 @@ wordpress: ## livenessProbe: enabled: true - httpGet: - path: /wp-admin/install.php - port: '{{ .Values.wordpressScheme }}' - scheme: '{{ .Values.wordpressScheme | upper }}' - ## If using an HTTPS-terminating load-balancer, the probes may need to behave - ## like the balancer to prevent HTTP 302 responses. According to the Kubernetes - ## docs, 302 should be considered "successful", but this issue on GitHub - ## (https://github.com/kubernetes/kubernetes/issues/47893) shows that it isn't. - ## E.g. - ## httpHeaders: - ## - name: X-Forwarded-Proto - ## value: https - ## - httpHeaders: [] + tcpSocket: + port: http initialDelaySeconds: 120 periodSeconds: 10 timeoutSeconds: 5 @@ -544,7 +572,7 @@ wordpress: https: "" ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity @@ -597,7 +625,7 @@ wordpress: ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ ## ingressClassName: "" - ## @param ingress.hostname Default host for the ingress record + ## @param ingress.hostname Default host for the ingress record. The hostname is templated and thus can contain other variable references. ## hostname: wordpress.local ## @param ingress.path Default path for the ingress record @@ -606,7 +634,7 @@ wordpress: path: / ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md ## Use this parameter to set the required annotations for cert-manager, see ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations ## @@ -631,7 +659,7 @@ wordpress: ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm ## selfSigned: false - ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record. The host names are templated and thus can contain other variable references. ## e.g: ## extraHosts: ## - name: wordpress.local @@ -690,11 +718,123 @@ wordpress: ## name: http ## extraRules: [] + ## Configure second ingress resource that allows you to access the WordPress installation + ## This may be used to secure /wp-admin behind authentication or IP restrictions + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ + ## + secondaryIngress: + ## @param secondaryIngress.enabled Enable ingress record generation for WordPress + ## + enabled: false + ## @param secondaryIngress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param secondaryIngress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param secondaryIngress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param secondaryIngress.hostname Default host for the ingress record. The hostname is templated and thus can contain other variable references. + ## + hostname: wordpress.local + ## @param secondaryIngress.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @param secondaryIngress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param secondaryIngress.tls Enable TLS configuration for the host defined at `secondaryIngress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.secondaryIngress.hostname }}` + ## You can: + ## - Use the `secondaryIngress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## + tls: false + ## @param secondaryIngress.tlsWwwPrefix Adds www subdomain to default cert + ## Creates tls host with secondaryIngress.hostname: {{ print "www.%s" .Values.secondaryIngress.hostname }} + ## Is enabled if "nginx.ingress.kubernetes.io/from-to-www-redirect" is "true" + tlsWwwPrefix: false + ## @param secondaryIngress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param secondaryIngress.extraHosts An array with additional hostname(s) to be covered with the ingress record. The host names are templated and thus can contain other variable references. + ## e.g: + ## extraHosts: + ## - name: wordpress.local + ## path: / + ## + extraHosts: [] + ## @param secondaryIngress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param secondaryIngress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - wordpress.local + ## secretName: wordpress.local-tls + ## + extraTls: [] + ## @param secondaryIngress.secrets Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: wordpress.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... + ## -----END CERTIFICATE----- + ## + secrets: [] + ## @param secondaryIngress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: wordpress.local + ## http: + ## path: / + ## backend: + ## service: + ## name: wordpress-svc + ## port: + ## name: http + ## + extraRules: [] ## @section Persistence Parameters ## ## Persistence Parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param persistence.enabled Enable persistence using Persistent Volume Claims @@ -740,19 +880,19 @@ wordpress: ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` ## enabled: false - ## Bitnami Shell image - ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ - ## @param volumePermissions.image.registry Bitnami Shell image registry - ## @param volumePermissions.image.repository Bitnami Shell image repository - ## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended) - ## @param volumePermissions.image.digest Bitnami Shell image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag - ## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy - ## @param volumePermissions.image.pullSecrets Bitnami Shell image pull secrets + ## OS Shell + Utility image + ## ref: https://hub.docker.com/r/bitnami/os-shell/tags/ + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] OS Shell + Utility image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] OS Shell + Utility image repository + ## @skip volumePermissions.image.tag OS Shell + Utility image tag (immutable tags are recommended) + ## @param volumePermissions.image.digest OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy OS Shell + Utility image pull policy + ## @param volumePermissions.image.pullSecrets OS Shell + Utility image pull secrets ## image: registry: docker.m.daocloud.io - repository: bitnami/bitnami-shell - tag: 11-debian-11-r81 + repository: bitnami/os-shell + tag: 12-debian-12-r33 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -764,19 +904,30 @@ wordpress: ## pullSecrets: [] ## Init container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param volumePermissions.resources.limits The resources limits for the init container - ## @param volumePermissions.resources.requests The requested resources for the init container - ## - resources: - limits: {} - requests: {} + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Init container' Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## containerSecurityContext: + seLinuxOptions: {} runAsUser: 0 ## @section Other Parameters ## @@ -787,7 +938,7 @@ wordpress: serviceAccount: ## @param serviceAccount.create Enable creation of ServiceAccount for WordPress pod ## - create: false + create: true ## @param serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the common.names.fullname template ## @@ -795,7 +946,7 @@ wordpress: ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created ## Can be set to false if pods using this serviceAccount do not need to use K8s API ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} @@ -803,11 +954,11 @@ wordpress: ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ ## @param pdb.create Enable a Pod Disruption Budget creation ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled - ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable + ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. ## pdb: - create: false - minAvailable: 1 + create: true + minAvailable: "" maxUnavailable: "" ## WordPress Autoscaling configuration ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ @@ -834,9 +985,9 @@ wordpress: enabled: false ## Bitnami Apache exporter image ## ref: https://hub.docker.com/r/bitnami/apache-exporter/tags/ - ## @param metrics.image.registry Apache exporter image registry - ## @param metrics.image.repository Apache exporter image repository - ## @param metrics.image.tag Apache exporter image tag (immutable tags are recommended) + ## @param metrics.image.registry [default: REGISTRY_NAME] Apache exporter image registry + ## @param metrics.image.repository [default: REPOSITORY_NAME/apache-exporter] Apache exporter image repository + ## @skip metrics.image.tag Apache exporter image tag (immutable tags are recommended) ## @param metrics.image.digest Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param metrics.image.pullPolicy Apache exporter image pull policy ## @param metrics.image.pullSecrets Apache exporter image pull secrets @@ -844,7 +995,7 @@ wordpress: image: registry: docker.m.daocloud.io repository: bitnami/apache-exporter - tag: 0.11.0-debian-11-r90 + tag: 1.0.9-debian-12-r4 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -913,13 +1064,48 @@ wordpress: ## customStartupProbe: {} ## Prometheus exporter container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param metrics.resources.limits The resources limits for the Prometheus exporter container - ## @param metrics.resources.requests The requested resources for the Prometheus exporter container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged + ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## - resources: - limits: {} - requests: {} + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## Prometheus exporter service parameters ## service: @@ -971,103 +1157,61 @@ wordpress: ## @section NetworkPolicy parameters ## - ## Add networkpolicies + ## Network Policy configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## networkPolicy: - ## @param networkPolicy.enabled Enable network policies - ## If ingress.enabled or metrics.enabled are true, configure networkPolicy.ingress and networkPolicy.metrics selectors respectively to allow communication + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created ## - enabled: false - ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) - ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. - ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). ## - metrics: - enabled: false - ## e.g: - ## podSelector: - ## label: monitoring - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: monitoring - ## - namespaceSelector: {} - ## @param networkPolicy.ingress.enabled Enable network policy for Ingress Proxies - ## @param networkPolicy.ingress.namespaceSelector [object] Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. - ## @param networkPolicy.ingress.podSelector [object] Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## - ingress: - enabled: false - ## e.g: - ## podSelector: - ## label: ingress - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## @param networkPolicy.ingressRules.backendOnlyAccessibleByFrontend Enable ingress rule that makes the backend (mariadb) only accessible by testlink's pods. - ## @param networkPolicy.ingressRules.customBackendSelector [object] Backend selector labels. These labels will be used to identify the backend pods. - ## @param networkPolicy.ingressRules.accessOnlyFrom.enabled Enable ingress rule that makes testlink only accessible from a particular origin - ## @param networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access testlink. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.accessOnlyFrom.podSelector [object] Pods selector label that is allowed to access testlink. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.customRules [object] Custom network policy ingress rule - ## - ingressRules: - ## mariadb backend only can be accessed from testlink - ## - backendOnlyAccessibleByFrontend: false - ## Additional custom backend selector - ## e.g: - ## customBackendSelector: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customBackendSelector: {} - ## Allow only from the indicated: - ## - accessOnlyFrom: - enabled: false - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: access - ## - namespaceSelector: {} - ## custom ingress rules - ## e.g: - ## customRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: {} - ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). - ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule - ## - egressRules: - # Deny connections to external. This is not compatible with an external database. - denyConnectionsToExternal: false - ## Additional custom egress rules - ## e.g: - ## customRules: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: {} + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Database Parameters ## @@ -1100,7 +1244,7 @@ wordpress: ## primary: ## MariaDB Primary Persistence parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## @param mariadb.primary.persistence.enabled Enable persistence on MariaDB using PVC(s) ## @param mariadb.primary.persistence.storageClass Persistent Volume storage class ## @param mariadb.primary.persistence.accessModes [array] Persistent Volume access modes @@ -1112,10 +1256,31 @@ wordpress: accessModes: - ReadWriteOnce size: 8Gi + ## MariaDB primary container's resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param mariadb.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "micro" + ## @param mariadb.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} image: registry: docker.m.daocloud.io repository: bitnami/mariadb - tag: 10.6.12-debian-11-r0 + tag: 11.4.4-debian-12-r0 ## External Database Configuration ## All of these values are only used if `mariadb.enabled=false` ## @@ -1160,16 +1325,36 @@ wordpress: ## @param memcached.auth.password Memcached admin password ## password: "" + ## @param memcached.auth.existingPasswordSecret Existing secret with Memcached credentials (must contain a value for `memcached-password` key) + ## + existingPasswordSecret: "" ## Service parameters ## service: ## @param memcached.service.port Memcached service port ## port: 11211 + ## Memcached resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param memcached.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param memcached.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} image: registry: docker.m.daocloud.io repository: bitnami/memcached - tag: 1.6.18-debian-11-r0 + tag: 1.6.32-debian-12-r2 ## External Memcached Configuration ## All of these values are only used if `memcached.enabled=false` ##