matrix
This commit is contained in:
parent
5536b90ffa
commit
e00474109d
matrix
dendrite
.helm-docs
Chart.lockChart.yamlREADME.mdREADME.md.gotmplcharts/postgresql
.helmignoreChart.lockChart.yamlREADME.md
charts/common
.helmignoreChart.yamlREADME.md
templates
_affinities.tpl_capabilities.tpl_errors.tpl_images.tpl_ingress.tpl_labels.tpl_names.tpl_resources.tpl_secrets.tpl_storage.tpl_tplvalues.tpl_utils.tpl_warnings.tpl
values.yamlvalidations
templates
NOTES.txt_helpers.tpl
values.schema.jsonvalues.yamlbackup
extra-list.yamlprimary
configmap.yamlextended-configmap.yamlinitialization-configmap.yamlmetrics-configmap.yamlmetrics-svc.yamlnetworkpolicy.yamlservicemonitor.yamlstatefulset.yamlsvc-headless.yamlsvc.yaml
prometheusrule.yamlpsp.yamlread
extended-configmap.yamlmetrics-configmap.yamlmetrics-svc.yamlnetworkpolicy.yamlservicemonitor.yamlstatefulset.yamlsvc-headless.yamlsvc.yaml
role.yamlrolebinding.yamlsecrets.yamlserviceaccount.yamltls-secrets.yamlci
grafana_dashboards
templates
_helpers.tpl_overrides.yamlconfigmap_grafana_dashboards.yamldeployment.yamlingress.yamljobs.yamlprometheus-rules.yamlpvc.yamlsecrets.yamlservice.yamlservicemonitor.yaml
values.yamltests
5
matrix/dendrite/.helm-docs/about.gotmpl
Normal file
5
matrix/dendrite/.helm-docs/about.gotmpl
Normal file
@ -0,0 +1,5 @@
|
||||
{{ define "chart.about" }}
|
||||
## About
|
||||
|
||||
This chart creates a monolith deployment, including an optionally enabled PostgreSQL dependency to connect to.
|
||||
{{ end }}
|
5
matrix/dendrite/.helm-docs/appservices.gotmpl
Normal file
5
matrix/dendrite/.helm-docs/appservices.gotmpl
Normal file
@ -0,0 +1,5 @@
|
||||
{{ define "chart.appservices" }}
|
||||
## Usage with appservices
|
||||
|
||||
Create a folder `appservices` and place your configurations in there. The configurations will be read and placed in a secret `dendrite-appservices-conf`.
|
||||
{{ end }}
|
18
matrix/dendrite/.helm-docs/database.gotmpl
Normal file
18
matrix/dendrite/.helm-docs/database.gotmpl
Normal file
@ -0,0 +1,18 @@
|
||||
{{ define "chart.dbCreation" }}
|
||||
## Manual database creation
|
||||
|
||||
(You can skip this, if you're deploying the PostgreSQL dependency)
|
||||
|
||||
You'll need to create the following database before starting Dendrite (see [installation](https://matrix-org.github.io/dendrite/installation/database#single-database-creation)):
|
||||
|
||||
```postgres
|
||||
create database dendrite
|
||||
```
|
||||
|
||||
or
|
||||
|
||||
```bash
|
||||
sudo -u postgres createdb -O dendrite -E UTF-8 dendrite
|
||||
```
|
||||
|
||||
{{ end }}
|
27
matrix/dendrite/.helm-docs/monitoring.gotmpl
Normal file
27
matrix/dendrite/.helm-docs/monitoring.gotmpl
Normal file
@ -0,0 +1,27 @@
|
||||
{{ define "chart.monitoringSection" }}
|
||||
## Monitoring
|
||||
|
||||

|
||||
|
||||
* Works well with [Prometheus Operator](https://prometheus-operator.dev/) ([Helmchart](https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack)) and their setup of [Grafana](https://grafana.com/grafana/), by enabling the following values:
|
||||
```yaml
|
||||
dendrite_config:
|
||||
global:
|
||||
metrics:
|
||||
enabled: true
|
||||
|
||||
prometheus:
|
||||
servicemonitor:
|
||||
enabled: true
|
||||
labels:
|
||||
release: "kube-prometheus-stack"
|
||||
rules:
|
||||
enabled: true # will deploy alert rules
|
||||
labels:
|
||||
release: "kube-prometheus-stack"
|
||||
grafana:
|
||||
dashboards:
|
||||
enabled: true # will deploy default dashboards
|
||||
```
|
||||
PS: The label `release=kube-prometheus-stack` is setup with the helmchart of the Prometheus Operator. For Grafana Dashboards it may be necessary to enable scanning in the correct namespaces (or ALL), enabled by `sidecar.dashboards.searchNamespace` in [Helmchart of grafana](https://artifacthub.io/packages/helm/grafana/grafana) (which is part of PrometheusOperator, so `grafana.sidecar.dashboards.searchNamespace`)
|
||||
{{ end }}
|
3
matrix/dendrite/.helm-docs/state.gotmpl
Normal file
3
matrix/dendrite/.helm-docs/state.gotmpl
Normal file
@ -0,0 +1,3 @@
|
||||
{{ define "chart.state" }}
|
||||
Status: **NOT PRODUCTION READY**
|
||||
{{ end }}
|
6
matrix/dendrite/Chart.lock
Normal file
6
matrix/dendrite/Chart.lock
Normal file
@ -0,0 +1,6 @@
|
||||
dependencies:
|
||||
- name: postgresql
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
version: 14.2.3
|
||||
digest: sha256:9a752ef85baa3c754e9569b2cd08cb15bf8e9d182716f0296e853ce15e918c27
|
||||
generated: "2024-04-09T08:24:44.156192866Z"
|
20
matrix/dendrite/Chart.yaml
Normal file
20
matrix/dendrite/Chart.yaml
Normal file
@ -0,0 +1,20 @@
|
||||
apiVersion: v2
|
||||
appVersion: 0.13.7
|
||||
dependencies:
|
||||
- condition: postgresql.enabled
|
||||
name: postgresql
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
version: 14.2.3
|
||||
description: Dendrite Matrix Homeserver
|
||||
home: https://github.com/matrix-org/dendrite
|
||||
icon: https://avatars.githubusercontent.com/u/8418310?s=48&v=4
|
||||
keywords:
|
||||
- matrix
|
||||
- chat
|
||||
- homeserver
|
||||
- dendrite
|
||||
name: dendrite
|
||||
sources:
|
||||
- https://github.com/matrix-org/dendrite
|
||||
type: application
|
||||
version: 0.14.1
|
193
matrix/dendrite/README.md
Normal file
193
matrix/dendrite/README.md
Normal file
@ -0,0 +1,193 @@
|
||||
|
||||
# dendrite
|
||||
|
||||
  
|
||||
Dendrite Matrix Homeserver
|
||||
|
||||
Status: **NOT PRODUCTION READY**
|
||||
|
||||
## About
|
||||
|
||||
This chart creates a monolith deployment, including an optionally enabled PostgreSQL dependency to connect to.
|
||||
|
||||
## Manual database creation
|
||||
|
||||
(You can skip this, if you're deploying the PostgreSQL dependency)
|
||||
|
||||
You'll need to create the following database before starting Dendrite (see [installation](https://matrix-org.github.io/dendrite/installation/database#single-database-creation)):
|
||||
|
||||
```postgres
|
||||
create database dendrite
|
||||
```
|
||||
|
||||
or
|
||||
|
||||
```bash
|
||||
sudo -u postgres createdb -O dendrite -E UTF-8 dendrite
|
||||
```
|
||||
|
||||
## Usage with appservices
|
||||
|
||||
Create a folder `appservices` and place your configurations in there. The configurations will be read and placed in a secret `dendrite-appservices-conf`.
|
||||
|
||||
## Source Code
|
||||
|
||||
* <https://github.com/matrix-org/dendrite>
|
||||
## Requirements
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://charts.bitnami.com/bitnami | postgresql | 14.2.3 |
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| image.repository | string | `"ghcr.io/matrix-org/dendrite-monolith"` | Docker repository/image to use |
|
||||
| image.pullPolicy | string | `"IfNotPresent"` | Kubernetes pullPolicy |
|
||||
| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
|
||||
| signing_key.create | bool | `true` | Create a new signing key, if not exists |
|
||||
| signing_key.existingSecret | string | `""` | Use an existing secret |
|
||||
| resources | object | sets some sane default values | Default resource requests/limits. |
|
||||
| persistence.storageClass | string | `nil` | The storage class to use for volume claims. Used unless specified at the specific component. Defaults to the cluster default storage class. If defined, storageClassName: <storageClass> If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. (gp2 on AWS, standard on GKE, AWS & OpenStack) |
|
||||
| persistence.jetstream.existingClaim | string | `""` | Use an existing volume claim for jetstream |
|
||||
| persistence.jetstream.capacity | string | `"1Gi"` | PVC Storage Request for the jetstream volume |
|
||||
| persistence.jetstream.storageClass | string | `nil` | The storage class to use for volume claims. Defaults to persistence.storageClass If defined, storageClassName: <storageClass> If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. (gp2 on AWS, standard on GKE, AWS & OpenStack) |
|
||||
| persistence.media.existingClaim | string | `""` | Use an existing volume claim for media files |
|
||||
| persistence.media.capacity | string | `"1Gi"` | PVC Storage Request for the media volume |
|
||||
| persistence.media.storageClass | string | `nil` | The storage class to use for volume claims. Defaults to persistence.storageClass If defined, storageClassName: <storageClass> If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. (gp2 on AWS, standard on GKE, AWS & OpenStack) |
|
||||
| persistence.search.existingClaim | string | `""` | Use an existing volume claim for the fulltext search index |
|
||||
| persistence.search.capacity | string | `"1Gi"` | PVC Storage Request for the search volume |
|
||||
| persistence.search.storageClass | string | `nil` | The storage class to use for volume claims. Defaults to persistence.storageClass If defined, storageClassName: <storageClass> If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. (gp2 on AWS, standard on GKE, AWS & OpenStack) |
|
||||
| extraVolumes | list | `[]` | Add additional volumes to the Dendrite Pod |
|
||||
| extraVolumeMounts | list | `[]` | Configure additional mount points volumes in the Dendrite Pod |
|
||||
| strategy.type | string | `"Recreate"` | Strategy to use for rolling updates (e.g. Recreate, RollingUpdate) If you are using ReadWriteOnce volumes, you should probably use Recreate |
|
||||
| strategy.rollingUpdate.maxUnavailable | string | `"25%"` | Maximum number of pods that can be unavailable during the update process |
|
||||
| strategy.rollingUpdate.maxSurge | string | `"25%"` | Maximum number of pods that can be scheduled above the desired number of pods |
|
||||
| dendrite_config.version | int | `2` | |
|
||||
| dendrite_config.global.server_name | string | `""` | **REQUIRED** Servername for this Dendrite deployment. |
|
||||
| dendrite_config.global.private_key | string | `"/etc/dendrite/secrets/signing.key"` | The private key to use. (**NOTE**: This is overriden in Helm) |
|
||||
| dendrite_config.global.well_known_server_name | string | `""` | The server name to delegate server-server communications to, with optional port e.g. localhost:443 |
|
||||
| dendrite_config.global.well_known_client_name | string | `""` | The server name to delegate client-server communications to, with optional port e.g. localhost:443 |
|
||||
| dendrite_config.global.trusted_third_party_id_servers | list | `["matrix.org","vector.im"]` | Lists of domains that the server will trust as identity servers to verify third party identifiers such as phone numbers and email addresses. |
|
||||
| dendrite_config.global.old_private_keys | string | `nil` | The paths and expiry timestamps (as a UNIX timestamp in millisecond precision) to old signing keys that were formerly in use on this domain name. These keys will not be used for federation request or event signing, but will be provided to any other homeserver that asks when trying to verify old events. |
|
||||
| dendrite_config.global.disable_federation | bool | `false` | Disable federation. Dendrite will not be able to make any outbound HTTP requests to other servers and the federation API will not be exposed. |
|
||||
| dendrite_config.global.key_validity_period | string | `"168h0m0s"` | |
|
||||
| dendrite_config.global.database.connection_string | string | `""` | The connection string for connections to Postgres. This will be set automatically if using the Postgres dependency |
|
||||
| dendrite_config.global.database.max_open_conns | int | `90` | Default database maximum open connections |
|
||||
| dendrite_config.global.database.max_idle_conns | int | `5` | Default database maximum idle connections |
|
||||
| dendrite_config.global.database.conn_max_lifetime | int | `-1` | Default database maximum lifetime |
|
||||
| dendrite_config.global.jetstream.storage_path | string | `"/data/jetstream"` | Persistent directory to store JetStream streams in. |
|
||||
| dendrite_config.global.jetstream.addresses | list | `[]` | NATS JetStream server addresses if not using internal NATS. |
|
||||
| dendrite_config.global.jetstream.topic_prefix | string | `"Dendrite"` | The prefix for JetStream streams |
|
||||
| dendrite_config.global.jetstream.in_memory | bool | `false` | Keep all data in memory. (**NOTE**: This is overriden in Helm to `false`) |
|
||||
| dendrite_config.global.jetstream.disable_tls_validation | bool | `true` | Disables TLS validation. This should **NOT** be used in production. |
|
||||
| dendrite_config.global.cache.max_size_estimated | string | `"1gb"` | The estimated maximum size for the global cache in bytes, or in terabytes, gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or 'kb' suffix is specified. Note that this is not a hard limit, nor is it a memory limit for the entire process. A cache that is too small may ultimately provide little or no benefit. |
|
||||
| dendrite_config.global.cache.max_age | string | `"1h"` | The maximum amount of time that a cache entry can live for in memory before it will be evicted and/or refreshed from the database. Lower values result in easier admission of new cache entries but may also increase database load in comparison to higher values, so adjust conservatively. Higher values may make it harder for new items to make it into the cache, e.g. if new rooms suddenly become popular. |
|
||||
| dendrite_config.global.report_stats.enabled | bool | `false` | Configures phone-home statistics reporting. These statistics contain the server name, number of active users and some information on your deployment config. We use this information to understand how Dendrite is being used in the wild. |
|
||||
| dendrite_config.global.report_stats.endpoint | string | `"https://matrix.org/report-usage-stats/push"` | Endpoint to report statistics to. |
|
||||
| dendrite_config.global.presence.enable_inbound | bool | `false` | Controls whether we receive presence events from other servers |
|
||||
| dendrite_config.global.presence.enable_outbound | bool | `false` | Controls whether we send presence events for our local users to other servers. (_May increase CPU/memory usage_) |
|
||||
| dendrite_config.global.server_notices.enabled | bool | `false` | Server notices allows server admins to send messages to all users on the server. |
|
||||
| dendrite_config.global.server_notices.local_part | string | `"_server"` | The local part for the user sending server notices. |
|
||||
| dendrite_config.global.server_notices.display_name | string | `"Server Alerts"` | The display name for the user sending server notices. |
|
||||
| dendrite_config.global.server_notices.avatar_url | string | `""` | The avatar URL (as a mxc:// URL) name for the user sending server notices. |
|
||||
| dendrite_config.global.server_notices.room_name | string | `"Server Alerts"` | |
|
||||
| dendrite_config.global.metrics.enabled | bool | `false` | Whether or not Prometheus metrics are enabled. |
|
||||
| dendrite_config.global.metrics.basic_auth.user | string | `"metrics"` | HTTP basic authentication username |
|
||||
| dendrite_config.global.metrics.basic_auth.password | string | `"metrics"` | HTTP basic authentication password |
|
||||
| dendrite_config.global.dns_cache.enabled | bool | `false` | Whether or not the DNS cache is enabled. |
|
||||
| dendrite_config.global.dns_cache.cache_size | int | `256` | Maximum number of entries to hold in the DNS cache |
|
||||
| dendrite_config.global.dns_cache.cache_lifetime | string | `"10m"` | Duration for how long DNS cache items should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
|
||||
| dendrite_config.global.profiling.enabled | bool | `false` | Enable pprof. You will need to manually create a port forwarding to the deployment to access PPROF, as it will only listen on localhost and the defined port. e.g. `kubectl port-forward deployments/dendrite 65432:65432` |
|
||||
| dendrite_config.global.profiling.port | int | `65432` | pprof port, if enabled |
|
||||
| dendrite_config.mscs | object | `{"mscs":[]}` | Configuration for experimental MSC's. (Valid values are: msc2836) |
|
||||
| dendrite_config.app_service_api.disable_tls_validation | bool | `false` | Disable the validation of TLS certificates of appservices. This is not recommended in production since it may allow appservice traffic to be sent to an insecure endpoint. |
|
||||
| dendrite_config.app_service_api.config_files | list | `[]` | Appservice config files to load on startup. (**NOTE**: This is overriden by Helm, if a folder `./appservices/` exists) |
|
||||
| dendrite_config.client_api.registration_disabled | bool | `true` | Prevents new users from being able to register on this homeserver, except when using the registration shared secret below. |
|
||||
| dendrite_config.client_api.guests_disabled | bool | `true` | |
|
||||
| dendrite_config.client_api.registration_shared_secret | string | `""` | If set, allows registration by anyone who knows the shared secret, regardless of whether registration is otherwise disabled. |
|
||||
| dendrite_config.client_api.enable_registration_captcha | bool | `false` | enable reCAPTCHA registration |
|
||||
| dendrite_config.client_api.recaptcha_public_key | string | `""` | reCAPTCHA public key |
|
||||
| dendrite_config.client_api.recaptcha_private_key | string | `""` | reCAPTCHA private key |
|
||||
| dendrite_config.client_api.recaptcha_bypass_secret | string | `""` | reCAPTCHA bypass secret |
|
||||
| dendrite_config.client_api.recaptcha_siteverify_api | string | `""` | |
|
||||
| dendrite_config.client_api.turn.turn_user_lifetime | string | `"24h"` | Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more) |
|
||||
| dendrite_config.client_api.turn.turn_uris | list | `[]` | |
|
||||
| dendrite_config.client_api.turn.turn_shared_secret | string | `""` | |
|
||||
| dendrite_config.client_api.turn.turn_username | string | `""` | The TURN username |
|
||||
| dendrite_config.client_api.turn.turn_password | string | `""` | The TURN password |
|
||||
| dendrite_config.client_api.rate_limiting.enabled | bool | `true` | Enable rate limiting |
|
||||
| dendrite_config.client_api.rate_limiting.threshold | int | `20` | After how many requests a rate limit should be activated |
|
||||
| dendrite_config.client_api.rate_limiting.cooloff_ms | int | `500` | Cooloff time in milliseconds |
|
||||
| dendrite_config.client_api.rate_limiting.exempt_user_ids | string | `nil` | Users which should be exempt from rate limiting |
|
||||
| dendrite_config.federation_api.send_max_retries | int | `16` | Federation failure threshold. How many consecutive failures that we should tolerate when sending federation requests to a specific server. The backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds, etc. The default value is 16 if not specified, which is circa 18 hours. |
|
||||
| dendrite_config.federation_api.disable_tls_validation | bool | `false` | Disable TLS validation. This should **NOT** be used in production. |
|
||||
| dendrite_config.federation_api.prefer_direct_fetch | bool | `false` | |
|
||||
| dendrite_config.federation_api.disable_http_keepalives | bool | `false` | Prevents Dendrite from keeping HTTP connections open for reuse for future requests. Connections will be closed quicker but we may spend more time on TLS handshakes instead. |
|
||||
| dendrite_config.federation_api.key_perspectives | list | See value.yaml | Perspective keyservers, to use as a backup when direct key fetch requests don't succeed. |
|
||||
| dendrite_config.media_api.base_path | string | `"/data/media_store"` | The path to store media files (e.g. avatars) in |
|
||||
| dendrite_config.media_api.max_file_size_bytes | int | `10485760` | The max file size for uploaded media files |
|
||||
| dendrite_config.media_api.dynamic_thumbnails | bool | `false` | |
|
||||
| dendrite_config.media_api.max_thumbnail_generators | int | `10` | The maximum number of simultaneous thumbnail generators to run. |
|
||||
| dendrite_config.media_api.thumbnail_sizes | list | See value.yaml | A list of thumbnail sizes to be generated for media content. |
|
||||
| dendrite_config.sync_api.real_ip_header | string | `"X-Real-IP"` | This option controls which HTTP header to inspect to find the real remote IP address of the client. This is likely required if Dendrite is running behind a reverse proxy server. |
|
||||
| dendrite_config.sync_api.search | object | `{"enabled":true,"index_path":"/data/search","language":"en"}` | Configuration for the full-text search engine. |
|
||||
| dendrite_config.sync_api.search.enabled | bool | `true` | Whether fulltext search is enabled. |
|
||||
| dendrite_config.sync_api.search.index_path | string | `"/data/search"` | The path to store the search index in. |
|
||||
| dendrite_config.sync_api.search.language | string | `"en"` | The language most likely to be used on the server - used when indexing, to ensure the returned results match expectations. A full list of possible languages can be found [here](https://github.com/matrix-org/dendrite/blob/76db8e90defdfb9e61f6caea8a312c5d60bcc005/internal/fulltext/bleve.go#L25-L46) |
|
||||
| dendrite_config.user_api.bcrypt_cost | int | `10` | bcrypt cost to use when hashing passwords. (ranges from 4-31; 4 being least secure, 31 being most secure; _NOTE: Using a too high value can cause clients to timeout and uses more CPU._) |
|
||||
| dendrite_config.user_api.openid_token_lifetime_ms | int | `3600000` | OpenID Token lifetime in milliseconds. |
|
||||
| dendrite_config.user_api.push_gateway_disable_tls_validation | bool | `false` | |
|
||||
| dendrite_config.user_api.auto_join_rooms | list | `[]` | Rooms to join users to after registration |
|
||||
| dendrite_config.logging | list | `[{"level":"info","type":"std"}]` | Default logging configuration |
|
||||
| postgresql.enabled | bool | See value.yaml | Enable and configure postgres as the database for dendrite. |
|
||||
| postgresql.image.repository | string | `"bitnami/postgresql"` | |
|
||||
| postgresql.image.tag | string | `"16.2.0"` | |
|
||||
| postgresql.auth.username | string | `"dendrite"` | |
|
||||
| postgresql.auth.password | string | `"changeme"` | |
|
||||
| postgresql.auth.database | string | `"dendrite"` | |
|
||||
| postgresql.persistence.enabled | bool | `false` | |
|
||||
| ingress.enabled | bool | `false` | Create an ingress for the deployment |
|
||||
| ingress.className | string | `""` | The ingressClass to use. Will be converted to annotation if not yet supported. |
|
||||
| ingress.annotations | object | `{}` | Extra, custom annotations |
|
||||
| ingress.hostName | string | `""` | The ingress hostname for your matrix server. Should align with the server_name and well_known_* hosts. If not set, generated from the dendrite_config values. |
|
||||
| ingress.tls | list | `[]` | TLS configuration. Should contain information for the server_name and well-known hosts. Alternatively, set tls.generate=true to generate defaults based on the dendrite_config. |
|
||||
| service.type | string | `"ClusterIP"` | |
|
||||
| service.port | int | `8008` | |
|
||||
| prometheus.servicemonitor.enabled | bool | `false` | Enable ServiceMonitor for Prometheus-Operator for scrape metric-endpoint |
|
||||
| prometheus.servicemonitor.labels | object | `{}` | Extra Labels on ServiceMonitor for selector of Prometheus Instance |
|
||||
| prometheus.rules.enabled | bool | `false` | Enable PrometheusRules for Prometheus-Operator for setup alerting |
|
||||
| prometheus.rules.labels | object | `{}` | Extra Labels on PrometheusRules for selector of Prometheus Instance |
|
||||
| prometheus.rules.additionalRules | list | `[]` | additional alertrules (no default alertrules are provided) |
|
||||
| grafana.dashboards.enabled | bool | `false` | |
|
||||
| grafana.dashboards.labels | object | `{"grafana_dashboard":"1"}` | Extra Labels on ConfigMap for selector of grafana sidecar |
|
||||
| grafana.dashboards.annotations | object | `{}` | Extra Annotations on ConfigMap additional config in grafana sidecar |
|
||||
|
||||
## Monitoring
|
||||
|
||||

|
||||
|
||||
* Works well with [Prometheus Operator](https://prometheus-operator.dev/) ([Helmchart](https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack)) and their setup of [Grafana](https://grafana.com/grafana/), by enabling the following values:
|
||||
```yaml
|
||||
dendrite_config:
|
||||
global:
|
||||
metrics:
|
||||
enabled: true
|
||||
|
||||
prometheus:
|
||||
servicemonitor:
|
||||
enabled: true
|
||||
labels:
|
||||
release: "kube-prometheus-stack"
|
||||
rules:
|
||||
enabled: true # will deploy alert rules
|
||||
labels:
|
||||
release: "kube-prometheus-stack"
|
||||
grafana:
|
||||
dashboards:
|
||||
enabled: true # will deploy default dashboards
|
||||
```
|
||||
PS: The label `release=kube-prometheus-stack` is setup with the helmchart of the Prometheus Operator. For Grafana Dashboards it may be necessary to enable scanning in the correct namespaces (or ALL), enabled by `sidecar.dashboards.searchNamespace` in [Helmchart of grafana](https://artifacthub.io/packages/helm/grafana/grafana) (which is part of PrometheusOperator, so `grafana.sidecar.dashboards.searchNamespace`)
|
||||
|
||||
----------------------------------------------
|
||||
Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
|
14
matrix/dendrite/README.md.gotmpl
Normal file
14
matrix/dendrite/README.md.gotmpl
Normal file
@ -0,0 +1,14 @@
|
||||
{{ template "chart.header" . }}
|
||||
{{ template "chart.deprecationWarning" . }}
|
||||
{{ template "chart.badgesSection" . }}
|
||||
{{ template "chart.description" . }}
|
||||
{{ template "chart.state" . }}
|
||||
{{ template "chart.about" . }}
|
||||
{{ template "chart.dbCreation" . }}
|
||||
{{ template "chart.appservices" . }}
|
||||
{{ template "chart.maintainersSection" . }}
|
||||
{{ template "chart.sourcesSection" . }}
|
||||
{{ template "chart.requirementsSection" . }}
|
||||
{{ template "chart.valuesSection" . }}
|
||||
{{ template "chart.monitoringSection" . }}
|
||||
{{ template "helm-docs.versionFooter" . }}
|
23
matrix/dendrite/charts/postgresql/.helmignore
Normal file
23
matrix/dendrite/charts/postgresql/.helmignore
Normal file
@ -0,0 +1,23 @@
|
||||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
# img folder
|
||||
img/
|
6
matrix/dendrite/charts/postgresql/Chart.lock
Normal file
6
matrix/dendrite/charts/postgresql/Chart.lock
Normal file
@ -0,0 +1,6 @@
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.16.1
|
||||
digest: sha256:f808a6fdc9c374d158ad7ff2f2c53a6c409e41da778d768b232dd20f86ef8b47
|
||||
generated: "2024-02-21T14:25:43.74084307Z"
|
37
matrix/dendrite/charts/postgresql/Chart.yaml
Normal file
37
matrix/dendrite/charts/postgresql/Chart.yaml
Normal file
@ -0,0 +1,37 @@
|
||||
annotations:
|
||||
category: Database
|
||||
images: |
|
||||
- name: os-shell
|
||||
image: docker.io/bitnami/os-shell:12-debian-12-r16
|
||||
- name: postgres-exporter
|
||||
image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r13
|
||||
- name: postgresql
|
||||
image: docker.io/bitnami/postgresql:16.2.0-debian-12-r5
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 16.2.0
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
tags:
|
||||
- bitnami-common
|
||||
version: 2.x.x
|
||||
description: PostgreSQL (Postgres) is an open source object-relational database known
|
||||
for reliability and data integrity. ACID-compliant, it supports foreign keys, joins,
|
||||
views, triggers and stored procedures.
|
||||
home: https://bitnami.com
|
||||
icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png
|
||||
keywords:
|
||||
- postgresql
|
||||
- postgres
|
||||
- database
|
||||
- sql
|
||||
- replication
|
||||
- cluster
|
||||
maintainers:
|
||||
- name: VMware, Inc.
|
||||
url: https://github.com/bitnami/charts
|
||||
name: postgresql
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql
|
||||
version: 14.2.3
|
1007
matrix/dendrite/charts/postgresql/README.md
Normal file
1007
matrix/dendrite/charts/postgresql/README.md
Normal file
File diff suppressed because it is too large
Load Diff
24
matrix/dendrite/charts/postgresql/charts/common/.helmignore
Normal file
24
matrix/dendrite/charts/postgresql/charts/common/.helmignore
Normal file
@ -0,0 +1,24 @@
|
||||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
||||
# img folder
|
||||
img/
|
23
matrix/dendrite/charts/postgresql/charts/common/Chart.yaml
Normal file
23
matrix/dendrite/charts/postgresql/charts/common/Chart.yaml
Normal file
@ -0,0 +1,23 @@
|
||||
annotations:
|
||||
category: Infrastructure
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 2.16.1
|
||||
description: A Library Helm Chart for grouping common logic between bitnami charts.
|
||||
This chart is not deployable by itself.
|
||||
home: https://bitnami.com
|
||||
icon: https://bitnami.com/downloads/logos/bitnami-mark.png
|
||||
keywords:
|
||||
- common
|
||||
- helper
|
||||
- template
|
||||
- function
|
||||
- bitnami
|
||||
maintainers:
|
||||
- name: VMware, Inc.
|
||||
url: https://github.com/bitnami/charts
|
||||
name: common
|
||||
sources:
|
||||
- https://github.com/bitnami/charts
|
||||
type: library
|
||||
version: 2.16.1
|
235
matrix/dendrite/charts/postgresql/charts/common/README.md
Normal file
235
matrix/dendrite/charts/postgresql/charts/common/README.md
Normal file
@ -0,0 +1,235 @@
|
||||
# Bitnami Common Library Chart
|
||||
|
||||
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts.
|
||||
|
||||
## TL;DR
|
||||
|
||||
```yaml
|
||||
dependencies:
|
||||
- name: common
|
||||
version: 2.x.x
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
```
|
||||
|
||||
```console
|
||||
helm dependency update
|
||||
```
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
data:
|
||||
myvalue: "Hello World"
|
||||
```
|
||||
|
||||
Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
|
||||
|
||||
## Introduction
|
||||
|
||||
This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
|
||||
|
||||
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Kubernetes 1.23+
|
||||
- Helm 3.8.0+
|
||||
|
||||
## Parameters
|
||||
|
||||
## Special input schemas
|
||||
|
||||
### ImageRoot
|
||||
|
||||
```yaml
|
||||
registry:
|
||||
type: string
|
||||
description: Docker registry where the image is located
|
||||
example: docker.io
|
||||
|
||||
repository:
|
||||
type: string
|
||||
description: Repository and image name
|
||||
example: bitnami/nginx
|
||||
|
||||
tag:
|
||||
type: string
|
||||
description: image tag
|
||||
example: 1.16.1-debian-10-r63
|
||||
|
||||
pullPolicy:
|
||||
type: string
|
||||
description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
||||
|
||||
pullSecrets:
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
description: Optionally specify an array of imagePullSecrets (evaluated as templates).
|
||||
|
||||
debug:
|
||||
type: boolean
|
||||
description: Set to true if you would like to see extra information on logs
|
||||
example: false
|
||||
|
||||
## An instance would be:
|
||||
# registry: docker.io
|
||||
# repository: bitnami/nginx
|
||||
# tag: 1.16.1-debian-10-r63
|
||||
# pullPolicy: IfNotPresent
|
||||
# debug: false
|
||||
```
|
||||
|
||||
### Persistence
|
||||
|
||||
```yaml
|
||||
enabled:
|
||||
type: boolean
|
||||
description: Whether enable persistence.
|
||||
example: true
|
||||
|
||||
storageClass:
|
||||
type: string
|
||||
description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
|
||||
example: "-"
|
||||
|
||||
accessMode:
|
||||
type: string
|
||||
description: Access mode for the Persistent Volume Storage.
|
||||
example: ReadWriteOnce
|
||||
|
||||
size:
|
||||
type: string
|
||||
description: Size the Persistent Volume Storage.
|
||||
example: 8Gi
|
||||
|
||||
path:
|
||||
type: string
|
||||
description: Path to be persisted.
|
||||
example: /bitnami
|
||||
|
||||
## An instance would be:
|
||||
# enabled: true
|
||||
# storageClass: "-"
|
||||
# accessMode: ReadWriteOnce
|
||||
# size: 8Gi
|
||||
# path: /bitnami
|
||||
```
|
||||
|
||||
### ExistingSecret
|
||||
|
||||
```yaml
|
||||
name:
|
||||
type: string
|
||||
description: Name of the existing secret.
|
||||
example: mySecret
|
||||
keyMapping:
|
||||
description: Mapping between the expected key name and the name of the key in the existing secret.
|
||||
type: object
|
||||
|
||||
## An instance would be:
|
||||
# name: mySecret
|
||||
# keyMapping:
|
||||
# password: myPasswordKey
|
||||
```
|
||||
|
||||
#### Example of use
|
||||
|
||||
When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets.
|
||||
|
||||
```yaml
|
||||
# templates/secret.yaml
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "common.names.fullname" . }}
|
||||
type: Opaque
|
||||
data:
|
||||
password: {{ .Values.password | b64enc | quote }}
|
||||
|
||||
# templates/dpl.yaml
|
||||
---
|
||||
...
|
||||
env:
|
||||
- name: PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
|
||||
...
|
||||
|
||||
# values.yaml
|
||||
---
|
||||
name: mySecret
|
||||
keyMapping:
|
||||
password: myPasswordKey
|
||||
```
|
||||
|
||||
### ValidateValue
|
||||
|
||||
#### NOTES.txt
|
||||
|
||||
```console
|
||||
{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}}
|
||||
{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}}
|
||||
|
||||
{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
|
||||
```
|
||||
|
||||
If we force those values to be empty we will see some alerts
|
||||
|
||||
```console
|
||||
helm install test mychart --set path.to.value00="",path.to.value01=""
|
||||
'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:
|
||||
|
||||
export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d)
|
||||
|
||||
'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value:
|
||||
|
||||
export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d)
|
||||
```
|
||||
|
||||
## Upgrading
|
||||
|
||||
### To 1.0.0
|
||||
|
||||
[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
|
||||
|
||||
#### What changes were introduced in this major version?
|
||||
|
||||
- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
|
||||
- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information.
|
||||
- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
|
||||
|
||||
#### Considerations when upgrading to this version
|
||||
|
||||
- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
|
||||
- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
|
||||
- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
|
||||
|
||||
#### Useful links
|
||||
|
||||
- <https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/>
|
||||
- <https://helm.sh/docs/topics/v2_v3_migration/>
|
||||
- <https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/>
|
||||
|
||||
## License
|
||||
|
||||
Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
<http://www.apache.org/licenses/LICENSE-2.0>
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
@ -0,0 +1,139 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
|
||||
{{/*
|
||||
Return a soft nodeAffinity definition
|
||||
{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
|
||||
*/}}
|
||||
{{- define "common.affinities.nodes.soft" -}}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- preference:
|
||||
matchExpressions:
|
||||
- key: {{ .key }}
|
||||
operator: In
|
||||
values:
|
||||
{{- range .values }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
weight: 1
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return a hard nodeAffinity definition
|
||||
{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
|
||||
*/}}
|
||||
{{- define "common.affinities.nodes.hard" -}}
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: {{ .key }}
|
||||
operator: In
|
||||
values:
|
||||
{{- range .values }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return a nodeAffinity definition
|
||||
{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
|
||||
*/}}
|
||||
{{- define "common.affinities.nodes" -}}
|
||||
{{- if eq .type "soft" }}
|
||||
{{- include "common.affinities.nodes.soft" . -}}
|
||||
{{- else if eq .type "hard" }}
|
||||
{{- include "common.affinities.nodes.hard" . -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return a topologyKey definition
|
||||
{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}}
|
||||
*/}}
|
||||
{{- define "common.affinities.topologyKey" -}}
|
||||
{{ .topologyKey | default "kubernetes.io/hostname" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return a soft podAffinity/podAntiAffinity definition
|
||||
{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
|
||||
*/}}
|
||||
{{- define "common.affinities.pods.soft" -}}
|
||||
{{- $component := default "" .component -}}
|
||||
{{- $customLabels := default (dict) .customLabels -}}
|
||||
{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
|
||||
{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }}
|
||||
{{- if not (empty $component) }}
|
||||
{{ printf "app.kubernetes.io/component: %s" $component }}
|
||||
{{- end }}
|
||||
{{- range $key, $value := $extraMatchLabels }}
|
||||
{{ $key }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
|
||||
weight: 1
|
||||
{{- range $extraPodAffinityTerms }}
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }}
|
||||
{{- if not (empty $component) }}
|
||||
{{ printf "app.kubernetes.io/component: %s" $component }}
|
||||
{{- end }}
|
||||
{{- range $key, $value := .extraMatchLabels }}
|
||||
{{ $key }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
|
||||
weight: {{ .weight | default 1 -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return a hard podAffinity/podAntiAffinity definition
|
||||
{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
|
||||
*/}}
|
||||
{{- define "common.affinities.pods.hard" -}}
|
||||
{{- $component := default "" .component -}}
|
||||
{{- $customLabels := default (dict) .customLabels -}}
|
||||
{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
|
||||
{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
- labelSelector:
|
||||
matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }}
|
||||
{{- if not (empty $component) }}
|
||||
{{ printf "app.kubernetes.io/component: %s" $component }}
|
||||
{{- end }}
|
||||
{{- range $key, $value := $extraMatchLabels }}
|
||||
{{ $key }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
|
||||
{{- range $extraPodAffinityTerms }}
|
||||
- labelSelector:
|
||||
matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }}
|
||||
{{- if not (empty $component) }}
|
||||
{{ printf "app.kubernetes.io/component: %s" $component }}
|
||||
{{- end }}
|
||||
{{- range $key, $value := .extraMatchLabels }}
|
||||
{{ $key }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return a podAffinity/podAntiAffinity definition
|
||||
{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
|
||||
*/}}
|
||||
{{- define "common.affinities.pods" -}}
|
||||
{{- if eq .type "soft" }}
|
||||
{{- include "common.affinities.pods.soft" . -}}
|
||||
{{- else if eq .type "hard" }}
|
||||
{{- include "common.affinities.pods.hard" . -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,229 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
|
||||
{{/*
|
||||
Return the target Kubernetes version
|
||||
*/}}
|
||||
{{- define "common.capabilities.kubeVersion" -}}
|
||||
{{- if .Values.global }}
|
||||
{{- if .Values.global.kubeVersion }}
|
||||
{{- .Values.global.kubeVersion -}}
|
||||
{{- else }}
|
||||
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
|
||||
{{- end -}}
|
||||
{{- else }}
|
||||
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for poddisruptionbudget.
|
||||
*/}}
|
||||
{{- define "common.capabilities.policy.apiVersion" -}}
|
||||
{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "policy/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "policy/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for networkpolicy.
|
||||
*/}}
|
||||
{{- define "common.capabilities.networkPolicy.apiVersion" -}}
|
||||
{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "extensions/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "networking.k8s.io/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for cronjob.
|
||||
*/}}
|
||||
{{- define "common.capabilities.cronjob.apiVersion" -}}
|
||||
{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "batch/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "batch/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for daemonset.
|
||||
*/}}
|
||||
{{- define "common.capabilities.daemonset.apiVersion" -}}
|
||||
{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "extensions/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "apps/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for deployment.
|
||||
*/}}
|
||||
{{- define "common.capabilities.deployment.apiVersion" -}}
|
||||
{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "extensions/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "apps/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for statefulset.
|
||||
*/}}
|
||||
{{- define "common.capabilities.statefulset.apiVersion" -}}
|
||||
{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "apps/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "apps/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for ingress.
|
||||
*/}}
|
||||
{{- define "common.capabilities.ingress.apiVersion" -}}
|
||||
{{- if .Values.ingress -}}
|
||||
{{- if .Values.ingress.apiVersion -}}
|
||||
{{- .Values.ingress.apiVersion -}}
|
||||
{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "extensions/v1beta1" -}}
|
||||
{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "networking.k8s.io/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "networking.k8s.io/v1" -}}
|
||||
{{- end }}
|
||||
{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "extensions/v1beta1" -}}
|
||||
{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "networking.k8s.io/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "networking.k8s.io/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for RBAC resources.
|
||||
*/}}
|
||||
{{- define "common.capabilities.rbac.apiVersion" -}}
|
||||
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "rbac.authorization.k8s.io/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "rbac.authorization.k8s.io/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for CRDs.
|
||||
*/}}
|
||||
{{- define "common.capabilities.crd.apiVersion" -}}
|
||||
{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "apiextensions.k8s.io/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "apiextensions.k8s.io/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for APIService.
|
||||
*/}}
|
||||
{{- define "common.capabilities.apiService.apiVersion" -}}
|
||||
{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "apiregistration.k8s.io/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "apiregistration.k8s.io/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for Horizontal Pod Autoscaler.
|
||||
*/}}
|
||||
{{- define "common.capabilities.hpa.apiVersion" -}}
|
||||
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
|
||||
{{- if .beta2 -}}
|
||||
{{- print "autoscaling/v2beta2" -}}
|
||||
{{- else -}}
|
||||
{{- print "autoscaling/v2beta1" -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- print "autoscaling/v2" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for Vertical Pod Autoscaler.
|
||||
*/}}
|
||||
{{- define "common.capabilities.vpa.apiVersion" -}}
|
||||
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
|
||||
{{- if .beta2 -}}
|
||||
{{- print "autoscaling/v2beta2" -}}
|
||||
{{- else -}}
|
||||
{{- print "autoscaling/v2beta1" -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- print "autoscaling/v2" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Returns true if PodSecurityPolicy is supported
|
||||
*/}}
|
||||
{{- define "common.capabilities.psp.supported" -}}
|
||||
{{- if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Returns true if AdmissionConfiguration is supported
|
||||
*/}}
|
||||
{{- define "common.capabilities.admissionConfiguration.supported" -}}
|
||||
{{- if semverCompare ">=1.23-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for AdmissionConfiguration.
|
||||
*/}}
|
||||
{{- define "common.capabilities.admissionConfiguration.apiVersion" -}}
|
||||
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "apiserver.config.k8s.io/v1alpha1" -}}
|
||||
{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "apiserver.config.k8s.io/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "apiserver.config.k8s.io/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for PodSecurityConfiguration.
|
||||
*/}}
|
||||
{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}}
|
||||
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}}
|
||||
{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "pod-security.admission.config.k8s.io/v1beta1" -}}
|
||||
{{- else -}}
|
||||
{{- print "pod-security.admission.config.k8s.io/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Returns true if the used Helm version is 3.3+.
|
||||
A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure.
|
||||
This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error.
|
||||
**To be removed when the catalog's minimun Helm version is 3.3**
|
||||
*/}}
|
||||
{{- define "common.capabilities.supportsHelmVersion" -}}
|
||||
{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,28 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Through error when upgrading using empty passwords values that must not be empty.
|
||||
|
||||
Usage:
|
||||
{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
|
||||
{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
|
||||
{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
|
||||
|
||||
Required password params:
|
||||
- validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
|
||||
- context - Context - Required. Parent context.
|
||||
*/}}
|
||||
{{- define "common.errors.upgrade.passwords.empty" -}}
|
||||
{{- $validationErrors := join "" .validationErrors -}}
|
||||
{{- if and $validationErrors .context.Release.IsUpgrade -}}
|
||||
{{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
|
||||
{{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
|
||||
{{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
|
||||
{{- $errorString = print $errorString "\n%s" -}}
|
||||
{{- printf $errorString $validationErrors | fail -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,117 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Return the proper image name
|
||||
{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }}
|
||||
*/}}
|
||||
{{- define "common.images.image" -}}
|
||||
{{- $registryName := .imageRoot.registry -}}
|
||||
{{- $repositoryName := .imageRoot.repository -}}
|
||||
{{- $separator := ":" -}}
|
||||
{{- $termination := .imageRoot.tag | toString -}}
|
||||
{{- if .global }}
|
||||
{{- if .global.imageRegistry }}
|
||||
{{- $registryName = .global.imageRegistry -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- if .imageRoot.digest }}
|
||||
{{- $separator = "@" -}}
|
||||
{{- $termination = .imageRoot.digest | toString -}}
|
||||
{{- end -}}
|
||||
{{- if $registryName }}
|
||||
{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s%s%s" $repositoryName $separator $termination -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead)
|
||||
{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
|
||||
*/}}
|
||||
{{- define "common.images.pullSecrets" -}}
|
||||
{{- $pullSecrets := list }}
|
||||
|
||||
{{- if .global }}
|
||||
{{- range .global.imagePullSecrets -}}
|
||||
{{- if kindIs "map" . -}}
|
||||
{{- $pullSecrets = append $pullSecrets .name -}}
|
||||
{{- else -}}
|
||||
{{- $pullSecrets = append $pullSecrets . -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- range .images -}}
|
||||
{{- range .pullSecrets -}}
|
||||
{{- if kindIs "map" . -}}
|
||||
{{- $pullSecrets = append $pullSecrets .name -}}
|
||||
{{- else -}}
|
||||
{{- $pullSecrets = append $pullSecrets . -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if (not (empty $pullSecrets)) }}
|
||||
imagePullSecrets:
|
||||
{{- range $pullSecrets | uniq }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper Docker Image Registry Secret Names evaluating values as templates
|
||||
{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.images.renderPullSecrets" -}}
|
||||
{{- $pullSecrets := list }}
|
||||
{{- $context := .context }}
|
||||
|
||||
{{- if $context.Values.global }}
|
||||
{{- range $context.Values.global.imagePullSecrets -}}
|
||||
{{- if kindIs "map" . -}}
|
||||
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}}
|
||||
{{- else -}}
|
||||
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- range .images -}}
|
||||
{{- range .pullSecrets -}}
|
||||
{{- if kindIs "map" . -}}
|
||||
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}}
|
||||
{{- else -}}
|
||||
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if (not (empty $pullSecrets)) }}
|
||||
imagePullSecrets:
|
||||
{{- range $pullSecrets | uniq }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion)
|
||||
{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }}
|
||||
*/}}
|
||||
{{- define "common.images.version" -}}
|
||||
{{- $imageTag := .imageRoot.tag | toString -}}
|
||||
{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}}
|
||||
{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}}
|
||||
{{- $version := semver $imageTag -}}
|
||||
{{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}}
|
||||
{{- else -}}
|
||||
{{- print .chart.AppVersion -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
@ -0,0 +1,73 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
|
||||
{{/*
|
||||
Generate backend entry that is compatible with all Kubernetes API versions.
|
||||
|
||||
Usage:
|
||||
{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}
|
||||
|
||||
Params:
|
||||
- serviceName - String. Name of an existing service backend
|
||||
- servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer.
|
||||
- context - Dict - Required. The context for the template evaluation.
|
||||
*/}}
|
||||
{{- define "common.ingress.backend" -}}
|
||||
{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
|
||||
{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
|
||||
serviceName: {{ .serviceName }}
|
||||
servicePort: {{ .servicePort }}
|
||||
{{- else -}}
|
||||
service:
|
||||
name: {{ .serviceName }}
|
||||
port:
|
||||
{{- if typeIs "string" .servicePort }}
|
||||
name: {{ .servicePort }}
|
||||
{{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }}
|
||||
number: {{ .servicePort | int }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Print "true" if the API pathType field is supported
|
||||
Usage:
|
||||
{{ include "common.ingress.supportsPathType" . }}
|
||||
*/}}
|
||||
{{- define "common.ingress.supportsPathType" -}}
|
||||
{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}}
|
||||
{{- print "false" -}}
|
||||
{{- else -}}
|
||||
{{- print "true" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Returns true if the ingressClassname field is supported
|
||||
Usage:
|
||||
{{ include "common.ingress.supportsIngressClassname" . }}
|
||||
*/}}
|
||||
{{- define "common.ingress.supportsIngressClassname" -}}
|
||||
{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}}
|
||||
{{- print "false" -}}
|
||||
{{- else -}}
|
||||
{{- print "true" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if cert-manager required annotations for TLS signed
|
||||
certificates are set in the Ingress annotations
|
||||
Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
|
||||
Usage:
|
||||
{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }}
|
||||
*/}}
|
||||
{{- define "common.ingress.certManagerRequest" -}}
|
||||
{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,46 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
|
||||
{{/*
|
||||
Kubernetes standard labels
|
||||
{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}}
|
||||
*/}}
|
||||
{{- define "common.labels.standard" -}}
|
||||
{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
|
||||
{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}}
|
||||
{{- with .context.Chart.AppVersion -}}
|
||||
{{- $_ := set $default "app.kubernetes.io/version" . -}}
|
||||
{{- end -}}
|
||||
{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }}
|
||||
{{- else -}}
|
||||
app.kubernetes.io/name: {{ include "common.names.name" . }}
|
||||
helm.sh/chart: {{ include "common.names.chart" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- with .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ . | quote }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector
|
||||
{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}}
|
||||
|
||||
We don't want to loop over custom labels appending them to the selector
|
||||
since it's very likely that it will break deployments, services, etc.
|
||||
However, it's important to overwrite the standard labels if the user
|
||||
overwrote them on metadata.labels fields.
|
||||
*/}}
|
||||
{{- define "common.labels.matchLabels" -}}
|
||||
{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
|
||||
{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }}
|
||||
{{- else -}}
|
||||
app.kubernetes.io/name: {{ include "common.names.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,71 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "common.names.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "common.names.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "common.names.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified dependency name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
Usage:
|
||||
{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.names.dependency.fullname" -}}
|
||||
{{- if .chartValues.fullnameOverride -}}
|
||||
{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .chartName .chartValues.nameOverride -}}
|
||||
{{- if contains $name .context.Release.Name -}}
|
||||
{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
|
||||
*/}}
|
||||
{{- define "common.names.namespace" -}}
|
||||
{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a fully qualified app name adding the installation's namespace.
|
||||
*/}}
|
||||
{{- define "common.names.fullname.namespace" -}}
|
||||
{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
@ -0,0 +1,50 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
|
||||
{{/*
|
||||
Return a resource request/limit object based on a given preset.
|
||||
These presets are for basic testing and not meant to be used in production
|
||||
{{ include "common.resources.preset" (dict "type" "nano") -}}
|
||||
*/}}
|
||||
{{- define "common.resources.preset" -}}
|
||||
{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
|
||||
{{- $presets := dict
|
||||
"nano" (dict
|
||||
"requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"micro" (dict
|
||||
"requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"small" (dict
|
||||
"requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"medium" (dict
|
||||
"requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"large" (dict
|
||||
"requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"xlarge" (dict
|
||||
"requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
"2xlarge" (dict
|
||||
"requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
|
||||
"limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
|
||||
)
|
||||
}}
|
||||
{{- if hasKey $presets .type -}}
|
||||
{{- index $presets .type | toYaml -}}
|
||||
{{- else -}}
|
||||
{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,182 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Generate secret name.
|
||||
|
||||
Usage:
|
||||
{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
|
||||
|
||||
Params:
|
||||
- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
|
||||
to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
|
||||
+info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
|
||||
- defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
|
||||
- context - Dict - Required. The context for the template evaluation.
|
||||
*/}}
|
||||
{{- define "common.secrets.name" -}}
|
||||
{{- $name := (include "common.names.fullname" .context) -}}
|
||||
|
||||
{{- if .defaultNameSuffix -}}
|
||||
{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- with .existingSecret -}}
|
||||
{{- if not (typeIs "string" .) -}}
|
||||
{{- with .name -}}
|
||||
{{- $name = . -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- $name = . -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- printf "%s" $name -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Generate secret key.
|
||||
|
||||
Usage:
|
||||
{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
|
||||
|
||||
Params:
|
||||
- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
|
||||
to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
|
||||
+info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
|
||||
- key - String - Required. Name of the key in the secret.
|
||||
*/}}
|
||||
{{- define "common.secrets.key" -}}
|
||||
{{- $key := .key -}}
|
||||
|
||||
{{- if .existingSecret -}}
|
||||
{{- if not (typeIs "string" .existingSecret) -}}
|
||||
{{- if .existingSecret.keyMapping -}}
|
||||
{{- $key = index .existingSecret.keyMapping $.key -}}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- printf "%s" $key -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Generate secret password or retrieve one if already created.
|
||||
|
||||
Usage:
|
||||
{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }}
|
||||
|
||||
Params:
|
||||
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
|
||||
- key - String - Required - Name of the key in the secret.
|
||||
- providedValues - List<String> - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
|
||||
- length - int - Optional - Length of the generated random password.
|
||||
- strong - Boolean - Optional - Whether to add symbols to the generated random password.
|
||||
- chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
|
||||
- context - Context - Required - Parent context.
|
||||
- failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets.
|
||||
- skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted.
|
||||
- skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret.
|
||||
The order in which this function returns a secret password:
|
||||
1. Already existing 'Secret' resource
|
||||
(If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
|
||||
2. Password provided via the values.yaml
|
||||
(If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
|
||||
3. Randomly generated secret password
|
||||
(A new random secret password with the length specified in the 'length' parameter will be generated and returned)
|
||||
|
||||
*/}}
|
||||
{{- define "common.secrets.passwords.manage" -}}
|
||||
|
||||
{{- $password := "" }}
|
||||
{{- $subchart := "" }}
|
||||
{{- $chartName := default "" .chartName }}
|
||||
{{- $passwordLength := default 10 .length }}
|
||||
{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
|
||||
{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
|
||||
{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
|
||||
{{- if $secretData }}
|
||||
{{- if hasKey $secretData .key }}
|
||||
{{- $password = index $secretData .key | b64dec }}
|
||||
{{- else if not (eq .failOnNew false) }}
|
||||
{{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
|
||||
{{- else if $providedPasswordValue }}
|
||||
{{- $password = $providedPasswordValue | toString }}
|
||||
{{- end -}}
|
||||
{{- else if $providedPasswordValue }}
|
||||
{{- $password = $providedPasswordValue | toString }}
|
||||
{{- else }}
|
||||
|
||||
{{- if .context.Values.enabled }}
|
||||
{{- $subchart = $chartName }}
|
||||
{{- end -}}
|
||||
|
||||
{{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
|
||||
{{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
|
||||
{{- $passwordValidationErrors := list $requiredPasswordError -}}
|
||||
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
|
||||
|
||||
{{- if .strong }}
|
||||
{{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
|
||||
{{- $password = randAscii $passwordLength }}
|
||||
{{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
|
||||
{{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
|
||||
{{- else }}
|
||||
{{- $password = randAlphaNum $passwordLength }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- if not .skipB64enc }}
|
||||
{{- $password = $password | b64enc }}
|
||||
{{- end -}}
|
||||
{{- if .skipQuote -}}
|
||||
{{- printf "%s" $password -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s" $password | quote -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Reuses the value from an existing secret, otherwise sets its value to a default value.
|
||||
|
||||
Usage:
|
||||
{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }}
|
||||
|
||||
Params:
|
||||
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
|
||||
- key - String - Required - Name of the key in the secret.
|
||||
- defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
|
||||
- context - Context - Required - Parent context.
|
||||
|
||||
*/}}
|
||||
{{- define "common.secrets.lookup" -}}
|
||||
{{- $value := "" -}}
|
||||
{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}}
|
||||
{{- if and $secretData (hasKey $secretData .key) -}}
|
||||
{{- $value = index $secretData .key -}}
|
||||
{{- else if .defaultValue -}}
|
||||
{{- $value = .defaultValue | toString | b64enc -}}
|
||||
{{- end -}}
|
||||
{{- if $value -}}
|
||||
{{- printf "%s" $value -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Returns whether a previous generated secret already exists
|
||||
|
||||
Usage:
|
||||
{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }}
|
||||
|
||||
Params:
|
||||
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
|
||||
- context - Context - Required - Parent context.
|
||||
*/}}
|
||||
{{- define "common.secrets.exists" -}}
|
||||
{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }}
|
||||
{{- if $secret }}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,28 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Return the proper Storage Class
|
||||
{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
|
||||
*/}}
|
||||
{{- define "common.storage.class" -}}
|
||||
|
||||
{{- $storageClass := .persistence.storageClass -}}
|
||||
{{- if .global -}}
|
||||
{{- if .global.storageClass -}}
|
||||
{{- $storageClass = .global.storageClass -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if $storageClass -}}
|
||||
{{- if (eq "-" $storageClass) -}}
|
||||
{{- printf "storageClassName: \"\"" -}}
|
||||
{{- else }}
|
||||
{{- printf "storageClassName: %s" $storageClass -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- end -}}
|
@ -0,0 +1,38 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Renders a value that contains template perhaps with scope if the scope is present.
|
||||
Usage:
|
||||
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }}
|
||||
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }}
|
||||
*/}}
|
||||
{{- define "common.tplvalues.render" -}}
|
||||
{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
|
||||
{{- if contains "{{" (toJson .value) }}
|
||||
{{- if .scope }}
|
||||
{{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
|
||||
{{- else }}
|
||||
{{- tpl $value .context }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
{{- $value }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Merge a list of values that contains template after rendering them.
|
||||
Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge
|
||||
Usage:
|
||||
{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }}
|
||||
*/}}
|
||||
{{- define "common.tplvalues.merge" -}}
|
||||
{{- $dst := dict -}}
|
||||
{{- range .values -}}
|
||||
{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}}
|
||||
{{- end -}}
|
||||
{{ $dst | toYaml }}
|
||||
{{- end -}}
|
@ -0,0 +1,77 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Print instructions to get a secret value.
|
||||
Usage:
|
||||
{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.utils.secret.getvalue" -}}
|
||||
{{- $varname := include "common.utils.fieldToEnvVar" . -}}
|
||||
export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d)
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Build env var name given a field
|
||||
Usage:
|
||||
{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }}
|
||||
*/}}
|
||||
{{- define "common.utils.fieldToEnvVar" -}}
|
||||
{{- $fieldNameSplit := splitList "-" .field -}}
|
||||
{{- $upperCaseFieldNameSplit := list -}}
|
||||
|
||||
{{- range $fieldNameSplit -}}
|
||||
{{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{ join "_" $upperCaseFieldNameSplit }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Gets a value from .Values given
|
||||
Usage:
|
||||
{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.utils.getValueFromKey" -}}
|
||||
{{- $splitKey := splitList "." .key -}}
|
||||
{{- $value := "" -}}
|
||||
{{- $latestObj := $.context.Values -}}
|
||||
{{- range $splitKey -}}
|
||||
{{- if not $latestObj -}}
|
||||
{{- printf "please review the entire path of '%s' exists in values" $.key | fail -}}
|
||||
{{- end -}}
|
||||
{{- $value = ( index $latestObj . ) -}}
|
||||
{{- $latestObj = $value -}}
|
||||
{{- end -}}
|
||||
{{- printf "%v" (default "" $value) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Returns first .Values key with a defined value or first of the list if all non-defined
|
||||
Usage:
|
||||
{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.utils.getKeyFromList" -}}
|
||||
{{- $key := first .keys -}}
|
||||
{{- $reverseKeys := reverse .keys }}
|
||||
{{- range $reverseKeys }}
|
||||
{{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }}
|
||||
{{- if $value -}}
|
||||
{{- $key = . }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- printf "%s" $key -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376).
|
||||
Usage:
|
||||
{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.utils.checksumTemplate" -}}
|
||||
{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}}
|
||||
{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }}
|
||||
{{- end -}}
|
@ -0,0 +1,82 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Warning about using rolling tag.
|
||||
Usage:
|
||||
{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
|
||||
*/}}
|
||||
{{- define "common.warnings.rollingTag" -}}
|
||||
|
||||
{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
|
||||
WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
|
||||
+info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Warning about not setting the resource object in all deployments.
|
||||
Usage:
|
||||
{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }}
|
||||
Example:
|
||||
{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }}
|
||||
The list in the example assumes that the following values exist:
|
||||
- csiProvider.provider.resources
|
||||
- server.resources
|
||||
- volumePermissions.resources
|
||||
- resources
|
||||
*/}}
|
||||
{{- define "common.warnings.resources" -}}
|
||||
{{- $values := .context.Values -}}
|
||||
{{- $printMessage := false -}}
|
||||
{{ $affectedSections := list -}}
|
||||
{{- range .sections -}}
|
||||
{{- if eq . "" -}}
|
||||
{{/* Case where the resources section is at the root (one main deployment in the chart) */}}
|
||||
{{- if not (index $values "resources") -}}
|
||||
{{- $affectedSections = append $affectedSections "resources" -}}
|
||||
{{- $printMessage = true -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}}
|
||||
{{- $keys := split "." . -}}
|
||||
{{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}}
|
||||
{{- $section := $values -}}
|
||||
{{- range $keys -}}
|
||||
{{- $section = index $section . -}}
|
||||
{{- end -}}
|
||||
{{- if not (index $section "resources") -}}
|
||||
{{/* If the section has enabled=false or replicaCount=0, do not include it */}}
|
||||
{{- if and (hasKey $section "enabled") -}}
|
||||
{{- if index $section "enabled" -}}
|
||||
{{/* enabled=true */}}
|
||||
{{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
|
||||
{{- $printMessage = true -}}
|
||||
{{- end -}}
|
||||
{{- else if and (hasKey $section "replicaCount") -}}
|
||||
{{/* We need a casting to int because number 0 is not treated as an int by default */}}
|
||||
{{- if (gt (index $section "replicaCount" | int) 0) -}}
|
||||
{{/* replicaCount > 0 */}}
|
||||
{{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
|
||||
{{- $printMessage = true -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{/* Default case, add it to the affected sections */}}
|
||||
{{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
|
||||
{{- $printMessage = true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- if $printMessage }}
|
||||
|
||||
WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs:
|
||||
{{- range $affectedSections }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
+info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,77 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Validate Cassandra required passwords are not empty.
|
||||
|
||||
Usage:
|
||||
{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
|
||||
Params:
|
||||
- secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
|
||||
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.validations.values.cassandra.passwords" -}}
|
||||
{{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
|
||||
{{- $enabled := include "common.cassandra.values.enabled" . -}}
|
||||
{{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
|
||||
{{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
|
||||
|
||||
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
|
||||
{{- $requiredPasswords := list -}}
|
||||
|
||||
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
|
||||
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
|
||||
|
||||
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
|
||||
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for existingSecret.
|
||||
|
||||
Usage:
|
||||
{{ include "common.cassandra.values.existingSecret" (dict "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.cassandra.values.existingSecret" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- .context.Values.cassandra.dbUser.existingSecret | quote -}}
|
||||
{{- else -}}
|
||||
{{- .context.Values.dbUser.existingSecret | quote -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for enabled cassandra.
|
||||
|
||||
Usage:
|
||||
{{ include "common.cassandra.values.enabled" (dict "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.cassandra.values.enabled" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- printf "%v" .context.Values.cassandra.enabled -}}
|
||||
{{- else -}}
|
||||
{{- printf "%v" (not .context.Values.enabled) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for the key dbUser
|
||||
|
||||
Usage:
|
||||
{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.cassandra.values.key.dbUser" -}}
|
||||
{{- if .subchart -}}
|
||||
cassandra.dbUser
|
||||
{{- else -}}
|
||||
dbUser
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,108 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Validate MariaDB required passwords are not empty.
|
||||
|
||||
Usage:
|
||||
{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
|
||||
Params:
|
||||
- secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret"
|
||||
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.validations.values.mariadb.passwords" -}}
|
||||
{{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}}
|
||||
{{- $enabled := include "common.mariadb.values.enabled" . -}}
|
||||
{{- $architecture := include "common.mariadb.values.architecture" . -}}
|
||||
{{- $authPrefix := include "common.mariadb.values.key.auth" . -}}
|
||||
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
|
||||
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
|
||||
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
|
||||
{{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
|
||||
|
||||
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
|
||||
{{- $requiredPasswords := list -}}
|
||||
|
||||
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}}
|
||||
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
|
||||
|
||||
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
|
||||
{{- if not (empty $valueUsername) -}}
|
||||
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}}
|
||||
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if (eq $architecture "replication") -}}
|
||||
{{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}}
|
||||
{{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
|
||||
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for existingSecret.
|
||||
|
||||
Usage:
|
||||
{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.mariadb.values.auth.existingSecret" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- .context.Values.mariadb.auth.existingSecret | quote -}}
|
||||
{{- else -}}
|
||||
{{- .context.Values.auth.existingSecret | quote -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for enabled mariadb.
|
||||
|
||||
Usage:
|
||||
{{ include "common.mariadb.values.enabled" (dict "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.mariadb.values.enabled" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- printf "%v" .context.Values.mariadb.enabled -}}
|
||||
{{- else -}}
|
||||
{{- printf "%v" (not .context.Values.enabled) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for architecture
|
||||
|
||||
Usage:
|
||||
{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.mariadb.values.architecture" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- .context.Values.mariadb.architecture -}}
|
||||
{{- else -}}
|
||||
{{- .context.Values.architecture -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for the key auth
|
||||
|
||||
Usage:
|
||||
{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.mariadb.values.key.auth" -}}
|
||||
{{- if .subchart -}}
|
||||
mariadb.auth
|
||||
{{- else -}}
|
||||
auth
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,113 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Validate MongoDB® required passwords are not empty.
|
||||
|
||||
Usage:
|
||||
{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
|
||||
Params:
|
||||
- secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret"
|
||||
- subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.validations.values.mongodb.passwords" -}}
|
||||
{{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}}
|
||||
{{- $enabled := include "common.mongodb.values.enabled" . -}}
|
||||
{{- $authPrefix := include "common.mongodb.values.key.auth" . -}}
|
||||
{{- $architecture := include "common.mongodb.values.architecture" . -}}
|
||||
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
|
||||
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
|
||||
{{- $valueKeyDatabase := printf "%s.database" $authPrefix -}}
|
||||
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
|
||||
{{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}}
|
||||
{{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}}
|
||||
|
||||
{{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}}
|
||||
|
||||
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}}
|
||||
{{- $requiredPasswords := list -}}
|
||||
|
||||
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}}
|
||||
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
|
||||
|
||||
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
|
||||
{{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }}
|
||||
{{- if and $valueUsername $valueDatabase -}}
|
||||
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}}
|
||||
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if (eq $architecture "replicaset") -}}
|
||||
{{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}}
|
||||
{{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
|
||||
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for existingSecret.
|
||||
|
||||
Usage:
|
||||
{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.mongodb.values.auth.existingSecret" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- .context.Values.mongodb.auth.existingSecret | quote -}}
|
||||
{{- else -}}
|
||||
{{- .context.Values.auth.existingSecret | quote -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for enabled mongodb.
|
||||
|
||||
Usage:
|
||||
{{ include "common.mongodb.values.enabled" (dict "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.mongodb.values.enabled" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- printf "%v" .context.Values.mongodb.enabled -}}
|
||||
{{- else -}}
|
||||
{{- printf "%v" (not .context.Values.enabled) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for the key auth
|
||||
|
||||
Usage:
|
||||
{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.mongodb.values.key.auth" -}}
|
||||
{{- if .subchart -}}
|
||||
mongodb.auth
|
||||
{{- else -}}
|
||||
auth
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for architecture
|
||||
|
||||
Usage:
|
||||
{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.mongodb.values.architecture" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- .context.Values.mongodb.architecture -}}
|
||||
{{- else -}}
|
||||
{{- .context.Values.architecture -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,108 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Validate MySQL required passwords are not empty.
|
||||
|
||||
Usage:
|
||||
{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
|
||||
Params:
|
||||
- secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret"
|
||||
- subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.validations.values.mysql.passwords" -}}
|
||||
{{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}}
|
||||
{{- $enabled := include "common.mysql.values.enabled" . -}}
|
||||
{{- $architecture := include "common.mysql.values.architecture" . -}}
|
||||
{{- $authPrefix := include "common.mysql.values.key.auth" . -}}
|
||||
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
|
||||
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
|
||||
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
|
||||
{{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
|
||||
|
||||
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
|
||||
{{- $requiredPasswords := list -}}
|
||||
|
||||
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}}
|
||||
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
|
||||
|
||||
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
|
||||
{{- if not (empty $valueUsername) -}}
|
||||
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}}
|
||||
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if (eq $architecture "replication") -}}
|
||||
{{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}}
|
||||
{{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
|
||||
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for existingSecret.
|
||||
|
||||
Usage:
|
||||
{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.mysql.values.auth.existingSecret" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- .context.Values.mysql.auth.existingSecret | quote -}}
|
||||
{{- else -}}
|
||||
{{- .context.Values.auth.existingSecret | quote -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for enabled mysql.
|
||||
|
||||
Usage:
|
||||
{{ include "common.mysql.values.enabled" (dict "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.mysql.values.enabled" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- printf "%v" .context.Values.mysql.enabled -}}
|
||||
{{- else -}}
|
||||
{{- printf "%v" (not .context.Values.enabled) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for architecture
|
||||
|
||||
Usage:
|
||||
{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.mysql.values.architecture" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- .context.Values.mysql.architecture -}}
|
||||
{{- else -}}
|
||||
{{- .context.Values.architecture -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for the key auth
|
||||
|
||||
Usage:
|
||||
{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.mysql.values.key.auth" -}}
|
||||
{{- if .subchart -}}
|
||||
mysql.auth
|
||||
{{- else -}}
|
||||
auth
|
||||
{{- end -}}
|
||||
{{- end -}}
|
134
matrix/dendrite/charts/postgresql/charts/common/templates/validations/_postgresql.tpl
Normal file
134
matrix/dendrite/charts/postgresql/charts/common/templates/validations/_postgresql.tpl
Normal file
@ -0,0 +1,134 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Validate PostgreSQL required passwords are not empty.
|
||||
|
||||
Usage:
|
||||
{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
|
||||
Params:
|
||||
- secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret"
|
||||
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.validations.values.postgresql.passwords" -}}
|
||||
{{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
|
||||
{{- $enabled := include "common.postgresql.values.enabled" . -}}
|
||||
{{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
|
||||
{{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
|
||||
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
|
||||
{{- $requiredPasswords := list -}}
|
||||
{{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
|
||||
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
|
||||
|
||||
{{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
|
||||
{{- if (eq $enabledReplication "true") -}}
|
||||
{{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
|
||||
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to decide whether evaluate global values.
|
||||
|
||||
Usage:
|
||||
{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
|
||||
Params:
|
||||
- key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
|
||||
*/}}
|
||||
{{- define "common.postgresql.values.use.global" -}}
|
||||
{{- if .context.Values.global -}}
|
||||
{{- if .context.Values.global.postgresql -}}
|
||||
{{- index .context.Values.global.postgresql .key | quote -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for existingSecret.
|
||||
|
||||
Usage:
|
||||
{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.postgresql.values.existingSecret" -}}
|
||||
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
|
||||
|
||||
{{- if .subchart -}}
|
||||
{{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
|
||||
{{- else -}}
|
||||
{{- default (.context.Values.existingSecret | quote) $globalValue -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for enabled postgresql.
|
||||
|
||||
Usage:
|
||||
{{ include "common.postgresql.values.enabled" (dict "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.postgresql.values.enabled" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- printf "%v" .context.Values.postgresql.enabled -}}
|
||||
{{- else -}}
|
||||
{{- printf "%v" (not .context.Values.enabled) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for the key postgressPassword.
|
||||
|
||||
Usage:
|
||||
{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.postgresql.values.key.postgressPassword" -}}
|
||||
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
|
||||
|
||||
{{- if not $globalValue -}}
|
||||
{{- if .subchart -}}
|
||||
postgresql.postgresqlPassword
|
||||
{{- else -}}
|
||||
postgresqlPassword
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
global.postgresql.postgresqlPassword
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for enabled.replication.
|
||||
|
||||
Usage:
|
||||
{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.postgresql.values.enabled.replication" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- printf "%v" .context.Values.postgresql.replication.enabled -}}
|
||||
{{- else -}}
|
||||
{{- printf "%v" .context.Values.replication.enabled -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for the key replication.password.
|
||||
|
||||
Usage:
|
||||
{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.postgresql.values.key.replicationPassword" -}}
|
||||
{{- if .subchart -}}
|
||||
postgresql.replication.password
|
||||
{{- else -}}
|
||||
replication.password
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,81 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Validate Redis® required passwords are not empty.
|
||||
|
||||
Usage:
|
||||
{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
|
||||
Params:
|
||||
- secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret"
|
||||
- subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.validations.values.redis.passwords" -}}
|
||||
{{- $enabled := include "common.redis.values.enabled" . -}}
|
||||
{{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}}
|
||||
{{- $standarizedVersion := include "common.redis.values.standarized.version" . }}
|
||||
|
||||
{{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }}
|
||||
{{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }}
|
||||
|
||||
{{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }}
|
||||
{{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }}
|
||||
|
||||
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
|
||||
{{- $requiredPasswords := list -}}
|
||||
|
||||
{{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}}
|
||||
{{- if eq $useAuth "true" -}}
|
||||
{{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}}
|
||||
{{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right value for enabled redis.
|
||||
|
||||
Usage:
|
||||
{{ include "common.redis.values.enabled" (dict "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.redis.values.enabled" -}}
|
||||
{{- if .subchart -}}
|
||||
{{- printf "%v" .context.Values.redis.enabled -}}
|
||||
{{- else -}}
|
||||
{{- printf "%v" (not .context.Values.enabled) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Auxiliary function to get the right prefix path for the values
|
||||
|
||||
Usage:
|
||||
{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }}
|
||||
Params:
|
||||
- subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
|
||||
*/}}
|
||||
{{- define "common.redis.values.keys.prefix" -}}
|
||||
{{- if .subchart -}}redis.{{- else -}}{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Checks whether the redis chart's includes the standarizations (version >= 14)
|
||||
|
||||
Usage:
|
||||
{{ include "common.redis.values.standarized.version" (dict "context" $) }}
|
||||
*/}}
|
||||
{{- define "common.redis.values.standarized.version" -}}
|
||||
|
||||
{{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}}
|
||||
{{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }}
|
||||
|
||||
{{- if $standarizedAuthValues -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
51
matrix/dendrite/charts/postgresql/charts/common/templates/validations/_validations.tpl
Normal file
51
matrix/dendrite/charts/postgresql/charts/common/templates/validations/_validations.tpl
Normal file
@ -0,0 +1,51 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Validate values must not be empty.
|
||||
|
||||
Usage:
|
||||
{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
|
||||
{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
|
||||
{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
|
||||
|
||||
Validate value params:
|
||||
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
|
||||
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
|
||||
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
|
||||
*/}}
|
||||
{{- define "common.validations.values.multiple.empty" -}}
|
||||
{{- range .required -}}
|
||||
{{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Validate a value must not be empty.
|
||||
|
||||
Usage:
|
||||
{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }}
|
||||
|
||||
Validate value params:
|
||||
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
|
||||
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
|
||||
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
|
||||
- subchart - String - Optional - Name of the subchart that the validated password is part of.
|
||||
*/}}
|
||||
{{- define "common.validations.values.single.empty" -}}
|
||||
{{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }}
|
||||
{{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }}
|
||||
|
||||
{{- if not $value -}}
|
||||
{{- $varname := "my-value" -}}
|
||||
{{- $getCurrentValue := "" -}}
|
||||
{{- if and .secret .field -}}
|
||||
{{- $varname = include "common.utils.fieldToEnvVar" . -}}
|
||||
{{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}}
|
||||
{{- end -}}
|
||||
{{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,8 @@
|
||||
# Copyright VMware, Inc.
|
||||
# SPDX-License-Identifier: APACHE-2.0
|
||||
|
||||
## bitnami/common
|
||||
## It is required by CI/CD tools and processes.
|
||||
## @skip exampleValue
|
||||
##
|
||||
exampleValue: common-chart
|
116
matrix/dendrite/charts/postgresql/templates/NOTES.txt
Normal file
116
matrix/dendrite/charts/postgresql/templates/NOTES.txt
Normal file
@ -0,0 +1,116 @@
|
||||
CHART NAME: {{ .Chart.Name }}
|
||||
CHART VERSION: {{ .Chart.Version }}
|
||||
APP VERSION: {{ .Chart.AppVersion }}
|
||||
|
||||
** Please be patient while the chart is being deployed **
|
||||
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
|
||||
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}
|
||||
|
||||
Get the list of pods by executing:
|
||||
|
||||
kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
|
||||
|
||||
Access the pod you want to debug by executing
|
||||
|
||||
kubectl exec --namespace {{ .Release.Namespace }} -ti <NAME OF THE POD> -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash
|
||||
|
||||
In order to replicate the container startup scripts execute this command:
|
||||
|
||||
/opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh
|
||||
|
||||
{{- else }}
|
||||
|
||||
{{- $customUser := include "postgresql.v1.username" . }}
|
||||
{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary .Values.auth.postgresPassword .Values.auth.password (eq $customUser "postgres")) "context" $) -}}
|
||||
{{- $authEnabled := and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
|
||||
{{- if not $authEnabled }}
|
||||
|
||||
WARNING: PostgreSQL has been configured without authentication, this is not recommended for production environments.
|
||||
{{- end }}
|
||||
|
||||
PostgreSQL can be accessed via port {{ include "postgresql.v1.service.port" . }} on the following DNS names from within your cluster:
|
||||
|
||||
{{ include "postgresql.v1.primary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection
|
||||
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
|
||||
{{ include "postgresql.v1.readReplica.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read only connection
|
||||
|
||||
{{- end }}
|
||||
|
||||
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
|
||||
To get the password for "postgres" run:
|
||||
|
||||
export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{include "postgresql.v1.adminPasswordKey" .}}}" | base64 -d)
|
||||
{{- end }}
|
||||
|
||||
To get the password for "{{ $customUser }}" run:
|
||||
|
||||
export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{include "postgresql.v1.userPasswordKey" .}}}" | base64 -d)
|
||||
{{- else }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
|
||||
To get the password for "{{ default "postgres" $customUser }}" run:
|
||||
|
||||
export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{ ternary "password" (include "postgresql.v1.adminPasswordKey" .) (and (not (empty $customUser)) (ne $customUser "postgres")) }}}" | base64 -d)
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
To connect to your database run the following command:
|
||||
{{- if $authEnabled }}
|
||||
|
||||
kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.v1.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" \
|
||||
--command -- psql --host {{ include "postgresql.v1.primary.fullname" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
|
||||
{{- else }}
|
||||
|
||||
kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.v1.image" . }} \
|
||||
--command -- psql --host {{ include "postgresql.v1.primary.fullname" . }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
|
||||
{{- end }}
|
||||
|
||||
> NOTE: If you access the container using bash, make sure that you execute "/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash" in order to avoid the error "psql: local user with ID {{ .Values.primary.containerSecurityContext.runAsUser }}} does not exist"
|
||||
|
||||
To connect to your database from outside the cluster execute the following commands:
|
||||
|
||||
{{- if contains "NodePort" .Values.primary.service.type }}
|
||||
|
||||
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
|
||||
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.v1.primary.fullname" . }})
|
||||
{{- if $authEnabled }}
|
||||
PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
|
||||
{{- else }}
|
||||
psql --host $NODE_IP --port $NODE_PORT -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
|
||||
{{- end }}
|
||||
{{- else if contains "LoadBalancer" .Values.primary.service.type }}
|
||||
|
||||
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
|
||||
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "postgresql.v1.primary.fullname" . }}'
|
||||
|
||||
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.primary.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
|
||||
{{- if $authEnabled }}
|
||||
PGPASSWORD="$POSTGRES_PASSWORD" psql --host $SERVICE_IP --port {{ include "postgresql.v1.service.port" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
|
||||
{{- else }}
|
||||
psql --host $SERVICE_IP --port {{ include "postgresql.v1.service.port" . }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
|
||||
{{- end }}
|
||||
{{- else if contains "ClusterIP" .Values.primary.service.type }}
|
||||
|
||||
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "postgresql.v1.primary.fullname" . }} {{ include "postgresql.v1.service.port" . }}:{{ include "postgresql.v1.service.port" . }} &
|
||||
{{- if $authEnabled }}
|
||||
PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
|
||||
{{- else }}
|
||||
psql --host 127.0.0.1 -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
WARNING: The configured password will be ignored on new installation in case when previous PostgreSQL release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue.
|
||||
|
||||
{{- include "postgresql.v1.validateValues" . -}}
|
||||
{{- include "common.warnings.rollingTag" .Values.image -}}
|
||||
{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
|
||||
{{- include "common.warnings.resources" (dict "sections" (list "metrics" "primary" "readReplicas" "volumePermissions") "context" $) }}
|
406
matrix/dendrite/charts/postgresql/templates/_helpers.tpl
Normal file
406
matrix/dendrite/charts/postgresql/templates/_helpers.tpl
Normal file
@ -0,0 +1,406 @@
|
||||
{{/*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name for PostgreSQL Primary objects
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "postgresql.v1.primary.fullname" -}}
|
||||
{{- if eq .Values.architecture "replication" -}}
|
||||
{{- printf "%s-%s" (include "common.names.fullname" .) .Values.primary.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- include "common.names.fullname" . -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name for PostgreSQL read-only replicas objects
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "postgresql.v1.readReplica.fullname" -}}
|
||||
{{- printf "%s-%s" (include "common.names.fullname" .) .Values.readReplicas.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the default FQDN for PostgreSQL primary headless service
|
||||
We truncate at 63 chars because of the DNS naming spec.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.primary.svc.headless" -}}
|
||||
{{- printf "%s-hl" (include "postgresql.v1.primary.fullname" .) | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the default FQDN for PostgreSQL read-only replicas headless service
|
||||
We truncate at 63 chars because of the DNS naming spec.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.readReplica.svc.headless" -}}
|
||||
{{- printf "%s-hl" (include "postgresql.v1.readReplica.fullname" .) | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper PostgreSQL image name
|
||||
*/}}
|
||||
{{- define "postgresql.v1.image" -}}
|
||||
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper PostgreSQL metrics image name
|
||||
*/}}
|
||||
{{- define "postgresql.v1.metrics.image" -}}
|
||||
{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper image name (for the init container volume-permissions image)
|
||||
*/}}
|
||||
{{- define "postgresql.v1.volumePermissions.image" -}}
|
||||
{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper Docker Image Registry Secret Names
|
||||
*/}}
|
||||
{{- define "postgresql.v1.imagePullSecrets" -}}
|
||||
{{ include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "context" $) }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the name for a custom user to create
|
||||
*/}}
|
||||
{{- define "postgresql.v1.username" -}}
|
||||
{{- if .Values.global.postgresql.auth.username -}}
|
||||
{{- .Values.global.postgresql.auth.username -}}
|
||||
{{- else -}}
|
||||
{{- .Values.auth.username -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the name for a custom database to create
|
||||
*/}}
|
||||
{{- define "postgresql.v1.database" -}}
|
||||
{{- if .Values.global.postgresql.auth.database -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.database $) -}}
|
||||
{{- else if .Values.auth.database -}}
|
||||
{{- printf "%s" (tpl .Values.auth.database $) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the password secret.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.secretName" -}}
|
||||
{{- if .Values.global.postgresql.auth.existingSecret -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}}
|
||||
{{- else if .Values.auth.existingSecret -}}
|
||||
{{- printf "%s" (tpl .Values.auth.existingSecret $) -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s" (include "common.names.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the replication-password key.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.replicationPasswordKey" -}}
|
||||
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
|
||||
{{- if .Values.global.postgresql.auth.secretKeys.replicationPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.replicationPasswordKey $) -}}
|
||||
{{- else if .Values.auth.secretKeys.replicationPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.auth.secretKeys.replicationPasswordKey $) -}}
|
||||
{{- else -}}
|
||||
{{- "replication-password" -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- "replication-password" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the admin-password key.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.adminPasswordKey" -}}
|
||||
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
|
||||
{{- if .Values.global.postgresql.auth.secretKeys.adminPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.adminPasswordKey $) -}}
|
||||
{{- else if .Values.auth.secretKeys.adminPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.auth.secretKeys.adminPasswordKey $) -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- "postgres-password" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the user-password key.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.userPasswordKey" -}}
|
||||
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
|
||||
{{- if or (empty (include "postgresql.v1.username" .)) (eq (include "postgresql.v1.username" .) "postgres") -}}
|
||||
{{- printf "%s" (include "postgresql.v1.adminPasswordKey" .) -}}
|
||||
{{- else -}}
|
||||
{{- if .Values.global.postgresql.auth.secretKeys.userPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.userPasswordKey $) -}}
|
||||
{{- else if .Values.auth.secretKeys.userPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.auth.secretKeys.userPasswordKey $) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- "password" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a secret object should be created
|
||||
*/}}
|
||||
{{- define "postgresql.v1.createSecret" -}}
|
||||
{{- $customUser := include "postgresql.v1.username" . -}}
|
||||
{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword .Values.global.postgresql.auth.password .Values.auth.password) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) -}}
|
||||
{{- if and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres")) (eq .Values.architecture "replication") (and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw))) -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return PostgreSQL service port
|
||||
*/}}
|
||||
{{- define "postgresql.v1.service.port" -}}
|
||||
{{- if .Values.global.postgresql.service.ports.postgresql -}}
|
||||
{{- .Values.global.postgresql.service.ports.postgresql -}}
|
||||
{{- else -}}
|
||||
{{- .Values.primary.service.ports.postgresql -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return PostgreSQL service port
|
||||
*/}}
|
||||
{{- define "postgresql.v1.readReplica.service.port" -}}
|
||||
{{- if .Values.global.postgresql.service.ports.postgresql -}}
|
||||
{{- .Values.global.postgresql.service.ports.postgresql -}}
|
||||
{{- else -}}
|
||||
{{- .Values.readReplicas.service.ports.postgresql -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the PostgreSQL primary configuration ConfigMap name.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.primary.configmapName" -}}
|
||||
{{- if .Values.primary.existingConfigmap -}}
|
||||
{{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-configuration" (include "postgresql.v1.primary.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a configmap object should be created for PostgreSQL primary with the configuration
|
||||
*/}}
|
||||
{{- define "postgresql.v1.primary.createConfigmap" -}}
|
||||
{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) -}}
|
||||
{{- true -}}
|
||||
{{- else -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the PostgreSQL primary extended configuration ConfigMap name.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.primary.extendedConfigmapName" -}}
|
||||
{{- if .Values.primary.existingExtendedConfigmap -}}
|
||||
{{- printf "%s" (tpl .Values.primary.existingExtendedConfigmap $) -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-extended-configuration" (include "postgresql.v1.primary.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the PostgreSQL read replica extended configuration ConfigMap name.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.readReplicas.extendedConfigmapName" -}}
|
||||
{{- printf "%s-extended-configuration" (include "postgresql.v1.readReplica.fullname" .) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a configmap object should be created for PostgreSQL primary with the extended configuration
|
||||
*/}}
|
||||
{{- define "postgresql.v1.primary.createExtendedConfigmap" -}}
|
||||
{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) -}}
|
||||
{{- true -}}
|
||||
{{- else -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a configmap object should be created for PostgreSQL read replica with the extended configuration
|
||||
*/}}
|
||||
{{- define "postgresql.v1.readReplicas.createExtendedConfigmap" -}}
|
||||
{{- if .Values.readReplicas.extendedConfiguration -}}
|
||||
{{- true -}}
|
||||
{{- else -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "postgresql.v1.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a configmap should be mounted with PostgreSQL configuration
|
||||
*/}}
|
||||
{{- define "postgresql.v1.mountConfigurationCM" -}}
|
||||
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the initialization scripts ConfigMap name.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.initdb.scriptsCM" -}}
|
||||
{{- if .Values.primary.initdb.scriptsConfigMap -}}
|
||||
{{- printf "%s" (tpl .Values.primary.initdb.scriptsConfigMap $) -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-init-scripts" (include "postgresql.v1.primary.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if TLS is enabled for LDAP connection
|
||||
*/}}
|
||||
{{- define "postgresql.v1.ldap.tls.enabled" -}}
|
||||
{{- if and (kindIs "string" .Values.ldap.tls) (not (empty .Values.ldap.tls)) -}}
|
||||
{{- true -}}
|
||||
{{- else if and (kindIs "map" .Values.ldap.tls) .Values.ldap.tls.enabled -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get the readiness probe command
|
||||
*/}}
|
||||
{{- define "postgresql.v1.readinessProbeCommand" -}}
|
||||
{{- $customUser := include "postgresql.v1.username" . -}}
|
||||
- |
|
||||
{{- if (include "postgresql.v1.database" .) }}
|
||||
exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- else }}
|
||||
exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if .Values.tls.enabled }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- end }}
|
||||
{{- if contains "bitnami/" .Values.image.repository }}
|
||||
[ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Compile all warnings into a single message, and call fail.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.validateValues" -}}
|
||||
{{- $messages := list -}}
|
||||
{{- $messages := append $messages (include "postgresql.v1.validateValues.ldapConfigurationMethod" .) -}}
|
||||
{{- $messages := append $messages (include "postgresql.v1.validateValues.psp" .) -}}
|
||||
{{- $messages := without $messages "" -}}
|
||||
{{- $message := join "\n" $messages -}}
|
||||
|
||||
{{- if $message -}}
|
||||
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap
|
||||
*/}}
|
||||
{{- define "postgresql.v1.validateValues.ldapConfigurationMethod" -}}
|
||||
{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) -}}
|
||||
postgresql: ldap.url, ldap.server
|
||||
You cannot set both `ldap.url` and `ldap.server` at the same time.
|
||||
Please provide a unique way to configure LDAP.
|
||||
More info at https://www.postgresql.org/docs/current/auth-ldap.html
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Validate values of Postgresql - If PSP is enabled RBAC should be enabled too
|
||||
*/}}
|
||||
{{- define "postgresql.v1.validateValues.psp" -}}
|
||||
{{- if and .Values.psp.create (not .Values.rbac.create) -}}
|
||||
postgresql: psp.create, rbac.create
|
||||
RBAC should be enabled if PSP is enabled in order for PSP to work.
|
||||
More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the path to the cert file.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.tlsCert" -}}
|
||||
{{- if .Values.tls.autoGenerated -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}}
|
||||
{{- else -}}
|
||||
{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the path to the cert key file.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.tlsCertKey" -}}
|
||||
{{- if .Values.tls.autoGenerated -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/tls.key" -}}
|
||||
{{- else -}}
|
||||
{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the path to the CA cert file.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.tlsCACert" -}}
|
||||
{{- if .Values.tls.autoGenerated -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}}
|
||||
{{- else -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the path to the CRL file.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.tlsCRL" -}}
|
||||
{{- if .Values.tls.crlFilename -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a TLS credentials secret object should be created
|
||||
*/}}
|
||||
{{- define "postgresql.v1.createTlsSecret" -}}
|
||||
{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the path to the CA cert file.
|
||||
*/}}
|
||||
{{- define "postgresql.v1.tlsSecretName" -}}
|
||||
{{- if .Values.tls.autoGenerated -}}
|
||||
{{- printf "%s-crt" (include "common.names.fullname" .) -}}
|
||||
{{- else -}}
|
||||
{{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
119
matrix/dendrite/charts/postgresql/templates/backup/cronjob.yaml
Normal file
119
matrix/dendrite/charts/postgresql/templates/backup/cronjob.yaml
Normal file
@ -0,0 +1,119 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.backup.enabled }}
|
||||
{{- $customUser := include "postgresql.v1.username" . }}
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: pg_dumpall
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
{{- if $annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
schedule: {{ quote .Values.backup.cronjob.schedule }}
|
||||
{{- if .Values.backup.cronjob.timezone }}
|
||||
timeZone: {{ .Values.backup.cronjob.timezone | quote }}
|
||||
{{- end }}
|
||||
concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }}
|
||||
failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }}
|
||||
successfulJobsHistoryLimit: {{ .Values.backup.cronjob.successfulJobsHistoryLimit }}
|
||||
{{- if .Values.backup.cronjob.startingDeadlineSeconds }}
|
||||
startingDeadlineSeconds: {{ .Values.backup.cronjob.startingDeadlineSeconds }}
|
||||
{{- end }}
|
||||
jobTemplate:
|
||||
spec:
|
||||
{{- if .Values.backup.cronjob.ttlSecondsAfterFinished }}
|
||||
ttlSecondsAfterFinished: {{ .Values.backup.cronjob.ttlSecondsAfterFinished }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 12 }}
|
||||
app.kubernetes.io/component: pg_dumpall
|
||||
{{- if $annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include "postgresql.v1.imagePullSecrets" . | nindent 10 }}
|
||||
{{- if .Values.backup.cronjob.nodeSelector }}
|
||||
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.nodeSelector "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||
image: {{ include "postgresql.v1.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||
env:
|
||||
- name: PGUSER
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
value: postgres
|
||||
{{- else }}
|
||||
value: {{ $customUser | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: PGPASSFILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: PGPASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
- name: PGHOST
|
||||
value: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
- name: PGPORT
|
||||
value: {{ include "postgresql.v1.service.port" . | quote }}
|
||||
- name: PGDUMP_DIR
|
||||
value: {{ .Values.backup.cronjob.storage.mountPath }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: PGSSLROOTCERT
|
||||
{{- if .Values.tls.autoGenerated }}
|
||||
value: /tmp/certs/ca.crt
|
||||
{{- else }}
|
||||
value: {{- printf "/tmp/certs/%s" .Values.tls.certCAFilename -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }}
|
||||
volumeMounts:
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: certs
|
||||
mountPath: /certs
|
||||
{{- end }}
|
||||
- name: datadir
|
||||
mountPath: {{ .Values.backup.cronjob.storage.mountPath }}
|
||||
subPath: {{ .Values.backup.cronjob.storage.subPath }}
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if .Values.backup.cronjob.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.backup.cronjob.containerSecurityContext "enabled" | toYaml | nindent 14 }}
|
||||
{{- end }}
|
||||
restartPolicy: {{ .Values.backup.cronjob.restartPolicy }}
|
||||
{{- if .Values.backup.cronjob.podSecurityContext.enabled }}
|
||||
securityContext:
|
||||
fsGroup: {{ .Values.backup.cronjob.podSecurityContext.fsGroup }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: raw-certificates
|
||||
emptyDir: /tmp/certs
|
||||
{{- end }}
|
||||
{{- if .Values.backup.cronjob.storage.existingClaim }}
|
||||
- name: datadir
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ printf "%s" (tpl .Values.backup.cronjob.storage.existingClaim .) }}
|
||||
{{- else }}
|
||||
- name: datadir
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||
{{- end }}
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
{{- end }}
|
34
matrix/dendrite/charts/postgresql/templates/backup/pvc.yaml
Normal file
34
matrix/dendrite/charts/postgresql/templates/backup/pvc.yaml
Normal file
@ -0,0 +1,34 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.backup.enabled (not .Values.backup.cronjob.storage.existingClaim) -}}
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: pg_dumpall
|
||||
{{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations .Values.backup.cronjob.storage.resourcePolicy }}
|
||||
annotations:
|
||||
{{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.backup.cronjob.storage.resourcePolicy }}
|
||||
helm.sh/resource-policy: {{ .Values.backup.cronjob.storage.resourcePolicy | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{- range .Values.backup.cronjob.storage.accessModes }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.backup.cronjob.storage.size | quote }}
|
||||
{{ include "common.storage.class" (dict "persistence" .Values.backup.cronjob.storage "global" .Values.global) }}
|
||||
{{- end }}
|
@ -0,0 +1,9 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- range .Values.extraDeploy }}
|
||||
---
|
||||
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
|
||||
{{- end }}
|
@ -0,0 +1,26 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if (include "postgresql.v1.primary.createConfigmap" .) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-configuration" (include "postgresql.v1.primary.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
{{- if .Values.primary.configuration }}
|
||||
postgresql.conf: |
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.pgHbaConfiguration }}
|
||||
pg_hba.conf: |
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.pgHbaConfiguration "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -0,0 +1,20 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if (include "postgresql.v1.primary.createExtendedConfigmap" .) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-extended-configuration" (include "postgresql.v1.primary.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
override.conf: |-
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.extendedConfiguration "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
@ -0,0 +1,17 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.primary.initdb.scripts (not .Values.primary.initdb.scriptsConfigMap) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-init-scripts" (include "postgresql.v1.primary.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.initdb.scripts "context" .) | nindent 2 }}
|
||||
{{- end }}
|
@ -0,0 +1,18 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
|
||||
{{- end }}
|
@ -0,0 +1,31 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.metrics.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics
|
||||
{{- if or .Values.commonAnnotations .Values.metrics.service.annotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
|
||||
{{- if .Values.metrics.service.clusterIP }}
|
||||
clusterIP: {{ .Values.metrics.service.clusterIP }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http-metrics
|
||||
port: {{ .Values.metrics.service.ports.metrics }}
|
||||
targetPort: http-metrics
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- end }}
|
@ -0,0 +1,78 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.primary.networkPolicy.enabled }}
|
||||
kind: NetworkPolicy
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: primary
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
{{- if .Values.primary.networkPolicy.allowExternalEgress }}
|
||||
egress:
|
||||
- {}
|
||||
{{- else }}
|
||||
egress:
|
||||
# Allow dns resolution
|
||||
- ports:
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
- port: 53
|
||||
protocol: TCP
|
||||
# Allow outbound connections to read-replicas
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
to:
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if .Values.primary.networkPolicy.extraEgress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ingress:
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- port: {{ .Values.metrics.containerPorts.metrics }}
|
||||
{{- end }}
|
||||
{{- if not .Values.primary.networkPolicy.allowExternal }}
|
||||
from:
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
{{ template "postgresql.v1.primary.fullname" . }}-client: "true"
|
||||
{{- if .Values.primary.networkPolicy.ingressNSMatchLabels }}
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
{{- range $key, $value := .Values.primary.networkPolicy.ingressNSMatchLabels }}
|
||||
{{ $key | quote }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.networkPolicy.ingressNSPodMatchLabels }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- range $key, $value := .Values.primary.networkPolicy.ingressNSPodMatchLabels }}
|
||||
{{ $key | quote }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.networkPolicy.extraIngress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -0,0 +1,46 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.metrics.serviceMonitor.jobLabel }}
|
||||
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{- $svcLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.selector .Values.commonLabels ) "context" . ) }}
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $svcLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: metrics
|
||||
endpoints:
|
||||
- port: http-metrics
|
||||
{{- if .Values.metrics.serviceMonitor.interval }}
|
||||
interval: {{ .Values.metrics.serviceMonitor.interval }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.relabelings }}
|
||||
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
|
||||
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.honorLabels }}
|
||||
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
|
||||
{{- end }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace | quote }}
|
||||
{{- end }}
|
@ -0,0 +1,691 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- $customUser := include "postgresql.v1.username" . }}
|
||||
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if or .Values.commonAnnotations .Values.primary.annotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: 1
|
||||
serviceName: {{ include "postgresql.v1.primary.svc.headless" . }}
|
||||
{{- if .Values.primary.updateStrategy }}
|
||||
updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: primary
|
||||
template:
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if or (include "postgresql.v1.primary.createConfigmap" .) (include "postgresql.v1.primary.createExtendedConfigmap" .) .Values.primary.podAnnotations }}
|
||||
annotations:
|
||||
{{- if (include "postgresql.v1.primary.createConfigmap" .) }}
|
||||
checksum/configuration: {{ pick (include (print $.Template.BasePath "/primary/configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if (include "postgresql.v1.primary.createExtendedConfigmap" .) }}
|
||||
checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.podAnnotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.primary.extraPodSpec }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }}
|
||||
{{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
|
||||
automountServiceAccountToken: {{ .Values.primary.automountServiceAccountToken }}
|
||||
{{- if .Values.primary.hostAliases }}
|
||||
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.affinity }}
|
||||
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }}
|
||||
{{- else }}
|
||||
affinity:
|
||||
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }}
|
||||
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }}
|
||||
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.nodeSelector }}
|
||||
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.tolerations }}
|
||||
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.topologySpreadConstraints }}
|
||||
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" .) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.priorityClassName }}
|
||||
priorityClassName: {{ .Values.primary.priorityClassName }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.schedulerName }}
|
||||
schedulerName: {{ .Values.primary.schedulerName | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.terminationGracePeriodSeconds }}
|
||||
terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
hostNetwork: {{ .Values.primary.hostNetwork }}
|
||||
hostIPC: {{ .Values.primary.hostIPC }}
|
||||
{{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled)) .Values.primary.initContainers }}
|
||||
initContainers:
|
||||
{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
|
||||
- name: copy-certs
|
||||
image: {{ include "postgresql.v1.volumePermissions.image" . }}
|
||||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
{{- if .Values.primary.resources }}
|
||||
resources: {{- toYaml .Values.primary.resources | nindent 12 }}
|
||||
{{- else if ne .Values.primary.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
# We don't require a privileged container in this case
|
||||
{{- if .Values.primary.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -ec
|
||||
- |
|
||||
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: raw-certificates
|
||||
mountPath: /tmp/certs
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
{{- else if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled) }}
|
||||
- name: init-chmod-data
|
||||
image: {{ include "postgresql.v1.volumePermissions.image" . }}
|
||||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
{{- if .Values.volumePermissions.resources }}
|
||||
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
|
||||
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -ec
|
||||
- |
|
||||
{{- if .Values.primary.persistence.enabled }}
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.primary.persistence.mountPath }}
|
||||
{{- else }}
|
||||
chown {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} {{ .Values.primary.persistence.mountPath }}
|
||||
{{- end }}
|
||||
mkdir -p {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }}
|
||||
chmod 700 {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }}
|
||||
find {{ .Values.primary.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.v1.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
xargs -r chown -R `id -u`:`id -G | cut -d " " -f2`
|
||||
{{- else }}
|
||||
xargs -r chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
chmod -R 777 /dev/shm
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
|
||||
{{- else }}
|
||||
chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/
|
||||
{{- end }}
|
||||
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
{{- end }}
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
|
||||
{{- else }}
|
||||
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: data
|
||||
mountPath: {{ .Values.primary.persistence.mountPath }}
|
||||
{{- if .Values.primary.persistence.subPath }}
|
||||
subPath: {{ .Values.primary.persistence.subPath }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
mountPath: /dev/shm
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: raw-certificates
|
||||
mountPath: /tmp/certs
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initContainers }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.initContainers "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: postgresql
|
||||
image: {{ include "postgresql.v1.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||
{{- if .Values.primary.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
{{- else if .Values.primary.command }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else if .Values.primary.args }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: BITNAMI_DEBUG
|
||||
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
|
||||
- name: POSTGRESQL_PORT_NUMBER
|
||||
value: {{ .Values.containerPorts.postgresql | quote }}
|
||||
- name: POSTGRESQL_VOLUME_DIR
|
||||
value: {{ .Values.primary.persistence.mountPath | quote }}
|
||||
{{- if .Values.primary.persistence.mountPath }}
|
||||
- name: PGDATA
|
||||
value: {{ .Values.postgresqlDataDir | quote }}
|
||||
{{- end }}
|
||||
# Authentication
|
||||
{{- if or (eq $customUser "postgres") (empty $customUser) }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- name: ALLOW_EMPTY_PASSWORD
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_USER
|
||||
value: {{ $customUser | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.userPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if (include "postgresql.v1.database" .) }}
|
||||
- name: POSTGRES_DATABASE
|
||||
value: {{ (include "postgresql.v1.database" .) | quote }}
|
||||
{{- end }}
|
||||
# Replication
|
||||
{{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }}
|
||||
- name: POSTGRES_REPLICATION_MODE
|
||||
value: {{ ternary "slave" "master" .Values.primary.standby.enabled | quote }}
|
||||
- name: POSTGRES_REPLICATION_USER
|
||||
value: {{ .Values.auth.replicationUsername | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_REPLICATION_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.replicationPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_REPLICATION_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.replicationPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- if ne .Values.replication.synchronousCommit "off" }}
|
||||
- name: POSTGRES_SYNCHRONOUS_COMMIT_MODE
|
||||
value: {{ .Values.replication.synchronousCommit | quote }}
|
||||
- name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS
|
||||
value: {{ .Values.replication.numSynchronousReplicas | quote }}
|
||||
{{- end }}
|
||||
- name: POSTGRES_CLUSTER_APP_NAME
|
||||
value: {{ .Values.replication.applicationName }}
|
||||
{{- end }}
|
||||
# Initdb
|
||||
{{- if .Values.primary.initdb.args }}
|
||||
- name: POSTGRES_INITDB_ARGS
|
||||
value: {{ .Values.primary.initdb.args | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initdb.postgresqlWalDir }}
|
||||
- name: POSTGRES_INITDB_WALDIR
|
||||
value: {{ .Values.primary.initdb.postgresqlWalDir | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initdb.user }}
|
||||
- name: POSTGRES_INITSCRIPTS_USERNAME
|
||||
value: {{ .Values.primary.initdb.user }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initdb.password }}
|
||||
- name: POSTGRES_INITSCRIPTS_PASSWORD
|
||||
value: {{ .Values.primary.initdb.password | quote }}
|
||||
{{- end }}
|
||||
# Standby
|
||||
{{- if .Values.primary.standby.enabled }}
|
||||
- name: POSTGRES_MASTER_HOST
|
||||
value: {{ .Values.primary.standby.primaryHost }}
|
||||
- name: POSTGRES_MASTER_PORT_NUMBER
|
||||
value: {{ .Values.primary.standby.primaryPort | quote }}
|
||||
{{- end }}
|
||||
# LDAP
|
||||
- name: POSTGRESQL_ENABLE_LDAP
|
||||
value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }}
|
||||
{{- if .Values.ldap.enabled }}
|
||||
{{- if or .Values.ldap.url .Values.ldap.uri }}
|
||||
- name: POSTGRESQL_LDAP_URL
|
||||
value: {{ coalesce .Values.ldap.url .Values.ldap.uri }}
|
||||
{{- else }}
|
||||
- name: POSTGRESQL_LDAP_SERVER
|
||||
value: {{ .Values.ldap.server }}
|
||||
- name: POSTGRESQL_LDAP_PORT
|
||||
value: {{ .Values.ldap.port | quote }}
|
||||
- name: POSTGRESQL_LDAP_SCHEME
|
||||
value: {{ .Values.ldap.scheme }}
|
||||
{{- if (include "postgresql.v1.ldap.tls.enabled" .) }}
|
||||
- name: POSTGRESQL_LDAP_TLS
|
||||
value: "1"
|
||||
{{- end }}
|
||||
- name: POSTGRESQL_LDAP_PREFIX
|
||||
value: {{ .Values.ldap.prefix | quote }}
|
||||
- name: POSTGRESQL_LDAP_SUFFIX
|
||||
value: {{ .Values.ldap.suffix | quote }}
|
||||
- name: POSTGRESQL_LDAP_BASE_DN
|
||||
value: {{ coalesce .Values.ldap.baseDN .Values.ldap.basedn }}
|
||||
- name: POSTGRESQL_LDAP_BIND_DN
|
||||
value: {{ coalesce .Values.ldap.bindDN .Values.ldap.binddn}}
|
||||
{{- if or (not (empty .Values.ldap.bind_password)) (not (empty .Values.ldap.bindpw)) }}
|
||||
- name: POSTGRESQL_LDAP_BIND_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: ldap-password
|
||||
{{- end }}
|
||||
- name: POSTGRESQL_LDAP_SEARCH_ATTR
|
||||
value: {{ coalesce .Values.ldap.search_attr .Values.ldap.searchAttribute }}
|
||||
- name: POSTGRESQL_LDAP_SEARCH_FILTER
|
||||
value: {{ coalesce .Values.ldap.search_filter .Values.ldap.searchFilter }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
# TLS
|
||||
- name: POSTGRESQL_ENABLE_TLS
|
||||
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
|
||||
value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
|
||||
- name: POSTGRESQL_TLS_CERT_FILE
|
||||
value: {{ include "postgresql.v1.tlsCert" . }}
|
||||
- name: POSTGRESQL_TLS_KEY_FILE
|
||||
value: {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
{{- if .Values.tls.certCAFilename }}
|
||||
- name: POSTGRESQL_TLS_CA_FILE
|
||||
value: {{ include "postgresql.v1.tlsCACert" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.crlFilename }}
|
||||
- name: POSTGRESQL_TLS_CRL_FILE
|
||||
value: {{ include "postgresql.v1.tlsCRL" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
# Audit
|
||||
- name: POSTGRESQL_LOG_HOSTNAME
|
||||
value: {{ .Values.audit.logHostname | quote }}
|
||||
- name: POSTGRESQL_LOG_CONNECTIONS
|
||||
value: {{ .Values.audit.logConnections | quote }}
|
||||
- name: POSTGRESQL_LOG_DISCONNECTIONS
|
||||
value: {{ .Values.audit.logDisconnections | quote }}
|
||||
{{- if .Values.audit.logLinePrefix }}
|
||||
- name: POSTGRESQL_LOG_LINE_PREFIX
|
||||
value: {{ .Values.audit.logLinePrefix | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.audit.logTimezone }}
|
||||
- name: POSTGRESQL_LOG_TIMEZONE
|
||||
value: {{ .Values.audit.logTimezone | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.audit.pgAuditLog }}
|
||||
- name: POSTGRESQL_PGAUDIT_LOG
|
||||
value: {{ .Values.audit.pgAuditLog | quote }}
|
||||
{{- end }}
|
||||
- name: POSTGRESQL_PGAUDIT_LOG_CATALOG
|
||||
value: {{ .Values.audit.pgAuditLogCatalog | quote }}
|
||||
# Others
|
||||
- name: POSTGRESQL_CLIENT_MIN_MESSAGES
|
||||
value: {{ .Values.audit.clientMinMessages | quote }}
|
||||
- name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
|
||||
value: {{ .Values.postgresqlSharedPreloadLibraries | quote }}
|
||||
{{- if .Values.primary.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }}
|
||||
envFrom:
|
||||
{{- if .Values.primary.extraEnvVarsCM }}
|
||||
- configMapRef:
|
||||
name: {{ .Values.primary.extraEnvVarsCM }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.extraEnvVarsSecret }}
|
||||
- secretRef:
|
||||
name: {{ .Values.primary.extraEnvVarsSecret }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
containerPort: {{ .Values.containerPorts.postgresql }}
|
||||
{{- if not .Values.diagnosticMode.enabled }}
|
||||
{{- if .Values.primary.customStartupProbe }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.primary.startupProbe.enabled }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
{{- if (include "postgresql.v1.database" .) }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- else }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.customLivenessProbe }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.primary.livenessProbe.enabled }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
{{- if (include "postgresql.v1.database" .) }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- else }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.customReadinessProbe }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.primary.readinessProbe.enabled }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- -e
|
||||
{{- include "postgresql.v1.readinessProbeCommand" . | nindent 16 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.resources }}
|
||||
resources: {{- toYaml .Values.primary.resources | nindent 12 }}
|
||||
{{- else if ne .Values.primary.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.lifecycleHooks }}
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/conf
|
||||
subPath: app-conf-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/tmp
|
||||
subPath: app-tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/logs
|
||||
subPath: app-logs-dir
|
||||
{{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
|
||||
- name: custom-init-scripts
|
||||
mountPath: /docker-entrypoint-initdb.d/
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initdb.scriptsSecret }}
|
||||
- name: custom-init-scripts-secret
|
||||
mountPath: /docker-entrypoint-initdb.d/secret
|
||||
{{- end }}
|
||||
{{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }}
|
||||
- name: postgresql-extended-config
|
||||
mountPath: {{ .Values.primary.persistence.mountPath }}/conf/conf.d/
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
mountPath: /opt/bitnami/postgresql/secrets/
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
mountPath: /dev/shm
|
||||
{{- end }}
|
||||
{{- if .Values.primary.persistence.enabled }}
|
||||
- name: data
|
||||
mountPath: {{ .Values.primary.persistence.mountPath }}
|
||||
{{- if .Values.primary.persistence.subPath }}
|
||||
subPath: {{ .Values.primary.persistence.subPath }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
|
||||
- name: postgresql-config
|
||||
mountPath: {{ .Values.primary.persistence.mountPath }}/conf
|
||||
{{- end }}
|
||||
{{- if .Values.primary.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- name: metrics
|
||||
image: {{ include "postgresql.v1.metrics.image" . }}
|
||||
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
|
||||
{{- if .Values.metrics.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else if or .Values.metrics.customMetrics .Values.metrics.collectors }}
|
||||
args:
|
||||
{{- if .Values.metrics.customMetrics }}
|
||||
- --extend.query-path
|
||||
- /conf/custom-metrics.yaml
|
||||
{{- end }}
|
||||
{{- range $name, $enabled := .Values.metrics.collectors }}
|
||||
- --{{ if not $enabled }}no-{{ end }}collector.{{ $name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.v1.database" .) }}
|
||||
- name: DATA_SOURCE_URI
|
||||
value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.v1.service.port" .)) $database }}
|
||||
{{- $pwdKey := ternary (include "postgresql.v1.adminPasswordKey" .) (include "postgresql.v1.userPasswordKey" .) (or (eq $customUser "postgres") (empty $customUser)) }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: DATA_SOURCE_PASS_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" $pwdKey }}
|
||||
{{- else }}
|
||||
- name: DATA_SOURCE_PASS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ $pwdKey }}
|
||||
{{- end }}
|
||||
- name: DATA_SOURCE_USER
|
||||
value: {{ default "postgres" $customUser | quote }}
|
||||
{{- if .Values.metrics.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http-metrics
|
||||
containerPort: {{ .Values.metrics.containerPorts.metrics }}
|
||||
{{- if not .Values.diagnosticMode.enabled }}
|
||||
{{- if .Values.metrics.customStartupProbe }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.startupProbe.enabled }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||
tcpSocket:
|
||||
port: http-metrics
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.customLivenessProbe }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.livenessProbe.enabled }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||
httpGet:
|
||||
path: /
|
||||
port: http-metrics
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.customReadinessProbe }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.readinessProbe.enabled }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||
httpGet:
|
||||
path: /
|
||||
port: http-metrics
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
mountPath: /opt/bitnami/postgresql/secrets/
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.customMetrics }}
|
||||
- name: custom-metrics
|
||||
mountPath: /conf
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.resources }}
|
||||
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
|
||||
{{- else if ne .Values.metrics.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.sidecars }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
|
||||
- name: postgresql-config
|
||||
configMap:
|
||||
name: {{ include "postgresql.v1.primary.configmapName" . }}
|
||||
{{- end }}
|
||||
{{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }}
|
||||
- name: postgresql-extended-config
|
||||
configMap:
|
||||
name: {{ include "postgresql.v1.primary.extendedConfigmapName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
secret:
|
||||
secretName: {{ include "postgresql.v1.secretName" . }}
|
||||
{{- end }}
|
||||
{{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
|
||||
- name: custom-init-scripts
|
||||
configMap:
|
||||
name: {{ include "postgresql.v1.initdb.scriptsCM" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initdb.scriptsSecret }}
|
||||
- name: custom-init-scripts-secret
|
||||
secret:
|
||||
secretName: {{ tpl .Values.primary.initdb.scriptsSecret $ }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: raw-certificates
|
||||
secret:
|
||||
secretName: {{ include "postgresql.v1.tlsSecretName" . }}
|
||||
- name: postgresql-certificates
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraVolumes "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
|
||||
- name: custom-metrics
|
||||
configMap:
|
||||
name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
emptyDir:
|
||||
medium: Memory
|
||||
{{- if .Values.shmVolume.sizeLimit }}
|
||||
sizeLimit: {{ .Values.shmVolume.sizeLimit }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }}
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ tpl .Values.primary.persistence.existingClaim $ }}
|
||||
{{- else if not .Values.primary.persistence.enabled }}
|
||||
- name: data
|
||||
emptyDir: {}
|
||||
{{- else }}
|
||||
{{- if .Values.primary.persistentVolumeClaimRetentionPolicy.enabled }}
|
||||
persistentVolumeClaimRetentionPolicy:
|
||||
whenDeleted: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenDeleted }}
|
||||
whenScaled: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenScaled }}
|
||||
{{- end }}
|
||||
volumeClaimTemplates:
|
||||
- apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: data
|
||||
{{- if .Values.primary.persistence.annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.annotations "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.persistence.labels }}
|
||||
labels: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.labels "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{- range .Values.primary.persistence.accessModes }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.persistence.dataSource }}
|
||||
dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.dataSource "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.primary.persistence.size | quote }}
|
||||
{{- if .Values.primary.persistence.selector }}
|
||||
selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) | nindent 8 }}
|
||||
{{- end }}
|
@ -0,0 +1,36 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.svc.headless" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
annotations:
|
||||
{{- if or .Values.primary.service.headless.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
# Use this annotation in addition to the actual publishNotReadyAddresses
|
||||
# field below because the annotation will stop being respected soon but the
|
||||
# field is broken in some versions of Kubernetes:
|
||||
# https://github.com/kubernetes/kubernetes/issues/58662
|
||||
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
|
||||
spec:
|
||||
type: ClusterIP
|
||||
clusterIP: None
|
||||
# We want all pods in the StatefulSet to have their addresses published for
|
||||
# the sake of the other Postgresql pods even before they're ready, since they
|
||||
# have to be able to talk to each other in order to become ready.
|
||||
publishNotReadyAddresses: true
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
port: {{ template "postgresql.v1.service.port" . }}
|
||||
targetPort: tcp-postgresql
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
51
matrix/dendrite/charts/postgresql/templates/primary/svc.yaml
Normal file
51
matrix/dendrite/charts/postgresql/templates/primary/svc.yaml
Normal file
@ -0,0 +1,51 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if or .Values.commonAnnotations .Values.primary.service.annotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: {{ .Values.primary.service.type }}
|
||||
{{- if or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort") }}
|
||||
externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }}
|
||||
{{- end }}
|
||||
{{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerSourceRanges)) }}
|
||||
loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges | toJson}}
|
||||
{{- end }}
|
||||
{{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP)) }}
|
||||
loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }}
|
||||
{{- end }}
|
||||
{{- if and .Values.primary.service.clusterIP (eq .Values.primary.service.type "ClusterIP") }}
|
||||
clusterIP: {{ .Values.primary.service.clusterIP }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.service.sessionAffinity }}
|
||||
sessionAffinity: {{ .Values.primary.service.sessionAffinity }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.service.sessionAffinityConfig }}
|
||||
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.sessionAffinityConfig "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
port: {{ template "postgresql.v1.service.port" . }}
|
||||
targetPort: tcp-postgresql
|
||||
{{- if and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (not (empty .Values.primary.service.nodePorts.postgresql)) }}
|
||||
nodePort: {{ .Values.primary.service.nodePorts.postgresql }}
|
||||
{{- else if eq .Values.primary.service.type "ClusterIP" }}
|
||||
nodePort: null
|
||||
{{- end }}
|
||||
{{- if .Values.primary.service.extraPorts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: primary
|
@ -0,0 +1,22 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PrometheusRule
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.prometheusRule.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
groups:
|
||||
- name: {{ include "common.names.fullname" . }}
|
||||
rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
42
matrix/dendrite/charts/postgresql/templates/psp.yaml
Normal file
42
matrix/dendrite/charts/postgresql/templates/psp.yaml
Normal file
@ -0,0 +1,42 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and (include "common.capabilities.psp.supported" .) .Values.psp.create }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
privileged: false
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'secret'
|
||||
- 'persistentVolumeClaim'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'RunAsAny'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1
|
||||
max: 65535
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1
|
||||
max: 65535
|
||||
readOnlyRootFilesystem: false
|
||||
{{- end }}
|
@ -0,0 +1,20 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-extended-configuration" (include "postgresql.v1.readReplica.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
override.conf: |-
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extendedConfiguration "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
@ -0,0 +1,18 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics (eq .Values.architecture "replication") }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
|
||||
{{- end }}
|
@ -0,0 +1,31 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.metrics.enabled (eq .Values.architecture "replication") }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics-read
|
||||
{{- if or .Values.commonAnnotations .Values.metrics.service.annotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
|
||||
{{- if .Values.metrics.service.clusterIP }}
|
||||
clusterIP: {{ .Values.metrics.service.clusterIP }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http-metrics
|
||||
port: {{ .Values.metrics.service.ports.metrics }}
|
||||
targetPort: http-metrics
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- end }}
|
@ -0,0 +1,80 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
{{- if .Values.readReplicas.networkPolicy.enabled }}
|
||||
kind: NetworkPolicy
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: read
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
{{- if .Values.readReplicas.networkPolicy.allowExternalEgress }}
|
||||
egress:
|
||||
- {}
|
||||
{{- else }}
|
||||
egress:
|
||||
# Allow dns resolution
|
||||
- ports:
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
- port: 53
|
||||
protocol: TCP
|
||||
# Allow outbound connections to primary
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
to:
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
|
||||
app.kubernetes.io/component: primary
|
||||
{{- if .Values.readReplicas.networkPolicy.extraEgress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ingress:
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.postgresql }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- port: {{ .Values.metrics.containerPorts.metrics }}
|
||||
{{- end }}
|
||||
{{- if not .Values.readReplicas.networkPolicy.allowExternal }}
|
||||
from:
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
{{ template "postgresql.v1.readReplica.fullname" . }}-client: "true"
|
||||
{{- if .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
{{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
|
||||
{{ $key | quote }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
|
||||
{{ $key | quote }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.networkPolicy.extraIngress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -0,0 +1,46 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled (eq .Values.architecture "replication") }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics-read
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.metrics.serviceMonitor.jobLabel }}
|
||||
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{- $svcLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.selector .Values.commonLabels ) "context" . ) }}
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $svcLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: metrics-read
|
||||
endpoints:
|
||||
- port: http-metrics
|
||||
{{- if .Values.metrics.serviceMonitor.interval }}
|
||||
interval: {{ .Values.metrics.serviceMonitor.interval }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.relabelings }}
|
||||
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
|
||||
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.honorLabels }}
|
||||
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
|
||||
{{- end }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace | quote }}
|
||||
{{- end }}
|
@ -0,0 +1,584 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
{{- $customUser := include "postgresql.v1.username" . }}
|
||||
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.labels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if or .Values.commonAnnotations .Values.readReplicas.annotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
replicas: {{ .Values.readReplicas.replicaCount }}
|
||||
serviceName: {{ include "postgresql.v1.readReplica.svc.headless" . }}
|
||||
{{- if .Values.readReplicas.updateStrategy }}
|
||||
updateStrategy: {{- toYaml .Values.readReplicas.updateStrategy | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: read
|
||||
template:
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if or (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) .Values.readReplicas.podAnnotations }}
|
||||
annotations:
|
||||
{{- if (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) }}
|
||||
checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.podAnnotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.readReplicas.extraPodSpec }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }}
|
||||
{{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
|
||||
automountServiceAccountToken: {{ .Values.readReplicas.automountServiceAccountToken }}
|
||||
{{- if .Values.readReplicas.hostAliases }}
|
||||
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.affinity }}
|
||||
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }}
|
||||
{{- else }}
|
||||
affinity:
|
||||
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "customLabels" $podLabels "context" $) | nindent 10 }}
|
||||
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "customLabels" $podLabels "context" $) | nindent 10 }}
|
||||
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.nodeSelector }}
|
||||
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.tolerations }}
|
||||
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.topologySpreadConstraints }}
|
||||
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.topologySpreadConstraints "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.priorityClassName }}
|
||||
priorityClassName: {{ .Values.readReplicas.priorityClassName }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.schedulerName }}
|
||||
schedulerName: {{ .Values.readReplicas.schedulerName | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.terminationGracePeriodSeconds }}
|
||||
terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
hostNetwork: {{ .Values.readReplicas.hostNetwork }}
|
||||
hostIPC: {{ .Values.readReplicas.hostIPC }}
|
||||
{{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled)) .Values.readReplicas.initContainers }}
|
||||
initContainers:
|
||||
{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
|
||||
- name: copy-certs
|
||||
image: {{ include "postgresql.v1.volumePermissions.image" . }}
|
||||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
{{- if .Values.readReplicas.resources }}
|
||||
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
|
||||
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
# We don't require a privileged container in this case
|
||||
{{- if .Values.readReplicas.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -ec
|
||||
- |
|
||||
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: raw-certificates
|
||||
mountPath: /tmp/certs
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
{{- else if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled) }}
|
||||
- name: init-chmod-data
|
||||
image: {{ include "postgresql.v1.volumePermissions.image" . }}
|
||||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
|
||||
{{- if .Values.readReplicas.resources }}
|
||||
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
|
||||
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -ec
|
||||
- |
|
||||
{{- if .Values.readReplicas.persistence.enabled }}
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.readReplicas.persistence.mountPath }}
|
||||
{{- else }}
|
||||
chown {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} {{ .Values.readReplicas.persistence.mountPath }}
|
||||
{{- end }}
|
||||
mkdir -p {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }}
|
||||
chmod 700 {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }}
|
||||
find {{ .Values.readReplicas.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.v1.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
xargs -r chown -R `id -u`:`id -G | cut -d " " -f2`
|
||||
{{- else }}
|
||||
xargs -r chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
chmod -R 777 /dev/shm
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
|
||||
{{- else }}
|
||||
chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/
|
||||
{{- end }}
|
||||
chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
{{- end }}
|
||||
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
|
||||
securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
|
||||
{{- else }}
|
||||
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: data
|
||||
mountPath: {{ .Values.readReplicas.persistence.mountPath }}
|
||||
{{- if .Values.readReplicas.persistence.subPath }}
|
||||
subPath: {{ .Values.readReplicas.persistence.subPath }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
mountPath: /dev/shm
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: raw-certificates
|
||||
mountPath: /tmp/certs
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.initContainers }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.initContainers "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: postgresql
|
||||
image: {{ include "postgresql.v1.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||
{{- if .Values.readReplicas.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
{{- else if .Values.readReplicas.command }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.command "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else if .Values.readReplicas.args }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.args "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: BITNAMI_DEBUG
|
||||
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
|
||||
- name: POSTGRESQL_PORT_NUMBER
|
||||
value: {{ .Values.containerPorts.postgresql | quote }}
|
||||
- name: POSTGRESQL_VOLUME_DIR
|
||||
value: {{ .Values.readReplicas.persistence.mountPath | quote }}
|
||||
{{- if .Values.readReplicas.persistence.mountPath }}
|
||||
- name: PGDATA
|
||||
value: {{ .Values.postgresqlDataDir | quote }}
|
||||
{{- end }}
|
||||
# Authentication
|
||||
{{- if or (eq $customUser "postgres") (empty $customUser) }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- name: ALLOW_EMPTY_PASSWORD
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_USER
|
||||
value: {{ $customUser | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.userPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
# Replication
|
||||
- name: POSTGRES_REPLICATION_MODE
|
||||
value: "slave"
|
||||
- name: POSTGRES_REPLICATION_USER
|
||||
value: {{ .Values.auth.replicationUsername | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_REPLICATION_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.replicationPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_REPLICATION_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.replicationPasswordKey" . }}
|
||||
{{- end }}
|
||||
- name: POSTGRES_CLUSTER_APP_NAME
|
||||
value: {{ .Values.replication.applicationName }}
|
||||
- name: POSTGRES_MASTER_HOST
|
||||
value: {{ include "postgresql.v1.primary.fullname" . }}
|
||||
- name: POSTGRES_MASTER_PORT_NUMBER
|
||||
value: {{ include "postgresql.v1.service.port" . | quote }}
|
||||
# TLS
|
||||
- name: POSTGRESQL_ENABLE_TLS
|
||||
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
|
||||
value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
|
||||
- name: POSTGRESQL_TLS_CERT_FILE
|
||||
value: {{ include "postgresql.v1.tlsCert" . }}
|
||||
- name: POSTGRESQL_TLS_KEY_FILE
|
||||
value: {{ include "postgresql.v1.tlsCertKey" . }}
|
||||
{{- if .Values.tls.certCAFilename }}
|
||||
- name: POSTGRESQL_TLS_CA_FILE
|
||||
value: {{ include "postgresql.v1.tlsCACert" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.crlFilename }}
|
||||
- name: POSTGRESQL_TLS_CRL_FILE
|
||||
value: {{ include "postgresql.v1.tlsCRL" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
# Audit
|
||||
- name: POSTGRESQL_LOG_HOSTNAME
|
||||
value: {{ .Values.audit.logHostname | quote }}
|
||||
- name: POSTGRESQL_LOG_CONNECTIONS
|
||||
value: {{ .Values.audit.logConnections | quote }}
|
||||
- name: POSTGRESQL_LOG_DISCONNECTIONS
|
||||
value: {{ .Values.audit.logDisconnections | quote }}
|
||||
{{- if .Values.audit.logLinePrefix }}
|
||||
- name: POSTGRESQL_LOG_LINE_PREFIX
|
||||
value: {{ .Values.audit.logLinePrefix | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.audit.logTimezone }}
|
||||
- name: POSTGRESQL_LOG_TIMEZONE
|
||||
value: {{ .Values.audit.logTimezone | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.audit.pgAuditLog }}
|
||||
- name: POSTGRESQL_PGAUDIT_LOG
|
||||
value: {{ .Values.audit.pgAuditLog | quote }}
|
||||
{{- end }}
|
||||
- name: POSTGRESQL_PGAUDIT_LOG_CATALOG
|
||||
value: {{ .Values.audit.pgAuditLogCatalog | quote }}
|
||||
# Others
|
||||
- name: POSTGRESQL_CLIENT_MIN_MESSAGES
|
||||
value: {{ .Values.audit.clientMinMessages | quote }}
|
||||
- name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
|
||||
value: {{ .Values.postgresqlSharedPreloadLibraries | quote }}
|
||||
{{- if .Values.readReplicas.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.readReplicas.extraEnvVarsCM .Values.readReplicas.extraEnvVarsSecret }}
|
||||
envFrom:
|
||||
{{- if .Values.readReplicas.extraEnvVarsCM }}
|
||||
- configMapRef:
|
||||
name: {{ .Values.readReplicas.extraEnvVarsCM }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.extraEnvVarsSecret }}
|
||||
- secretRef:
|
||||
name: {{ .Values.readReplicas.extraEnvVarsSecret }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
containerPort: {{ .Values.containerPorts.postgresql }}
|
||||
{{- if not .Values.diagnosticMode.enabled }}
|
||||
{{- if .Values.readReplicas.customStartupProbe }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customStartupProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.readReplicas.startupProbe.enabled }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
{{- if (include "postgresql.v1.database" .) }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser| quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- else }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.customLivenessProbe }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customLivenessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.readReplicas.livenessProbe.enabled }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
{{- if (include "postgresql.v1.database" .) }}
|
||||
- exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- else }}
|
||||
- exec pg_isready -U {{default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.customReadinessProbe }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customReadinessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.readReplicas.readinessProbe.enabled }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- -e
|
||||
{{- include "postgresql.v1.readinessProbeCommand" . | nindent 16 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.resources }}
|
||||
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
|
||||
{{- else if ne .Values.readReplicas.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.lifecycleHooks }}
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/conf
|
||||
subPath: app-conf-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/tmp
|
||||
subPath: app-tmp-dir
|
||||
- name: empty-dir
|
||||
mountPath: /opt/bitnami/postgresql/logs
|
||||
subPath: app-logs-dir
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
mountPath: /opt/bitnami/postgresql/secrets/
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.extendedConfiguration }}
|
||||
- name: postgresql-extended-config
|
||||
mountPath: {{ .Values.readReplicas.persistence.mountPath }}/conf/conf.d/
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
mountPath: /dev/shm
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.persistence.enabled }}
|
||||
- name: data
|
||||
mountPath: {{ .Values.readReplicas.persistence.mountPath }}
|
||||
{{- if .Values.readReplicas.persistence.subPath }}
|
||||
subPath: {{ .Values.readReplicas.persistence.subPath }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraVolumeMounts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- name: metrics
|
||||
image: {{ include "postgresql.v1.metrics.image" . }}
|
||||
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
|
||||
{{- if .Values.metrics.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.customMetrics }}
|
||||
args: [ "--extend.query-path", "/conf/custom-metrics.yaml" ]
|
||||
{{- end }}
|
||||
env:
|
||||
{{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.v1.database" .) }}
|
||||
- name: DATA_SOURCE_URI
|
||||
value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.v1.service.port" .)) $database }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: DATA_SOURCE_PASS_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: DATA_SOURCE_PASS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.v1.secretName" . }}
|
||||
key: {{ include "postgresql.v1.userPasswordKey" . }}
|
||||
{{- end }}
|
||||
- name: DATA_SOURCE_USER
|
||||
value: {{ default "postgres" $customUser | quote }}
|
||||
{{- if .Values.metrics.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http-metrics
|
||||
containerPort: {{ .Values.metrics.containerPorts.metrics }}
|
||||
{{- if not .Values.diagnosticMode.enabled }}
|
||||
{{- if .Values.metrics.customStartupProbe }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.startupProbe.enabled }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||
tcpSocket:
|
||||
port: http-metrics
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.customLivenessProbe }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.livenessProbe.enabled }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||
httpGet:
|
||||
path: /
|
||||
port: http-metrics
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.customReadinessProbe }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.metrics.readinessProbe.enabled }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||
httpGet:
|
||||
path: /
|
||||
port: http-metrics
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
mountPath: /opt/bitnami/postgresql/secrets/
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.customMetrics }}
|
||||
- name: custom-metrics
|
||||
mountPath: /conf
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.resources }}
|
||||
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
|
||||
{{- else if ne .Values.metrics.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.sidecars }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if .Values.readReplicas.extendedConfiguration }}
|
||||
- name: postgresql-extended-config
|
||||
configMap:
|
||||
name: {{ include "postgresql.v1.readReplicas.extendedConfigmapName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: postgresql-password
|
||||
secret:
|
||||
secretName: {{ include "postgresql.v1.secretName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
- name: raw-certificates
|
||||
secret:
|
||||
secretName: {{ include "postgresql.v1.tlsSecretName" . }}
|
||||
- name: postgresql-certificates
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
|
||||
- name: custom-metrics
|
||||
configMap:
|
||||
name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
|
||||
{{- end }}
|
||||
{{- if .Values.shmVolume.enabled }}
|
||||
- name: dshm
|
||||
emptyDir:
|
||||
medium: Memory
|
||||
{{- if .Values.shmVolume.sizeLimit }}
|
||||
sizeLimit: {{ .Values.shmVolume.sizeLimit }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
{{- if .Values.readReplicas.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.readReplicas.persistence.enabled .Values.readReplicas.persistence.existingClaim }}
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ tpl .Values.readReplicas.persistence.existingClaim $ }}
|
||||
{{- else if not .Values.readReplicas.persistence.enabled }}
|
||||
- name: data
|
||||
emptyDir: {}
|
||||
{{- else }}
|
||||
{{- if .Values.readReplicas.persistentVolumeClaimRetentionPolicy.enabled }}
|
||||
persistentVolumeClaimRetentionPolicy:
|
||||
whenDeleted: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted }}
|
||||
whenScaled: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled }}
|
||||
{{- end }}
|
||||
volumeClaimTemplates:
|
||||
- apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: data
|
||||
{{- if .Values.readReplicas.persistence.annotations }}
|
||||
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.persistence.labels }}
|
||||
labels: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.labels "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
accessModes:
|
||||
{{- range .Values.readReplicas.persistence.accessModes }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.persistence.dataSource }}
|
||||
dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.dataSource "context" $) | nindent 10 }}
|
||||
{{- end }}
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.readReplicas.persistence.size | quote }}
|
||||
{{- if .Values.readReplicas.persistence.selector }}
|
||||
selector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.selector "context" $) | nindent 10 }}
|
||||
{{- end -}}
|
||||
{{- include "common.storage.class" (dict "persistence" .Values.readReplicas.persistence "global" .Values.global) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -0,0 +1,38 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.readReplica.svc.headless" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
annotations:
|
||||
{{- if or .Values.readReplicas.service.headless.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
# Use this annotation in addition to the actual publishNotReadyAddresses
|
||||
# field below because the annotation will stop being respected soon but the
|
||||
# field is broken in some versions of Kubernetes:
|
||||
# https://github.com/kubernetes/kubernetes/issues/58662
|
||||
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
|
||||
spec:
|
||||
type: ClusterIP
|
||||
clusterIP: None
|
||||
# We want all pods in the StatefulSet to have their addresses published for
|
||||
# the sake of the other Postgresql pods even before they're ready, since they
|
||||
# have to be able to talk to each other in order to become ready.
|
||||
publishNotReadyAddresses: true
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
port: {{ include "postgresql.v1.readReplica.service.port" . }}
|
||||
targetPort: tcp-postgresql
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- end }}
|
53
matrix/dendrite/charts/postgresql/templates/read/svc.yaml
Normal file
53
matrix/dendrite/charts/postgresql/templates/read/svc.yaml
Normal file
@ -0,0 +1,53 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.readReplica.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- if or .Values.commonAnnotations .Values.readReplicas.service.annotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.service.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: {{ .Values.readReplicas.service.type }}
|
||||
{{- if or (eq .Values.readReplicas.service.type "LoadBalancer") (eq .Values.readReplicas.service.type "NodePort") }}
|
||||
externalTrafficPolicy: {{ .Values.readReplicas.service.externalTrafficPolicy | quote }}
|
||||
{{- end }}
|
||||
{{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerSourceRanges)) }}
|
||||
loadBalancerSourceRanges: {{ .Values.readReplicas.service.loadBalancerSourceRanges }}
|
||||
{{- end }}
|
||||
{{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerIP)) }}
|
||||
loadBalancerIP: {{ .Values.readReplicas.service.loadBalancerIP }}
|
||||
{{- end }}
|
||||
{{- if and .Values.readReplicas.service.clusterIP (eq .Values.readReplicas.service.type "ClusterIP") }}
|
||||
clusterIP: {{ .Values.readReplicas.service.clusterIP }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.service.sessionAffinity }}
|
||||
sessionAffinity: {{ .Values.readReplicas.service.sessionAffinity }}
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.service.sessionAffinityConfig }}
|
||||
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.sessionAffinityConfig "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: tcp-postgresql
|
||||
port: {{ include "postgresql.v1.readReplica.service.port" . }}
|
||||
targetPort: tcp-postgresql
|
||||
{{- if and (or (eq .Values.readReplicas.service.type "NodePort") (eq .Values.readReplicas.service.type "LoadBalancer")) (not (empty .Values.readReplicas.service.nodePorts.postgresql)) }}
|
||||
nodePort: {{ .Values.readReplicas.service.nodePorts.postgresql }}
|
||||
{{- else if eq .Values.readReplicas.service.type "ClusterIP" }}
|
||||
nodePort: null
|
||||
{{- end }}
|
||||
{{- if .Values.readReplicas.service.extraPorts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.extraPorts "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/component: read
|
||||
{{- end }}
|
32
matrix/dendrite/charts/postgresql/templates/role.yaml
Normal file
32
matrix/dendrite/charts/postgresql/templates/role.yaml
Normal file
@ -0,0 +1,32 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: Role
|
||||
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
# yamllint disable rule:indentation
|
||||
rules:
|
||||
{{- if and (include "common.capabilities.psp.supported" .) .Values.psp.create }}
|
||||
- apiGroups:
|
||||
- 'policy'
|
||||
resources:
|
||||
- 'podsecuritypolicies'
|
||||
verbs:
|
||||
- 'use'
|
||||
resourceNames:
|
||||
- {{ include "common.names.fullname" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.rbac.rules }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
|
||||
{{- end }}
|
||||
# yamllint enable rule:indentation
|
||||
{{- end }}
|
24
matrix/dendrite/charts/postgresql/templates/rolebinding.yaml
Normal file
24
matrix/dendrite/charts/postgresql/templates/rolebinding.yaml
Normal file
@ -0,0 +1,24 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: RoleBinding
|
||||
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "postgresql.v1.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- end }}
|
99
matrix/dendrite/charts/postgresql/templates/secrets.yaml
Normal file
99
matrix/dendrite/charts/postgresql/templates/secrets.yaml
Normal file
@ -0,0 +1,99 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- $host := include "postgresql.v1.primary.fullname" . }}
|
||||
{{- $port := include "postgresql.v1.service.port" . }}
|
||||
{{- $customUser := include "postgresql.v1.username" . }}
|
||||
{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.adminPasswordKey .Values.auth.secretKeys.adminPasswordKey) "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.password .Values.auth.password .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) | trimAll "\"" | b64dec }}
|
||||
{{- if and (not $postgresPassword) .Values.auth.enablePostgresUser }}
|
||||
{{- $postgresPassword = randAlphaNum 10 }}
|
||||
{{- end }}
|
||||
{{- $replicationPassword := "" }}
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
{{- $replicationPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.replicationPasswordKey .Values.auth.secretKeys.replicationPasswordKey) "providedValues" (list "auth.replicationPassword") "context" $) | trimAll "\"" | b64dec }}
|
||||
{{- end }}
|
||||
{{- $ldapPassword := "" }}
|
||||
{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
|
||||
{{- $ldapPassword = coalesce .Values.ldap.bind_password .Values.ldap.bindpw }}
|
||||
{{- end }}
|
||||
{{- $password := "" }}
|
||||
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
|
||||
{{- $password = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.userPasswordKey .Values.auth.secretKeys.userPasswordKey) "providedValues" (list "global.postgresql.auth.password" "auth.password") "context" $) | trimAll "\"" | b64dec }}
|
||||
{{- end }}
|
||||
{{- $database := include "postgresql.v1.database" . }}
|
||||
{{- if (include "postgresql.v1.createSecret" .) }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if $postgresPassword }}
|
||||
postgres-password: {{ $postgresPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if $password }}
|
||||
password: {{ $password | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if $replicationPassword }}
|
||||
replication-password: {{ $replicationPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
# We don't auto-generate LDAP password when it's not provided as we do for other passwords
|
||||
{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
|
||||
ldap-password: {{ $ldapPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceBindings.enabled }}
|
||||
{{- if $postgresPassword }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}-svcbind-postgres
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: servicebinding.io/postgresql
|
||||
data:
|
||||
provider: {{ print "bitnami" | b64enc | quote }}
|
||||
type: {{ print "postgresql" | b64enc | quote }}
|
||||
host: {{ $host | b64enc | quote }}
|
||||
port: {{ $port | b64enc | quote }}
|
||||
username: {{ print "postgres" | b64enc | quote }}
|
||||
database: {{ print "postgres" | b64enc | quote }}
|
||||
password: {{ $postgresPassword | b64enc | quote }}
|
||||
uri: {{ printf "postgresql://postgres:%s@%s:%s/postgres" $postgresPassword $host $port | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if $password }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}-svcbind-custom-user
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: servicebinding.io/postgresql
|
||||
data:
|
||||
provider: {{ print "bitnami" | b64enc | quote }}
|
||||
type: {{ print "postgresql" | b64enc | quote }}
|
||||
host: {{ $host | b64enc | quote }}
|
||||
port: {{ $port | b64enc | quote }}
|
||||
username: {{ $customUser | b64enc | quote }}
|
||||
password: {{ $password | b64enc | quote }}
|
||||
{{- if $database }}
|
||||
database: {{ $database | b64enc | quote }}
|
||||
{{- end }}
|
||||
uri: {{ printf "postgresql://%s:%s@%s:%s/%s" $customUser $password $host $port $database | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -0,0 +1,18 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "postgresql.v1.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
|
30
matrix/dendrite/charts/postgresql/templates/tls-secrets.yaml
Normal file
30
matrix/dendrite/charts/postgresql/templates/tls-secrets.yaml
Normal file
@ -0,0 +1,30 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if (include "postgresql.v1.createTlsSecret" . ) }}
|
||||
{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }}
|
||||
{{- $ca := genCA "postgresql-ca" 365 }}
|
||||
{{- $fullname := include "common.names.fullname" . }}
|
||||
{{- $releaseNamespace := .Release.Namespace }}
|
||||
{{- $clusterDomain := .Values.clusterDomain }}
|
||||
{{- $primaryHeadlessServiceName := include "postgresql.v1.primary.svc.headless" . }}
|
||||
{{- $readHeadlessServiceName := include "postgresql.v1.readReplica.svc.headless" . }}
|
||||
{{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) $fullname }}
|
||||
{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
|
||||
tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
|
||||
ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
|
||||
{{- end }}
|
156
matrix/dendrite/charts/postgresql/values.schema.json
Normal file
156
matrix/dendrite/charts/postgresql/values.schema.json
Normal file
@ -0,0 +1,156 @@
|
||||
{
|
||||
"$schema": "http://json-schema.org/schema#",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"architecture": {
|
||||
"type": "string",
|
||||
"title": "PostgreSQL architecture",
|
||||
"form": true,
|
||||
"description": "Allowed values: `standalone` or `replication`"
|
||||
},
|
||||
"auth": {
|
||||
"type": "object",
|
||||
"title": "Authentication configuration",
|
||||
"form": true,
|
||||
"properties": {
|
||||
"enablePostgresUser": {
|
||||
"type": "boolean",
|
||||
"title": "Enable \"postgres\" admin user",
|
||||
"description": "Assign a password to the \"postgres\" admin user. Otherwise, remote access will be blocked for this user",
|
||||
"form": true
|
||||
},
|
||||
"postgresPassword": {
|
||||
"type": "string",
|
||||
"title": "Password for the \"postgres\" admin user",
|
||||
"description": "Defaults to a random 10-character alphanumeric string if not set",
|
||||
"form": true
|
||||
},
|
||||
"database": {
|
||||
"type": "string",
|
||||
"title": "PostgreSQL custom database",
|
||||
"description": "Name of the custom database to be created during the 1st initialization of PostgreSQL",
|
||||
"form": true
|
||||
},
|
||||
"username": {
|
||||
"type": "string",
|
||||
"title": "PostgreSQL custom user",
|
||||
"description": "Name of the custom user to be created during the 1st initialization of PostgreSQL. This user only has permissions on the PostgreSQL custom database",
|
||||
"form": true
|
||||
},
|
||||
"password": {
|
||||
"type": "string",
|
||||
"title": "Password for the custom user to create",
|
||||
"description": "Defaults to a random 10-character alphanumeric string if not set",
|
||||
"form": true
|
||||
},
|
||||
"replicationUsername": {
|
||||
"type": "string",
|
||||
"title": "PostgreSQL replication user",
|
||||
"description": "Name of user used to manage replication.",
|
||||
"form": true,
|
||||
"hidden": {
|
||||
"value": "standalone",
|
||||
"path": "architecture"
|
||||
}
|
||||
},
|
||||
"replicationPassword": {
|
||||
"type": "string",
|
||||
"title": "Password for PostgreSQL replication user",
|
||||
"description": "Defaults to a random 10-character alphanumeric string if not set",
|
||||
"form": true,
|
||||
"hidden": {
|
||||
"value": "standalone",
|
||||
"path": "architecture"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"persistence": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"size": {
|
||||
"type": "string",
|
||||
"title": "Persistent Volume Size",
|
||||
"form": true,
|
||||
"render": "slider",
|
||||
"sliderMin": 1,
|
||||
"sliderMax": 100,
|
||||
"sliderUnit": "Gi"
|
||||
}
|
||||
}
|
||||
},
|
||||
"resources": {
|
||||
"type": "object",
|
||||
"title": "Required Resources",
|
||||
"description": "Configure resource requests",
|
||||
"form": true,
|
||||
"properties": {
|
||||
"requests": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"memory": {
|
||||
"type": "string",
|
||||
"form": true,
|
||||
"render": "slider",
|
||||
"title": "Memory Request",
|
||||
"sliderMin": 10,
|
||||
"sliderMax": 2048,
|
||||
"sliderUnit": "Mi"
|
||||
},
|
||||
"cpu": {
|
||||
"type": "string",
|
||||
"form": true,
|
||||
"render": "slider",
|
||||
"title": "CPU Request",
|
||||
"sliderMin": 10,
|
||||
"sliderMax": 2000,
|
||||
"sliderUnit": "m"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"replication": {
|
||||
"type": "object",
|
||||
"form": true,
|
||||
"title": "Replication Details",
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean",
|
||||
"title": "Enable Replication",
|
||||
"form": true
|
||||
},
|
||||
"readReplicas": {
|
||||
"type": "integer",
|
||||
"title": "read Replicas",
|
||||
"form": true,
|
||||
"hidden": {
|
||||
"value": "standalone",
|
||||
"path": "architecture"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"volumePermissions": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean",
|
||||
"form": true,
|
||||
"title": "Enable Init Containers",
|
||||
"description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup"
|
||||
}
|
||||
}
|
||||
},
|
||||
"metrics": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean",
|
||||
"title": "Configure metrics exporter",
|
||||
"form": true
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
1688
matrix/dendrite/charts/postgresql/values.yaml
Normal file
1688
matrix/dendrite/charts/postgresql/values.yaml
Normal file
File diff suppressed because it is too large
Load Diff
18
matrix/dendrite/ci/ct-ingress-values.yaml
Normal file
18
matrix/dendrite/ci/ct-ingress-values.yaml
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
postgresql:
|
||||
enabled: true
|
||||
primary:
|
||||
persistence:
|
||||
size: 1Gi
|
||||
|
||||
dendrite_config:
|
||||
global:
|
||||
server_name: "localhost"
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
|
||||
# dashboard is an ConfigMap with labels - it does not harm on testing
|
||||
grafana:
|
||||
dashboards:
|
||||
enabled: true
|
16
matrix/dendrite/ci/ct-postgres-sharedsecret-values.yaml
Normal file
16
matrix/dendrite/ci/ct-postgres-sharedsecret-values.yaml
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
postgresql:
|
||||
enabled: true
|
||||
primary:
|
||||
persistence:
|
||||
size: 1Gi
|
||||
|
||||
dendrite_config:
|
||||
global:
|
||||
server_name: "localhost"
|
||||
|
||||
client_api:
|
||||
registration_shared_secret: "d233f2fcb0470845a8e150a20ef594ddbe0b4cf7fe482fb9d5120c198557acbf" # echo "dendrite" | sha256sum
|
||||
|
||||
ingress:
|
||||
enabled: true
|
479
matrix/dendrite/grafana_dashboards/dendrite-rev2.json
Normal file
479
matrix/dendrite/grafana_dashboards/dendrite-rev2.json
Normal file
@ -0,0 +1,479 @@
|
||||
{
|
||||
"annotations": {
|
||||
"list": [
|
||||
{
|
||||
"builtIn": 1,
|
||||
"datasource": {
|
||||
"type": "datasource",
|
||||
"uid": "grafana"
|
||||
},
|
||||
"enable": true,
|
||||
"hide": true,
|
||||
"iconColor": "rgba(0, 211, 255, 1)",
|
||||
"name": "Annotations & Alerts",
|
||||
"target": {
|
||||
"limit": 100,
|
||||
"matchAny": false,
|
||||
"tags": [],
|
||||
"type": "dashboard"
|
||||
},
|
||||
"type": "dashboard"
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "Dendrite dashboard from https://github.com/matrix-org/dendrite/",
|
||||
"editable": true,
|
||||
"fiscalYearStartMonth": 0,
|
||||
"gnetId": 13916,
|
||||
"graphTooltip": 0,
|
||||
"id": 60,
|
||||
"links": [],
|
||||
"liveNow": false,
|
||||
"panels": [
|
||||
{
|
||||
"collapsed": false,
|
||||
"datasource": {
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 1,
|
||||
"w": 24,
|
||||
"x": 0,
|
||||
"y": 0
|
||||
},
|
||||
"id": 4,
|
||||
"panels": [],
|
||||
"targets": [
|
||||
{
|
||||
"datasource": {
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
"title": "Overview",
|
||||
"type": "row"
|
||||
},
|
||||
{
|
||||
"datasource": {
|
||||
"type": "prometheus",
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"description": "Total number of registered users",
|
||||
"fieldConfig": {
|
||||
"defaults": {
|
||||
"color": {
|
||||
"mode": "thresholds"
|
||||
},
|
||||
"mappings": [],
|
||||
"thresholds": {
|
||||
"mode": "absolute",
|
||||
"steps": [
|
||||
{
|
||||
"color": "green",
|
||||
"value": null
|
||||
},
|
||||
{
|
||||
"color": "red",
|
||||
"value": 80
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"overrides": []
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 8,
|
||||
"w": 7,
|
||||
"x": 0,
|
||||
"y": 1
|
||||
},
|
||||
"id": 20,
|
||||
"options": {
|
||||
"colorMode": "value",
|
||||
"graphMode": "area",
|
||||
"justifyMode": "auto",
|
||||
"orientation": "auto",
|
||||
"reduceOptions": {
|
||||
"calcs": [
|
||||
"lastNotNull"
|
||||
],
|
||||
"fields": "",
|
||||
"values": false
|
||||
},
|
||||
"text": {},
|
||||
"textMode": "auto"
|
||||
},
|
||||
"pluginVersion": "9.3.6",
|
||||
"targets": [
|
||||
{
|
||||
"datasource": {
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"editorMode": "code",
|
||||
"exemplar": false,
|
||||
"expr": "sum(dendrite_clientapi_reg_users_total{namespace=~\"$namespace\",service=~\"$service\"}) by (namespace,service)",
|
||||
"instant": false,
|
||||
"interval": "",
|
||||
"legendFormat": "{{namespace}}: {{service}}",
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
"title": "Registered Users",
|
||||
"type": "stat"
|
||||
},
|
||||
{
|
||||
"datasource": {
|
||||
"type": "prometheus",
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"description": "The number of sync requests that are active right now and are waiting to be woken by a notifier",
|
||||
"fieldConfig": {
|
||||
"defaults": {
|
||||
"color": {
|
||||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisCenteredZero": false,
|
||||
"axisColorMode": "text",
|
||||
"axisLabel": "",
|
||||
"axisPlacement": "auto",
|
||||
"barAlignment": 0,
|
||||
"drawStyle": "line",
|
||||
"fillOpacity": 10,
|
||||
"gradientMode": "none",
|
||||
"hideFrom": {
|
||||
"legend": false,
|
||||
"tooltip": false,
|
||||
"viz": false
|
||||
},
|
||||
"lineInterpolation": "linear",
|
||||
"lineWidth": 2,
|
||||
"pointSize": 5,
|
||||
"scaleDistribution": {
|
||||
"type": "linear"
|
||||
},
|
||||
"showPoints": "never",
|
||||
"spanNulls": false,
|
||||
"stacking": {
|
||||
"group": "A",
|
||||
"mode": "none"
|
||||
},
|
||||
"thresholdsStyle": {
|
||||
"mode": "off"
|
||||
}
|
||||
},
|
||||
"mappings": [],
|
||||
"min": 0,
|
||||
"thresholds": {
|
||||
"mode": "absolute",
|
||||
"steps": [
|
||||
{
|
||||
"color": "green",
|
||||
"value": null
|
||||
},
|
||||
{
|
||||
"color": "red",
|
||||
"value": 80
|
||||
}
|
||||
]
|
||||
},
|
||||
"unit": "ops"
|
||||
},
|
||||
"overrides": []
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 8,
|
||||
"w": 17,
|
||||
"x": 7,
|
||||
"y": 1
|
||||
},
|
||||
"id": 6,
|
||||
"options": {
|
||||
"legend": {
|
||||
"calcs": [
|
||||
"mean",
|
||||
"lastNotNull"
|
||||
],
|
||||
"displayMode": "table",
|
||||
"placement": "right",
|
||||
"showLegend": true
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "multi",
|
||||
"sort": "none"
|
||||
}
|
||||
},
|
||||
"pluginVersion": "9.3.6",
|
||||
"targets": [
|
||||
{
|
||||
"datasource": {
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"editorMode": "code",
|
||||
"expr": "sum(rate(dendrite_syncapi_active_sync_requests{namespace=~\"$namespace\",service=~\"$service\"}[$__rate_interval]))by (namspace,service)",
|
||||
"hide": false,
|
||||
"interval": "",
|
||||
"legendFormat": "active: {{namspace}} - {{service}}",
|
||||
"range": true,
|
||||
"refId": "A"
|
||||
},
|
||||
{
|
||||
"datasource": {
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"editorMode": "code",
|
||||
"expr": "sum(rate(dendrite_syncapi_waiting_sync_requests{namespace=~\"$namespace\",service=~\"$service\"}[$__rate_interval]))by (namespace,service)",
|
||||
"hide": false,
|
||||
"interval": "",
|
||||
"legendFormat": "waiting: {{namspace}} - {{service}}",
|
||||
"range": true,
|
||||
"refId": "B"
|
||||
}
|
||||
],
|
||||
"title": "Sync API",
|
||||
"type": "timeseries"
|
||||
},
|
||||
{
|
||||
"collapsed": false,
|
||||
"datasource": {
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 1,
|
||||
"w": 24,
|
||||
"x": 0,
|
||||
"y": 9
|
||||
},
|
||||
"id": 8,
|
||||
"panels": [],
|
||||
"targets": [
|
||||
{
|
||||
"datasource": {
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"refId": "A"
|
||||
}
|
||||
],
|
||||
"title": "Federation",
|
||||
"type": "row"
|
||||
},
|
||||
{
|
||||
"datasource": {
|
||||
"type": "prometheus",
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"description": "Collection of queues for sending transactions to other matrix servers",
|
||||
"fieldConfig": {
|
||||
"defaults": {
|
||||
"color": {
|
||||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisCenteredZero": false,
|
||||
"axisColorMode": "text",
|
||||
"axisLabel": "",
|
||||
"axisPlacement": "auto",
|
||||
"barAlignment": 0,
|
||||
"drawStyle": "line",
|
||||
"fillOpacity": 10,
|
||||
"gradientMode": "none",
|
||||
"hideFrom": {
|
||||
"legend": false,
|
||||
"tooltip": false,
|
||||
"viz": false
|
||||
},
|
||||
"lineInterpolation": "linear",
|
||||
"lineWidth": 1,
|
||||
"pointSize": 5,
|
||||
"scaleDistribution": {
|
||||
"type": "linear"
|
||||
},
|
||||
"showPoints": "never",
|
||||
"spanNulls": false,
|
||||
"stacking": {
|
||||
"group": "A",
|
||||
"mode": "none"
|
||||
},
|
||||
"thresholdsStyle": {
|
||||
"mode": "off"
|
||||
}
|
||||
},
|
||||
"mappings": [],
|
||||
"thresholds": {
|
||||
"mode": "absolute",
|
||||
"steps": [
|
||||
{
|
||||
"color": "green",
|
||||
"value": null
|
||||
},
|
||||
{
|
||||
"color": "red",
|
||||
"value": 80
|
||||
}
|
||||
]
|
||||
},
|
||||
"unit": "short"
|
||||
},
|
||||
"overrides": []
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 10,
|
||||
"w": 24,
|
||||
"x": 0,
|
||||
"y": 10
|
||||
},
|
||||
"id": 10,
|
||||
"options": {
|
||||
"legend": {
|
||||
"calcs": [
|
||||
"mean",
|
||||
"lastNotNull"
|
||||
],
|
||||
"displayMode": "table",
|
||||
"placement": "right",
|
||||
"showLegend": true
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "multi",
|
||||
"sort": "none"
|
||||
}
|
||||
},
|
||||
"pluginVersion": "9.3.6",
|
||||
"targets": [
|
||||
{
|
||||
"datasource": {
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"editorMode": "code",
|
||||
"expr": "dendrite_federationapi_destination_queues_running{namespace=~\"$namespace\",service=~\"$service\"}",
|
||||
"interval": "",
|
||||
"legendFormat": "Queue Running: {{namespace}}-{{service}}",
|
||||
"range": true,
|
||||
"refId": "A"
|
||||
},
|
||||
{
|
||||
"datasource": {
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"editorMode": "code",
|
||||
"expr": "dendrite_federationapi_destination_queues_total{namespace=~\"$namespace\",service=~\"$service\"}",
|
||||
"hide": false,
|
||||
"interval": "",
|
||||
"legendFormat": "Queue Total: {{namespace}}-{{service}}",
|
||||
"range": true,
|
||||
"refId": "B"
|
||||
},
|
||||
{
|
||||
"datasource": {
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"editorMode": "code",
|
||||
"expr": "dendrite_federationapi_destination_queues_backing_off{namespace=~\"$namespace\",service=~\"$service\"}",
|
||||
"hide": false,
|
||||
"interval": "",
|
||||
"legendFormat": "Backing Off: {{namespace}}-{{service}}",
|
||||
"range": true,
|
||||
"refId": "C"
|
||||
}
|
||||
],
|
||||
"title": "Federation Sender Destination",
|
||||
"type": "timeseries"
|
||||
}
|
||||
],
|
||||
"refresh": "10s",
|
||||
"schemaVersion": 37,
|
||||
"style": "dark",
|
||||
"tags": [
|
||||
"matrix",
|
||||
"dendrite"
|
||||
],
|
||||
"templating": {
|
||||
"list": [
|
||||
{
|
||||
"current": {
|
||||
"selected": false,
|
||||
"text": "Prometheus",
|
||||
"value": "Prometheus"
|
||||
},
|
||||
"hide": 0,
|
||||
"includeAll": false,
|
||||
"label": "datasource",
|
||||
"multi": false,
|
||||
"name": "DS_PROMETHEUS",
|
||||
"options": [],
|
||||
"query": "prometheus",
|
||||
"refresh": 1,
|
||||
"regex": "",
|
||||
"skipUrlSync": false,
|
||||
"type": "datasource"
|
||||
},
|
||||
{
|
||||
"current": {
|
||||
"selected": true,
|
||||
"text": [
|
||||
"All"
|
||||
],
|
||||
"value": [
|
||||
"$__all"
|
||||
]
|
||||
},
|
||||
"datasource": {
|
||||
"type": "prometheus",
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"definition": "label_values(dendrite_syncapi_active_sync_requests, namespace)",
|
||||
"hide": 0,
|
||||
"includeAll": true,
|
||||
"multi": true,
|
||||
"name": "namespace",
|
||||
"options": [],
|
||||
"query": {
|
||||
"query": "label_values(dendrite_syncapi_active_sync_requests, namespace)",
|
||||
"refId": "StandardVariableQuery"
|
||||
},
|
||||
"refresh": 1,
|
||||
"regex": "",
|
||||
"skipUrlSync": false,
|
||||
"sort": 0,
|
||||
"type": "query"
|
||||
},
|
||||
{
|
||||
"current": {
|
||||
"selected": false,
|
||||
"text": "All",
|
||||
"value": "$__all"
|
||||
},
|
||||
"datasource": {
|
||||
"type": "prometheus",
|
||||
"uid": "${DS_PROMETHEUS}"
|
||||
},
|
||||
"definition": "label_values(dendrite_syncapi_active_sync_requests{namespace=~\"$namespace\"}, service)",
|
||||
"hide": 0,
|
||||
"includeAll": true,
|
||||
"multi": true,
|
||||
"name": "service",
|
||||
"options": [],
|
||||
"query": {
|
||||
"query": "label_values(dendrite_syncapi_active_sync_requests{namespace=~\"$namespace\"}, service)",
|
||||
"refId": "StandardVariableQuery"
|
||||
},
|
||||
"refresh": 1,
|
||||
"regex": "",
|
||||
"skipUrlSync": false,
|
||||
"sort": 0,
|
||||
"type": "query"
|
||||
}
|
||||
]
|
||||
},
|
||||
"time": {
|
||||
"from": "now-3h",
|
||||
"to": "now"
|
||||
},
|
||||
"timepicker": {},
|
||||
"timezone": "",
|
||||
"title": "Dendrite",
|
||||
"uid": "RoRt1jEGz",
|
||||
"version": 1,
|
||||
"weekStart": ""
|
||||
}
|
BIN
matrix/dendrite/grafana_dashboards/dendrite-rev2.png
Normal file
BIN
matrix/dendrite/grafana_dashboards/dendrite-rev2.png
Normal file
Binary file not shown.
After ![]() (image error) Size: 125 KiB |
68
matrix/dendrite/templates/_helpers.tpl
Normal file
68
matrix/dendrite/templates/_helpers.tpl
Normal file
@ -0,0 +1,68 @@
|
||||
{{- define "validate.config" }}
|
||||
{{- if and (not .Values.signing_key.create) (eq .Values.signing_key.existingSecret "") -}}
|
||||
{{- fail "You must create a signing key for configuration.signing_key OR specify an existing secret name in .Values.signing_key.existingSecret to mount it. (see https://github.com/matrix-org/dendrite/blob/master/docs/INSTALL.md#server-key-generation)" -}}
|
||||
{{- end -}}
|
||||
{{- if and (not .Values.postgresql.enabled) (eq .Values.dendrite_config.global.database.connection_string "") -}}
|
||||
{{- fail "Database connection string must be set." -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
|
||||
{{- define "image.name" -}}
|
||||
{{- with .Values.image -}}
|
||||
image: {{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}
|
||||
imagePullPolicy: {{ .pullPolicy }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "dendrite.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "dendrite.fullname" -}}
|
||||
{{- if .Values.fullnameOverride }}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride }}
|
||||
{{- if contains $name .Release.Name }}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "dendrite.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "dendrite.labels" -}}
|
||||
helm.sh/chart: {{ include "dendrite.chart" . }}
|
||||
{{ include "dendrite.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "dendrite.selectorLabels" -}}
|
||||
app.kubernetes.io/name: {{ include "dendrite.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end }}
|
16
matrix/dendrite/templates/_overrides.yaml
Normal file
16
matrix/dendrite/templates/_overrides.yaml
Normal file
@ -0,0 +1,16 @@
|
||||
{{- define "override.config" }}
|
||||
{{- if .Values.postgresql.enabled }}
|
||||
{{- $_ := set .Values.dendrite_config.global.database "connection_string" (print "postgresql://" .Values.postgresql.auth.username ":" .Values.postgresql.auth.password "@" .Release.Name "-postgresql/dendrite?sslmode=disable") -}}
|
||||
{{ end }}
|
||||
global:
|
||||
private_key: /etc/dendrite/secrets/signing.key
|
||||
jetstream:
|
||||
in_memory: false
|
||||
{{ if (gt (len (.Files.Glob "appservices/*")) 0) }}
|
||||
app_service_api:
|
||||
config_files:
|
||||
{{- range $x, $y := .Files.Glob "appservices/*" }}
|
||||
- /etc/dendrite/appservices/{{ base $x }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
16
matrix/dendrite/templates/configmap_grafana_dashboards.yaml
Normal file
16
matrix/dendrite/templates/configmap_grafana_dashboards.yaml
Normal file
@ -0,0 +1,16 @@
|
||||
{{- if .Values.grafana.dashboards.enabled }}
|
||||
{{- range $path, $bytes := .Files.Glob "grafana_dashboards/*.json" }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "dendrite.fullname" $ }}-grafana-dashboards-{{ base $path }}
|
||||
labels:
|
||||
{{- include "dendrite.labels" $ | nindent 4 }}
|
||||
{{- toYaml $.Values.grafana.dashboards.labels | nindent 4 }}
|
||||
annotations:
|
||||
{{- toYaml $.Values.grafana.dashboards.annotations | nindent 4 }}
|
||||
data:
|
||||
{{- ($.Files.Glob $path ).AsConfig | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
115
matrix/dendrite/templates/deployment.yaml
Normal file
115
matrix/dendrite/templates/deployment.yaml
Normal file
@ -0,0 +1,115 @@
|
||||
{{ template "validate.config" . }}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
name: {{ include "dendrite.fullname" . }}
|
||||
labels:
|
||||
{{- include "dendrite.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "dendrite.selectorLabels" . | nindent 6 }}
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: {{ $.Values.strategy.type }}
|
||||
{{- if eq $.Values.strategy.type "RollingUpdate" }}
|
||||
rollingUpdate:
|
||||
maxSurge: {{ $.Values.strategy.rollingUpdate.maxSurge }}
|
||||
maxUnavailable: {{ $.Values.strategy.rollingUpdate.maxUnavailable }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "dendrite.selectorLabels" . | nindent 8 }}
|
||||
annotations:
|
||||
confighash: secret-{{ .Values.dendrite_config | toYaml | sha256sum | trunc 32 }}
|
||||
spec:
|
||||
volumes:
|
||||
- name: {{ include "dendrite.fullname" . }}-conf-vol
|
||||
secret:
|
||||
secretName: {{ include "dendrite.fullname" . }}-conf
|
||||
- name: {{ include "dendrite.fullname" . }}-signing-key
|
||||
secret:
|
||||
secretName: {{ default (print ( include "dendrite.fullname" . ) "-signing-key") $.Values.signing_key.existingSecret | quote }}
|
||||
{{- if (gt (len ($.Files.Glob "appservices/*")) 0) }}
|
||||
- name: {{ include "dendrite.fullname" . }}-appservices
|
||||
secret:
|
||||
secretName: {{ include "dendrite.fullname" . }}-appservices-conf
|
||||
{{- end }}
|
||||
- name: {{ include "dendrite.fullname" . }}-jetstream
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ default (print ( include "dendrite.fullname" . ) "-jetstream-pvc") $.Values.persistence.jetstream.existingClaim | quote }}
|
||||
- name: {{ include "dendrite.fullname" . }}-media
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ default (print ( include "dendrite.fullname" . ) "-media-pvc") $.Values.persistence.media.existingClaim | quote }}
|
||||
- name: {{ include "dendrite.fullname" . }}-search
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ default (print ( include "dendrite.fullname" . ) "-search-pvc") $.Values.persistence.search.existingClaim | quote }}
|
||||
{{- with .Values.extraVolumes }}
|
||||
{{ . | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
{{- include "image.name" . | nindent 8 }}
|
||||
args:
|
||||
- '--config'
|
||||
- '/etc/dendrite/dendrite.yaml'
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8008
|
||||
protocol: TCP
|
||||
{{- if $.Values.dendrite_config.global.profiling.enabled }}
|
||||
env:
|
||||
- name: PPROFLISTEN
|
||||
value: "localhost:{{- $.Values.dendrite_config.global.profiling.port -}}"
|
||||
{{- end }}
|
||||
env:
|
||||
- name: HTTPS_PROXY
|
||||
value: "socks5://proxy:1080"
|
||||
resources:
|
||||
{{- toYaml $.Values.resources | nindent 10 }}
|
||||
volumeMounts:
|
||||
- mountPath: /etc/dendrite/
|
||||
name: {{ include "dendrite.fullname" . }}-conf-vol
|
||||
- mountPath: /etc/dendrite/secrets/
|
||||
name: {{ include "dendrite.fullname" . }}-signing-key
|
||||
{{- if (gt (len ($.Files.Glob "appservices/*")) 0) }}
|
||||
- mountPath: /etc/dendrite/appservices
|
||||
name: {{ include "dendrite.fullname" . }}-appservices
|
||||
readOnly: true
|
||||
{{ end }}
|
||||
- mountPath: {{ .Values.dendrite_config.media_api.base_path }}
|
||||
name: {{ include "dendrite.fullname" . }}-media
|
||||
- mountPath: {{ .Values.dendrite_config.global.jetstream.storage_path }}
|
||||
name: {{ include "dendrite.fullname" . }}-jetstream
|
||||
- mountPath: {{ .Values.dendrite_config.sync_api.search.index_path }}
|
||||
name: {{ include "dendrite.fullname" . }}-search
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
{{ . | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 10
|
||||
httpGet:
|
||||
path: /_dendrite/monitor/health
|
||||
port: http
|
||||
readinessProbe:
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 10
|
||||
httpGet:
|
||||
path: /_dendrite/monitor/health
|
||||
port: http
|
||||
startupProbe:
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 10
|
||||
httpGet:
|
||||
path: /_dendrite/monitor/up
|
||||
port: http
|
116
matrix/dendrite/templates/ingress.yaml
Normal file
116
matrix/dendrite/templates/ingress.yaml
Normal file
@ -0,0 +1,116 @@
|
||||
{{- if .Values.ingress.enabled -}}
|
||||
{{- $fullName := include "dendrite.fullname" . -}}
|
||||
{{- $serverNameHost := .Values.dendrite_config.global.server_name -}}
|
||||
{{- $wellKnownServerHost := default $serverNameHost (regexFind "^(\\[.+\\])?[^:]*" .Values.dendrite_config.global.well_known_server_name) -}}
|
||||
{{- $wellKnownClientHost := default $serverNameHost (regexFind "//(\\[.+\\])?[^:/]*" .Values.dendrite_config.global.well_known_client_name | trimAll "/") -}}
|
||||
{{- $allHosts := list $serverNameHost $wellKnownServerHost $wellKnownClientHost | uniq -}}
|
||||
|
||||
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
{{- else -}}
|
||||
apiVersion: extensions/v1beta1
|
||||
{{- end }}
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ $fullName }}
|
||||
labels:
|
||||
{{- include "dendrite.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
|
||||
kubernetes.io/ingress.class: {{ .Values.ingress.className }}
|
||||
{{- end }}
|
||||
{{- with .Values.ingress.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
|
||||
ingressClassName: {{ .Values.ingress.className }}
|
||||
{{- end }}
|
||||
{{- if kindIs "slice" .Values.ingress.tls }}
|
||||
tls:
|
||||
{{- range .Values.ingress.tls }}
|
||||
- hosts:
|
||||
{{- range .hosts }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
secretName: {{ .secretName }}
|
||||
{{- end }}
|
||||
{{- else if .Values.ingress.tls.generate }}
|
||||
tls:
|
||||
- hosts:
|
||||
{{- range $allHosts }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
secretName: {{ $fullName }}-ingress-tls
|
||||
{{- end }}
|
||||
rules:
|
||||
{{- if .Values.ingress.hostName }}
|
||||
- host: {{ .Values.ingress.hostName | quote }}
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
|
||||
service:
|
||||
name: {{ $fullName }}
|
||||
port:
|
||||
number: {{ $.Values.service.port }}
|
||||
{{- else }}
|
||||
serviceName: {{ $fullName }}
|
||||
servicePort: http
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- host: {{ $serverNameHost | quote }}
|
||||
http:
|
||||
paths:
|
||||
- path: /.well-known/matrix
|
||||
pathType: Prefix
|
||||
backend:
|
||||
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
|
||||
service:
|
||||
name: {{ $fullName }}
|
||||
port:
|
||||
number: {{ $.Values.service.port }}
|
||||
{{- else }}
|
||||
serviceName: {{ $fullName }}
|
||||
servicePort: http
|
||||
{{- end }}
|
||||
- host: {{ $wellKnownServerHost | quote }}
|
||||
http:
|
||||
paths:
|
||||
{{- range list "/_matrix/key" "/_matrix/federation" }}
|
||||
- path: {{ . | quote }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
|
||||
service:
|
||||
name: {{ $fullName }}
|
||||
port:
|
||||
number: {{ $.Values.service.port }}
|
||||
{{- else }}
|
||||
serviceName: {{ $fullName }}
|
||||
servicePort: http
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- host: {{ $wellKnownClientHost | quote }}
|
||||
http:
|
||||
paths:
|
||||
{{- range list "/_matrix/client" "/_matrix/media" }}
|
||||
- path: {{ . | quote }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
|
||||
service:
|
||||
name: {{ $fullName }}
|
||||
port:
|
||||
number: {{ $.Values.service.port }}
|
||||
{{- else }}
|
||||
serviceName: {{ $fullName }}
|
||||
servicePort: http
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
100
matrix/dendrite/templates/jobs.yaml
Normal file
100
matrix/dendrite/templates/jobs.yaml
Normal file
@ -0,0 +1,100 @@
|
||||
{{ if and .Values.signing_key.create (not .Values.signing_key.existingSecret ) }}
|
||||
{{ $name := (print ( include "dendrite.fullname" . ) "-signing-key") }}
|
||||
{{ $secretName := (print ( include "dendrite.fullname" . ) "-signing-key") }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ $name }}
|
||||
labels:
|
||||
app.kubernetes.io/component: signingkey-job
|
||||
{{- include "dendrite.labels" . | nindent 4 }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $name }}
|
||||
labels:
|
||||
app.kubernetes.io/component: signingkey-job
|
||||
{{- include "dendrite.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
resourceNames:
|
||||
- {{ $secretName }}
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
- patch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $name }}
|
||||
labels:
|
||||
app.kubernetes.io/component: signingkey-job
|
||||
{{- include "dendrite.labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $name }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: generate-signing-key
|
||||
labels:
|
||||
{{- include "dendrite.labels" . | nindent 4 }}
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
restartPolicy: "Never"
|
||||
serviceAccount: {{ $name }}
|
||||
containers:
|
||||
- name: upload-key
|
||||
image: {{ $.Values.image.kubectl }}
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
# check if key already exists
|
||||
key=$(kubectl get secret {{ $secretName }} -o jsonpath="{.data['signing\.key']}" 2> /dev/null)
|
||||
[ $? -ne 0 ] && echo "Failed to get existing secret" && exit 1
|
||||
[ -n "$key" ] && echo "Key already created, exiting." && exit 0
|
||||
# wait for signing key
|
||||
while [ ! -f /etc/dendrite/signing-key.pem ]; do
|
||||
echo "Waiting for signing key.."
|
||||
sleep 5;
|
||||
done
|
||||
# update secret
|
||||
kubectl patch secret {{ $secretName }} -p "{\"data\":{\"signing.key\":\"$(base64 /etc/dendrite/signing-key.pem | tr -d '\n')\"}}"
|
||||
[ $? -ne 0 ] && echo "Failed to update secret." && exit 1
|
||||
echo "Signing key successfully created."
|
||||
volumeMounts:
|
||||
- mountPath: /etc/dendrite/
|
||||
name: signing-key
|
||||
readOnly: true
|
||||
- name: generate-key
|
||||
{{- include "image.name" . | nindent 8 }}
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
/usr/bin/generate-keys -private-key /etc/dendrite/signing-key.pem
|
||||
chown 1001:1001 /etc/dendrite/signing-key.pem
|
||||
volumeMounts:
|
||||
- mountPath: /etc/dendrite/
|
||||
name: signing-key
|
||||
volumes:
|
||||
- name: signing-key
|
||||
emptyDir: {}
|
||||
parallelism: 1
|
||||
completions: 1
|
||||
backoffLimit: 1
|
||||
{{ end }}
|
18
matrix/dendrite/templates/prometheus-rules.yaml
Normal file
18
matrix/dendrite/templates/prometheus-rules.yaml
Normal file
@ -0,0 +1,18 @@
|
||||
{{- if and ( .Values.prometheus.rules.enabled ) ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) }}
|
||||
---
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PrometheusRule
|
||||
metadata:
|
||||
name: {{ include "dendrite.fullname" . }}
|
||||
labels:
|
||||
{{- include "dendrite.labels" . | nindent 4 }}
|
||||
{{- with .Values.prometheus.rules.labels }}
|
||||
{{- . | toYaml | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
groups:
|
||||
{{- if .Values.prometheus.rules.additionalRules }}
|
||||
- name: {{ template "dendrite.name" . }}-Additional
|
||||
rules: {{- toYaml .Values.prometheus.rules.additionalRules | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
69
matrix/dendrite/templates/pvc.yaml
Normal file
69
matrix/dendrite/templates/pvc.yaml
Normal file
@ -0,0 +1,69 @@
|
||||
{{ if not .Values.persistence.media.existingClaim }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
annotations:
|
||||
helm.sh/resource-policy: keep
|
||||
name: {{ include "dendrite.fullname" . }}-media-pvc
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.persistence.media.capacity }}
|
||||
{{ $storageClass := .Values.persistence.media.storageClass | default .Values.persistence.storageClass }}
|
||||
{{- if $storageClass }}
|
||||
{{- if (eq "-" $storageClass) }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: "{{ $storageClass }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
{{ if not .Values.persistence.jetstream.existingClaim }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
annotations:
|
||||
helm.sh/resource-policy: keep
|
||||
name: {{ include "dendrite.fullname" . }}-jetstream-pvc
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.persistence.jetstream.capacity }}
|
||||
{{ $storageClass := .Values.persistence.jetstream.storageClass | default .Values.persistence.storageClass }}
|
||||
{{- if $storageClass }}
|
||||
{{- if (eq "-" $storageClass) }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: "{{ $storageClass }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
{{ if not .Values.persistence.search.existingClaim }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
annotations:
|
||||
helm.sh/resource-policy: keep
|
||||
name: {{ include "dendrite.fullname" . }}-search-pvc
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.persistence.search.capacity }}
|
||||
{{ $storageClass := .Values.persistence.search.storageClass | default .Values.persistence.storageClass }}
|
||||
{{- if $storageClass }}
|
||||
{{- if (eq "-" $storageClass) }}
|
||||
storageClassName: ""
|
||||
{{- else }}
|
||||
storageClassName: "{{ $storageClass }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ end }}
|
45
matrix/dendrite/templates/secrets.yaml
Normal file
45
matrix/dendrite/templates/secrets.yaml
Normal file
@ -0,0 +1,45 @@
|
||||
{{- if (gt (len (.Files.Glob "appservices/*")) 0) }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "dendrite.fullname" . }}-appservices-conf
|
||||
type: Opaque
|
||||
data:
|
||||
{{ (.Files.Glob "appservices/*").AsSecrets | indent 2 }}
|
||||
{{- end }}
|
||||
|
||||
{{- if and .Values.signing_key.create (not .Values.signing_key.existingSecret) }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
helm.sh/resource-policy: keep
|
||||
name: {{ include "dendrite.fullname" . }}-signing-key
|
||||
type: Opaque
|
||||
{{- end }}
|
||||
|
||||
{{- with .Values.dendrite_config.global.metrics }}
|
||||
{{- if .enabled }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "dendrite.fullname" $ }}-metrics-basic-auth
|
||||
type: Opaque
|
||||
stringData:
|
||||
user: {{ .basic_auth.user | quote }}
|
||||
password: {{ .basic_auth.password | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "dendrite.fullname" . }}-conf
|
||||
type: Opaque
|
||||
stringData:
|
||||
dendrite.yaml: |
|
||||
{{ toYaml ( mustMergeOverwrite .Values.dendrite_config ( fromYaml (include "override.config" .) ) .Values.dendrite_config ) | nindent 4 }}
|
17
matrix/dendrite/templates/service.yaml
Normal file
17
matrix/dendrite/templates/service.yaml
Normal file
@ -0,0 +1,17 @@
|
||||
{{ template "validate.config" . }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
name: {{ include "dendrite.fullname" . }}
|
||||
labels:
|
||||
{{- include "dendrite.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
{{- include "dendrite.selectorLabels" . | nindent 4 }}
|
||||
ports:
|
||||
- name: http
|
||||
protocol: TCP
|
||||
port: {{ .Values.service.port }}
|
||||
targetPort: http
|
28
matrix/dendrite/templates/servicemonitor.yaml
Normal file
28
matrix/dendrite/templates/servicemonitor.yaml
Normal file
@ -0,0 +1,28 @@
|
||||
{{- if and
|
||||
(and .Values.prometheus.servicemonitor.enabled .Values.dendrite_config.global.metrics.enabled )
|
||||
( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" )
|
||||
}}
|
||||
---
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "dendrite.fullname" . }}
|
||||
labels:
|
||||
{{- include "dendrite.labels" . | nindent 4 }}
|
||||
{{- with .Values.prometheus.servicemonitor.labels }}
|
||||
{{- . | toYaml | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
endpoints:
|
||||
- port: http
|
||||
basicAuth:
|
||||
username:
|
||||
name: {{ include "dendrite.fullname" . }}-metrics-basic-auth
|
||||
key: "user"
|
||||
password:
|
||||
name: {{ include "dendrite.fullname" . }}-metrics-basic-auth
|
||||
key: "password"
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "dendrite.selectorLabels" . | nindent 6 }}
|
||||
{{- end }}
|
17
matrix/dendrite/templates/tests/test-version.yaml
Normal file
17
matrix/dendrite/templates/tests/test-version.yaml
Normal file
@ -0,0 +1,17 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: "{{ include "dendrite.fullname" . }}-test-version"
|
||||
labels:
|
||||
{{- include "dendrite.selectorLabels" . | nindent 4 }}
|
||||
annotations:
|
||||
"helm.sh/hook": test
|
||||
spec:
|
||||
containers:
|
||||
- name: curl
|
||||
image: curlimages/curl
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- 'http://{{- include "dendrite.fullname" . -}}:8008/_matrix/client/versions'
|
||||
restartPolicy: Never
|
428
matrix/dendrite/values.yaml
Normal file
428
matrix/dendrite/values.yaml
Normal file
@ -0,0 +1,428 @@
|
||||
image:
|
||||
# -- Docker repository/image to use
|
||||
repository: "ghcr.io/matrix-org/dendrite-monolith"
|
||||
kubectl: "bitnami/kubectl"
|
||||
# -- Kubernetes pullPolicy
|
||||
pullPolicy: IfNotPresent
|
||||
# -- Overrides the image tag whose default is the chart appVersion.
|
||||
tag: ""
|
||||
|
||||
|
||||
# signing key to use
|
||||
signing_key:
|
||||
# -- Create a new signing key, if not exists
|
||||
create: true
|
||||
# -- Use an existing secret
|
||||
existingSecret: ""
|
||||
|
||||
# -- Default resource requests/limits.
|
||||
# @default -- sets some sane default values
|
||||
resources:
|
||||
requests:
|
||||
memory: "512Mi"
|
||||
limits:
|
||||
memory: "4096Mi"
|
||||
|
||||
persistence:
|
||||
# -- The storage class to use for volume claims.
|
||||
# Used unless specified at the specific component.
|
||||
# Defaults to the cluster default storage class.
|
||||
# If defined, storageClassName: <storageClass>
|
||||
# If set to "-", storageClassName: "", which disables dynamic provisioning
|
||||
# If undefined (the default) or set to null, no storageClassName spec is
|
||||
# set, choosing the default provisioner. (gp2 on AWS, standard on
|
||||
# GKE, AWS & OpenStack)
|
||||
#
|
||||
storageClass:
|
||||
jetstream:
|
||||
# -- Use an existing volume claim for jetstream
|
||||
existingClaim: ""
|
||||
# -- PVC Storage Request for the jetstream volume
|
||||
capacity: "1Gi"
|
||||
# -- The storage class to use for volume claims.
|
||||
# Defaults to persistence.storageClass
|
||||
# If defined, storageClassName: <storageClass>
|
||||
# If set to "-", storageClassName: "", which disables dynamic provisioning
|
||||
# If undefined (the default) or set to null, no storageClassName spec is
|
||||
# set, choosing the default provisioner. (gp2 on AWS, standard on
|
||||
# GKE, AWS & OpenStack)
|
||||
storageClass:
|
||||
media:
|
||||
# -- Use an existing volume claim for media files
|
||||
existingClaim: ""
|
||||
# -- PVC Storage Request for the media volume
|
||||
capacity: "1Gi"
|
||||
# -- The storage class to use for volume claims.
|
||||
# Defaults to persistence.storageClass
|
||||
# If defined, storageClassName: <storageClass>
|
||||
# If set to "-", storageClassName: "", which disables dynamic provisioning
|
||||
# If undefined (the default) or set to null, no storageClassName spec is
|
||||
# set, choosing the default provisioner. (gp2 on AWS, standard on
|
||||
# GKE, AWS & OpenStack)
|
||||
storageClass:
|
||||
search:
|
||||
# -- Use an existing volume claim for the fulltext search index
|
||||
existingClaim: ""
|
||||
# -- PVC Storage Request for the search volume
|
||||
capacity: "1Gi"
|
||||
# -- The storage class to use for volume claims.
|
||||
# Defaults to persistence.storageClass
|
||||
# If defined, storageClassName: <storageClass>
|
||||
# If set to "-", storageClassName: "", which disables dynamic provisioning
|
||||
# If undefined (the default) or set to null, no storageClassName spec is
|
||||
# set, choosing the default provisioner. (gp2 on AWS, standard on
|
||||
# GKE, AWS & OpenStack)
|
||||
storageClass:
|
||||
|
||||
# -- Add additional volumes to the Dendrite Pod
|
||||
extraVolumes: []
|
||||
# ex.
|
||||
# - name: extra-config
|
||||
# secret:
|
||||
# secretName: extra-config
|
||||
|
||||
# -- Configure additional mount points volumes in the Dendrite Pod
|
||||
extraVolumeMounts: []
|
||||
# ex.
|
||||
# - mountPath: /etc/dendrite/extra-config
|
||||
# name: extra-config
|
||||
|
||||
strategy:
|
||||
# -- Strategy to use for rolling updates (e.g. Recreate, RollingUpdate)
|
||||
# If you are using ReadWriteOnce volumes, you should probably use Recreate
|
||||
type: Recreate
|
||||
rollingUpdate:
|
||||
# -- Maximum number of pods that can be unavailable during the update process
|
||||
maxUnavailable: 25%
|
||||
# -- Maximum number of pods that can be scheduled above the desired number of pods
|
||||
maxSurge: 25%
|
||||
|
||||
dendrite_config:
|
||||
version: 2
|
||||
global:
|
||||
# -- **REQUIRED** Servername for this Dendrite deployment.
|
||||
server_name: ""
|
||||
|
||||
# -- The private key to use. (**NOTE**: This is overriden in Helm)
|
||||
private_key: /etc/dendrite/secrets/signing.key
|
||||
|
||||
# -- The server name to delegate server-server communications to, with optional port
|
||||
# e.g. localhost:443
|
||||
well_known_server_name: ""
|
||||
|
||||
# -- The server name to delegate client-server communications to, with optional port
|
||||
# e.g. localhost:443
|
||||
well_known_client_name: ""
|
||||
|
||||
# -- Lists of domains that the server will trust as identity servers to verify third
|
||||
# party identifiers such as phone numbers and email addresses.
|
||||
trusted_third_party_id_servers:
|
||||
- matrix.org
|
||||
- vector.im
|
||||
|
||||
# -- The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
|
||||
# to old signing keys that were formerly in use on this domain name. These
|
||||
# keys will not be used for federation request or event signing, but will be
|
||||
# provided to any other homeserver that asks when trying to verify old events.
|
||||
old_private_keys:
|
||||
# If the old private key file is available:
|
||||
# - private_key: old_matrix_key.pem
|
||||
# expired_at: 1601024554498
|
||||
# If only the public key (in base64 format) and key ID are known:
|
||||
# - public_key: mn59Kxfdq9VziYHSBzI7+EDPDcBS2Xl7jeUdiiQcOnM=
|
||||
# key_id: ed25519:mykeyid
|
||||
# expired_at: 1601024554498
|
||||
|
||||
# -- Disable federation. Dendrite will not be able to make any outbound HTTP requests
|
||||
# to other servers and the federation API will not be exposed.
|
||||
disable_federation: false
|
||||
|
||||
key_validity_period: 168h0m0s
|
||||
|
||||
database:
|
||||
# -- The connection string for connections to Postgres.
|
||||
# This will be set automatically if using the Postgres dependency
|
||||
connection_string: ""
|
||||
|
||||
# -- Default database maximum open connections
|
||||
max_open_conns: 90
|
||||
# -- Default database maximum idle connections
|
||||
max_idle_conns: 5
|
||||
# -- Default database maximum lifetime
|
||||
conn_max_lifetime: -1
|
||||
|
||||
jetstream:
|
||||
# -- Persistent directory to store JetStream streams in.
|
||||
storage_path: "/data/jetstream"
|
||||
# -- NATS JetStream server addresses if not using internal NATS.
|
||||
addresses: []
|
||||
# -- The prefix for JetStream streams
|
||||
topic_prefix: "Dendrite"
|
||||
# -- Keep all data in memory. (**NOTE**: This is overriden in Helm to `false`)
|
||||
in_memory: false
|
||||
# -- Disables TLS validation. This should **NOT** be used in production.
|
||||
disable_tls_validation: true
|
||||
|
||||
cache:
|
||||
# -- The estimated maximum size for the global cache in bytes, or in terabytes,
|
||||
# gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
|
||||
# 'kb' suffix is specified. Note that this is not a hard limit, nor is it a
|
||||
# memory limit for the entire process. A cache that is too small may ultimately
|
||||
# provide little or no benefit.
|
||||
max_size_estimated: 1gb
|
||||
# -- The maximum amount of time that a cache entry can live for in memory before
|
||||
# it will be evicted and/or refreshed from the database. Lower values result in
|
||||
# easier admission of new cache entries but may also increase database load in
|
||||
# comparison to higher values, so adjust conservatively. Higher values may make
|
||||
# it harder for new items to make it into the cache, e.g. if new rooms suddenly
|
||||
# become popular.
|
||||
max_age: 1h
|
||||
|
||||
report_stats:
|
||||
# -- Configures phone-home statistics reporting. These statistics contain the server
|
||||
# name, number of active users and some information on your deployment config.
|
||||
# We use this information to understand how Dendrite is being used in the wild.
|
||||
enabled: false
|
||||
# -- Endpoint to report statistics to.
|
||||
endpoint: https://matrix.org/report-usage-stats/push
|
||||
|
||||
presence:
|
||||
# -- Controls whether we receive presence events from other servers
|
||||
enable_inbound: false
|
||||
# -- Controls whether we send presence events for our local users to other servers.
|
||||
# (_May increase CPU/memory usage_)
|
||||
enable_outbound: false
|
||||
|
||||
server_notices:
|
||||
# -- Server notices allows server admins to send messages to all users on the server.
|
||||
enabled: false
|
||||
# -- The local part for the user sending server notices.
|
||||
local_part: "_server"
|
||||
# -- The display name for the user sending server notices.
|
||||
display_name: "Server Alerts"
|
||||
# -- The avatar URL (as a mxc:// URL) name for the user sending server notices.
|
||||
avatar_url: ""
|
||||
# The room name to be used when sending server notices. This room name will
|
||||
# appear in user clients.
|
||||
room_name: "Server Alerts"
|
||||
|
||||
# prometheus metrics
|
||||
metrics:
|
||||
# -- Whether or not Prometheus metrics are enabled.
|
||||
enabled: false
|
||||
# HTTP basic authentication to protect access to monitoring.
|
||||
basic_auth:
|
||||
# -- HTTP basic authentication username
|
||||
user: "metrics"
|
||||
# -- HTTP basic authentication password
|
||||
password: metrics
|
||||
|
||||
dns_cache:
|
||||
# -- Whether or not the DNS cache is enabled.
|
||||
enabled: false
|
||||
# -- Maximum number of entries to hold in the DNS cache
|
||||
cache_size: 256
|
||||
# -- Duration for how long DNS cache items should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
|
||||
cache_lifetime: "10m"
|
||||
|
||||
profiling:
|
||||
# -- Enable pprof. You will need to manually create a port forwarding to the deployment to access PPROF,
|
||||
# as it will only listen on localhost and the defined port.
|
||||
# e.g. `kubectl port-forward deployments/dendrite 65432:65432`
|
||||
enabled: false
|
||||
# -- pprof port, if enabled
|
||||
port: 65432
|
||||
|
||||
# -- Configuration for experimental MSC's. (Valid values are: msc2836)
|
||||
mscs:
|
||||
mscs: []
|
||||
# A list of enabled MSC's
|
||||
# Currently valid values are:
|
||||
# - msc2836 (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836)
|
||||
|
||||
app_service_api:
|
||||
# -- Disable the validation of TLS certificates of appservices. This is
|
||||
# not recommended in production since it may allow appservice traffic
|
||||
# to be sent to an insecure endpoint.
|
||||
disable_tls_validation: false
|
||||
# -- Appservice config files to load on startup. (**NOTE**: This is overriden by Helm, if a folder `./appservices/` exists)
|
||||
config_files: []
|
||||
|
||||
client_api:
|
||||
# -- Prevents new users from being able to register on this homeserver, except when
|
||||
# using the registration shared secret below.
|
||||
registration_disabled: true
|
||||
|
||||
# Prevents new guest accounts from being created. Guest registration is also
|
||||
# disabled implicitly by setting 'registration_disabled' above.
|
||||
guests_disabled: true
|
||||
|
||||
# -- If set, allows registration by anyone who knows the shared secret, regardless of
|
||||
# whether registration is otherwise disabled.
|
||||
registration_shared_secret: ""
|
||||
|
||||
# -- enable reCAPTCHA registration
|
||||
enable_registration_captcha: false
|
||||
# -- reCAPTCHA public key
|
||||
recaptcha_public_key: ""
|
||||
# -- reCAPTCHA private key
|
||||
recaptcha_private_key: ""
|
||||
# -- reCAPTCHA bypass secret
|
||||
recaptcha_bypass_secret: ""
|
||||
recaptcha_siteverify_api: ""
|
||||
|
||||
# TURN server information that this homeserver should send to clients.
|
||||
turn:
|
||||
# -- Duration for how long users should be considered valid ([see time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for more)
|
||||
turn_user_lifetime: "24h"
|
||||
turn_uris: []
|
||||
turn_shared_secret: ""
|
||||
# -- The TURN username
|
||||
turn_username: ""
|
||||
# -- The TURN password
|
||||
turn_password: ""
|
||||
|
||||
rate_limiting:
|
||||
# -- Enable rate limiting
|
||||
enabled: true
|
||||
# -- After how many requests a rate limit should be activated
|
||||
threshold: 20
|
||||
# -- Cooloff time in milliseconds
|
||||
cooloff_ms: 500
|
||||
# -- Users which should be exempt from rate limiting
|
||||
exempt_user_ids:
|
||||
|
||||
federation_api:
|
||||
# -- Federation failure threshold. How many consecutive failures that we should
|
||||
# tolerate when sending federation requests to a specific server. The backoff
|
||||
# is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds, etc.
|
||||
# The default value is 16 if not specified, which is circa 18 hours.
|
||||
send_max_retries: 16
|
||||
# -- Disable TLS validation. This should **NOT** be used in production.
|
||||
disable_tls_validation: false
|
||||
prefer_direct_fetch: false
|
||||
# -- Prevents Dendrite from keeping HTTP connections
|
||||
# open for reuse for future requests. Connections will be closed quicker
|
||||
# but we may spend more time on TLS handshakes instead.
|
||||
disable_http_keepalives: false
|
||||
# -- Perspective keyservers, to use as a backup when direct key fetch
|
||||
# requests don't succeed.
|
||||
# @default -- See value.yaml
|
||||
key_perspectives:
|
||||
- server_name: matrix.org
|
||||
keys:
|
||||
- key_id: ed25519:auto
|
||||
public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
|
||||
- key_id: ed25519:a_RXGa
|
||||
public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
|
||||
|
||||
media_api:
|
||||
# -- The path to store media files (e.g. avatars) in
|
||||
base_path: "/data/media_store"
|
||||
# -- The max file size for uploaded media files
|
||||
max_file_size_bytes: 10485760
|
||||
# Whether to dynamically generate thumbnails if needed.
|
||||
dynamic_thumbnails: false
|
||||
# -- The maximum number of simultaneous thumbnail generators to run.
|
||||
max_thumbnail_generators: 10
|
||||
# -- A list of thumbnail sizes to be generated for media content.
|
||||
# @default -- See value.yaml
|
||||
thumbnail_sizes:
|
||||
- width: 32
|
||||
height: 32
|
||||
method: crop
|
||||
- width: 96
|
||||
height: 96
|
||||
method: crop
|
||||
- width: 640
|
||||
height: 480
|
||||
method: scale
|
||||
|
||||
sync_api:
|
||||
# -- This option controls which HTTP header to inspect to find the real remote IP
|
||||
# address of the client. This is likely required if Dendrite is running behind
|
||||
# a reverse proxy server.
|
||||
real_ip_header: X-Real-IP
|
||||
# -- Configuration for the full-text search engine.
|
||||
search:
|
||||
# -- Whether fulltext search is enabled.
|
||||
enabled: true
|
||||
# -- The path to store the search index in.
|
||||
index_path: "/data/search"
|
||||
# -- The language most likely to be used on the server - used when indexing, to
|
||||
# ensure the returned results match expectations. A full list of possible languages
|
||||
# can be found [here](https://github.com/matrix-org/dendrite/blob/76db8e90defdfb9e61f6caea8a312c5d60bcc005/internal/fulltext/bleve.go#L25-L46)
|
||||
language: "en"
|
||||
|
||||
user_api:
|
||||
# -- bcrypt cost to use when hashing passwords.
|
||||
# (ranges from 4-31; 4 being least secure, 31 being most secure; _NOTE: Using a too high value can cause clients to timeout and uses more CPU._)
|
||||
bcrypt_cost: 10
|
||||
# -- OpenID Token lifetime in milliseconds.
|
||||
openid_token_lifetime_ms: 3600000
|
||||
# - Disable TLS validation when hitting push gateways. This should **NOT** be used in production.
|
||||
push_gateway_disable_tls_validation: false
|
||||
# -- Rooms to join users to after registration
|
||||
auto_join_rooms: []
|
||||
|
||||
# -- Default logging configuration
|
||||
logging:
|
||||
- type: std
|
||||
level: info
|
||||
|
||||
postgresql:
|
||||
# -- Enable and configure postgres as the database for dendrite.
|
||||
# @default -- See value.yaml
|
||||
enabled: false
|
||||
image:
|
||||
repository: bitnami/postgresql
|
||||
tag: "16.2.0"
|
||||
auth:
|
||||
username: dendrite
|
||||
password: changeme
|
||||
database: dendrite
|
||||
|
||||
persistence:
|
||||
enabled: false
|
||||
|
||||
ingress:
|
||||
# -- Create an ingress for the deployment
|
||||
enabled: false
|
||||
# -- The ingressClass to use. Will be converted to annotation if not yet supported.
|
||||
className: ""
|
||||
# -- Extra, custom annotations
|
||||
annotations: {}
|
||||
# -- The ingress hostname for your matrix server.
|
||||
# Should align with the server_name and well_known_* hosts.
|
||||
# If not set, generated from the dendrite_config values.
|
||||
hostName: ""
|
||||
# -- TLS configuration. Should contain information for the server_name and well-known hosts.
|
||||
# Alternatively, set tls.generate=true to generate defaults based on the dendrite_config.
|
||||
tls: []
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 8008
|
||||
|
||||
prometheus:
|
||||
servicemonitor:
|
||||
# -- Enable ServiceMonitor for Prometheus-Operator for scrape metric-endpoint
|
||||
enabled: false
|
||||
# -- Extra Labels on ServiceMonitor for selector of Prometheus Instance
|
||||
labels: {}
|
||||
rules:
|
||||
# -- Enable PrometheusRules for Prometheus-Operator for setup alerting
|
||||
enabled: false
|
||||
# -- Extra Labels on PrometheusRules for selector of Prometheus Instance
|
||||
labels: {}
|
||||
# -- additional alertrules (no default alertrules are provided)
|
||||
additionalRules: []
|
||||
|
||||
grafana:
|
||||
dashboards:
|
||||
enabled: false
|
||||
# -- Extra Labels on ConfigMap for selector of grafana sidecar
|
||||
labels:
|
||||
grafana_dashboard: "1"
|
||||
# -- Extra Annotations on ConfigMap additional config in grafana sidecar
|
||||
annotations: {}
|
24
matrix/values.yaml
Normal file
24
matrix/values.yaml
Normal file
@ -0,0 +1,24 @@
|
||||
dendrite_config:
|
||||
global:
|
||||
server_name: "m.sense-t.eu.org"
|
||||
well_known_server_name: "m.sense-t.eu.org:443"
|
||||
well_known_client_name: "https://m.sense-t.eu.org"
|
||||
database:
|
||||
connection_string: "postgresql://matrix@10.43.148.199:5432/matrix?sslmode=disable"
|
||||
max_open_conns: 90
|
||||
max_idle_conns: 5
|
||||
conn_max_lifetime: -1
|
||||
client_api:
|
||||
registration_shared_secret: "ZPSLjXmWEHBz8Jxu"
|
||||
|
||||
persistence:
|
||||
storageClass: nfs-client
|
||||
|
||||
image:
|
||||
tag: v0.14.0
|
||||
kubectl: cr.wetofu.me/docker.io/bitnami/kubectl:1.23
|
||||
pullPolicy: IfNotPresent
|
||||
repository: ghcr.io/element-hq/dendrite-monolith
|
||||
|
||||
ingress:
|
||||
enabled: true
|
Loading…
x
Reference in New Issue
Block a user