Update Kong ingress controller to version 1.4. It fixes the occasional 404 error. 99/2299/1
authorZhe Huang <zhehuang@research.att.com>
Tue, 21 Jan 2020 21:40:31 +0000 (16:40 -0500)
committerZhe Huang <zhehuang@research.att.com>
Tue, 21 Jan 2020 21:40:31 +0000 (16:40 -0500)
Signed-off-by: Zhe Huang <zhehuang@research.att.com>
Change-Id: If6952102bacc086b972a72d3f830de9da1e58fca

84 files changed:
helm/infrastructure/requirements.yaml
helm/infrastructure/subcharts/kong/Chart.yaml
helm/infrastructure/subcharts/kong/FAQs.md [new file with mode: 0755]
helm/infrastructure/subcharts/kong/README.md
helm/infrastructure/subcharts/kong/charts/cassandra/.helmignore [deleted file]
helm/infrastructure/subcharts/kong/charts/cassandra/Chart.yaml [deleted file]
helm/infrastructure/subcharts/kong/charts/cassandra/README.md [deleted file]
helm/infrastructure/subcharts/kong/charts/cassandra/sample/create-storage-gce.yaml [deleted file]
helm/infrastructure/subcharts/kong/charts/cassandra/templates/NOTES.txt [deleted file]
helm/infrastructure/subcharts/kong/charts/cassandra/templates/_helpers.tpl [deleted file]
helm/infrastructure/subcharts/kong/charts/cassandra/templates/backup/cronjob.yaml [deleted file]
helm/infrastructure/subcharts/kong/charts/cassandra/templates/backup/rbac.yaml [deleted file]
helm/infrastructure/subcharts/kong/charts/cassandra/templates/configmap.yaml [deleted file]
helm/infrastructure/subcharts/kong/charts/cassandra/templates/pdb.yaml [deleted file]
helm/infrastructure/subcharts/kong/charts/cassandra/templates/service.yaml [deleted file]
helm/infrastructure/subcharts/kong/charts/cassandra/templates/statefulset.yaml [deleted file]
helm/infrastructure/subcharts/kong/charts/cassandra/values.yaml [deleted file]
helm/infrastructure/subcharts/kong/charts/postgresql/Chart.yaml
helm/infrastructure/subcharts/kong/charts/postgresql/README.md
helm/infrastructure/subcharts/kong/charts/postgresql/ci/default-values.yaml [new file with mode: 0755]
helm/infrastructure/subcharts/kong/charts/postgresql/ci/shmvolume-disabled-values.yaml [new file with mode: 0755]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/NOTES.txt
helm/infrastructure/subcharts/kong/charts/postgresql/templates/_helpers.tpl
helm/infrastructure/subcharts/kong/charts/postgresql/templates/metrics-configmap.yaml [new file with mode: 0755]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/metrics-svc.yaml
helm/infrastructure/subcharts/kong/charts/postgresql/templates/networkpolicy.yaml
helm/infrastructure/subcharts/kong/charts/postgresql/templates/prometheusrule.yaml [new file with mode: 0755]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/secrets.yaml
helm/infrastructure/subcharts/kong/charts/postgresql/templates/serviceaccount.yaml [new file with mode: 0755]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/servicemonitor.yaml [new file with mode: 0755]
helm/infrastructure/subcharts/kong/charts/postgresql/templates/statefulset-slaves.yaml
helm/infrastructure/subcharts/kong/charts/postgresql/templates/statefulset.yaml
helm/infrastructure/subcharts/kong/charts/postgresql/templates/svc-headless.yaml
helm/infrastructure/subcharts/kong/charts/postgresql/templates/svc-read.yaml
helm/infrastructure/subcharts/kong/charts/postgresql/templates/svc.yaml
helm/infrastructure/subcharts/kong/charts/postgresql/values-production.yaml
helm/infrastructure/subcharts/kong/charts/postgresql/values.schema.json [new file with mode: 0755]
helm/infrastructure/subcharts/kong/charts/postgresql/values.yaml
helm/infrastructure/subcharts/kong/ci/cassandra.yaml [deleted file]
helm/infrastructure/subcharts/kong/ci/dbless-no-kic-internal-declarative-config-values.yaml [deleted file]
helm/infrastructure/subcharts/kong/ci/dbless-no-kic-values.yaml [deleted file]
helm/infrastructure/subcharts/kong/ci/dbless-values.yaml [deleted file]
helm/infrastructure/subcharts/kong/ci/default-values.yaml
helm/infrastructure/subcharts/kong/ci/ingressController-values.yaml [deleted file]
helm/infrastructure/subcharts/kong/ci/loadbalancer-values.yaml [deleted file]
helm/infrastructure/subcharts/kong/ci/test1-values.yaml [new file with mode: 0755]
helm/infrastructure/subcharts/kong/ci/test2-values.yaml [new file with mode: 0755]
helm/infrastructure/subcharts/kong/ci/test3-values.yaml [new file with mode: 0755]
helm/infrastructure/subcharts/kong/requirements.yaml
helm/infrastructure/subcharts/kong/templates/NOTES.txt
helm/infrastructure/subcharts/kong/templates/_helpers.tpl
helm/infrastructure/subcharts/kong/templates/admission-webhook.yaml [new file with mode: 0755]
helm/infrastructure/subcharts/kong/templates/config-custom-server-blocks.yaml
helm/infrastructure/subcharts/kong/templates/config-dbless.yaml
helm/infrastructure/subcharts/kong/templates/controller-cluster-role.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/controller-deployment.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/controller-pdb.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/controller-rbac-cluster-role-binding.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/controller-rbac-resources.yaml [new file with mode: 0755]
helm/infrastructure/subcharts/kong/templates/controller-rbac-role-binding.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/controller-rbac-role.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/controller-service-account.yaml
helm/infrastructure/subcharts/kong/templates/crd-kongconsumer.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/crd-kongcredential.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/crd-kongplugins.yaml [deleted file]
helm/infrastructure/subcharts/kong/templates/custom-resource-definitions.yaml [moved from helm/infrastructure/subcharts/kong/templates/crd-kongingress.yaml with 51% similarity]
helm/infrastructure/subcharts/kong/templates/deployment.yaml
helm/infrastructure/subcharts/kong/templates/ingress-admin.yaml
helm/infrastructure/subcharts/kong/templates/ingress-manager.yaml
helm/infrastructure/subcharts/kong/templates/ingress-portal-api.yaml
helm/infrastructure/subcharts/kong/templates/ingress-portal.yaml
helm/infrastructure/subcharts/kong/templates/ingress-proxy.yaml
helm/infrastructure/subcharts/kong/templates/migrations-post-upgrade.yaml
helm/infrastructure/subcharts/kong/templates/migrations-pre-upgrade.yaml
helm/infrastructure/subcharts/kong/templates/migrations.yaml
helm/infrastructure/subcharts/kong/templates/pdb.yaml
helm/infrastructure/subcharts/kong/templates/psp.yaml [new file with mode: 0755]
helm/infrastructure/subcharts/kong/templates/service-kong-admin.yaml
helm/infrastructure/subcharts/kong/templates/service-kong-manager.yaml
helm/infrastructure/subcharts/kong/templates/service-kong-portal-api.yaml
helm/infrastructure/subcharts/kong/templates/service-kong-portal.yaml
helm/infrastructure/subcharts/kong/templates/service-kong-proxy.yaml
helm/infrastructure/subcharts/kong/templates/servicemonitor.yaml
helm/infrastructure/subcharts/kong/values.yaml

index 565e9b4..2a935b4 100644 (file)
@@ -28,7 +28,7 @@ dependencies:
     repository: "file://./subcharts/docker-credential"
     condition: docker-credential.enabled
   - name: kong
-    version: 0.17.0
+    version: 0.36.6
     repository: "file://./subcharts/kong"
     condition: kong.enabled
   - name: certificate-manager
index 2e1cf0d..bfb0c8a 100755 (executable)
@@ -1,24 +1,8 @@
-################################################################################
-#   Copyright (c) 2019 AT&T Intellectual Property.                             #
-#                                                                              #
-#   Licensed under the Apache License, Version 2.0 (the "License");            #
-#   you may not use this file except in compliance with the License.           #
-#   You may obtain a copy of the License at                                    #
-#                                                                              #
-#       http://www.apache.org/licenses/LICENSE-2.0                             #
-#                                                                              #
-#   Unless required by applicable law or agreed to in writing, software        #
-#   distributed under the License is distributed on an "AS IS" BASIS,          #
-#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-#   See the License for the specific language governing permissions and        #
-#   limitations under the License.                                             #
-################################################################################
-
 apiVersion: v1
-appVersion: "1.3"
-description: The Cloud-Native Ingress and Service Mesh for APIs and Microservices
+appVersion: "1.4"
+description: DEPRECATED The Cloud-Native Ingress and API-management
 engine: gotpl
-home: https://KongHQ.com/
+home: https://konghq.com/
 icon: https://s3.amazonaws.com/downloads.kong/universe/assets/icon-kong-inc-large.png
 maintainers:
 - email: shashi@konghq.com
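Review bot: The `+description:` line now labels this vendored copy DEPRECATED, and while this hunk drops the Apache header the second Chart.yaml hunk (ending at `+version: 0.36.6`) drops the `sources:` list, so the file no longer records where the chart came from or that upstream has stopped maintaining it. A provenance comment at the top would let a future maintainer resync or patch it, e.g. `# Vendored from the stable/kong Helm chart (chart 0.36.6, Kong 1.4); upstream marks it DEPRECATED in favour of https://github.com/kong/charts`. Note also that `appVersion: "1.4"` appears to be the Kong gateway version rather than the ingress controller version named in the commit title — the README in this commit lists the controller image tag as 0.7.0 — so the comment should state which component each version refers to.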
@@ -26,6 +10,4 @@ maintainers:
 - email: harry@konghq.com
   name: hbagdi
 name: kong
-sources:
-- https://github.com/Kong/kong
-version: 0.17.0
+version: 0.36.6
diff --git a/helm/infrastructure/subcharts/kong/FAQs.md b/helm/infrastructure/subcharts/kong/FAQs.md
new file mode 100755 (executable)
index 0000000..1bac262
--- /dev/null
@@ -0,0 +1,32 @@
+# Frequently Asked Questions (FAQs)
+
+#### Kong fails to start after `helm upgrade` when Postgres is used. What do I do?
+
+You may be running into this issue: https://github.com/helm/charts/issues/12575.
+This issue is caused due to: https://github.com/helm/helm/issues/3053.
+
+The problem that happens is that Postgres database has the old password but
+the new secret has a different password, which is used by Kong, and password
+based authentication fails.
+
+The solution to the problem is to specify a password to the `postgresql` chart.
+This is to ensure that the password is not generated randomly but is set to
+the same one that is user-provided on each upgrade.
+
+#### Kong fails to start on a fresh installation with Postgres. What do I do?
+
+Please make sure that there is no `PersistentVolumes` present from a previous
+release. If there are, it can lead to data or passwords being out of sync
+and result in connection issues.
+
+A simple way to find out is to use the following command:
+
+```
+kubectl get pv -n <your-namespace>
+```
+
+And then based on the `AGE` column, determine if you have an old volume.
+If you do, then please delete the release, delete the volume, and then
+do a fresh installation. PersistentVolumes can remain in the cluster even if
+you delete the namespace itself (the namespace in which they were present).
+
index be6bc15..83b665d 100755 (executable)
@@ -1,46 +1,70 @@
-## Kong
+# DEPRECATED
 
-[Kong](https://KongHQ.com/) is an open-source API Gateway and Microservices
-Management Layer, delivering high performance and reliability.
+This chart has been deprecated in favor of
+Kong's official chart [repository](https://github.com/kong/charts).
+
+All users are advised to immediately migrate over to the new repository.
+
+## Kong for Kubernetes
+
+[Kong for Kubernetes](https://github.com/Kong/kubernetes-ingress-controller)
+is an open-source Ingress Controller for Kubernetes that offers
+API management capabilities with a plugin architecture.
+
+This chart bootstraps all the components needed to run Kong on a
+[Kubernetes](http://kubernetes.io) cluster using the
+[Helm](https://helm.sh) package manager.
 
 ## TL;DR;
 
 ```bash
+$ helm repo update
 $ helm install stable/kong
 ```
 
-## Introduction
-
-This chart bootstraps all the components needed to run Kong on a [Kubernetes](http://kubernetes.io)
-cluster using the [Helm](https://helm.sh) package manager.
+## Table of content
+
+- [Prerequisites](#prerequisites)
+- [Install](#install)
+- [Uninstall](#uninstall)
+- [Kong Enterprise](#kong-enterprise)
+- [FAQs](#faqs)
+- [Deployment Options](#deployment-options)
+  - [Database](#database)
+  - [Runtime package](#runtime-package)
+  - [Configuration method](#configuration-method)
+- [Configuration](#configuration)
+  - [Kong Parameters](#kong-parameters)
+  - [Ingress Controller Parameters](#ingress-controller-parameters)
+  - [General Parameters](#general-parameters)
+  - [The `env` section](#the-env-section)
+- [Kong Enterprise Parameters](#kong-enterprise-parameters)
+  - [Prerequisites](#prerequisites-1)
+    - [Kong Enterprise License](#kong-enterprise-license)
+    - [Kong Enterprise Docker registry access](#kong-enterprise-docker-registry-access)
+  - [Service location hints](#service-location-hints)
+  - [RBAC](#rbac)
+  - [Sessions](#sessions)
+  - [Email/SMTP](#emailsmtp)
+- [Changelog](#changelog)
+- [Seeking help](#seeking-help)
 
 ## Prerequisites
 
-- Kubernetes 1.8+ with Beta APIs enabled.
+- Kubernetes 1.12+
 - PV provisioner support in the underlying infrastructure if persistence
   is needed for Kong datastore.
 
-## Installing the Chart
+## Install
 
 To install the chart with the release name `my-release`:
 
 ```bash
+$ helm repo update
 $ helm install --name my-release stable/kong
 ```
 
-If using Kong Enterprise, several additional steps are necessary before
-installing the chart. At minimum, you must:
-* Create a [license secret](#license).
-* Set `enterprise.enabled: true` in values.yaml.
-* Update values.yaml to use a Kong Enterprise image. If needed, follow the
-instructions in values.yaml to add a registry pull secret.
-
-Reading through [the full list of Enterprise considerations](#kong-enterprise-specific-parameters)
-is recommended.
-
-> **Tip**: List all releases using `helm list`
-
-## Uninstalling the Chart
+## Uninstall
 
 To uninstall/delete the `my-release` deployment:
 
@@ -51,12 +75,122 @@ $ helm delete my-release
 The command removes all the Kubernetes components associated with the
 chart and deletes the release.
 
-## Configuration
+> **Tip**: List all releases using `helm list`
+
+## FAQs
+
+Please read the
+[FAQs](https://github.com/helm/charts/blob/master/stable/kong/FAQs.md)
+document.
+
+## Kong Enterprise
+
+If using Kong Enterprise, several additional steps are necessary before
+installing the chart:
+
+- set `enterprise.enabled` to `true` in `values.yaml` file
+- Update values.yaml to use a Kong Enterprise image
+- Satisfy the two  prerequsisites below for
+  [Enterprise License](#kong-enterprise-license) and
+  [Enterprise Docker Registry](#kong-enterprise-docker-registry-access)
+
+Once you have these set, it is possible to install Kong Enterprise
+
+Please read through
+[Kong Enterprise considerations](#kong-enterprise-parameters)
+to understand all settings that are enterprise specific.
+
+## Deployment Options
+
+Kong is a highly configurable piece of software that can be deployed
+in a number of different ways, depending on your use-case.
+
+All combinations of various runtimes, databases and configuration methods are
+supported by this Helm chart.
+The recommended approach is to use the Ingress Controller based configuration
+along-with DB-less mode.
+
+Following sections detail on various high-level architecture options available:
+
+### Database
 
-### General Configuration Parameters
+Kong can run with or without a database (DB-less).
+By default, this chart installs Kong without a database.
 
-The following table lists the configurable parameters of the Kong chart
-and their default values.
+Although Kong can run with Postgres and Cassandra, the recommended database,
+if you would like to use one, is Postgres for Kubernetes installations.
+If your use-case warrants Cassandra, you should run the Cassandra cluster
+outside of Kubernetes.
+
+The database to use for Kong can be controlled via the `env.database` parameter.
+For more details, please read the [env](#the-env-section) section.
+
+Furthermore, this chart allows you to bring your own database that you manage
+or spin up a new Postgres instance using the `postgres.enabled` parameter.
+
+> Cassandra deployment via a sub-chart was previously supported but
+the support has now been dropped due to stability issues.
+You can still deploy Cassandra on your own and configure Kong to use
+that via the `env.database` parameter.
+
+#### DB-less  deployment
+
+When deploying Kong in DB-less mode(`env.database: "off"`)
+and without the Ingress Controller(`ingressController.enabled: false`),
+you have to provide a declarative configuration for Kong to run.
+The configuration can be provided using an existing ConfigMap
+(`dblessConfig.configMap`) or or the whole configuration can be put into the
+`values.yaml` file for deployment itself, under the `dblessConfig.config`
+parameter. See the example configuration in the default values.yaml
+for more details.
+
+### Runtime package
+
+There are three different packages of Kong that are available:
+
+- **Kong Gateway**  
+  This is the [Open-Source](https://github.com/kong/kong) offering. It is a
+  full-blown API Gateway and Ingress solution with a wide-array of functionality.
+  When Kong Gateway is combined with the Ingress based configuration method,
+  you get Kong for Kubernetes. This is the default deployment for this Helm
+  Chart.
+- **Kong Enterprise K8S**  
+  This package builds up on top of the Open-Source Gateway and bundles in all
+  the Enterprise-only plugins as well.
+  When Kong Enterprise K8S is combined with the Ingress based
+  configuration method, you get Kong for Kubernetes Enterprise.
+  This package also comes with 24x7 support from Kong Inc.
+- **Kong Enterprise**  
+  This is the full-blown Enterprise package which packs with itself all the
+  Enterprise functionality like Manager, Portal, Vitals, etc.
+  This package can't be run in DB-less mode.
+
+The package to run can be changed via `image.repository` and `image.tag`
+parameters. If you would like to run the Enterprise package, please read
+the [Kong Enterprise Parameters](#kong-enterprise-parameters) section.
+
+### Configuration method
+
+Kong can be configured via two methods:
+- **Ingress and CRDs**  
+  The configuration for Kong is done via `kubectl` and Kubernetes-native APIs.
+  This is also known as Kong Ingress Controller or Kong for Kubernetes and is
+  the default deployment pattern for this Helm Chart. The configuration
+  for Kong is managed via Ingress and a few
+  [Custom Resources](https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/concepts/custom-resources.md).
+  For more details, please read the
+  [documentation](https://github.com/Kong/kubernetes-ingress-controller/tree/master/docs)
+  on Kong Ingress Controller.
+  To configure and fine-tune the controller, please read the
+  [Ingress Controller Parameters](#ingress-controller-parameters) section.
+- **Admin API**  
+  This is the traditional method of running and configuring Kong.
+  By default, the Admin API of Kong is not exposed as a Service. This
+  can be controlled via `admin.enabled` and `env.admin_listen` parameters.
+
+## Configuration
+
+### Kong parameters
 
 | Parameter                          | Description                                                                           | Default             |
 | ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- |
@@ -65,6 +199,7 @@ and their default values.
 | image.pullPolicy                   | Image pull policy                                                                     | `IfNotPresent`      |
 | image.pullSecrets                  | Image pull secrets                                                                    | `null`              |
 | replicaCount                       | Kong instance count                                                                   | `1`                 |
+| admin.enabled                      | Create Admin Service                                                                  | `false`             |
 | admin.useTLS                       | Secure Admin traffic                                                                  | `true`              |
 | admin.servicePort                  | TCP port on which the Kong admin service is exposed                                   | `8444`              |
 | admin.containerPort                | TCP port on which Kong app listens for admin traffic                                  | `8444`              |
@@ -88,7 +223,9 @@ and their default values.
 | proxy.tls.servicePort              | Service port to use for TLS                                                           | 8443                |
 | proxy.tls.nodePort                 | Node port to use for TLS                                                              | 32443               |
 | proxy.tls.hostPort                 | Host port to use for TLS                                                              |                     |
-| proxy.type                         | k8s service type. Options: NodePort, ClusterIP, LoadBalancer                          | `NodePort`          |
+| proxy.tls.overrideServiceTargetPort| Override service port to use for TLS without touching Kong containerPort              |                     |
+| proxy.type                         | k8s service type. Options: NodePort, ClusterIP, LoadBalancer                          | `LoadBalancer`      |
+| proxy.clusterIP                    | k8s service clusterIP                                                                 |                     |
 | proxy.loadBalancerSourceRanges     | Limit proxy access to CIDRs if set and service type is `LoadBalancer`                 | `[]`                |
 | proxy.loadBalancerIP               | To reuse an existing ingress static IP for the admin service                          |                     |
 | proxy.externalIPs                  | IPs for which nodes in the cluster will also accept traffic for the proxy             | `[]`                |
@@ -98,9 +235,44 @@ and their default values.
 | proxy.ingress.hosts                | List of ingress hosts.                                                                | `[]`                |
 | proxy.ingress.path                 | Ingress path.                                                                         | `/`                 |
 | proxy.ingress.annotations          | Ingress annotations. See documentation for your ingress controller for details        | `{}`                |
-| updateStrategy                     | update strategy for deployment                                                        | `{}`                |
+| plugins                            | Install custom plugins into Kong via ConfigMaps or Secrets                            | `{}`                |
 | env                                | Additional [Kong configurations](https://getkong.org/docs/latest/configuration/)      |                     |
 | runMigrations                      | Run Kong migrations job                                                               | `true`              |
+| waitImage.repository               | Image used to wait for database to become ready                                       | `busybox`           |
+| waitImage.tag                      | Tag for image used to wait for database to become ready                               | `latest`            |
+| waitImage.pullPolicy               | Wait image pull policy                                                                | `IfNotPresent`      |
+| postgresql.enabled                 | Spin up a new postgres instance for Kong                                              | `false`             |
+| dblessConfig.configMap             | Name of an existing ConfigMap containing the `kong.yml` file. This must have the key `kong.yml`.| `` |
+| dblessConfig.config                | Yaml configuration file for the dbless (declarative) configuration of Kong | see in `values.yaml`    |
+
+### Ingress Controller Parameters
+
+All of the following properties are nested under the `ingressController`
+section of `values.yaml` file:
+
+| Parameter                          | Description                                                                           | Default                                                                      |
+| ---------------------------------- | ------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
+| enabled                            | Deploy the ingress controller, rbac and crd                                           | true                                                                         |
+| replicaCount                       | Number of desired ingress controllers                                                 | 1                                                                            |
+| image.repository                   | Docker image with the ingress controller                                              | kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller |
+| image.tag                          | Version of the ingress controller                                                     | 0.7.0                                                                        |
+| readinessProbe                     | Kong ingress controllers readiness probe                                              |                                                                              |
+| livenessProbe                      | Kong ingress controllers liveness probe                                               |                                                                              |
+| env                                | Specify Kong Ingress Controller configuration via environment variables               |                                                                              |
+| ingressClass                       | The ingress-class value for controller                                                | kong                                                                         |
+| admissionWebhook.enabled           | Whether to enable the validating admission webhook                                    | false                                                                        |
+| admissionWebhook.failurePolicy     | How unrecognized errors from the admission endpoint are handled (Ignore or Fail)      | Fail                                                                         |
+| admissionWebhook.port              | The port the ingress controller will listen on for admission webhooks                 | 8080                                                                         |
+
+For a complete list of all configuration values you can set in the 
+`env` section, please read the Kong Ingress Controller's
+[configuration document](https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/references/cli-arguments.md).
+
+### General Parameters
+
+| Parameter                          | Description                                                                           | Default             |
+| ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- |
+| updateStrategy                     | update strategy for deployment                                                        | `{}`                |
 | readinessProbe                     | Kong readiness probe                                                                  |                     |
 | livenessProbe                      | Kong liveness probe                                                                   |                     |
 | affinity                           | Node/pod affinities                                                                   |                     |
@@ -111,178 +283,139 @@ and their default values.
 | podDisruptionBudget.enabled        | Enable PodDisruptionBudget for Kong                                                   | `false`             |
 | podDisruptionBudget.maxUnavailable | Represents the minimum number of Pods that can be unavailable (integer or percentage) | `50%`               |
 | podDisruptionBudget.minAvailable   | Represents the number of Pods that must be available (integer or percentage)          |                     |
+| podSecurityPolicy.enabled          | Enable podSecurityPolicy for Kong                                                     | `false`             |
 | serviceMonitor.enabled             | Create ServiceMonitor for Prometheus Operator                                         | false               |
 | serviceMonitor.interval            | Scrapping interval                                                                    | 10s                 |
 | serviceMonitor.namespace           | Where to create ServiceMonitor                                                        |                     |
+| secretVolumes                      | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]`                |
+| serviceMonitor.labels              | ServiceMonito Labels                                                                  | {}                  |
 
-### Admin/Proxy listener override
+#### The `env` section
 
-If you specify `env.admin_listen` or `env.proxy_listen`, this chart will use
-the value provided by you as opposed to constructing a listen variable
-from fields like `proxy.http.containerPort` and `proxy.http.enabled`. This allows
-you to be more prescriptive when defining listen directives.
+The `env` section can be used to configured all properties of Kong.
+Any key value put under this section translates to environment variables
+used to control Kong's configuration. Every key is prefixed with `KONG_`
+and upper-cased before setting the environment variable.
 
-**Note:** Overriding `env.proxy_listen` and `env.admin_listen` will potentially cause
-`admin.containerPort`, `proxy.http.containerPort` and `proxy.tls.containerPort` to become out of sync,
-and therefore must be updated accordingly.
-
-I.E. updatating to `env.proxy_listen: 0.0.0.0:4444, 0.0.0.0:4443 ssl` will need
-`proxy.http.containerPort: 4444` and `proxy.tls.containerPort: 4443` to be set in order
-for the service definition to work properly.
-
-### Kong-specific parameters
-
-Kong has a choice of either Postgres or Cassandra as a backend datatstore.
-This chart allows you to choose either of them with the `env.database`
-parameter.  Postgres is chosen by default.
-
-Additionally, this chart allows you to use your own database or spin up a new
-instance by using the `postgres.enabled` or `cassandra.enabled` parameters.
-Enabling both will create both databases in your cluster, but only one
-will be used by Kong based on the `env.database` parameter.
-Postgres is enabled by default.
-
-| Parameter                     | Description                                                             | Default               |
-| ------------------------------| ------------------------------------------------------------------------| ----------------------|
-| cassandra.enabled             | Spin up a new cassandra cluster for Kong                                | `false`               |
-| postgresql.enabled            | Spin up a new postgres instance for Kong                                | `true`                |
-| waitImage.repository          | Image used to wait for database to become ready                         | `busybox`             |
-| waitImage.tag                 | Tag for image used to wait for database to become ready                 | `latest`              |
-| env.database                  | Choose either `postgres`, `cassandra` or `"off"` (for dbless mode)      | `postgres`            |
-| env.pg_user                   | Postgres username                                                       | `kong`                |
-| env.pg_database               | Postgres database name                                                  | `kong`                |
-| env.pg_password               | Postgres database password (required if you are using your own database)| `kong`                |
-| env.pg_host                   | Postgres database host (required if you are using your own database)    | ``                    |
-| env.pg_port                   | Postgres database port                                                  | `5432`                |
-| env.cassandra_contact_points  | Cassandra contact points (required if you are using your own database)  | ``                    |
-| env.cassandra_port            | Cassandra query port                                                    | `9042`                |
-| env.cassandra_keyspace        | Cassandra keyspace                                                      | `kong`                |
-| env.cassandra_repl_factor     | Replication factor for the Kong keyspace                                | `2`                   |
-| dblessConfig.configMap        | Name of an existing ConfigMap containing the `kong.yml` file. This must have the key `kong.yml`.| `` |
-| dblessConfig.config           | Yaml configuration file for the dbless (declarative) configuration of Kong | see in `values.yaml`    |
-
-All `kong.env` parameters can also accept a mapping instead of a value to ensure the parameters can be set through configmaps and secrets.
+Furthermore, all `kong.env` parameters can also accept a mapping instead of a
+value to ensure the parameters can be set through configmaps and secrets.
 
 An example :
 
 ```yaml
 kong:
-  env:
+  env:                       # load PG password from a secret dynamically
      pg_user: kong
      pg_password:
        valueFrom:
          secretKeyRef:
             key: kong
             name: postgres
+  nginx_worker_processes: "2"
 ```
 
+For complete list of Kong configurations please check the
+[Kong configuration docs](https://docs.konghq.com/latest/configuration).
 
-For complete list of Kong configurations please check https://getkong.org/docs/latest/configuration/.
+> **Tip**: You can use the default [values.yaml](values.yaml)
 
-Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+##### Admin/Proxy listener override
 
-```console
-$ helm install stable/kong --name my-release \
-  --set=image.tag=1.3,env.database=cassandra,cassandra.enabled=true
-```
+If you specify `env.admin_listen` or `env.proxy_listen`, this chart will use
+the value provided by you as opposed to constructing a listen variable
+from fields like `proxy.http.containerPort` and `proxy.http.enabled`.
+This allows you to be more prescriptive when defining listen directives.
 
-Alternatively, a YAML file that specifies the values for the above parameters
-can be provided while installing the chart. For example,
+**Note:** Overriding `env.proxy_listen` and `env.admin_listen` will
+potentially cause `admin.containerPort`, `proxy.http.containerPort` and
+`proxy.tls.containerPort` to become out of sync,
+and therefore must be updated accordingly.
 
-```console
-$ helm install stable/kong --name my-release -f values.yaml
-```
+For example, updating to `env.proxy_listen: 0.0.0.0:4444, 0.0.0.0:4443 ssl`
+will need `proxy.http.containerPort: 4444` and `proxy.tls.containerPort: 4443`
+to be set in order for the service definition to work properly.
 
-> **Tip**: You can use the default [values.yaml](values.yaml)
+## Kong Enterprise Parameters
 
-### Kong Enterprise-specific parameters
+### Overview
 
 Kong Enterprise requires some additional configuration not needed when using
-Kong OSS. Some of the more important configuration is grouped in sections
-under the `.enterprise` key in values.yaml, though most enterprise-specific
-configuration can be placed under the `.env` key.
+Kong Open-Source. To use Kong Enterprise, at the minimum,
+you need to do the following:
 
-To use Kong Enterprise, change your image to a Kong Enterprise image and set
-`.enterprise.enabled: true` in values.yaml to render Enterprise sections of the
-templates. Review the sections below for other settings you should consider
-configuring before installing the chart.
+- set `enterprise.enabled` to `true` in `values.yaml` file
+- Update values.yaml to use a Kong Enterprise image
+- Satisfy the two  prerequsisites below for Enterprise License and
+  Enterprise Docker Registry
 
-#### Service location hints
+Once you have these set, it is possible to install Kong Enterprise,
+but please make sure to review the below sections for other settings that
+you should consider configuring before installing Kong.
 
-Kong Enterprise add two GUIs, Kong Manager and the Kong Developer Portal, that
-must know where other Kong services (namely the admin and files APIs) can be
-accessed in order to function properly. Kong's default behavior for attempting
-to locate these absent configuration is unlikely to work in common Kubernetes
-environments. Because of this, you should set each of `admin_gui_url`,
-`admin_api_uri`, `proxy_url`, `portal_api_url`, `portal_gui_host`, and
-`portal_gui_protocol` under the `.env` key in values.yaml to locations where
-each of their respective services can be accessed to ensure that Kong services
-can locate one another and properly set CORS headers. See the [Property Reference documentation](https://docs.konghq.com/enterprise/0.35-x/property-reference/)
-for more details on these settings.
+Some of the more important configuration is grouped in sections
+under the `.enterprise` key in values.yaml, though most enterprise-specific
+configuration can be placed under the `.env` key.
 
-#### License
+### Prerequisites
+
+#### Kong Enterprise License
 
 All Kong Enterprise deployments require a license. If you do not have a copy
 of yours, please contact Kong Support. Once you have it, you will need to
 store it in a Secret. Save your secret in a file named `license` (no extension)
 and then create and inspect your secret:
 
-```
+```bash
 $ kubectl create secret generic kong-enterprise-license --from-file=./license
-$ kubectl get secret kong-enterprise-license -o yaml
-apiVersion: v1
-data:
-  license: eyJsaWNlbnNlIjp7InNpZ25hdHVyZSI6IkhFWSBJIFNFRSBZT1UgUEVFS0lORyBJTlNJREUgTVkgQkFTRTY0IEVYQU1QTEUiLCJwYXlsb2FkIjp7ImN1c3RvbWVyIjoiV0VMTCBUT08gQkFEIiwibGljZW5zZV9jcmVhdGlvbl9kYXRlIjoiMjAxOC0wNi0wNSIsInByb2R1Y3Rfc3Vic2NyaXB0aW9uIjoiVEhFUkVTIE5PVEhJTkcgSEVSRSIsImFkbWluX3NlYXRzIjoiNSIsInN1cHBvcnRfcGxhbiI6IkZha2UiLCJsaWNlbnNlX2V4cGlyYXRpb25fZGF0ZSI6IjIwMjAtMjAtMjAiLCJsaWNlbnNlX2tleSI6IlRTT0kgWkhJViJ9LCJ2ZXJzaW9uIjoxfX0K
-kind: Secret
-metadata:
-  creationTimestamp: "2019-05-17T21:45:16Z"
-  name: kong-enterprise-license
-  namespace: default
-  resourceVersion: "48695485"
-  selfLink: /api/v1/namespaces/default/secrets/kong-enterprise-license
-  uid: 0f2e8903-78ed-11e9-b1a6-42010a8a02ec
-type: Opaque
 ```
-Set the secret name in values.yaml, in the `.enterprise.license_secret` key.
 
-#### RBAC
+Set the secret name in `values.yaml`, in the `.enterprise.license_secret` key.
+Please ensure the above secret is created in the same namespace in which
+Kong is going to be deployed.
 
-Note that you can create a default RBAC superuser when initially setting up an
-environment, by setting the `KONG_PASSWORD` environment variable on the initial
-migration Job's Pod. This will create a `kong_admin` admin whose token and
-basic-auth password match the value of `KONG_PASSWORD`
+#### Kong Enterprise Docker registry access
+
+Next, we need to setup Docker credentials in order to allow Kubernetes
+nodes to pull down Kong Enterprise Docker image, which is hosted as a private
+repository.
 
-Using RBAC within Kubernetes environments requires providing Kubernetes an RBAC
-user for its readiness and liveness checks. We recommend creating a user that
-has permission to read `/status` and nothing else. For example, with RBAC still
-disabled:
+As part of your sign up for Kong Enterprise, you should have received
+credentials for these as well.
 
+```bash
+$ kubectl create secret docker-registry kong-enterprise-docker \
+    --docker-server=kong-docker-kong-enterprise-k8s.bintray.io \
+    --docker-username=<your-username> \
+    --docker-password=<your-password>
+secret/kong-enterprise-docker created
 ```
-$ curl -sX POST http://admin.kong.example/rbac/users --data name=statuschecker --data user_token=REPLACE_WITH_SOME_TOKEN
-{"user_token_ident":"45239","user_token":"$2b$09$cL.xbvRQCzE35A0osl8VTej7u0BgJOIgpTVjxpwZ1U8.jNdMwyQRW","id":"fe8824dc-09a7-4b68-b5e6-541e4b9b4ced","name":"statuschecker","enabled":true,"comment":null,"created_at":1558131229}
 
-$ curl -sX POST http://admin.kong.example/rbac/roles --data name=read-status
-{"comment":null,"created_at":1558131353,"id":"e32507a5-e636-40b2-88c0-090042db7d79","name":"read-status","is_default":false}
+Set the secret name in `values.yaml` in the `image.pullSecrets` section.
+Again, Please ensure the above secret is created in the same namespace in which
+Kong is going to be deployed.
 
-$ curl -sX POST http://admin.kong.example/rbac/roles/read-status/endpoints --data endpoint="/status" --data actions=read
-{"endpoint":"\/status","created_at":1558131423,"workspace":"default","actions":["read"],"negative":false,"role":{"id":"e32507a5-e636-40b2-88c0-090042db7d79"}}
+### Service location hints
 
-$ curl -sX POST http://admin.kong.example/rbac/users/statuschecker/roles --data roles=read-status
-{"roles":[{"created_at":1558131353,"id":"e32507a5-e636-40b2-88c0-090042db7d79","name":"read-status"}],"user":{"user_token_ident":"45239","user_token":"$2b$09$cL.xbvRQCzE35A0osl8VTej7u0BgJOIgpTVjxpwZ1U8.jNdMwyQRW","id":"fe8824dc-09a7-4b68-b5e6-541e4b9b4ced","name":"statuschecker","comment":null,"enabled":true,"created_at":1558131229}}
-```
-Probes will then need to include that user's token, e.g. for the readinessProbe:
+Kong Enterprise add two GUIs, Kong Manager and the Kong Developer Portal, that
+must know where other Kong services (namely the admin and files APIs) can be
+accessed in order to function properly. Kong's default behavior for attempting
+to locate these absent configuration is unlikely to work in common Kubernetes
+environments. Because of this, you should set each of `admin_gui_url`,
+`admin_api_uri`, `proxy_url`, `portal_api_url`, `portal_gui_host`, and
+`portal_gui_protocol` under the `.env` key in values.yaml to locations where
+each of their respective services can be accessed to ensure that Kong services
+can locate one another and properly set CORS headers. See the
+[Property Reference documentation](https://docs.konghq.com/enterprise/latest/property-reference/)
+for more details on these settings.
 
-```
-readinessProbe:
-  httpGet:
-    path: "/status"
-    port: admin
-    scheme: HTTP
-    httpHeaders:
-      - name: Kong-Admin-Token
-        value: REPLACE_WITH_SOME_TOKEN
-    ...
-```
+### RBAC
+
+You can create a default RBAC superuser when initially setting up an
+environment, by setting the `KONG_PASSWORD` environment variable on the initial
+migration Job's Pod. This will create a `kong_admin` admin whose token and
+basic-auth password match the value of `KONG_PASSWORD`.
+You can create a secret holding the initial password value and then
+mount the secret as an environment variable using the `env` section.
 
 Note that RBAC is **NOT** currently enabled on the admin API container for the
 controller Pod when the ingress controller is enabled. This admin API container
@@ -293,10 +426,10 @@ need to be stored in plaintext. RBAC is still enforced on the admin API of the
 main deployment when using the ingress controller, as that admin API *is*
 accessible outside the Pod.
 
-#### Sessions
+### Sessions
 
-Login sessions for Kong Manager and the Developer Portal make use of [the Kong
-Sessions plugin](https://docs.konghq.com/enterprise/0.35-x/kong-manager/authentication/sessions/).
+Login sessions for Kong Manager and the Developer Portal make use of
+[the Kong Sessions plugin](https://docs.konghq.com/enterprise/latest/kong-manager/authentication/sessions).
 Their configuration must be stored in Secrets, as it contains an HMAC key.
 If using either RBAC or the Portal, create a Secret with `admin_gui_session_conf`
 and `portal_session_conf` keys.
@@ -314,12 +447,13 @@ always be changed for both configurations.
 
 After creating your secret, set its name in values.yaml, in the
 `.enterprise.rbac.session_conf_secret` and
-`.enterprise.rbac.session_conf_secret` keys.
+`.enterprise.portal.session_conf_secret` keys.
 
-#### Email/SMTP
+### Email/SMTP
 
-Email is used to send invitations for [Kong Admins](https://docs.konghq.com/enterprise/enterprise/0.35-x/kong-manager/networking/email/)
-and [Developers](https://docs.konghq.com/enterprise/enterprise/0.35-x/developer-portal/configuration/smtp/).
+Email is used to send invitations for
+[Kong Admins](https://docs.konghq.com/enterprise/latest/kong-manager/networking/email)
+and [Developers](https://docs.konghq.com/enterprise/latest/developer-portal/configuration/smtp).
 
 Email invitations rely on setting a number of SMTP settings at once. For
 convenience, these are grouped under the `.enterprise.smtp` key in values.yaml.
@@ -332,66 +466,281 @@ If your SMTP server requires authentication, you should the `username` and
 `smtp_password_secret` must be a Secret containing an `smtp_password` key whose
 value is your SMTP password.
 
-### DB-less Configuration
+## Changelog
 
+### 0.36.6
 
-When deploying Kong in DB-less mode (`env.database: "off"`) and without the Ingress
-Controller (`ingressController.enabled: false`), Kong needs a config to run. In
-this case, configuration can be provided using an exsiting ConfigMap
-(`dblessConfig.configMap`) or pushed directly into the values file under
-`dblessConfig.config`. See the example configuration in the default values.yaml
-for more details.
+This version has no code changes and Kong's chart is now deprecated in this
+repository. Please use Kong's official
+[chart repository](https://github.com/kong/charts).
 
-### Kong Ingress Controller
+### 0.36.5
 
-Kong Ingress Controller's primary purpose is to satisfy Ingress resources
-created in your Kubernetes cluster.
-It uses CRDs for more fine grained control over routing and
-for Kong specific configuration.
-To deploy the ingress controller together with
-kong run the following command:
+> PR https://github.com/helm/charts/pull/20099
 
-```bash
-# without a database
-helm install stable/kong --set ingressController.enabled=true \
-  --set postgresql.enabled=false --set env.database=off
-# with a database
-helm install stable/kong --set ingressController.enabled=true
-```
+#### Improvements
 
-If you like to use a static IP:
+- Allow `grpc` protocol for KongPlugins
 
-```shell
-helm install stable/kong --set ingressController.enabled=true --set proxy.loadBalancerIP=[Your IP goes there] --set proxy.type=LoadBalancer --name kong --namespace kong
-```
+### 0.36.4
 
-**Note**: Kong Ingress controller doesn't support custom SSL certificates
-on Admin port. We will be removing this limitation in the future.
+> PR https://github.com/helm/charts/pull/20051
 
-Kong ingress controller relies on several Custom Resource Definition objects to
-declare the the Kong configurations and synchronize the configuration with the
-Kong admin API. Each of this new objects  declared in Kubernetes have a
-one-to-one relation with a Kong resource.
-The custom resources are:
+#### Fixed
 
-- KongConsumer
-- KongCredential
-- KongPlugin
-- KongIngress
+- Issue: [`Ingress Controller errors when chart is redeployed with Admission
+  Webhook enabled`](https://github.com/helm/charts/issues/20050)
 
-You can can learn about kong ingress custom resource definitions [here](https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/custom-resources.md).
+### 0.36.3
 
+> PR https://github.com/helm/charts/pull/19992
 
-| Parameter                          | Description                                                                           | Default                                                                      |
-| ---------------------------------- | ------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
-| enabled                            | Deploy the ingress controller, rbac and crd                                           | false                                                                        |
-| replicaCount                       | Number of desired ingress controllers                                                 | 1                                                                            |
-| image.repository                   | Docker image with the ingress controller                                              | kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller |
-| image.tag                          | Version of the ingress controller                                                     | 0.2.0                                                                        |
-| readinessProbe                     | Kong ingress controllers readiness probe                                              |                                                                              |
-| livenessProbe                      | Kong ingress controllers liveness probe                                               |                                                                              |
-| ingressClass                       | The ingress-class value for controller                                                | nginx                                                                        |
-| podDisruptionBudget.enabled        | Enable PodDisruptionBudget for ingress controller                                     | `false`                                                                      |
-| podDisruptionBudget.maxUnavailable | Represents the minimum number of Pods that can be unavailable (integer or percentage) | `50%`                                                                        |
-| podDisruptionBudget.minAvailable   | Represents the number of Pods that must be available (integer or percentage)          |                                                                              |
+#### Fixed
+
+- Fix spacing in ServiceMonitor when label is specified in config
+
+### 0.36.2
+
+> PR https://github.com/helm/charts/pull/19955
+
+#### Fixed
+
+- Set `sideEffects` and `admissionReviewVersions` for Admission Webhook
+- timeouts for liveness and readiness probes has been changed from `1s` to `5s`
+
+### 0.36.1
+
+> PR https://github.com/helm/charts/pull/19946
+
+#### Fixed
+
+- Added missing watch permission to custom resources
+
+### 0.36.0
+
+> PR https://github.com/helm/charts/pull/19916
+
+#### Upgrade Instructions
+
+- When upgrading from <0.35.0, in-place chart upgrades will fail.
+  It is necessary to delete the helm release with `helm del --purge $RELEASE` and redeploy from scratch.
+  Note that this will cause downtime for the kong proxy. 
+
+#### Improvements 
+
+- Fixed Deployment's label selector that prevented in-place chart upgrades.
+
+### 0.35.1
+
+> PR https://github.com/helm/charts/pull/19914
+
+#### Improvements
+
+- Update CRDs to Ingress Controller 0.7
+- Optimize readiness and liveness probes for more responsive health checks
+- Fixed incorrect space in NOTES.txt
+
+### 0.35.0
+
+> PR [#19856](https://github.com/helm/charts/pull/19856)
+
+#### Improvements
+
+- Labels on all resources have been updated to adhere to the Helm Chart
+  guideline here:
+  https://v2.helm.sh/docs/developing_charts/#syncing-your-chart-repository
+
+### 0.34.2
+
+> PR [#19854](https://github.com/helm/charts/pull/19854)
+
+This release contains no user-visible changes
+
+#### Under the hood
+
+ - Various tests have been consolidated to speed up CI.
+
+### 0.34.1
+
+> PR [#19887](https://github.com/helm/charts/pull/19887)
+
+#### Fixed
+
+- Correct indentation for Job securityContexts.
+
+### 0.34.0
+
+> PR [#19885](https://github.com/helm/charts/pull/19885)
+
+#### New features
+
+- Update default version of Ingress Controller to 0.7.0
+
+### 0.33.1
+
+> PR [#19852](https://github.com/helm/charts/pull/19852)
+
+#### Fixed
+
+- Correct an issue with white space handling within `final_env` helper.
+
+### 0.33.0
+
+> PR [#19840](https://github.com/helm/charts/pull/19840)
+
+#### Dependencies
+
+- Postgres sub-chart has been bumped up to 8.1.2
+
+#### Fixed
+
+- Removed podDisruption budge for Ingress Controller. Ingress Controller and
+  Kong run in the same pod so this was no longer applicable
+- Migration job now receives the same environment variable and configuration
+  as that of the Kong pod.
+- If Kong is configured to run with Postgres, the Kong pods now always wait
+  for Postgres to start. Previously this was done only when the sub-chart
+  Postgres was deployed.
+- A hard-coded container name is used for kong: `proxy`. Previously this
+  was auto-generated by Helm. This deterministic naming allows for simpler
+  scripts and documentation.
+
+#### Under the hood
+
+Following changes have no end user visible effects:
+
+- All Custom Resource Definitions have been consolidated into a single
+  template file
+- All RBAC resources have been consolidated into a single template file
+- `wait-for-postgres` container has been refactored and de-duplicated
+
+### 0.32.1
+
+#### Improvements
+
+- This is a doc only release. No code changes have been done.
+- Post installation steps have been simplified and now point to a getting
+  started page
+- Misc updates to README:
+  - Document missing variables
+  - Remove outdated variables
+  - Revamp and rewrite major portions of the README
+  - Added a table of content to make the content navigable
+
+### 0.32.0
+
+#### Improvements
+
+- Create and mount emptyDir volumes for `/tmp` and `/kong_prefix` to allow
+  for read-only root filesystem securityContexts and PodSecurityPolicys.
+- Use read-only mounts for custom plugin volumes.
+- Update stock PodSecurityPolicy to allow emptyDir access.
+- Override the standard `/usr/local/kong` prefix to the mounted emptyDir
+  at `/kong_prefix` in `.Values.env`.
+- Add securityContext injection points to template. By default,
+  it sets Kong pods to run with UID 1000.
+
+#### Fixes
+
+- Correct behavior for the Vitals toggle.
+  Vitals defaults to on in all current Kong Enterprise releases, and
+  the existing template only created the Vitals environment variable
+  if `.Values.enterprise.enabled == true`. Inverted template to create
+  it (and set it to "off") if that setting is instead disabled.
+- Correct an issue where custom plugin configurations would block Kong
+  from starting.
+
+### 0.31.0
+
+#### Breaking changes
+
+- Admin Service is disabled by default (`admin.enabled`)
+- Default for `proxy.type` has been changed to `LoadBalancer`
+
+#### New features
+
+- Update default version of Kong to 1.4
+- Update default version of Ingress Controller to 0.6.2
+- Add support to disable kong-admin service via `admin.enabled` flag.
+
+### 0.31.2
+
+#### Fixes
+
+- Do not remove white space between documents when rendering
+  `migrations-pre-upgrade.yaml`
+
+### 0.30.1
+
+#### New Features
+
+- Add support for specifying Proxy service ClusterIP
+
+### 0.30.0
+
+#### Breaking changes
+
+- `admin_gui_auth_conf_secret` is now required for Kong Manager
+  authentication methods other than `basic-auth`.
+  Users defining values for `admin_gui_auth_conf` should migrate them to
+  an externally-defined secret with a key of `admin_gui_auth_conf` and
+  reference the secret name in `admin_gui_auth_conf_secret`.
+
+### 0.29.0
+
+#### New Features
+
+- Add support for specifying Ingress Controller environment variables.
+
+### 0.28.0
+
+#### New Features
+
+- Added support for the Validating Admission Webhook with the Ingress Controller.
+
+### 0.27.2
+
+#### Fixes
+
+- Do not create a ServiceAccount if it is not necessary.
+- If a configuration change requires creating a ServiceAccount,
+  create a temporary ServiceAccount to allow pre-upgrade tasks to
+  complete before the regular ServiceAccount is created.
+
+### 0.27.1
+
+#### Documentation updates
+- Retroactive changelog update for 0.24 breaking changes.
+
+### 0.27.0
+
+#### Breaking changes
+
+- DB-less mode is enabled by default.
+- Kong is installed as an Ingress Controller for the cluster by default.
+
+### 0.25.0
+
+#### New features
+
+- Add support for PodSecurityPolicy
+- Require creation of a ServiceAccount
+
+### 0.24.0
+
+#### Breaking changes
+
+- The configuration format for ingresses in values.yaml has changed. 
+Previously, all ingresses accepted an array of hostnames, and would create
+ingress rules for each. Ingress configuration for services other than the proxy
+now accepts a single hostname, which allows simpler TLS configuration and
+automatic population of `admin_api_uri` and similar settings. Configuration for
+the proxy ingress is unchanged, but its documentation now accurately reflects
+the TLS configuration needed.
+
+## Seeking help
 
+If you run into an issue, bug or have a question, please reach out to the Kong
+community via [Kong Nation](https://discuss.konghq.com).
+Please do not open issues in [this](https://github.com/helm/charts) repository
+as the maintainers will not be notified and won't respond.
diff --git a/helm/infrastructure/subcharts/kong/charts/cassandra/.helmignore b/helm/infrastructure/subcharts/kong/charts/cassandra/.helmignore
deleted file mode 100755 (executable)
index 5e03def..0000000
+++ /dev/null
@@ -1,17 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-OWNERS
diff --git a/helm/infrastructure/subcharts/kong/charts/cassandra/Chart.yaml b/helm/infrastructure/subcharts/kong/charts/cassandra/Chart.yaml
deleted file mode 100755 (executable)
index 44592bb..0000000
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: v1
-appVersion: 3.11.3
-description: Apache Cassandra is a free and open-source distributed database management
-  system designed to handle large amounts of data across many commodity servers, providing
-  high availability with no single point of failure.
-engine: gotpl
-home: http://cassandra.apache.org
-icon: https://upload.wikimedia.org/wikipedia/commons/thumb/5/5e/Cassandra_logo.svg/330px-Cassandra_logo.svg.png
-keywords:
-- cassandra
-- database
-- nosql
-maintainers:
-- email: goonohc@gmail.com
-  name: KongZ
-name: cassandra
-version: 0.10.5
diff --git a/helm/infrastructure/subcharts/kong/charts/cassandra/README.md b/helm/infrastructure/subcharts/kong/charts/cassandra/README.md
deleted file mode 100755 (executable)
index b3b1959..0000000
+++ /dev/null
@@ -1,190 +0,0 @@
-# Cassandra
-A Cassandra Chart for Kubernetes
-
-## Install Chart
-To install the Cassandra Chart into your Kubernetes cluster (This Chart requires persistent volume by default, you may need to create a storage class before install chart. To create storage class, see [Persist data](#persist_data) section)
-
-```bash
-helm install --namespace "cassandra" -n "cassandra" incubator/cassandra
-```
-
-After installation succeeds, you can get a status of Chart
-
-```bash
-helm status "cassandra"
-```
-
-If you want to delete your Chart, use this command
-```bash
-helm delete  --purge "cassandra"
-```
-
-## Persist data
-You need to create `StorageClass` before able to persist data in persistent volume.
-To create a `StorageClass` on Google Cloud, run the following
-
-```bash
-kubectl create -f sample/create-storage-gce.yaml
-```
-
-And set the following values in `values.yaml`
-
-```yaml
-persistence:
-  enabled: true
-```
-
-If you want to create a `StorageClass` on other platform, please see documentation here [https://kubernetes.io/docs/user-guide/persistent-volumes/](https://kubernetes.io/docs/user-guide/persistent-volumes/)
-
-When running a cluster without persistence, the termination of a pod will first initiate a decommissioning of that pod.
-Depending on the amount of data stored inside the cluster this may take a while. In order to complete a graceful
-termination, pods need to get more time for it. Set the following values in `values.yaml`:
-
-```yaml
-podSettings:
-  terminationGracePeriodSeconds: 1800
-```
-
-## Install Chart with specific cluster size
-By default, this Chart will create a cassandra with 3 nodes. If you want to change the cluster size during installation, you can use `--set config.cluster_size={value}` argument. Or edit `values.yaml`
-
-For example:
-Set cluster size to 5
-
-```bash
-helm install --namespace "cassandra" -n "cassandra" --set config.cluster_size=5 incubator/cassandra/
-```
-
-## Install Chart with specific resource size
-By default, this Chart will create a cassandra with CPU 2 vCPU and 4Gi of memory which is suitable for development environment.
-If you want to use this Chart for production, I would recommend to update the CPU to 4 vCPU and 16Gi. Also increase size of `max_heap_size` and `heap_new_size`.
-To update the settings, edit `values.yaml`
-
-## Install Chart with specific node
-Sometime you may need to deploy your cassandra to specific nodes to allocate resources. You can use node selector by edit `nodes.enabled=true` in `values.yaml`
-For example, you have 6 vms in node pools and you want to deploy cassandra to node which labeled as `cloud.google.com/gke-nodepool: pool-db`
-
-Set the following values in `values.yaml`
-
-```yaml
-nodes:
-  enabled: true
-  selector:
-    nodeSelector:
-      cloud.google.com/gke-nodepool: pool-db
-```
-
-## Configuration
-
-The following table lists the configurable parameters of the Cassandra chart and their default values.
-
-| Parameter                  | Description                                     | Default                                                    |
-| -----------------------    | ---------------------------------------------   | ---------------------------------------------------------- |
-| `image.repo`                         | `cassandra` image repository                    | `cassandra`                                                |
-| `image.tag`                          | `cassandra` image tag                           | `3.11.3`                                                   |
-| `image.pullPolicy`                   | Image pull policy                               | `Always` if `imageTag` is `latest`, else `IfNotPresent`    |
-| `image.pullSecrets`                  | Image pull secrets                              | `nil`                                                      |
-| `config.cluster_domain`              | The name of the cluster domain.                 | `cluster.local`                                            |
-| `config.cluster_name`                | The name of the cluster.                        | `cassandra`                                                |
-| `config.cluster_size`                | The number of nodes in the cluster.             | `3`                                                        |
-| `config.seed_size`                   | The number of seed nodes used to bootstrap new clients joining the cluster.                            | `2` |
-| `config.seeds`                       | The comma-separated list of seed nodes.         | Automatically generated according to `.Release.Name` and `config.seed_size` |
-| `config.num_tokens`                  | Initdb Arguments                                | `256`                                                      |
-| `config.dc_name`                     | Initdb Arguments                                | `DC1`                                                      |
-| `config.rack_name`                   | Initdb Arguments                                | `RAC1`                                                     |
-| `config.endpoint_snitch`             | Initdb Arguments                                | `SimpleSnitch`                                             |
-| `config.max_heap_size`               | Initdb Arguments                                | `2048M`                                                    |
-| `config.heap_new_size`               | Initdb Arguments                                | `512M`                                                     |
-| `config.ports.cql`                   | Initdb Arguments                                | `9042`                                                     |
-| `config.ports.thrift`                | Initdb Arguments                                | `9160`                                                     |
-| `config.ports.agent`                 | The port of the JVM Agent (if any)              | `nil`                                                      |
-| `config.start_rpc`                   | Initdb Arguments                                | `false`                                                    |
-| `configOverrides`                    | Overrides config files in /etc/cassandra dir    | `{}`                                                       |
-| `commandOverrides`                   | Overrides default docker command                | `[]`                                                       |
-| `argsOverrides`                      | Overrides default docker args                   | `[]`                                                       |
-| `env`                                | Custom env variables                            | `{}`                                                       |
-| `persistence.enabled`                | Use a PVC to persist data                       | `true`                                                     |
-| `persistence.storageClass`           | Storage class of backing PVC                    | `nil` (uses alpha storage class annotation)                |
-| `persistence.accessMode`             | Use volume as ReadOnly or ReadWrite             | `ReadWriteOnce`                                            |
-| `persistence.size`                   | Size of data volume                             | `10Gi`                                                     |
-| `resources`                          | CPU/Memory resource requests/limits             | Memory: `4Gi`, CPU: `2`                                    |
-| `service.type`                       | k8s service type exposing ports, e.g. `NodePort`| `ClusterIP`                                                |
-| `podManagementPolicy`                | podManagementPolicy of the StatefulSet          | `OrderedReady`                                             |
-| `podDisruptionBudget`                | Pod distruption budget                          | `{}`                                                       |
-| `podAnnotations`                     | pod annotations for the StatefulSet             | `{}`                                                       |
-| `updateStrategy.type`                | UpdateStrategy of the StatefulSet               | `OnDelete`                                                 |
-| `livenessProbe.initialDelaySeconds`  | Delay before liveness probe is initiated        | `90`                                                       |
-| `livenessProbe.periodSeconds`        | How often to perform the probe                  | `30`                                                       |
-| `livenessProbe.timeoutSeconds`       | When the probe times out                        | `5`                                                        |
-| `livenessProbe.successThreshold`     | Minimum consecutive successes for the probe to be considered successful after having failed.           | `1` |
-| `livenessProbe.failureThreshold`     | Minimum consecutive failures for the probe to be considered failed after having succeeded.             | `3` |
-| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated       | `90`                                                       |
-| `readinessProbe.periodSeconds`       | How often to perform the probe                  | `30`                                                       |
-| `readinessProbe.timeoutSeconds`      | When the probe times out                        | `5`                                                        |
-| `readinessProbe.successThreshold`    | Minimum consecutive successes for the probe to be considered successful after having failed.           | `1` |
-| `readinessProbe.failureThreshold`    | Minimum consecutive failures for the probe to be considered failed after having succeeded.             | `3` |
-| `rbac.create`                        | Specifies whether RBAC resources should be created                                                  | `true` |
-| `serviceAccount.create`              | Specifies whether a ServiceAccount should be created                                                | `true` |
-| `serviceAccount.name`                | The name of the ServiceAccount to use           |                                                            |
-| `backup.enabled`                     | Enable backup on chart installation             | `false`                                                    |
-| `backup.schedule`                    | Keyspaces to backup, each with cron time        |                                                            |
-| `backup.annotations`                 | Backup pod annotations                          | iam.amazonaws.com/role: `cain`                             |
-| `backup.image.repo`                  | Backup image repository                         | `nuvo/cain`                                                |
-| `backup.image.tag`                   | Backup image tag                                | `0.4.1`                                                    |
-| `backup.extraArgs`                   | Additional arguments for cain                   | `[]`                                                       |
-| `backup.env`                         | Backup environment variables                    | AWS_REGION: `us-east-1`                                    |
-| `backup.resources`                   | Backup CPU/Memory resource requests/limits      | Memory: `1Gi`, CPU: `1`                                    |
-| `backup.destination`                 | Destination to store backup artifacts           | `s3://bucket/cassandra`                                    |
-| `exporter.enabled`                   | Enable Cassandra exporter                       | `false`                                                    |
-| `exporter.image.repo`                | Exporter image repository                       | `criteord/cassandra_exporter`                              |
-| `exporter.image.tag`                 | Exporter image tag                              | `2.0.2`                                                    |
-| `exporter.port`                      | Exporter port                                   | `5556`                                                     |
-| `exporter.jvmOpts`                   | Exporter additional JVM options                 |                                                            |
-| `affinity`                           | Kubernetes node affinity                        | `{}`                                                       |
-| `tolerations`                        | Kubernetes node tolerations                     | `[]`                                                       |
-
-
-## Scale cassandra
-When you want to change the cluster size of your cassandra, you can use the helm upgrade command.
-
-```bash
-helm upgrade --set config.cluster_size=5 cassandra incubator/cassandra
-```
-
-## Get cassandra status
-You can get your cassandra cluster status by running the command
-
-```bash
-kubectl exec -it --namespace cassandra $(kubectl get pods --namespace cassandra -l app=cassandra-cassandra -o jsonpath='{.items[0].metadata.name}') nodetool status
-```
-
-Output
-```bash
-Datacenter: asia-east1
-======================
-Status=Up/Down
-|/ State=Normal/Leaving/Joining/Moving
---  Address    Load       Tokens       Owns (effective)  Host ID                               Rack
-UN  10.8.1.11  108.45 KiB  256          66.1%             410cc9da-8993-4dc2-9026-1dd381874c54  a
-UN  10.8.4.12  84.08 KiB  256          68.7%             96e159e1-ef94-406e-a0be-e58fbd32a830  c
-UN  10.8.3.6   103.07 KiB  256          65.2%             1a42b953-8728-4139-b070-b855b8fff326  b
-```
-
-## Benchmark
-You can use [cassandra-stress](https://docs.datastax.com/en/cassandra/3.0/cassandra/tools/toolsCStress.html) tool to run the benchmark on the cluster by the following command
-
-```bash
-kubectl exec -it --namespace cassandra $(kubectl get pods --namespace cassandra -l app=cassandra-cassandra -o jsonpath='{.items[0].metadata.name}') cassandra-stress
-```
-
-Example of `cassandra-stress` argument
- - Run both read and write with ration 9:1
- - Operator total 1 million keys with uniform distribution
- - Use QUORUM for read/write
- - Generate 50 threads
- - Generate result in graph
- - Use NetworkTopologyStrategy with replica factor 2
-
-```bash
-cassandra-stress mixed ratio\(write=1,read=9\) n=1000000 cl=QUORUM -pop dist=UNIFORM\(1..1000000\) -mode native cql3 -rate threads=50 -log file=~/mixed_autorate_r9w1_1M.log -graph file=test2.html title=test revision=test2 -schema "replication(strategy=NetworkTopologyStrategy, factor=2)"
-```
diff --git a/helm/infrastructure/subcharts/kong/charts/cassandra/sample/create-storage-gce.yaml b/helm/infrastructure/subcharts/kong/charts/cassandra/sample/create-storage-gce.yaml
deleted file mode 100755 (executable)
index 2467b95..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
-kind: StorageClass
-apiVersion: storage.k8s.io/v1
-metadata:
-  name: generic
-provisioner: kubernetes.io/gce-pd
-parameters:
-  type: pd-ssd
diff --git a/helm/infrastructure/subcharts/kong/charts/cassandra/templates/NOTES.txt b/helm/infrastructure/subcharts/kong/charts/cassandra/templates/NOTES.txt
deleted file mode 100755 (executable)
index 9ecb004..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-Cassandra CQL can be accessed via port {{ .Values.config.ports.cql }} on the following DNS name from within your cluster:
-Cassandra Thrift can be accessed via port {{ .Values.config.ports.thrift }} on the following DNS name from within your cluster:
-
-If you want to connect to the remote instance with your local Cassandra CQL cli. To forward the API port to localhost:9042 run the following:
-- kubectl port-forward --namespace {{ .Release.Namespace }} $(kubectl get pods --namespace {{ .Release.Namespace }} -l app={{ template "cassandra.name" . }},release={{ .Release.Name }} -o jsonpath='{ .items[0].metadata.name }') 9042:{{ .Values.config.ports.cql }}
-
-If you want to connect to the Cassandra CQL run the following:
-{{- if contains "NodePort" .Values.service.type }}
-- export CQL_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "cassandra.fullname" . }})
-- export CQL_HOST=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-- cqlsh $CQL_HOST $CQL_PORT
-
-{{- else if contains "LoadBalancer" .Values.service.type }}
-  NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-        Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "cassandra.fullname" . }}'
-- export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "cassandra.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-- echo cqlsh $SERVICE_IP
-{{- else if contains "ClusterIP" .Values.service.type }}
-- kubectl port-forward --namespace {{ .Release.Namespace }} $(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "cassandra.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 9042:{{ .Values.config.ports.cql }}
-  echo cqlsh 127.0.0.1 9042
-{{- end }}
-
-You can also see the cluster status by run the following:
-- kubectl exec -it --namespace {{ .Release.Namespace }} $(kubectl get pods --namespace {{ .Release.Namespace }} -l app={{ template "cassandra.name" . }},release={{ .Release.Name }} -o jsonpath='{.items[0].metadata.name}') nodetool status
-
-To tail the logs for the Cassandra pod run the following:
-- kubectl logs -f --namespace {{ .Release.Namespace }} $(kubectl get pods --namespace {{ .Release.Namespace }} -l app={{ template "cassandra.name" . }},release={{ .Release.Name }} -o jsonpath='{ .items[0].metadata.name }')
-
-{{- if not .Values.persistence.enabled }}
-
-Note that the cluster is running with node-local storage instead of PersistentVolumes. In order to prevent data loss,
-pods will be decommissioned upon termination. Decommissioning may take some time, so you might also want to adjust the
-pod termination gace period, which is currently set to {{ .Values.podSettings.terminationGracePeriodSeconds }} seconds.
-
-{{- end}}
diff --git a/helm/infrastructure/subcharts/kong/charts/cassandra/templates/_helpers.tpl b/helm/infrastructure/subcharts/kong/charts/cassandra/templates/_helpers.tpl
deleted file mode 100755 (executable)
index b870420..0000000
+++ /dev/null
@@ -1,43 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "cassandra.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "cassandra.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "cassandra.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "cassandra.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
-    {{ default (include "cassandra.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
-    {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/cassandra/templates/backup/cronjob.yaml b/helm/infrastructure/subcharts/kong/charts/cassandra/templates/backup/cronjob.yaml
deleted file mode 100755 (executable)
index fdf6282..0000000
+++ /dev/null
@@ -1,73 +0,0 @@
-{{- if .Values.backup.enabled }}
-{{- $release := .Release }}
-{{- $values := .Values }}
-{{- $backup := $values.backup }}
-{{- range $index, $schedule := $backup.schedule }}
----
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-  name: {{ template "cassandra.fullname" $ }}-backup-{{ $schedule.keyspace | replace "_" "-" }}
-  labels:
-    app: {{ template "cassandra.name" $ }}-cain
-    chart: {{ template "cassandra.chart" $ }}
-    release: "{{ $release.Name }}"
-    heritage: "{{ $release.Service }}"
-spec:
-  schedule: {{ $schedule.cron | quote }}
-  concurrencyPolicy: Forbid
-  startingDeadlineSeconds: 120
-  jobTemplate:
-    spec:
-      template:
-        metadata:
-          annotations:
-            {{ toYaml $backup.annotations }}
-        spec:
-          restartPolicy: OnFailure
-          serviceAccountName: {{ template "cassandra.serviceAccountName" $ }}
-          containers:
-          - name: cassandra-backup
-            image: "{{ $backup.image.repos }}:{{ $backup.image.tag }}"
-            command: ["cain"]
-            args:
-            - backup
-            - --namespace
-            - {{ $release.Namespace }}
-            - --selector
-            - release={{ $release.Name }},app={{ template "cassandra.name" $ }}
-            - --keyspace
-            - {{ $schedule.keyspace }}
-            - --dst
-            - {{ $backup.destination }}
-            {{- with $backup.extraArgs }}
-{{ toYaml . | indent 12 }}
-          {{- end }}
-          {{- with $backup.env }}
-            env:
-{{ toYaml . | indent 12 }}
-          {{- end }}
-          {{- with $backup.resources }}
-            resources:
-{{ toYaml . | indent 14 }}
-          {{- end }}
-        affinity:
-          podAffinity:
-            preferredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchExpressions:
-                - key: app
-                  operator: In
-                  values:
-                  - {{ template "cassandra.fullname" $ }}
-                - key: release
-                  operator: In
-                  values:
-                  - {{ $release.Name }}
-              topologyKey: "kubernetes.io/hostname"
-      {{- with $values.tolerations }}
-        tolerations:
-{{ toYaml . | indent 10 }}
-      {{- end }}
-{{- end }}
-{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/cassandra/templates/backup/rbac.yaml b/helm/infrastructure/subcharts/kong/charts/cassandra/templates/backup/rbac.yaml
deleted file mode 100755 (executable)
index 12b0f27..0000000
+++ /dev/null
@@ -1,50 +0,0 @@
-{{- if .Values.backup.enabled }}
-{{- if .Values.serviceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ template "cassandra.serviceAccountName" . }}
-  labels:
-    app: {{ template "cassandra.name" . }}
-    chart: {{ template "cassandra.chart" . }}
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
----
-{{- end }}
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ template "cassandra.fullname" . }}-backup
-  labels:
-    app: {{ template "cassandra.name" . }}
-    chart: {{ template "cassandra.chart" . }}
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-rules:
-- apiGroups: [""]
-  resources: ["pods", "pods/log"]
-  verbs: ["get", "list"]
-- apiGroups: [""]
-  resources: ["pods/exec"]
-  verbs: ["create"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ template "cassandra.fullname" . }}-backup
-  labels:
-    app: {{ template "cassandra.name" . }}
-    chart: {{ template "cassandra.chart" . }}
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ template "cassandra.fullname" . }}-backup
-subjects:
-- kind: ServiceAccount
-  name: {{ template "cassandra.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
-{{- end }}
-{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/cassandra/templates/configmap.yaml b/helm/infrastructure/subcharts/kong/charts/cassandra/templates/configmap.yaml
deleted file mode 100755 (executable)
index 4e5ab76..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if .Values.configOverrides }}
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: {{ template "cassandra.name" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: {{ template "cassandra.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-data:
-{{ toYaml .Values.configOverrides | indent 2 }}
-{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/cassandra/templates/pdb.yaml b/helm/infrastructure/subcharts/kong/charts/cassandra/templates/pdb.yaml
deleted file mode 100755 (executable)
index 2e539bd..0000000
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if .Values.podDisruptionBudget -}}
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
-  labels:
-    app: {{ template "cassandra.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-  name: {{ template "cassandra.fullname" . }}
-spec:
-  selector:
-    matchLabels:
-      app: {{ template "cassandra.name" . }}
-      release: {{ .Release.Name }}
-{{ toYaml .Values.podDisruptionBudget | indent 2 }}
-{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/charts/cassandra/templates/service.yaml b/helm/infrastructure/subcharts/kong/charts/cassandra/templates/service.yaml
deleted file mode 100755 (executable)
index cf7f94b..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "cassandra.fullname" . }}
-  labels:
-    app: {{ template "cassandra.name" . }}
-    chart: {{ template "cassandra.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-spec:
-  clusterIP: None
-  type: {{ .Values.service.type }}
-  ports:
-  - name: intra
-    port: 7000
-    targetPort: 7000
-  - name: tls
-    port: 7001
-    targetPort: 7001
-  - name: jmx
-    port: 7199
-    targetPort: 7199
-  - name: cql
-    port: {{ default 9042 .Values.config.ports.cql }}
-    targetPort: {{ default 9042 .Values.config.ports.cql }}
-  - name: thrift
-    port: {{ default 9160 .Values.config.ports.thrift }}
-    targetPort: {{ default 9160 .Values.config.ports.thrift }}
-  {{- if .Values.config.ports.agent }}
-  - name: agent
-    port: {{ .Values.config.ports.agent }}
-    targetPort: {{ .Values.config.ports.agent }}
-  {{- end }}
-  selector:
-    app: {{ template "cassandra.name" . }}
-    release: {{ .Release.Name }}
diff --git a/helm/infrastructure/subcharts/kong/charts/cassandra/templates/statefulset.yaml b/helm/infrastructure/subcharts/kong/charts/cassandra/templates/statefulset.yaml
deleted file mode 100755 (executable)
index c691597..0000000
+++ /dev/null
@@ -1,200 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: {{ template "cassandra.fullname" . }}
-  labels:
-    app: {{ template "cassandra.name" . }}
-    chart: {{ template "cassandra.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-spec:
-  selector:
-    matchLabels:
-      app: {{ template "cassandra.name" . }}
-      release: {{ .Release.Name }}
-  serviceName: {{ template "cassandra.fullname" . }}
-  replicas: {{ .Values.config.cluster_size }}
-  podManagementPolicy: {{ .Values.podManagementPolicy }}
-  updateStrategy:
-    type: {{ .Values.updateStrategy.type }}
-  template:
-    metadata:
-      labels:
-        app: {{ template "cassandra.name" . }}
-        release: {{ .Release.Name }}
-{{- if .Values.podLabels }}
-{{ toYaml .Values.podLabels | indent 8 }}
-{{- end }}
-{{- if .Values.podAnnotations }}
-      annotations:
-{{ toYaml .Values.podAnnotations | indent 8 }}
-{{- end }}
-    spec:
-      hostNetwork: {{ .Values.hostNetwork }}
-{{- if .Values.selector }}
-{{ toYaml .Values.selector | indent 6 }}
-{{- end }}
-      {{- if .Values.securityContext.enabled }}
-      securityContext:
-        fsGroup: {{ .Values.securityContext.fsGroup }}
-        runAsUser: {{ .Values.securityContext.runAsUser }}
-      {{- end }}
-{{- if .Values.affinity }}
-      affinity:
-{{ toYaml .Values.affinity | indent 8 }}
-{{- end }}
-{{- if .Values.tolerations }}
-      tolerations:
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
-      containers:
-{{- if .Values.exporter.enabled }}
-      - name: cassandra-exporter
-        image: "{{ .Values.exporter.image.repo }}:{{ .Values.exporter.image.tag }}"
-        env:
-          - name: CASSANDRA_EXPORTER_CONFIG_listenPort
-            value: {{ .Values.exporter.port | quote }}
-          - name: JVM_OPTS
-            value: {{ .Values.exporter.jvmOpts | quote }}
-        ports:
-          - name: metrics
-            containerPort: {{ .Values.exporter.port }}
-            protocol: TCP
-          - name: jmx
-            containerPort: 5555
-        livenessProbe:
-          tcpSocket:
-            port: {{ .Values.exporter.port }}
-        readinessProbe:
-          httpGet:
-            path: /metrics
-            port: {{ .Values.exporter.port }}
-          initialDelaySeconds: 20
-          timeoutSeconds: 45
-{{- end }}
-      - name: {{ template "cassandra.fullname" . }}
-        image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}"
-        imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
-{{- if .Values.commandOverrides }}
-        command: {{ .Values.commandOverrides }}
-{{- end }}
-{{- if .Values.argsOverrides }}
-        args: {{ .Values.argsOverrides }}
-{{- end }}
-        resources:
-{{ toYaml .Values.resources | indent 10 }}
-        env:
-        {{- $seed_size := default 1 .Values.config.seed_size | int -}}
-        {{- $global := . }}
-        - name: CASSANDRA_SEEDS
-          {{- if .Values.hostNetwork }}
-          value: {{ required "You must fill \".Values.config.seeds\" with list of Cassandra seeds when hostNetwork is set to true" .Values.config.seeds | quote }}
-          {{- else }}
-          value: "{{- range $i, $e := until $seed_size }}{{ template "cassandra.fullname" $global }}-{{ $i }}.{{ template "cassandra.fullname" $global }}.{{ $global.Release.Namespace }}.svc.{{ $global.Values.config.cluster_domain }}{{- if (lt ( add1 $i ) $seed_size ) }},{{- end }}{{- end }}"
-          {{- end }}     
-        - name: MAX_HEAP_SIZE
-          value: {{ default "8192M" .Values.config.max_heap_size | quote }}
-        - name: HEAP_NEWSIZE
-          value: {{ default "200M" .Values.config.heap_new_size | quote }}
-        - name: CASSANDRA_ENDPOINT_SNITCH
-          value: {{ default "SimpleSnitch" .Values.config.endpoint_snitch | quote }}
-        - name: CASSANDRA_CLUSTER_NAME
-          value: {{ default "Cassandra" .Values.config.cluster_name | quote }}
-        - name: CASSANDRA_DC
-          value: {{ default "DC1" .Values.config.dc_name | quote }}
-        - name: CASSANDRA_RACK
-          value: {{ default "RAC1" .Values.config.rack_name | quote }}
-        - name: CASSANDRA_START_RPC
-          value: {{ default "false" .Values.config.start_rpc | quote }}
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-        {{- range $key, $value := .Values.env }}
-        - name: {{ $key | quote }}
-          value: {{ $value | quote }}
-        {{- end }}
-        livenessProbe:
-          exec:
-            command: [ "/bin/sh", "-c", "nodetool status" ]
-          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
-          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
-          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
-          successThreshold: {{ .Values.livenessProbe.successThreshold }}
-          failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
-        readinessProbe:
-          exec:
-            command: [ "/bin/sh", "-c", "nodetool status | grep -E \"^UN\\s+${POD_IP}\"" ]
-          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
-          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
-          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
-          successThreshold: {{ .Values.readinessProbe.successThreshold }}
-          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
-        ports:
-        - name: intra
-          containerPort: 7000
-        - name: tls
-          containerPort: 7001
-        - name: jmx
-          containerPort: 7199
-        - name: cql
-          containerPort: {{ default 9042 .Values.config.ports.cql }}
-        - name: thrift
-          containerPort: {{ default 9160 .Values.config.ports.thrift }}
-        {{- if .Values.config.ports.agent }}
-        - name: agent
-          containerPort: {{ .Values.config.ports.agent }}
-        {{- end }}
-        volumeMounts:
-        - name: data
-          mountPath: /var/lib/cassandra
-{{- range $key, $value := .Values.configOverrides }}
-        - name: cassandra-config-{{ $key | replace "." "-" }}
-          mountPath: /etc/cassandra/{{ $key }}
-          subPath: {{ $key }}
-{{- end }}
-        {{- if not .Values.persistence.enabled }}
-        lifecycle:
-          preStop:
-            exec:
-              command: ["/bin/sh", "-c", "exec nodetool decommission"]
-        {{- end }}
-      terminationGracePeriodSeconds: {{ default 30 .Values.podSettings.terminationGracePeriodSeconds }}
-      {{- if .Values.image.pullSecrets }}
-      imagePullSecrets:
-        - name: {{ .Values.image.pullSecrets }}
-      {{- end }}
-{{- if or .Values.configOverrides (not .Values.persistence.enabled) }}
-      volumes:
-{{- end }}
-{{- range $key, $value := .Values.configOverrides }}
-      - configMap:
-          name: cassandra
-        name: cassandra-config-{{ $key | replace "." "-" }}
-{{- end }}
-{{- if not .Values.persistence.enabled }}
-      - name: data
-        emptyDir: {}
-{{- else }}
-  volumeClaimTemplates:
-  - metadata:
-      name: data
-      labels:
-        app: {{ template "cassandra.name" . }}
-        chart: {{ template "cassandra.chart" . }}
-        release: {{ .Release.Name }}
-        heritage: {{ .Release.Service }}
-    spec:
-      accessModes:
-        - {{ .Values.persistence.accessMode | quote }}
-      resources:
-        requests:
-          storage: {{ .Values.persistence.size | quote }}
-    {{- if .Values.persistence.storageClass }}
-    {{- if (eq "-" .Values.persistence.storageClass) }}
-      storageClassName: ""
-    {{- else }}
-      storageClassName: "{{ .Values.persistence.storageClass }}"
-    {{- end }}
-    {{- end }}
-{{- end }}
diff --git a/helm/infrastructure/subcharts/kong/charts/cassandra/values.yaml b/helm/infrastructure/subcharts/kong/charts/cassandra/values.yaml
deleted file mode 100755 (executable)
index 6bfae65..0000000
+++ /dev/null
@@ -1,209 +0,0 @@
-## Cassandra image version
-## ref: https://hub.docker.com/r/library/cassandra/
-image:
-  repo: cassandra
-  tag: 3.11.3
-  pullPolicy: IfNotPresent
-  ## Specify ImagePullSecrets for Pods
-  ## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
-  # pullSecrets: myregistrykey
-
-## Specify a service type
-## ref: http://kubernetes.io/docs/user-guide/services/
-service:
-  type: ClusterIP
-
-## Persist data to a persistent volume
-persistence:
-  enabled: true
-  ## cassandra data Persistent Volume Storage Class
-  ## If defined, storageClassName: <storageClass>
-  ## If set to "-", storageClassName: "", which disables dynamic provisioning
-  ## If undefined (the default) or set to null, no storageClassName spec is
-  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
-  ##   GKE, AWS & OpenStack)
-  ##
-  # storageClass: "-"
-  accessMode: ReadWriteOnce
-  size: 10Gi
-
-## Configure resource requests and limits
-## ref: http://kubernetes.io/docs/user-guide/compute-resources/
-## Minimum memory for development is 4GB and 2 CPU cores
-## Minimum memory for production is 8GB and 4 CPU cores
-## ref: http://docs.datastax.com/en/archived/cassandra/2.0/cassandra/architecture/architecturePlanningHardware_c.html
-resources: {}
-  # requests:
-  #   memory: 4Gi
-  #   cpu: 2
-  # limits:
-  #   memory: 4Gi
-  #   cpu: 2
-
-## Change cassandra configuration parameters below:
-## ref: http://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/configCassandra_yaml.html
-## Recommended max heap size is 1/2 of system memory
-## Recommended heap new size is 1/4 of max heap size
-## ref: http://docs.datastax.com/en/cassandra/3.0/cassandra/operations/opsTuneJVM.html
-config:
-  cluster_domain: cluster.local
-  cluster_name: cassandra
-  cluster_size: 3
-  seed_size: 2
-  num_tokens: 256
-  # If you want Cassandra to use this datacenter and rack name,
-  # you need to set endpoint_snitch to GossipingPropertyFileSnitch.
-  # Otherwise, these values are ignored and datacenter1 and rack1
-  # are used.
-  dc_name: DC1
-  rack_name: RAC1
-  endpoint_snitch: SimpleSnitch
-  max_heap_size: 2048M
-  heap_new_size: 512M
-  start_rpc: false
-  ports:
-    cql: 9042
-    thrift: 9160
-    # If a JVM Agent is in place
-    # agent: 61621
-
-## Cassandra config files overrides
-configOverrides: {}
-
-## Cassandra docker command overrides
-commandOverrides: []
-
-## Cassandra docker args overrides
-argsOverrides: []
-
-## Custom env variables.
-## ref: https://hub.docker.com/_/cassandra/
-env: {}
-
-## Liveness and Readiness probe values.
-## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
-livenessProbe:
-  initialDelaySeconds: 90
-  periodSeconds: 30
-  timeoutSeconds: 5
-  successThreshold: 1
-  failureThreshold: 3
-readinessProbe:
-  initialDelaySeconds: 90
-  periodSeconds: 30
-  timeoutSeconds: 5
-  successThreshold: 1
-  failureThreshold: 3
-
-## Configure node selector. Edit code below for adding selector to pods
-## ref: https://kubernetes.io/docs/user-guide/node-selection/
-# selector:
-  # nodeSelector:
-    # cloud.google.com/gke-nodepool: pool-db
-
-## Additional pod annotations
-## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-podAnnotations: {}
-
-## Additional pod labels
-## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
-podLabels: {}
-
-## Additional pod-level settings
-podSettings:
-  # Change this to give pods more time to properly leave the cluster when not using persistent storage.
-  terminationGracePeriodSeconds: 30
-
-## Pod distruption budget
-podDisruptionBudget: {}
-  # maxUnavailable: 1
-  # minAvailable: 2
-
-podManagementPolicy: OrderedReady
-updateStrategy:
-  type: OnDelete
-
-## Pod Security Context
-securityContext:
-  enabled: false
-  fsGroup: 999
-  runAsUser: 999
-
-## Affinity for pod assignment
-## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-affinity: {}
-
-## Node tolerations for pod assignment
-## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-tolerations: []
-
-rbac:
-  # Specifies whether RBAC resources should be created
-  create: true
-
-serviceAccount:
-  # Specifies whether a ServiceAccount should be created
-  create: true
-  # The name of the ServiceAccount to use.
-  # If not set and create is true, a name is generated using the fullname template
-  # name:
-
-# Use host network for Cassandra pods
-# You must pass seed list into config.seeds property if set to true
-hostNetwork: false
-
-## Backup cronjob configuration
-## Ref: https://github.com/nuvo/cain
-backup:
-  enabled: false
-
-  # Schedule to run jobs. Must be in cron time format
-  # Ref: https://crontab.guru/
-  schedule:
-  - keyspace: keyspace1
-    cron: "0 7 * * *"
-  - keyspace: keyspace2
-    cron: "30 7 * * *"
-
-  annotations:
-    # Example for authorization to AWS S3 using kube2iam
-    # Can also be done using environment variables
-    iam.amazonaws.com/role: cain
-
-  image:
-    repos: nuvo/cain
-    tag: 0.4.1
-
-  # Additional arguments for cain
-  # Ref: https://github.com/nuvo/cain#usage
-  extraArgs: []
-
-  # Add additional environment variables
-  env:
-  # Example environment variable required for AWS credentials chain
-  - name: AWS_REGION
-    value: us-east-1
-
-  resources:
-    requests:
-      memory: 1Gi
-      cpu: 1
-    limits:
-      memory: 1Gi
-      cpu: 1
-
-  # Destination to store the backup artifacts
-  # Supported cloud storage services: AWS S3, Minio S3, Azure Blob Storage
-  # Additional support can added. Visit this repository for details
-  # Ref: https://github.com/nuvo/skbn
-  destination: s3://bucket/cassandra
-
-## Cassandra exported configuration
-## ref: https://github.com/criteo/cassandra_exporter
-exporter:
-  enabled: false
-  image:
-    repo: criteord/cassandra_exporter
-    tag: 2.0.2
-  port: 5556
-  jvmOpts: ""
index bbaf967..2f67b5e 100755 (executable)
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 10.6.0
+appVersion: 11.6.0
 description: Chart for PostgreSQL, an object-relational database management system
   (ORDBMS) with an emphasis on extensibility and on standards-compliance.
 engine: gotpl
@@ -20,4 +20,4 @@ maintainers:
 name: postgresql
 sources:
 - https://github.com/bitnami/bitnami-docker-postgresql
-version: 3.9.5
+version: 8.1.2
index 5bb0f07..d3a66f9 100755 (executable)
@@ -2,6 +2,8 @@
 
 [PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance.
 
+For HA, please see [this repo](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha)
+
 ## TL;DR;
 
 ```console
@@ -12,22 +14,22 @@ $ helm install stable/postgresql
 
 This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
 
-Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters.
+Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/).
 
 ## Prerequisites
 
-- Kubernetes 1.10+
+- Kubernetes 1.12+
+- Helm 2.11+ or Helm 3.0-beta3+
 - PV provisioner support in the underlying infrastructure
 
 ## Installing the Chart
-
 To install the chart with the release name `my-release`:
 
 ```console
 $ helm install --name my-release stable/postgresql
 ```
 
-The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
 
 > **Tip**: List all releases using `helm list`
 
@@ -41,92 +43,169 @@ $ helm delete my-release
 
 The command removes all the Kubernetes components associated with the chart and deletes the release.
 
-## Configuration
+## Parameters
 
 The following tables lists the configurable parameters of the PostgreSQL chart and their default values.
 
-| Parameter                                     | Description                                                                                                            | Default                                                  |
-|-----------------------------------------------|------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|
-| `global.imageRegistry`                        | Global Docker Image registry                                                                                           | `nil`                                                    |
-| `image.registry`                              | PostgreSQL Image registry                                                                                              | `docker.io`                                              |
-| `image.repository`                            | PostgreSQL Image name                                                                                                  | `bitnami/postgresql`                                     |
-| `image.tag`                                   | PostgreSQL Image tag                                                                                                   | `{VERSION}`                                              |
-| `image.pullPolicy`                            | PostgreSQL Image pull policy                                                                                           | `Always`                                                 |
-| `image.pullSecrets`                           | Specify Image pull secrets                                                                                             | `nil` (does not add image pull secrets to deployed pods) |
-| `image.debug`                                 | Specify if debug values should be set                                                                                  | `false`                                                  |
-| `volumePermissions.image.registry`            | Init container volume-permissions image registry                                                                       | `docker.io`                                              |
-| `volumePermissions.image.repository`          | Init container volume-permissions image name                                                                           | `bitnami/minideb`                                        |
-| `volumePermissions.image.tag`                 | Init container volume-permissions image tag                                                                            | `latest`                                                 |
-| `volumePermissions.image.pullPolicy`          | Init container volume-permissions image pull policy                                                                    | `Always`                                                 |
-| `volumePermissions.securityContext.runAsUser` | User ID for the init container                                                                                         | `0`                                                      |
-| `usePasswordFile`                             | Have the secrets mounted as a file instead of env vars                                                                 | `false`                                                  |
-| `replication.enabled`                         | Would you like to enable replication                                                                                   | `false`                                                  |
-| `replication.user`                            | Replication user                                                                                                       | `repl_user`                                              |
-| `replication.password`                        | Replication user password                                                                                              | `repl_password`                                          |
-| `replication.slaveReplicas`                   | Number of slaves replicas                                                                                              | `1`                                                      |
-| `replication.synchronousCommit`                   | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off`                                                                                              | `off`                                                      |
-| `replication.numSynchronousReplicas`                   | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.slaveReplicas`.                                                                                              | `0`                                                      |
-| `replication.applicationName`                   | Cluster application name. Useful for advanced replication settings                                                                                              | `my_application`                                                      |
-| `existingSecret`                              | Name of existing secret to use for PostgreSQL passwords                                                                | `nil`                                                    |
-| `postgresqlUsername`                          | PostgreSQL admin user                                                                                                  | `postgres`                                               |
-| `postgresqlPassword`                          | PostgreSQL admin password                                                                                              | _random 10 character alphanumeric string_                |
-| `postgresqlDatabase`                          | PostgreSQL database                                                                                                    | `nil`                                                    |
-| `postgresqlConfiguration`                     | Runtime Config Parameters                                                                                              | `nil`                                                    |
-| `postgresqlExtendedConf`                      | Extended Runtime Config Parameters (appended to main or default configuration)                                         | `nil`                                                    |
-| `pgHbaConfiguration`                          | Content of pg\_hba.conf                                                                                                | `nil (do not create pg_hba.conf)`                        |
-| `configurationConfigMap`                      | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`) | `nil`                                                    |
-| `extendedConfConfigMap`                       | ConfigMap with the extended PostgreSQL configuration files                                                             | `nil`                                                    |
-| `initdbScripts`                               | List of initdb scripts                                                                                                 | `nil`                                                    |
-| `initdbScriptsConfigMap`                      | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)                                                    | `nil`                                                    |
-| `service.type`                                | Kubernetes Service type                                                                                                | `ClusterIP`                                              |
-| `service.port`                                | PostgreSQL port                                                                                                        | `5432`                                                   |
-| `service.nodePort`                            | Kubernetes Service nodePort                                                                                            | `nil`                                                    |
-| `service.annotations`                         | Annotations for PostgreSQL service                                                                                     | {}                                                       |
-| `service.loadBalancerIP`                      | loadBalancerIP if service type is `LoadBalancer`                                                                       | `nil`                                                    |
-| `persistence.enabled`                         | Enable persistence using PVC                                                                                           | `true`                                                   |
-| `persistence.existingClaim`                   | Provide an existing `PersistentVolumeClaim`                                                                            | `nil`                                                    |
-| `persistence.mountPath`                       | Path to mount the volume at                                                                                            | `/bitnami/postgresql`                                    |
-| `persistence.storageClass`                    | PVC Storage Class for PostgreSQL volume                                                                                | `nil`                                                    |
-| `persistence.accessMode`                      | PVC Access Mode for PostgreSQL volume                                                                                  | `ReadWriteOnce`                                          |
-| `persistence.size`                            | PVC Storage Request for PostgreSQL volume                                                                              | `8Gi`                                                    |
-| `persistence.annotations`                     | Annotations for the PVC                                                                                                | `{}`                                                     |
-| `master.nodeSelector`                         | Node labels for pod assignment (postgresql master)                                                                     | `{}`                                                     |
-| `master.affinity`                             | Affinity labels for pod assignment (postgresql master)                                                                 | `{}`                                                     |
-| `master.tolerations`                          | Toleration labels for pod assignment (postgresql master)                                                               | `[]`                                                     |
-| `slave.nodeSelector`                          | Node labels for pod assignment (postgresql slave)                                                                      | `{}`                                                     |
-| `slave.affinity`                              | Affinity labels for pod assignment (postgresql slave)                                                                  | `{}`                                                     |
-| `slave.tolerations`                           | Toleration labels for pod assignment (postgresql slave)                                                                | `[]`                                                     |
-| `terminationGracePeriodSeconds`               | Seconds the pod needs to terminate gracefully                                                                          | `nil`                                                    |
-| `resources`                                   | CPU/Memory resource requests/limits                                                                                    | Memory: `256Mi`, CPU: `250m`                             |
-| `securityContext.enabled`                     | Enable security context                                                                                                | `true`                                                   |
-| `securityContext.fsGroup`                     | Group ID for the container                                                                                             | `1001`                                                   |
-| `securityContext.runAsUser`                   | User ID for the container                                                                                              | `1001`                                                   |
-| `livenessProbe.enabled`                       | Would you like a livessProbed to be enabled                                                                            | `true`                                                   |
-| `networkPolicy.enabled`                       | Enable NetworkPolicy                                                                                                   | `false`                                                  |
-| `networkPolicy.allowExternal`                 | Don't require client label for connections                                                                             | `true`                                                   |
-| `livenessProbe.initialDelaySeconds`           | Delay before liveness probe is initiated                                                                               | 30                                                       |
-| `livenessProbe.periodSeconds`                 | How often to perform the probe                                                                                         | 10                                                       |
-| `livenessProbe.timeoutSeconds`                | When the probe times out                                                                                               | 5                                                        |
-| `livenessProbe.failureThreshold`              | Minimum consecutive failures for the probe to be considered failed after having succeeded.                             | 6                                                        |
-| `livenessProbe.successThreshold`              | Minimum consecutive successes for the probe to be considered successful after having failed                            | 1                                                        |
-| `readinessProbe.enabled`                      | would you like a readinessProbe to be enabled                                                                          | `true`                                                   |
-| `readinessProbe.initialDelaySeconds`          | Delay before liveness probe is initiated                                                                               | 5                                                        |
-| `readinessProbe.periodSeconds`                | How often to perform the probe                                                                                         | 10                                                       |
-| `readinessProbe.timeoutSeconds`               | When the probe times out                                                                                               | 5                                                        |
-| `readinessProbe.failureThreshold`             | Minimum consecutive failures for the probe to be considered failed after having succeeded.                             | 6                                                        |
-| `readinessProbe.successThreshold`             | Minimum consecutive successes for the probe to be considered successful after having failed                            | 1                                                        |
-| `metrics.enabled`                             | Start a prometheus exporter                                                                                            | `false`                                                  |
-| `metrics.service.type`                        | Kubernetes Service type                                                                                                | `ClusterIP`                                              |
-| `service.clusterIP`                           | Static clusterIP or None for headless services                                                                         | `nil`                                                     |
-| `metrics.service.annotations`                 | Additional annotations for metrics exporter pod                                                                        | `{}`                                                     |
-| `metrics.service.loadBalancerIP`              | loadBalancerIP if redis metrics service type is `LoadBalancer`                                                         | `nil`                                                    |
-| `metrics.image.registry`                      | PostgreSQL Image registry                                                                                              | `docker.io`                                              |
-| `metrics.image.repository`                    | PostgreSQL Image name                                                                                                  | `wrouesnel/postgres_exporter`                            |
-| `metrics.image.tag`                           | PostgreSQL Image tag                                                                                                   | `{VERSION}`                                              |
-| `metrics.image.pullPolicy`                    | PostgreSQL Image pull policy                                                                                           | `IfNotPresent`                                           |
-| `metrics.image.pullSecrets`                   | Specify Image pull secrets                                                                                             | `nil` (does not add image pull secrets to deployed pods) |
-| `extraEnv`                                    | Any extra environment variables you would like to pass on to the pod                                                   | `{}`                                                     |
-| `updateStrategy`                              | Update strategy policy                                                                                                 | `{type: "onDelete"}`                                     |
+|                   Parameter                   |                                                                                Description                                                                                |                            Default                            |
+|-----------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------|
+| `global.imageRegistry`                        | Global Docker Image registry                                                                                                                                              | `nil`                                                         |
+| `global.postgresql.postgresqlDatabase`        | PostgreSQL database (overrides `postgresqlDatabase`)                                                                                                                      | `nil`                                                         |
+| `global.postgresql.postgresqlUsername`        | PostgreSQL username (overrides `postgresqlUsername`)                                                                                                                      | `nil`                                                         |
+| `global.postgresql.existingSecret`            | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`)                                                                                      | `nil`                                                         |
+| `global.postgresql.postgresqlPassword`        | PostgreSQL admin password (overrides `postgresqlPassword`)                                                                                                                | `nil`                                                         |
+| `global.postgresql.servicePort`               | PostgreSQL port (overrides `service.port`)                                                                                                                                | `nil`                                                         |
+| `global.postgresql.replicationPassword`       | Replication user password (overrides `replication.password`)                                                                                                              | `nil`                                                         |
+| `global.imagePullSecrets`                     | Global Docker registry secret names as an array                                                                                                                           | `[]` (does not add image pull secrets to deployed pods)       |
+| `global.storageClass`                         | Global storage class for dynamic provisioning                                                                                                                             | `nil`                                                         |
+| `image.registry`                              | PostgreSQL Image registry                                                                                                                                                 | `docker.io`                                                   |
+| `image.repository`                            | PostgreSQL Image name                                                                                                                                                     | `bitnami/postgresql`                                          |
+| `image.tag`                                   | PostgreSQL Image tag                                                                                                                                                      | `{TAG_NAME}`                                                  |
+| `image.pullPolicy`                            | PostgreSQL Image pull policy                                                                                                                                              | `IfNotPresent`                                                |
+| `image.pullSecrets`                           | Specify Image pull secrets                                                                                                                                                | `nil` (does not add image pull secrets to deployed pods)      |
+| `image.debug`                                 | Specify if debug values should be set                                                                                                                                     | `false`                                                       |
+| `nameOverride`                                | String to partially override postgresql.fullname template with a string (will prepend the release name)                                                                   | `nil`                                                         |
+| `fullnameOverride`                            | String to fully override postgresql.fullname template with a string                                                                                                       | `nil`                                                         |
+| `volumePermissions.image.registry`            | Init container volume-permissions image registry                                                                                                                          | `docker.io`                                                   |
+| `volumePermissions.image.repository`          | Init container volume-permissions image name                                                                                                                              | `bitnami/minideb`                                             |
+| `volumePermissions.image.tag`                 | Init container volume-permissions image tag                                                                                                                               | `stretch`                                                     |
+| `volumePermissions.image.pullPolicy`          | Init container volume-permissions image pull policy                                                                                                                       | `Always`                                                      |
+| `volumePermissions.securityContext.runAsUser` | User ID for the init container                                                                                                                                            | `0`                                                           |
+| `usePasswordFile`                             | Have the secrets mounted as a file instead of env vars                                                                                                                    | `false`                                                       |
+| `ldap.enabled`                                | Enable LDAP support                                                                                                                                                       | `false`                                                       |
+| `ldap.existingSecret`                         | Name of existing secret to use for LDAP passwords                                                                                                                         | `nil`                                                         |
+| `ldap.url`                                    | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn[?[attribute][?[scope][?[filter]]]]`                                                                          | `nil`                                                         |
+| `ldap.server`                                 | IP address or name of the LDAP server.                                                                                                                                    | `nil`                                                         |
+| `ldap.port`                                   | Port number on the LDAP server to connect to                                                                                                                              | `nil`                                                         |
+| `ldap.scheme`                                 | Set to `ldaps` to use LDAPS.                                                                                                                                              | `nil`                                                         |
+| `ldap.tls`                                    | Set to `1` to use TLS encryption                                                                                                                                          | `nil`                                                         |
+| `ldap.prefix`                                 | String to prepend to the user name when forming the DN to bind                                                                                                            | `nil`                                                         |
+| `ldap.suffix`                                 | String to append to the user name when forming the DN to bind                                                                                                             | `nil`                                                         |
+| `ldap.search_attr`                            | Attribute to match agains the user name in the search                                                                                                                     | `nil`                                                         |
+| `ldap.search_filter`                          | The search filter to use when doing search+bind authentication                                                                                                            | `nil`                                                         |
+| `ldap.baseDN`                                 | Root DN to begin the search for the user in                                                                                                                               | `nil`                                                         |
+| `ldap.bindDN`                                 | DN of user to bind to LDAP                                                                                                                                                | `nil`                                                         |
+| `ldap.bind_password`                          | Password for the user to bind to LDAP                                                                                                                                     | `nil`                                                         |
+| `replication.enabled`                         | Enable replication                                                                                                                                                        | `false`                                                       |
+| `replication.user`                            | Replication user                                                                                                                                                          | `repl_user`                                                   |
+| `replication.password`                        | Replication user password                                                                                                                                                 | `repl_password`                                               |
+| `replication.slaveReplicas`                   | Number of slaves replicas                                                                                                                                                 | `1`                                                           |
+| `replication.synchronousCommit`               | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off`                                                                      | `off`                                                         |
+| `replication.numSynchronousReplicas`          | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.slaveReplicas`.                                                      | `0`                                                           |
+| `replication.applicationName`                 | Cluster application name. Useful for advanced replication settings                                                                                                        | `my_application`                                              |
+| `existingSecret`                              | Name of existing secret to use for PostgreSQL passwords                                                                                                                   | `nil`                                                         |
+| `postgresqlPostgresPassword`                  | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`)                                                                                              | _random 10 character alphanumeric string_                     |
+| `postgresqlUsername`                          | PostgreSQL admin user                                                                                                                                                     | `postgres`                                                    |
+| `postgresqlPassword`                          | PostgreSQL admin password                                                                                                                                                 | _random 10 character alphanumeric string_                     |
+| `postgresqlDatabase`                          | PostgreSQL database                                                                                                                                                       | `nil`                                                         |
+| `postgresqlDataDir`                           | PostgreSQL data dir folder                                                                                                                                                | `/bitnami/postgresql` (same value as persistence.mountPath)   |
+| `extraEnv`                                    | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template.                                                               | `[]`                                                          |
+| `postgresqlInitdbArgs`                        | PostgreSQL initdb extra arguments                                                                                                                                         | `nil`                                                         |
+| `postgresqlInitdbWalDir`                      | PostgreSQL location for transaction log                                                                                                                                   | `nil`                                                         |
+| `postgresqlConfiguration`                     | Runtime Config Parameters                                                                                                                                                 | `nil`                                                         |
+| `postgresqlExtendedConf`                      | Extended Runtime Config Parameters (appended to main or default configuration)                                                                                            | `nil`                                                         |
+| `pgHbaConfiguration`                          | Content of pg_hba.conf                                                                                                                                                    | `nil (do not create pg_hba.conf)`                             |
+| `configurationConfigMap`                      | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template.             | `nil`                                                         |
+| `extendedConfConfigMap`                       | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template.                                                                         | `nil`                                                         |
+| `initdbScripts`                               | Dictionary of initdb scripts                                                                                                                                              | `nil`                                                         |
+| `initdbUsername`                              | PostgreSQL user to execute the .sql and sql.gz scripts                                                                                                                    | `nil`                                                         |
+| `initdbPassword`                              | Password for the user specified in `initdbUsername`                                                                                                                       | `nil`                                                         |
+| `initdbScriptsConfigMap`                      | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template.                                                                | `nil`                                                         |
+| `initdbScriptsSecret`                         | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil`                                                         |
+| `service.type`                                | Kubernetes Service type                                                                                                                                                   | `ClusterIP`                                                   |
+| `service.port`                                | PostgreSQL port                                                                                                                                                           | `5432`                                                        |
+| `service.nodePort`                            | Kubernetes Service nodePort                                                                                                                                               | `nil`                                                         |
+| `service.annotations`                         | Annotations for PostgreSQL service, the value is evaluated as a template.                                                                                                 | {}                                                            |
+| `service.loadBalancerIP`                      | loadBalancerIP if service type is `LoadBalancer`                                                                                                                          | `nil`                                                         |
+| `service.loadBalancerSourceRanges`            | Address that are allowed when svc is LoadBalancer                                                                                                                         | []                                                            |
+| `schedulerName`                               | Name of the k8s scheduler (other than default)                                                                                                                            | `nil`                                                         |
+| `shmVolume.enabled`                           | Enable emptyDir volume for /dev/shm for master and slave(s) Pod(s)                                                                                                        | `true`                                                        |
+| `persistence.enabled`                         | Enable persistence using PVC                                                                                                                                              | `true`                                                        |
+| `persistence.existingClaim`                   | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template.                                                                                        | `nil`                                                         |
+| `persistence.mountPath`                       | Path to mount the volume at                                                                                                                                               | `/bitnami/postgresql`                                         |
+| `persistence.subPath`                         | Subdirectory of the volume to mount at                                                                                                                                    | `""`                                                          |
+| `persistence.storageClass`                    | PVC Storage Class for PostgreSQL volume                                                                                                                                   | `nil`                                                         |
+| `persistence.accessModes`                     | PVC Access Mode for PostgreSQL volume                                                                                                                                     | `[ReadWriteOnce]`                                             |
+| `persistence.size`                            | PVC Storage Request for PostgreSQL volume                                                                                                                                 | `8Gi`                                                         |
+| `persistence.annotations`                     | Annotations for the PVC                                                                                                                                                   | `{}`                                                          |
+| `master.nodeSelector`                         | Node labels for pod assignment (postgresql master)                                                                                                                        | `{}`                                                          |
+| `master.affinity`                             | Affinity labels for pod assignment (postgresql master)                                                                                                                    | `{}`                                                          |
+| `master.tolerations`                          | Toleration labels for pod assignment (postgresql master)                                                                                                                  | `[]`                                                          |
+| `master.anotations`                           | Map of annotations to add to the statefulset (postgresql master)                                                                                                          | `{}`                                                          |
+| `master.labels`                               | Map of labels to add to the statefulset (postgresql master)                                                                                                               | `{}`                                                          |
+| `master.podAnnotations`                       | Map of annotations to add to the pods (postgresql master)                                                                                                                 | `{}`                                                          |
+| `master.podLabels`                            | Map of labels to add to the pods (postgresql master)                                                                                                                      | `{}`                                                          |
+| `master.priorityClassName`                    | Priority Class to use for each pod (postgresql master)                                                                                                                    | `nil`                                                          |
+| `master.extraInitContainers`                  | Additional init containers to add to the pods (postgresql master)                                                                                                         | `[]`                                                          |
+| `master.extraVolumeMounts`                    | Additional volume mounts to add to the pods (postgresql master)                                                                                                           | `[]`                                                          |
+| `master.extraVolumes`                         | Additional volumes to add to the pods (postgresql master)                                                                                                                 | `[]`                                                          |
+| `slave.nodeSelector`                          | Node labels for pod assignment (postgresql slave)                                                                                                                         | `{}`                                                          |
+| `slave.affinity`                              | Affinity labels for pod assignment (postgresql slave)                                                                                                                     | `{}`                                                          |
+| `slave.tolerations`                           | Toleration labels for pod assignment (postgresql slave)                                                                                                                   | `[]`                                                          |
+| `slave.anotations`                            | Map of annotations to add to the statefulsets (postgresql slave)                                                                                                          | `{}`                                                          |
+| `slave.labels`                                | Map of labels to add to the statefulsets (postgresql slave)                                                                                                               | `{}`                                                          |
+| `slave.podAnnotations`                        | Map of annotations to add to the pods (postgresql slave)                                                                                                                  | `{}`                                                          |
+| `slave.podLabels`                             | Map of labels to add to the pods (postgresql slave)                                                                                                                       | `{}`                                                          |
+| `slave.priorityClassName`                     | Priority Class to use for each pod (postgresql slave)                                                                                                                     | `nil`                                                          |
+| `slave.extraInitContainers`                   | Additional init containers to add to the pods (postgresql slave)                                                                                                          | `[]`                                                          |
+| `slave.extraVolumeMounts`                     | Additional volume mounts to add to the pods (postgresql slave)                                                                                                            | `[]`                                                          |
+| `slave.extraVolumes`                          | Additional volumes to add to the pods (postgresql slave)                                                                                                                  | `[]`                                                          |
+| `terminationGracePeriodSeconds`               | Seconds the pod needs to terminate gracefully                                                                                                                             | `nil`                                                         |
+| `resources`                                   | CPU/Memory resource requests/limits                                                                                                                                       | Memory: `256Mi`, CPU: `250m`                                  |
+| `securityContext.enabled`                     | Enable security context                                                                                                                                                   | `true`                                                        |
+| `securityContext.fsGroup`                     | Group ID for the container                                                                                                                                                | `1001`                                                        |
+| `securityContext.runAsUser`                   | User ID for the container                                                                                                                                                 | `1001`                                                        |
+| `serviceAccount.enabled`                      | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set)                                                     | `false`                                                       |
+| `serviceAcccount.name`                        | Name of existing service account                                                                                                                                          | `nil`                                                         |
+| `livenessProbe.enabled`                       | Would you like a livenessProbe to be enabled                                                                                                                              | `true`                                                        |
+| `networkPolicy.enabled`                       | Enable NetworkPolicy                                                                                                                                                      | `false`                                                       |
+| `networkPolicy.allowExternal`                 | Don't require client label for connections                                                                                                                                | `true`                                                        |
+| `networkPolicy.explicitNamespacesSelector`    | A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed                                                                    | `nil`                                                         |
+| `livenessProbe.initialDelaySeconds`           | Delay before liveness probe is initiated                                                                                                                                  | 30                                                            |
+| `livenessProbe.periodSeconds`                 | How often to perform the probe                                                                                                                                            | 10                                                            |
+| `livenessProbe.timeoutSeconds`                | When the probe times out                                                                                                                                                  | 5                                                             |
+| `livenessProbe.failureThreshold`              | Minimum consecutive failures for the probe to be considered failed after having succeeded.                                                                                | 6                                                             |
+| `livenessProbe.successThreshold`              | Minimum consecutive successes for the probe to be considered successful after having failed                                                                               | 1                                                             |
+| `readinessProbe.enabled`                      | would you like a readinessProbe to be enabled                                                                                                                             | `true`                                                        |
+| `readinessProbe.initialDelaySeconds`          | Delay before readiness probe is initiated                                                                                                                                 | 5                                                             |
+| `readinessProbe.periodSeconds`                | How often to perform the probe                                                                                                                                            | 10                                                            |
+| `readinessProbe.timeoutSeconds`               | When the probe times out                                                                                                                                                  | 5                                                             |
+| `readinessProbe.failureThreshold`             | Minimum consecutive failures for the probe to be considered failed after having succeeded.                                                                                | 6                                                             |
+| `readinessProbe.successThreshold`             | Minimum consecutive successes for the probe to be considered successful after having failed                                                                               | 1                                                             |
+| `metrics.enabled`                             | Start a prometheus exporter                                                                                                                                               | `false`                                                       |
+| `metrics.service.type`                        | Kubernetes Service type                                                                                                                                                   | `ClusterIP`                                                   |
+| `service.clusterIP`                           | Static clusterIP or None for headless services                                                                                                                            | `nil`                                                         |
+| `metrics.service.annotations`                 | Additional annotations for metrics exporter pod                                                                                                                           | `{ prometheus.io/scrape: "true", prometheus.io/port: "9187"}` |
+| `metrics.service.loadBalancerIP`              | loadBalancerIP if redis metrics service type is `LoadBalancer`                                                                                                            | `nil`                                                         |
+| `metrics.serviceMonitor.enabled`              | Set this to `true` to create ServiceMonitor for Prometheus operator                                                                                                       | `false`                                                       |
+| `metrics.serviceMonitor.additionalLabels`     | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus                                                                                     | `{}`                                                          |
+| `metrics.serviceMonitor.namespace`            | Optional namespace in which to create ServiceMonitor                                                                                                                      | `nil`                                                         |
+| `metrics.serviceMonitor.interval`             | Scrape interval. If not set, the Prometheus default scrape interval is used                                                                                               | `nil`                                                         |
+| `metrics.serviceMonitor.scrapeTimeout`        | Scrape timeout. If not set, the Prometheus default scrape timeout is used                                                                                                 | `nil`                                                         |
+| `metrics.prometheusRule.enabled`              | Set this to true to create prometheusRules for Prometheus operator                                                                                                        | `false`                                                       |
+| `metrics.prometheusRule.additionalLabels`     | Additional labels that can be used so prometheusRules will be discovered by Prometheus                                                                                    | `{}`                                                          |
+| `metrics.prometheusRule.namespace`            | namespace where prometheusRules resource should be created                                                                                                                | the same namespace as postgresql                              |
+| `metrics.prometheusRule.rules`                | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example.                                            | `[]`                                                          |
+| `metrics.image.registry`                      | PostgreSQL Image registry                                                                                                                                                 | `docker.io`                                                   |
+| `metrics.image.repository`                    | PostgreSQL Image name                                                                                                                                                     | `bitnami/postgres-exporter`                                   |
+| `metrics.image.tag`                           | PostgreSQL Image tag                                                                                                                                                      | `{TAG_NAME}`                                                  |
+| `metrics.image.pullPolicy`                    | PostgreSQL Image pull policy                                                                                                                                              | `IfNotPresent`                                                |
+| `metrics.image.pullSecrets`                   | Specify Image pull secrets                                                                                                                                                | `nil` (does not add image pull secrets to deployed pods)      |
+| `metrics.customMetrics`                       | Additional custom metrics                                                                                                                                                 | `nil`                                                         |
+| `metrics.securityContext.enabled`             | Enable security context for metrics                                                                                                                                       | `false`                                                       |
+| `metrics.securityContext.runAsUser`           | User ID for the container for metrics                                                                                                                                     | `1001`                                                        |
+| `metrics.livenessProbe.initialDelaySeconds`   | Delay before liveness probe is initiated                                                                                                                                  | 30                                                            |
+| `metrics.livenessProbe.periodSeconds`         | How often to perform the probe                                                                                                                                            | 10                                                            |
+| `metrics.livenessProbe.timeoutSeconds`        | When the probe times out                                                                                                                                                  | 5                                                             |
+| `metrics.livenessProbe.failureThreshold`      | Minimum consecutive failures for the probe to be considered failed after having succeeded.                                                                                | 6                                                             |
+| `metrics.livenessProbe.successThreshold`      | Minimum consecutive successes for the probe to be considered successful after having failed                                                                               | 1                                                             |
+| `metrics.readinessProbe.enabled`              | would you like a readinessProbe to be enabled                                                                                                                             | `true`                                                        |
+| `metrics.readinessProbe.initialDelaySeconds`  | Delay before liveness probe is initiated                                                                                                                                  | 5                                                             |
+| `metrics.readinessProbe.periodSeconds`        | How often to perform the probe                                                                                                                                            | 10                                                            |
+| `metrics.readinessProbe.timeoutSeconds`       | When the probe times out                                                                                                                                                  | 5                                                             |
+| `metrics.readinessProbe.failureThreshold`     | Minimum consecutive failures for the probe to be considered failed after having succeeded.                                                                                | 6                                                             |
+| `metrics.readinessProbe.successThreshold`     | Minimum consecutive successes for the probe to be considered successful after having failed                                                                               | 1                                                             |
+| `updateStrategy`                              | Update strategy policy                                                                                                                                                    | `{type: "RollingUpdate"}`                                     |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
@@ -146,6 +225,54 @@ $ helm install --name my-release -f values.yaml stable/postgresql
 
 > **Tip**: You can use the default [values.yaml](values.yaml)
 
+## Configuration and installation details
+
+### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
+
+It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
+
+Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
+
+### Production configuration and horizontal scaling
+
+This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one.
+
+- Enable replication:
+```diff
+- replication.enabled: false
++ replication.enabled: true
+```
+
+- Number of slaves replicas:
+```diff
+- replication.slaveReplicas: 1
++ replication.slaveReplicas: 2
+```
+
+- Set synchronous commit mode:
+```diff
+- replication.synchronousCommit: "off"
++ replication.synchronousCommit: "on"
+```
+
+- Number of replicas that will have synchronous replication:
+```diff
+- replication.numSynchronousReplicas: 0
++ replication.numSynchronousReplicas: 1
+```
+
+- Start a prometheus exporter:
+```diff
+- metrics.enabled: false
++ metrics.enabled: true
+```
+
+To horizontally scale this chart, you can use the `--replicas` flag to modify the number of nodes in your PostgreSQL deployment. Also you can use the `values-production.yaml` file or modify the parameters shown above.
+
+### Change PostgreSQL version
+
+To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=12.0.0-debian-9-r0`
+
 ### postgresql.conf / pg_hba.conf files as configMap
 
 This helm chart also supports to customize the whole configuration file.
@@ -163,39 +290,72 @@ Those files will be mounted as configMap to the containers adding/overwriting th
 
 Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option.
 
-## Initialize a fresh instance
+### Initialize a fresh instance
 
 The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap.
 
 Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict.
 
-In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options.
+In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter.
 
 The allowed extensions are `.sh`, `.sql` and `.sql.gz`.
 
-## Production and horizontal scaling
+### Metrics
 
-The following repo contains the recommended production settings for PostgreSQL server in an alternative [values file](values-production.yaml). Please read carefully the comments in the values-production.yaml file to set up your environment
+The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml).
 
-To horizontally scale this chart, first download the [values-production.yaml](values-production.yaml) file to your local folder, then:
+The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details.
 
-```console
-$ helm install --name my-release -f ./values-production.yaml stable/postgresql
-$ kubectl scale statefulset my-postgresql-slave --replicas=3
+### Use of global variables
+
+In more complex scenarios, we may have the following tree of dependencies
+
+```
+                     +--------------+
+                     |              |
+        +------------+   Chart 1    +-----------+
+        |            |              |           |
+        |            --------+------+           |
+        |                    |                  |
+        |                    |                  |
+        |                    |                  |
+        |                    |                  |
+        v                    v                  v
++-------+------+    +--------+------+  +--------+------+
+|              |    |               |  |               |
+|  PostgreSQL  |    |  Sub-chart 1  |  |  Sub-chart 2  |
+|              |    |               |  |               |
++--------------+    +---------------+  +---------------+
 ```
 
+The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters:
+
+```
+postgresql.postgresqlPassword=testtest
+subchart1.postgresql.postgresqlPassword=testtest
+subchart2.postgresql.postgresqlPassword=testtest
+postgresql.postgresqlDatabase=db1
+subchart1.postgresql.postgresqlDatabase=db1
+subchart2.postgresql.postgresqlDatabase=db1
+```
+
+If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows:
+
+```
+global.postgresql.postgresqlPassword=testtest
+global.postgresql.postgresqlDatabase=db1
+```
+
+This way, the credentials will be available in all of the subcharts.
+
 ## Persistence
 
 The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container.
 
 Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
-See the [Configuration](#configuration) section to configure the PVC or to disable persistence.
-
-## Metrics
-
-The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml).
+See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
 
-The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details.
+If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished.
 
 ## NetworkPolicy
 
@@ -212,8 +372,105 @@ With NetworkPolicy enabled, traffic will be limited to just port 5432.
 For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL.
 This label will be displayed in the output of a successful install.
 
+## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image
+
+- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image.
+- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift.
+
+### Deploy chart using Docker Official PostgreSQL Image
+
+From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image.
+Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory.
+
+```
+helm install --name postgres \
+             --set image.repository=postgres \
+             --set image.tag=10.6 \
+             --set postgresqlDataDir=/data/pgdata \
+             --set persistence.mountPath=/data/ \
+             stable/postgresql
+```
+
 ## Upgrade
 
+It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart:
+
+```bash
+$ helm upgrade my-release bitnami/influxdb \
+    --set postgresqlPassword=[POSTGRESQL_PASSWORD] \
+    --set replication.password=[REPLICATION_PASSWORD]
+```
+
+> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes.
+
+## 8.0.0
+
+Prefixes the port names with their protocols to comply with Istio conventions.
+
+If you depend on the port names in your setup, make sure to update them to reflect this change.
+
+## 7.1.0
+
+Adds support for LDAP configuration.
+
+## 7.0.0
+
+Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec.
+
+In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage.
+
+This major version bump signifies this change.
+
+## 6.5.7
+
+In this version, the chart will use PostgreSQL with the Postgis extension included. The version used with Postgresql version 10, 11 and 12 is Postgis 2.5. It has been compiled with the following dependencies:
+
+ - protobuf
+ - protobuf-c
+ - json-c
+ - geos
+ - proj
+
+## 5.0.0
+
+In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/).
+
+For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs:
+
+```bash
+Welcome to the Bitnami postgresql container
+Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql
+Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues
+Send us your feedback at containers@bitnami.com
+
+INFO  ==> ** Starting PostgreSQL setup **
+NFO  ==> Validating settings in POSTGRESQL_* env vars..
+INFO  ==> Initializing PostgreSQL database...
+INFO  ==> postgresql.conf file not detected. Generating it...
+INFO  ==> pg_hba.conf file not detected. Generating it...
+INFO  ==> Deploying PostgreSQL with persisted data...
+INFO  ==> Configuring replication parameters
+INFO  ==> Loading custom scripts...
+INFO  ==> Enabling remote connections
+INFO  ==> Stopping PostgreSQL...
+INFO  ==> ** PostgreSQL setup finished! **
+
+INFO  ==> ** Starting PostgreSQL **
+  [1] FATAL:  database files are incompatible with server
+  [1] DETAIL:  The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3.
+```
+In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one.
+
+### 4.0.0
+
+This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately.
+
+IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error
+
+```
+The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development
+```
+
 ### 3.0.0
 
 This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods.
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/ci/default-values.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/ci/default-values.yaml
new file mode 100755 (executable)
index 0000000..fc2ba60
--- /dev/null
@@ -0,0 +1 @@
+# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/ci/shmvolume-disabled-values.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/ci/shmvolume-disabled-values.yaml
new file mode 100755 (executable)
index 0000000..347d3b4
--- /dev/null
@@ -0,0 +1,2 @@
+shmVolume:
+  enabled: false
index 41c2210..3b5e6c6 100755 (executable)
@@ -1,36 +1,27 @@
-{{- if contains .Values.service.type "LoadBalancer" }}
-{{- if not .Values.postgresqlPassword }}
--------------------------------------------------------------------------------
- WARNING
-
-    By specifying "serviceType=LoadBalancer" and not specifying "postgresqlPassword"
-    you have most likely exposed the PostgreSQL service externally without any
-    authentication mechanism.
-
-    For security reasons, we strongly suggest that you switch to "ClusterIP" or
-    "NodePort". As an alternative, you can also specify a valid password on the
-    "postgresqlPassword" parameter.
-
--------------------------------------------------------------------------------
-{{- end }}
-{{- end }}
-
 ** Please be patient while the chart is being deployed **
 
-PostgreSQL can be accessed via port 5432 on the following DNS name from within your cluster:
+PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the following DNS name from within your cluster:
 
     {{ template "postgresql.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection
 {{- if .Values.replication.enabled }}
     {{ template "postgresql.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection
 {{- end }}
-To get the password for "{{ .Values.postgresqlUsername }}" run:
 
-    export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ if .Values.existingSecret }}{{ .Values.existingSecret }}{{ else }}{{ template "postgresql.fullname" . }}{{ end }} -o jsonpath="{.data.postgresql-password}" | base64 --decode)
+{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
+
+To get the password for "postgres" run:
+
+    export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-postgres-password}" | base64 --decode)
+{{- end }}
+
+To get the password for "{{ template "postgresql.username" . }}" run:
+
+    export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode)
 
 To connect to your database run the following command:
 
-    kubectl run {{ template "postgresql.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image bitnami/postgresql --env="PGPASSWORD=$POSTGRESQL_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
-   --labels="{{ template "postgresql.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "postgresql.fullname" . }} -U {{ .Values.postgresqlUsername }}
+    kubectl run {{ template "postgresql.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ template "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
+   --labels="{{ template "postgresql.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "postgresql.fullname" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }}
 
 {{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
 Note: Since NetworkPolicy is enabled, only pods with label {{ template "postgresql.fullname" . }}-client=true" will be able to connect to this PostgreSQL cluster.
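Review bot: The new admin-password guard `{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}` reads the chart-local username and admin password, while the line naming the user just below it uses the global-aware `postgresql.username` helper, and the `postgresql.postgres.password` helper added in `_helpers.tpl` also honours `global.postgresql.postgresqlPostgresPassword`. When the username is supplied through `global.postgresql.postgresqlUsername`, as the README's "Use of global variables" section recommends, the instructions for retrieving the `postgres` password are skipped; the client command's `-U {{ .Values.postgresqlUsername }}` and `-d {{- if .Values.postgresqlDatabase }}` likewise bypass the `postgresql.username` and `postgresql.database` helpers, and the psql lines in the next two hunks have the same mismatch. Suggest `{{- if and (or .Values.global.postgresql.postgresqlPostgresPassword .Values.postgresqlPostgresPassword) (not (eq (include "postgresql.username" .) "postgres")) }}` here and `-U {{ include "postgresql.username" . }}` throughout the notes.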
@@ -42,7 +33,7 @@ To connect to your database from outside the cluster execute the following comma
 
     export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
     export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "postgresql.fullname" . }})
-    {{ if .Values.postgresqlPassword }}PGPASSWORD="{{ .Values.postgresqlPassword}}" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }}
+    {{ if (include "postgresql.password" . )  }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }}
 
 {{- else if contains "LoadBalancer" .Values.service.type }}
 
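Review bot: The guard `{{ if (include "postgresql.password" . )  }}` on the new psql line is always true: the `postgresql.password` helper added in `_helpers.tpl` falls back to `randAlphaNum 10` when neither `global.postgresql.postgresqlPassword` nor `postgresqlPassword` is set, so the include never yields an empty string. The same guard is on the LoadBalancer and ClusterIP lines of the next hunk. Since `$POSTGRES_PASSWORD` is read from the Secret in every case, the conditional can simply go: `PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }} ...`. Passing the password through an environment variable instead of interpolating `.Values.postgresqlPassword` into the rendered notes, as the removed line did, is the right change to keep.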
@@ -50,11 +41,20 @@ To connect to your database from outside the cluster execute the following comma
         Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "postgresql.fullname" . }}'
 
     export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "postgresql.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-    {{ if .Values.postgresqlPassword }}PGPASSWORD="{{ .Values.postgresqlPassword}}" {{ end }}psql --host $SERVICE_IP --port {{ .Values.service.port }} -U {{ .Values.postgresqlUsername }}
+    {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $SERVICE_IP --port {{ template "postgresql.port" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }}
 
 {{- else if contains "ClusterIP" .Values.service.type }}
 
-    kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "postgresql.fullname" . }} 5432:5432 &
-    {{ if .Values.postgresqlPassword }}PGPASSWORD="{{ .Values.postgresqlPassword}}" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }}
+    kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "postgresql.fullname" . }} {{ template "postgresql.port" . }}:{{ template "postgresql.port" . }} &
+    {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }}
+
+{{- end }}
+
+{{- include "postgresql.validateValues" . -}}
+
+{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
+
+WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
 
 {{- end }}
index d179779..3ee5572 100755 (executable)
@@ -12,13 +12,16 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 */}}
 {{- define "postgresql.fullname" -}}
 {{- if .Values.fullnameOverride -}}
-{{- printf .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
-
+{{- end -}}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -74,6 +77,90 @@ Also, we can't use a single if because lazy evaluation is not an option
 {{- end -}}
 {{- end -}}
 
+{{/*
+Return PostgreSQL postgres user password
+*/}}
+{{- define "postgresql.postgres.password" -}}
+{{- if .Values.global.postgresql.postgresqlPostgresPassword }}
+    {{- .Values.global.postgresql.postgresqlPostgresPassword -}}
+{{- else if .Values.postgresqlPostgresPassword -}}
+    {{- .Values.postgresqlPostgresPassword -}}
+{{- else -}}
+    {{- randAlphaNum 10 -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL password
+*/}}
+{{- define "postgresql.password" -}}
+{{- if .Values.global.postgresql.postgresqlPassword }}
+    {{- .Values.global.postgresql.postgresqlPassword -}}
+{{- else if .Values.postgresqlPassword -}}
+    {{- .Values.postgresqlPassword -}}
+{{- else -}}
+    {{- randAlphaNum 10 -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL replication password
+*/}}
+{{- define "postgresql.replication.password" -}}
+{{- if .Values.global.postgresql.replicationPassword }}
+    {{- .Values.global.postgresql.replicationPassword -}}
+{{- else if .Values.replication.password -}}
+    {{- .Values.replication.password -}}
+{{- else -}}
+    {{- randAlphaNum 10 -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL username
+*/}}
+{{- define "postgresql.username" -}}
+{{- if .Values.global.postgresql.postgresqlUsername }}
+    {{- .Values.global.postgresql.postgresqlUsername -}}
+{{- else -}}
+    {{- .Values.postgresqlUsername -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Return PostgreSQL replication username
+*/}}
+{{- define "postgresql.replication.username" -}}
+{{- if .Values.global.postgresql.replicationUser }}
+    {{- .Values.global.postgresql.replicationUser -}}
+{{- else -}}
+    {{- .Values.replication.user -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL port
+*/}}
+{{- define "postgresql.port" -}}
+{{- if .Values.global.postgresql.servicePort }}
+    {{- .Values.global.postgresql.servicePort -}}
+{{- else -}}
+    {{- .Values.service.port -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL created database
+*/}}
+{{- define "postgresql.database" -}}
+{{- if .Values.global.postgresql.postgresqlDatabase }}
+    {{- .Values.global.postgresql.postgresqlDatabase -}}
+{{- else if .Values.postgresqlDatabase -}}
+    {{- .Values.postgresqlDatabase -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the proper image name to change the volume permissions
 */}}
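Review bot: The `randAlphaNum 10` fallback in `postgresql.postgres.password`, `postgresql.password` and `postgresql.replication.password` is evaluated afresh on every `include`, so two templates that both include a helper within one render receive different passwords, and each `helm upgrade` that omits the password rewrites the Secret with a new one (the README's Upgrade section describes the second effect). That is only safe if a single template materialises the value into the Secret and every other consumer reads the Secret; the Secret and StatefulSet templates are outside this chunk, so I cannot confirm it from here. The header comments should say so, e.g. `Return PostgreSQL password. Falls back to a fresh random value on every call when neither global.postgresql.postgresqlPassword nor postgresqlPassword is set; include only from the Secret template and pass the existing password on upgrade.` A smaller point: these helpers dereference `.Values.global.postgresql.*` directly, while `postgresql.metrics.image` and `postgresql.imagePullSecrets` in the following hunks first test `.Values.global`; if a parent chart's `global` block ever lacks the `postgresql` map, rendering would fail with a nil-pointer error, so the guard style should match.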
@@ -97,24 +184,50 @@ Also, we can't use a single if because lazy evaluation is not an option
 {{- end -}}
 {{- end -}}
 
-
 {{/*
 Return the proper PostgreSQL metrics image name
 */}}
-{{- define "metrics.image" -}}
+{{- define "postgresql.metrics.image" -}}
 {{- $registryName :=  default "docker.io" .Values.metrics.image.registry -}}
+{{- $repositoryName := .Values.metrics.image.repository -}}
 {{- $tag := default "latest" .Values.metrics.image.tag | toString -}}
-{{- printf "%s/%s:%s" $registryName .Values.metrics.image.repository $tag -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
+Also, we can't use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+    {{- if .Values.global.imageRegistry }}
+        {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
+    {{- else -}}
+        {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+    {{- end -}}
+{{- else -}}
+    {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
 {{- end -}}
 
 {{/*
 Get the password secret.
 */}}
 {{- define "postgresql.secretName" -}}
-{{- if .Values.existingSecret -}}
-{{- printf "%s" .Values.existingSecret -}}
+{{- if .Values.global.postgresql.existingSecret }}
+    {{- printf "%s" .Values.global.postgresql.existingSecret -}}
+{{- else if .Values.existingSecret -}}
+    {{- printf "%s" .Values.existingSecret -}}
+{{- else -}}
+    {{- printf "%s" (include "postgresql.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a secret object should be created
+*/}}
+{{- define "postgresql.createSecret" -}}
+{{- if .Values.global.postgresql.existingSecret }}
+{{- else if .Values.existingSecret -}}
 {{- else -}}
-{{- printf "%s" (include "postgresql.fullname" .) -}}
+    {{- true -}}
 {{- end -}}
 {{- end -}}
 
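Review bot: `postgresql.createSecret` states its result through two empty branches; `{{- if not (or .Values.global.postgresql.existingSecret .Values.existingSecret) -}}true{{- end -}}` expresses the same decision in one line and keeps the emitted value visible at the call site. Note also that `metrics.image` is renamed to `postgresql.metrics.image` in this hunk, so any remaining `template "metrics.image"` call in the StatefulSet, which is outside this chunk, would fail to render.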
@@ -123,7 +236,7 @@ Get the configuration ConfigMap name.
 */}}
 {{- define "postgresql.configurationCM" -}}
 {{- if .Values.configurationConfigMap -}}
-{{- printf "%s" .Values.configurationConfigMap -}}
+{{- printf "%s" (tpl .Values.configurationConfigMap $) -}}
 {{- else -}}
 {{- printf "%s-configuration" (include "postgresql.fullname" .) -}}
 {{- end -}}
@@ -134,7 +247,7 @@ Get the extended configuration ConfigMap name.
 */}}
 {{- define "postgresql.extendedConfigurationCM" -}}
 {{- if .Values.extendedConfConfigMap -}}
-{{- printf "%s" .Values.extendedConfConfigMap -}}
+{{- printf "%s" (tpl .Values.extendedConfConfigMap $) -}}
 {{- else -}}
 {{- printf "%s-extended-configuration" (include "postgresql.fullname" .) -}}
 {{- end -}}
@@ -145,8 +258,163 @@ Get the initialization scripts ConfigMap name.
 */}}
 {{- define "postgresql.initdbScriptsCM" -}}
 {{- if .Values.initdbScriptsConfigMap -}}
-{{- printf "%s" .Values.initdbScriptsConfigMap -}}
+{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}}
 {{- else -}}
 {{- printf "%s-init-scripts" (include "postgresql.fullname" .) -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Get the initialization scripts Secret name.
+*/}}
+{{- define "postgresql.initdbScriptsSecret" -}}
+{{- printf "%s" (tpl .Values.initdbScriptsSecret $) -}}
+{{- end -}}
+
+{{/*
+Get the metrics ConfigMap name.
+*/}}
+{{- define "postgresql.metricsCM" -}}
+{{- printf "%s-metrics" (include "postgresql.fullname" .) -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "postgresql.imagePullSecrets" -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
+Also, we can not use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}
+imagePullSecrets:
+{{- range .Values.image.pullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- range .Values.metrics.image.pullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- range .Values.volumePermissions.image.pullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end -}}
+{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}
+imagePullSecrets:
+{{- range .Values.image.pullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- range .Values.metrics.image.pullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- range .Values.volumePermissions.image.pullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the readiness probe command
+*/}}
+{{- define "postgresql.readinessProbeCommand" -}}
+- |
+{{- if (include "postgresql.database" .) }}
+  exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+{{- else }}
+  exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+{{- end }}
+{{- if contains "bitnami/" .Values.image.repository }}
+  [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return  the proper Storage Class
+*/}}
+{{- define "postgresql.storageClass" -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
+*/}}
+{{- if .Values.global -}}
+    {{- if .Values.global.storageClass -}}
+        {{- if (eq "-" .Values.global.storageClass) -}}
+            {{- printf "storageClassName: \"\"" -}}
+        {{- else }}
+            {{- printf "storageClassName: %s" .Values.global.storageClass -}}
+        {{- end -}}
+    {{- else -}}
+        {{- if .Values.persistence.storageClass -}}
+              {{- if (eq "-" .Values.persistence.storageClass) -}}
+                  {{- printf "storageClassName: \"\"" -}}
+              {{- else }}
+                  {{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
+              {{- end -}}
+        {{- end -}}
+    {{- end -}}
+{{- else -}}
+    {{- if .Values.persistence.storageClass -}}
+        {{- if (eq "-" .Values.persistence.storageClass) -}}
+            {{- printf "storageClassName: \"\"" -}}
+        {{- else }}
+            {{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
+        {{- end -}}
+    {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "postgresql.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "postgresql.tplValue" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for statefulset.
+*/}}
+{{- define "postgresql.statefulset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- print "apps/v1beta2" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Compile all warnings into a single message, and call fail.
+*/}}
+{{- define "postgresql.validateValues" -}}
+{{- $messages := list -}}
+{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}}
+{{- $messages := without $messages "" -}}
+{{- $message := join "\n" $messages -}}
+
+{{- if $message -}}
+{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap
+*/}}
+{{- define "postgresql.validateValues.ldapConfigurationMethod" -}}
+{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }}
+postgresql: ldap.url, ldap.server
+    You cannot set both `ldap.url` and `ldap.server` at the same time.
+    Please provide a unique way to configure LDAP.
+    More info at https://www.postgresql.org/docs/current/auth-ldap.html
+{{- end -}}
+{{- end -}}
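Review bot: In `postgresql.readinessProbeCommand`, `exec pg_isready …` replaces the shell, so the `[ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]` line emitted for Bitnami images is never executed and the probe reduces to pg_isready alone, which appears to defeat the purpose of the file check. The probe definition that runs this block scalar is outside the chunk, so whether the shell is invoked with `-e` is not visible; dropping `exec` alone would then let the file test decide the exit status and mask a pg_isready failure. Change both lines to `pg_isready -U … -h 127.0.0.1 -p {{ template "postgresql.port" . }}` and start the block with `  set -e` so the script fails on the first failing command.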
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/metrics-configmap.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/metrics-configmap.yaml
new file mode 100755 (executable)
index 0000000..524aa2f
--- /dev/null
@@ -0,0 +1,13 @@
+{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "postgresql.metricsCM" . }}
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+data:
+  custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
+{{- end }}
index 2e210e3..c610f09 100755 (executable)
@@ -16,9 +16,9 @@ spec:
   loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }}
   {{- end }}
   ports:
-  - name: metrics
-    port: 9187
-    targetPort: metrics
+    - name: http-metrics
+      port: 9187
+      targetPort: http-metrics
   selector:
     app: {{ template "postgresql.name" . }}
     release: {{ .Release.Name }}
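Review bot: `targetPort: http-metrics` is a named port, so renaming it from `metrics` only resolves if the metrics container's `ports[].name` in the StatefulSet is renamed in step; that container definition is outside this chunk, so confirm it was updated. The new ServiceMonitor endpoint also binds to `http-metrics`, so a mismatch would silently stop scraping rather than fail at render time.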
index 40496a7..ea1fc9b 100755 (executable)
@@ -16,14 +16,23 @@ spec:
   ingress:
     # Allow inbound connections
     - ports:
-      - port: 5432
-    {{- if not .Values.networkPolicy.allowExternal }}
+        - port: {{ template "postgresql.port" . }}
+      {{- if not .Values.networkPolicy.allowExternal }}
       from:
-      - podSelector:
-          matchLabels:
-            {{ template "postgresql.fullname" . }}-client: "true"
-    {{- end }}
+        - podSelector:
+            matchLabels:
+              {{ template "postgresql.fullname" . }}-client: "true"
+          {{- if .Values.networkPolicy.explicitNamespacesSelector }}
+          namespaceSelector:
+{{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }}
+          {{- end }}
+        - podSelector:
+            matchLabels:
+              app: {{ template "postgresql.name" . }}
+              release: {{ .Release.Name | quote }}
+              role: slave
+      {{- end }}
     # Allow prometheus scrapes
     - ports:
-      - port: 9187
+        - port: 9187
 {{- end }}
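Review bot: The Prometheus rule at the end of the hunk (`- port: 9187`) still has no `from:` selector, so the exporter port is reachable from any pod in any namespace, whereas the database port above is now limited to labelled clients and the replica pods; a `from:` with a podSelector/namespaceSelector for the scraper (reusing `explicitNamespacesSelector` where set) would keep the two rules consistent. The port is also left as a literal 9187 here and in the metrics Service hunk while the database port moved to `{{ template "postgresql.port" . }}`; the exporter's actual listening port is defined outside this hunk, so confirm they agree.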
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/prometheusrule.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/prometheusrule.yaml
new file mode 100755 (executable)
index 0000000..44f1242
--- /dev/null
@@ -0,0 +1,23 @@
+{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ template "postgresql.fullname" . }}
+{{- with .Values.metrics.prometheusRule.namespace }}
+  namespace: {{ . }}
+{{- end }}
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+{{- with .Values.metrics.prometheusRule.additionalLabels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+{{- with .Values.metrics.prometheusRule.rules }}
+  groups:
+    - name: {{ template "postgresql.name" $ }}
+      rules: {{ tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+{{- end }}
index acc1681..094d18b 100755 (executable)
@@ -1,4 +1,4 @@
-{{- if not .Values.existingSecret }}
+{{- if (include "postgresql.createSecret" .) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,16 +10,14 @@ metadata:
     heritage: {{ .Release.Service | quote }}
 type: Opaque
 data:
-  {{- if .Values.postgresqlPassword }}
-  postgresql-password: {{ .Values.postgresqlPassword | b64enc | quote }}
-  {{- else }}
-  postgresql-password: {{ randAlphaNum 10 | b64enc | quote }}
+  {{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
+  postgresql-postgres-password: {{ include "postgresql.postgres.password" . | b64enc | quote }}
   {{- end }}
+  postgresql-password: {{ include "postgresql.password" . | b64enc | quote }}
   {{- if .Values.replication.enabled }}
-  {{- if .Values.replication.password }}
-  postgresql-replication-password: {{ .Values.replication.password | b64enc | quote }}
-  {{- else }}
-  postgresql-replication-password: {{ randAlphaNum 10 | b64enc | quote }}
+  postgresql-replication-password: {{ include "postgresql.replication.password" . | b64enc | quote }}
   {{- end }}
+  {{- if (and .Values.ldap.enabled .Values.ldap.bind_password)}}
+  postgresql-ldap-password: {{ .Values.ldap.bind_password | b64enc | quote }}
   {{- end }}
 {{- end -}}
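Review bot: The password entries now come from `postgresql.password`, `postgresql.replication.password` and `postgresql.postgres.password` helpers that are outside this hunk; if they keep the `randAlphaNum 10` fallback the removed lines had, every `helm upgrade` run without an explicit password re-renders a fresh random value and rotates the Secret while the data already on the volume keeps the original credential, so either the helpers should be made stable across upgrades or the values documentation should state that passwords must be set explicitly. Separately, `{{- if (and .Values.ldap.enabled .Values.ldap.bind_password)}}` is missing the space before `}}` that the surrounding lines use.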
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/serviceaccount.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/serviceaccount.yaml
new file mode 100755 (executable)
index 0000000..27e5b51
--- /dev/null
@@ -0,0 +1,11 @@
+{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  name: {{ template "postgresql.fullname" . }}
+{{- end }}
\ No newline at end of file
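Review bot: The new ServiceAccount does not set `automountServiceAccountToken: false`, and nothing visible in this change shows the PostgreSQL pods calling the Kubernetes API, so every pod bound to it via the `serviceAccountName:` lines in the StatefulSet hunks will mount an API token it does not use; adding `automountServiceAccountToken: false` at the top level keeps the account to least privilege. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.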
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/templates/servicemonitor.yaml b/helm/infrastructure/subcharts/kong/charts/postgresql/templates/servicemonitor.yaml
new file mode 100755 (executable)
index 0000000..f3a529a
--- /dev/null
@@ -0,0 +1,33 @@
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "postgresql.fullname" . }}
+  {{- if .Values.metrics.serviceMonitor.namespace }}
+  namespace: {{ .Values.metrics.serviceMonitor.namespace }}
+  {{- end }}
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+    {{- if .Values.metrics.serviceMonitor.additionalLabels }}
+{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }}
+    {{- end }}
+spec:
+  endpoints:
+    - port: http-metrics
+      {{- if .Values.metrics.serviceMonitor.interval }}
+      interval: {{ .Values.metrics.serviceMonitor.interval }}
+      {{- end }}
+      {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app: {{ template "postgresql.name" . }}
+      release: {{ .Release.Name }}
+{{- end }}
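Review bot: The selector renders `release: {{ .Release.Name }}` unquoted while the labels a few lines above use `{{ .Release.Name | quote }}`; a release name that YAML types as a number or boolean would then fail schema validation on the selector but not on the label, so use `release: {{ .Release.Name | quote }}` in both places (the metrics Service hunk `@@ -16,9 +16,9 @@` has the same unquoted selector value). `namespace: {{ .Values.metrics.serviceMonitor.namespace }}` is likewise unquoted and would benefit from `| quote`.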
index 498b9c7..3506199 100755 (executable)
@@ -1,5 +1,5 @@
 {{- if .Values.replication.enabled }}
-apiVersion: apps/v1
+apiVersion: {{ template "postgresql.statefulset.apiVersion" . }}
 kind: StatefulSet
 metadata:
   name: "{{ template "postgresql.fullname" . }}-slave"
@@ -8,6 +8,13 @@ metadata:
     chart: {{ template "postgresql.chart" . }}
     release: {{ .Release.Name | quote }}
     heritage: {{ .Release.Service | quote }}
+{{- with .Values.slave.labels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.slave.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
 spec:
   serviceName: {{ template "postgresql.fullname" . }}-headless
   replicas: {{ .Values.replication.slaveReplicas }}
@@ -25,18 +32,18 @@ spec:
         release: {{ .Release.Name | quote }}
         heritage: {{ .Release.Service | quote }}
         role: slave
+{{- with .Values.slave.podLabels }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- with .Values.slave.podAnnotations }}
+      annotations:
+{{ toYaml . | indent 8 }}
+{{- end }}
     spec:
-      {{- if .Values.securityContext.enabled }}
-      securityContext:
-        fsGroup: {{ .Values.securityContext.fsGroup }}
-        runAsUser: {{ .Values.securityContext.runAsUser }}
-      {{- end }}
-      {{- if .Values.image.pullSecrets }}
-      imagePullSecrets:
-      {{- range .Values.image.pullSecrets }}
-        - name: {{ . }}
-      {{- end}}
+      {{- if .Values.schedulerName }}
+      schedulerName: "{{ .Values.schedulerName }}"
       {{- end }}
+{{- include "postgresql.imagePullSecrets" . | indent 6 }}
       {{- if .Values.slave.nodeSelector }}
       nodeSelector:
 {{ toYaml .Values.slave.nodeSelector | indent 8 }}
@@ -52,136 +59,208 @@ spec:
       {{- if .Values.terminationGracePeriodSeconds }}
       terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
       {{- end }}
-      {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
+      {{- if .Values.securityContext.enabled }}
+      securityContext:
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+      {{- end }}
+      {{- if .Values.serviceAccount.enabled }}
+      serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name}}
+      {{- end }}
+      {{- if or .Values.slave.extraInitContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) .Values.shmVolume.enabled }}
       initContainers:
-      - name: init-chmod-data
-        image: {{ template "postgresql.volumePermissions.image" . }}
-        imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}"
-        resources:
-{{ toYaml .Values.resources | indent 10 }}
-        command:
-          - sh
-          - -c
-          - |
-            chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /bitnami
-            if [ -d /bitnami/postgresql/data ]; then
-              chmod  0700 /bitnami/postgresql/data;
-            fi
-        securityContext:
-          runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }}
-        volumeMounts:
-        - name: data
-          mountPath: /bitnami/postgresql
+      {{- if or (and .Values.volumePermissions.enabled .Values.persistence.enabled) .Values.shmVolume.enabled }}
+        - name: init-chmod-data
+          image: {{ template "postgresql.volumePermissions.image" . }}
+          imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}"
+          {{- if .Values.resources }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
+          {{- end }}
+          command:
+            - /bin/sh
+            - -c
+            - |
+              mkdir -p {{ .Values.persistence.mountPath }}/data
+              chmod 700 {{ .Values.persistence.mountPath }}/data
+              find {{ .Values.persistence.mountPath }} -mindepth 0 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \
+                xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}
+              {{- if .Values.shmVolume.enabled }}
+              chmod -R 777 /dev/shm
+              {{- end }}
+          securityContext:
+            runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }}
+          volumeMounts:
+            - name: data
+              mountPath: {{ .Values.persistence.mountPath }}
+              subPath: {{ .Values.persistence.subPath }}
+            {{- if .Values.shmVolume.enabled }}
+            - name: dshm
+              mountPath: /dev/shm
+            {{- end }}
+      {{- end }}
+      {{- if .Values.slave.extraInitContainers }}
+{{ tpl .Values.slave.extraInitContainers . | indent 8 }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.slave.priorityClassName }}
+      priorityClassName: {{ .Values.slave.priorityClassName }}
       {{- end }}
       containers:
-      - name: {{ template "postgresql.fullname" . }}
-        image: {{ template "postgresql.image" . }}
-        imagePullPolicy: "{{ .Values.image.pullPolicy }}"
-        resources:
-{{ toYaml .Values.resources | indent 10 }}
-        env:
-        {{- if .Values.image.debug}}
-        - name: BASH_DEBUG
-          value: "1"
-        - name: NAMI_DEBUG
-          value: "1"
-        {{- end }}
-        - name: POSTGRESQL_REPLICATION_MODE
-          value: "slave"
-        - name: POSTGRESQL_REPLICATION_USER
-          value: {{ .Values.replication.user | quote }}
+        - name: {{ template "postgresql.fullname" . }}
+          image: {{ template "postgresql.image" . }}
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          {{- if .Values.resources }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
+          {{- end }}
+          {{- if .Values.securityContext.enabled }}
+          securityContext:
+            runAsUser: {{ .Values.securityContext.runAsUser }}
+          {{- end }}
+          env:
+            - name: BITNAMI_DEBUG
+              value: {{ ternary "true" "false" .Values.image.debug | quote }}
+            - name: POSTGRESQL_VOLUME_DIR
+              value: "{{ .Values.persistence.mountPath }}"
+            - name: POSTGRESQL_PORT_NUMBER
+              value: "{{ template "postgresql.port" . }}"
+            {{- if .Values.persistence.mountPath }}
+            - name: PGDATA
+              value: {{ .Values.postgresqlDataDir | quote }}
+            {{- end }}
+            - name: POSTGRES_REPLICATION_MODE
+              value: "slave"
+            - name: POSTGRES_REPLICATION_USER
+              value: {{ include "postgresql.replication.username" . | quote }}
+            {{- if .Values.usePasswordFile }}
+            - name: POSTGRES_REPLICATION_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password"
+            {{- else }}
+            - name: POSTGRES_REPLICATION_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-replication-password
+            {{- end }}
+            - name: POSTGRES_CLUSTER_APP_NAME
+              value: {{ .Values.replication.applicationName }}
+            - name: POSTGRES_MASTER_HOST
+              value: {{ template "postgresql.fullname" . }}
+            - name: POSTGRES_MASTER_PORT_NUMBER
+              value: {{ include "postgresql.port" . | quote }}
+            {{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
+            {{- if .Values.usePasswordFile }}
+            - name: POSTGRES_POSTGRES_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password"
+            {{- else }}
+            - name: POSTGRES_POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-postgres-password
+            {{- end }}
+            {{- end }}
+            {{- if .Values.usePasswordFile }}
+            - name: POSTGRES_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-password"
+            {{- else }}
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-password
+            {{- end }}
+          ports:
+            - name: tcp-postgresql
+              containerPort: {{ template "postgresql.port" . }}
+          {{- if .Values.livenessProbe.enabled }}
+          livenessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                {{- if (include "postgresql.database" .) }}
+                - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+                {{- else }}
+                - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+                {{- end }}
+            initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+          {{- end }}
+          {{- if .Values.readinessProbe.enabled }}
+          readinessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - -e
+                {{- include "postgresql.readinessProbeCommand" . | nindent 16 }}
+            initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          {{- end }}
+          volumeMounts:
+            {{- if .Values.usePasswordFile }}
+            - name: postgresql-password
+              mountPath: /opt/bitnami/postgresql/secrets/
+            {{- end }}
+            {{- if .Values.shmVolume.enabled }}
+            - name: dshm
+              mountPath: /dev/shm
+            {{- end }}
+            {{- if .Values.persistence.enabled }}
+            - name: data
+              mountPath: {{ .Values.persistence.mountPath }}
+              subPath: {{ .Values.persistence.subPath }}
+            {{ end }}
+            {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
+            - name: postgresql-extended-config
+              mountPath: /bitnami/postgresql/conf/conf.d/
+            {{- end }}
+            {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
+            - name: postgresql-config
+              mountPath: /bitnami/postgresql/conf
+            {{- end }}
+            {{- if .Values.slave.extraVolumeMounts }}
+            {{- toYaml .Values.slave.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+      volumes:
         {{- if .Values.usePasswordFile }}
-        - name: POSTGRESQL_REPLICATION_PASSWORD_FILE
-          value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password"
-        {{- else }}
-        - name: POSTGRESQL_REPLICATION_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "postgresql.secretName" . }}
-              key: postgresql-replication-password
+        - name: postgresql-password
+          secret:
+            secretName: {{ template "postgresql.secretName" . }}
         {{- end }}
-        - name: POSTGRESQL_CLUSTER_APP_NAME
-          value: {{ .Values.replication.applicationName }}
-        - name: POSTGRESQL_MASTER_HOST
-          value: {{ template "postgresql.fullname" . }}
-        - name: POSTGRESQL_MASTER_PORT_NUMBER
-          value: {{ .Values.service.port | quote }}
-        ports:
-        - name: postgresql
-          containerPort: {{ .Values.service.port }}
-        {{- if .Values.livenessProbe.enabled }}
-        livenessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-           {{- if .Values.postgresqlDatabase }}
-            - exec pg_isready -U {{ .Values.postgresqlUsername | quote }} -d {{ .Values.postgresqlDatabase | quote }} -h localhost
-           {{- else }}
-            - exec pg_isready -U {{ .Values.postgresqlUsername | quote }} -h localhost
-           {{- end }}
-          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
-          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
-          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
-          successThreshold: {{ .Values.livenessProbe.successThreshold }}
-          failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+        {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}}
+        - name: postgresql-config
+          configMap:
+            name: {{ template "postgresql.configurationCM" . }}
         {{- end }}
-        {{- if .Values.readinessProbe.enabled }}
-        readinessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-           {{- if .Values.postgresqlDatabase }}
-            - exec pg_isready -U {{ .Values.postgresqlUsername | quote }} -d {{ .Values.postgresqlDatabase | quote }} -h localhost
-           {{- else }}
-            - exec pg_isready -U {{ .Values.postgresqlUsername | quote }} -h localhost
-           {{- end }}
-          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
-          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
-          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
-          successThreshold: {{ .Values.readinessProbe.successThreshold }}
-          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+        {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
+        - name: postgresql-extended-config
+          configMap:
+            name: {{ template "postgresql.extendedConfigurationCM" . }}
         {{- end }}
-        volumeMounts:
-        {{- if .Values.usePasswordFile }}
-        - name: postgresql-password
-          mountPath: /opt/bitnami/postgresql/secrets
-        {{ end }}
-        {{- if .Values.persistence.enabled }}
+        {{- if .Values.shmVolume.enabled }}
+        - name: dshm
+          emptyDir:
+            medium: Memory
+            sizeLimit: 1Gi
+        {{- end }}
+        {{- if not .Values.persistence.enabled }}
         - name: data
-          mountPath: {{ .Values.persistence.mountPath }}
-        {{ end }}
-        {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.extendedConfConfigMap }}
-        - name: postgresql-extended-config
-          mountPath: /bitnami/postgresql/conf/conf.d/
+          emptyDir: {}
         {{- end }}
-        {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
-        - name: postgresql-config
-          mountPath: /bitnami/postgresql/conf
+        {{- if .Values.slave.extraVolumes }}
+        {{- toYaml .Values.slave.extraVolumes | nindent 8 }}
         {{- end }}
-      volumes:
-      {{- if .Values.usePasswordFile }}
-      - name: postgresql-password
-        secret:
-          secretName: {{ template "postgresql.secretName" . }}
-      {{ end }}
-      {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}}
-      - name: postgresql-config
-        configMap:
-          name: {{ template "postgresql.configurationCM" . }}
-      {{- end }}
-      {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.extendedConfConfigMap }}
-      - name: postgresql-extended-config
-        configMap:
-          name: {{ template "postgresql.extendedConfigurationCM" . }}
-      {{- end }}
-      {{- if not .Values.persistence.enabled }}
-      - name: data
-        emptyDir: {}
-      {{- end }}
   updateStrategy:
     type: {{ .Values.updateStrategy.type }}
+    {{- if (eq "Recreate" .Values.updateStrategy.type) }}
+    rollingUpdate: null
+    {{- end }}
 {{- if .Values.persistence.enabled }}
   volumeClaimTemplates:
     - metadata:
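Review bot: The `PGDATA` entry is guarded by `{{- if .Values.persistence.mountPath }}` but rendered from a different value, `.Values.postgresqlDataDir`, so an empty `postgresqlDataDir` with a set `mountPath` emits `value: ""`; guard on the value actually rendered, `{{- if .Values.postgresqlDataDir }}`. `POSTGRES_CLUSTER_APP_NAME` is rendered unquoted (`value: {{ .Values.replication.applicationName }}`), and an env `value` must be a string, so a numeric-looking name fails API validation; use `value: {{ .Values.replication.applicationName | quote }}` as the neighbouring entries do. The `{{ end }}` closing the persistence `volumeMounts` entry lacks the `-` trim every other `end` in this block carries and leaves a whitespace-only line in the rendered manifest. The `{{- if (eq "Recreate" .Values.updateStrategy.type) }}` branch that sets `rollingUpdate: null` appears unreachable for a valid object, since as far as I know the StatefulSet API accepts only `RollingUpdate` and `OnDelete`; the same branch is added in the master statefulset hunk `@@ -7,11 +7,21 @@`. `chmod -R 777 /dev/shm` in the init container is broader than the single `runAsUser` the database container runs as requires; a `chown` to that user with a tighter mode, or a comment explaining why world-writable is needed, would match how the data directory is handled just above it.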
@@ -200,12 +279,6 @@ spec:
         resources:
           requests:
             storage: {{ .Values.persistence.size | quote }}
-      {{- if .Values.persistence.storageClass }}
-      {{- if (eq "-" .Values.persistence.storageClass) }}
-        storageClassName: ""
-      {{- else }}
-        storageClassName: "{{ .Values.persistence.storageClass }}"
-      {{- end }}
-      {{- end }}
+        {{ include "postgresql.storageClass" . }}
 {{- end }}
 {{- end }}
index 8fee52d..7b1b4cf 100755 (executable)
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: {{ template "postgresql.statefulset.apiVersion" . }}
 kind: StatefulSet
 metadata:
   name: {{ template "postgresql.master.fullname" . }}
@@ -7,11 +7,21 @@ metadata:
     chart: {{ template "postgresql.chart" . }}
     release: {{ .Release.Name | quote }}
     heritage: {{ .Release.Service | quote }}
+{{- with .Values.master.labels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.master.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
 spec:
   serviceName: {{ template "postgresql.fullname" . }}-headless
   replicas: 1
   updateStrategy:
     type: {{ .Values.updateStrategy.type }}
+    {{- if (eq "Recreate" .Values.updateStrategy.type) }}
+    rollingUpdate: null
+    {{- end }}
   selector:
     matchLabels:
       app: {{ template "postgresql.name" . }}
@@ -26,21 +36,18 @@ spec:
         release: {{ .Release.Name | quote }}
         heritage: {{ .Release.Service | quote }}
         role: master
+{{- with .Values.master.podLabels }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- with .Values.master.podAnnotations }}
+      annotations:
+{{ toYaml . | indent 8 }}
+{{- end }}
     spec:
-      {{- if .Values.securityContext.enabled }}
-      securityContext:
-        fsGroup: {{ .Values.securityContext.fsGroup }}
-        runAsUser: {{ .Values.securityContext.runAsUser }}
-      {{- end }}
-      {{- if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets }}
-      imagePullSecrets:
-      {{- range .Values.image.pullSecrets }}
-        - name: {{ . }}
-      {{- end}}
-      {{- range .Values.metrics.image.pullSecrets }}
-        - name: {{ . }}
-      {{- end}}
+      {{- if .Values.schedulerName }}
+      schedulerName: "{{ .Values.schedulerName }}"
       {{- end }}
+{{- include "postgresql.imagePullSecrets" . | indent 6 }}
       {{- if .Values.master.nodeSelector }}
       nodeSelector:
 {{ toYaml .Values.master.nodeSelector | indent 8 }}
@@ -56,222 +63,359 @@ spec:
       {{- if .Values.terminationGracePeriodSeconds }}
       terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
       {{- end }}
-      {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
+      {{- if .Values.securityContext.enabled }}
+      securityContext:
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+      {{- end }}
+      {{- if .Values.serviceAccount.enabled }}
+      serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }}
+      {{- end }}
+      {{- if or .Values.master.extraInitContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) .Values.shmVolume.enabled }}
       initContainers:
-      - name: init-chmod-data
-        image: {{ template "postgresql.volumePermissions.image" . }}
-        imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}"
-        resources:
-{{ toYaml .Values.resources | indent 10 }}
-        command:
-          - sh
-          - -c
-          - |
-            chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /bitnami
-            if [ -d /bitnami/postgresql/data ]; then
-              chmod  0700 /bitnami/postgresql/data;
-            fi
-        securityContext:
-          runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }}
-        volumeMounts:
-        - name: data
-          mountPath: /bitnami/postgresql
+      {{- if or (and .Values.volumePermissions.enabled .Values.persistence.enabled) .Values.shmVolume.enabled }}
+        - name: init-chmod-data
+          image: {{ template "postgresql.volumePermissions.image" . }}
+          imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}"
+          {{- if .Values.resources }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
+          {{- end }}
+          command:
+            - /bin/sh
+            - -c
+            - |
+              mkdir -p {{ .Values.persistence.mountPath }}/data
+              chmod 700 {{ .Values.persistence.mountPath }}/data
+              find {{ .Values.persistence.mountPath }} -mindepth 0 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \
+                xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}
+              {{- if .Values.shmVolume.enabled }}
+              chmod -R 777 /dev/shm
+              {{- end }}
+          securityContext:
+            runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }}
+          volumeMounts:
+            - name: data
+              mountPath: {{ .Values.persistence.mountPath }}
+              subPath: {{ .Values.persistence.subPath }}
+            {{- if .Values.shmVolume.enabled }}
+            - name: dshm
+              mountPath: /dev/shm
+            {{- end }}
+      {{- end }}
+      {{- if .Values.master.extraInitContainers }}
+{{ tpl .Values.master.extraInitContainers . | indent 8 }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.master.priorityClassName }}
+      priorityClassName: {{ .Values.master.priorityClassName }}
       {{- end }}
       containers:
-      - name: {{ template "postgresql.fullname" . }}
-        image: {{ template "postgresql.image" . }}
-        imagePullPolicy: "{{ .Values.image.pullPolicy }}"
-        resources:
-{{ toYaml .Values.resources | indent 10 }}
-        env:
-        {{- if .Values.image.debug}}
-        - name: BASH_DEBUG
-          value: "1"
-        - name: NAMI_DEBUG
-          value: "1"
-        {{- end }}
-        {{- if .Values.replication.enabled }}
-        - name: POSTGRESQL_REPLICATION_MODE
-          value: "master"
-        - name: POSTGRESQL_REPLICATION_USER
-          value: {{ .Values.replication.user | quote }}
-        {{- if .Values.usePasswordFile }}
-        - name: POSTGRESQL_REPLICATION_PASSWORD_FILE
-          value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password"
-        {{- else }}
-        - name: POSTGRESQL_REPLICATION_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "postgresql.secretName" . }}
-              key: postgresql-replication-password
-        {{- end }}
-        {{- if not (eq .Values.replication.synchronousCommit "off")}}
-        - name: POSTGRESQL_SYNCHRONOUS_COMMIT_MODE
-          value: {{ .Values.replication.synchronousCommit | quote }}
-        - name: POSTGRESQL_NUM_SYNCHRONOUS_REPLICAS
-          value: {{ .Values.replication.numSynchronousReplicas | quote }}
-        {{- end }}
-        - name: POSTGRESQL_CLUSTER_APP_NAME
-          value: {{ .Values.replication.applicationName }}
-        {{- end }}
-        - name: POSTGRESQL_USERNAME
-          value: {{ .Values.postgresqlUsername | quote }}
-        {{- if .Values.usePasswordFile }}
-        - name: POSTGRESQL_PASSWORD_FILE
-          value: "/opt/bitnami/postgresql/secrets/postgresql-password"
-        {{- else }}
-        - name: POSTGRESQL_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "postgresql.secretName" . }}
-              key: postgresql-password
-        {{- end }}
-        {{- if .Values.postgresqlDatabase }}
-        - name: POSTGRESQL_DATABASE
-          value: {{ .Values.postgresqlDatabase | quote }}
+        - name: {{ template "postgresql.fullname" . }}
+          image: {{ template "postgresql.image" . }}
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          {{- if .Values.resources }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
+          {{- end }}
+          {{- if .Values.securityContext.enabled }}
+          securityContext:
+            runAsUser: {{ .Values.securityContext.runAsUser }}
+          {{- end }}
+          env:
+            - name: BITNAMI_DEBUG
+              value: {{ ternary "true" "false" .Values.image.debug | quote }}
+            - name: POSTGRESQL_PORT_NUMBER
+              value: "{{ template "postgresql.port" . }}"
+            - name: POSTGRESQL_VOLUME_DIR
+              value: "{{ .Values.persistence.mountPath }}"
+            {{- if .Values.postgresqlInitdbArgs }}
+            - name: POSTGRES_INITDB_ARGS
+              value: {{ .Values.postgresqlInitdbArgs | quote }}
+            {{- end }}
+            {{- if .Values.postgresqlInitdbWalDir }}
+            - name: POSTGRES_INITDB_WALDIR
+              value: {{ .Values.postgresqlInitdbWalDir | quote }}
+            {{- end }}
+            {{- if .Values.initdbUser }}
+            - name: POSTGRESQL_INITSCRIPTS_USERNAME
+              value: {{ .Values.initdbUser }}
+            {{- end }}
+            {{- if .Values.initdbPassword }}
+            - name: POSTGRESQL_INITSCRIPTS_PASSWORD
+              value: .Values.initdbPassword
+            {{- end }}
+            {{- if .Values.persistence.mountPath }}
+            - name: PGDATA
+              value: {{ .Values.postgresqlDataDir | quote }}
+            {{- end }}
+            {{- if .Values.replication.enabled }}
+            - name: POSTGRES_REPLICATION_MODE
+              value: "master"
+            - name: POSTGRES_REPLICATION_USER
+              value: {{ include "postgresql.replication.username" . | quote }}
+            {{- if .Values.usePasswordFile }}
+            - name: POSTGRES_REPLICATION_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password"
+            {{- else }}
+            - name: POSTGRES_REPLICATION_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-replication-password
+            {{- end }}
+            {{- if not (eq .Values.replication.synchronousCommit "off")}}
+            - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE
+              value: {{ .Values.replication.synchronousCommit | quote }}
+            - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS
+              value: {{ .Values.replication.numSynchronousReplicas | quote }}
+            {{- end }}
+            - name: POSTGRES_CLUSTER_APP_NAME
+              value: {{ .Values.replication.applicationName }}
+            {{- end }}
+            {{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
+            {{- if .Values.usePasswordFile }}
+            - name: POSTGRES_POSTGRES_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password"
+            {{- else }}
+            - name: POSTGRES_POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-postgres-password
+            {{- end }}
+            {{- end }}
+            - name: POSTGRES_USER
+              value: {{ include "postgresql.username" . | quote }}
+            {{- if .Values.usePasswordFile }}
+            - name: POSTGRES_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-password"
+            {{- else }}
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-password
+            {{- end }}
+            {{- if (include "postgresql.database" .) }}
+            - name: POSTGRES_DB
+              value: {{ (include "postgresql.database" .) | quote }}
+            {{- end }}
+            {{- if .Values.extraEnv }}
+            {{- include "postgresql.tplValue" (dict "value" .Values.extraEnv "context" $) | nindent 12 }}
+            {{- end }}
+            - name: POSTGRESQL_ENABLE_LDAP
+              value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }}
+            {{- if .Values.ldap.enabled }}
+            - name: POSTGRESQL_LDAP_SERVER
+              value: {{ .Values.ldap.server }}
+            - name: POSTGRESQL_LDAP_PORT
+              value: {{ .Values.ldap.port | quote }}
+            - name: POSTGRESQL_LDAP_SCHEME
+              value: {{ .Values.ldap.scheme }}
+            {{- if .Values.ldap.tls }}
+            - name: POSTGRESQL_LDAP_TLS
+              value: "1"
+            {{- end}}
+            - name: POSTGRESQL_LDAP_PREFIX
+              value: {{ .Values.ldap.prefix | quote }}
+            - name: POSTGRESQL_LDAP_SUFFIX
+              value: {{ .Values.ldap.suffix | quote}}
+            - name: POSTGRESQL_LDAP_BASE_DN
+              value: {{ .Values.ldap.baseDN }}
+            - name: POSTGRESQL_LDAP_BIND_DN
+              value: {{ .Values.ldap.bindDN }}
+            {{- if (not (empty .Values.ldap.bind_password)) }}
+            - name: POSTGRESQL_LDAP_BIND_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-ldap-password
+            {{- end}}
+            - name: POSTGRESQL_LDAP_SEARCH_ATTR
+              value: {{ .Values.ldap.search_attr }}
+            - name: POSTGRESQL_LDAP_SEARCH_FILTER
+              value: {{ .Values.ldap.search_filter }}
+            - name: POSTGRESQL_LDAP_URL
+              value: {{ .Values.ldap.url }}
+            {{- end}}
+          ports:
+            - name: tcp-postgresql
+              containerPort: {{ template "postgresql.port" . }}
+          {{- if .Values.livenessProbe.enabled }}
+          livenessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                {{- if (include "postgresql.database" .) }}
+                - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+                {{- else }}
+                - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+                {{- end }}
+            initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+          {{- end }}
+          {{- if .Values.readinessProbe.enabled }}
+          readinessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - -e
+                {{- include "postgresql.readinessProbeCommand" . | nindent 16 }}
+            initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          {{- end }}
+          volumeMounts:
+            {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }}
+            - name: custom-init-scripts
+              mountPath: /docker-entrypoint-initdb.d/
+            {{- end }}
+            {{- if .Values.initdbScriptsSecret }}
+            - name: custom-init-scripts-secret
+              mountPath: /docker-entrypoint-initdb.d/secret
+            {{- end }}
+            {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
+            - name: postgresql-extended-config
+              mountPath: /bitnami/postgresql/conf/conf.d/
+            {{- end }}
+            {{- if .Values.usePasswordFile }}
+            - name: postgresql-password
+              mountPath: /opt/bitnami/postgresql/secrets/
+            {{- end }}
+            {{- if .Values.shmVolume.enabled }}
+            - name: dshm
+              mountPath: /dev/shm
+            {{- end }}
+            {{- if .Values.persistence.enabled }}
+            - name: data
+              mountPath: {{ .Values.persistence.mountPath }}
+              subPath: {{ .Values.persistence.subPath }}
+            {{- end }}
+            {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
+            - name: postgresql-config
+              mountPath: /bitnami/postgresql/conf
+            {{- end }}
+            {{- if .Values.master.extraVolumeMounts }}
+            {{- toYaml .Values.master.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+{{- if .Values.metrics.enabled }}
+        - name: metrics
+          image: {{ template "postgresql.metrics.image" . }}
+          imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+         {{- if .Values.metrics.securityContext.enabled }}
+          securityContext:
+            runAsUser: {{ .Values.metrics.securityContext.runAsUser }}
         {{- end }}
-{{- if .Values.extraEnv }}
-{{ toYaml .Values.extraEnv | indent 8 }}
+          env:
+            {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }}
+            - name: DATA_SOURCE_URI
+              value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.port" .)) $database | quote }}
+            {{- if .Values.usePasswordFile }}
+            - name: DATA_SOURCE_PASS_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-password"
+            {{- else }}
+            - name: DATA_SOURCE_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-password
+            {{- end }}
+            - name: DATA_SOURCE_USER
+              value: {{ template "postgresql.username" . }}
+          {{- if .Values.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http-metrics
+            initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }}
+          {{- end }}
+          {{- if .Values.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http-metrics
+            initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }}
+          {{- end }}
+          volumeMounts:
+            {{- if .Values.usePasswordFile }}
+            - name: postgresql-password
+              mountPath: /opt/bitnami/postgresql/secrets/
+            {{- end }}
+            {{- if .Values.metrics.customMetrics }}
+            - name: custom-metrics
+              mountPath: /conf
+              readOnly: true
+          args: ["--extend.query-path", "/conf/custom-metrics.yaml"]
+            {{- end }}
+          ports:
+            - name: http-metrics
+              containerPort: 9187
+          {{- if .Values.metrics.resources }}
+          resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+          {{- end }}
 {{- end }}
-        ports:
-        - name: postgresql
-          containerPort: {{ .Values.service.port }}
-        {{- if .Values.livenessProbe.enabled }}
-        livenessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-           {{- if .Values.postgresqlDatabase }}
-            - exec pg_isready -U {{ .Values.postgresqlUsername | quote }} -d {{ .Values.postgresqlDatabase | quote }} -h localhost
-           {{- else }}
-            - exec pg_isready -U {{ .Values.postgresqlUsername | quote }} -h localhost
-           {{- end }}
-          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
-          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
-          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
-          successThreshold: {{ .Values.livenessProbe.successThreshold }}
-          failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
-        {{- end }}
-        {{- if .Values.readinessProbe.enabled }}
-        readinessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-           {{- if .Values.postgresqlDatabase }}
-            - exec pg_isready -U {{ .Values.postgresqlUsername | quote }} -d {{ .Values.postgresqlDatabase | quote }} -h localhost
-           {{- else }}
-            - exec pg_isready -U {{ .Values.postgresqlUsername | quote }} -h localhost
-           {{- end }}
-          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
-          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
-          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
-          successThreshold: {{ .Values.readinessProbe.successThreshold }}
-          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
-        {{- end }}
-        volumeMounts:
-        {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }}
-        - name: custom-init-scripts
-          mountPath: /docker-entrypoint-initdb.d
+      volumes:
+        {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}}
+        - name: postgresql-config
+          configMap:
+            name: {{ template "postgresql.configurationCM" . }}
         {{- end }}
         {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
         - name: postgresql-extended-config
-          mountPath: /bitnami/postgresql/conf/conf.d/
+          configMap:
+            name: {{ template "postgresql.extendedConfigurationCM" . }}
         {{- end }}
         {{- if .Values.usePasswordFile }}
         - name: postgresql-password
-          mountPath: /opt/bitnami/postgresql/secrets/
+          secret:
+            secretName: {{ template "postgresql.secretName" . }}
         {{- end }}
-        {{- if .Values.persistence.enabled }}
-        - name: data
-          mountPath: {{ .Values.persistence.mountPath }}
+        {{- if  or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }}
+        - name: custom-init-scripts
+          configMap:
+            name: {{ template "postgresql.initdbScriptsCM" . }}
         {{- end }}
-        {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
-        - name: postgresql-config
-          mountPath: /bitnami/postgresql/conf
+        {{- if .Values.initdbScriptsSecret }}
+        - name: custom-init-scripts-secret
+          secret:
+            secretName: {{ template "postgresql.initdbScriptsSecret" . }}
         {{- end }}
-{{- if .Values.metrics.enabled }}
-      - name: metrics
-        image: {{ template "metrics.image" . }}
-        imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
-        env:
-        {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase)" .Values.postgresqlDatabase }}
-        - name: DATA_SOURCE_URI
-          value: {{ printf "localhost:%d/%s?sslmode=disable" (int .Values.service.port) $database | quote }}
-        {{- if .Values.usePasswordFile }}
-        - name: DATA_SOURCE_PASS_FILE
-          value: "/opt/bitnami/postgresql/secrets/postgresql-password"
-        {{- else }}
-        - name: DATA_SOURCE_PASS
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "postgresql.secretName" . }}
-              key: postgresql-password
-        {{- end }}
-        - name: DATA_SOURCE_USER
-          value: {{ .Values.postgresqlUsername }}
-        {{- if .Values.livenessProbe.enabled }}
-        livenessProbe:
-          httpGet:
-            path: /
-            port: metrics
-          initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }}
-          periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }}
-          timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }}
-          successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }}
-          failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }}
+        {{- if .Values.master.extraVolumes }}
+        {{- toYaml .Values.master.extraVolumes | nindent 8 }}
         {{- end }}
-        {{- if .Values.readinessProbe.enabled }}
-        readinessProbe:
-          httpGet:
-            path: /
-            port: metrics
-          initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }}
-          periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }}
-          timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }}
-          successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }}
-          failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }}
+        {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
+        - name: custom-metrics
+          configMap:
+            name: {{ template "postgresql.metricsCM" . }}
         {{- end }}
-        volumeMounts:
-        {{- if .Values.usePasswordFile }}
-        - name: postgresql-password
-          mountPath: /opt/bitnami/postgresql/secrets/
+        {{- if .Values.shmVolume.enabled }}
+        - name: dshm
+          emptyDir:
+            medium: Memory
+            sizeLimit: 1Gi
         {{- end }}
-        ports:
-        - name: metrics
-          containerPort: 9187
-        resources:
-{{ toYaml .Values.metrics.resources | indent 10 }}
-{{- end }}
-      volumes:
-      {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}}
-      - name: postgresql-config
-        configMap:
-          name: {{ template "postgresql.configurationCM" . }}
-      {{- end }}
-      {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
-      - name: postgresql-extended-config
-        configMap:
-          name: {{ template "postgresql.extendedConfigurationCM" . }}
-      {{- end }}
-      {{- if .Values.usePasswordFile }}
-      - name: postgresql-password
-        secret:
-          secretName: {{ template "postgresql.secretName" . }}
-      {{- end }}
-      {{- if  or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }}
-      - name: custom-init-scripts
-        configMap:
-          name: {{ template "postgresql.initdbScriptsCM" . }}
-      {{- end }}
 {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
-      - name: data
-        persistentVolumeClaim:
-          claimName: {{ .Values.persistence.existingClaim }}
+        - name: data
+          persistentVolumeClaim:
+{{- with .Values.persistence.existingClaim }}
+            claimName: {{ tpl . $ }}
+{{- end }}
 {{- else if not .Values.persistence.enabled }}
-      - name: data
-        emptyDir: {}
+        - name: data
+          emptyDir: {}
 {{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
   volumeClaimTemplates:
     - metadata:
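Review bot: `value: .Values.initdbPassword` under the `POSTGRESQL_INITSCRIPTS_PASSWORD` entry is missing its template delimiters, so the container receives the literal string `.Values.initdbPassword` rather than the configured value; it should read `value: {{ .Values.initdbPassword | quote }}`. Even once rendered correctly it is the only credential in this env list passed as a plain value — the replication, `postgres` and user passwords around it all use a `secretKeyRef` into the chart secret — so it would end up in clear text in the StatefulSet spec; sourcing it from the secret like its neighbours would be more consistent. Separately, the `PGDATA` entry is guarded by `.Values.persistence.mountPath` but renders `.Values.postgresqlDataDir`, so an unset data dir yields `PGDATA: ""`; the guard should test the value actually rendered. The LDAP entries for `server`, `scheme`, `baseDN`, `bindDN`, `search_attr`, `search_filter` and `url` are emitted without `| quote`, unlike `port`, `prefix` and `suffix`, and a DN or filter containing `: ` or ` #` would break the rendered YAML.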
@@ -290,11 +434,5 @@ spec:
         resources:
           requests:
             storage: {{ .Values.persistence.size | quote }}
-      {{- if .Values.persistence.storageClass }}
-      {{- if (eq "-" .Values.persistence.storageClass) }}
-        storageClassName: ""
-      {{- else }}
-        storageClassName: "{{ .Values.persistence.storageClass }}"
-      {{- end }}
-      {{- end }}
+        {{ include "postgresql.storageClass" . }}
 {{- end }}
index 9414d60..5c71f46 100755 (executable)
@@ -11,9 +11,9 @@ spec:
   type: ClusterIP
   clusterIP: None
   ports:
-  - name: postgresql
-    port: 5432
-    targetPort: postgresql
+    - name: tcp-postgresql
+      port: {{ template "postgresql.port" . }}
+      targetPort: tcp-postgresql
   selector:
     app: {{ template "postgresql.name" . }}
     release: {{ .Release.Name | quote }}
index 6b2de77..d9492e2 100755 (executable)
@@ -18,12 +18,12 @@ spec:
   loadBalancerIP: {{ .Values.service.loadBalancerIP }}
   {{- end }}
   ports:
-  - name: postgresql
-    port:  {{ .Values.service.port }}
-    targetPort: postgresql
-    {{- if .Values.service.nodePort }}
-    nodePort: {{ .Values.service.nodePort }}
-    {{- end }}
+    - name: tcp-postgresql
+      port:  {{ template "postgresql.port" . }}
+      targetPort: tcp-postgresql
+      {{- if .Values.service.nodePort }}
+      nodePort: {{ .Values.service.nodePort }}
+      {{- end }}
   selector:
     app: {{ template "postgresql.name" . }}
     release: {{ .Release.Name | quote }}
index 31b9b08..0baea4a 100755 (executable)
@@ -9,23 +9,29 @@ metadata:
     heritage: {{ .Release.Service | quote }}
 {{- with .Values.service.annotations }}
   annotations:
-{{ toYaml . | indent 4 }}
+{{ tpl (toYaml .) $ | indent 4 }}
 {{- end }}
 spec:
   type: {{ .Values.service.type }}
   {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }}
   loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+  {{- end }}
+  {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{ with .Values.service.loadBalancerSourceRanges }}
+{{ toYaml . | indent 4 }}
+{{- end }}
   {{- end }}
   {{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }}
   clusterIP: {{ .Values.service.clusterIP }}
   {{- end }}
   ports:
-  - name: postgresql
-    port: {{ .Values.service.port }}
-    targetPort: postgresql
-    {{- if .Values.service.nodePort }}
-    nodePort: {{ .Values.service.nodePort }}
-    {{- end }}
+    - name: tcp-postgresql
+      port: {{ template "postgresql.port" . }}
+      targetPort: tcp-postgresql
+      {{- if .Values.service.nodePort }}
+      nodePort: {{ .Values.service.nodePort }}
+      {{- end }}
   selector:
     app: {{ template "postgresql.name" . }}
     release: {{ .Release.Name | quote }}
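Review bot: The inner `{{ with .Values.service.loadBalancerSourceRanges }}` is redundant with the enclosing `if`, which already tests the same value, and because it is not whitespace-trimmed it emits a line of stray indentation before the `toYaml` output; `{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }}` directly under `loadBalancerSourceRanges:` renders the same list without the extra construct. Since the restriction is only applied when `service.type` is `LoadBalancer`, the values documentation should say that a `NodePort` service is not narrowed by this setting.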
index f53542f..43508f3 100755 (executable)
@@ -1,8 +1,13 @@
-## Global Docker image registry
-### Please, note that this will override the image registry for all the images, including dependencies, configured to use the global value
-###
-## global:
-##   imageRegistry:
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry and imagePullSecrets
+##
+global:
+  postgresql: {}
+#   imageRegistry: myRegistryName
+#   imagePullSecrets:
+#     - myRegistryKeySecretName
+#   storageClass: myStorageClass
 
 ## Bitnami PostgreSQL image version
 ## ref: https://hub.docker.com/r/bitnami/postgresql/tags/
 image:
   registry: docker.io
   repository: bitnami/postgresql
-  tag: 10.6.0
+  tag: 11.6.0-debian-9-r0
   ## Specify a imagePullPolicy
   ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
   ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
   ##
-  pullPolicy: Always
-
+  pullPolicy: IfNotPresent
   ## Optionally specify an array of imagePullSecrets.
   ## Secrets must be manually created in the namespace.
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
   ##
   # pullSecrets:
-  #   - myRegistrKeySecretName
+  #   - myRegistryKeySecretName
 
   ## Set to true if you would like to see extra information on logs
   ## It turns BASH and NAMI debugging in minideb
   ## ref:  https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging
   debug: false
 
+## String to partially override postgresql.fullname template (will maintain the release name)
+##
+# nameOverride:
+
+## String to fully override postgresql.fullname template
+##
+# fullnameOverride:
+
 ##
 ## Init containers parameters:
 ## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
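Review bot: `tag: 10.6.0` → `tag: 11.6.0-debian-9-r0` is a PostgreSQL major-version change; if a release's persistent volume was initialised by the 10.x image, the 11.x server will refuse to start on that data directory until it is migrated (dump/restore or pg_upgrade), so the bump deserves a comment next to the tag such as `## NOTE: moving an existing 10.x data directory to this tag requires a manual migration`. Switching `pullPolicy` to `IfNotPresent` is appropriate now that the tag is pinned.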
@@ -38,16 +50,27 @@ volumePermissions:
   image:
     registry: docker.io
     repository: bitnami/minideb
-    tag: latest
+    tag: stretch
     ## Specify a imagePullPolicy
     ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
     ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
     ##
     pullPolicy: Always
+    ## Optionally specify an array of imagePullSecrets.
+    ## Secrets must be manually created in the namespace.
+    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+    ##
+    # pullSecrets:
+    #   - myRegistryKeySecretName
   ## Init container Security Context
   securityContext:
     runAsUser: 0
 
+## Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+# schedulerName:
+
 ## Pod Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 ##
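Review bot: `tag: stretch` for the volume-permissions image is still a floating tag, and combined with `pullPolicy: Always` each pod start may pull a different image into an init container that runs as `runAsUser: 0` and recursively chowns the data volume. Pinning it to an immutable tag or digest, e.g. `tag: <pinned-minideb-tag>`, keeps that privileged step reproducible; the new `pullSecrets` commentary is otherwise fine.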
@@ -56,6 +79,13 @@ securityContext:
   fsGroup: 1001
   runAsUser: 1001
 
+## Pod Service Account
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+serviceAccount:
+  enabled: false
+  ## Name of an already existing service account. Setting this value disables the automatic service account creation.
+  # name:
+
 replication:
   enabled: true
   user: repl_user
@@ -70,7 +100,11 @@ replication:
   ## Replication Cluster application name. Useful for defining multiple replication policies
   applicationName: my_application
 
-## PostgreSQL admin user
+## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`)
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!)
+# postgresqlPostgresPassword:
+
+## PostgreSQL user (has superuser privileges if username is `postgres`)
 ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
 postgresqlUsername: postgres
 
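Review bot: `postgresqlUsername: postgres` keeps the application user as the PostgreSQL superuser, as the rewritten comment on the line above it now states explicitly. Kong needs to own its database and run migrations in it, but it presumably does not need superuser; overriding `postgresqlUsername` (and `postgresqlDatabase`) in the parent chart's values gives Kong an ordinary role and moves the superuser credential to `postgresqlPostgresPassword`, which the new comment documents. Whether the parent Kong chart already does this override is not visible from this hunk and should be confirmed.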
@@ -79,16 +113,40 @@ postgresqlUsername: postgres
 ##
 # postgresqlPassword:
 
+## PostgreSQL password using existing secret
+## existingSecret: secret
+
+## Mount PostgreSQL secret as a file instead of passing environment variable
+# usePasswordFile: false
+
 ## Create a database
 ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run
 ##
 # postgresqlDatabase:
 
-## PostgreSQL password using existing secret
-## existingSecret: secret
+## PostgreSQL data dir
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
+##
+postgresqlDataDir: /bitnami/postgresql/data
 
-## Mount PostgreSQL secret as a file instead of passing environment variable
-# usePasswordFile: false
+## An array to add extra environment variables
+## For example:
+## extraEnv:
+##   - name: FOO
+##     value: "bar"
+##
+# extraEnv:
+extraEnv: []
+
+## Specify extra initdb args
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
+##
+# postgresqlInitdbArgs:
+
+## Specify a custom location for the PostgreSQL transaction log
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
+##
+# postgresqlInitdbWalDir:
 
 ## PostgreSQL configuration
 ## Specify runtime configuration parameters as a dict, using camelCase, e.g.
@@ -122,22 +180,53 @@ postgresqlUsername: postgres
 # extendedConfConfigMap:
 
 ## initdb scripts
-## Specify dictionnary of scripts to be run at first boot
+## Specify dictionary of scripts to be run at first boot
 ## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory
 ##
 # initdbScripts:
-#   my_init_script.sh:|
+#   my_init_script.sh: |
 #      #!/bin/sh
 #      echo "Do something."
 
+## Specify the PostgreSQL username and password to execute the initdb scripts
+# initdbUser:
+# initdbPassword:
+
 ## ConfigMap with scripts to be run at first boot
 ## NOTE: This will override initdbScripts
 # initdbScriptsConfigMap:
 
+## Secret with scripts to be run at first boot (in case it contains sensitive information)
+## NOTE: This can work along initdbScripts or initdbScriptsConfigMap
+# initdbScriptsSecret:
+
+## Optional duration in seconds the pod needs to terminate gracefully.
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+##
+# terminationGracePeriodSeconds: 30
+
+## LDAP configuration
+##
+ldap:
+  enabled: false
+  url: ""
+  server: ""
+  port: ""
+  prefix: ""
+  suffix: ""
+  baseDN: ""
+  bindDN: ""
+  bind_password:
+  search_attr: ""
+  search_filter: ""
+  scheme: ""
+  tls: false
+
 ## PostgreSQL service configuration
 service:
   ## PosgresSQL service type
   type: ClusterIP
+  # clusterIP: None
   port: 5432
 
   ## Specify the nodePort value for the LoadBalancer and NodePort service types.
@@ -145,13 +234,32 @@ service:
   ##
   # nodePort:
 
-  ## Provide any additional annotations which may be required. This can be used to
+  ## Provide any additional annotations which may be required.
+  ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
   annotations: {}
   ## Set the LoadBalancer service type to internal only.
   ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
   ##
   # loadBalancerIP:
 
+  ## Load Balancer sources
+  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+  ##
+  # loadBalancerSourceRanges:
+  # - 10.10.10.0/24
+
+## Start master and slave(s) pod(s) without limitations on shm memory.
+## By default docker and containerd (and possibly other container runtimes)
+## limit `/dev/shm` to `64M` (see e.g. the
+## [docker issue](https://github.com/docker-library/postgres/issues/416) and the
+## [containerd issue](https://github.com/containerd/containerd/issues/3654),
+## which could be not enough if PostgreSQL uses parallel workers heavily.
+## If this option is present and value is `true`,
+## to the target database pod will be mounted a new tmpfs volume to remove
+## this limitation.
+shmVolume:
+  enabled: true
+
 ## PostgreSQL data Persistent Volume Storage Class
 ## If defined, storageClassName: <storageClass>
 ## If set to "-", storageClassName: "", which disables dynamic provisioning
@@ -163,8 +271,20 @@ persistence:
   enabled: true
   ## A manually managed Persistent Volume and Claim
   ## If defined, PVC must be created manually before volume will be bound
+  ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart
+  ##
   # existingClaim:
+
+  ## The path the volume will be mounted at, useful when using different
+  ## PostgreSQL images.
+  ##
   mountPath: /bitnami/postgresql
+
+  ## The subdirectory of the volume to mount to, useful in dev environments
+  ## and one PV for multiple services.
+  ##
+  subPath: ""
+
   # storageClass: "-"
   accessModes:
     - ReadWriteOnce
@@ -180,25 +300,49 @@ updateStrategy:
 ## PostgreSQL Master parameters
 ##
 master:
-  ## Node, affinity and tolerations labels for pod assignment
+  ## Node, affinity, tolerations, and priorityclass settings for pod assignment
   ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
   ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
   ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption
   nodeSelector: {}
   affinity: {}
   tolerations: []
+  labels: {}
+  annotations: {}
+  podLabels: {}
+  podAnnotations: {}
+  priorityClassName: ""
+  ## Additional PostgreSQL Master Volume mounts
+  ##
+  extraVolumeMounts: []
+  ## Additional PostgreSQL Master Volumes
+  ##
+  extraVolumes: []
 
 ##
 ## PostgreSQL Slave parameters
 ##
 slave:
-  ## Node, affinity and tolerations labels for pod assignment
+  ## Node, affinity, tolerations, and priorityclass settings for pod assignment
   ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
   ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
   ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption
   nodeSelector: {}
   affinity: {}
   tolerations: []
+  labels: {}
+  annotations: {}
+  podLabels: {}
+  podAnnotations: {}
+  priorityClassName: ""
+  ## Additional PostgreSQL Slave Volume mounts
+  ##
+  extraVolumeMounts: []
+  ## Additional PostgreSQL Slave Volumes
+  ##
+  extraVolumes: []
 
 ## Configure resource requests and limits
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
@@ -209,7 +353,7 @@ resources:
     cpu: 250m
 
 networkPolicy:
-  ## Enable creation of NetworkPolicy resources.
+  ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
   ##
   enabled: false
 
@@ -220,6 +364,17 @@ networkPolicy:
   ##
   allowExternal: true
 
+  ## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
+  ## and that match other criteria, the ones that have the good label, can reach the DB.
+  ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this
+  ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
+  ##
+  # explicitNamespacesSelector:
+    # matchLabels:
+      # role: frontend
+    # matchExpressions:
+      # - {key: role, operator: In, values: [frontend]}
+
 ## Configure extra options for liveness and readiness probes
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
 livenessProbe:
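Review bot: The new `explicitNamespacesSelector` comment leaves the more important default unstated: with `allowExternal: true` retained just above it, any pod in the cluster can reach port 5432 even when the policy is enabled, and `enabled: false` in the preceding hunk means no NetworkPolicy is created at all. For a database that only the Kong pods need, the parent chart's values should set `networkPolicy.enabled: true` and `allowExternal: false` rather than relying on these vendored defaults. The phrase "the ones that have the good label" is also unclear; I would write `## and that carry the client label selected by this chart's NetworkPolicy template`.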
@@ -249,18 +404,59 @@ metrics:
       prometheus.io/scrape: "true"
       prometheus.io/port: "9187"
     loadBalancerIP:
+  serviceMonitor:
+    enabled: false
+    additionalLabels: {}
+    # namespace: monitoring
+    # interval: 30s
+    # scrapeTimeout: 10s
+  ## Custom PrometheusRule to be defined
+  ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
+  ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
+  prometheusRule:
+    enabled: false
+    additionalLabels: {}
+    namespace: ""
+    rules: []
+      ## These are just examples rules, please adapt them to your needs.
+      ## Make sure to constraint the rules to the current postgresql service.
+      # - alert: HugeReplicationLag
+      #   expr: pg_replication_lag{service="{{ template "postgresql.fullname" . }}-metrics"} / 3600 > 1
+      #   for: 1m
+      #   labels:
+      #     severity: critical
+      #   annotations:
+      #     description: replication for {{ template "postgresql.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
+      #     summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).
   image:
     registry: docker.io
-    repository: wrouesnel/postgres_exporter
-    tag: v0.4.6
+    repository: bitnami/postgres-exporter
+    tag: 0.7.0-debian-9-r12
     pullPolicy: IfNotPresent
     ## Optionally specify an array of imagePullSecrets.
     ## Secrets must be manually created in the namespace.
     ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
     ##
     # pullSecrets:
-    #   - myRegistrKeySecretName
-
+    #   - myRegistryKeySecretName
+  ## Define additional custom metrics
+  ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file
+  # customMetrics:
+  #   pg_database:
+  #     query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')"
+  #     metrics:
+  #       - name:
+  #           usage: "LABEL"
+  #           description: "Name of the database"
+  #       - size_bytes:
+  #           usage: "GAUGE"
+  #           description: "Size of the database in bytes"
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext:
+    enabled: false
+    runAsUser: 1001
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
   ## Configure extra options for liveness and readiness probes
   livenessProbe:
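Review bot: `securityContext.enabled: false` for the new postgres-exporter sidecar means this block contributes no explicit securityContext to that container, while the pod-level context earlier in the file sets `runAsUser: 1001`; whether the pod-level setting reaches the sidecar depends on the template, which is not in view. Since the exporter only needs to reach the local PostgreSQL port, I would default it to `enabled: true` so the uid is pinned regardless of what the image's Dockerfile declares, i.e. `securityContext:` / `  enabled: true` / `  runAsUser: 1001`. The exporter tag `0.7.0-debian-9-r12` is pinned, which is good; the `customMetrics` example is commented out and harmless.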
@@ -278,6 +474,3 @@ metrics:
     timeoutSeconds: 5
     failureThreshold: 6
     successThreshold: 1
-
-# Define custom environment variables to pass to the image here
-extraEnv: {}
diff --git a/helm/infrastructure/subcharts/kong/charts/postgresql/values.schema.json b/helm/infrastructure/subcharts/kong/charts/postgresql/values.schema.json
new file mode 100755 (executable)
index 0000000..ac2de6e
--- /dev/null
@@ -0,0 +1,103 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "type": "object",
+  "properties": {
+    "postgresqlUsername": {
+      "type": "string",
+      "title": "Admin user",
+      "form": true
+    },
+    "postgresqlPassword": {
+      "type": "string",
+      "title": "Password",
+      "form": true
+    },
+    "persistence": {
+      "type": "object",
+      "properties": {
+        "size": {
+          "type": "string",
+          "title": "Persistent Volume Size",
+          "form": true,
+          "render": "slider",
+          "sliderMin": 1,
+          "sliderMax": 100,
+          "sliderUnit": "Gi"
+        }
+      }
+    },
+    "resources": {
+      "type": "object",
+      "title": "Required Resources",
+      "description": "Configure resource requests",
+      "form": true,
+      "properties": {
+        "requests": {
+          "type": "object",
+          "properties": {
+            "memory": {
+              "type": "string",
+              "form": true,
+              "render": "slider",
+              "title": "Memory Request",
+              "sliderMin": 10,
+              "sliderMax": 2048,
+              "sliderUnit": "Mi"
+            },
+            "cpu": {
+              "type": "string",
+              "form": true,
+              "render": "slider",
+              "title": "CPU Request",
+              "sliderMin": 10,
+              "sliderMax": 2000,
+              "sliderUnit": "m"
+            }
+          }
+        }
+      }
+    },
+    "replication": {
+      "type": "object",
+      "form": true,
+      "title": "Replication Details",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "title": "Enable Replication",
+          "form": true
+        },
+        "slaveReplicas": {
+          "type": "integer",
+          "title": "Slave Replicas",
+          "form": true,
+          "hidden": {
+            "condition": false,
+            "value": "replication.enabled"
+          }
+        }
+      }
+    },
+    "volumePermissions": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "form": true,
+          "title": "Enable Init Containers",
+          "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup"
+        }
+      }
+    },
+    "metrics": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "title": "Configure metrics exporter",
+          "form": true
+        }
+      }
+    }
+  }
+}
index e25704a..0fc14b8 100755 (executable)
@@ -1,8 +1,13 @@
-## Global Docker image registry
-### Please, note that this will override the image registry for all the images, including dependencies, configured to use the global value
-###
-## global:
-##   imageRegistry:
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry and imagePullSecrets
+##
+global:
+  postgresql: {}
+#   imageRegistry: myRegistryName
+#   imagePullSecrets:
+#     - myRegistryKeySecretName
+#   storageClass: myStorageClass
 
 ## Bitnami PostgreSQL image version
 ## ref: https://hub.docker.com/r/bitnami/postgresql/tags/
 image:
   registry: docker.io
   repository: bitnami/postgresql
-  tag: 10.6.0
+  tag: 11.6.0-debian-9-r0
   ## Specify a imagePullPolicy
   ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
   ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
   ##
-  pullPolicy: Always
-
+  pullPolicy: IfNotPresent
   ## Optionally specify an array of imagePullSecrets.
   ## Secrets must be manually created in the namespace.
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
   ##
   # pullSecrets:
-  #   - myRegistrKeySecretName
+  #   - myRegistryKeySecretName
 
   ## Set to true if you would like to see extra information on logs
   ## It turns BASH and NAMI debugging in minideb
   ## ref:  https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging
   debug: false
 
+## String to partially override postgresql.fullname template (will maintain the release name)
+##
+# nameOverride:
+
+## String to fully override postgresql.fullname template
+##
+# fullnameOverride:
+
 ##
 ## Init containers parameters:
 ## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
@@ -38,16 +50,27 @@ volumePermissions:
   image:
     registry: docker.io
     repository: bitnami/minideb
-    tag: latest
+    tag: stretch
     ## Specify a imagePullPolicy
     ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
     ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
     ##
     pullPolicy: Always
+    ## Optionally specify an array of imagePullSecrets.
+    ## Secrets must be manually created in the namespace.
+    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+    ##
+    # pullSecrets:
+    #   - myRegistryKeySecretName
   ## Init container Security Context
   securityContext:
     runAsUser: 0
 
+## Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+# schedulerName:
+
 ## Pod Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 ##
@@ -56,6 +79,13 @@ securityContext:
   fsGroup: 1001
   runAsUser: 1001
 
+## Pod Service Account
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+serviceAccount:
+  enabled: false
+  ## Name of an already existing service account. Setting this value disables the automatic service account creation.
+  # name:
+
 replication:
   enabled: false
   user: repl_user
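Review bot: `serviceAccount.enabled: false` means the PostgreSQL pods run under the namespace's `default` service account, whose token is auto-mounted into a container that has no reason to call the Kubernetes API. A dedicated account (`enabled: true`) scoped to this release is the least-privilege default, and `automountServiceAccountToken: false` on that account or the pod is worth adding if the chart template supports it; the stanza here exposes only `enabled` and `name`, so that would need checking in the template. The same stanza appears in the other values file in this commit and the same applies there.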
@@ -70,7 +100,11 @@ replication:
   ## Replication Cluster application name. Useful for defining multiple replication policies
   applicationName: my_application
 
-## PostgreSQL admin user
+## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`)
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!)
+# postgresqlPostgresPassword:
+
+## PostgreSQL user (has superuser privileges if username is `postgres`)
 ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
 postgresqlUsername: postgres
 
@@ -90,6 +124,30 @@ postgresqlUsername: postgres
 ##
 # postgresqlDatabase:
 
+## PostgreSQL data dir
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
+##
+postgresqlDataDir: /bitnami/postgresql/data
+
+## An array to add extra environment variables
+## For example:
+## extraEnv:
+##   - name: FOO
+##     value: "bar"
+##
+# extraEnv:
+extraEnv: []
+
+## Specify extra initdb args
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
+##
+# postgresqlInitdbArgs:
+
+## Specify a custom location for the PostgreSQL transaction log
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
+##
+# postgresqlInitdbWalDir:
+
 ## PostgreSQL configuration
 ## Specify runtime configuration parameters as a dict, using camelCase, e.g.
 ## {"sharedBuffers": "500MB"}
@@ -122,23 +180,48 @@ postgresqlUsername: postgres
 # extendedConfConfigMap:
 
 ## initdb scripts
-## Specify dictionnary of scripts to be run at first boot
+## Specify dictionary of scripts to be run at first boot
 ## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory
 ##
 # initdbScripts:
-#   my_init_script.sh:|
+#   my_init_script.sh: |
 #      #!/bin/sh
 #      echo "Do something."
-#
+
 ## ConfigMap with scripts to be run at first boot
 ## NOTE: This will override initdbScripts
 # initdbScriptsConfigMap:
 
+## Secret with scripts to be run at first boot (in case it contains sensitive information)
+## NOTE: This can work along initdbScripts or initdbScriptsConfigMap
+# initdbScriptsSecret:
+
+## Specify the PostgreSQL username and password to execute the initdb scripts
+# initdbUser:
+# initdbPassword:
+
 ## Optional duration in seconds the pod needs to terminate gracefully.
 ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
 ##
 # terminationGracePeriodSeconds: 30
 
+## LDAP configuration
+##
+ldap:
+  enabled: false
+  url: ""
+  server: ""
+  port: ""
+  prefix: ""
+  suffix: ""
+  baseDN: ""
+  bindDN: ""
+  bind_password:
+  search_attr: ""
+  search_filter: ""
+  scheme: ""
+  tls: false
+
 ## PostgreSQL service configuration
 service:
   ## PosgresSQL service type
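Review bot: `bind_password:` in the new `ldap` stanza is left as a bare value, so it parses as null while every sibling key is an explicit `""`; write `bind_password: ""` so a template that compares it with the empty string behaves the same as for `bindDN`. A bind password set here, like `initdbPassword` a few lines up, is stored in plaintext in Helm's release record, and the comments do not point at the chart's secret-based alternatives (`existingSecret`, `initdbScriptsSecret`) for such values. With `tls: false` and a plain `ldap://` URL the bind credentials would also travel in cleartext; the default stays `enabled: false`, so nothing changes until someone turns it on, but a one-line comment such as `## Set tls: true (or an ldaps:// url) before enabling; the bind password is stored in the release manifest` would prevent that. I cannot see from the hunk how the template consumes these keys.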
@@ -151,13 +234,32 @@ service:
   ##
   # nodePort:
 
-  ## Provide any additional annotations which may be required. This can be used to
+  ## Provide any additional annotations which may be required.
+  ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
   annotations: {}
   ## Set the LoadBalancer service type to internal only.
   ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
   ##
   # loadBalancerIP:
 
+  ## Load Balancer sources
+  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+  ##
+  # loadBalancerSourceRanges:
+  # - 10.10.10.0/24
+
+## Start master and slave(s) pod(s) without limitations on shm memory.
+## By default docker and containerd (and possibly other container runtimes)
+## limit `/dev/shm` to `64M` (see e.g. the
+## [docker issue](https://github.com/docker-library/postgres/issues/416) and the
+## [containerd issue](https://github.com/containerd/containerd/issues/3654),
+## which could be not enough if PostgreSQL uses parallel workers heavily.
+## If this option is present and value is `true`,
+## to the target database pod will be mounted a new tmpfs volume to remove
+## this limitation.
+shmVolume:
+  enabled: true
+
 ## PostgreSQL data Persistent Volume Storage Class
 ## If defined, storageClassName: <storageClass>
 ## If set to "-", storageClassName: "", which disables dynamic provisioning
@@ -169,8 +271,20 @@ persistence:
   enabled: true
   ## A manually managed Persistent Volume and Claim
   ## If defined, PVC must be created manually before volume will be bound
+  ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart
+  ##
   # existingClaim:
+
+  ## The path the volume will be mounted at, useful when using different
+  ## PostgreSQL images.
+  ##
   mountPath: /bitnami/postgresql
+
+  ## The subdirectory of the volume to mount to, useful in dev environments
+  ## and one PV for multiple services.
+  ##
+  subPath: ""
+
   # storageClass: "-"
   accessModes:
     - ReadWriteOnce
@@ -186,25 +300,57 @@ updateStrategy:
 ## PostgreSQL Master parameters
 ##
 master:
-  ## Node, affinity and tolerations labels for pod assignment
+  ## Node, affinity, tolerations, and priorityclass settings for pod assignment
   ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
   ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
   ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption
   nodeSelector: {}
   affinity: {}
   tolerations: []
+  labels: {}
+  annotations: {}
+  podLabels: {}
+  podAnnotations: {}
+  priorityClassName: ""
+  extraInitContainers: |
+  # - name: do-something
+  #   image: busybox
+  #   command: ['do', 'something']
+  ## Additional PostgreSQL Master Volume mounts
+  ##
+  extraVolumeMounts: []
+  ## Additional PostgreSQL Master Volumes
+  ##
+  extraVolumes: []
 
 ##
 ## PostgreSQL Slave parameters
 ##
 slave:
-  ## Node, affinity and tolerations labels for pod assignment
+  ## Node, affinity, tolerations, and priorityclass settings for pod assignment
   ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
   ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
   ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption
   nodeSelector: {}
   affinity: {}
   tolerations: []
+  labels: {}
+  annotations: {}
+  podLabels: {}
+  podAnnotations: {}
+  priorityClassName: ""
+  extraInitContainers: |
+  # - name: do-something
+  #   image: busybox
+  #   command: ['do', 'something']
+  ## Additional PostgreSQL Slave Volume mounts
+  ##
+  extraVolumeMounts: []
+  ## Additional PostgreSQL Slave Volumes
+  ##
+  extraVolumes: []
 
 ## Configure resource requests and limits
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
@@ -215,7 +361,7 @@ resources:
     cpu: 250m
 
 networkPolicy:
-  ## Enable creation of NetworkPolicy resources.
+  ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
   ##
   enabled: false
 
@@ -226,6 +372,17 @@ networkPolicy:
   ##
   allowExternal: true
 
+  ## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
+  ## and that match other criteria, the ones that have the good label, can reach the DB.
+  ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this
+  ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
+  ##
+  # explicitNamespacesSelector:
+    # matchLabels:
+      # role: frontend
+    # matchExpressions:
+      # - {key: role, operator: In, values: [frontend]}
+
 ## Configure extra options for liveness and readiness probes
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
 livenessProbe:
@@ -255,18 +412,59 @@ metrics:
       prometheus.io/scrape: "true"
       prometheus.io/port: "9187"
     loadBalancerIP:
+  serviceMonitor:
+    enabled: false
+    additionalLabels: {}
+    # namespace: monitoring
+    # interval: 30s
+    # scrapeTimeout: 10s
+  ## Custom PrometheusRule to be defined
+  ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
+  ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
+  prometheusRule:
+    enabled: false
+    additionalLabels: {}
+    namespace: ""
+    rules: []
+      ## These are just examples rules, please adapt them to your needs.
+      ## Make sure to constraint the rules to the current postgresql service.
+      # - alert: HugeReplicationLag
+      #   expr: pg_replication_lag{service="{{ template "postgresql.fullname" . }}-metrics"} / 3600 > 1
+      #   for: 1m
+      #   labels:
+      #     severity: critical
+      #   annotations:
+      #     description: replication for {{ template "postgresql.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
+      #     summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).
   image:
     registry: docker.io
-    repository: wrouesnel/postgres_exporter
-    tag: v0.4.6
+    repository: bitnami/postgres-exporter
+    tag: 0.7.0-debian-9-r12
     pullPolicy: IfNotPresent
     ## Optionally specify an array of imagePullSecrets.
     ## Secrets must be manually created in the namespace.
     ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
     ##
     # pullSecrets:
-    #   - myRegistrKeySecretName
-
+    #   - myRegistryKeySecretName
+  ## Define additional custom metrics
+  ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file
+  # customMetrics:
+  #   pg_database:
+  #     query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')"
+  #     metrics:
+  #       - name:
+  #           usage: "LABEL"
+  #           description: "Name of the database"
+  #       - size_bytes:
+  #           usage: "GAUGE"
+  #           description: "Size of the database in bytes"
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext:
+    enabled: false
+    runAsUser: 1001
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
   ## Configure extra options for liveness and readiness probes
   livenessProbe:
@@ -284,6 +482,3 @@ metrics:
     timeoutSeconds: 5
     failureThreshold: 6
     successThreshold: 1
-
-# Define custom environment variables to pass to the image here
-extraEnv: {}
diff --git a/helm/infrastructure/subcharts/kong/ci/cassandra.yaml b/helm/infrastructure/subcharts/kong/ci/cassandra.yaml
deleted file mode 100755 (executable)
index 4357ccd..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
-env:
-  database: cassandra
-
-cassandra:
-  enabled: true
-postgres:
-  enabled: false
diff --git a/helm/infrastructure/subcharts/kong/ci/dbless-no-kic-internal-declarative-config-values.yaml b/helm/infrastructure/subcharts/kong/ci/dbless-no-kic-internal-declarative-config-values.yaml
deleted file mode 100755 (executable)
index 596b7c7..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-################################################################################
-#   Copyright (c) 2019 AT&T Intellectual Property.                             #
-#                                                                              #
-#   Licensed under the Apache License, Version 2.0 (the "License");            #
-#   you may not use this file except in compliance with the License.           #
-#   You may obtain a copy of the License at                                    #
-#                                                                              #
-#       http://www.apache.org/licenses/LICENSE-2.0                             #
-#                                                                              #
-#   Unless required by applicable law or agreed to in writing, software        #
-#   distributed under the License is distributed on an "AS IS" BASIS,          #
-#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-#   See the License for the specific language governing permissions and        #
-#   limitations under the License.                                             #
-################################################################################
-
-# CI test for testing dbless deployment without ingress controllers
-ingressController:
-  enabled: false
-env:
-  database: "off"
-postgresql:
-  enabled: false
-dblessConfig:
-  # Or the configuration is passed in full-text below
-  config:
-    _format_version: "1.1"
-    services:
-      - name: test-svc
-        url: http://example.com
-        routes:
-        - name: test
-          paths:
-          - /test
-        plugins:
-        - name: request-termination
-          config:
-            status_code: 200
-            message: "dbless-config"
diff --git a/helm/infrastructure/subcharts/kong/ci/dbless-no-kic-values.yaml b/helm/infrastructure/subcharts/kong/ci/dbless-no-kic-values.yaml
deleted file mode 100755 (executable)
index 04eaee7..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-################################################################################
-#   Copyright (c) 2019 AT&T Intellectual Property.                             #
-#                                                                              #
-#   Licensed under the Apache License, Version 2.0 (the "License");            #
-#   you may not use this file except in compliance with the License.           #
-#   You may obtain a copy of the License at                                    #
-#                                                                              #
-#       http://www.apache.org/licenses/LICENSE-2.0                             #
-#                                                                              #
-#   Unless required by applicable law or agreed to in writing, software        #
-#   distributed under the License is distributed on an "AS IS" BASIS,          #
-#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-#   See the License for the specific language governing permissions and        #
-#   limitations under the License.                                             #
-################################################################################
-
-# CI test for testing dbless deployment
-env:
-  database: "off"
-postgresql:
-  enabled: false
diff --git a/helm/infrastructure/subcharts/kong/ci/dbless-values.yaml b/helm/infrastructure/subcharts/kong/ci/dbless-values.yaml
deleted file mode 100755 (executable)
index f9fe62a..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-################################################################################
-#   Copyright (c) 2019 AT&T Intellectual Property.                             #
-#                                                                              #
-#   Licensed under the Apache License, Version 2.0 (the "License");            #
-#   you may not use this file except in compliance with the License.           #
-#   You may obtain a copy of the License at                                    #
-#                                                                              #
-#       http://www.apache.org/licenses/LICENSE-2.0                             #
-#                                                                              #
-#   Unless required by applicable law or agreed to in writing, software        #
-#   distributed under the License is distributed on an "AS IS" BASIS,          #
-#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-#   See the License for the specific language governing permissions and        #
-#   limitations under the License.                                             #
-################################################################################
-
-# CI test for testing dbless deployment
-
-podDisruptionBudget:
-  enabled: true
-
-ingressController:
-  enabled: true
-  podDisruptionBudget:
-    enabled: true
-env:
-  database: "off"
-postgresql:
-  enabled: false
index b24106b..fe8b694 100755 (executable)
@@ -1,444 +1,3 @@
-################################################################################
-#   Copyright (c) 2019 AT&T Intellectual Property.                             #
-#                                                                              #
-#   Licensed under the Apache License, Version 2.0 (the "License");            #
-#   you may not use this file except in compliance with the License.           #
-#   You may obtain a copy of the License at                                    #
-#                                                                              #
-#       http://www.apache.org/licenses/LICENSE-2.0                             #
-#                                                                              #
-#   Unless required by applicable law or agreed to in writing, software        #
-#   distributed under the License is distributed on an "AS IS" BASIS,          #
-#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-#   See the License for the specific language governing permissions and        #
-#   limitations under the License.                                             #
-################################################################################
-
-# Default values for kong.
-# Declare variables to be passed into your templates.
-
-image:
-  repository: kong
-  # repository: kong-docker-kong-enterprise-edition-docker.bintray.io/kong-enterprise-edition
-  tag: 1.3
-  pullPolicy: IfNotPresent
-  ## Optionally specify an array of imagePullSecrets.
-  ## Secrets must be manually created in the namespace.
-  ## If using the official Kong Enterprise registry above, you MUST provide a secret.
-  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-  ##
-  # pullSecrets:
-  #   - myRegistrKeySecretName
-
-waitImage:
-  repository: busybox
-  tag: latest
-
-# Specify Kong admin and proxy services configurations
-admin:
-  # If you want to specify annotations for the admin service, uncomment the following
-  # line, add additional or adjust as needed, and remove the curly braces after 'annotations:'.
-  annotations: {}
-  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
-
-  # HTTPS traffic on the admin port
-  # if set to false also set readinessProbe and livenessProbe httpGet scheme's to 'HTTP'
-  useTLS: true
-  servicePort: 8444
-  containerPort: 8444
-  # Kong admin service type
-  type: NodePort
-  # Set a nodePort which is available
-  # nodePort: 32444
-  # Kong admin ingress settings.
-  ingress:
-    # Enable/disable exposure using ingress.
-    enabled: false
-    # TLS secret name.
-    # tls: kong-admin.example.com-tls
-    # Array of ingress hosts.
-    hosts: []
-    # Map of ingress annotations.
-    annotations: {}
-    # Ingress path.
-    path: /
-
+# install chart with default values
 proxy:
-  # If you want to specify annotations for the proxy service, uncomment the following
-  # line, add additional or adjust as needed, and remove the curly braces after 'annotations:'.
-  annotations: {}
-  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
-
-  # HTTP plain-text traffic
-  http:
-    enabled: true
-    servicePort: 80
-    containerPort: 8000
-    # Set a nodePort which is available if service type is NodePort
-    # nodePort: 32080
-
-  tls:
-    enabled: true
-    servicePort: 443
-    containerPort: 8443
-    # Set a nodePort which is available if service type is NodePort
-    # nodePort: 32443
-
-  type: NodePort
-
-  # Kong proxy ingress settings.
-  ingress:
-    # Enable/disable exposure using ingress.
-    enabled: false
-    # TLS secret name.
-    # tls: kong-proxy.example.com-tls
-    # Array of ingress hosts.
-    hosts: []
-    # Map of ingress annotations.
-    annotations: {}
-    # Ingress path.
-    path: /
-
-  externalIPs: []
-
-manager:
-  # If you want to specify annotations for the Manager service, uncomment the following
-  # line, add additional or adjust as needed, and remove the curly braces after 'annotations:'.
-  annotations: {}
-  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
-
-  # HTTP plain-text traffic
-  http:
-    enabled: true
-    servicePort: 8002
-    containerPort: 8002
-    # Set a nodePort which is available if service type is NodePort
-    # nodePort: 32080
-
-  tls:
-    enabled: true
-    servicePort: 8445
-    containerPort: 8445
-    # Set a nodePort which is available if service type is NodePort
-    # nodePort: 32443
-
-  type: NodePort
-
-  # Kong proxy ingress settings.
-  ingress:
-    # Enable/disable exposure using ingress.
-    enabled: false
-    # TLS secret name.
-    # tls: kong-proxy.example.com-tls
-    # Array of ingress hosts.
-    hosts: []
-    # Map of ingress annotations.
-    annotations: {}
-    # Ingress path.
-    path: /
-
-  externalIPs: []
-
-portal:
-  # If you want to specify annotations for the Portal service, uncomment the following
-  # line, add additional or adjust as needed, and remove the curly braces after 'annotations:'.
-  annotations: {}
-  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
-
-  # HTTP plain-text traffic
-  http:
-    enabled: true
-    servicePort: 8003
-    containerPort: 8003
-    # Set a nodePort which is available if service type is NodePort
-    # nodePort: 32080
-
-  tls:
-    enabled: true
-    servicePort: 8446
-    containerPort: 8446
-    # Set a nodePort which is available if service type is NodePort
-    # nodePort: 32443
-
-  type: NodePort
-
-  # Kong proxy ingress settings.
-  ingress:
-    # Enable/disable exposure using ingress.
-    enabled: false
-    # TLS secret name.
-    # tls: kong-proxy.example.com-tls
-    # Array of ingress hosts.
-    hosts: []
-    # Map of ingress annotations.
-    annotations: {}
-    # Ingress path.
-    path: /
-
-  externalIPs: []
-
-portalapi:
-  # If you want to specify annotations for the Portal API service, uncomment the following
-  # line, add additional or adjust as needed, and remove the curly braces after 'annotations:'.
-  annotations: {}
-  #  service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
-
-  # HTTP plain-text traffic
-  http:
-    enabled: true
-    servicePort: 8004
-    containerPort: 8004
-    # Set a nodePort which is available if service type is NodePort
-    # nodePort: 32080
-
-  tls:
-    enabled: true
-    servicePort: 8447
-    containerPort: 8447
-    # Set a nodePort which is available if service type is NodePort
-    # nodePort: 32443
-
   type: NodePort
-
-  # Kong proxy ingress settings.
-  ingress:
-    # Enable/disable exposure using ingress.
-    enabled: false
-    # TLS secret name.
-    # tls: kong-proxy.example.com-tls
-    # Array of ingress hosts.
-    hosts: []
-    # Map of ingress annotations.
-    annotations: {}
-    # Ingress path.
-    path: /
-
-  externalIPs: []
-
-# Toggle Kong Enterprise features on or off
-# RBAC and SMTP configuration have additional options that must all be set together
-# Other settings should be added to the "env" settings below
-enterprise:
-  enabled: false
-  # Kong Enterprise license secret name
-  # This secret must contain a single 'license' key, containing your base64-encoded license data
-  # The license secret is required for all Kong Enterprise deployments
-  license_secret: you-must-create-a-kong-license-secret
-  # Session configuration secret
-  # The session conf secret is required if using RBAC or the Portal
-  vitals:
-    enabled: true
-  portal:
-    enabled: false
-    # portal_auth here sets the default authentication mechanism for the Portal
-    # FIXME This can be changed per-workspace, but must currently default to
-    # basic-auth to work around limitations with session configuration
-    portal_auth: basic-auth
-    # If the Portal is enabled and any workspace's Portal uses authentication,
-    # this Secret must contain an portal_session_conf key
-    # The key value must be a secret configuration, following the example at https://docs.konghq.com/enterprise/0.35-x/kong-manager/authentication/sessions/
-    session_conf_secret: you-must-create-a-portal-session-conf-secret
-  rbac:
-    enabled: false
-    admin_gui_auth: basic-auth
-    # If RBAC is enabled, this Secret must contain an admin_gui_session_conf key
-    # The key value must be a secret configuration, following the example at https://docs.konghq.com/enterprise/0.35-x/kong-manager/authentication/sessions/
-    session_conf_secret: you-must-create-an-rbac-session-conf-secret
-    # Set to the appropriate plugin config JSON if not using basic-auth
-    admin_gui_auth_conf: {}
-  smtp:
-    enabled: false
-    portal_emails_from: none@example.com
-    portal_emails_reply_to: none@example.com
-    admin_emails_from: none@example.com
-    admin_emails_reply_to: none@example.com
-    smtp_admin_emails: none@example.com
-    smtp_host: smtp.example.com
-    smtp_port: 587
-    smtp_starttls: true
-    auth:
-      # If your SMTP server does not require authentication, this section can
-      # be left as-is. If smtp_username is set to anything other than an empty
-      # string, you must create a Secret with an smtp_password key containing
-      # your SMTP password and specify its name here.
-      smtp_username: ''  # e.g. postmaster@example.com
-      smtp_password_secret: you-must-create-an-smtp-password
-
-# Set runMigrations to run Kong migrations
-runMigrations: true
-
-# update strategy
-updateStrategy: {}
-  # type: RollingUpdate
-  # rollingUpdate:
-  #   maxSurge: "100%"
-  #   maxUnavailable: "0%"
-
-# Specify Kong configurations
-# Kong configurations guide https://getkong.org/docs/latest/configuration/
-# Values here take precedence over values from other sections of values.yaml,
-# e.g. setting pg_user here will override the value normally set when postgresql.enabled
-# is set below. In general, you should not set values here if they are set elsewhere.
-env:
-  database: postgres
-  proxy_access_log: /dev/stdout
-  admin_access_log: /dev/stdout
-  admin_gui_access_log: /dev/stdout
-  portal_api_access_log: /dev/stdout
-  proxy_error_log: /dev/stderr
-  admin_error_log: /dev/stderr
-  admin_gui_error_log: /dev/stderr
-  portal_api_error_log: /dev/stderr
-
-# If you want to specify resources, uncomment the following
-# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-resources: {}
-  # limits:
-  #  cpu: 100m
-  #  memory: 128Mi
-  # requests:
-  #  cpu: 100m
-  #  memory: 128Mi
-
-# readinessProbe for Kong pods
-# If using Kong Enterprise with RBAC, you must add a Kong-Admin-Token header
-readinessProbe:
-  httpGet:
-    path: "/status"
-    port: admin
-    scheme: HTTPS
-  initialDelaySeconds: 30
-  timeoutSeconds: 1
-  periodSeconds: 10
-  successThreshold: 1
-  failureThreshold: 5
-
-# livenessProbe for Kong pods
-# If using Kong Enterprise with RBAC, you must add a Kong-Admin-Token header
-livenessProbe:
-  httpGet:
-    path: "/status"
-    port: admin
-    scheme: HTTPS
-  initialDelaySeconds: 30
-  timeoutSeconds: 5
-  periodSeconds: 30
-  successThreshold: 1
-  failureThreshold: 5
-
-# Affinity for pod assignment
-# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-# affinity: {}
-
-# Tolerations for pod assignment
-# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-tolerations: []
-
-# Node labels for pod assignment
-# Ref: https://kubernetes.io/docs/user-guide/node-selection/
-nodeSelector: {}
-
-# Annotation to be added to Kong pods
-podAnnotations: {}
-
-# Kong pod count
-replicaCount: 1
-
-# Kong Pod Disruption Budget
-podDisruptionBudget:
-  enabled: false
-  maxUnavailable: "50%"
-
-# Kong has a choice of either Postgres or Cassandra as a backend datatstore.
-# This chart allows you to choose either of them with the `database.type`
-# parameter.  Postgres is chosen by default.
-
-# Additionally, this chart allows you to use your own database or spin up a new
-# instance by using the `postgres.enabled` or `cassandra.enabled` parameters.
-# Enabling both will create both databases in your cluster, but only one
-# will be used by Kong based on the `env.database` parameter.
-# Postgres is enabled by default.
-
-# Cassandra chart configs
-cassandra:
-  enabled: false
-
-# PostgreSQL chart configs
-postgresql:
-  enabled: true
-  postgresqlUsername: kong
-  postgresqlDatabase: kong
-  service:
-    port: 5432
-
-# Kong Ingress Controller's primary purpose is to satisfy Ingress resources
-# created in k8s.  It uses CRDs for more fine grained control over routing and
-# for Kong specific configuration.
-ingressController:
-  enabled: false
-  image:
-    repository: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller
-    tag: 0.5.0
-  replicaCount: 1
-  livenessProbe:
-    failureThreshold: 3
-    httpGet:
-      path: "/healthz"
-      port: 10254
-      scheme: HTTP
-    initialDelaySeconds: 30
-    periodSeconds: 10
-    successThreshold: 1
-    timeoutSeconds: 5
-  readinessProbe:
-    failureThreshold: 3
-    httpGet:
-      path: "/healthz"
-      port: 10254
-      scheme: HTTP
-      initialDelaySeconds: 30
-    periodSeconds: 10
-    successThreshold: 1
-    timeoutSeconds: 5
-
-  installCRDs: true
-
-  rbac:
-    # Specifies whether RBAC resources should be created
-    create: true
-
-  serviceAccount:
-    # Specifies whether a ServiceAccount should be created
-    create: true
-    # The name of the ServiceAccount to use.
-    # If not set and create is true, a name is generated using the fullname template
-    name:
-
-  ingressClass: kong
-
-  podDisruptionBudget:
-    enabled: false
-    maxUnavailable: "50%"
-
-# We pass the dbless (declarative) config over here.
-dblessConfig:
-  # Either Kong's configuration is managed from an existing ConfigMap (with Key: kong.yml)
-  configMap: ""
-  # Or the configuration is passed in full-text below
-  config:
-    _format_version: "1.1"
-    services:
-      # Example configuration
-      # - name: example.com
-      #   url: http://example.com
-      #   routes:
-      #   - name: example
-      #     paths:
-      #     - "/example"
-
-serviceMonitor:
-  # Specifies whether ServiceMonitor for Prometheus operator should be created
-  enabled: false
-  # interval: 10s
-  # Specifies namespace, where ServiceMonitor should be installed
-  # namespace: monitoring
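Review bot: The only override the new body keeps, `proxy.type: NodePort`, is not a default value, so the comment `# install chart with default values` misdescribes what this fixture exercises; presumably the point is that the CI cluster has no LoadBalancer provider, in which case `# install chart with default values (proxy.type forced to NodePort so CI needs no LoadBalancer provider)` says so. Replacing the old verbatim copy of values.yaml with a minimal override is the right direction, since the copy silently drifted from the chart defaults. This hunk has no `diff --git` header in view, so the file path is inferred from its position between the other ci/ fixtures.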
diff --git a/helm/infrastructure/subcharts/kong/ci/ingressController-values.yaml b/helm/infrastructure/subcharts/kong/ci/ingressController-values.yaml
deleted file mode 100755 (executable)
index e36fed4..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# CI test for Ingress controller basic installation
-ingressController:
-  enabled: true
diff --git a/helm/infrastructure/subcharts/kong/ci/loadbalancer-values.yaml b/helm/infrastructure/subcharts/kong/ci/loadbalancer-values.yaml
deleted file mode 100755 (executable)
index 7a24b87..0000000
+++ /dev/null
@@ -1,50 +0,0 @@
-# CI test for LoadBalancer admin/proxy types
-
-admin:
-  useTLS: true
-  type: LoadBalancer
-  loadBalancerSourceRanges:
-    - 192.168.1.1/32
-    - 10.10.10.10/32
-
-proxy:
-  useTLS: true
-  type: LoadBalancer
-  loadBalancerSourceRanges:
-    - 192.168.1.1/32
-    - 10.10.10.10/32
-
-updateStrategy:
-  type: "RollingUpdate"
-  rollingUpdate:
-    maxSurge: 1
-    maxUnavailable: 0
-
-readinessProbe:
-  httpGet:
-    path: "/status"
-    port: admin
-    scheme: HTTPS
-  initialDelaySeconds: 30
-  timeoutSeconds: 1
-  periodSeconds: 10
-  successThreshold: 1
-  failureThreshold: 5
-
-livenessProbe:
-  httpGet:
-    path: "/status"
-    port: admin
-    scheme: HTTPS
-  initialDelaySeconds: 30
-  timeoutSeconds: 5
-  periodSeconds: 30
-  successThreshold: 1
-  failureThreshold: 5
-
-postgresql:
-  enabled: true
-  postgresUser: kong
-  postgresDatabase: kong
-  service:
-    port: 5432
diff --git a/helm/infrastructure/subcharts/kong/ci/test1-values.yaml b/helm/infrastructure/subcharts/kong/ci/test1-values.yaml
new file mode 100755 (executable)
index 0000000..c77ae44
--- /dev/null
@@ -0,0 +1,28 @@
+# This tests the following unrealted aspects of Ingress Controller
+# - ingressController deploys without a database (default)
+ingressController:
+  enabled: true
+# - webhook is enabled and deploys
+  admissionWebhook:
+    enabled: true
+# - environment variables can be injected into ingress controller container
+  env:
+    kong_admin_header: "foo:bar"
+# - podSecurityPolicies are enabled
+podSecurityPolicy:
+  enabled: true
+# - ingress resources are created with hosts
+admin:
+  type: NodePort
+  ingress:
+    enabled: true
+    hosts: ["test.com", "test2.com"]
+    annotations: {}
+    path: /
+proxy:
+  type: NodePort
+  ingress:
+    enabled: true
+    hosts: ["test.com", "test2.com"]
+    annotations: {}
+    path: /
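Review bot: The admin and proxy ingress fixtures use `test.com` and `test2.com`, which are real registered domains; test data should use names reserved for the purpose, e.g. `hosts: ["kong.example.com", "kong2.example.com"]`, so a misapplied values file never addresses a third party's host. The enumerating comments at column 0 inside the `ingressController` mapping (`# - webhook is enabled and deploys`, `# - environment variables can be injected ...`) parse fine but trip yamllint's comments-indentation rule and read as if they closed the mapping; indent them two spaces to sit with the keys they describe. "unrealted" in the first line is a typo for "unrelated" (also in test2-values.yaml). Enabling `admin.ingress` publishes the Admin API through the ingress controller, which is fine for a CI fixture but worth stating in the header comment so the file is not reused as a deployment template.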
diff --git a/helm/infrastructure/subcharts/kong/ci/test2-values.yaml b/helm/infrastructure/subcharts/kong/ci/test2-values.yaml
new file mode 100755 (executable)
index 0000000..735588d
--- /dev/null
@@ -0,0 +1,37 @@
+# This tests the following unrealted aspects of Ingress Controller
+# - ingressController deploys with a database
+ingressController:
+  enabled: true
+postgresql:
+  enabled: true
+  postgresqlUsername: kong
+  postgresqlDatabase: kong
+  service:
+    port: 5432
+env:
+  database: "postgres"
+# - ingress resources are created without hosts
+admin:
+  type: NodePort
+  ingress:
+    enabled: true
+    hosts: []
+    path: /
+proxy:
+  type: NodePort
+  ingress:
+    enabled: true
+    hosts: []
+    annotations: {}
+    path: /
+  useTLS: true
+
+# - PDB is enabled
+podDisruptionBudget:
+  enabled: true
+# update strategy
+updateStrategy:
+  type: "RollingUpdate"
+  rollingUpdate:
+    maxSurge: 1
+    maxUnavailable: 0
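Review bot: `admin.ingress` omits the `annotations: {}` key that `proxy.ingress` sets a few lines later; the chart defaults most likely supply it on merge, but the two blocks are meant to be read side by side and the asymmetry looks accidental, so add `    annotations: {}` under `admin.ingress` or drop it from `proxy.ingress`. `useTLS: true` under `proxy` was an admin-only key in the previous defaults, where the proxy used `tls.enabled`; unless the 1.4 templates read `proxy.useTLS`, it is a dead key and should be removed. A host-less ingress rule with `enabled: true` matches every hostname the controller serves, so this fixture exposes the Admin API on all hosts; a one-line comment such as `# CI only: admin API reachable on every ingress host` would keep it from being copied into a real values file. "unrealted" is a typo for "unrelated".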
diff --git a/helm/infrastructure/subcharts/kong/ci/test3-values.yaml b/helm/infrastructure/subcharts/kong/ci/test3-values.yaml
new file mode 100755 (executable)
index 0000000..3b4f58e
--- /dev/null
@@ -0,0 +1,28 @@
+# CI test for testing dbless deployment without ingress controllers
+# - disable ingress controller
+ingressController:
+  enabled: false
+# - disable DB for kong
+env:
+  database: "off"
+postgresql:
+  enabled: false
+# - supply DBless config for kong
+dblessConfig:
+  # Or the configuration is passed in full-text below
+  config:
+    _format_version: "1.1"
+    services:
+      - name: test-svc
+        url: http://example.com
+        routes:
+        - name: test
+          paths:
+          - /test
+        plugins:
+        - name: request-termination
+          config:
+            status_code: 200
+            message: "dbless-config"
+proxy:
+  type: NodePort
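Review bot: The comment `# Or the configuration is passed in full-text below` is lifted from values.yaml, where it followed the `configMap:` alternative; here nothing precedes it, so the "Or" dangles. Replace it with `# Inline declarative config (dblessConfig.configMap is left at its chart default)`. The trailing `proxy.type: NodePort` is the only key without an explanatory bullet; `# - expose proxy as NodePort for the CI cluster` would match the file's style.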
index ef0c8eb..98315ed 100755 (executable)
@@ -1,25 +1,5 @@
-################################################################################
-#   Copyright (c) 2019 AT&T Intellectual Property.                             #
-#                                                                              #
-#   Licensed under the Apache License, Version 2.0 (the "License");            #
-#   you may not use this file except in compliance with the License.           #
-#   You may obtain a copy of the License at                                    #
-#                                                                              #
-#       http://www.apache.org/licenses/LICENSE-2.0                             #
-#                                                                              #
-#   Unless required by applicable law or agreed to in writing, software        #
-#   distributed under the License is distributed on an "AS IS" BASIS,          #
-#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-#   See the License for the specific language governing permissions and        #
-#   limitations under the License.                                             #
-################################################################################
-
 dependencies:
 - name: postgresql
-  version: ~3.9.1
+  version: ~8.1.0
   repository: https://kubernetes-charts.storage.googleapis.com/
   condition: postgresql.enabled
-- name: cassandra
-  version: ~0.10.5
-  repository: https://kubernetes-charts-incubator.storage.googleapis.com/
-  condition: cassandra.enabled
index 7724fdc..d7ee3f3 100755 (executable)
@@ -1,81 +1,16 @@
-1. Kong Admin can be accessed inside the cluster using:
-     DNS={{ template "kong.fullname" . }}-admin.{{ .Release.Namespace }}.svc.cluster.local
-     PORT={{ .Values.admin.servicePort }}
+To connect to Kong, please execute the following command
 
-To connect from outside the K8s cluster:
-   {{- if contains "LoadBalancer" .Values.admin.type }}
-     HOST=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fullname" . }}-admin -o jsonpath='{.status.loadBalancer.ingress.ip}')
-     PORT=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fullname" . }}-admin -o jsonpath='{.spec.ports[0].nodePort}')
 
-   {{- else if contains "NodePort" .Values.admin.type }}
-     HOST=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath='{.items[0].status.addresses[0].address}')
-     PORT=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fullname" . }}-admin -o jsonpath='{.spec.ports[0].nodePort}')
+{{- if contains "LoadBalancer" .Values.proxy.type }}
+  HOST=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  PORT=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.spec.ports[0].port}')
+{{- else if contains "NodePort" .Values.proxy.type -}}
+  HOST=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath='{.items[0].status.addresses[0].address}')
+  PORT=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.spec.ports[0].nodePort}')
+{{- end -}}
+export PROXY_IP=${HOST}:${PORT}
+curl $PROXY_IP
 
-   {{- else if .Values.admin.ingress.enabled  }}
+Once installed, please follow along the getting started guide to start using Kong:
+https://bit.ly/k4k8s-get-started
 
-use one of the addresses listed below
-
-     {{- $path := .Values.admin.ingress.path -}}
-     {{- if .Values.admin.ingress.tls }}
-       {{- range .Values.admin.ingress.hosts }}
-         https://{{ . }}{{ $path }}
-       {{- end }}
-     {{- else }}
-       {{- range .Values.admin.ingress.hosts }}
-         http://{{ . }}{{ $path }}
-       {{- end }}
-     {{- end }}
-
-   {{- else if contains "ClusterIP" .Values.admin.type }}
-     HOST=127.0.0.1
-
-     # Execute the following commands to route the connection to Admin SSL port:
-     export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "release={{ .Release.Name }}, app={{ template "kong.name" . }}" -o jsonpath="{.items[0].metadata.name}")
-     kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME {{ .Values.admin.servicePort }}:{{ .Values.admin.servicePort }}
-   {{- end }}
-
-
-2. Kong Proxy can be accessed inside the cluster using:
-     DNS={{ template "kong.fullname" . }}-proxy.{{ .Release.Namespace }}.svc.cluster.local
-     {{- if .Values.proxy.tls.enabled -}}
-        PORT={{ .Values.proxy.tls.servicePort }}
-     {{- else -}}
-        PORT={{ .Values.proxy.http.servicePort }}
-     {{- end -}}
-
-
-To connect from outside the K8s cluster:
-   {{- if contains "LoadBalancer" .Values.proxy.type }}
-     HOST=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.status.loadBalancer.ingress.ip}')
-     PORT=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.spec.ports[0].nodePort}')
-
-   {{- else if contains "NodePort" .Values.proxy.type }}
-     HOST=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath='{.items[0].status.addresses[0].address}')
-     PORT=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.spec.ports[0].nodePort}')
-
-   {{- else if .Values.proxy.ingress.enabled  }}
-
-use one of the addresses listed below
-
-     {{- $path := .Values.proxy.ingress.path -}}
-     {{- if .Values.proxy.ingress.tls }}
-       {{- range .Values.proxy.ingress.hosts }}
-         https://{{ . }}{{ $path }}
-       {{- end }}
-     {{- else }}
-       {{- range .Values.proxy.ingress.hosts }}
-         http://{{ . }}{{ $path }}
-       {{- end }}
-     {{- end }}
-
-   {{- else if contains "ClusterIP" .Values.proxy.type }}
-     HOST=127.0.0.1
-
-     # Execute the following commands to route the connection to proxy SSL port:
-     export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "release={{ .Release.Name }}, app={{ template "kong.name" . }}" -o jsonpath="{.items[0].metadata.name}")
-     {{- if .Values.proxy.tls.enabled -}}
-        kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME {{ .Values.proxy.tls.servicePort }}:{{ .Values.proxy.tls.servicePort }}
-     {{- else -}}
-        kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME {{ .Values.proxy.http.servicePort }}:{{ .Values.proxy.http.servicePort }}
-     {{- end -}}
-   {{- end }}
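Review bot: `{{- end -}}` after the NodePort `PORT=` assignment trims the newline on both sides, so in every rendered branch `export PROXY_IP=${HOST}:${PORT}` is glued onto the end of the preceding `PORT=$(...)` line and the pasted snippet no longer runs; use `{{- end }}` there. The `-}}` on `{{- else if contains "NodePort" .Values.proxy.type -}}` likewise eats the indentation before the NodePort `HOST=` line, leaving HOST flush and PORT indented. When `proxy.type` is ClusterIP neither branch runs, yet the export and `curl $PROXY_IP` lines are still printed with empty variables; the removed notes had a port-forward branch for that case, and a short `{{- else }}` fallback pointing at `kubectl port-forward` would restore it.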
index 0a39678..853b83f 100755 (executable)
@@ -13,13 +13,26 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
-{{- define "kong.postgresql.fullname" -}}
-{{- $name := default "postgresql" .Values.postgresql.nameOverride -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- define "kong.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kong.metaLabels" -}}
+app.kubernetes.io/name: {{ template "kong.name" . }}
+helm.sh/chart: {{ template "kong.chart" . }}
+app.kubernetes.io/instance: "{{ .Release.Name }}"
+app.kubernetes.io/managed-by: "{{ .Release.Service }}"
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end -}}
+
+{{- define "kong.selectorLabels" -}}
+app.kubernetes.io/name: {{ template "kong.name" . }}
+app.kubernetes.io/component: app
+app.kubernetes.io/instance: "{{ .Release.Name }}"
 {{- end -}}
 
-{{- define "kong.cassandra.fullname" -}}
-{{- $name := default "cassandra" .Values.cassandra.nameOverride -}}
+{{- define "kong.postgresql.fullname" -}}
+{{- $name := default "postgresql" .Values.postgresql.nameOverride -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
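Review bot: `kong.selectorLabels` emits `app.kubernetes.io/component: app`, which `kong.metaLabels` does not; a Deployment whose pod template carried only metaLabels would then fail to match its own selector, so every pod template must include selectorLabels as well — worth checking in the template files, which are outside this hunk. Quoting in `kong.metaLabels` is mixed: instance and managed-by are quoted, version goes through `| quote`, but `app.kubernetes.io/name` and `helm.sh/chart` are bare; `helm.sh/chart: {{ include "kong.chart" . | quote }}` and `app.kubernetes.io/name: {{ include "kong.name" . | quote }}` keep all five uniform.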
@@ -35,7 +48,7 @@ Create the name of the service account to use
 {{- if .Values.ingressController.serviceAccount.create -}}
     {{ default (include "kong.fullname" .) .Values.ingressController.serviceAccount.name }}
 {{- else -}}
-    {{ default "default" .Values.serviceAccount.name }}
+    {{ default "default" .Values.ingressController.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 
@@ -123,6 +136,28 @@ Create the ingress servicePort value string
 {{- end -}}
 {{- end -}}
 
+{{/*
+Generate an appropriate external URL from a Kong service's ingress configuration
+Strips trailing slashes from the path. Manager at least does not handle these
+intelligently and will append its own slash regardless, and the admin API cannot handle
+the extra slash.
+*/}}
+
+{{- define "kong.ingress.serviceUrl" -}}
+{{- if .tls -}}
+    https://{{ .hostname }}{{ .path | trimSuffix "/" }}
+{{- else -}}
+    http://{{ .hostname }}{{ .path | trimSuffix "/" }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+The name of the service used for the ingress controller's validation webhook
+*/}}
+
+{{- define "kong.service.validationWebhook" -}}
+{{ include "kong.fullname" . }}-validation-webhook
+{{- end -}}
 
 {{- define "kong.env" -}}
 {{- range $key, $val := .Values.env }}
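Review bot: `kong.service.validationWebhook` appends `-validation-webhook` (19 characters) to `kong.fullname`, which is itself truncated to 63, so a long release name yields a Service name of up to 82 characters and fails the 63-character DNS label limit; `{{ include "kong.fullname" . | trunc 44 | trimSuffix "-" }}-validation-webhook` keeps it within bounds. The same pattern recurs in the next hunk for the `-validation-webhook-keypair` and `-default-custom-server-blocks` names. In `kong.ingress.serviceUrl`, `trimSuffix "/"` on `.path` is likely to error at render time if a caller passes a dict without `path`; `{{ .path | default "" | trimSuffix "/" }}` tolerates that, assuming callers may omit it.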
@@ -136,6 +171,95 @@ Create the ingress servicePort value string
 {{- end -}}
 {{- end -}}
 
+{{- define "kong.ingressController.env" -}}
+{{- range $key, $val := .Values.ingressController.env }}
+- name: CONTROLLER_{{ $key | upper}}
+{{- $valueType := printf "%T" $val -}}
+{{ if eq $valueType "map[string]interface {}" }}
+{{ toYaml $val | indent 2 -}}
+{{- else }}
+  value: {{ $val | quote -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kong.volumes" -}}
+- name: {{ template "kong.fullname" . }}-prefix-dir
+  emptyDir: {}
+- name: {{ template "kong.fullname" . }}-tmp
+  emptyDir: {}
+{{- range .Values.plugins.configMaps }}
+- name: kong-plugin-{{ .pluginName }}
+  configMap:
+    name: {{ .name }}
+{{- end }}
+{{- range .Values.plugins.secrets }}
+- name: kong-plugin-{{ .pluginName }}
+  secret:
+    secretName: {{ .name }}
+{{- end }}
+- name: custom-nginx-template-volume
+  configMap:
+    name: {{ template "kong.fullname" . }}-default-custom-server-blocks
+{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+- name: kong-custom-dbless-config-volume
+  configMap:
+    {{- if .Values.dblessConfig.configMap }}
+    name: {{ .Values.dblessConfig.configMap }}
+    {{- else }}
+    name: {{ template "kong.dblessConfig.fullname" . }}
+    {{- end }}
+{{- end }}
+{{- if .Values.ingressController.admissionWebhook.enabled }}
+- name: webhook-cert
+  secret:
+    secretName: {{ template "kong.fullname" . }}-validation-webhook-keypair
+{{- end }}
+{{- range $secretVolume := .Values.secretVolumes }}
+- name: {{ . }}
+  secret:
+    secretName: {{ . }}
+{{- end }}
+{{- end -}}
+
+{{- define "kong.volumeMounts" -}}
+- name: {{ template "kong.fullname" . }}-prefix-dir
+  mountPath: /kong_prefix/
+- name: {{ template "kong.fullname" . }}-tmp
+  mountPath: /tmp
+- name: custom-nginx-template-volume
+  mountPath: /kong
+{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+- name: kong-custom-dbless-config-volume
+  mountPath: /kong_dbless/
+{{- end }}
+{{- range .Values.secretVolumes }}
+- name:  {{ . }}
+  mountPath: /etc/secrets/{{ . }}
+{{- end }}
+{{- range .Values.plugins.configMaps }}
+- name:  kong-plugin-{{ .pluginName }}
+  mountPath: /opt/kong/plugins/{{ .pluginName }}
+  readOnly: true
+{{- end }}
+{{- range .Values.plugins.secrets }}
+- name:  kong-plugin-{{ .pluginName }}
+  mountPath: /opt/kong/plugins/{{ .pluginName }}
+  readOnly: true
+{{- end }}
+{{- end -}}
+
+{{- define "kong.plugins" -}}
+{{ $myList := list "bundled" }}
+{{- range .Values.plugins.configMaps -}}
+{{- $myList = append $myList .pluginName -}}
+{{- end -}}
+{{- range .Values.plugins.secrets -}}
+  {{ $myList = append $myList .pluginName -}}
+{{- end }}
+{{- $myList | join "," -}}
+{{- end -}}
+
 {{- define "kong.wait-for-db" -}}
 - name: wait-for-db
   image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
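Review bot: The `/etc/secrets/{{ . }}` mounts in `kong.volumeMounts` are writable, while the plugin mounts right below them and the webhook-cert mount in a later hunk carry `readOnly: true`; a secret volume the container only reads should be mounted the same way, so add `readOnly: true` after the `mountPath: /etc/secrets/{{ . }}` line. In `kong.volumes` the `range $secretVolume := .Values.secretVolumes` binds a variable the body never uses (it reads `.`), so either use `$secretVolume` or drop the binding to match the `range .Values.secretVolumes` form used in `kong.volumeMounts`. The `name:  {{ . }}` and `name:  kong-plugin-…` lines also carry a double space after the colon, harmless to YAML but inconsistent with the rest of the file.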
@@ -155,12 +279,14 @@ Create the ingress servicePort value string
         name: {{ template "kong.postgresql.fullname" . }}
         key: postgresql-password
   {{- end }}
-  {{- if .Values.cassandra.enabled }}
-  - name: KONG_CASSANDRA_CONTACT_POINTS
-    value: {{ template "kong.cassandra.fullname" . }}
-  {{- end }}
+  - name: KONG_LUA_PACKAGE_PATH
+    value: "/opt/?.lua;;"
+  - name: KONG_PLUGINS
+    value: {{ template "kong.plugins" . }}
   {{- include "kong.env" .  | nindent 2 }}
   command: [ "/bin/sh", "-c", "until kong start; do echo 'waiting for db'; sleep 1; done; kong stop" ]
+  volumeMounts:
+  {{- include "kong.volumeMounts" . | nindent 4 }}
 {{- end -}}
 
 {{- define "kong.controller-container" -}}
@@ -179,6 +305,9 @@ Create the ingress servicePort value string
   {{- else }}
   - --kong-url=http://localhost:{{ .Values.admin.containerPort }}
   {{- end }}
+  {{- if .Values.ingressController.admissionWebhook.enabled }}
+  - --admission-webhook-listen=0.0.0.0:{{ .Values.ingressController.admissionWebhook.port }}
+  {{- end }}
   env:
   - name: POD_NAME
     valueFrom:
@@ -190,29 +319,21 @@ Create the ingress servicePort value string
       fieldRef:
         apiVersion: v1
         fieldPath: metadata.namespace
+{{- include "kong.ingressController.env" .  | indent 2 }}
   image: "{{ .Values.ingressController.image.repository }}:{{ .Values.ingressController.image.tag }}"
   imagePullPolicy: {{ .Values.image.pullPolicy }}
-  livenessProbe:
-    failureThreshold: 3
-    httpGet:
-      path: /healthz
-      port: 10254
-      scheme: HTTP
-    initialDelaySeconds: 30
-    periodSeconds: 10
-    successThreshold: 1
-    timeoutSeconds: 1
   readinessProbe:
-    failureThreshold: 3
-    httpGet:
-      path: /healthz
-      port: 10254
-      scheme: HTTP
-    periodSeconds: 10
-    successThreshold: 1
-    timeoutSeconds: 1
+{{ toYaml .Values.ingressController.readinessProbe | indent 4 }}
+  livenessProbe:
+{{ toYaml .Values.ingressController.livenessProbe | indent 4 }}
   resources:
-{{ toYaml .Values.ingressController.resources | indent 10 }}
+{{ toYaml .Values.ingressController.resources | indent 4 }}
+{{- if .Values.ingressController.admissionWebhook.enabled }}
+  volumeMounts:
+  - name: webhook-cert
+    mountPath: /admission-webhook
+    readOnly: true
+{{- end }}
 {{- end -}}
 
 {{/*
@@ -225,3 +346,164 @@ Retrieve Kong Enterprise license from a secret and make it available in env vars
       name: {{ .Values.enterprise.license_secret }}
       key: license
 {{- end -}}
+
+{{/*
+Use the Pod security context defined in Values or set the UID by default
+*/}}
+{{- define "kong.podsecuritycontext" -}}
+{{ .Values.securityContext | toYaml }}
+{{- end -}}
+
+{{/*
+The environment values passed to Kong; this should come after all
+the template that it itself is using form the above sections.
+*/}}
+{{- define "kong.final_env" -}}
+- name: KONG_LUA_PACKAGE_PATH
+  value: "/opt/?.lua;;"
+{{- if not .Values.env.admin_listen }}
+{{- if .Values.admin.useTLS }}
+- name: KONG_ADMIN_LISTEN
+  value: "0.0.0.0:{{ .Values.admin.containerPort }} ssl"
+{{- else }}
+- name: KONG_ADMIN_LISTEN
+  value: 0.0.0.0:{{ .Values.admin.containerPort }}
+{{- end }}
+{{- end }}
+{{- if .Values.admin.ingress.enabled }}
+- name: KONG_ADMIN_API_URI
+  value: {{ include "kong.ingress.serviceUrl" .Values.admin.ingress }}
+{{- end }}
+{{- if not .Values.env.proxy_listen }}
+- name: KONG_PROXY_LISTEN
+  value: {{ template "kong.kongProxyListenValue" . }}
+{{- end }}
+{{- if and (not .Values.env.admin_gui_listen) (.Values.enterprise.enabled) }}
+- name: KONG_ADMIN_GUI_LISTEN
+  value: {{ template "kong.kongManagerListenValue" . }}
+{{- end }}
+{{- if and (.Values.manager.ingress.enabled) (.Values.enterprise.enabled) }}
+- name: KONG_ADMIN_GUI_URL
+  value: {{ include "kong.ingress.serviceUrl" .Values.manager.ingress }}
+{{- end }}
+{{- if and (not .Values.env.portal_gui_listen) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
+- name: KONG_PORTAL_GUI_LISTEN
+  value: {{ template "kong.kongPortalListenValue" . }}
+{{- end }}
+{{- if and (.Values.portal.ingress.enabled) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
+- name: KONG_PORTAL_GUI_HOST
+  value: {{ .Values.portal.ingress.hostname }}
+{{- if .Values.portal.ingress.tls }}
+- name: KONG_PORTAL_GUI_PROTOCOL
+  value: https
+{{- else }}
+- name: KONG_PORTAL_GUI_PROTOCOL
+  value: http
+{{- end }}
+{{- end }}
+{{- if and (not .Values.env.portal_api_listen) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
+- name: KONG_PORTAL_API_LISTEN
+  value: {{ template "kong.kongPortalApiListenValue" . }}
+{{- end }}
+{{- if and (.Values.portalapi.ingress.enabled) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
+- name: KONG_PORTAL_API_URL
+  value: {{ include "kong.ingress.serviceUrl" .Values.portalapi.ingress }}
+{{- end }}
+- name: KONG_NGINX_DAEMON
+  value: "off"
+{{- if .Values.enterprise.enabled }}
+{{- if not .Values.enterprise.vitals.enabled }}
+- name: KONG_VITALS
+  value: "off"
+{{- end }}
+{{- if .Values.enterprise.portal.enabled }}
+- name: KONG_PORTAL
+  value: "on"
+{{- if .Values.enterprise.portal.portal_auth }}
+- name: KONG_PORTAL_AUTH
+  value: {{ .Values.enterprise.portal.portal_auth }}
+- name: KONG_PORTAL_SESSION_CONF
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.enterprise.portal.session_conf_secret }}
+      key: portal_session_conf
+{{- end }}
+{{- end }}
+{{- if .Values.enterprise.rbac.enabled }}
+- name: KONG_ENFORCE_RBAC
+  value: "on"
+- name: KONG_ADMIN_GUI_AUTH
+  value: {{ .Values.enterprise.rbac.admin_gui_auth | default "basic-auth" }}
+{{- if not (eq .Values.enterprise.rbac.admin_gui_auth "basic-auth") }}
+- name: KONG_ADMIN_GUI_AUTH_CONF
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.enterprise.rbac.admin_gui_auth_conf_secret }}
+      key: admin_gui_auth_conf
+{{- end }}
+- name: KONG_ADMIN_GUI_SESSION_CONF
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.enterprise.rbac.session_conf_secret }}
+      key: admin_gui_session_conf
+{{- end }}
+{{- if .Values.enterprise.smtp.enabled }}
+- name: KONG_PORTAL_EMAILS_FROM
+  value: {{ .Values.enterprise.smtp.portal_emails_from }}
+- name: KONG_PORTAL_EMAILS_REPLY_TO
+  value: {{ .Values.enterprise.smtp.portal_emails_reply_to }}
+- name: KONG_ADMIN_EMAILS_FROM
+  value: {{ .Values.enterprise.smtp.admin_emails_from }}
+- name: KONG_ADMIN_EMAILS_REPLY_TO
+  value: {{ .Values.enterprise.smtp.admin_emails_reply_to }}
+- name: KONG_SMTP_HOST
+  value: {{ .Values.enterprise.smtp.smtp_host }}
+- name: KONG_SMTP_PORT
+  value: {{ .Values.enterprise.smtp.smtp_port | quote }}
+- name: KONG_SMTP_STARTTLS
+  value: {{ .Values.enterprise.smtp.smtp_starttls | quote }}
+{{- if .Values.enterprise.smtp.auth.smtp_username }}
+- name: KONG_SMTP_USERNAME
+  value: {{ .Values.enterprise.smtp.auth.smtp_username }}
+- name: KONG_SMTP_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.enterprise.smtp.auth.smtp_password_secret }}
+      key: smtp_password
+{{- end }}
+{{- else }}
+- name: KONG_SMTP_MOCK
+  value: "on"
+{{- end }}
+{{ include "kong.license" . }}
+{{- end }}
+- name: KONG_NGINX_HTTP_INCLUDE
+  value: /kong/servers.conf
+{{- if .Values.postgresql.enabled }}
+- name: KONG_PG_HOST
+  value: {{ template "kong.postgresql.fullname" . }}
+- name: KONG_PG_PORT
+  value: "{{ .Values.postgresql.service.port }}"
+- name: KONG_PG_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ template "kong.postgresql.fullname" . }}
+      key: postgresql-password
+{{- end }}
+{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+- name: KONG_DECLARATIVE_CONFIG
+  value: "/kong_dbless/kong.yml"
+{{- end }}
+- name: KONG_PLUGINS
+  value: {{ template "kong.plugins" . }}
+{{- include "kong.env" . }}
+{{- end -}}
+
+{{- define "kong.wait-for-postgres" -}}
+- name: wait-for-postgres
+  image: "{{ .Values.waitImage.repository }}:{{ .Values.waitImage.tag }}"
+  imagePullPolicy: {{ .Values.waitImage.pullPolicy }}
+  env:
+  {{- include "kong.final_env" . | nindent 2 }}
+  command: [ "/bin/sh", "-c", "until nc -zv $KONG_PG_HOST $KONG_PG_PORT -w1; do echo 'waiting for db'; sleep 1; done" ]
+{{- end -}}
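Review bot: The comment above `kong.podsecuritycontext` says the template sets the UID by default, but the body only emits `{{ .Values.securityContext | toYaml }}`; with an empty `securityContext` value that renders `{}` and no UID is applied, so the comment should read `Use the Pod security context defined in Values; it is rendered as-is and no default UID is applied here`. Separately, `kong.wait-for-postgres` injects the whole `kong.final_env` list into the wait image although its command only reads `$KONG_PG_HOST` and `$KONG_PG_PORT`, which hands every secretKeyRef in that list (postgresql-password, smtp_password, the session-conf secrets) to an init container that has no use for them. If the host and port can also arrive via user-supplied `.Values.env` entries, narrowing the env is less trivial, but at minimum a comment such as `# NOTE: the full Kong env is passed only so KONG_PG_HOST/KONG_PG_PORT resolve; consider narrowing` documents the trade-off for the next maintainer.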
diff --git a/helm/infrastructure/subcharts/kong/templates/admission-webhook.yaml b/helm/infrastructure/subcharts/kong/templates/admission-webhook.yaml
new file mode 100755 (executable)
index 0000000..8e37eeb
--- /dev/null
@@ -0,0 +1,63 @@
+{{- if .Values.ingressController.admissionWebhook.enabled }}
+{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) .Release.Namespace }}
+{{- $ca := genCA "kong-admission-ca" 3650 -}}
+{{- $cert := genSignedCert $cn nil nil 3650 $ca -}}
+kind: ValidatingWebhookConfiguration
+{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
+apiVersion: admissionregistration.k8s.io/v1
+{{- else }}
+apiVersion: admissionregistration.k8s.io/v1beta1
+{{- end }}
+metadata:
+  name: {{ template "kong.fullname" . }}-validations
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+webhooks:
+- name: validations.kong.konghq.com
+  failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }}
+  sideEffects: None
+  admissionReviewVersions: ["v1beta1"]
+  rules:
+  - apiGroups:
+    - configuration.konghq.com
+    apiVersions:
+    - '*'
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - kongconsumers
+    - kongplugins
+  clientConfig:
+    caBundle: {{ b64enc $ca.Cert }}
+    service:
+      name: {{ template "kong.service.validationWebhook" . }}
+      namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kong.service.validationWebhook" . }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+spec:
+  ports:
+  - name: webhook
+    port: 443
+    protocol: TCP
+    targetPort: webhook
+  selector:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+    app.kubernetes.io/component: app
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kong.fullname" . }}-validation-webhook-keypair
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ b64enc $cert.Cert }}
+  tls.key: {{ b64enc $cert.Key }}
+{{ end }}
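Review bot: `genCA` and `genSignedCert` at the top of the file run on every template render, so each `helm upgrade` mints a fresh CA and keypair: the `caBundle` in the ValidatingWebhookConfiguration and the `tls.*` data in the Secret are replaced together, but the running controller pod keeps serving the old cert from its mounted volume until it restarts, and in that window the API server's TLS handshake to the webhook fails (with `failurePolicy` set to a fail-closed value that blocks every KongConsumer/KongPlugin create and update). If the chart targets Helm 3, a `lookup` of the existing `-validation-webhook-keypair` Secret can reuse the stored keypair when present; otherwise the README should state that the controller must be rolled after every upgrade. The 3650-day validity on both calls is also worth a one-line comment, e.g. `{{/* 10-year self-signed CA/cert; regenerated on every render, see note above */}}`, since the value is the only hint that rotation is not otherwise handled.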
index 466aa72..4f33949 100755 (executable)
@@ -3,17 +3,18 @@ kind: ConfigMap
 metadata:
   name: {{ template "kong.fullname" . }}-default-custom-server-blocks
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
 data:
   servers.conf: |
-    # Prometheus metrics server
+    # Prometheus metrics and health-checking server
     server {
         server_name kong_prometheus_exporter;
         listen 0.0.0.0:9542; # can be any other port as well
         access_log off;
+        location /status {
+            default_type text/plain;
+            return 200;
+        }
         location /metrics {
             default_type text/plain;
             content_by_lua_block {
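Review bot: The new `/status` location answers `200` unconditionally, so a probe pointed at it only proves the nginx worker is accepting connections on 9542, not that Kong's proxy or datastore is usable; that is the right granularity for liveness but should not be used as readiness. A comment on the location makes the intent explicit: `# /status: liveness only - returns 200 whenever nginx is up, does not check Kong or the datastore`. The server block listens on `0.0.0.0:9542` with `access_log off`, so `/status` joins `/metrics` as an unauthenticated path on every pod interface; that matches the pre-existing metrics exposure, but the updated header comment could say so rather than only "health-checking server".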
index 186c0fa..7a0cbc5 100755 (executable)
@@ -5,10 +5,7 @@ kind: ConfigMap
 metadata:
   name: {{ template "kong.dblessConfig.fullname" . }}
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
 data:
   kong.yml: |
 {{ .Values.dblessConfig.config | toYaml | indent 4 }}
diff --git a/helm/infrastructure/subcharts/kong/templates/controller-cluster-role.yaml b/helm/infrastructure/subcharts/kong/templates/controller-cluster-role.yaml
deleted file mode 100755 (executable)
index a555c0a..0000000
+++ /dev/null
@@ -1,76 +0,0 @@
-{{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-  name:  {{ template "kong.fullname" . }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ""
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - "networking.k8s.io"
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-        - events
-    verbs:
-        - create
-        - patch
-  - apiGroups:
-      - "networking.k8s.io"
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - "configuration.konghq.com"
-    resources:
-      - kongplugins
-      - kongcredentials
-      - kongconsumers
-      - kongingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - "networking.k8s.io"
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/templates/controller-deployment.yaml b/helm/infrastructure/subcharts/kong/templates/controller-deployment.yaml
deleted file mode 100755 (executable)
index 2bb7f08..0000000
+++ /dev/null
@@ -1,96 +0,0 @@
-{{- if (and (.Values.ingressController.enabled) (not (eq .Values.env.database "off"))) }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: "{{ template "kong.fullname" . }}-controller"
-  labels:
-    app: "{{ template "kong.name" . }}"
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-    component: "controller"
-spec:
-  replicas: {{ .Values.ingressController.replicaCount }}
-  selector:
-    matchLabels:
-      app: {{ template "kong.name" . }}
-      release: {{ .Release.Name }}
-      component: "controller"
-  template:
-    metadata:
-    {{- if .Values.podAnnotations }}
-      annotations:
-{{ toYaml .Values.podAnnotations | indent 8 }}
-    {{- end }}
-      labels:
-        app: {{ template "kong.name" . }}
-        release: {{ .Release.Name }}
-        component: "controller"
-    spec:
-      serviceAccountName: {{ template "kong.serviceAccountName" . }}
-      {{- if .Values.image.pullSecrets }}
-      imagePullSecrets:
-      {{- range .Values.image.pullSecrets }}
-        - name: {{ . }}
-      {{- end }}
-      {{- end }}
-      initContainers:
-      {{- include "kong.wait-for-db" . | nindent 6 }}
-      containers:
-      - name: admin-api
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        env:
-        - name: KONG_PROXY_LISTEN
-          value: 'off'
-        {{- if .Values.enterprise.enabled }}
-        {{- if .Values.enterprise.rbac.enabled }}
-        # TODO: uncomment this once we have a means of securely providing the
-        # controller its token using a secret.
-        #- name: KONG_ENFORCE_RBAC
-        #  value: "on"
-        {{- end }}
-        # the controller admin API should not receive requests to create admins or developers
-        # never enable SMTP on it as such
-        {{- if .Values.enterprise.smtp.enabled }}
-        - name: KONG_SMTP_MOCK
-          value: "on"
-        {{- else }}
-        - name: KONG_SMTP_MOCK
-          value: "on"
-        {{- end }}
-        {{- include "kong.license" . | nindent 8 }}
-        {{- end }}
-        {{- if .Values.admin.useTLS }}
-        - name: KONG_ADMIN_LISTEN
-          value: "0.0.0.0:{{ .Values.admin.containerPort }} ssl"
-        {{- else }}
-        - name: KONG_ADMIN_LISTEN
-          value: 0.0.0.0:{{ .Values.admin.containerPort }}
-        {{- end }}
-        {{- if .Values.postgresql.enabled }}
-        - name: KONG_PG_HOST
-          value: {{ template "kong.postgresql.fullname" . }}
-        - name: KONG_PG_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "kong.postgresql.fullname" . }}
-              key: postgresql-password
-        {{- end }}
-        {{- if .Values.cassandra.enabled }}
-        - name: KONG_CASSANDRA_CONTACT_POINTS
-          value: {{ template "kong.cassandra.fullname" . }}
-        {{- end }}
-        {{- include "kong.env" .  | indent 8 }}
-        ports:
-        - name: admin
-          containerPort: {{ .Values.admin.containerPort }}
-          protocol: TCP
-        readinessProbe:
-{{ toYaml .Values.readinessProbe | indent 10 }}
-        livenessProbe:
-{{ toYaml .Values.livenessProbe | indent 10 }}
-        resources:
-{{ toYaml .Values.resources | indent 10 }}
-      {{- include "kong.controller-container" . | nindent 6 }}
-{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/templates/controller-pdb.yaml b/helm/infrastructure/subcharts/kong/templates/controller-pdb.yaml
deleted file mode 100755 (executable)
index d032781..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if and .Values.ingressController.enabled .Values.ingressController.podDisruptionBudget.enabled }}
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
-  name: "{{ template "kong.fullname" . }}-controller"
-  labels:
-    app: "{{ template "kong.name" . }}"
-spec:
-  {{- if .Values.ingressController.podDisruptionBudget.minAvailable }}
-  minAvailable: {{ .Values.ingressController.podDisruptionBudget.minAvailable }}
-  {{- end  }}
-  {{- if .Values.ingressController.podDisruptionBudget.maxUnavailable }}
-  maxUnavailable: {{ .Values.ingressController.podDisruptionBudget.maxUnavailable }}
-  {{- end  }}
-  selector:
-    matchLabels:
-      app: {{ template "kong.name" . }}
-      release: {{ .Release.Name }}
-      component: controller
-{{- end }}
\ No newline at end of file
diff --git a/helm/infrastructure/subcharts/kong/templates/controller-rbac-cluster-role-binding.yaml b/helm/infrastructure/subcharts/kong/templates/controller-rbac-cluster-role-binding.yaml
deleted file mode 100755 (executable)
index 2e4e752..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name:  {{ template "kong.fullname" . }}
-  labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name:  {{ template "kong.fullname" . }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "kong.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
-{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/templates/controller-rbac-resources.yaml b/helm/infrastructure/subcharts/kong/templates/controller-rbac-resources.yaml
new file mode 100755 (executable)
index 0000000..22fc78e
--- /dev/null
@@ -0,0 +1,141 @@
+{{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name:  {{ template "kong.fullname" . }}
+  namespace: {{ .Release.namespace }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - pods
+      - secrets
+      - namespaces
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    resourceNames:
+      # Defaults to "<election-id>-<ingress-class>"
+      # Here: "<kong-ingress-controller-leader-nginx>-<nginx>"
+      # This has to be adapted if you change either parameter
+      # when launching the nginx-ingress-controller.
+      - "kong-ingress-controller-leader-{{ .Values.ingressController.ingressClass }}-{{ .Values.ingressController.ingressClass }}"
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name:  {{ template "kong.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "kong.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kong.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+  name:  {{ template "kong.fullname" . }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+      - nodes
+      - pods
+      - secrets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "extensions"
+      - "networking.k8s.io"
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+        - events
+    verbs:
+        - create
+        - patch
+  - apiGroups:
+      - "extensions"
+      - "networking.k8s.io"
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - "configuration.konghq.com"
+    resources:
+      - kongplugins
+      - kongcredentials
+      - kongconsumers
+      - kongingresses
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name:  {{ template "kong.fullname" . }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name:  {{ template "kong.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kong.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
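Review bot: `namespace: {{ .Release.namespace }}` on the Role's metadata uses a lowercase field; the Helm built-in is `.Release.Namespace` (spelled correctly on the RoleBinding and on both binding subjects in this same file), so the Role renders with an empty namespace and ends up wherever the client applies it, which may not be the namespace the RoleBinding refers to. The fix is `namespace: {{ .Release.Namespace }}`; the same typo sits on the unchanged ServiceAccount line in a later hunk (`namespace: {{ .Release.namespace }}`). The `resourceNames` comment still talks about `<kong-ingress-controller-leader-nginx>-<nginx>` and "launching the nginx-ingress-controller", which does not describe this chart; it should name `ingressController.ingressClass` as the parameter that must stay in sync.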
diff --git a/helm/infrastructure/subcharts/kong/templates/controller-rbac-role-binding.yaml b/helm/infrastructure/subcharts/kong/templates/controller-rbac-role-binding.yaml
deleted file mode 100755 (executable)
index 6dad019..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
-  name:  {{ template "kong.fullname" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ template "kong.fullname" . }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "kong.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
-{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/templates/controller-rbac-role.yaml b/helm/infrastructure/subcharts/kong/templates/controller-rbac-role.yaml
deleted file mode 100755 (executable)
index 90e0767..0000000
+++ /dev/null
@@ -1,47 +0,0 @@
-{{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
-  name:  {{ template "kong.fullname" . }}
-  namespace: {{ .Release.namespace }}
-  labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    resourceNames:
-      # Defaults to "<election-id>-<ingress-class>"
-      # Here: "<kong-ingress-controller-leader-nginx>-<nginx>"
-      # This has to be adapted if you change either parameter
-      # when launching the nginx-ingress-controller.
-      - "kong-ingress-controller-leader-{{ .Values.ingressController.ingressClass }}-{{ .Values.ingressController.ingressClass }}"
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ""
-    resources:
-      - endpoints
-    verbs:
-      - get
-{{- end -}}
index 050b860..c6a7554 100755 (executable)
@@ -1,12 +1,9 @@
-{{- if and .Values.ingressController.enabled .Values.ingressController.serviceAccount.create -}}
+{{- if or .Values.podSecurityPolicy.enabled (and .Values.ingressController.enabled .Values.ingressController.serviceAccount.create) -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "kong.serviceAccountName" . }}
   namespace: {{ .Release.namespace }}
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
 {{- end -}}
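Review bot: With the new `or .Values.podSecurityPolicy.enabled` condition the ServiceAccount is rendered when PSP is on even if `ingressController.serviceAccount.create` is false, but `kong.serviceAccountName` (earlier hunk) then falls back to `default`, so the chart would try to own a ServiceAccount named `default` in the release namespace, an object the namespace controller already manages. If that combination is not intended, keep the create flag in the condition, e.g. `{{- if and .Values.ingressController.serviceAccount.create (or .Values.podSecurityPolicy.enabled .Values.ingressController.enabled) -}}`; if it is intended, the values file should say that PSP requires a chart-created account. The unchanged `namespace: {{ .Release.namespace }}` line is also the lowercase typo of `.Release.Namespace`.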
diff --git a/helm/infrastructure/subcharts/kong/templates/crd-kongconsumer.yaml b/helm/infrastructure/subcharts/kong/templates/crd-kongconsumer.yaml
deleted file mode 100755 (executable)
index a25eff5..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-{{- if and .Values.ingressController.enabled .Values.ingressController.installCRDs -}}
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: kongconsumers.configuration.konghq.com
-  labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-spec:
-  group: configuration.konghq.com
-  version: v1
-  scope: Namespaced
-  names:
-    kind: KongConsumer
-    plural: kongconsumers
-    shortNames:
-    - kc
-  additionalPrinterColumns:
-  - name: Username
-    type: string
-    description: Username of a Kong Consumer
-    JSONPath: .username
-  - name: Age
-    type: date
-    description: Age
-    JSONPath: .metadata.creationTimestamp
-  validation:
-    openAPIV3Schema:
-      properties:
-        username:
-          type: string
-        custom_id:
-          type: string
-{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/templates/crd-kongcredential.yaml b/helm/infrastructure/subcharts/kong/templates/crd-kongcredential.yaml
deleted file mode 100755 (executable)
index d442157..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-{{- if and .Values.ingressController.enabled .Values.ingressController.installCRDs -}}
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: kongcredentials.configuration.konghq.com
-  labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-spec:
-  group: configuration.konghq.com
-  version: v1
-  scope: Namespaced
-  names:
-    kind: KongCredential
-    plural: kongcredentials
-  additionalPrinterColumns:
-  - name: Credential-type
-    type: string
-    description: Type of credential
-    JSONPath: .type
-  - name: Age
-    type: date
-    description: Age
-    JSONPath: .metadata.creationTimestamp
-  - name: Consumer-Ref
-    type: string
-    description: Owner of the credential
-    JSONPath: .consumerRef
-  validation:
-    openAPIV3Schema:
-      required:
-      - consumerRef
-      - type
-      properties:
-        consumerRef:
-          type: string
-        type:
-          type: string
-{{- end -}}
diff --git a/helm/infrastructure/subcharts/kong/templates/crd-kongplugins.yaml b/helm/infrastructure/subcharts/kong/templates/crd-kongplugins.yaml
deleted file mode 100755 (executable)
index bdd9604..0000000
+++ /dev/null
@@ -1,50 +0,0 @@
-{{- if and .Values.ingressController.enabled .Values.ingressController.installCRDs -}}
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: kongplugins.configuration.konghq.com
-  labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-spec:
-  group: configuration.konghq.com
-  version: v1
-  scope: Namespaced
-  names:
-    kind: KongPlugin
-    plural: kongplugins
-    shortNames:
-    - kp
-  additionalPrinterColumns:
-  - name: Plugin-Type
-    type: string
-    description: Name of the plugin
-    JSONPath: .plugin
-  - name: Age
-    type: date
-    description: Age
-    JSONPath: .metadata.creationTimestamp
-  - name: Disabled
-    type: boolean
-    description: Indicates if the plugin is disabled
-    JSONPath: .disabled
-    priority: 1
-  - name: Config
-    type: string
-    description: Configuration of the plugin
-    JSONPath: .config
-    priority: 1
-  validation:
-    openAPIV3Schema:
-      required:
-      - plugin
-      properties:
-        plugin:
-          type: string
-        disabled:
-          type: boolean
-        config:
-          type: object
-{{- end -}}
 {{- if and .Values.ingressController.enabled .Values.ingressController.installCRDs -}}
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
+metadata:
+  name: kongconsumers.configuration.konghq.com
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+spec:
+  group: configuration.konghq.com
+  version: v1
+  scope: Namespaced
+  names:
+    kind: KongConsumer
+    plural: kongconsumers
+    shortNames:
+    - kc
+  additionalPrinterColumns:
+  - name: Username
+    type: string
+    description: Username of a Kong Consumer
+    JSONPath: .username
+  - name: Age
+    type: date
+    description: Age
+    JSONPath: .metadata.creationTimestamp
+  validation:
+    openAPIV3Schema:
+      properties:
+        username:
+          type: string
+        custom_id:
+          type: string
+        credentials:
+          type: array
+          items:
+            type: string
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: kongcredentials.configuration.konghq.com
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+spec:
+  group: configuration.konghq.com
+  version: v1
+  scope: Namespaced
+  names:
+    kind: KongCredential
+    plural: kongcredentials
+  additionalPrinterColumns:
+  - name: Credential-type
+    type: string
+    description: Type of credential
+    JSONPath: .type
+  - name: Age
+    type: date
+    description: Age
+    JSONPath: .metadata.creationTimestamp
+  - name: Consumer-Ref
+    type: string
+    description: Owner of the credential
+    JSONPath: .consumerRef
+  validation:
+    openAPIV3Schema:
+      required:
+      - consumerRef
+      - type
+      properties:
+        consumerRef:
+          type: string
+        type:
+          type: string
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: kongplugins.configuration.konghq.com
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+spec:
+  group: configuration.konghq.com
+  version: v1
+  scope: Namespaced
+  names:
+    kind: KongPlugin
+    plural: kongplugins
+    shortNames:
+    - kp
+  additionalPrinterColumns:
+  - name: Plugin-Type
+    type: string
+    description: Name of the plugin
+    JSONPath: .plugin
+  - name: Age
+    type: date
+    description: Age
+    JSONPath: .metadata.creationTimestamp
+  - name: Disabled
+    type: boolean
+    description: Indicates if the plugin is disabled
+    JSONPath: .disabled
+    priority: 1
+  - name: Config
+    type: string
+    description: Configuration of the plugin
+    JSONPath: .config
+    priority: 1
+  validation:
+    openAPIV3Schema:
+      required:
+      - plugin
+      properties:
+        plugin:
+          type: string
+        disabled:
+          type: boolean
+        config:
+          type: object
+        run_on:
+          type: string
+          enum:
+          - first
+          - second
+          - all
+        protocols:
+          type: array
+          items:
+            type: string
+            enum:
+            - http
+            - https
+            - tcp
+            - tls
+            - grpc
+            - grpcs
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
 metadata:
   name: kongingresses.configuration.konghq.com
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
 spec:
   group: configuration.konghq.com
   version: v1
@@ -20,14 +153,18 @@ spec:
   validation:
     openAPIV3Schema:
       properties:
-        upstream:
-          type: object
         route:
           properties:
             methods:
               type: array
               items:
                 type: string
+            headers:
+              type: object
+              additionalProperties:
+                type: array
+                items:
+                  type: string
             regex_priority:
               type: integer
             strip_path:
@@ -41,6 +178,10 @@ spec:
                 enum:
                 - http
                 - https
+                - grpc
+                - grpcs
+            https_redirect_status_code:
+              type: integer
         proxy:
           type: object
           properties:
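Review bot: `https_redirect_status_code` is validated only as `type: integer`, so any integer passes admission even though Kong accepts just a small fixed set of redirect codes for this field (426 plus the 301/302/307/308 redirects, if that set is still current for the bundled Kong version). An `enum` listing those values would reject typos at admission time rather than at the controller's sync, consistent with how `protocols` is constrained a few lines above. The enclosing `openAPIV3Schema` continues outside this hunk.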
@@ -49,6 +190,8 @@ spec:
               enum:
               - http
               - https
+              - grpc
+              - grpcs
             path:
               type: string
               pattern: ^/.*$
@@ -67,6 +210,14 @@ spec:
         upstream:
           type: object
           properties:
+            algorithm:
+              type: string
+              enum:
+              - "round-robin"
+              - "consistent-hashing"
+              - "least-connections"
+            host_header:
+              type: string
             hash_on:
               type: string
             hash_on_cookie:
index 9bcbab0..de07aa7 100755 (executable)
@@ -1,20 +1,15 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: "{{ template "kong.fullname" . }}"
+  name: {{ template "kong.fullname" . }}
   labels:
-    app: "{{ template "kong.name" . }}"
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-    component: app
+    {{- include "kong.metaLabels" . | nindent 4 }}
+    app.kubernetes.io/component: app
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
-      app: {{ template "kong.name" . }}
-      release: {{ .Release.Name }}
-      component: app
+      {{- include "kong.selectorLabels" . | nindent 6 }}
   {{- if .Values.updateStrategy }}
   strategy:
 {{ toYaml .Values.updateStrategy | indent 4 }}
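Review bot: `spec.selector.matchLabels` changes from the `app`/`release`/`component` triple to whatever `kong.selectorLabels` renders, and the selector of an apps/v1 Deployment is immutable, so `helm upgrade` on an existing release should be expected to fail with a "field is immutable" error unless the old Deployment is removed first. Because this change is intended to land on existing installs (the commit exists to fix a 404 in deployed clusters), the upgrade notes should say so, for example a README line: `Upgrading from a pre-1.4 chart requires deleting the existing Deployment (kubectl delete deployment <RELEASE-FULLNAME>) before running helm upgrade.` The `kong.selectorLabels` helper is outside this hunk, so whether it happens to reproduce the old keys could not be checked, but the `app.kubernetes.io/component` label added alongside it suggests the new scheme differs.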
@@ -23,6 +18,9 @@ spec:
   template:
     metadata:
       annotations:
+        {{- if .Values.ingressController.admissionWebhook.enabled }}
+        checksum/admission-webhook.yaml: {{ include (print $.Template.BasePath "/admission-webhook.yaml") . | sha256sum }}
+        {{- end }}
         {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
         {{- if .Values.dblessConfig.config }}
         checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }}
@@ -32,11 +30,10 @@ spec:
 {{ toYaml .Values.podAnnotations | indent 8 }}
         {{- end }}
       labels:
-        app: {{ template "kong.name" . }}
-        release: {{ .Release.Name }}
-        component: app
+        {{- include "kong.metaLabels" . | nindent 8 }}
+        app.kubernetes.io/component: app
     spec:
-      {{- if (and (.Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+      {{- if or .Values.ingressController.enabled .Values.podSecurityPolicy.enabled }}
       serviceAccountName: {{ template "kong.serviceAccountName" . }}
       {{ end }}
       {{- if .Values.image.pullSecrets }}
@@ -50,123 +47,18 @@ spec:
       {{- include "kong.wait-for-db" . | nindent 6 }}
       {{ end }}
       containers:
-      {{- if (and (.Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+      {{- if .Values.ingressController.enabled }}
       {{- include "kong.controller-container" . | nindent 6 }}
       {{ end }}
-      - name: {{ template "kong.name" . }}
+      - name: "proxy"
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         env:
-        {{- if not .Values.env.admin_listen }}
-        {{- if .Values.admin.useTLS }}
-        - name: KONG_ADMIN_LISTEN
-          value: "0.0.0.0:{{ .Values.admin.containerPort }} ssl"
-        {{- else }}
-        - name: KONG_ADMIN_LISTEN
-          value: 0.0.0.0:{{ .Values.admin.containerPort }}
-        {{- end }}
-        {{- end }}
-        {{- if not .Values.env.proxy_listen }}
-        - name: KONG_PROXY_LISTEN
-          value: {{ template "kong.kongProxyListenValue" . }}
-        {{- end }}
-        {{- if and (not .Values.env.admin_gui_listen) (.Values.enterprise.enabled) }}
-        - name: KONG_ADMIN_GUI_LISTEN
-          value: {{ template "kong.kongManagerListenValue" . }}
-        {{- end }}
-        {{- if and (not .Values.env.portal_gui_listen) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
-        - name: KONG_PORTAL_GUI_LISTEN
-          value: {{ template "kong.kongPortalListenValue" . }}
-        {{- end }}
-        {{- if and (not .Values.env.portal_api_listen) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
-        - name: KONG_PORTAL_API_LISTEN
-          value: {{ template "kong.kongPortalApiListenValue" . }}
-        {{- end }}
-        - name: KONG_NGINX_DAEMON
-          value: "off"
-        {{- if .Values.enterprise.enabled }}
-        {{- if .Values.enterprise.vitals.enabled }}
-        - name: KONG_VITALS
-          value: "on"
-        {{- end }}
-        {{- if .Values.enterprise.portal.enabled }}
-        - name: KONG_PORTAL
-          value: "on"
-        {{- if .Values.enterprise.portal.portal_auth }}
-        - name: KONG_PORTAL_AUTH
-          value: {{ .Values.enterprise.portal.portal_auth }}
-        - name: KONG_PORTAL_SESSION_CONF
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.enterprise.portal.session_conf_secret }}
-              key: portal_session_conf
-        {{- end }}
-        {{- end }}
-        {{- if .Values.enterprise.rbac.enabled }}
-        - name: KONG_ENFORCE_RBAC
-          value: "on"
-        - name: KONG_ADMIN_GUI_AUTH
-          value: {{ .Values.enterprise.rbac.admin_gui_auth | default "basic-auth" }}
-        - name: KONG_ADMIN_GUI_AUTH_CONF
-          value: '{{ toJson .Values.enterprise.rbac.admin_gui_auth_conf }}'
-        - name: KONG_ADMIN_GUI_SESSION_CONF
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.enterprise.rbac.session_conf_secret }}
-              key: admin_gui_session_conf
-        {{- end }}
-        {{- if .Values.enterprise.smtp.enabled }}
-        - name: KONG_PORTAL_EMAILS_FROM
-          value: {{ .Values.enterprise.smtp.portal_emails_from }}
-        - name: KONG_PORTAL_EMAILS_REPLY_TO
-          value: {{ .Values.enterprise.smtp.portal_emails_reply_to }}
-        - name: KONG_ADMIN_EMAILS_FROM
-          value: {{ .Values.enterprise.smtp.admin_emails_from }}
-        - name: KONG_ADMIN_EMAILS_REPLY_TO
-          value: {{ .Values.enterprise.smtp.admin_emails_reply_to }}
-        - name: KONG_SMTP_HOST
-          value: {{ .Values.enterprise.smtp.smtp_host }}
-        - name: KONG_SMTP_PORT
-          value: {{ .Values.enterprise.smtp.smtp_port }}
-        - name: KONG_SMTP_STARTTLS
-          value: {{ .Values.enterprise.smtp.smtp_starttls }}
-        {{- if .Values.enterprise.smtp.auth.smtp_username }}
-        - name: KONG_SMTP_USERNAME
-          value: {{ .Values.enterprise.smtp.auth.smtp_username }}
-        - name: KONG_SMTP_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.enterprise.smtp.auth.smtp_password }}
-              key: smtp_password
-        {{- end }}
-        {{- else }}
-        - name: KONG_SMTP_MOCK
-          value: "on"
-        {{- end }}
-        {{- include "kong.license" . | nindent 8 }}
-        {{- end }}
-        - name: KONG_NGINX_HTTP_INCLUDE
-          value: /kong/servers.conf
-        {{- if .Values.postgresql.enabled }}
-        - name: KONG_PG_HOST
-          value: {{ template "kong.postgresql.fullname" . }}
-        - name: KONG_PG_PORT
-          value: "{{ .Values.postgresql.service.port }}"
-        - name: KONG_PG_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "kong.postgresql.fullname" . }}
-              key: postgresql-password
-        {{- end }}
-        {{- if .Values.cassandra.enabled }}
-        - name: KONG_CASSANDRA_CONTACT_POINTS
-          value: {{ template "kong.cassandra.fullname" . }}
-        {{- end }}
-        {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
-        - name: KONG_DECLARATIVE_CONFIG
-          value: "/kong_dbless/kong.yml"
-        {{- end }}
-        {{- include "kong.env" .  | indent 8 }}
+        {{- include "kong.final_env" . | nindent 8 }}
+        lifecycle:
+          preStop:
+            exec:
+              command: [ "/bin/sh", "-c", "kong quit" ]
         ports:
         - name: admin
           containerPort: {{ .Values.admin.containerPort }}
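Review bot: The proxy container's name changes from `{{ template "kong.name" . }}` to the literal `proxy`, which breaks anything that addresses the container by name (`kubectl logs -c`, log shippers, monitoring selectors) and deserves a line in the upgrade notes. The new `preStop` hook runs `kong quit`, which drains in-flight requests before exiting; `terminationGracePeriodSeconds` is not set in this hunk, so it is worth confirming the pod's grace period exceeds the `kong quit` timeout so the kubelet does not SIGKILL the proxy mid-drain. All environment assembly moves into `kong.final_env`, which is outside this hunk, so it could not be verified that the removed `KONG_PG_PASSWORD` secretKeyRef and the `KONG_DECLARATIVE_CONFIG` path are still produced for the database and DB-less modes respectively.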
@@ -193,6 +85,11 @@ spec:
         - name: metrics
           containerPort: 9542
           protocol: TCP
+        {{- if .Values.ingressController.admissionWebhook.enabled }}
+        - name: webhook
+          containerPort: {{ .Values.ingressController.admissionWebhook.port }}
+          protocol: TCP
+        {{- end }}
         {{- if .Values.enterprise.enabled }}
         {{- if .Values.manager.http.enabled }}
         - name: manager
@@ -244,12 +141,7 @@ spec:
         {{- end }}
         {{- end }}
         volumeMounts:
-          - name: custom-nginx-template-volume
-            mountPath: /kong
-          {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
-          - name: kong-custom-dbless-config-volume
-            mountPath: /kong_dbless/
-          {{- end }}
+        {{- include "kong.volumeMounts" . | nindent 10 }}
         readinessProbe:
 {{ toYaml .Values.readinessProbe | indent 10 }}
         livenessProbe:
@@ -260,6 +152,8 @@ spec:
       affinity:
 {{ toYaml .Values.affinity | indent 8 }}
     {{- end }}
+      securityContext:
+      {{- include "kong.podsecuritycontext" . | nindent 8 }}
     {{- if .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
@@ -267,15 +161,4 @@ spec:
       tolerations:
 {{ toYaml .Values.tolerations | indent 8 }}
       volumes:
-        - name: custom-nginx-template-volume
-          configMap:
-            name: {{ template "kong.fullname" . }}-default-custom-server-blocks
-{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
-        - name: kong-custom-dbless-config-volume
-          configMap:
-            {{- if .Values.dblessConfig.configMap }}
-            name: {{ .Values.dblessConfig.configMap }}
-            {{- else }}
-            name: {{ template "kong.dblessConfig.fullname" . }}
-            {{- end }}
-{{- end }}
+      {{- include "kong.volumes" . | nindent 8 -}}
index 3ca0587..e5d6119 100755 (executable)
@@ -2,32 +2,31 @@
 {{- $serviceName := include "kong.fullname" . -}}
 {{- $servicePort := .Values.admin.servicePort -}}
 {{- $path := .Values.admin.ingress.path -}}
-apiVersion: networking.k8s.io/v1beta1
+{{- $tls := .Values.admin.ingress.tls -}}
+{{- $hostname := .Values.admin.ingress.hostname -}}
+apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ template "kong.fullname" . }}-admin
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
   annotations:
     {{- range $key, $value := .Values.admin.ingress.annotations }}
       {{ $key }}: {{ $value | quote }}
     {{- end }}
 spec:
   rules:
-    {{- range $host := .Values.admin.ingress.hosts }}
-    - host: {{ $host }}
-      http:
-        paths:
-          - path: {{ $path }}
-            backend:
-              serviceName: {{ $serviceName }}-admin
-              servicePort: {{ $servicePort }}
-    {{- end -}}
-  {{- if .Values.admin.ingress.tls }}
+  - host: {{ $hostname }}
+    http:
+      paths:
+        - path: {{ $path }}
+          backend:
+            serviceName: {{ $serviceName }}-admin
+            servicePort: {{ $servicePort }}
+  {{- if $tls }}
   tls:
-{{ toYaml .Values.admin.ingress.tls | indent 4 }}
+  - hosts:
+    - {{ $hostname }}
+    secretName: {{ $tls }}
   {{- end -}}
 {{- end -}}
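Review bot: `- host: {{ $hostname }}` renders an empty host when `admin.ingress.hostname` is unset — for instance when an existing values file still supplies the previous `admin.ingress.hosts` list that this hunk removes — and an Ingress rule without a host matches every hostname, so the admin API would become reachable on any name routed through the ingress controller. Guarding the value makes the failure loud instead: `- host: {{ required "admin.ingress.hostname is required" $hostname | quote }}`, which also matches the quoting the proxy ingress applies with `$host | quote`. The apiVersion also moves from `networking.k8s.io/v1beta1` back to `extensions/v1beta1`, which is deprecated and removed in Kubernetes 1.22, so relative to the previous template this is a regression. The manager, portalapi and portal ingress hunks share the unguarded `$hostname` and the apiVersion change, and the proxy ingress hunk shares the apiVersion change.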
index 76c798d..e4f3543 100755 (executable)
@@ -3,33 +3,32 @@
 {{- $serviceName := include "kong.fullname" . -}}
 {{- $servicePort := include "kong.ingress.servicePort" .Values.manager -}}
 {{- $path := .Values.manager.ingress.path -}}
-apiVersion: networking.k8s.io/v1beta1
+{{- $tls := .Values.manager.ingress.tls -}}
+{{- $hostname := .Values.manager.ingress.hostname -}}
+apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ template "kong.fullname" . }}-manager
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
   annotations:
     {{- range $key, $value := .Values.manager.ingress.annotations }}
       {{ $key }}: {{ $value | quote }}
     {{- end }}
 spec:
   rules:
-    {{- range $host := .Values.manager.ingress.hosts }}
-    - host: {{ $host }}
-      http:
-        paths:
-          - path: {{ $path }}
-            backend:
-              serviceName: {{ $serviceName }}-manager
-              servicePort: {{ $servicePort }}
-    {{- end -}}
-  {{- if .Values.manager.ingress.tls }}
+  - host: {{ $hostname }}
+    http:
+      paths:
+        - path: {{ $path }}
+          backend:
+            serviceName: {{ $serviceName }}-manager
+            servicePort: {{ $servicePort }}
+  {{- if $tls }}
   tls:
-{{ toYaml .Values.manager.ingress.tls | indent 4 }}
+  - hosts:
+    - {{ $hostname }}
+    secretName: {{ $tls }}
   {{- end -}}
 {{- end -}}
 {{- end -}}
index e6fa104..3e10269 100755 (executable)
@@ -3,33 +3,32 @@
 {{- $serviceName := include "kong.fullname" . -}}
 {{- $servicePort := include "kong.ingress.servicePort" .Values.portalapi -}}
 {{- $path := .Values.portalapi.ingress.path -}}
-apiVersion: networking.k8s.io/v1beta1
+{{- $tls := .Values.portalapi.ingress.tls -}}
+{{- $hostname := .Values.portalapi.ingress.hostname -}}
+apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ template "kong.fullname" . }}-portalapi
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
   annotations:
     {{- range $key, $value := .Values.portalapi.ingress.annotations }}
       {{ $key }}: {{ $value | quote }}
     {{- end }}
 spec:
   rules:
-    {{- range $host := .Values.portalapi.ingress.hosts }}
-    - host: {{ $host }}
-      http:
-        paths:
-          - path: {{ $path }}
-            backend:
-              serviceName: {{ $serviceName }}-portalapi
-              servicePort: {{ $servicePort }}
-    {{- end -}}
-  {{- if .Values.portalapi.ingress.tls }}
+  - host: {{ $hostname }}
+    http:
+      paths:
+        - path: {{ $path }}
+          backend:
+            serviceName: {{ $serviceName }}-portalapi
+            servicePort: {{ $servicePort }}
+  {{- if $tls }}
   tls:
-{{ toYaml .Values.portalapi.ingress.tls | indent 4 }}
+  - hosts:
+    - {{ $hostname }}
+    secretName: {{ $tls }}
   {{- end -}}
 {{- end -}}
 {{- end -}}
index da399b5..521adef 100755 (executable)
@@ -3,33 +3,32 @@
 {{- $serviceName := include "kong.fullname" . -}}
 {{- $servicePort := include "kong.ingress.servicePort" .Values.portal -}}
 {{- $path := .Values.portal.ingress.path -}}
-apiVersion: networking.k8s.io/v1beta1
+{{- $tls := .Values.portal.ingress.tls -}}
+{{- $hostname := .Values.portal.ingress.hostname -}}
+apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ template "kong.fullname" . }}-portal
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
   annotations:
     {{- range $key, $value := .Values.portal.ingress.annotations }}
       {{ $key }}: {{ $value | quote }}
     {{- end }}
 spec:
   rules:
-    {{- range $host := .Values.portal.ingress.hosts }}
-    - host: {{ $host }}
-      http:
-        paths:
-          - path: {{ $path }}
-            backend:
-              serviceName: {{ $serviceName }}-portal
-              servicePort: {{ $servicePort }}
-    {{- end -}}
-  {{- if .Values.portal.ingress.tls }}
+  - host: {{ $hostname }}
+    http:
+      paths:
+        - path: {{ $path }}
+          backend:
+            serviceName: {{ $serviceName }}-portal
+            servicePort: {{ $servicePort }}
+  {{- if $tls }}
   tls:
-{{ toYaml .Values.portal.ingress.tls | indent 4 }}
+  - hosts:
+    - {{ $hostname }}
+    secretName: {{ $tls }}
   {{- end -}}
 {{- end -}}
 {{- end -}}
index 002f0cd..9976df9 100755 (executable)
@@ -2,23 +2,29 @@
 {{- $serviceName := include "kong.fullname" . -}}
 {{- $servicePort := include "kong.ingress.servicePort" .Values.proxy -}}
 {{- $path := .Values.proxy.ingress.path -}}
-apiVersion: networking.k8s.io/v1beta1
+{{- $hosts_count := len .Values.proxy.ingress.hosts -}}
+apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ template "kong.fullname" . }}-proxy
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
   annotations:
     {{- range $key, $value := .Values.proxy.ingress.annotations }}
       {{ $key }}: {{ $value | quote }}
     {{- end }}
 spec:
   rules:
+    {{- if eq $hosts_count 0 }}
+    - http:
+        paths:
+          - path: {{ $path }}
+            backend:
+              serviceName: {{ $serviceName }}-proxy
+              servicePort: {{ $servicePort }}
+    {{ else -}}
     {{- range $host := .Values.proxy.ingress.hosts }}
-    - host: {{ $host }}
+    - host: {{ $host | quote }}
       http:
         paths:
           - path: {{ $path }}
@@ -26,6 +32,7 @@ spec:
               serviceName: {{ $serviceName }}-proxy
               servicePort: {{ $servicePort }}
     {{- end -}}
+    {{- end -}}
   {{- if .Values.proxy.ingress.tls }}
   tls:
 {{ toYaml .Values.proxy.ingress.tls | indent 4 }}
index dcc9b77..29418d1 100755 (executable)
@@ -6,11 +6,8 @@ kind: Job
 metadata:
   name: {{ template "kong.fullname" . }}-post-upgrade-migrations
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-    component: post-upgrade-migrations
+    {{- include "kong.metaLabels" . | nindent 4 }}
+    app.kubernetes.io/component: post-upgrade-migrations
   annotations:
     helm.sh/hook: "post-upgrade"
     helm.sh/hook-delete-policy: "before-hook-creation"
@@ -19,58 +16,34 @@ spec:
     metadata:
       name: {{ template "kong.name" . }}-post-upgrade-migrations
       labels:
-        app: {{ template "kong.name" . }}
-        release: "{{ .Release.Name }}"
-        component: post-upgrade-migrations
+        {{- include "kong.metaLabels" . | nindent 8 }}
+        app.kubernetes.io/component: post-upgrade-migrations
     spec:
+      {{- if .Values.podSecurityPolicy.enabled }}
+      serviceAccountName: {{ template "kong.serviceAccountName" . }}
+      {{- end }}
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
       {{- range .Values.image.pullSecrets }}
         - name: {{ . }}
       {{- end }}
       {{- end }}
-      {{- if .Values.postgresql.enabled }}
       initContainers:
-      - name: wait-for-postgres
-        image: "{{ .Values.waitImage.repository }}:{{ .Values.waitImage.tag }}"
-        env:
-        - name: KONG_PG_HOST
-          value: {{ template "kong.postgresql.fullname" . }}
-        - name: KONG_PG_PORT
-          value: "{{ .Values.postgresql.service.port }}"
-        - name: KONG_PG_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "kong.postgresql.fullname" . }}
-              key: postgresql-password
-        command: [ "/bin/sh", "-c", "until nc -zv $KONG_PG_HOST $KONG_PG_PORT -w1; do echo 'waiting for db'; sleep 1; done" ]
+      {{- if (eq .Values.env.database "postgres") }}
+      {{- include "kong.wait-for-postgres" . | nindent 6 }}
       {{- end }}
       containers:
       - name: {{ template "kong.name" . }}-post-upgrade-migrations
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         env:
-        - name: KONG_NGINX_DAEMON
-          value: "off"
-        {{- if .Values.enterprise.enabled }}
-        {{- include "kong.license" . | nindent 8 }}
-        {{- end }}
-        {{- if .Values.postgresql.enabled }}
-        - name: KONG_PG_HOST
-          value: {{ template "kong.postgresql.fullname" . }}
-        - name: KONG_PG_PORT
-          value: "{{ .Values.postgresql.service.port }}"
-        - name: KONG_PG_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "kong.postgresql.fullname" . }}
-              key: postgresql-password
-        {{- end }}
-        {{- if .Values.cassandra.enabled }}
-        - name: KONG_CASSANDRA_CONTACT_POINTS
-          value: {{ template "kong.cassandra.fullname" . }}
-        {{- end }}
-        {{- include "kong.env" .  | indent 8 }}
+        {{- include "kong.final_env" . | nindent 8 }}
         command: [ "/bin/sh", "-c", "kong migrations finish" ]
+        volumeMounts:
+        {{- include "kong.volumeMounts" . | nindent 8 }}
+      securityContext:
+      {{- include "kong.podsecuritycontext" . | nindent 8 }}
       restartPolicy: OnFailure
+      volumes:
+      {{- include "kong.volumes" . | nindent 6 -}}
 {{- end }}
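Review bot: `initContainers:` is now emitted unconditionally while its only entry, `kong.wait-for-postgres`, sits inside `{{- if (eq .Values.env.database "postgres") }}`, so for non-postgres databases the rendered pod spec carries `initContainers:` with a null value; the API server accepts that, but moving the key inside the `if` keeps the manifest clean. The condition also changes from `.Values.postgresql.enabled` to the database type, so the wait container now runs for an externally managed Postgres as well; the removed inline version hard-coded the subchart's host, port and password secret, and `kong.wait-for-postgres` is outside this hunk, so confirm it derives those from the user-supplied `env` values in that case. The pre-upgrade and init-migrations hunks below have the same unconditional `initContainers:` key.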
index 1839871..977ac48 100755 (executable)
@@ -6,11 +6,8 @@ kind: Job
 metadata:
   name: {{ template "kong.fullname" . }}-pre-upgrade-migrations
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-    component: pre-upgrade-migrations
+    {{- include "kong.metaLabels" . | nindent 4 }}
+    app.kubernetes.io/component: pre-upgrade-migrations
   annotations:
     helm.sh/hook: "pre-upgrade"
     helm.sh/hook-delete-policy: "before-hook-creation"
@@ -19,58 +16,48 @@ spec:
     metadata:
       name: {{ template "kong.name" . }}-pre-upgrade-migrations
       labels:
-        app: {{ template "kong.name" . }}
-        release: "{{ .Release.Name }}"
-        component: pre-upgrade-migrations
+        {{- include "kong.metaLabels" . | nindent 8 }}
+        app.kubernetes.io/component: pre-upgrade-migrations
     spec:
+      {{- if .Values.podSecurityPolicy.enabled }}
+      serviceAccountName: {{ template "kong.serviceAccountName" . }}
+      {{- end }}
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
       {{- range .Values.image.pullSecrets }}
         - name: {{ . }}
       {{- end }}
       {{- end }}
-      {{- if .Values.postgresql.enabled }}
       initContainers:
-      - name: wait-for-postgres
-        image: "{{ .Values.waitImage.repository }}:{{ .Values.waitImage.tag }}"
-        env:
-        - name: KONG_PG_HOST
-          value: {{ template "kong.postgresql.fullname" . }}
-        - name: KONG_PG_PORT
-          value: "{{ .Values.postgresql.service.port }}"
-        - name: KONG_PG_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "kong.postgresql.fullname" . }}
-              key: postgresql-password
-        command: [ "/bin/sh", "-c", "until nc -zv $KONG_PG_HOST $KONG_PG_PORT -w1; do echo 'waiting for db'; sleep 1; done" ]
+      {{- if (eq .Values.env.database "postgres") }}
+      {{- include "kong.wait-for-postgres" . | nindent 6 }}
       {{- end }}
       containers:
       - name: {{ template "kong.name" . }}-upgrade-migrations
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         env:
-        - name: KONG_NGINX_DAEMON
-          value: "off"
-        {{- if .Values.enterprise.enabled }}
-        {{- include "kong.license" . | nindent 8 }}
-        {{- end }}
-        {{- if .Values.postgresql.enabled }}
-        - name: KONG_PG_HOST
-          value: {{ template "kong.postgresql.fullname" . }}
-        - name: KONG_PG_PORT
-          value: "{{ .Values.postgresql.service.port }}"
-        - name: KONG_PG_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "kong.postgresql.fullname" . }}
-              key: postgresql-password
-        {{- end }}
-        {{- if .Values.cassandra.enabled }}
-        - name: KONG_CASSANDRA_CONTACT_POINTS
-          value: {{ template "kong.cassandra.fullname" . }}
-        {{- end }}
-        {{- include "kong.env" .  | indent 8 }}
+        {{- include "kong.final_env" . | nindent 8 }}
         command: [ "/bin/sh", "-c", "kong migrations up" ]
+        volumeMounts:
+        {{- include "kong.volumeMounts" . | nindent 8 }}
+      securityContext:
+      {{- include "kong.podsecuritycontext" . | nindent 8 }}
       restartPolicy: OnFailure
+      volumes:
+      {{- include "kong.volumes" . | nindent 6 -}}
 {{- end }}
+
+{{ if or .Values.podSecurityPolicy.enabled (and .Values.ingressController.enabled .Values.ingressController.serviceAccount.create) -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "kong.serviceAccountName" . }}
+  namespace: {{ .Release.namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+{{- end -}}
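Review bot: `namespace: {{ .Release.namespace }}` on the hook ServiceAccount uses a lowercase field that is not a Helm built-in; the built-in is `.Release.Namespace`, so the key renders empty and the namespace falls back to Helm's default — harmless in practice, but it reads as a typo and should be `namespace: {{ .Release.Namespace }}` or dropped. The hook SA also carries the same name as the regular `kong.serviceAccountName` together with `before-hook-creation,hook-succeeded`, so Helm deletes an object of that name before and after the hook; if the non-hook ServiceAccount template (outside this view) creates the same name, its token secret would be garbage-collected with it during the upgrade window and the running ingress controller would lose API access until the upgrade recreates it — worth confirming against that template or giving the hook SA a distinct name.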
index 76c9b29..7c87f8b 100755 (executable)
@@ -4,68 +4,41 @@ kind: Job
 metadata:
   name: {{ template "kong.fullname" . }}-init-migrations
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-    component: init-migrations
+    {{- include "kong.metaLabels" . | nindent 4 }}
+    app.kubernetes.io/component: init-migrations
 spec:
   template:
     metadata:
       name: {{ template "kong.name" . }}-init-migrations
       labels:
-        app: {{ template "kong.name" . }}
-        release: "{{ .Release.Name }}"
-        component: init-migrations
+        {{- include "kong.metaLabels" . | nindent 8 }}
+        app.kubernetes.io/component: init-migrations
     spec:
+      {{- if .Values.podSecurityPolicy.enabled }}
+      serviceAccountName: {{ template "kong.serviceAccountName" . }}
+      {{- end }}
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
       {{- range .Values.image.pullSecrets }}
         - name: {{ . }}
       {{- end }}
       {{- end }}
-      {{- if .Values.postgresql.enabled }}
       initContainers:
-      - name: wait-for-postgres
-        image: "{{ .Values.waitImage.repository }}:{{ .Values.waitImage.tag }}"
-        env:
-        - name: KONG_PG_HOST
-          value: {{ template "kong.postgresql.fullname" . }}
-        - name: KONG_PG_PORT
-          value: "{{ .Values.postgresql.service.port }}"
-        - name: KONG_PG_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "kong.postgresql.fullname" . }}
-              key: postgresql-password
-        command: [ "/bin/sh", "-c", "until nc -zv $KONG_PG_HOST $KONG_PG_PORT -w1; do echo 'waiting for db'; sleep 1; done" ]
+      {{- if (eq .Values.env.database "postgres") }}
+      {{- include "kong.wait-for-postgres" . | nindent 6 }}
       {{- end }}
       containers:
       - name: {{ template "kong.name" . }}-migrations
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         env:
-        - name: KONG_NGINX_DAEMON
-          value: "off"
-        {{- if .Values.enterprise.enabled }}
-        {{- include "kong.license" . | nindent 8 }}
-        {{- end }}
-        {{- if .Values.postgresql.enabled }}
-        - name: KONG_PG_HOST
-          value: {{ template "kong.postgresql.fullname" . }}
-        - name: KONG_PG_PORT
-          value: "{{ .Values.postgresql.service.port }}"
-        - name: KONG_PG_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "kong.postgresql.fullname" . }}
-              key: postgresql-password
-        {{- end }}
-        {{- if .Values.cassandra.enabled }}
-        - name: KONG_CASSANDRA_CONTACT_POINTS
-          value: {{ template "kong.cassandra.fullname" . }}
-        {{- end }}
-        {{- include "kong.env" .  | indent 8 }}
+        {{- include "kong.final_env" . | nindent 8 }}
         command: [ "/bin/sh", "-c", "kong migrations bootstrap" ]
+        volumeMounts:
+        {{- include "kong.volumeMounts" . | nindent 8 }}
+      securityContext:
+      {{- include "kong.podsecuritycontext" . | nindent 8 }}
       restartPolicy: OnFailure
+      volumes:
+      {{- include "kong.volumes" . | nindent 6 -}}
 {{- end }}
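Review bot: The migrations container under `containers:` has no container-level securityContext, so nothing in this Job sets `allowPrivilegeEscalation` unless `podSecurityPolicy.enabled` is on and the policy defaults it; `kong.podsecuritycontext` is only included at pod level and its body is not visible in this diff. Consider adding `securityContext:` / `allowPrivilegeEscalation: false` under the container, after `imagePullPolicy`. The upgrade-migrations Job earlier in this diff has the same shape and would take the same two lines.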
index f52b6fb..39b3b77 100755 (executable)
@@ -2,9 +2,9 @@
 apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
-  name: "{{ template "kong.fullname" . }}"
+  name: {{ template "kong.fullname" . }}
   labels:
-    app: "{{ template "kong.name" . }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
 spec:
   {{- if .Values.podDisruptionBudget.minAvailable }}
   minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
@@ -14,7 +14,5 @@ spec:
   {{- end  }}
   selector:
     matchLabels:
-      app: {{ template "kong.name" . }}
-      release: {{ .Release.Name }}
-      component: app
-{{- end }}
\ No newline at end of file
+      {{- include "kong.metaLabels" . | nindent 6 }}
+{{- end }}
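Review bot: The PodDisruptionBudget `matchLabels` now uses `kong.metaLabels`, while the Service selectors in this same diff use `kong.selectorLabels`; a metaLabels helper conventionally carries chart and version labels that the pods do not, in which case this selector matches nothing and the budget silently protects no pods (the helper bodies are not visible here). Use `{{- include "kong.selectorLabels" . | nindent 6 }}` for the selector. The ServiceMonitor `matchLabels` later in this diff has the same issue.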
diff --git a/helm/infrastructure/subcharts/kong/templates/psp.yaml b/helm/infrastructure/subcharts/kong/templates/psp.yaml
new file mode 100755 (executable)
index 0000000..a627152
--- /dev/null
@@ -0,0 +1,60 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "kong.serviceAccountName" . }}-psp
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+spec:
+  privileged: false
+  fsGroup:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  runAsGroup:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - 'configMap'
+    - 'secret'
+    - 'emptyDir'
+  allowPrivilegeEscalation: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kong.serviceAccountName" . }}-psp
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - extensions
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+    resourceNames:
+      - {{ template "kong.serviceAccountName" . }}-psp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "kong.serviceAccountName" . }}-psp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kong.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "kong.serviceAccountName" . }}-psp
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
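Review bot: The ClusterRoleBinding at the bottom of the hunk sets `namespace: {{ .Release.Namespace }}` in its metadata, but ClusterRoleBinding is cluster-scoped and the field is ignored; drop it so the manifest matches the cluster-scoped PodSecurityPolicy and ClusterRole above it. The ClusterRole grants `use` on podsecuritypolicies through the legacy `extensions` API group while the policy itself is declared under `policy/v1beta1`; the `use` rule is documented against the `policy` group in current Kubernetes, so `apiGroups: [policy]` avoids depending on the old group. With values.yaml defaulting `securityContext.runAsUser: 1000`, `runAsUser: rule: RunAsAny` is looser than the chart needs, and `rule: MustRunAsNonRoot` would make the policy enforce what the chart already does.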
index 40107cb..6e56149 100755 (executable)
@@ -1,3 +1,4 @@
+{{- if .Values.admin.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
@@ -7,10 +8,7 @@ metadata:
       {{ $key }}: {{ $value | quote }}
     {{- end }}
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
 spec:
   type: {{ .Values.admin.type }}
   {{- if eq .Values.admin.type "LoadBalancer" }}
@@ -33,6 +31,5 @@ spec:
   {{- end }}
     protocol: TCP
   selector:
-    app: {{ template "kong.name" . }}
-    release: {{ .Release.Name }}
-    component: app
+    {{- include "kong.selectorLabels" . | nindent 4 }}
+{{- end -}}
index f9a370c..82e4932 100755 (executable)
@@ -8,10 +8,7 @@ metadata:
       {{ $key }}: {{ $value | quote }}
     {{- end }}
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
 spec:
   type: {{ .Values.manager.type }}
   {{- if eq .Values.manager.type "LoadBalancer" }}
@@ -48,10 +45,6 @@ spec:
   {{- end }}
     protocol: TCP
   {{- end }}
-
-
   selector:
-    app: {{ template "kong.name" . }}
-    release: {{ .Release.Name }}
-    component: app
+    {{- include "kong.selectorLabels" . | nindent 4 }}
 {{- end -}}
index aedd1b0..1f61ac2 100755 (executable)
@@ -8,10 +8,7 @@ metadata:
       {{ $key }}: {{ $value | quote }}
     {{- end }}
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
 spec:
   type: {{ .Values.portalapi.type }}
   {{- if eq .Values.portalapi.type "LoadBalancer" }}
@@ -48,10 +45,6 @@ spec:
   {{- end }}
     protocol: TCP
   {{- end }}
-
-
   selector:
-    app: {{ template "kong.name" . }}
-    release: {{ .Release.Name }}
-    component: app
+    {{- include "kong.selectorLabels" . | nindent 4 }}
 {{- end -}}
index 1e336da..c75b0b7 100755 (executable)
@@ -8,10 +8,7 @@ metadata:
       {{ $key }}: {{ $value | quote }}
     {{- end }}
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
 spec:
   type: {{ .Values.portal.type }}
   {{- if eq .Values.portal.type "LoadBalancer" }}
@@ -48,10 +45,6 @@ spec:
   {{- end }}
     protocol: TCP
   {{- end }}
-
-
   selector:
-    app: {{ template "kong.name" . }}
-    release: {{ .Release.Name }}
-    component: app
+    {{- include "kong.selectorLabels" . | nindent 4 }}
 {{- end -}}
index ff3454a..1102eb4 100755 (executable)
@@ -7,10 +7,7 @@ metadata:
       {{ $key }}: {{ $value | quote }}
     {{- end }}
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
+    {{- include "kong.metaLabels" . | nindent 4 }}
 spec:
   type: {{ .Values.proxy.type }}
   {{- if eq .Values.proxy.type "LoadBalancer" }}
@@ -41,7 +38,7 @@ spec:
   {{- if or .Values.proxy.tls.enabled }}
   - name: kong-proxy-tls
     port: {{ .Values.proxy.tls.servicePort }}
-    targetPort: {{ .Values.proxy.tls.containerPort }}
+    targetPort: {{ .Values.proxy.tls.overrideServiceTargetPort | default .Values.proxy.tls.containerPort }}
   {{- if (and (eq .Values.proxy.type "NodePort") (not (empty .Values.proxy.tls.nodePort))) }}
     nodePort: {{ .Values.proxy.tls.nodePort }}
   {{- end }}
@@ -50,8 +47,8 @@ spec:
   {{- if .Values.proxy.externalTrafficPolicy }}
   externalTrafficPolicy: {{ .Values.proxy.externalTrafficPolicy }}
   {{- end }}
-
+  {{- if .Values.proxy.clusterIP }}
+  clusterIP: {{ .Values.proxy.clusterIP }}
+  {{- end }}
   selector:
-    app: {{ template "kong.name" . }}
-    release: {{ .Release.Name }}
-    component: app
+    {{- include "kong.selectorLabels" . | nindent 4 }}
index d138d05..1950641 100755 (executable)
@@ -7,10 +7,10 @@ metadata:
   namespace: {{ .Values.serviceMonitor.namespace }}
   {{- end }}
   labels:
-    app: {{ template "kong.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
+    {{- include "kong.metaLabels" . | nindent 4 }}
+  {{- if .Values.serviceMonitor.labels }}
+    {{ toYaml .Values.serviceMonitor.labels | nindent 4 }}
+  {{- end }}
 spec:
   endpoints:
   - targetPort: metrics
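Review bot: `{{ toYaml .Values.serviceMonitor.labels | nindent 4 }}` has no leading trim marker, so the newline and four spaces before the action survive and the rendered labels block contains a whitespace-only line between the metaLabels and the custom labels; the neighbouring includes all use `{{-`. Change it to `{{- toYaml .Values.serviceMonitor.labels | nindent 4 }}` so the output is uniform.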
@@ -24,6 +24,5 @@ spec:
     - {{ .Release.Namespace }}
   selector:
     matchLabels:
-      app: {{ template "kong.name" . }}
-      release: {{ .Release.Name }}
+      {{- include "kong.metaLabels" . | nindent 6 }}
 {{- end }}
index c61f97f..6d7484e 100755 (executable)
@@ -1,26 +1,41 @@
-################################################################################
-#   Copyright (c) 2019 AT&T Intellectual Property.                             #
-#                                                                              #
-#   Licensed under the Apache License, Version 2.0 (the "License");            #
-#   you may not use this file except in compliance with the License.           #
-#   You may obtain a copy of the License at                                    #
-#                                                                              #
-#       http://www.apache.org/licenses/LICENSE-2.0                             #
-#                                                                              #
-#   Unless required by applicable law or agreed to in writing, software        #
-#   distributed under the License is distributed on an "AS IS" BASIS,          #
-#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
-#   See the License for the specific language governing permissions and        #
-#   limitations under the License.                                             #
-################################################################################
-
-# Default values for kong.
+# Default values for Kong's Helm Chart.
 # Declare variables to be passed into your templates.
+#
+# Sections:
+# - Kong parameters
+# - Ingress Controller parameters
+# - Postgres sub-chart parameters
+# - Miscellaneous parameters
+# - Kong Enterprise parameters
+
+# -----------------------------------------------------------------------------
+# Kong parameters
+# -----------------------------------------------------------------------------
 
+# Specify Kong configurations
+# Kong configurations guide https://docs.konghq.com/latest/configuration
+# Values here take precedence over values from other sections of values.yaml,
+# e.g. setting pg_user here will override the value normally set when postgresql.enabled
+# is set below. In general, you should not set values here if they are set elsewhere.
+env:
+  database: "off"
+  nginx_worker_processes: "1"
+  proxy_access_log: /dev/stdout
+  admin_access_log: /dev/stdout
+  admin_gui_access_log: /dev/stdout
+  portal_api_access_log: /dev/stdout
+  proxy_error_log: /dev/stderr
+  admin_error_log: /dev/stderr
+  admin_gui_error_log: /dev/stderr
+  portal_api_error_log: /dev/stderr
+  prefix: /kong_prefix/
+
+# Specify Kong's Docker image and repository details here
 image:
   repository: kong
+  # repository: kong-docker-kong-enterprise-k8s.bintray.io/kong-enterprise-k8s
   # repository: kong-docker-kong-enterprise-edition-docker.bintray.io/kong-enterprise-edition
-  tag: 1.3
+  tag: 1.4
   pullPolicy: IfNotPresent
   ## Optionally specify an array of imagePullSecrets.
   ## Secrets must be manually created in the namespace.
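Review bot: `tag: 1.4` is an unquoted YAML float; it round-trips for 1.4, but a later bump to a tag such as `1.10` would be parsed as 1.1 and rendered that way, so quote it as `tag: "1.4"` (the `ingressController.image.tag` further down is a string only because it has two dots). The AT&T Apache license header is dropped from this file in the same hunk; if the repository's license scan expects a header on every file, it should be kept above the upstream comment block.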
@@ -30,12 +45,11 @@ image:
   # pullSecrets:
   #   - myRegistrKeySecretName
 
-waitImage:
-  repository: busybox
-  tag: latest
-
-# Specify Kong admin and proxy services configurations
+# Specify Kong admin service configuration
+# Note: It is recommended to not use the Admin API to configure Kong
+# when using Kong as an Ingress Controller.
 admin:
+  enabled: false
   # If you want to specify annotations for the admin service, uncomment the following
   # line, add additional or adjust as needed, and remove the curly braces after 'annotations:'.
   annotations: {}
@@ -50,19 +64,21 @@ admin:
   type: NodePort
   # Set a nodePort which is available
   # nodePort: 32444
-  # Kong admin ingress settings.
+  # Kong admin ingress settings. Useful if you want to expose the Admin
+  # API of Kong outside the k8s cluster.
   ingress:
     # Enable/disable exposure using ingress.
     enabled: false
     # TLS secret name.
     # tls: kong-admin.example.com-tls
-    # Array of ingress hosts.
-    hosts: []
+    # Ingress hostname
+    hostname:
     # Map of ingress annotations.
     annotations: {}
     # Ingress path.
     path: /
 
+# Specify Kong proxy service configuration
 proxy:
   # If you want to specify annotations for the proxy service, uncomment the following
   # line, add additional or adjust as needed, and remove the curly braces after 'annotations:'.
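Review bot: Replacing `hosts: []` with a bare `hostname:` changes both the key and the value type, so an existing override that still sets `admin.ingress.hosts` is silently ignored rather than rejected; the parent chart's values should be checked for that key, since the commit message does not mention the rename. A bare key is `null` in YAML, which works for a template `if` test but is ambiguous to readers — `hostname: ""` or `hostname: null` states the intent. The manager, portal and portalapi hunks later in this diff, and `serviceAccount.name`, have the same shape.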
@@ -81,19 +97,30 @@ proxy:
     enabled: true
     servicePort: 443
     containerPort: 8443
+    # Set a target port for the TLS port in proxy service, useful when using TLS
+    # termination on an ELB.
+    # overrideServiceTargetPort: 8000
     # Set a nodePort which is available if service type is NodePort
     nodePort: 32443
 
   type: NodePort
 
   # Kong proxy ingress settings.
+  # Note: You need this only if you are using another Ingress Controller
+  # to expose Kong outside the k8s cluster.
   ingress:
     # Enable/disable exposure using ingress.
     enabled: false
-    # TLS secret name.
-    # tls: kong-proxy.example.com-tls
-    # Array of ingress hosts.
     hosts: []
+    # TLS section. Unlike other ingresses, this follows the format at
+    # https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+    # tls:
+    # - hosts:
+    #   - 1.example.com
+    #   secretName: example1-com-tls-secret
+    # - hosts:
+    #   - 2.example.net
+    #   secretName: example2-net-tls-secret
     # Map of ingress annotations.
     annotations: {}
     # Ingress path.
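Review bot: The comment for `overrideServiceTargetPort` explains the ELB-termination use case but not its consequence: the Service port named `kong-proxy-tls` then forwards to a non-TLS container port (the example gives 8000), so the hop from the load balancer to the pod is unencrypted. Extending the comment with `# Traffic between the load balancer and the pod is then plaintext.` makes that trade-off visible where the setting is enabled.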
@@ -101,6 +128,281 @@ proxy:
 
   externalIPs: []
 
+# Custom Kong plugins can be loaded into Kong by mounting the plugin code
+# into the file-system of Kong container.
+# The plugin code should be present in ConfigMap or Secret inside the same
+# namespace as Kong is being installed.
+# The `name` property refers to the name of the ConfigMap or Secret
+# itself, while the pluginName refers to the name of the plugin as it appears
+# in Kong.
+plugins: {}
+  # configMaps:
+  # - pluginName: rewriter
+  #   name: kong-plugin-rewriter
+  # secrets:
+  # - pluginName: rewriter
+  #   name: kong-plugin-rewriter
+# Inject specified secrets as a volume in Kong Container at path /etc/secrets/{secret-name}/
+# This can be used to override default SSL certificates
+# Example configuration
+# secretVolumes:
+# - kong-proxy-tls
+# - kong-admin-tls
+secretVolumes: []
+
+# Set runMigrations to run Kong migrations
+runMigrations: true
+
+# Kong's configuration for DB-less mode
+# Note: Use this section only if you are deploying Kong in DB-less mode
+# and not as an Ingress Controller.
+dblessConfig:
+  # Either Kong's configuration is managed from an existing ConfigMap (with Key: kong.yml)
+  configMap: ""
+  # Or the configuration is passed in full-text below
+  config:
+    _format_version: "1.1"
+    services:
+      # Example configuration
+      # - name: example.com
+      #   url: http://example.com
+      #   routes:
+      #   - name: example
+      #     paths:
+      #     - "/example"
+
+# -----------------------------------------------------------------------------
+# Ingress Controller parameters
+# -----------------------------------------------------------------------------
+
+# Kong Ingress Controller's primary purpose is to satisfy Ingress resources
+# created in k8s.  It uses CRDs for more fine grained control over routing and
+# for Kong specific configuration.
+ingressController:
+  enabled: true
+  image:
+    repository: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller
+    tag: 0.7.0
+
+  # Specify Kong Ingress Controller configuration via environment variables
+  env: {}
+
+  admissionWebhook:
+    enabled: false
+    failurePolicy: Fail
+    port: 8080
+
+  ingressClass: kong
+
+  rbac:
+    # Specifies whether RBAC resources should be created
+    create: true
+
+  serviceAccount:
+    # Specifies whether a ServiceAccount should be created
+    create: true
+    # The name of the ServiceAccount to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name:
+
+  installCRDs: true
+
+  # general properties
+  livenessProbe:
+    httpGet:
+      path: "/healthz"
+      port: 10254
+      scheme: HTTP
+    initialDelaySeconds: 5
+    timeoutSeconds: 5
+    periodSeconds: 10
+    successThreshold: 1
+    failureThreshold: 3
+  readinessProbe:
+    httpGet:
+      path: "/healthz"
+      port: 10254
+      scheme: HTTP
+    initialDelaySeconds: 5
+    timeoutSeconds: 5
+    periodSeconds: 10
+    successThreshold: 1
+    failureThreshold: 3
+  resources: {}
+
+# -----------------------------------------------------------------------------
+# Postgres sub-chart parameters
+# -----------------------------------------------------------------------------
+
+# Kong can run without a database or use either Postgres or Cassandra
+# as a backend datatstore for it's configuration.
+# By default, this chart installs Kong without a database.
+
+# If you would like to use a database, there are two options:
+# - (recommended) Deploy and maintain a database and pass the connection
+#   details to Kong via the `env` section.
+# - You can use the below `postgresql` sub-chart to deploy a database
+#   along-with Kong as part of a single Helm release.
+
+# PostgreSQL chart documentation:
+# https://github.com/helm/charts/blob/master/stable/postgresql/README.md
+
+postgresql:
+  enabled: false
+  # postgresqlUsername: kong
+  # postgresqlDatabase: kong
+  # service:
+  #   port: 5432
+
+# -----------------------------------------------------------------------------
+# Miscellaneous parameters
+# -----------------------------------------------------------------------------
+
+waitImage:
+  repository: busybox
+  tag: latest
+  pullPolicy: IfNotPresent
+
+# update strategy
+updateStrategy: {}
+  # type: RollingUpdate
+  # rollingUpdate:
+  #   maxSurge: "100%"
+  #   maxUnavailable: "0%"
+
+# If you want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+resources: {}
+  # limits:
+  #  cpu: 100m
+  #  memory: 128Mi
+  # requests:
+  #  cpu: 100m
+  #  memory: 128Mi
+
+# readinessProbe for Kong pods
+# If using Kong Enterprise with RBAC, you must add a Kong-Admin-Token header
+readinessProbe:
+  httpGet:
+    path: "/status"
+    port: metrics
+    scheme: HTTP
+  initialDelaySeconds: 5
+  timeoutSeconds: 5
+  periodSeconds: 10
+  successThreshold: 1
+  failureThreshold: 3
+
+# livenessProbe for Kong pods
+livenessProbe:
+  httpGet:
+    path: "/status"
+    port: metrics
+    scheme: HTTP
+  initialDelaySeconds: 5
+  timeoutSeconds: 5
+  periodSeconds: 10
+  successThreshold: 1
+  failureThreshold: 3
+
+# Affinity for pod assignment
+# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+# affinity: {}
+
+# Tolerations for pod assignment
+# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+tolerations: []
+
+# Node labels for pod assignment
+# Ref: https://kubernetes.io/docs/user-guide/node-selection/
+nodeSelector: {}
+
+# Annotation to be added to Kong pods
+podAnnotations: {}
+
+# Kong pod count
+replicaCount: 1
+
+# Kong Pod Disruption Budget
+podDisruptionBudget:
+  enabled: false
+  maxUnavailable: "50%"
+
+podSecurityPolicy:
+  enabled: false
+
+# securityContext for Kong pods.
+securityContext:
+  runAsUser: 1000
+
+serviceMonitor:
+  # Specifies whether ServiceMonitor for Prometheus operator should be created
+  enabled: false
+  # interval: 10s
+  # Specifies namespace, where ServiceMonitor should be installed
+  # namespace: monitoring
+  # labels:
+  #   foo: bar
+
+# -----------------------------------------------------------------------------
+# Kong Enterprise parameters
+# -----------------------------------------------------------------------------
+
+# Toggle Kong Enterprise features on or off
+# RBAC and SMTP configuration have additional options that must all be set together
+# Other settings should be added to the "env" settings below
+enterprise:
+  enabled: false
+  # Kong Enterprise license secret name
+  # This secret must contain a single 'license' key, containing your base64-encoded license data
+  # The license secret is required for all Kong Enterprise deployments
+  license_secret: you-must-create-a-kong-license-secret
+  # Session configuration secret
+  # The session conf secret is required if using RBAC or the Portal
+  vitals:
+    enabled: true
+  portal:
+    enabled: false
+    # portal_auth here sets the default authentication mechanism for the Portal
+    # FIXME This can be changed per-workspace, but must currently default to
+    # basic-auth to work around limitations with session configuration
+    portal_auth: basic-auth
+    # If the Portal is enabled and any workspace's Portal uses authentication,
+    # this Secret must contain an portal_session_conf key
+    # The key value must be a secret configuration, following the example at
+    # https://docs.konghq.com/enterprise/latest/developer-portal/configuration/authentication/sessions
+    session_conf_secret: you-must-create-a-portal-session-conf-secret
+  rbac:
+    enabled: false
+    admin_gui_auth: basic-auth
+    # If RBAC is enabled, this Secret must contain an admin_gui_session_conf key
+    # The key value must be a secret configuration, following the example at
+    # https://docs.konghq.com/enterprise/latest/kong-manager/authentication/sessions
+    session_conf_secret: you-must-create-an-rbac-session-conf-secret
+    # If admin_gui_auth is not set to basic-auth, provide a secret name which
+    # has an admin_gui_auth_conf key containing the plugin config JSON
+    admin_gui_auth_conf_secret: you-must-create-an-admin-gui-auth-conf-secret
+  # For configuring emails and SMTP, please read through:
+  # https://docs.konghq.com/enterprise/latest/developer-portal/configuration/smtp
+  # https://docs.konghq.com/enterprise/latest/kong-manager/networking/email
+  smtp:
+    enabled: false
+    portal_emails_from: none@example.com
+    portal_emails_reply_to: none@example.com
+    admin_emails_from: none@example.com
+    admin_emails_reply_to: none@example.com
+    smtp_admin_emails: none@example.com
+    smtp_host: smtp.example.com
+    smtp_port: 587
+    smtp_starttls: true
+    auth:
+      # If your SMTP server does not require authentication, this section can
+      # be left as-is. If smtp_username is set to anything other than an empty
+      # string, you must create a Secret with an smtp_password key containing
+      # your SMTP password and specify its name here.
+      smtp_username: ''  # e.g. postmaster@example.com
+      smtp_password_secret: you-must-create-an-smtp-password
+
 manager:
   # If you want to specify annotations for the Manager service, uncomment the following
   # line, add additional or adjust as needed, and remove the curly braces after 'annotations:'.
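Review bot: `waitImage` still points at `busybox:latest` with `pullPolicy: IfNotPresent`, so the init container that waits for Postgres runs whatever busybox happens to be cached on each node and cannot be reproduced or audited; pin `tag:` to a specific version (or a digest) as the Kong and ingress-controller images already are. Separately, `securityContext` sets only `runAsUser: 1000`; adding `runAsNonRoot: true` beside it costs nothing while the UID is non-root and makes the kubelet refuse to start the container if the UID is later overridden to root. Both values sit under the `Miscellaneous parameters` section of this hunk.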
@@ -130,8 +432,8 @@ manager:
     enabled: false
     # TLS secret name.
     # tls: kong-proxy.example.com-tls
-    # Array of ingress hosts.
-    hosts: []
+    # Ingress hostname
+    hostname:
     # Map of ingress annotations.
     annotations: {}
     # Ingress path.
@@ -168,8 +470,8 @@ portal:
     enabled: false
     # TLS secret name.
     # tls: kong-proxy.example.com-tls
-    # Array of ingress hosts.
-    hosts: []
+    # Ingress hostname
+    hostname:
     # Map of ingress annotations.
     annotations: {}
     # Ingress path.
@@ -206,239 +508,11 @@ portalapi:
     enabled: false
     # TLS secret name.
     # tls: kong-proxy.example.com-tls
-    # Array of ingress hosts.
-    hosts: []
+    # Ingress hostname
+    hostname:
     # Map of ingress annotations.
     annotations: {}
     # Ingress path.
     path: /
 
   externalIPs: []
-
-# Toggle Kong Enterprise features on or off
-# RBAC and SMTP configuration have additional options that must all be set together
-# Other settings should be added to the "env" settings below
-enterprise:
-  enabled: false
-  # Kong Enterprise license secret name
-  # This secret must contain a single 'license' key, containing your base64-encoded license data
-  # The license secret is required for all Kong Enterprise deployments
-  license_secret: you-must-create-a-kong-license-secret
-  # Session configuration secret
-  # The session conf secret is required if using RBAC or the Portal
-  vitals:
-    enabled: true
-  portal:
-    enabled: false
-    # portal_auth here sets the default authentication mechanism for the Portal
-    # FIXME This can be changed per-workspace, but must currently default to
-    # basic-auth to work around limitations with session configuration
-    portal_auth: basic-auth
-    # If the Portal is enabled and any workspace's Portal uses authentication,
-    # this Secret must contain an portal_session_conf key
-    # The key value must be a secret configuration, following the example at https://docs.konghq.com/enterprise/0.35-x/kong-manager/authentication/sessions/
-    session_conf_secret: you-must-create-a-portal-session-conf-secret
-  rbac:
-    enabled: false
-    admin_gui_auth: basic-auth
-    # If RBAC is enabled, this Secret must contain an admin_gui_session_conf key
-    # The key value must be a secret configuration, following the example at https://docs.konghq.com/enterprise/0.35-x/kong-manager/authentication/sessions/
-    session_conf_secret: you-must-create-an-rbac-session-conf-secret
-    # Set to the appropriate plugin config JSON if not using basic-auth
-    admin_gui_auth_conf: {}
-  smtp:
-    enabled: false
-    portal_emails_from: none@example.com
-    portal_emails_reply_to: none@example.com
-    admin_emails_from: none@example.com
-    admin_emails_reply_to: none@example.com
-    smtp_admin_emails: none@example.com
-    smtp_host: smtp.example.com
-    smtp_port: 587
-    smtp_starttls: true
-    auth:
-      # If your SMTP server does not require authentication, this section can
-      # be left as-is. If smtp_username is set to anything other than an empty
-      # string, you must create a Secret with an smtp_password key containing
-      # your SMTP password and specify its name here.
-      smtp_username: ''  # e.g. postmaster@example.com
-      smtp_password_secret: you-must-create-an-smtp-password
-
-# Set runMigrations to run Kong migrations
-runMigrations: true
-
-# update strategy
-updateStrategy: {}
-  # type: RollingUpdate
-  # rollingUpdate:
-  #   maxSurge: "100%"
-  #   maxUnavailable: "0%"
-
-# Specify Kong configurations
-# Kong configurations guide https://getkong.org/docs/latest/configuration/
-# Values here take precedence over values from other sections of values.yaml,
-# e.g. setting pg_user here will override the value normally set when postgresql.enabled
-# is set below. In general, you should not set values here if they are set elsewhere.
-env:
-  database: off
-  proxy_access_log: /dev/stdout
-  admin_access_log: /dev/stdout
-  admin_gui_access_log: /dev/stdout
-  portal_api_access_log: /dev/stdout
-  proxy_error_log: /dev/stderr
-  admin_error_log: /dev/stderr
-  admin_gui_error_log: /dev/stderr
-  portal_api_error_log: /dev/stderr
-
-# If you want to specify resources, uncomment the following
-# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-resources: {}
-  # limits:
-  #  cpu: 100m
-  #  memory: 128Mi
-  # requests:
-  #  cpu: 100m
-  #  memory: 128Mi
-
-# readinessProbe for Kong pods
-# If using Kong Enterprise with RBAC, you must add a Kong-Admin-Token header
-readinessProbe:
-  httpGet:
-    path: "/status"
-    port: admin
-    scheme: HTTPS
-  initialDelaySeconds: 30
-  timeoutSeconds: 1
-  periodSeconds: 10
-  successThreshold: 1
-  failureThreshold: 5
-
-# livenessProbe for Kong pods
-# If using Kong Enterprise with RBAC, you must add a Kong-Admin-Token header
-livenessProbe:
-  httpGet:
-    path: "/status"
-    port: admin
-    scheme: HTTPS
-  initialDelaySeconds: 30
-  timeoutSeconds: 5
-  periodSeconds: 30
-  successThreshold: 1
-  failureThreshold: 5
-
-# Affinity for pod assignment
-# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-# affinity: {}
-
-# Tolerations for pod assignment
-# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-tolerations: []
-
-# Node labels for pod assignment
-# Ref: https://kubernetes.io/docs/user-guide/node-selection/
-nodeSelector: {}
-
-# Annotation to be added to Kong pods
-podAnnotations: {}
-
-# Kong pod count
-replicaCount: 1
-
-# Kong Pod Disruption Budget
-podDisruptionBudget:
-  enabled: false
-  maxUnavailable: "50%"
-
-# Kong has a choice of either Postgres or Cassandra as a backend datatstore.
-# This chart allows you to choose either of them with the `database.type`
-# parameter.  Postgres is chosen by default.
-
-# Additionally, this chart allows you to use your own database or spin up a new
-# instance by using the `postgres.enabled` or `cassandra.enabled` parameters.
-# Enabling both will create both databases in your cluster, but only one
-# will be used by Kong based on the `env.database` parameter.
-# Postgres is enabled by default.
-
-# Cassandra chart configs
-cassandra:
-  enabled: false
-
-# PostgreSQL chart configs
-postgresql:
-  enabled: false
-  postgresqlUsername: kong
-  postgresqlDatabase: kong
-  service:
-    port: 5432
-
-# Kong Ingress Controller's primary purpose is to satisfy Ingress resources
-# created in k8s.  It uses CRDs for more fine grained control over routing and
-# for Kong specific configuration.
-ingressController:
-  enabled: true
-  image:
-    repository: kong-docker-kubernetes-ingress-controller.bintray.io/kong-ingress-controller
-    tag: 0.6.0
-  replicaCount: 1
-  livenessProbe:
-    failureThreshold: 3
-    httpGet:
-      path: "/healthz"
-      port: 10254
-      scheme: HTTP
-    initialDelaySeconds: 30
-    periodSeconds: 10
-    successThreshold: 1
-    timeoutSeconds: 5
-  readinessProbe:
-    failureThreshold: 3
-    httpGet:
-      path: "/healthz"
-      port: 10254
-      scheme: HTTP
-      initialDelaySeconds: 30
-    periodSeconds: 10
-    successThreshold: 1
-    timeoutSeconds: 5
-
-  installCRDs: true
-
-  rbac:
-    # Specifies whether RBAC resources should be created
-    create: true
-
-  serviceAccount:
-    # Specifies whether a ServiceAccount should be created
-    create: true
-    # The name of the ServiceAccount to use.
-    # If not set and create is true, a name is generated using the fullname template
-    name:
-
-  ingressClass: kong
-
-  podDisruptionBudget:
-    enabled: false
-    maxUnavailable: "50%"
-
-# We pass the dbless (declarative) config over here.
-dblessConfig:
-  # Either Kong's configuration is managed from an existing ConfigMap (with Key: kong.yml)
-  configMap: ""
-  # Or the configuration is passed in full-text below
-  config:
-    _format_version: "1.1"
-    services:
-      # Example configuration
-      # - name: example.com
-      #   url: http://example.com
-      #   routes:
-      #   - name: example
-      #     paths:
-      #     - "/example"
-
-serviceMonitor:
-  # Specifies whether ServiceMonitor for Prometheus operator should be created
-  enabled: false
-  # interval: 10s
-  # Specifies namespace, where ServiceMonitor should be installed
-  # namespace: monitoring