diff --git a/.gitignore b/.gitignore index e8e448bd..ac014e38 100644 --- a/.gitignore +++ b/.gitignore @@ -2,7 +2,6 @@ postgres.txt **/charts/ notes/ Chart.lock -service.* *.crt *.key *.csr diff --git a/.secrets.baseline b/.secrets.baseline index 09b1d25d..d16220d2 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -330,14 +330,14 @@ "hashed_secret": "2546383b95bb44732e9be6a877fd476c0442fdab", "is_secret": false, "is_verified": false, - "line_number": 51, + "line_number": 52, "type": "Secret Keyword" }, { "hashed_secret": "d84ce25b0f9bc2cc263006ae39453efb22cc2900", "is_secret": false, "is_verified": false, - "line_number": 53, + "line_number": 54, "type": "Secret Keyword" } ], diff --git a/Secrets/TLS/README.md b/Secrets/TLS/README.md deleted file mode 100644 index a676ae32..00000000 --- a/Secrets/TLS/README.md +++ /dev/null @@ -1,28 +0,0 @@ -# Creating and Using Gen3 Certs in Helm - -In this directory we have a `development.aced-idp.org.crt` and `development.aced-idp.org.key` file that together make up the SSL certification used for our site (https://aced-training.compbio.ohsu.edu for development purposes). These files can then be plugged into the `gen3-certs.yaml` file and included in subsequent `helm upgrade` commands. - -## 1. Add the certificate and key values - -```yaml -global: - tls: - cert: | - - key: | - -``` - -*Note*: This `tls.cert` and `tls.key` configuration will be passed by Helm into `helm/revproxy/templates/tls.yaml` and must match the key-value format found in that file. - -## 2. Use the new yaml file in Helm - -```sh -helm upgrade --install local ./helm/gen3 \ - -f Secrets values.yaml \ - -f Secrets/user.yaml \ - -f Secrets/fence-config.yaml \ - -f Secrets/TLS/gen3-certs.yaml -``` - -The 'myCA' files are the Certificate Authority backing the actual TLS certificates. Importing the myCA.pem file into the macOS keyring allows us to access https://development.aced-idp.org in the browser. 
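Review bot: Dropping `service.*` from .gitignore un-ignores every file matching that pattern, not only the `templates/service.yaml` files this commit adds; the pattern sat next to `*.crt`, `*.key` and `*.csr`, so it may have been guarding locally generated credential files (service-account keys or similar), which `git add .` would now pick up. A narrower change keeps the existing line and adds a negation below it: `service.*` followed by `!**/templates/service.yaml`. If the pattern only ever hid scratch files, a one-line comment next to it saying so would spare the next reader the same question.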
diff --git a/Secrets/TLS/gen3-certs-example.yaml b/Secrets/TLS/gen3-certs-example.yaml deleted file mode 100644 index d0980a91..00000000 --- a/Secrets/TLS/gen3-certs-example.yaml +++ /dev/null @@ -1,10 +0,0 @@ -global: - tls: - cert: | - -----BEGIN CERTIFICATE----- - foo - -----END CERTIFICATE----- - key: | - -----BEGIN RSA PRIVATE KEY----- - bar - -----END RSA PRIVATE KEY----- diff --git a/helm/common/README.md b/helm/common/README.md index 75e6a5d7..dc256732 100644 --- a/helm/common/README.md +++ b/helm/common/README.md 
@@ -1,31 +1,30 @@ # common -![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for provisioning databases in gen3 ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| global.ddEnabled | bool | `false` | Whether Datadog is enabled. | -| global.dev | bool | `true` | Whether the deployment is for development purposes. | -| global.dictionaryUrl | string | `"https://s3.amazonaws.com/dictionary-artifacts/datadictionary/develop/schema.json"` | URL of the data dictionary. | -| global.dispatcherJobNum | int | `"10"` | Number of dispatcher jobs. | -| global.environment | string | `"default"` | Environment name. This should be the same as vpcname if you're doing an AWS deployment. Currently this is being used to share ALB's if you have multiple namespaces. Might be used other places too. | -| global.hostname | string | `"localhost"` | Hostname for the deployment. | -| global.kubeBucket | string | `"kube-gen3"` | S3 bucket name for Kubernetes manifest files. | -| global.logsBucket | string | `"logs-gen3"` | S3 bucket name for log files. | -| global.netPolicy | bool | `true` | Whether network policies are enabled. | -| global.portalApp | string | `"gitops"` | Portal application name. | -| global.postgres.dbCreate | bool | `true` | Whether the database should be created. | -| global.postgres.externalSecret | string | `""` | Name of external secret. 
Disabled if empty | -| global.postgres.master | map | `{"host":null,"password":null,"port":"5432","username":"postgres"}` | Master credentials to postgres. This is going to be the default postgres server being used for each service, unless each service specifies their own postgres | -| global.postgres.master.host | string | `nil` | hostname of postgres server | -| global.postgres.master.password | string | `nil` | password for superuser in postgres. This is used to create or restore databases | -| global.postgres.master.port | string | `"5432"` | Port for Postgres. | -| global.postgres.master.username | string | `"postgres"` | username of superuser in postgres. This is used to create or restore databases | -| global.publicDataSets | bool | `true` | Whether public datasets are enabled. | -| global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | -| global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | - +| Key | Type | Default | Description | +| ------------------------------- | ------ | ------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| global.ddEnabled | bool | `false` | Whether Datadog is enabled. | +| global.dev | bool | `true` | Whether the deployment is for development purposes. | +| global.dictionaryUrl | string | `"https://s3.amazonaws.com/dictionary-artifacts/datadictionary/develop/schema.json"` | URL of the data dictionary. | +| global.dispatcherJobNum | int | `"10"` | Number of dispatcher jobs. | +| global.environment | string | `"default"` | Environment name. 
This should be the same as vpcname if you're doing an AWS deployment. Currently this is being used to share ALB's if you have multiple namespaces. Might be used other places too. | +| global.hostname | string | `"localhost"` | Hostname for the deployment. | +| global.kubeBucket | string | `"kube-gen3"` | S3 bucket name for Kubernetes manifest files. | +| global.logsBucket | string | `"logs-gen3"` | S3 bucket name for log files. | +| global.netPolicy | bool | `true` | Whether network policies are enabled. | +| global.portalApp | string | `"gitops"` | Portal application name. | +| global.postgres.dbCreate | bool | `true` | Whether the database should be created. | +| global.postgres.externalSecret | string | `""` | Name of external secret. Disabled if empty | +| global.postgres.master | map | `{"host":null,"password":null,"port":"5432","username":"postgres"}` | Master credentials to postgres. This is going to be the default postgres server being used for each service, unless each service specifies their own postgres | +| global.postgres.master.host | string | `nil` | hostname of postgres server | +| global.postgres.master.password | string | `nil` | password for superuser in postgres. This is used to create or restore databases | +| global.postgres.master.port | string | `"5432"` | Port for Postgres. | +| global.postgres.master.username | string | `"postgres"` | username of superuser in postgres. This is used to create or restore databases | +| global.publicDataSets | bool | `true` | Whether public datasets are enabled. | +| global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. | +| global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` | diff --git a/helm/fence/README.md b/helm/fence/README.md index ea03a462..7f318071 100644 --- a/helm/fence/README.md 
+++ b/helm/fence/README.md @@ -186,7 +186,7 @@ A Helm chart for gen3 Fence | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.name | string | `"fence-sa"` | The name of the service account | | tolerations | list | `[]` | Tolerations for the pods | -| usersync | map | `{"addDbgap":false,"custom_image":null,"onlyDbgap":false,"schedule":"*/30 * * * *","slack_send_dbgap":false,"slack_webhook":"None","syncFromDbgap":false,"userYamlS3Path":"s3://cdis-gen3-users/helm-test/user.yaml","usersync":true}` | Configuration options for usersync cronjob. | +| usersync | map | `{"addDbgap":false,"custom_image":null,"onlyDbgap":false,"schedule":"*/30 * * * *","slack_send_dbgap":false,"slack_webhook":"None","syncFromDbgap":false,"userYamlS3Path":"s3://cdis-gen3-users/helm-test/user.yaml","usersync":false}` | Configuration options for usersync cronjob. | | usersync.addDbgap | bool | `false` | Force attempting a dbgap sync if "true", falls back on user.yaml | | usersync.custom_image | string | `nil` | To set a custom image for pulling the user.yaml file from S3. Default is the Gen3 Awshelper image. | | usersync.onlyDbgap | bool | `false` | Forces ONLY a dbgap sync if "true", IGNORING user.yaml | diff --git a/helm/fhir-server/templates/server-config.yaml b/helm/fhir-server/templates/server-config.yaml index b0b6240b..fb3398eb 100644 --- a/helm/fhir-server/templates/server-config.yaml +++ b/helm/fhir-server/templates/server-config.yaml 
@@ -3,6 +3,8 @@ kind: ConfigMap metadata: name: fhir-server-config data: - serviceName: {{ .Values.serviceName | quote }} - gripServiceName: {{ .Values.fhirServerConfig.gripServiceName | quote}} - gripGraphName: {{ .Values.fhirServerConfig.gripGraphName | quote}} + serviceName: {{ .Values.serviceName | default "fhir-server-service" | quote }} + {{- if .Values.fhirServerConfig }} + gripServiceName: {{ .Values.fhirServerConfig.gripServiceName | default "grip-service" | quote }} + gripGraphName: {{ .Values.fhirServerConfig.gripGraphName | default "CALIPER" | quote }} + {{- end }} diff --git a/helm/fhir-server/templates/service.yaml b/helm/fhir-server/templates/service.yaml new file mode 100644 index 00000000..0020c8f0 --- /dev/null +++ b/helm/fhir-server/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.serviceName | quote }} + labels: + {{- include "fhir-server.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "fhir-server.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/helm/frontend-framework/Chart.yaml b/helm/frontend-framework/Chart.yaml index a86f9eb1..1a1f74d6 100644 --- a/helm/frontend-framework/Chart.yaml +++ b/helm/frontend-framework/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 +version: 0.1.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/frontend-framework/README.md b/helm/frontend-framework/README.md index 8c515bb3..da8e909a 100644 
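Review bot: `serviceName` now defaults to `fhir-server-service` in the ConfigMap, but the new service.yaml in the same commit renders `name: {{ .Values.serviceName | quote }}` with no default, so a values file that omits `serviceName` yields a ConfigMap pointing at `fhir-server-service` and a Service with an empty name that the API server rejects. Apply the same default there, `name: {{ .Values.serviceName | default "fhir-server-service" | quote }}`, or better, put the default in values.yaml so both templates read one source. The `{{- if .Values.fhirServerConfig }}` guard means a consumer who sets neither key gets no `gripServiceName`/`gripGraphName` entries at all instead of the defaults; if the defaults are meant to apply unconditionally, a lookup that tolerates a missing parent, such as `{{ (.Values.fhirServerConfig | default dict).gripServiceName | default "grip-service" | quote }}`, avoids the nil-pointer error without dropping the keys. service.yaml also lacks a trailing newline, unlike the other templates in the chart.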
--- a/helm/frontend-framework/README.md +++ b/helm/frontend-framework/README.md @@ -1,6 +1,6 @@ # frontend-framework -![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: develop](https://img.shields.io/badge/AppVersion-develop-informational?style=flat-square) +![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: develop](https://img.shields.io/badge/AppVersion-develop-informational?style=flat-square) A Helm chart for the gen3 frontend framework @@ -8,7 +8,7 @@ A Helm chart for the gen3 frontend framework | Repository | Name | Version | |------------|------|---------| -| file://../common | common | 0.1.10 | +| file://../common | common | 0.1.12 | ## Values 
@@ -32,6 +32,7 @@ A Helm chart for the gen3 frontend framework | datadogLogsInjection | bool | `false` | If enabled, the Datadog Agent will automatically inject Datadog-specific metadata into your application logs. | | datadogProfilingEnabled | bool | `false` | If enabled, the Datadog Agent will collect profiling data for your application using the Continuous Profiler. This data can be used to identify performance bottlenecks and optimize your application. | | datadogTraceSampleRate | int | `1` | A value between 0 and 1, that represents the percentage of requests that will be traced. For example, a value of 0.5 means that 50% of requests will be traced. | +| env | list | `[]` | List of environment variables to add to the deployment. | | fullnameOverride | string | `""` | Override the full name of the deployment. | | global | map | `{"aws":{"awsAccessKeyId":null,"awsSecretAccessKey":null,"enabled":false},"ddEnabled":false,"dev":true,"dictionaryUrl":"https://s3.amazonaws.com/dictionary-artifacts/datadictionary/develop/schema.json","dispatcherJobNum":10,"environment":"default","hostname":"localhost","kubeBucket":"kube-gen3","logsBucket":"logs-gen3","netPolicy":true,"portalApp":"gitops","postgres":{"dbCreate":true,"master":{"host":null,"password":null,"port":"5432","username":"postgres"}},"publicDataSets":true,"revproxyArn":"arn:aws:acm:us-east-1:123456:certificate","syncFromDbgap":false,"tierAccessLevel":"libre","userYamlS3Path":"s3://cdis-gen3-users/test/user.yaml"}` | Global configuration options. | | global.aws | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null,"enabled":false}` | AWS configuration | diff --git a/helm/frontend-framework/templates/configMap.yaml b/helm/frontend-framework/templates/configMap.yaml new file mode 100644 index 00000000..f8cd1c23 --- /dev/null +++ b/helm/frontend-framework/templates/configMap.yaml 
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "frontend-framework.fullname" . }}-configmap + labels: + {{- include "frontend-framework.labels" . | nindent 4 }} +data: + {{- range $key, $val := .Values.env }} + {{ $key }}: {{ $val | quote }} + {{- end }} \ No newline at end of file diff --git a/helm/frontend-framework/templates/deployment.yaml b/helm/frontend-framework/templates/deployment.yaml index ccb18398..67699b85 100644 --- a/helm/frontend-framework/templates/deployment.yaml +++ b/helm/frontend-framework/templates/deployment.yaml @@ -12,13 +12,13 @@ spec: matchLabels: {{- include "frontend-framework.selectorLabels" . | nindent 6 }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - strategy: {{- toYaml .Values.strategy | nindent 8 }} template: metadata: - {{- with .Values.podAnnotations }} annotations: + checksum/config: {{ include (print $.Template.BasePath "/configMap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} labels: @@ -62,6 +62,10 @@ spec: - containerPort: 80 name: http protocol: TCP + envFrom: + - configMapRef: + name: {{ include "frontend-framework.fullname" . }}-configmap + optional: true env: {{- if .Values.global.ddEnabled }} {{- include "common.datadogEnvVar" . | nindent 12 }} diff --git a/helm/frontend-framework/values.yaml b/helm/frontend-framework/values.yaml index 03bb3777..c69fc102 100644 --- a/helm/frontend-framework/values.yaml +++ b/helm/frontend-framework/values.yaml @@ -122,6 +122,9 @@ autoscaling: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 +# -- (list) List of environment variables to add to the deployment. +env: [] + # -- (map) Node selector to apply to the pod nodeSelector: {} diff --git a/helm/gen3/Chart.yaml b/helm/gen3/Chart.yaml index fb5bb52d..a06118a8 100644 --- a/helm/gen3/Chart.yaml +++ b/helm/gen3/Chart.yaml 
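Review bot: configMap.yaml iterates `.Values.env` with `range $key, $val` and emits `{{ $key }}: {{ $val | quote }}`, which is map iteration, yet values.yaml declares `env: []` and the README describes it as a list; with a list, `$key` is the integer index, so `env: ["FOO=bar"]` renders a ConfigMap entry `0: "FOO=bar"` and the container receives a variable named `0`. Declare and document it as a map, `env: {}` with `# -- (map) Environment variables (NAME: value) injected into the deployment through a ConfigMap`, which also matches how the new image-viewer chart declares `env:`. Because these values land in a ConfigMap consumed via `envFrom`, anything secret-shaped placed in `env` is stored in clear text and readable by anyone with ConfigMap access; the comment should direct such values to a Secret instead. In the deployment.yaml hunk a `strategy:` line is removed while, as far as the collapsed diff shows, `{{- toYaml .Values.strategy | nindent 8 }}` remains; if that is the case the strategy fields render loose under `spec`, so the template should be confirmed with `helm template`.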
@@ -32,7 +32,7 @@ dependencies: repository: file://../etl condition: etl.enabled - name: frontend-framework - version: 0.1.1 + version: 0.1.2 repository: "file://../frontend-framework" condition: frontend-framework.enabled - name: fence @@ -68,7 +68,7 @@ dependencies: repository: "file://../metadata" condition: metadata.enabled - name: mongodb - version: "13.16.3" + version: "16.0.3" repository: "file://../mongodb" condition: mongodb.enabled - name: portal @@ -76,7 +76,7 @@ dependencies: repository: "file://../portal" condition: portal.enabled - name: requestor - version: 0.1.11 + version: 0.1.16 repository: "file://../requestor" condition: requestor.enabled - name: revproxy @@ -103,6 +103,14 @@ dependencies: version: 11.9.13 repository: "https://charts.bitnami.com/bitnami" condition: global.dev +- name: image-viewer + version: 0.1.0 + repository: "file://../image-viewer" + condition: image-viewer.enabled +- name: viv + version: 0.1.0 + repository: "file://../viv" + condition: viv.enabled # A chart can be either an 'application' or a 'library' chart. # diff --git a/helm/gen3/README.md b/helm/gen3/README.md index 6722390f..7351eb32 100644 --- a/helm/gen3/README.md +++ b/helm/gen3/README.md @@ -2,6 +2,7 @@ ![Version: 0.1.21](https://img.shields.io/badge/Version-0.1.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) + Helm chart to deploy Gen3 Data Commons ## Maintainers diff --git a/helm/grip/templates/deployment.yaml b/helm/grip/templates/deployment.yaml index 781c67c3..00f82ac2 100644 --- a/helm/grip/templates/deployment.yaml +++ b/helm/grip/templates/deployment.yaml 
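Review bot: The mongodb dependency moves from 13.16.3 to 16.0.3, which per the vendored Chart.yaml later in this diff takes appVersion from 6.0.8 to 8.0.1, two MongoDB major releases in a single chart upgrade; MongoDB's documented upgrade path steps through each major version with `featureCompatibilityVersion` raised at every step, so a persistent volume created under the 13.x chart is unlikely to start cleanly on 8.0.1. The commit message or the gen3 README should state whether existing deployments are expected to be re-created or migrated. The new `image-viewer` and `viv` dependencies are added with `condition` flags, but no values.yaml hunk in this diff sets `image-viewer.enabled` or `viv.enabled`; presumably they default to unset, and the README values table should say so.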
@@ -31,6 +31,19 @@ spec:
 - name: mongo-config-volume
 configMap:
 name: grip-values
+ initContainers:
+ - name: wait-for-mongodb
+ image: busybox:1.35
+ command:
+ - "/bin/sh"
+ - "-c"
+ - |
+ echo "Waiting for MongoDB to be available..."
+ until nc -zv mongodb-service 27017; do
+ echo "MongoDB is not ready, sleeping..."
+ sleep 5
+ done
+ echo "MongoDB is running"
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
diff --git a/helm/grip/templates/post-install.yaml b/helm/grip/templates/post-install.yaml
index 5814a37a..71057cb4 100644
--- a/helm/grip/templates/post-install.yaml
+++ b/helm/grip/templates/post-install.yaml
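Review bot: The `wait-for-mongodb` initContainer hard-codes `mongodb-service` and `27017` in the nc loop, so it silently breaks when the MongoDB release or service name changes, and the `until` loop has no upper bound, so a wrong host leaves the pod in `Init:0/1` indefinitely instead of failing with a readable message. Take host and port from values (a key such as `mongodb.host`, constructed here as an example) and bound the loop, e.g. `i=0; until nc -z "$HOST" "$PORT"; do i=$((i+1)); [ "$i" -ge 60 ] && exit 1; sleep 5; done`. `busybox:1.35` is a floating minor tag; pin a full version or digest so the init image cannot change underneath a rollout. The `containers` block continues outside the hunk.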
@@ -11,13 +11,25 @@ spec: spec: containers: - name: grip - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + # Use an Alpine image with curl pre-installed + image: "curlimages/curl:latest" imagePullPolicy: Always - env: - {{- toYaml .Values.env | nindent 10 }} - command: ["/bin/sh" ] + command: ["/bin/sh"] args: - "-c" - | - apk add --no-cache curl && sleep 10 && curl -X POST 'http://{{ .Values.serviceName }}:8201/v1/graph/CALIPER' + echo "Waiting for the grip service to be available..." + until curl -s --head --request GET http://{{ .Values.serviceName }}:8201/graphql/_status | grep "200 OK" > /dev/null; do + echo "Grip service not ready, retrying in 5 seconds..." + sleep 5 + done + echo "Grip is online. Creating CALIPER Graph" + curl -X POST 'http://{{ .Values.serviceName }}:8201/v1/graph/CALIPER' + echo "Adding Caliper schema from https://raw.githubusercontent.com/bmeg/iceberg/7f6cfdb558d05370fc645b5ab894b98b38a01e1b/schemas/graph/graph-fhir.json" + curl -s https://raw.githubusercontent.com/bmeg/iceberg/7f6cfdb558d05370fc645b5ab894b98b38a01e1b/schemas/graph/graph-fhir.json -o /tmp/schema.json + echo '{"graph":"CALIPER","data":' > /tmp/request.json + cat /tmp/schema.json >> /tmp/request.json + echo '}' >> /tmp/request.json + curl -X POST --header "Content-Type: application/json" --data @/tmp/request.json http://{{ .Values.serviceName }}:8201/v1/graph/CALIPER/jsonschema + restartPolicy: OnFailure diff --git a/helm/image-viewer/.helmignore b/helm/image-viewer/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/helm/image-viewer/.helmignore 
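Review bot: The schema download `curl -s https://raw.githubusercontent.com/... -o /tmp/schema.json` has no `-f`/`--fail`, so a 404 or rate-limit page is written to /tmp/schema.json and posted to `/v1/graph/CALIPER/jsonschema` as though it were the schema, and with no `set -e` the hook still exits 0 and the Job reports success. Pinning the upstream commit hash in the URL is good; add `-f` to every curl call, start the script with `set -eu`, and fail the final POST explicitly with `|| exit 1`. `curlimages/curl:latest` replaces the previously versioned image with a mutable tag pulled under `imagePullPolicy: Always`, so successive hook runs may execute different binaries; pin a version or digest. The readiness check greps for the literal `200 OK`, which only matches an HTTP/1.1 status line; `curl -sf -o /dev/null http://{{ .Values.serviceName }}:8201/graphql/_status` and its exit status is the sturdier test. Removing the `env:` block also drops `.Values.env` from the hook container, which the commit message should mention if anything relied on it.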
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm/image-viewer/Chart.yaml b/helm/image-viewer/Chart.yaml new file mode 100644 index 00000000..1fba1a5a --- /dev/null +++ b/helm/image-viewer/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: image-viewer +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/helm/image-viewer/README.md b/helm/image-viewer/README.md new file mode 100644 index 00000000..ff0df44b --- /dev/null +++ b/helm/image-viewer/README.md 
@@ -0,0 +1,3 @@ +# To get image-viewer to be discoverable to other microservices run the following command + +kc expose deployment local-image-viewer diff --git a/helm/image-viewer/templates/_helpers.tpl b/helm/image-viewer/templates/_helpers.tpl new file mode 100644 index 00000000..3285a603 --- /dev/null +++ b/helm/image-viewer/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "image-viewer.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "image-viewer.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "image-viewer.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "image-viewer.labels" -}} +helm.sh/chart: {{ include "image-viewer.chart" . }} +{{ include "image-viewer.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "image-viewer.selectorLabels" -}} +app.kubernetes.io/name: {{ include "image-viewer.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "image-viewer.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "image-viewer.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/helm/image-viewer/templates/deployment.yaml b/helm/image-viewer/templates/deployment.yaml new file mode 100644 index 00000000..9dff2258 --- /dev/null +++ b/helm/image-viewer/templates/deployment.yaml 
@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: image-viewer-deployment
+ labels:
+ {{- include "image-viewer.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "image-viewer.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "image-viewer.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "image-viewer.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ volumes:
+ - name: mongo-config-volume
+ configMap:
+ name: image-viewer-values
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.service.port }}
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /_health
+ port: 8000
+ initialDelaySeconds: 10
+ periodSeconds: 60
+ timeoutSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /_health
+ port: 8000
+ initialDelaySeconds: 10
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ command:
+ - "/bin/sh"
+ - "-c"
+ - >
+ uvicorn image_viewer.app:app --host 0.0.0.0 --port {{ .Values.service.port }} --reload
+
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
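Review bot: The Deployment is named `image-viewer-deployment`, but hpa.yaml's `scaleTargetRef.name` and tests/test-connection.yaml's wget target both use `{{ include "image-viewer.fullname" . }}`, so the HPA never resolves its target and the helm test addresses a host that does not exist (the Service is named from `.Values.serviceName`); use `name: {{ include "image-viewer.fullname" . }}` here and point the test at `{{ .Values.serviceName }}:{{ .Values.service.port }}`. The liveness and readiness probes hard-code `port: 8000` while the container port comes from `.Values.service.port`; `port: http` keeps them in step. The uvicorn command carries `--reload`, which starts a source file-watcher and restarts the server on changes, development behaviour that wastes CPU in a deployed container; drop it. The `mongo-config-volume` volume (copied from the grip chart) references the `image-viewer-values` ConfigMap, but no container mounts it, so either add a `volumeMounts` entry or remove the volume and its misleading name. With `securityContext: {}` the container runs as whatever user the image defaults to; enabling at least `runAsNonRoot: true` (commented out in values.yaml) is worth doing if the image supports it.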
diff --git a/helm/image-viewer/templates/hpa.yaml b/helm/image-viewer/templates/hpa.yaml
new file mode 100644
index 00000000..010c05d6
--- /dev/null
+++ b/helm/image-viewer/templates/hpa.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "image-viewer.fullname" . }}
+ labels:
+ {{- include "image-viewer.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "image-viewer.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/helm/image-viewer/templates/image-viewer-values.yaml b/helm/image-viewer/templates/image-viewer-values.yaml
new file mode 100644
index 00000000..1f796e40
--- /dev/null
+++ b/helm/image-viewer/templates/image-viewer-values.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: image-viewer-values
+data:
+ serviceName: {{ .Values.serviceName | quote }}
diff --git a/helm/image-viewer/templates/service.yaml b/helm/image-viewer/templates/service.yaml
new file mode 100644
index 00000000..6aab031c
--- /dev/null
+++ b/helm/image-viewer/templates/service.yaml
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.serviceName}} + labels: + {{- include "image-viewer.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "image-viewer.selectorLabels" . | nindent 4 }} + diff --git a/helm/image-viewer/templates/serviceaccount.yaml b/helm/image-viewer/templates/serviceaccount.yaml new file mode 100644 index 00000000..2b087a7e --- /dev/null +++ b/helm/image-viewer/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "image-viewer.serviceAccountName" . }} + labels: + {{- include "image-viewer.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/helm/image-viewer/templates/tests/test-connection.yaml b/helm/image-viewer/templates/tests/test-connection.yaml new file mode 100644 index 00000000..3a5f5df7 --- /dev/null +++ b/helm/image-viewer/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "image-viewer.fullname" . }}-test-connection" + labels: + {{- include "image-viewer.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "image-viewer.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/helm/image-viewer/values.yaml b/helm/image-viewer/values.yaml new file mode 100644 index 00000000..ffa037c4 --- /dev/null +++ b/helm/image-viewer/values.yaml 
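Review bot: `name: {{ .Values.serviceName}}` is written differently from the sibling fhir-server service.yaml in this same commit, which pipes the value through `quote`; use `name: {{ .Values.serviceName | quote }}` so a numeric-looking or empty value does not render as a bare YAML scalar, and drop the trailing blank line. In tests/test-connection.yaml the pod pulls the unpinned `busybox` tag; pin it to a version as the grip initContainer does so the test image cannot drift. The test's host mismatch with the Service name is raised in the deployment.yaml note.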
@@ -0,0 +1,66 @@ +# Default values for image-viewer. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 +serviceName: image-viewer-service + +image: + repository: quay.io/ohsu-comp-bio/gen3-image-viewer + pullPolicy: Always + tag: "development" + + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 8000 + +resources: + limits: + cpu: 2.0 + memory: 2Gi + requests: + cpu: 0.2 + memory: 256Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +env: + BASE_URL: "/aviator/?image_url=" diff --git a/helm/mongodb/.helmignore b/helm/mongodb/.helmignore index f0c13194..207983f3 100644 --- a/helm/mongodb/.helmignore +++ b/helm/mongodb/.helmignore @@ -19,3 +19,7 @@ .project .idea/ *.tmproj +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/helm/mongodb/Chart.yaml b/helm/mongodb/Chart.yaml index f954e41c..ba63e174 100644 --- a/helm/mongodb/Chart.yaml +++ b/helm/mongodb/Chart.yaml 
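Review bot: `env:` with `BASE_URL: "/aviator/?image_url="` is declared here, but none of the image-viewer templates in this commit reads `.Values.env` — deployment.yaml has no `env` or `envFrom`, and the `image-viewer-values` ConfigMap carries only `serviceName` — so the setting is dead; either wire it through the ConfigMap the way the frontend-framework chart does in this same commit, or remove it. `tag: "development"` combined with `pullPolicy: Always` means every pod restart may pull a different image; for anything beyond local development, pin a version and say so in a comment. Chart.yaml's `appVersion: "1.16.0"` is the scaffold default rather than this application's version, yet it is rendered into the `app.kubernetes.io/version` label and is the fallback image tag; set it to the real version. The `description: A Helm chart for Kubernetes` placeholder in Chart.yaml should likewise say what image-viewer is.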
@@ -1,31 +1,42 @@
-# Copyright VMware, Inc.
+# Copyright Broadcom, Inc. All Rights Reserved.
 # SPDX-License-Identifier: APACHE-2.0
 annotations:
 category: Database
 licenses: Apache-2.0
+ images: |
+ - name: kubectl
+ image: docker.io/bitnami/kubectl:1.31.1-debian-12-r3
+ - name: mongodb
+ image: docker.io/bitnami/mongodb:8.0.1-debian-12-r0
+ - name: mongodb-exporter
+ image: docker.io/bitnami/mongodb-exporter:0.41.1-debian-12-r1
+ - name: nginx
+ image: docker.io/bitnami/nginx:1.27.2-debian-12-r0
+ - name: os-shell
+ image: docker.io/bitnami/os-shell:12-debian-12-r31
 apiVersion: v2
-appVersion: 6.0.8
+appVersion: 8.0.1
 dependencies:
- - name: common
- repository: oci://registry-1.docker.io/bitnamicharts
- tags:
- - bitnami-common
- version: 2.x.x
+- name: common
+ repository: oci://registry-1.docker.io/bitnamicharts
+ tags:
+ - bitnami-common
+ version: 2.x.x
 description: MongoDB(R) is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications.
 home: https://bitnami.com
 icon: https://bitnami.com/assets/stacks/mongodb/img/mongodb-stack-220x234.png
 keywords:
- - mongodb
- - database
- - nosql
- - cluster
- - replicaset
- - replication
+- mongodb
+- database
+- nosql
+- cluster
+- replicaset
+- replication
 maintainers:
- - name: VMware, Inc.
- url: https://github.com/bitnami/charts
+- name: Broadcom, Inc. All Rights Reserved.
+ url: https://github.com/bitnami/charts
 name: mongodb
 sources:
- - https://github.com/bitnami/charts/tree/main/bitnami/mongodb
-version: 13.16.3
+- https://github.com/bitnami/charts/tree/main/bitnami/mongodb
+version: 16.0.3
diff --git a/helm/mongodb/README.md b/helm/mongodb/README.md
index 2defbeb8..a1c63fb4 100644
--- a/helm/mongodb/README.md
+++ b/helm/mongodb/README.md
@@ -14,18 +14,91 @@ Disclaimer: The respective trademarks mentioned in the offering are owned by the helm install my-release oci://registry-1.docker.io/bitnamicharts/mongodb ``` +Looking to use MongoDBreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + ## Introduction This chart bootstraps a [MongoDB(®)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use MongoDBreg; in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. +## Architecture + +This chart allows installing MongoDB(®) using two different architecture setups: `standalone` or `replicaset`. Use the `architecture` parameter to choose the one to use: + +```console +architecture="standalone" +architecture="replicaset" +``` + +### Standalone architecture + +The *standalone* architecture installs a deployment (or StatefulSet) with one MongoDB® server (it cannot be scaled): + +```text + ---------------- + | MongoDB® | + | svc | + ---------------- + | + v + ------------ + |MongoDB®| + | Server | + | Pod | + ----------- +``` + +### Replicaset architecture + +The chart also supports the *replicaset* architecture with and without a MongoDB(®) Arbiter: + +When the MongoDB(®) Arbiter is enabled, the chart installs two StatefulSets: A StatefulSet with N MongoDB(®) servers (organised with one primary and N-1 secondary nodes), and a StatefulSet with one MongoDB(®) arbiter node (it cannot be scaled). 
+ +```text + ---------------- ---------------- ---------------- ------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | | Arbiter | + | external svc | | external svc | | external svc | | svc | + ---------------- ---------------- ---------------- ------------- + | | | | + v v v v + ---------------- ---------------- ---------------- -------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | | MongoDB® | + | Server | | Server | | Server | | Arbiter | + | Pod | | Pod | | Pod | | Pod | + ---------------- ---------------- ---------------- -------------- + primary secondary secondary +``` + +The PSA model is useful when the third Availability Zone cannot hold a full MongoDB(®) instance. The MongoDB(®) Arbiter as decision maker is lightweight and can run alongside other workloads. + +> NOTE: An update takes your MongoDB(®) replicaset offline if the Arbiter is enabled and the number of MongoDB(®) replicas is two. Helm applies updates to the StatefulSets for the MongoDB(®) instance and the Arbiter at the same time so you lose two out of three quorum votes. + +Without the Arbiter, the chart deploys a single statefulset with N MongoDB(®) servers (organised with one primary and N-1 secondary nodes). + +```text + ---------------- ---------------- ---------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | + | external svc | | external svc | | external svc | + ---------------- ---------------- ---------------- + | | | + v v v + ---------------- ---------------- ---------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | + | Server | | Server | | Server | + | Pod | | Pod | | Pod | + ---------------- ---------------- ---------------- + primary secondary secondary +``` + +There are no services load balancing requests between MongoDB(®) nodes; instead, each node has an associated service to access them individually. 
+ +> NOTE: Although the first replica is initially assigned the primary role, any of the secondary nodes can become the primary if it is down, or during upgrades. Do not make any assumption about what replica has the primary role. Instead, configure your MongoDB(®) client with the list of MongoDB(®) hostnames so it can dynamically choose the node to send requests. ## Prerequisites -- Kubernetes 1.19+ -- Helm 3.2.0+ +- Kubernetes 1.23+ +- Helm 3.8.0+ - PV provisioner support in the underlying infrastructure ## Installing the Chart 
@@ -33,44 +106,308 @@ Looking to use MongoDBreg; in production? Try [VMware Application Catalog](https To install the chart with the release name `my-release`: ```console -helm install my-release oci://registry-1.docker.io/bitnamicharts/mongodb +helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + The command deploys MongoDB(®) on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details -To uninstall/delete the `my-release` deployment: +### Resource requests and limits -```console -helm delete my-release +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). 
+ +### [Rolling vs Immutable tags](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customize a new MongoDB instance + +The [Bitnami MongoDB(®) image](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) supports the use of custom scripts to initialize a fresh instance. In order to execute the scripts, two options are available: + +- Specify them using the `initdbScripts` parameter as dict. +- Define an external Kubernetes ConfigMap with all the initialization scripts by setting the `initdbScriptsConfigMap` parameter. Note that this will override the previous option. + +The allowed script extensions are `.sh` and `.js`. + +### Replicaset: Access MongoDB(®) nodes from outside the cluster + +In order to access MongoDB(®) nodes from outside the cluster when using a replicaset architecture, a specific service per MongoDB(®) pod will be created. There are two ways of configuring external access: + +- Using LoadBalancer services +- Using NodePort services. + +#### Use LoadBalancer services + +Three alternatives are available to use *LoadBalancer* services: + +- Use random load balancer IP addresses using an *initContainer* that waits for the IP addresses to be ready and discovers them automatically. 
An example deployment configuration is shown below: + + ```yaml + architecture: replicaset + replicaCount: 2 + externalAccess: + enabled: true + service: + type: LoadBalancer + autoDiscovery: + enabled: true + serviceAccount: + create: true + automountServiceAccountToken: true + rbac: + create: true + ``` + + > NOTE: This option requires creating RBAC rules on clusters where RBAC policies are enabled. + +- Manually specify the load balancer IP addresses. An example deployment configuration is shown below, with the placeholder EXTERNAL-IP-ADDRESS-X used in place of the load balancer IP addresses: + + ```yaml + architecture: replicaset + replicaCount: 2 + externalAccess: + enabled: true + service: + type: LoadBalancer + loadBalancerIPs: + - 'EXTERNAL-IP-ADDRESS-1' + - 'EXTERNAL-IP-ADDRESS-2' + ``` + + > NOTE: This option requires knowing the load balancer IP addresses, so that each MongoDB® node's advertised hostname is configured with it. + +- Specify `externalAccess.service.publicNames`. These names must be resolvable by the MongoDB® containers. To ensure that, if this value is set, an initContainer is added to wait for the ip addresses associated to those names. We can combine this feature with `external-dns`, setting the required annotations to configure the load balancer names: + + ```yaml + architecture: replicaset + replicaCount: 2 + externalAccess: + enabled: true + service: + type: LoadBalancer + publicNames: + - 'mongodb-0.example.com' + - 'mongodb-1.example.com' + annotationsList: + - external-dns.alpha.kubernetes.io/hostname: mongodb-0.example.com + - external-dns.alpha.kubernetes.io/hostname: mongodb-1.example.com + ``` + + > NOTE: If register new DNS records for those names is not an option, the release can be upgraded setting `hostAliases` with the public IPs assigned to the external services. + +#### Use NodePort services + +Manually specify the node ports to use. 
An example deployment configuration is shown below, with the placeholder NODE-PORT-X used in place of the node ports: + +```text +architecture=replicaset +replicaCount=2 +externalAccess.enabled=true +externalAccess.service.type=NodePort +externalAccess.service.nodePorts[0]='NODE-PORT-1' +externalAccess.service.nodePorts[1]='NODE-PORT-2' ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +> NOTE: This option requires knowing the node ports that will be exposed, so each MongoDB® node's advertised hostname is configured with it. -## Architecture +The pod will try to get the external IP address of the node using the command `curl -s https://ipinfo.io/IP-ADDRESS` unless the `externalAccess.service.domain` parameter is set. -This chart allows installing MongoDB(®) using two different architecture setups: `standalone` or `replicaset`. Use the `architecture` parameter to choose the one to use: +### Bootstrapping with an External Cluster -```console -architecture="standalone" -architecture="replicaset" +This chart is equipped with the ability to bring online a set of Pods that connect to an existing MongoDB(®) deployment that lies outside of Kubernetes. This effectively creates a hybrid MongoDB(®) Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single MongoDB(®) Deployment. This is helpful in situations where one may be migrating MongoDB(®) from Virtual Machines into Kubernetes, for example. To take advantage of this, use the following as an example configuration: + +```yaml +externalAccess: + externalMaster: + enabled: true + host: external-mongodb-0.internal +``` + +:warning: To bootstrap MongoDB(®) with an external master that lies outside of Kubernetes, be sure to set up external access using any of the suggested methods in this chart to have connectivity between the MongoDB(®) members. 
:warning: + +### Add extra environment variables + +To add extra environment variables (useful for advanced operations like custom init scripts), use the `extraEnvVars` property. + +```yaml +extraEnvVars: + - name: LOG_LEVEL + value: error +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` properties. + +### Use Sidecars and Init Containers + +If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. + +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). 
+ +### Backup and restore MongoDB(R) deployments + +Two different approaches are available to back up and restore Bitnami MongoDB® Helm chart deployments on Kubernetes: + +- Back up the data from the source deployment and restore it in a new deployment using MongoDB® built-in backup/restore tools. +- Back up the persistent volumes from the source deployment and attach them to a new deployment using Velero, a Kubernetes backup/restore tool. + +#### Method 1: Backup and restore data using MongoDB® built-in tools + +This method involves the following steps: + +- Use the *mongodump* tool to create a snapshot of the data in the source cluster. +- Create a new MongoDB® Cluster deployment and forward the MongoDB® Cluster service port for the new deployment. +- Restore the data using the *mongorestore* tool to import the backup to the new cluster. + +> NOTE: Under this approach, it is important to create the new deployment on the destination cluster using the same credentials as the original deployment on the source cluster. + +#### Method 2: Back up and restore persistent data volumes + +This method involves copying the persistent data volumes for the MongoDB® nodes and reusing them in a new deployment with [Velero](https://velero.io/), an open source Kubernetes backup/restore tool. This method is only suitable when: + +- The Kubernetes provider is [supported by Velero](https://velero.io/docs/latest/supported-providers/). +- Both clusters are on the same Kubernetes provider, as this is a requirement of [Velero's native support for migrating persistent volumes](https://velero.io/docs/latest/migration-case/). +- The restored deployment on the destination cluster will have the same name, namespace, topology and credentials as the original deployment on the source cluster. + +This method involves the following steps: + +- Install Velero on the source and destination clusters. +- Use Velero to back up the PersistentVolumes (PVs) used by the deployment on the source cluster. 
+- Use Velero to restore the backed-up PVs on the destination cluster. +- Create a new deployment on the destination cluster with the same chart, deployment name, credentials and other parameters as the original. This new deployment will use the restored PVs and hence the original data. + +Refer to our detailed [tutorial on backing up and restoring MongoDB® chart deployments on Kubernetes](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-backup-restore-data-mongodb-kubernetes-index.html), which covers both these approaches, for more information. + +### Use custom Prometheus rules + +Custom Prometheus rules can be defined for the Prometheus Operator by using the `prometheusRule` parameter. A basic configuration example is shown below: + +```text + metrics: + enabled: true + prometheusRule: + enabled: true + rules: + - name: rule1 + rules: + - alert: HighRequestLatency + expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5 + for: 10m + labels: + severity: page + annotations: + summary: High request latency +``` + +### Enable SSL/TLS + +This chart supports enabling SSL/TLS between nodes in the cluster, as well as between MongoDB(®) clients and nodes, by setting the `MONGODB_EXTRA_FLAGS` and `MONGODB_CLIENT_EXTRA_FLAGS` container environment variables, together with the correct `MONGODB_ADVERTISED_HOSTNAME`. To enable full TLS encryption, set the `tls.enabled` parameter to `true`. + +#### Generate the self-signed certificates via pre-install Helm hooks + +The `secrets-ca.yaml` file utilizes the Helm "pre-install" hook to ensure that the certificates will only be generated on chart install. + +The `genCA()` function will create a new self-signed x509 certificate authority. The `genSignedCert()` function creates an object with the certificate and key, which are base64-encoded and used in a YAML-like object. 
The `genSignedCert()` function is passed the CN, an empty IP list (the nil part), the validity and the CA created previously. + +A Kubernetes Secret is used to hold the signed certificate created above, and the `initContainer` sets up the rest. Using Helm's hook annotations ensures that the certificates will only be generated on chart install. This will prevent overriding the certificates if the chart is upgraded. + +#### Use your own CA + +To use your own CA, set `tls.caCert` and `tls.caKey` with appropriate base64 encoded data. The `secrets-ca.yaml` file will utilize this data to create the Secret. + +> NOTE: Currently, only RSA private keys are supported. + +#### Use your own certificates + +To use your own certificates, set `tls.standalone.existingSecret`, `tls.replicaset.existingSecrets`, `tls.hidden.existingSecrets` and/or `tls.arbiter.existingSecret` secrets according to your needs. All of them must be references to `kubernetes.io/tls` secrets and the certificates must be created using the same CA. The CA can be added directly to each secret using the `ca.crt` key: + +```shell +kubectl create secret tls "mongodb-0-cert" --cert="mongodb-0.crt" --key="mongodb-0.key" +kubectl patch secret "mongodb-0-cert" -p="{\"data\":{\"ca.crt\": \"$(cat ca.crt | base64 -w0 )\"}}" ``` -Refer to the [chart documentation for more information on each of these architectures](https://docs.bitnami.com/kubernetes/infrastructure/mongodb/get-started/understand-architecture/). +Or adding it to the "endpoint certificate" and setting the value `tls.pemChainIncluded`. If we reuse the example above, the `mongodb-0.crt` file should include CA cert and we shouldn't need to patch the secret to add the `ca.crt` set key. + +> NOTE: Certificates should be signed for the fully qualified domain names. If `externalAccess.service.publicNames`is set, those names should be used in the certificates set in `tls.replicaset.existingSecrets`. 
+ +#### Access the cluster + +To access the cluster, enable the init container which generates the MongoDB(®) server/client PEM key needed to access the cluster. Please be sure to include the `$my_hostname` section with your actual hostname, and the alternative hostnames section should contain the hostnames that should be allowed access to the MongoDB(®) replicaset. Additionally, if external access is enabled, the load balancer IP addresses are added to the alternative names list. + +> NOTE: You will be generating self-signed certificates for the MongoDB(®) deployment. The init container generates a new MongoDB(®) private key which will be used to create a Certificate Authority (CA) and the public certificate for the CA. The Certificate Signing Request will be created as well and signed using the private key of the CA previously created. Finally, the PEM bundle will be created using the private key and public certificate. This process will be repeated for each node in the cluster. + +#### Start the cluster + +After the certificates have been generated and made available to the containers at the correct mount points, the MongoDB(®) server will be started with TLS enabled. The options for the TLS mode will be one of `disabled`, `allowTLS`, `preferTLS`, or `requireTLS`. This value can be changed via the `MONGODB_EXTRA_FLAGS` field using the `tlsMode` parameter. The client should now be able to connect to the TLS-enabled cluster with the provided certificates. + +### Set Pod affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. 
To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Persistence + +The [Bitnami MongoDB(®)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) image stores the MongoDB(®) data and configurations at the `/bitnami/mongodb` path of the container. + +The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at this location. The volume is created using dynamic volume provisioning. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). ## Parameters ### Global parameters -| Name | Description | Value | -| -------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.namespaceOverride` | Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | 
Global default StorageClass for Persistent Volume(s) | `""` | +| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | +| `global.namespaceOverride` | Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters 
@@ -86,65 +423,67 @@ Refer to the [chart documentation for more information on each of these architec | `commonAnnotations` | Common annotations to add to all Mongo resources (sub-charts are not considered). Evaluated as a template | `{}` | | `topologyKey` | Override common lib default topology key. If empty - "kubernetes.io/hostname" is used | `""` | | `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | +| `enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | | `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | | `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | | `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | ### MongoDB(®) parameters -| Name | Description | Value | -| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -| `image.registry` | MongoDB(®) image registry | `docker.io` | -| `image.repository` | MongoDB(®) image registry | `bitnami/mongodb` | -| `image.tag` | MongoDB(®) image tag (immutable tags are recommended) | `6.0.8-debian-11-r12` | -| `image.digest` | MongoDB(®) image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | MongoDB(®) image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `image.debug` | Set to true if you would like to see extra information on logs | `false` | -| `schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | -| `architecture` | MongoDB(®) architecture (`standalone` or `replicaset`) | `standalone` | -| `useStatefulSet` | Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) | `false` | -| `auth.enabled` | Enable authentication | `true` | -| `auth.rootUser` | MongoDB(®) root user | `root` | -| `auth.rootPassword` | MongoDB(®) root password | `""` | -| `auth.usernames` | List of custom users to be created during the initialization | `[]` | -| `auth.passwords` | List of passwords for the custom users set at `auth.usernames` | `[]` | -| `auth.databases` | List of custom databases to be created during the initialization | `[]` | -| `auth.username` | DEPRECATED: use `auth.usernames` instead | `""` | -| `auth.password` | DEPRECATED: use `auth.passwords` instead | `""` | -| `auth.database` | DEPRECATED: use `auth.databases` instead | `""` | -| `auth.replicaSetKey` | Key used for authentication in the replicaset (only when `architecture=replicaset`) | `""` | -| `auth.existingSecret` | Existing secret with MongoDB(®) credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, `mongodb-replica-set-key`) | `""` | -| `tls.enabled` | Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes | `false` | -| `tls.autoGenerated` | Generate a custom CA and self-signed certificates | `true` | -| `tls.existingSecret` | Existing secret with TLS certificates (keys: `mongodb-ca-cert`, `mongodb-ca-key`) | `""` | -| `tls.caCert` | Custom CA certificated (base64 encoded) | `""` | -| 
`tls.caKey` | CA certificate private key (base64 encoded) | `""` | -| `tls.pemChainIncluded` | Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. | `false` | -| `tls.standalone.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` | -| `tls.replicaset.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` | -| `tls.hidden.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` | -| `tls.arbiter.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` | -| `tls.image.registry` | Init container TLS certs setup image registry | `docker.io` | -| `tls.image.repository` | Init container TLS certs setup image repository | `bitnami/nginx` | -| `tls.image.tag` | Init container TLS certs setup image tag (immutable tags are recommended) | `1.25.1-debian-11-r39` | -| `tls.image.digest` | Init container TLS certs setup image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `tls.image.pullPolicy` | Init container TLS certs setup image pull policy | `IfNotPresent` | -| `tls.image.pullSecrets` | Init container TLS certs specify docker-registry secret names as an array | `[]` | -| `tls.extraDnsNames` | Add extra dns names to the CA, can solve x509 auth issue for pod clients | `[]` | -| `tls.mode` | Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) | `requireTLS` | -| `tls.resources.limits` | Init container generate-tls-certs resource limits | `{}` | -| `tls.resources.requests` | Init container generate-tls-certs resource requests | `{}` | -| `hostAliases` | Add deployment host aliases | `[]` | -| `replicaSetName` | Name of the replica set (only when `architecture=replicaset`) | `rs0` | -| `replicaSetHostnames` | Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) | `true` | -| `enableIPv6` | Switch to enable/disable IPv6 on MongoDB(®) | `false` | -| `directoryPerDB` | Switch to enable/disable DirectoryPerDB on MongoDB(®) | `false` | -| `systemLogVerbosity` | MongoDB(®) system log verbosity level | `0` | -| `disableSystemLog` | Switch to enable/disable MongoDB(®) system log | `false` | -| `disableJavascript` | Switch to enable/disable MongoDB(®) server-side JavaScript execution | `false` | -| `enableJournal` | Switch to enable/disable MongoDB(®) Journaling | `true` | -| `configuration` | MongoDB(®) configuration file to be used for Primary and Secondary nodes | `""` | +| Name | Description | Value | +| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `image.registry` | MongoDB(®) image registry | `REGISTRY_NAME` | +| `image.repository` | 
MongoDB(®) image registry | `REPOSITORY_NAME/mongodb` |
+| `image.digest` | MongoDB(®) image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `image.pullPolicy` | MongoDB(®) image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
+| `image.debug` | Set to true if you would like to see extra information on logs | `false` |
+| `schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` |
+| `architecture` | MongoDB(®) architecture (`standalone` or `replicaset`) | `standalone` |
+| `useStatefulSet` | Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) | `false` |
+| `auth.enabled` | Enable authentication | `true` |
+| `auth.rootUser` | MongoDB(®) root user | `root` |
+| `auth.rootPassword` | MongoDB(®) root password | `""` |
+| `auth.usernames` | List of custom users to be created during the initialization | `[]` |
+| `auth.passwords` | List of passwords for the custom users set at `auth.usernames` | `[]` |
+| `auth.databases` | List of custom databases to be created during the initialization | `[]` |
+| `auth.username` | DEPRECATED: use `auth.usernames` instead | `""` |
+| `auth.password` | DEPRECATED: use `auth.passwords` instead | `""` |
+| `auth.database` | DEPRECATED: use `auth.databases` instead | `""` |
+| `auth.replicaSetKey` | Key used for authentication in the replicaset (only when `architecture=replicaset`) | `""` |
+| `auth.existingSecret` | Existing secret with MongoDB(®) credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, `mongodb-replica-set-key`) | `""` |
+| `tls.enabled` | Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes | `false` |
+| `tls.mTLS.enabled` | IF TLS support is enabled, require clients to provide certificates | `true` |
+| `tls.autoGenerated` | Generate a custom CA
and self-signed certificates | `true` |
+| `tls.existingSecret` | Existing secret with TLS certificates (keys: `mongodb-ca-cert`, `mongodb-ca-key`) | `""` |
+| `tls.caCert` | Custom CA certificated (base64 encoded) | `""` |
+| `tls.caKey` | CA certificate private key (base64 encoded) | `""` |
+| `tls.pemChainIncluded` | Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. | `false` |
+| `tls.standalone.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` |
+| `tls.replicaset.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` |
+| `tls.hidden.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` |
+| `tls.arbiter.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` |
+| `tls.image.registry` | Init container TLS certs setup image registry | `REGISTRY_NAME` |
+| `tls.image.repository` | Init container TLS certs setup image repository | `REPOSITORY_NAME/nginx` |
+| `tls.image.digest` | Init container TLS certs setup image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag | `""` |
+| `tls.image.pullPolicy` | Init container TLS certs setup image pull policy | `IfNotPresent` |
+| `tls.image.pullSecrets` | Init container TLS certs specify docker-registry secret names as an array | `[]` |
+| `tls.extraDnsNames` | Add extra dns names to the CA, can solve x509 auth issue for pod clients | `[]` |
+| `tls.mode` | Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) | `requireTLS` |
+| `tls.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). | `nano` |
+| `tls.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `tls.securityContext` | Init container generate-tls-cert Security context | `{}` |
+| `automountServiceAccountToken` | Mount Service Account token in pod | `false` |
+| `hostAliases` | Add deployment host aliases | `[]` |
+| `replicaSetName` | Name of the replica set (only when `architecture=replicaset`) | `rs0` |
+| `replicaSetHostnames` | Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) | `true` |
+| `enableIPv6` | Switch to enable/disable IPv6 on MongoDB(®) | `false` |
+| `directoryPerDB` | Switch to enable/disable DirectoryPerDB on MongoDB(®) | `false` |
+| `systemLogVerbosity` | MongoDB(®) system log verbosity level | `0` |
+| `disableSystemLog` | Switch to enable/disable MongoDB(®) system log | `false` |
+| `disableJavascript` | Switch to enable/disable MongoDB(®) server-side JavaScript execution | `false` |
+| `enableJournal` | Switch to enable/disable MongoDB(®) Journaling | `true` |
+| `configuration` | MongoDB(®) configuration file to be used for Primary and Secondary nodes | `""` |
 ###
replicaSetConfigurationSettings settings applied during runtime (not via configuration file) 
@@ -164,151 +503,214 @@ Refer to the [chart documentation for more information on each of these architec
 ### MongoDB(®) statefulset parameters
-| Name | Description | Value |
-| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- | ---------------- |
-| `annotations` | Additional labels to be added to the MongoDB(®) statefulset. Evaluated as a template | `{}` |
-| `labels` | Annotations to be added to the MongoDB(®) statefulset. Evaluated as a template | `{}` |
-| `replicaCount` | Number of MongoDB(®) nodes (only when `architecture=replicaset`) | `2` |
-| `updateStrategy.type` | Strategy to use to replace existing MongoDB(®) pods. When architecture=standalone and useStatefulSet=false, | `RollingUpdate` |
-| `podManagementPolicy` | Pod management policy for MongoDB(®) | `OrderedReady` |
-| `podAffinityPreset` | MongoDB(®) Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `podAntiAffinityPreset` | MongoDB(®) Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
-| `nodeAffinityPreset.type` | MongoDB(®) Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `nodeAffinityPreset.key` | MongoDB(®) Node label key to match Ignored if `affinity` is set. | `""` |
-| `nodeAffinityPreset.values` | MongoDB(®) Node label values to match. Ignored if `affinity` is set.
| `[]` |
-| `affinity` | MongoDB(®) Affinity for pod assignment | `{}` |
-| `nodeSelector` | MongoDB(®) Node labels for pod assignment | `{}` |
-| `tolerations` | MongoDB(®) Tolerations for pod assignment | `[]` |
-| `topologySpreadConstraints` | MongoDB(®) Spread Constraints for Pods | `[]` |
-| `lifecycleHooks` | LifecycleHook for the MongoDB(®) container(s) to automate configuration before or after startup | `{}` |
-| `terminationGracePeriodSeconds` | MongoDB(®) Termination Grace Period | `""` |
-| `podLabels` | MongoDB(®) pod labels | `{}` |
-| `podAnnotations` | MongoDB(®) Pod annotations | `{}` |
-| `priorityClassName` | Name of the existing priority class to be used by MongoDB(®) pod(s) | `""` |
-| `runtimeClassName` | Name of the runtime class to be used by MongoDB(®) pod(s) | `""` |
-| `podSecurityContext.enabled` | Enable MongoDB(®) pod(s)' Security Context | `true` |
-| `podSecurityContext.fsGroup` | Group ID for the volumes of the MongoDB(®) pod(s) | `1001` |
-| `podSecurityContext.sysctls` | sysctl settings of the MongoDB(®) pod(s)' | `[]` |
-| `containerSecurityContext.enabled` | Enable MongoDB(®) container(s)' Security Context | `true` |
-| `containerSecurityContext.runAsUser` | User ID for the MongoDB(®) container | `1001` |
-| `containerSecurityContext.runAsGroup` | Group ID for the MongoDB(®) container | `0` |
-| `containerSecurityContext.runAsNonRoot` | Set MongoDB(®) container's Security Context runAsNonRoot | `true` |
-| `containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate MongoDB(®) pod(s) privileges | `false` |
-| `containerSecurityContext.seccompProfile.type` | Set MongoDB(®) container's Security Context seccompProfile type | `RuntimeDefault` |
-| `containerSecurityContext.capabilities.drop` | Set MongoDB(®) container's Security Context capabilities to drop | `["ALL"]` |
-| `resources.limits` | The resources limits for MongoDB(®) containers | `{}` |
-| `resources.requests` | The requested resources for MongoDB(®)
containers | `{}` |
-| `containerPorts.mongodb` | MongoDB(®) container port | `27017` |
-| `livenessProbe.enabled` | Enable livenessProbe | `true` |
-| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
-| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` |
-| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` |
-| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
-| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `readinessProbe.enabled` | Enable readinessProbe | `true` |
-| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
-| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
-| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
-| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
-| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `startupProbe.enabled` | Enable startupProbe | `false` |
-| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
-| `startupProbe.periodSeconds` | Period seconds for startupProbe | `20` |
-| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `10` |
-| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
-| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `customLivenessProbe` | Override default liveness probe for MongoDB(®) containers | `{}` |
-| `customReadinessProbe` | Override default readiness probe for MongoDB(®) containers | `{}` |
-| `customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` |
-| `initContainers` | Add additional init containers for the hidden node pod(s) | `[]` |
-| `sidecars` | Add additional sidecar containers for the MongoDB(®) pod(s) | `[]` |
-| `extraVolumeMounts` | Optionally specify
extra list of additional volumeMounts for the MongoDB(®) container(s) | `[]` |
-| `extraVolumes` | Optionally specify extra list of additional volumes to the MongoDB(®) statefulset | `[]` |
-| `pdb.create` | Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s) | `false` |
-| `pdb.minAvailable` | Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction | `1` |
-| `pdb.maxUnavailable` | Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction | `""` |
+| Name | Description | Value |
+| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
+| `annotations` | Additional labels to be added to the MongoDB(®) statefulset. Evaluated as a template | `{}` |
+| `labels` | Annotations to be added to the MongoDB(®) statefulset. Evaluated as a template | `{}` |
+| `replicaCount` | Number of MongoDB(®) nodes | `2` |
+| `updateStrategy.type` | Strategy to use to replace existing MongoDB(®) pods. When architecture=standalone and useStatefulSet=false, | `RollingUpdate` |
+| `podManagementPolicy` | Pod management policy for MongoDB(®) | `OrderedReady` |
+| `podAffinityPreset` | MongoDB(®) Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `podAntiAffinityPreset` | MongoDB(®) Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `nodeAffinityPreset.type` | MongoDB(®) Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `nodeAffinityPreset.key` | MongoDB(®) Node label key to match Ignored if `affinity` is set. | `""` |
+| `nodeAffinityPreset.values` | MongoDB(®) Node label values to match. Ignored if `affinity` is set.
| `[]` |
+| `affinity` | MongoDB(®) Affinity for pod assignment | `{}` |
+| `nodeSelector` | MongoDB(®) Node labels for pod assignment | `{}` |
+| `tolerations` | MongoDB(®) Tolerations for pod assignment | `[]` |
+| `topologySpreadConstraints` | MongoDB(®) Spread Constraints for Pods | `[]` |
+| `lifecycleHooks` | LifecycleHook for the MongoDB(®) container(s) to automate configuration before or after startup | `{}` |
+| `terminationGracePeriodSeconds` | MongoDB(®) Termination Grace Period | `""` |
+| `podLabels` | MongoDB(®) pod labels | `{}` |
+| `podAnnotations` | MongoDB(®) Pod annotations | `{}` |
+| `priorityClassName` | Name of the existing priority class to be used by MongoDB(®) pod(s) | `""` |
+| `runtimeClassName` | Name of the runtime class to be used by MongoDB(®) pod(s) | `""` |
+| `podSecurityContext.enabled` | Enable MongoDB(®) pod(s)' Security Context | `true` |
+| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `podSecurityContext.fsGroup` | Group ID for the volumes of the MongoDB(®) pod(s) | `1001` |
+| `podSecurityContext.sysctls` | sysctl settings of the MongoDB(®) pod(s)' | `[]` |
+| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
+| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
+| `containerSecurityContext.allowPrivilegeEscalation` |
Set container's Security Context allowPrivilegeEscalation | `false` |
+| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` |
+| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `containerPorts.mongodb` | MongoDB(®) container port | `27017` |
+| `livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
+| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` |
+| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` |
+| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
+| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
+| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `startupProbe.enabled` | Enable startupProbe | `false` |
+| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
+| `startupProbe.periodSeconds` | Period seconds for startupProbe | `20` |
+| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `10` |
+|
`startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
+| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `customLivenessProbe` | Override default liveness probe for MongoDB(®) containers | `{}` |
+| `customReadinessProbe` | Override default readiness probe for MongoDB(®) containers | `{}` |
+| `customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` |
+| `initContainers` | Add additional init containers for the hidden node pod(s) | `[]` |
+| `sidecars` | Add additional sidecar containers for the MongoDB(®) pod(s) | `[]` |
+| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MongoDB(®) container(s) | `[]` |
+| `extraVolumes` | Optionally specify extra list of additional volumes to the MongoDB(®) statefulset | `[]` |
+| `pdb.create` | Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s) | `true` |
+| `pdb.minAvailable` | Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction | `""` |
+| `pdb.maxUnavailable` | Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. | `""` |
 ### Traffic exposure parameters
-| Name | Description | Value |
-| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- |
-| `service.nameOverride` | MongoDB(®) service name | `""` |
-| `service.type` | Kubernetes Service type (only for standalone architecture) | `ClusterIP` |
-| `service.portName` | MongoDB(®) service port name (only for standalone architecture) | `mongodb` |
-| `service.ports.mongodb` | MongoDB(®) service port.
| `27017` |
-| `service.nodePorts.mongodb` | Port to bind to for NodePort and LoadBalancer service types (only for standalone architecture) | `""` |
-| `service.clusterIP` | MongoDB(®) service cluster IP (only for standalone architecture) | `""` |
-| `service.externalIPs` | Specify the externalIP value ClusterIP service type (only for standalone architecture) | `[]` |
-| `service.loadBalancerIP` | loadBalancerIP for MongoDB(®) Service (only for standalone architecture) | `""` |
-| `service.loadBalancerClass` | loadBalancerClass for MongoDB(®) Service (only for standalone architecture) | `""` |
-| `service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer (only for standalone architecture) | `[]` |
-| `service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` |
-| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `service.annotations` | Provide any additional annotations that may be required | `{}` |
-| `service.externalTrafficPolicy` | service external traffic policy (only for standalone architecture) | `Local` |
-| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
-| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `service.headless.annotations` | Annotations for the headless service.
| `{}` |
-| `externalAccess.enabled` | Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) | `false` |
-| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs by querying the K8s API | `false` |
-| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `docker.io` |
-| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository | `bitnami/kubectl` |
-| `externalAccess.autoDiscovery.image.tag` | Init container auto-discovery image tag (immutable tags are recommended) | `1.25.12-debian-11-r6` |
-| `externalAccess.autoDiscovery.image.digest` | Init container auto-discovery image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy | `IfNotPresent` |
-| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` |
-| `externalAccess.autoDiscovery.resources.limits` | Init container auto-discovery resource limits | `{}` |
-| `externalAccess.autoDiscovery.resources.requests` | Init container auto-discovery resource requests | `{}` |
-| `externalAccess.externalMaster.enabled` | Use external master for bootstrapping | `false` |
-| `externalAccess.externalMaster.host` | External master host to bootstrap from | `""` |
-| `externalAccess.externalMaster.port` | Port for MongoDB(®) service external master host | `27017` |
-| `externalAccess.service.type` | Kubernetes Service type for external access.
Allowed values: NodePort, LoadBalancer or ClusterIP | `LoadBalancer` |
-| `externalAccess.service.portName` | MongoDB(®) port name used for external access when service type is LoadBalancer | `mongodb` |
-| `externalAccess.service.ports.mongodb` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` |
-| `externalAccess.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` |
-| `externalAccess.service.loadBalancerClass` | loadBalancerClass when service type is LoadBalancer | `""` |
-| `externalAccess.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` |
-| `externalAccess.service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` |
-| `externalAccess.service.externalTrafficPolicy` | MongoDB(®) service external traffic policy | `Local` |
-| `externalAccess.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort | `[]` |
-| `externalAccess.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` |
-| `externalAccess.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `externalAccess.service.annotations` | Service annotations for external access | `{}` |
-| `externalAccess.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
-| `externalAccess.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `externalAccess.hidden.enabled` | Enable Kubernetes external cluster access to MongoDB(®) hidden nodes | `false` |
-| `externalAccess.hidden.service.type` | Kubernetes Service type for external access.
Allowed values: NodePort or LoadBalancer | `LoadBalancer` |
-| `externalAccess.hidden.service.portName` | MongoDB(®) port name used for external access when service type is LoadBalancer | `mongodb` |
-| `externalAccess.hidden.service.ports.mongodb` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` |
-| `externalAccess.hidden.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` |
-| `externalAccess.hidden.service.loadBalancerClass` | loadBalancerClass when service type is LoadBalancer | `""` |
-| `externalAccess.hidden.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` |
-| `externalAccess.hidden.service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` |
-| `externalAccess.hidden.service.externalTrafficPolicy` | MongoDB(®) service external traffic policy | `Local` |
-| `externalAccess.hidden.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort.
Length must be the same as replicaCount | `[]` |
-| `externalAccess.hidden.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` |
-| `externalAccess.hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `externalAccess.hidden.service.annotations` | Service annotations for external access | `{}` |
-| `externalAccess.hidden.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
-| `externalAccess.hidden.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-
-### Persistence parameters
-
-| Name | Description | Value |
-| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
-| `persistence.enabled` | Enable MongoDB(®) data persistence using PVC | `true` |
-| `persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
-| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` |
-| `persistence.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` |
-| `persistence.storageClass` | PVC Storage Class for MongoDB(®) data volume | `""` |
-| `persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` |
-| `persistence.size` | PVC Storage Request for MongoDB(®) data volume | `8Gi` |
-| `persistence.annotations` | PVC annotations | `{}` |
-| `persistence.mountPath` | Path to mount the volume at | `/bitnami/mongodb` |
-| `persistence.subPath` | Subdirectory of the volume to mount at | `""` |
-| `persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g.
when using local volumes) | `{}` |
-| `persistence.volumeClaimTemplates.requests` | Custom PVC requests attributes | `{}` |
-| `persistence.volumeClaimTemplates.dataSource` | Add dataSource to the VolumeClaimTemplate | `{}` |
+| Name | Description | Value |
+| ------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
+| `service.nameOverride` | MongoDB(®) service name | `""` |
+| `service.type` | Kubernetes Service type (only for standalone architecture) | `ClusterIP` |
+| `service.portName` | MongoDB(®) service port name (only for standalone architecture) | `mongodb` |
+| `service.ports.mongodb` | MongoDB(®) service port. | `27017` |
+| `service.nodePorts.mongodb` | Port to bind to for NodePort and LoadBalancer service types (only for standalone architecture) | `""` |
+| `service.clusterIP` | MongoDB(®) service cluster IP (only for standalone architecture) | `""` |
+| `service.externalIPs` | Specify the externalIP value ClusterIP service type (only for standalone architecture) | `[]` |
+| `service.loadBalancerIP` | loadBalancerIP for MongoDB(®) Service (only for standalone architecture) | `""` |
+| `service.loadBalancerClass` | loadBalancerClass for MongoDB(®) Service (only for standalone architecture) | `""` |
+| `service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer (only for standalone architecture) | `[]` |
+| `service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` |
+| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `service.annotations` | Provide any additional annotations that may be required | `{}` |
+|
`service.externalTrafficPolicy` | service external traffic policy (only for standalone architecture) | `Local` |
+| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
+| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `service.headless.annotations` | Annotations for the headless service. | `{}` |
+| `externalAccess.enabled` | Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) | `false` |
+| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs by querying the K8s API | `false` |
+| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `REGISTRY_NAME` |
+| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository | `REPOSITORY_NAME/kubectl` |
+| `externalAccess.autoDiscovery.image.digest` | Init container auto-discovery image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy | `IfNotPresent` |
+| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` |
+| `externalAccess.autoDiscovery.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production).
| `nano` |
+| `externalAccess.autoDiscovery.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `externalAccess.dnsCheck.image.registry` | Init container dns-check image registry | `REGISTRY_NAME` |
+| `externalAccess.dnsCheck.image.repository` | Init container dns-check image repository | `REPOSITORY_NAME/kubectl` |
+| `externalAccess.dnsCheck.image.digest` | Init container dns-check image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `externalAccess.dnsCheck.image.pullPolicy` | Init container dns-check image pull policy | `IfNotPresent` |
+| `externalAccess.dnsCheck.image.pullSecrets` | Init container dns-check image pull secrets | `[]` |
+| `externalAccess.dnsCheck.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). | `nano` |
+| `externalAccess.dnsCheck.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `externalAccess.externalMaster.enabled` | Use external master for bootstrapping | `false` |
+| `externalAccess.externalMaster.host` | External master host to bootstrap from | `""` |
+| `externalAccess.externalMaster.port` | Port for MongoDB(®) service external master host | `27017` |
+| `externalAccess.service.type` | Kubernetes Service type for external access.
Allowed values: NodePort, LoadBalancer or ClusterIP | `LoadBalancer` | +| `externalAccess.service.portName` | MongoDB(®) port name used for external access when service type is LoadBalancer | `mongodb` | +| `externalAccess.service.ports.mongodb` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` | +| `externalAccess.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` | +| `externalAccess.service.publicNames` | Array of public names. The size should be equal to the number of replicas. | `[]` | +| `externalAccess.service.loadBalancerClass` | loadBalancerClass when service type is LoadBalancer | `""` | +| `externalAccess.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.service.allocateLoadBalancerNodePorts` | Whether to allocate node ports when service type is LoadBalancer | `true` | +| `externalAccess.service.externalTrafficPolicy` | MongoDB(®) service external traffic policy | `Local` | +| `externalAccess.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort | `[]` | +| `externalAccess.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` | +| `externalAccess.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `externalAccess.service.annotations` | Service annotations for external access. These annotations are common for all services created. | `{}` | +| `externalAccess.service.annotationsList` | Service annotations for eache external service. This value contains a list allowing different annotations per each external service. 
| `[]` | +| `externalAccess.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `externalAccess.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `externalAccess.hidden.enabled` | Enable Kubernetes external cluster access to MongoDB(®) hidden nodes | `false` | +| `externalAccess.hidden.service.type` | Kubernetes Service type for external access. Allowed values: NodePort or LoadBalancer | `LoadBalancer` | +| `externalAccess.hidden.service.portName` | MongoDB(®) port name used for external access when service type is LoadBalancer | `mongodb` | +| `externalAccess.hidden.service.ports.mongodb` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` | +| `externalAccess.hidden.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` | +| `externalAccess.hidden.service.loadBalancerClass` | loadBalancerClass when service type is LoadBalancer | `""` | +| `externalAccess.hidden.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.hidden.service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` | +| `externalAccess.hidden.service.externalTrafficPolicy` | MongoDB(®) service external traffic policy | `Local` | +| `externalAccess.hidden.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort. 
Length must be the same as replicaCount | `[]` | +| `externalAccess.hidden.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` | +| `externalAccess.hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `externalAccess.hidden.service.annotations` | Service annotations for external access | `{}` | +| `externalAccess.hidden.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `externalAccess.hidden.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | + +### Network policy parameters + +| Name | Description | Value | +| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. | `{}` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. 
Ignored if `networkPolicy.allowExternal` is true. | `{}` | +| `persistence.enabled` | Enable MongoDB(®) data persistence using PVC | `true` | +| `persistence.name` | Name of the PVC and mounted volume | `datadir` | +| `persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `persistence.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | +| `persistence.storageClass` | PVC Storage Class for MongoDB(®) data volume | `""` | +| `persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `persistence.size` | PVC Storage Request for MongoDB(®) data volume | `8Gi` | +| `persistence.annotations` | PVC annotations | `{}` | +| `persistence.labels` | PVC labels | `{}` | +| `persistence.mountPath` | Path to mount the volume at | `/bitnami/mongodb` | +| `persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. 
when using local volumes) | `{}` | +| `persistence.volumeClaimTemplates.requests` | Custom PVC requests attributes | `{}` | +| `persistence.volumeClaimTemplates.dataSource` | Add dataSource to the VolumeClaimTemplate | `{}` | +| `persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for MongoDB(®) Statefulset | `false` | +| `persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | + +### Backup parameters + +| Name | Description | Value | +| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` | +| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` | +| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` | +| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` | +| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` | +| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` | +| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` | +| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | +| `backup.cronjob.backoffLimit` | Set the cronjob parameter backoffLimit | `6` | +| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | 
+| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `backup.cronjob.command` | Set backup container's command to run | `[]` | +| `backup.cronjob.labels` | Set the cronjob labels | `{}` | +| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` | +| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. 
Leaving it empty will delete PVCs after the chart deleted | `""` | +| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | +| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` | +| `backup.cronjob.storage.annotations` | PVC annotations | `{}` | +| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/mongodb` | +| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | +| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | ### RBAC parameters @@ -317,7 +719,7 @@ Refer to the [chart documentation for more information on each of these architec | `serviceAccount.create` | Enable creation of ServiceAccount for MongoDB(®) pods | `true` | | `serviceAccount.name` | Name of the created serviceAccount | `""` | | `serviceAccount.annotations` | Additional Service Account annotations | `{}` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | | `rbac.create` | Whether to create & use RBAC resources or not | `false` | | `rbac.rules` | Custom rules to create following the role specification | `[]` | | `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | 
@@ -327,272 +729,285 @@ Refer to the [chart documentation for more information on each of these architec ### Volume Permissions parameters -| Name | Description | Value | -| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------ | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | -| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/os-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r16` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | -| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `volumePermissions.securityContext.runAsUser` | User ID for the volumePermissions container | `0` | +| Name | Description | Value | +| -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.securityContext.runAsUser` | User ID for the volumePermissions container | `0` | ### Arbiter parameters -| Name | Description | Value | -| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ---------------- | -| `arbiter.enabled` | Enable deploying the arbiter | `true` | -| `arbiter.hostAliases` | Add deployment host aliases | `[]` | -| `arbiter.configuration` | Arbiter configuration file to be used | `""` | -| `arbiter.existingConfigmap` | Name of existing ConfigMap with Arbiter configuration | `""` | -| `arbiter.command` | Override default container command (useful when using custom images) | `[]` | -| `arbiter.args` | Override default container args (useful when using custom images) | `[]` | -| `arbiter.extraFlags` | Arbiter additional command line flags | `[]` | -| `arbiter.extraEnvVars` | Extra environment variables to add to Arbiter pods | `[]` | -| `arbiter.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | -| `arbiter.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | -| `arbiter.annotations` | Additional labels to be added to the Arbiter statefulset | `{}` | -| `arbiter.labels` | Annotations to be added to the Arbiter statefulset | `{}` | -| `arbiter.topologySpreadConstraints` | MongoDB(®) Spread Constraints for arbiter Pods | `[]` | -| `arbiter.lifecycleHooks` | LifecycleHook for the Arbiter container to automate configuration before or after startup | `{}` | -| 
`arbiter.terminationGracePeriodSeconds` | Arbiter Termination Grace Period | `""` | -| `arbiter.updateStrategy.type` | Strategy that will be employed to update Pods in the StatefulSet | `RollingUpdate` | -| `arbiter.podManagementPolicy` | Pod management policy for MongoDB(®) | `OrderedReady` | -| `arbiter.schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | -| `arbiter.podAffinityPreset` | Arbiter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `arbiter.podAntiAffinityPreset` | Arbiter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `arbiter.nodeAffinityPreset.type` | Arbiter Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `arbiter.nodeAffinityPreset.key` | Arbiter Node label key to match Ignored if `affinity` is set. | `""` | -| `arbiter.nodeAffinityPreset.values` | Arbiter Node label values to match. Ignored if `affinity` is set. 
| `[]` | -| `arbiter.affinity` | Arbiter Affinity for pod assignment | `{}` | -| `arbiter.nodeSelector` | Arbiter Node labels for pod assignment | `{}` | -| `arbiter.tolerations` | Arbiter Tolerations for pod assignment | `[]` | -| `arbiter.podLabels` | Arbiter pod labels | `{}` | -| `arbiter.podAnnotations` | Arbiter Pod annotations | `{}` | -| `arbiter.priorityClassName` | Name of the existing priority class to be used by Arbiter pod(s) | `""` | -| `arbiter.runtimeClassName` | Name of the runtime class to be used by Arbiter pod(s) | `""` | -| `arbiter.podSecurityContext.enabled` | Enable Arbiter pod(s)' Security Context | `true` | -| `arbiter.podSecurityContext.fsGroup` | Group ID for the volumes of the Arbiter pod(s) | `1001` | -| `arbiter.podSecurityContext.sysctls` | sysctl settings of the Arbiter pod(s)' | `[]` | -| `arbiter.containerSecurityContext.enabled` | Enable Arbiter container(s)' Security Context | `true` | -| `arbiter.containerSecurityContext.runAsUser` | User ID for the Arbiter container | `1001` | -| `arbiter.containerSecurityContext.runAsGroup` | Group ID for the Arbiter container | `0` | -| `arbiter.containerSecurityContext.runAsNonRoot` | Set Arbiter containers' Security Context runAsNonRoot | `true` | -| `arbiter.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Arbiter pod(s) privileges | `false` | -| `arbiter.containerSecurityContext.seccompProfile.type` | Set Arbiter container's Security Context seccompProfile type | `RuntimeDefault` | -| `arbiter.containerSecurityContext.capabilities.drop` | Set Arbiter container's Security Context capabilities to drop | `["ALL"]` | -| `arbiter.resources.limits` | The resources limits for Arbiter containers | `{}` | -| `arbiter.resources.requests` | The requested resources for Arbiter containers | `{}` | -| `arbiter.containerPorts.mongodb` | MongoDB(®) arbiter container port | `27017` | -| `arbiter.livenessProbe.enabled` | Enable livenessProbe | `true` | -| 
`arbiter.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | -| `arbiter.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` | -| `arbiter.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | -| `arbiter.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `arbiter.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `arbiter.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `arbiter.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `arbiter.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `20` | -| `arbiter.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` | -| `arbiter.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `arbiter.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `arbiter.startupProbe.enabled` | Enable startupProbe | `false` | -| `arbiter.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | -| `arbiter.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `arbiter.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `arbiter.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | -| `arbiter.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `arbiter.customLivenessProbe` | Override default liveness probe for Arbiter containers | `{}` | -| `arbiter.customReadinessProbe` | Override default readiness probe for Arbiter containers | `{}` | -| `arbiter.customStartupProbe` | Override default startup probe for Arbiter containers | `{}` | -| `arbiter.initContainers` | Add additional init containers for the Arbiter pod(s) | `[]` | -| `arbiter.sidecars` | Add additional sidecar containers for the Arbiter pod(s) | `[]` | -| `arbiter.extraVolumeMounts` | 
Optionally specify extra list of additional volumeMounts for the Arbiter container(s) | `[]` | -| `arbiter.extraVolumes` | Optionally specify extra list of additional volumes to the Arbiter statefulset | `[]` | -| `arbiter.pdb.create` | Enable/disable a Pod Disruption Budget creation for Arbiter pod(s) | `false` | -| `arbiter.pdb.minAvailable` | Minimum number/percentage of Arbiter pods that should remain scheduled | `1` | -| `arbiter.pdb.maxUnavailable` | Maximum number/percentage of Arbiter pods that may be made unavailable | `""` | -| `arbiter.service.nameOverride` | The arbiter service name | `""` | -| `arbiter.service.ports.mongodb` | MongoDB(®) service port | `27017` | -| `arbiter.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `arbiter.service.annotations` | Provide any additional annotations that may be required | `{}` | -| `arbiter.service.headless.annotations` | Annotations for the headless service. | `{}` | +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `arbiter.enabled` | Enable deploying the arbiter | `true` | +| `arbiter.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `arbiter.hostAliases` | Add deployment host aliases | `[]` | +| `arbiter.configuration` | Arbiter configuration file to be used | `""` | +| `arbiter.existingConfigmap` | Name of existing ConfigMap with Arbiter configuration | `""` | +| `arbiter.command` | Override default container command (useful when using custom images) | `[]` | +| `arbiter.args` | Override default container args (useful when using custom images) | `[]` | +| `arbiter.extraFlags` | Arbiter additional command line flags | `[]` | +| 
`arbiter.extraEnvVars` | Extra environment variables to add to Arbiter pods | `[]` | +| `arbiter.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `arbiter.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | +| `arbiter.annotations` | Additional labels to be added to the Arbiter statefulset | `{}` | +| `arbiter.labels` | Annotations to be added to the Arbiter statefulset | `{}` | +| `arbiter.topologySpreadConstraints` | MongoDB(®) Spread Constraints for arbiter Pods | `[]` | +| `arbiter.lifecycleHooks` | LifecycleHook for the Arbiter container to automate configuration before or after startup | `{}` | +| `arbiter.terminationGracePeriodSeconds` | Arbiter Termination Grace Period | `""` | +| `arbiter.updateStrategy.type` | Strategy that will be employed to update Pods in the StatefulSet | `RollingUpdate` | +| `arbiter.podManagementPolicy` | Pod management policy for MongoDB(®) | `OrderedReady` | +| `arbiter.schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `arbiter.podAffinityPreset` | Arbiter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `arbiter.podAntiAffinityPreset` | Arbiter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `arbiter.nodeAffinityPreset.type` | Arbiter Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `arbiter.nodeAffinityPreset.key` | Arbiter Node label key to match Ignored if `affinity` is set. | `""` | +| `arbiter.nodeAffinityPreset.values` | Arbiter Node label values to match. Ignored if `affinity` is set. 
| `[]` | +| `arbiter.affinity` | Arbiter Affinity for pod assignment | `{}` | +| `arbiter.nodeSelector` | Arbiter Node labels for pod assignment | `{}` | +| `arbiter.tolerations` | Arbiter Tolerations for pod assignment | `[]` | +| `arbiter.podLabels` | Arbiter pod labels | `{}` | +| `arbiter.podAnnotations` | Arbiter Pod annotations | `{}` | +| `arbiter.priorityClassName` | Name of the existing priority class to be used by Arbiter pod(s) | `""` | +| `arbiter.runtimeClassName` | Name of the runtime class to be used by Arbiter pod(s) | `""` | +| `arbiter.podSecurityContext.enabled` | Enable Arbiter pod(s)' Security Context | `true` | +| `arbiter.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `arbiter.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `arbiter.podSecurityContext.fsGroup` | Group ID for the volumes of the Arbiter pod(s) | `1001` | +| `arbiter.podSecurityContext.sysctls` | sysctl settings of the Arbiter pod(s)' | `[]` | +| `arbiter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `arbiter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `arbiter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `arbiter.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `arbiter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `arbiter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `arbiter.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `arbiter.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `arbiter.containerSecurityContext.capabilities.drop` | List of capabilities to be 
dropped | `["ALL"]` | +| `arbiter.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `arbiter.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if arbiter.resources is set (arbiter.resources is recommended for production). | `small` | +| `arbiter.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `arbiter.containerPorts.mongodb` | MongoDB(®) arbiter container port | `27017` | +| `arbiter.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `arbiter.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `arbiter.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` | +| `arbiter.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `arbiter.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `arbiter.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `arbiter.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `arbiter.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `arbiter.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `20` | +| `arbiter.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` | +| `arbiter.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `arbiter.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `arbiter.startupProbe.enabled` | Enable startupProbe | `false` | +| `arbiter.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `arbiter.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `arbiter.startupProbe.timeoutSeconds` | Timeout 
seconds for startupProbe | `5` |
+| `arbiter.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
+| `arbiter.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `arbiter.customLivenessProbe` | Override default liveness probe for Arbiter containers | `{}` |
+| `arbiter.customReadinessProbe` | Override default readiness probe for Arbiter containers | `{}` |
+| `arbiter.customStartupProbe` | Override default startup probe for Arbiter containers | `{}` |
+| `arbiter.initContainers` | Add additional init containers for the Arbiter pod(s) | `[]` |
+| `arbiter.sidecars` | Add additional sidecar containers for the Arbiter pod(s) | `[]` |
+| `arbiter.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Arbiter container(s) | `[]` |
+| `arbiter.extraVolumes` | Optionally specify extra list of additional volumes to the Arbiter statefulset | `[]` |
+| `arbiter.pdb.create` | Enable/disable a Pod Disruption Budget creation for Arbiter pod(s) | `true` |
+| `arbiter.pdb.minAvailable` | Minimum number/percentage of Arbiter pods that should remain scheduled | `""` |
+| `arbiter.pdb.maxUnavailable` | Maximum number/percentage of Arbiter pods that may be made unavailable. Defaults to `1` if both `arbiter.pdb.minAvailable` and `arbiter.pdb.maxUnavailable` are empty. | `""` |
+| `arbiter.service.nameOverride` | The arbiter service name | `""` |
+| `arbiter.service.ports.mongodb` | MongoDB(®) service port | `27017` |
+| `arbiter.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `arbiter.service.annotations` | Provide any additional annotations that may be required | `{}` |
+| `arbiter.service.headless.annotations` | Annotations for the headless service.
| `{}` |
 ### Hidden Node parameters
-| Name | Description | Value |
-| ---------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------- |
-| `hidden.enabled` | Enable deploying the hidden nodes | `false` |
-| `hidden.hostAliases` | Add deployment host aliases | `[]` |
-| `hidden.configuration` | Hidden node configuration file to be used | `""` |
-| `hidden.existingConfigmap` | Name of existing ConfigMap with Hidden node configuration | `""` |
-| `hidden.command` | Override default container command (useful when using custom images) | `[]` |
-| `hidden.args` | Override default container args (useful when using custom images) | `[]` |
-| `hidden.extraFlags` | Hidden node additional command line flags | `[]` |
-| `hidden.extraEnvVars` | Extra environment variables to add to Hidden node pods | `[]` |
-| `hidden.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
-| `hidden.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` |
-| `hidden.annotations` | Additional labels to be added to thehidden node statefulset | `{}` |
-| `hidden.labels` | Annotations to be added to the hidden node statefulset | `{}` |
-| `hidden.topologySpreadConstraints` | MongoDB(®) Spread Constraints for hidden Pods | `[]` |
-| `hidden.lifecycleHooks` | LifecycleHook for the Hidden container to automate configuration before or after startup | `{}` |
-| `hidden.replicaCount` | Number of hidden nodes (only when `architecture=replicaset`) | `1` |
-| `hidden.terminationGracePeriodSeconds` | Hidden Termination Grace Period | `""` |
-| `hidden.updateStrategy.type` | Strategy that will be employed to update Pods in the StatefulSet | `RollingUpdate` |
-| `hidden.podManagementPolicy` | Pod management policy for hidden node | `OrderedReady` |
-| `hidden.schedulerName` | Name of the scheduler (other than
default) to dispatch pods | `""` |
-| `hidden.podAffinityPreset` | Hidden node Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `hidden.podAntiAffinityPreset` | Hidden node Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
-| `hidden.nodeAffinityPreset.type` | Hidden Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `hidden.nodeAffinityPreset.key` | Hidden Node label key to match Ignored if `affinity` is set. | `""` |
-| `hidden.nodeAffinityPreset.values` | Hidden Node label values to match. Ignored if `affinity` is set. | `[]` |
-| `hidden.affinity` | Hidden node Affinity for pod assignment | `{}` |
-| `hidden.nodeSelector` | Hidden node Node labels for pod assignment | `{}` |
-| `hidden.tolerations` | Hidden node Tolerations for pod assignment | `[]` |
-| `hidden.podLabels` | Hidden node pod labels | `{}` |
-| `hidden.podAnnotations` | Hidden node Pod annotations | `{}` |
-| `hidden.priorityClassName` | Name of the existing priority class to be used by hidden node pod(s) | `""` |
-| `hidden.runtimeClassName` | Name of the runtime class to be used by hidden node pod(s) | `""` |
-| `hidden.podSecurityContext.enabled` | Enable Hidden pod(s)' Security Context | `true` |
-| `hidden.podSecurityContext.fsGroup` | Group ID for the volumes of the Hidden pod(s) | `1001` |
-| `hidden.podSecurityContext.sysctls` | sysctl settings of the Hidden pod(s)' | `[]` |
-| `hidden.containerSecurityContext.enabled` | Enable Hidden container(s)' Security Context | `true` |
-| `hidden.containerSecurityContext.runAsUser` | User ID for the Hidden container | `1001` |
-| `hidden.containerSecurityContext.runAsGroup` | Group ID for the Hidden container | `0` |
-| `hidden.containerSecurityContext.runAsNonRoot` | Set Hidden containers' Security Context runAsNonRoot | `true` |
-| `hidden.containerSecurityContext.allowPrivilegeEscalation` | Set
Hidden containers' Security Context allowPrivilegeEscalation | `false` |
-| `hidden.containerSecurityContext.seccompProfile.type` | Set Hidden container's Security Context seccompProfile type | `RuntimeDefault` |
-| `hidden.containerSecurityContext.capabilities.drop` | Set Hidden container's Security Context capabilities to drop | `["ALL"]` |
-| `hidden.resources.limits` | The resources limits for hidden node containers | `{}` |
-| `hidden.resources.requests` | The requested resources for hidden node containers | `{}` |
-| `hidden.containerPorts.mongodb` | MongoDB(®) hidden container port | `27017` |
-| `hidden.livenessProbe.enabled` | Enable livenessProbe | `true` |
-| `hidden.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
-| `hidden.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` |
-| `hidden.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` |
-| `hidden.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
-| `hidden.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `hidden.readinessProbe.enabled` | Enable readinessProbe | `true` |
-| `hidden.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
-| `hidden.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `20` |
-| `hidden.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` |
-| `hidden.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
-| `hidden.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `hidden.startupProbe.enabled` | Enable startupProbe | `false` |
-| `hidden.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
-| `hidden.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `hidden.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-|
`hidden.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
-| `hidden.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `hidden.customLivenessProbe` | Override default liveness probe for hidden node containers | `{}` |
-| `hidden.customReadinessProbe` | Override default readiness probe for hidden node containers | `{}` |
-| `hidden.customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` |
-| `hidden.initContainers` | Add init containers to the MongoDB(®) Hidden pods. | `[]` |
-| `hidden.sidecars` | Add additional sidecar containers for the hidden node pod(s) | `[]` |
-| `hidden.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the hidden node container(s) | `[]` |
-| `hidden.extraVolumes` | Optionally specify extra list of additional volumes to the hidden node statefulset | `[]` |
-| `hidden.pdb.create` | Enable/disable a Pod Disruption Budget creation for hidden node pod(s) | `false` |
-| `hidden.pdb.minAvailable` | Minimum number/percentage of hidden node pods that should remain scheduled | `1` |
-| `hidden.pdb.maxUnavailable` | Maximum number/percentage of hidden node pods that may be made unavailable | `""` |
-| `hidden.persistence.enabled` | Enable hidden node data persistence using PVC | `true` |
-| `hidden.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
-| `hidden.persistence.storageClass` | PVC Storage Class for hidden node data volume | `""` |
-| `hidden.persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` |
-| `hidden.persistence.size` | PVC Storage Request for hidden node data volume | `8Gi` |
-| `hidden.persistence.annotations` | PVC annotations | `{}` |
-| `hidden.persistence.mountPath` | The path the volume will be mounted at, useful when using different MongoDB(®) images.
| `/bitnami/mongodb` |
-| `hidden.persistence.subPath` | The subdirectory of the volume to mount to, useful in dev environments | `""` |
-| `hidden.persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` |
-| `hidden.persistence.volumeClaimTemplates.requests` | Custom PVC requests attributes | `{}` |
-| `hidden.persistence.volumeClaimTemplates.dataSource` | Set volumeClaimTemplate dataSource | `{}` |
-| `hidden.service.portName` | MongoDB(®) service port name | `mongodb` |
-| `hidden.service.ports.mongodb` | MongoDB(®) service port | `27017` |
-| `hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `hidden.service.annotations` | Provide any additional annotations that may be required | `{}` |
-| `hidden.service.headless.annotations` | Annotations for the headless service. | `{}` |
+| Name | Description | Value |
+| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
+| `hidden.enabled` | Enable deploying the hidden nodes | `false` |
+| `hidden.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
+| `hidden.hostAliases` | Add deployment host aliases | `[]` |
+| `hidden.configuration` | Hidden node configuration file to be used | `""` |
+| `hidden.existingConfigmap` | Name of existing ConfigMap with Hidden node configuration | `""` |
+| `hidden.command` | Override default container command (useful when using custom images) | `[]` |
+| `hidden.args` | Override default container args (useful when using custom images) | `[]` |
+| `hidden.extraFlags` | Hidden node additional command line flags | `[]` |
+| `hidden.extraEnvVars` | Extra environment variables to add
to Hidden node pods | `[]` |
+| `hidden.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
+| `hidden.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` |
+| `hidden.annotations` | Additional labels to be added to thehidden node statefulset | `{}` |
+| `hidden.labels` | Annotations to be added to the hidden node statefulset | `{}` |
+| `hidden.topologySpreadConstraints` | MongoDB(®) Spread Constraints for hidden Pods | `[]` |
+| `hidden.lifecycleHooks` | LifecycleHook for the Hidden container to automate configuration before or after startup | `{}` |
+| `hidden.replicaCount` | Number of hidden nodes (only when `architecture=replicaset`) | `1` |
+| `hidden.terminationGracePeriodSeconds` | Hidden Termination Grace Period | `""` |
+| `hidden.updateStrategy.type` | Strategy that will be employed to update Pods in the StatefulSet | `RollingUpdate` |
+| `hidden.podManagementPolicy` | Pod management policy for hidden node | `OrderedReady` |
+| `hidden.schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` |
+| `hidden.podAffinityPreset` | Hidden node Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `hidden.podAntiAffinityPreset` | Hidden node Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `hidden.nodeAffinityPreset.type` | Hidden Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `hidden.nodeAffinityPreset.key` | Hidden Node label key to match Ignored if `affinity` is set. | `""` |
+| `hidden.nodeAffinityPreset.values` | Hidden Node label values to match. Ignored if `affinity` is set.
| `[]` |
+| `hidden.affinity` | Hidden node Affinity for pod assignment | `{}` |
+| `hidden.nodeSelector` | Hidden node Node labels for pod assignment | `{}` |
+| `hidden.tolerations` | Hidden node Tolerations for pod assignment | `[]` |
+| `hidden.podLabels` | Hidden node pod labels | `{}` |
+| `hidden.podAnnotations` | Hidden node Pod annotations | `{}` |
+| `hidden.priorityClassName` | Name of the existing priority class to be used by hidden node pod(s) | `""` |
+| `hidden.runtimeClassName` | Name of the runtime class to be used by hidden node pod(s) | `""` |
+| `hidden.podSecurityContext.enabled` | Enable Hidden pod(s)' Security Context | `true` |
+| `hidden.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `hidden.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `hidden.podSecurityContext.fsGroup` | Group ID for the volumes of the Hidden pod(s) | `1001` |
+| `hidden.podSecurityContext.sysctls` | sysctl settings of the Hidden pod(s)' | `[]` |
+| `hidden.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `hidden.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `hidden.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `hidden.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
+| `hidden.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `hidden.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `hidden.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
+| `hidden.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `hidden.containerSecurityContext.capabilities.drop` | List of capabilities to be
dropped | `["ALL"]` |
+| `hidden.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `hidden.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). | `micro` |
+| `hidden.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `hidden.containerPorts.mongodb` | MongoDB(®) hidden container port | `27017` |
+| `hidden.livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `hidden.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
+| `hidden.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` |
+| `hidden.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` |
+| `hidden.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `hidden.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `hidden.readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `hidden.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `hidden.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `20` |
+| `hidden.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` |
+| `hidden.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `hidden.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `hidden.startupProbe.enabled` | Enable startupProbe | `false` |
+| `hidden.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
+| `hidden.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `hidden.startupProbe.timeoutSeconds` | Timeout seconds for
startupProbe | `5` |
+| `hidden.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
+| `hidden.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `hidden.customLivenessProbe` | Override default liveness probe for hidden node containers | `{}` |
+| `hidden.customReadinessProbe` | Override default readiness probe for hidden node containers | `{}` |
+| `hidden.customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` |
+| `hidden.initContainers` | Add init containers to the MongoDB(®) Hidden pods. | `[]` |
+| `hidden.sidecars` | Add additional sidecar containers for the hidden node pod(s) | `[]` |
+| `hidden.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the hidden node container(s) | `[]` |
+| `hidden.extraVolumes` | Optionally specify extra list of additional volumes to the hidden node statefulset | `[]` |
+| `hidden.pdb.create` | Enable/disable a Pod Disruption Budget creation for hidden node pod(s) | `true` |
+| `hidden.pdb.minAvailable` | Minimum number/percentage of hidden node pods that should remain scheduled | `""` |
+| `hidden.pdb.maxUnavailable` | Maximum number/percentage of hidden node pods that may be made unavailable. Defaults to `1` if both `hidden.pdb.minAvailable` and `hidden.pdb.maxUnavailable` are empty. | `""` |
+| `hidden.persistence.enabled` | Enable hidden node data persistence using PVC | `true` |
+| `hidden.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
+| `hidden.persistence.storageClass` | PVC Storage Class for hidden node data volume | `""` |
+| `hidden.persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` |
+| `hidden.persistence.size` | PVC Storage Request for hidden node data volume | `8Gi` |
+| `hidden.persistence.annotations` | PVC annotations | `{}` |
+| `hidden.persistence.mountPath` | The path the volume will be mounted at, useful when using different MongoDB(®) images.
| `/bitnami/mongodb` |
+| `hidden.persistence.subPath` | The subdirectory of the volume to mount to, useful in dev environments | `""` |
+| `hidden.persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` |
+| `hidden.persistence.volumeClaimTemplates.requests` | Custom PVC requests attributes | `{}` |
+| `hidden.persistence.volumeClaimTemplates.dataSource` | Set volumeClaimTemplate dataSource | `{}` |
+| `hidden.service.portName` | MongoDB(®) service port name | `mongodb` |
+| `hidden.service.ports.mongodb` | MongoDB(®) service port | `27017` |
+| `hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `hidden.service.annotations` | Provide any additional annotations that may be required | `{}` |
+| `hidden.service.headless.annotations` | Annotations for the headless service. | `{}` |
 ### Metrics parameters
-| Name | Description | Value |
-| -------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
-| `metrics.enabled` | Enable using a sidecar Prometheus exporter | `false` |
-| `metrics.image.registry` | MongoDB(®) Prometheus exporter image registry | `docker.io` |
-| `metrics.image.repository` | MongoDB(®) Prometheus exporter image repository | `bitnami/mongodb-exporter` |
-| `metrics.image.tag` | MongoDB(®) Prometheus exporter image tag (immutable tags are recommended) | `0.39.0-debian-11-r53` |
-| `metrics.image.digest` | MongoDB(®) image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag | `""` |
-| `metrics.image.pullPolicy` | MongoDB(®) Prometheus exporter image pull policy | `IfNotPresent` |
-| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
-| `metrics.username` | String with username for the metrics exporter | `""` |
-| `metrics.password` | String with password for the metrics exporter | `""` |
-| `metrics.compatibleMode` | Enables old style mongodb-exporter metrics | `true` |
-| `metrics.collector.all` | Enable all collectors. Same as enabling all individual metrics | `false` |
-| `metrics.collector.diagnosticdata` | Boolean Enable collecting metrics from getDiagnosticData | `true` |
-| `metrics.collector.replicasetstatus` | Boolean Enable collecting metrics from replSetGetStatus | `true` |
-| `metrics.collector.dbstats` | Boolean Enable collecting metrics from dbStats | `false` |
-| `metrics.collector.topmetrics` | Boolean Enable collecting metrics from top admin command | `false` |
-| `metrics.collector.indexstats` | Boolean Enable collecting metrics from $indexStats | `false` |
-| `metrics.collector.collstats` | Boolean Enable collecting metrics from $collStats | `false` |
-| `metrics.collector.collstatsColls` | List of \.\ to get $collStats | `[]` |
-| `metrics.collector.indexstatsColls` | List - List of \.\ to get $indexStats | `[]` |
-| `metrics.collector.collstatsLimit` | Number - Disable collstats, dbstats, topmetrics and indexstats collector if there are more than \ collections.
0=No limit | `0` |
-| `metrics.extraFlags` | String with extra flags to the metrics exporter | `""` |
-| `metrics.command` | Override default container command (useful when using custom images) | `[]` |
-| `metrics.args` | Override default container args (useful when using custom images) | `[]` |
-| `metrics.resources.limits` | The resources limits for Prometheus exporter containers | `{}` |
-| `metrics.resources.requests` | The requested resources for Prometheus exporter containers | `{}` |
-| `metrics.containerPort` | Port of the Prometheus metrics container | `9216` |
-| `metrics.service.annotations` | Annotations for Prometheus Exporter pods. Evaluated as a template. | `{}` |
-| `metrics.service.type` | Type of the Prometheus metrics service | `ClusterIP` |
-| `metrics.service.ports.metrics` | Port of the Prometheus metrics service | `9216` |
-| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` |
-| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` |
-| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
-| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` |
-| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
-| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` |
-| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
-| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
-| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` |
-| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
-| `metrics.readinessProbe.successThreshold` | Success threshold for
readinessProbe | `1` |
-| `metrics.startupProbe.enabled` | Enable startupProbe | `false` |
-| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
-| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
-| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `metrics.customLivenessProbe` | Override default liveness probe for MongoDB(®) containers | `{}` |
-| `metrics.customReadinessProbe` | Override default readiness probe for MongoDB(®) containers | `{}` |
-| `metrics.customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` |
-| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the metrics container(s) | `[]` |
-| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` |
-| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` |
-| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` |
-| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` |
-| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` |
-| `metrics.serviceMonitor.metricRelabelings` | MetricsRelabelConfigs to apply to samples before ingestion.
| `[]` |
-| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` |
-| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
-| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
-| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
-| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` |
-| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` |
-| `metrics.prometheusRule.namespace` | Namespace where prometheusRules resource should be created | `""` |
-| `metrics.prometheusRule.rules` | Rules to be created, check values for an example | `[]` |
+| Name | Description | Value |
+| -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- |
+| `metrics.enabled` | Enable using a sidecar Prometheus exporter | `false` |
+| `metrics.image.registry` | MongoDB(®) Prometheus exporter image registry | `REGISTRY_NAME` |
+| `metrics.image.repository` | MongoDB(®) Prometheus exporter image repository | `REPOSITORY_NAME/mongodb-exporter` |
+| `metrics.image.digest` | MongoDB(®) image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag | `""` |
+| `metrics.image.pullPolicy` | MongoDB(®) Prometheus exporter image pull policy | `IfNotPresent` |
+| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
+| `metrics.username` | String with username for the metrics exporter | `""` |
+| `metrics.password` | String with password for the metrics exporter | `""` |
+| `metrics.compatibleMode` | Enables old style mongodb-exporter metrics | `true` |
+| `metrics.collector.all` | Enable all collectors. Same as enabling all individual metrics | `false` |
+| `metrics.collector.diagnosticdata` | Boolean Enable collecting metrics from getDiagnosticData | `true` |
+| `metrics.collector.replicasetstatus` | Boolean Enable collecting metrics from replSetGetStatus | `true` |
+| `metrics.collector.dbstats` | Boolean Enable collecting metrics from dbStats | `false` |
+| `metrics.collector.topmetrics` | Boolean Enable collecting metrics from top admin command | `false` |
+| `metrics.collector.indexstats` | Boolean Enable collecting metrics from $indexStats | `false` |
+| `metrics.collector.collstats` | Boolean Enable collecting metrics from $collStats | `false` |
+| `metrics.collector.collstatsColls` | List of \.\ to get $collStats | `[]` |
+| `metrics.collector.indexstatsColls` | List - List of \.\ to get $indexStats | `[]` |
+| `metrics.collector.collstatsLimit` | Number - Disable collstats, dbstats, topmetrics and indexstats collector if there are more than \ collections. 0=No limit | `0` |
+| `metrics.extraFlags` | String with extra flags to the metrics exporter | `""` |
+| `metrics.command` | Override default container command (useful when using custom images) | `[]` |
+| `metrics.args` | Override default container args (useful when using custom images) | `[]` |
+| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge).
This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` |
+| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `metrics.containerPort` | Port of the Prometheus metrics container | `9216` |
+| `metrics.service.annotations` | Annotations for Prometheus Exporter pods. Evaluated as a template. | `{}` |
+| `metrics.service.type` | Type of the Prometheus metrics service | `ClusterIP` |
+| `metrics.service.ports.metrics` | Port of the Prometheus metrics service | `9216` |
+| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` |
+| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
+| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` |
+| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
+| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
+| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` |
+| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
+| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `metrics.startupProbe.enabled` | Enable startupProbe | `false` |
+| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
+| `metrics.startupProbe.periodSeconds` | Period seconds for
startupProbe | `10` |
+| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
+| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `metrics.customLivenessProbe` | Override default liveness probe for MongoDB(®) containers | `{}` |
+| `metrics.customReadinessProbe` | Override default readiness probe for MongoDB(®) containers | `{}` |
+| `metrics.customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` |
+| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the metrics container(s) | `[]` |
+| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` |
+| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` |
+| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` |
+| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` |
+| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` |
+| `metrics.serviceMonitor.metricRelabelings` | MetricsRelabelConfigs to apply to samples before ingestion. | `[]` |
+| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` |
+| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
+| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
+| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus.
| `""` |
+| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` |
+| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` |
+| `metrics.prometheusRule.namespace` | Namespace where prometheusRules resource should be created | `""` |
+| `metrics.prometheusRule.rules` | Rules to be created, check values for an example | `[]` |
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 ```console
 helm install my-release \
 --set auth.rootPassword=secretpassword,auth.username=my-user,auth.password=my-password,auth.database=my-database \
- oci://registry-1.docker.io/bitnamicharts/mongodb
+ oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb
 ```
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+
 The above command sets the MongoDB(®) `root` account password to `secretpassword`. Additionally, it creates a standard database user named `my-user`, with the password `my-password`, who has access to a database named `my-database`.
 > NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
@@ -600,93 +1015,11 @@ The above command sets the MongoDB(®) `root` account password to `secretpass Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, ```console -helm install my-release -f values.yaml oci://registry-1.docker.io/bitnamicharts/mongodb -``` - -> **Tip**: You can use the default [values.yaml](values.yaml) - -## Configuration and installation details - -### [Rolling vs Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. - -### Customize a new MongoDB instance - -The [Bitnami MongoDB(®) image](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) supports the use of custom scripts to initialize a fresh instance. In order to execute the scripts, two options are available: - -- Specify them using the `initdbScripts` parameter as dict. -- Define an external Kubernetes ConfigMap with all the initialization scripts by setting the `initdbScriptsConfigMap` parameter. Note that this will override the previous option. - -The allowed script extensions are `.sh` and `.js`. - -### Replicaset: Access MongoDB(®) nodes from outside the cluster - -In order to access MongoDB(®) nodes from outside the cluster when using a replicaset architecture, a specific service per MongoDB(®) pod will be created. There are two ways of configuring external access: - -- Using LoadBalancer services -- Using NodePort services. 
- -Refer to the [chart documentation for more details and configuration examples](https://docs.bitnami.com/kubernetes/infrastructure/mongodb/configuration/configure-external-access-replicaset/). - -### Bootstrapping with an External Cluster - -This chart is equipped with the ability to bring online a set of Pods that connect to an existing MongoDB(®) deployment that lies outside of Kubernetes. This effectively creates a hybrid MongoDB(®) Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single MongoDB(®) Deployment. This is helpful in situations where one may be migrating MongoDB(®) from Virtual Machines into Kubernetes, for example. To take advantage of this, use the following as an example configuration: - -```yaml -externalAccess: - externalMaster: - enabled: true - host: external-mongodb-0.internal -``` - -:warning: To bootstrap MongoDB(®) with an external master that lies outside of Kubernetes, be sure to set up external access using any of the suggested methods in this chart to have connectivity between the MongoDB(®) members. :warning: - -### Add extra environment variables - -To add extra environment variables (useful for advanced operations like custom init scripts), use the `extraEnvVars` property. - -```yaml -extraEnvVars: - - name: LOG_LEVEL - value: error +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb ``` -Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` properties. - -### Use Sidecars and Init Containers - -If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. Similarly, extra init containers can be added using the `initContainers` parameter. 
- -Refer to the chart documentation for more information on, and examples of, configuring and using [sidecars and init containers](https://docs.bitnami.com/kubernetes/infrastructure/mongodb/configuration/configure-sidecar-init-containers/). - -## Persistence - -The [Bitnami MongoDB(®)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) image stores the MongoDB(®) data and configurations at the `/bitnami/mongodb` path of the container. - -The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at this location. The volume is created using dynamic volume provisioning. - -If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). - -## Use custom Prometheus rules - -Custom Prometheus rules can be defined for the Prometheus Operator by using the `prometheusRule` parameter. - -Refer to the [chart documentation for an example of a custom rule](https://docs.bitnami.com/kubernetes/infrastructure/mongodb/administration/use-prometheus-rules/). - -## Enable SSL/TLS - -This chart supports enabling SSL/TLS between nodes in the cluster, as well as between MongoDB(®) clients and nodes, by setting the `MONGODB_EXTRA_FLAGS` and `MONGODB_CLIENT_EXTRA_FLAGS` container environment variables, together with the correct `MONGODB_ADVERTISED_HOSTNAME`. To enable full TLS encryption, set the `tls.enabled` parameter to `true`. - -Refer to the [chart documentation for more information on enabling TLS](https://docs.bitnami.com/kubernetes/infrastructure/mongodb/administration/enable-tls/). - -### Set Pod affinity - -This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). 
- -As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/mongodb/values.yaml) ## Troubleshooting 
@@ -697,11 +1030,27 @@ Find more information about how to deal with common errors related to Bitnami's If authentication is enabled, it's necessary to set the `auth.rootPassword` (also `auth.replicaSetKey` when using a replicaset architecture) when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Credentials' section. Please note down the password, and run the command below to upgrade your chart: ```console -helm upgrade my-release oci://registry-1.docker.io/bitnamicharts/mongodb --set auth.rootPassword=[PASSWORD] (--set auth.replicaSetKey=[REPLICASETKEY]) +helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb --set auth.rootPassword=[PASSWORD] (--set auth.replicaSetKey=[REPLICASETKEY]) ``` +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. > Note: you need to substitute the placeholders [PASSWORD] and [REPLICASETKEY] with the values obtained in the installation notes. +### To 16.0.0 + +To upgrade to MongoDB `8.0` from a `7.0` deployment, the `7.0` deployment must have `featureCompatibilityVersion` set to `7.0`. Please refer to the [official documentation](https://www.mongodb.com/docs/manual/release-notes/8.0/#upgrade-procedures). + +### To 15.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. 
+
+This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
+
 ### To 12.0.0
 This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository.
@@ -729,8 +1078,6 @@ Please visit the release notes from the upstream project at
+ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/helm/mongodb/templates/mongodb-pvc.yaml b/helm/mongodb/mongodb-pv.yaml
similarity index 100%
rename from helm/mongodb/templates/mongodb-pvc.yaml
rename to helm/mongodb/mongodb-pv.yaml
diff --git a/helm/mongodb/templates/_helpers.tpl b/helm/mongodb/templates/_helpers.tpl
index cd8afdcb..37ad98aa 100644
--- a/helm/mongodb/templates/_helpers.tpl
+++ b/helm/mongodb/templates/_helpers.tpl
@@ -1,5 +1,5 @@
 {{/*
-Copyright VMware, Inc.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
@@ -74,6 +74,13 @@ Return the proper image name (for the init container auto-discovery image)
 {{- include "common.images.image" (dict "imageRoot" .Values.externalAccess.autoDiscovery.image "global" .Values.global) -}}
 {{- end -}}
+{{/*
+Return the proper image name (for the init container dns-check image)
+*/}}
+{{- define "mongodb.externalAccess.dnsCheck.image" -}}
+{{- include "common.images.image" (dict "imageRoot" .Values.externalAccess.dnsCheck.image "global" .Values.global) -}}
+{{- end -}}
+
 {{/*
 Return the proper image name (for the TLS Certs image)
 */}}
@@ -85,7 +92,7 @@ Return the proper image name (for the TLS Certs image)
 Return the proper Docker Image Registry Secret Names
 */}}
 {{- define "mongodb.imagePullSecrets" -}}
-{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image .Values.tls.image) "global" .Values.global) -}}
+{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image .Values.tls.image .Values.externalAccess.dnsCheck.image .Values.externalAccess.autoDiscovery.image) "context" $) -}}
 {{- end -}}
 {{/*
@@ -215,12 +222,138 @@ Get the initialization scripts ConfigMap name.
 */}}
 {{- define "mongodb.initdbScriptsCM" -}}
 {{- if .Values.initdbScriptsConfigMap -}}
-{{- printf "%s" .Values.initdbScriptsConfigMap -}}
+{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}}
 {{- else -}}
 {{- printf "%s-init-scripts" (include "mongodb.fullname" .) -}}
 {{- end -}}
 {{- end -}}
+{{/*
+Get initial primary host to configure MongoDB cluster.
+*/}}
+{{- define "mongodb.initialPrimaryHost" -}}
+{{ ternary ( printf "%s-0.$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.%s" (include "mongodb.fullname" .) .Values.clusterDomain ) ( first .Values.externalAccess.service.publicNames ) ( empty .Values.externalAccess.service.publicNames ) }}
+{{- end -}}
+
+{{/*
+Init container definition to change/establish volume permissions.
+*/}}
+{{- define "mongodb.initContainer.volumePermissions" }}
+- name: volume-permissions
+ image: {{ include "mongodb.volumePermissions.image" . }}
+ imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+ command:
+ - /bin/bash
+ args:
+ - -ec
+ - |
+ mkdir -p {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }}
+ chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }}
+ find {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}
+ {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+ securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }}
+ {{- else }}
+ securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }}
+ {{- end }}
+ {{- if .Values.volumePermissions.resources }}
+ resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
+ {{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - name: {{ .Values.persistence.name | default "datadir" }}
+ mountPath: {{ .Values.persistence.mountPath }}
+{{- end -}}
+
+{{/*
+Init container definition to recover log dir.
+*/}}
+{{- define "mongodb.initContainer.prepareLogDir" }}
+- name: log-dir
+ image: {{ include "mongodb.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ command:
+ - /bin/bash
+ args:
+ - -ec
+ - |
+ ln -sf /dev/stdout "/opt/bitnami/mongodb/logs/mongodb.log"
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- else if ne .Values.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: empty-dir
+ mountPath: /opt/bitnami/mongodb/logs
+ subPath: app-logs-dir
+{{- end -}}
+
+{{/*
+Init container definition to get external IP addresses.
+*/}}
+{{- define "mongodb.initContainers.autoDiscovery" -}}
+- name: auto-discovery
+ image: {{ include "mongodb.externalAccess.autoDiscovery.image" . }}
+ imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }}
+ # We need the service account token for contacting the k8s API
+ command:
+ - /scripts/auto-discovery.sh
+ env:
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: SHARED_FILE
+ value: "/shared/info.txt"
+ {{- if .Values.externalAccess.autoDiscovery.resources }}
+ resources: {{- toYaml .Values.externalAccess.autoDiscovery.resources | nindent 12 }}
+ {{- else if ne .Values.externalAccess.autoDiscovery.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.autoDiscovery.resourcesPreset) | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: shared
+ mountPath: /shared
+ - name: scripts
+ mountPath: /scripts/auto-discovery.sh
+ subPath: auto-discovery.sh
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+{{- end -}}
+
+{{/*
+Init container definition to wait external DNS names.
+*/}}
+{{- define "mongodb.initContainers.dnsCheck" -}}
+- name: dns-check
+ image: {{ include "mongodb.externalAccess.dnsCheck.image" . }}
+ imagePullPolicy: {{ .Values.externalAccess.dnsCheck.image.pullPolicy | quote }}
+ command:
+ - /bin/bash
+ args:
+ - -ec
+ - |
+ # MONGODB_INITIAL_PRIMARY_HOST should be resolvable
+ while ! (getent ahosts "{{ include "mongodb.initialPrimaryHost" . }}" | grep STREAM); do
+ sleep 10
+ done
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.externalAccess.dnsCheck.resources }}
+ resources: {{- toYaml .Values.externalAccess.dnsCheck.resources | nindent 12 }}
+ {{- else if ne .Values.externalAccess.dnsCheck.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.dnsCheck.resourcesPreset) | nindent 12 }}
+ {{- end }}
+{{- end -}}
+
 {{/*
 Return true if the Arbiter should be deployed
 */}}
@@ -294,6 +427,7 @@ Compile all warnings into a single message, and call fail.
 {{- $messages := append $messages (include "mongodb.validateValues.loadBalancerIPsListLength" .) -}}
 {{- $messages := append $messages (include "mongodb.validateValues.nodePortListLength" .) -}}
 {{- $messages := append $messages (include "mongodb.validateValues.externalAccessAutoDiscoveryRBAC" .) -}}
+{{- $messages := append $messages (include "mongodb.validateValues.externalAccessAutoDiscoverySA" .) -}}
 {{- $messages := append $messages (include "mongodb.validateValues.replicaset.existingSecrets" .) -}}
 {{- $messages := append $messages (include "mongodb.validateValues.hidden.existingSecrets" .) -}}
 {{- $messages := without $messages "" -}}
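Review bot: The dns-check init container renders `mongodb.initialPrimaryHost` into a bash script, and that helper's fallback branch emits `$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE)`; kubelet expands `$(VAR)` in `args` only for variables declared in that container's `env`, and dns-check declares no `env` at all, so the literal reaches bash as a command substitution of non-existent commands and the loop can never succeed on that path. If the StatefulSet (outside this hunk) only renders dns-check when `externalAccess.service.publicNames` is non-empty, the path is unreachable today, but a template comment stating that precondition above the `define` would prevent a silent hang later. Independently, `while ! (...); do sleep 10; done` has no retry bound, so a mistyped `publicNames` entry leaves the pod in Init indefinitely with nothing in the log that names the host; a bounded loop that fails with a message is easier to diagnose, as sketched below (the attempt limit is a constructed example).
```yaml
    - |
      # MONGODB_INITIAL_PRIMARY_HOST should be resolvable; fail after a bounded number of
      # attempts so a wrong publicNames entry surfaces instead of hanging in Init forever
      attempts=0
      while ! (getent ahosts "{{ include "mongodb.initialPrimaryHost" . }}" | grep STREAM); do
        attempts=$((attempts + 1))
        if [ "$attempts" -ge 60 ]; then
          echo "{{ include "mongodb.initialPrimaryHost" . }} did not resolve after $attempts attempts" >&2
          exit 1
        fi
        sleep 10
      done
  # … unchanged: securityContext / resources …
```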
@@ -364,9 +498,18 @@ Validate values of MongoDB® - number of replicas must be the same than LoadB
 {{- define "mongodb.validateValues.loadBalancerIPsListLength" -}}
 {{- $replicaCount := int .Values.replicaCount }}
 {{- $loadBalancerListLength := len .Values.externalAccess.service.loadBalancerIPs }}
-{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled ) (eq .Values.externalAccess.service.type "LoadBalancer") (not (eq $replicaCount $loadBalancerListLength )) -}}
+{{- $publicNamesListLength := len .Values.externalAccess.service.publicNames }}
+{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "LoadBalancer") -}}
+{{- if and (not .Values.externalAccess.autoDiscovery.enabled) (eq $loadBalancerListLength 0) (eq $publicNamesListLength 0) -}}
+mongodb: .Values.externalAccess.service.loadBalancerIPs, .Values.externalAccess.service.publicNames
+ externalAccess.service.loadBalancerIPs, externalAccess.service.publicNames or externalAccess.autoDiscovery.enabled are required when externalAccess is enabled.
+{{- else if and (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerListLength )) (not (eq $loadBalancerListLength 0)) -}}
 mongodb: .Values.externalAccess.service.loadBalancerIPs
- Number of replicas and loadBalancerIPs array length must be the same.
+ Number of replicas ({{ $replicaCount }}) and loadBalancerIPs array length ({{ $loadBalancerListLength }}) must be the same.
+{{- else if and (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $publicNamesListLength )) (not (eq $publicNamesListLength 0)) -}}
+mongodb: .Values.externalAccess.service.publicNames
+ Number of replicas ({{ $replicaCount }}) and publicNames array length ({{ $publicNamesListLength }}) must be the same.
+{{- end -}}
 {{- end -}}
 {{- end -}}
@@ -376,9 +519,14 @@ Validate values of MongoDB® - number of replicas must be the same than NodeP
 {{- define "mongodb.validateValues.nodePortListLength" -}}
 {{- $replicaCount := int .Values.replicaCount }}
 {{- $nodePortListLength := len .Values.externalAccess.service.nodePorts }}
-{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "NodePort") (not (eq $replicaCount $nodePortListLength )) -}}
+{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "NodePort") -}}
+{{- if and (not .Values.externalAccess.autoDiscovery.enabled) (eq $nodePortListLength 0) -}}
 mongodb: .Values.externalAccess.service.nodePorts
- Number of replicas and nodePorts array length must be the same.
+ externalAccess.service.nodePorts or externalAccess.autoDiscovery.enabled are required when externalAccess is enabled.
+{{- else if and (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $nodePortListLength )) -}}
+mongodb: .Values.externalAccess.service.nodePorts
+ Number of replicas ({{ $replicaCount }}) and nodePorts ({{ $nodePortListLength }}) array length must be the same.
+{{- end -}}
 {{- end -}}
 {{- end -}}
@@ -395,6 +543,19 @@ mongodb: rbac.create
 {{- end -}}
 {{- end -}}
+{{/*
+Validate values of MongoDB® - automountServiceAccountToken should be enabled when autoDiscovery is enabled
+*/}}
+{{- define "mongodb.validateValues.externalAccessAutoDiscoverySA" -}}
+{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (not .Values.automountServiceAccountToken ) }}
+mongodb: automountServiceAccountToken
+ By specifying "externalAccess.enabled=true" and "externalAccess.autoDiscovery.enabled=true"
+ an initContainer will be used to autodetect the external IPs/ports by querying the
+ K8s API. Please note this initContainer requires a service account to access K8S API.
+ You can attach it to the pod by specifying "--set automountServiceAccountToken=true".
+{{- end -}}
+{{- end -}}
+
 {{/*
 Validate values of MongoDB® - Number of replicaset secrets must be the same than number of replicaset nodes.
 */}}
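Review bot: The remediation text in the new validator tells the operator to set the pod-wide `automountServiceAccountToken=true`, which mounts the token into the mongodb and metrics containers as well as the auto-discovery init container that actually calls the K8s API. The message, or a template comment above the `define`, should say that only the init container needs the token so that the Role bound to this ServiceAccount is kept to the minimum the discovery script requires, e.g. `K8s API. Please note only this initContainer requires a service account token to access the K8S API.`. Whether the chart offers a way to keep the token out of the main container is not visible in this hunk.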
@@ -425,13 +586,19 @@ mongodb: tls.hidden.existingSecrets
 Validate values of MongoDB® exporter URI string - auth.enabled and/or tls.enabled must be enabled or it defaults
 */}}
 {{- define "mongodb.mongodb_exporter.uri" -}}
- {{- $uriTlsArgs := ternary "tls=true&tlsCertificateKeyFile=/certs/mongodb.pem&tlsCAFile=/certs/mongodb-ca-cert" "" .Values.tls.enabled -}}
- {{- if .Values.metrics.username }}
+ {{- $tlsEnabled := .Values.tls.enabled -}}
+ {{- $mTlsEnabled := and $tlsEnabled .Values.tls.mTLS.enabled -}}
+ {{- $tlsArgs := "" -}}
+ {{- if $tlsEnabled -}}
+ {{- $tlsCertKeyFile := ternary "&tlsCertificateKeyFile=/certs/mongodb.pem" "" $mTlsEnabled -}}
+ {{- $tlsArgs = printf "tls=true%s&tlsCAFile=/certs/mongodb-ca-cert" $tlsCertKeyFile -}}
+ {{- end -}}
+ {{- if .Values.metrics.username -}}
 {{- $uriAuth := ternary "$(echo $MONGODB_METRICS_USERNAME | sed -r \"s/@/%40/g;s/:/%3A/g\"):$(echo $MONGODB_METRICS_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}}
- {{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $uriTlsArgs -}}
+ {{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}}
 {{- else -}}
 {{- $uriAuth := ternary "$MONGODB_ROOT_USER:$(echo $MONGODB_ROOT_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}}
- {{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $uriTlsArgs -}}
+ {{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}}
 {{- end -}}
 {{- end -}}
@@ -505,4 +672,4 @@ reference: https://github.com/percona/mongodb_exporter/blob/main/REFERENCE.md
 {{- ne (print .collstatsLimit) "0" | ternary $limitArg "" -}}
 {{- end -}}
 {{- ternary " --compatible-mode" "" .Values.metrics.compatibleMode -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
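Review bot: The new `$mTlsEnabled` branch changes what the exporter presents to the server and deserves a one-line template comment, since a reader can easily take the missing `tlsCertificateKeyFile` for a regression: `{{/* The client certificate is only presented when tls.mTLS.enabled; with server-only TLS the exporter still verifies the server through tlsCAFile */}}` above the `$tlsCertKeyFile` line. The `$uriAuth` values these printf lines consume percent-encode only `@` and `:` through sed, so a metrics or root password containing `%`, `/`, `?` or `#` still yields a malformed connection string once `$tlsArgs` is appended as the query part; that predates this commit, but the rewritten printf lines are where it would be addressed. If `tls.mTLS` can be absent from values (not visible here), `.Values.tls.mTLS.enabled` would fail rendering when `tls.enabled` is true, so the key should be guaranteed in the chart defaults.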
diff --git a/helm/mongodb/templates/arbiter/configmap.yaml b/helm/mongodb/templates/arbiter/configmap.yaml deleted file mode 100644 index 46f1bb6b..00000000 --- a/helm/mongodb/templates/arbiter/configmap.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if (include "mongodb.arbiter.createConfigmap" .) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ print "%s-arbiter" (include "mongodb.fullname" .) }} - namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: arbiter - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: - mongodb.conf: |- - {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.configuration "context" $) | nindent 4 }} -{{- end }} diff --git a/helm/mongodb/templates/arbiter/headless-svc.yaml b/helm/mongodb/templates/arbiter/headless-svc.yaml deleted file mode 100644 index 099fc117..00000000 --- a/helm/mongodb/templates/arbiter/headless-svc.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if (include "mongodb.arbiter.enabled" .) }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "mongodb.arbiter.service.nameOverride" . }} - namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: arbiter - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.commonAnnotations .Values.arbiter.service.headless.annotations }} - annotations: - {{- if .Values.arbiter.service.headless.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.arbiter.service.headless.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: ClusterIP - clusterIP: None - ports: - - name: tcp-mongodb - port: {{ .Values.arbiter.service.ports.mongodb }} - targetPort: mongodb - {{- if .Values.arbiter.service.extraPorts }} - {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.service.extraPorts "context" $) | nindent 4 }} - {{- end }} - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: arbiter -{{- end }} diff --git a/helm/mongodb/templates/arbiter/pdb.yaml b/helm/mongodb/templates/arbiter/pdb.yaml deleted file mode 100644 index 13711e45..00000000 --- a/helm/mongodb/templates/arbiter/pdb.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and (include "mongodb.arbiter.enabled" .) .Values.arbiter.pdb.create }} -apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} -kind: PodDisruptionBudget -metadata: - name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} - namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: arbiter - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if .Values.arbiter.pdb.minAvailable }} - minAvailable: {{ .Values.arbiter.pdb.minAvailable }} - {{- end }} - {{- if .Values.arbiter.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.arbiter.pdb.maxUnavailable }} - {{- end }} - selector: - matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: arbiter -{{- end }} diff --git a/helm/mongodb/templates/arbiter/statefulset.yaml b/helm/mongodb/templates/arbiter/statefulset.yaml deleted file mode 100644 index 2fe32085..00000000 --- a/helm/mongodb/templates/arbiter/statefulset.yaml +++ /dev/null 
@@ -1,303 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if (include "mongodb.arbiter.enabled" .) }} -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} - namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: arbiter - {{- if .Values.arbiter.labels }} - {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.labels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.arbiter.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.arbiter.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.arbiter.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - serviceName: {{ include "mongodb.arbiter.service.nameOverride" . }} - podManagementPolicy: {{ .Values.arbiter.podManagementPolicy }} - {{- if .Values.arbiter.updateStrategy }} - updateStrategy: {{- toYaml .Values.arbiter.updateStrategy | nindent 4 }} - {{- end }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: arbiter - template: - metadata: - labels: {{- include "common.labels.standard" . 
| nindent 8 }} - app.kubernetes.io/component: arbiter - {{- if .Values.arbiter.podLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.podLabels "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} - {{- end }} - {{- if or (include "mongodb.arbiter.createConfigmap" .) .Values.arbiter.podAnnotations }} - annotations: - {{- if (include "mongodb.arbiter.createConfigmap" .) }} - checksum/configuration: {{ include (print $.Template.BasePath "/arbiter/configmap.yaml") . | sha256sum }} - {{- end }} - {{- if .Values.arbiter.podAnnotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.podAnnotations "context" $) | nindent 8 }} - {{- end }} - {{- end }} - spec: - {{- include "mongodb.imagePullSecrets" . | nindent 6 }} - {{- if .Values.arbiter.schedulerName }} - schedulerName: {{ .Values.arbiter.schedulerName | quote }} - {{- end }} - serviceAccountName: {{ template "mongodb.serviceAccountName" . 
}} - {{- if .Values.arbiter.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.arbiter.podAffinityPreset "component" "arbiter" "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.arbiter.podAntiAffinityPreset "component" "arbiter" "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.arbiter.nodeAffinityPreset.type "key" .Values.arbiter.nodeAffinityPreset.key "values" .Values.arbiter.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.arbiter.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.arbiter.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.arbiter.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.arbiter.topologySpreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.topologySpreadConstraints "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.arbiter.priorityClassName }} - priorityClassName: {{ .Values.arbiter.priorityClassName }} - {{- end }} - {{- if .Values.arbiter.runtimeClassName }} - runtimeClassName: {{ .Values.arbiter.runtimeClassName }} - {{- end }} - {{- if .Values.arbiter.podSecurityContext.enabled }} - securityContext: {{- omit .Values.arbiter.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - {{ if .Values.arbiter.terminationGracePeriodSeconds }} 
- terminationGracePeriodSeconds: {{ .Values.arbiter.terminationGracePeriodSeconds }} - {{- end }} - initContainers: - {{- if .Values.arbiter.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.initContainers "context" $) | nindent 8 }} - {{- end }} - {{- if and .Values.tls.enabled .Values.arbiter.enabled }} - - name: generate-tls-certs - image: {{ include "mongodb.tls.image" . }} - imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} - env: - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - volumeMounts: - {{- if (include "mongodb.autoGenerateCerts" .) }} - - name: certs-volume - mountPath: /certs/CAs - {{- else }} - - name: mongodb-certs-0 - mountPath: /certs-0 - {{- end }} - - name: certs - mountPath: /certs - - name: common-scripts - mountPath: /bitnami/scripts - command: - - /bitnami/scripts/generate-certs.sh - args: - - -s {{ include "mongodb.arbiter.service.nameOverride" . }} - {{- end }} - containers: - - name: mongodb-arbiter - image: {{ include "mongodb.image" . 
}} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.arbiter.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.arbiter.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.arbiter.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.command "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.arbiter.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.args "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.arbiter.lifecycleHooks }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: K8S_SERVICE_NAME - value: "{{ include "mongodb.arbiter.service.nameOverride" . }}" - - name: MONGODB_REPLICA_SET_MODE - value: "arbiter" - - name: MONGODB_INITIAL_PRIMARY_HOST - value: {{ printf "%s-0.%s.$(MY_POD_NAMESPACE).svc.%s" (include "mongodb.fullname" .) (include "mongodb.service.nameOverride" .) 
.Values.clusterDomain }} - - name: MONGODB_REPLICA_SET_NAME - value: {{ .Values.replicaSetName | quote }} - - name: MONGODB_ADVERTISED_HOSTNAME - value: "$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" - - name: MONGODB_PORT_NUMBER - value: {{ .Values.arbiter.containerPorts.mongodb | quote }} - - name: MONGODB_ENABLE_IPV6 - value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} - {{- if .Values.auth.enabled }} - - name: MONGODB_INITIAL_PRIMARY_ROOT_USER - value: {{ .Values.auth.rootUser | quote }} - - name: MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . }} - key: mongodb-root-password - - name: MONGODB_REPLICA_SET_KEY - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . }} - key: mongodb-replica-set-key - {{- end }} - - name: ALLOW_EMPTY_PASSWORD - value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} - {{- $extraFlags := .Values.arbiter.extraFlags | join " " -}} - {{- if and .Values.tls.enabled .Values.arbiter.enabled }} - {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert %s" .Values.tls.mode $extraFlags }} - {{- end }} - {{- if ne $extraFlags "" }} - - name: MONGODB_EXTRA_FLAGS - value: {{ $extraFlags | quote }} - {{- end }} - {{- if and .Values.tls.enabled .Values.arbiter.enabled }} - - name: MONGODB_CLIENT_EXTRA_FLAGS - value: --tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert - {{- end }} - {{- if .Values.arbiter.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.arbiter.extraEnvVarsCM .Values.arbiter.extraEnvVarsSecret }} - envFrom: - {{- if .Values.arbiter.extraEnvVarsCM }} - - configMapRef: - name: {{ tpl .Values.arbiter.extraEnvVarsCM . 
| quote }} - {{- end }} - {{- if .Values.arbiter.extraEnvVarsSecret }} - - secretRef: - name: {{ tpl .Values.arbiter.extraEnvVarsSecret . | quote }} - {{- end }} - {{- end }} - ports: - - containerPort: {{ .Values.arbiter.containerPorts.mongodb }} - name: mongodb - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.arbiter.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.arbiter.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.livenessProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: mongodb - {{- end }} - {{- if .Values.arbiter.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.arbiter.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.readinessProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: mongodb - {{- end }} - {{- if .Values.arbiter.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.arbiter.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.startupProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: mongodb - {{- end }} - {{- end }} - {{- if .Values.arbiter.resources }} - resources: {{- toYaml .Values.arbiter.resources | nindent 12 }} - {{- end }} - {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumeMounts .Values.tls.enabled }} - volumeMounts: - {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} - - name: config - mountPath: 
/opt/bitnami/mongodb/conf/mongodb.conf - subPath: mongodb.conf - {{- end }} - {{- if and .Values.tls.enabled .Values.arbiter.enabled }} - - name: certs - mountPath: /certs - {{- end }} - {{- if .Values.arbiter.extraVolumeMounts }} - {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraVolumeMounts "context" $) | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.arbiter.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.sidecars "context" $) | nindent 8 }} - {{- end }} - {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }} - volumes: - - name: common-scripts - configMap: - name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} - defaultMode: 0555 - {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} - - name: config - configMap: - name: {{ include "mongodb.arbiter.configmapName" . }} - {{- end }} - {{- if and .Values.tls.enabled .Values.arbiter.enabled }} - - name: certs - emptyDir: {} - {{- if (include "mongodb.autoGenerateCerts" .) }} - - name: certs-volume - secret: - secretName: {{ template "mongodb.tlsSecretName" . }} - items: - - key: mongodb-ca-cert - path: mongodb-ca-cert - mode: 0600 - - key: mongodb-ca-key - path: mongodb-ca-key - mode: 0600 - {{- else }} - - name: mongodb-certs-0 - secret: - secretName: {{ include "common.tplvalues.render" ( dict "value" .Values.tls.arbiter.existingSecret "context" $) }} - defaultMode: 256 - {{- end }} - {{- end }} - {{- if .Values.arbiter.extraVolumes }} - {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraVolumes "context" $) | nindent 8 }} - {{- end }} - {{- end }} -{{- end }} diff --git a/helm/mongodb/templates/common-scripts-cm.yaml b/helm/mongodb/templates/common-scripts-cm.yaml index 00b588c7..6f65de40 100644 --- a/helm/mongodb/templates/common-scripts-cm.yaml +++ b/helm/mongodb/templates/common-scripts-cm.yaml 
@@ -1,5 +1,5 @@
 {{- /*
-Copyright VMware, Inc.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
@@ -8,11 +8,8 @@ kind: ConfigMap
 metadata:
 name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
 namespace: {{ include "mongodb.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 app.kubernetes.io/component: mongodb
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
 {{- if .Values.commonAnnotations }}
 annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
 {{- end }}
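Review bot: The new `labels:` line calls `common.labels.standard` with `( dict "customLabels" .Values.commonLabels "context" $ )`, a signature that only newer releases of the bitnami `common` library chart accept; nothing in this hunk shows the `common` dependency being bumped, so if the vendored copy predates that signature the include renders wrong labels or fails at template time. A `helm template` run against the chart's actual `common` version would settle it, and the required minimum version is worth stating in `Chart.yaml` if it isn't already. The same call is introduced in the `helm/mongodb/templates/configmap.yaml` hunk below.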
@@ -22,14 +19,14 @@ data:
 #!/bin/bash
 {{- if .Values.tls.enabled }}
 # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname.
- TLS_OPTIONS='--tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames'
+ TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames'
 {{- end }}
- mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval 'db.hello().isWritablePrimary || db.hello().secondary' | grep 'true'
+ exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval 'if (!(db.hello().isWritablePrimary || db.hello().secondary)) { throw new Error("Not ready") }'
 readiness-probe.sh: |
 #!/bin/bash
 {{- if .Values.tls.enabled }}
 # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname.
- TLS_OPTIONS='--tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames'
+ TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames'
 {{- end }}
 # Run the proper check depending on the version
 [[ $(mongod -version | grep "db version") =~ ([0-9]+\.[0-9]+\.[0-9]+) ]] && VERSION=${BASH_REMATCH[1]}
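Review bot: The new `TLS_OPTIONS` lines in both probe scripts dereference `.Values.tls.mTLS.enabled`; if `values.yaml` is not updated in the same commit to define `tls.mTLS`, Helm aborts rendering with a nil-pointer evaluation error as soon as `tls.enabled` is true, because `mTLS` is resolved before `.enabled`. Either add the key with a default or make the template tolerate its absence, e.g. `{{ if dig "mTLS" "enabled" false .Values.tls }}`, and put a line above the assignment such as `# client cert is only presented when tls.mTLS.enabled; the CA is always verified`. The `exec mongosh ... throw new Error("Not ready")` rewrite is sound: the probe's exit status now comes from mongosh itself rather than from `grep 'true'`, which would have matched a `true` anywhere in the output. The same `mTLS` expression is repeated in the `ping-mongodb.sh` hunk below.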
@@ -41,14 +38,14 @@ data:
 if [[ ( "$VERSION_MAJOR" -ge 5 ) || ( "$VERSION_MAJOR" -ge 4 && "$VERSION_MINOR" -ge 4 && "$VERSION_PATCH" -ge 2 ) ]]; then
 readiness_test='db.hello().isWritablePrimary || db.hello().secondary'
 fi
- mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "${readiness_test}" | grep 'true'
+ exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "if (!(${readiness_test})) { throw new Error(\"Not ready\") }"
 ping-mongodb.sh: |
 #!/bin/bash
 {{- if .Values.tls.enabled }}
 # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname.
- TLS_OPTIONS='--tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames'
+ TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames'
 {{- end }}
- mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "db.adminCommand('ping')"
+ exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "db.adminCommand('ping')"
 {{- if .Values.tls.enabled }}
 generate-certs.sh: |
 #!/bin/bash
@@ -84,9 +81,6 @@ data:
 {{- else }}
 DNS.3 = $svc.$MY_POD_NAMESPACE.svc.{{ .Values.clusterDomain }}
 {{- end }}
- DNS.4 = localhost
- IP.0 = ${MY_POD_HOST_IP}
- IP.1 = 127.0.0.1
 EOL
 index=2
 for ip in "${additional_ips[@]}"; do
diff --git a/helm/mongodb/templates/configmap.yaml b/helm/mongodb/templates/configmap.yaml
index c91551ce..01104454 100644
--- a/helm/mongodb/templates/configmap.yaml
+++ b/helm/mongodb/templates/configmap.yaml
@@ -1,5 +1,5 @@
 {{- /*
-Copyright VMware, Inc.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
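Review bot: Removing `DNS.4 = localhost`, `IP.0 = ${MY_POD_HOST_IP}` and `IP.1 = 127.0.0.1` from the SAN list in `generate-certs.sh` narrows the auto-generated server certificate to the pod and service names, which is the safer shape — a certificate that also validates for the node's IP is usable by anything reachable at that address. The in-pod probes keep working only because they pass `--tlsAllowInvalidHostnames` (visible in the hunks above); any other local client that connected via `127.0.0.1` or `localhost` without that flag will now fail hostname verification, so the remaining SAN block deserves a comment such as `# no localhost/host-IP SANs: local probes rely on --tlsAllowInvalidHostnames`. If the surviving statefulsets still inject `MY_POD_HOST_IP` into the `generate-tls-certs` init container, as the deleted arbiter one did, that variable is now unused by this script and can be dropped. The body of `generate-certs.sh` starts and ends outside this hunk.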
@@ -9,11 +9,8 @@ kind: ConfigMap
 metadata:
 name: {{ include "mongodb.fullname" . }}
 namespace: {{ include "mongodb.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 app.kubernetes.io/component: mongodb
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
 {{- if .Values.commonAnnotations }}
 annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
 {{- end }}
diff --git a/helm/mongodb/templates/extra-list.yaml b/helm/mongodb/templates/extra-list.yaml
deleted file mode 100644
index 2d35a580..00000000
--- a/helm/mongodb/templates/extra-list.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- /*
-Copyright VMware, Inc.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- range .Values.extraDeploy }}
----
-{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
-{{- end }}
diff --git a/helm/mongodb/templates/hidden/configmap.yaml b/helm/mongodb/templates/hidden/configmap.yaml
deleted file mode 100644
index 724fe895..00000000
--- a/helm/mongodb/templates/hidden/configmap.yaml
+++ /dev/null
@@ -1,20 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if (include "mongodb.hidden.createConfigmap" .) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ printf "%s-hidden" (include "mongodb.fullname" .) }} - namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: hidden - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} -data: - mongodb.conf: |- - {{- include "common.tplvalues.render" (dict "value" .Values.hidden.configuration "context" $) | nindent 4 }} -{{- end }} diff --git a/helm/mongodb/templates/hidden/external-access-svc.yaml b/helm/mongodb/templates/hidden/external-access-svc.yaml deleted file mode 100644 index 1bf2e728..00000000 --- a/helm/mongodb/templates/hidden/external-access-svc.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and (include "mongodb.hidden.enabled" .) .Values.externalAccess.hidden.enabled }} -{{- $fullName := include "mongodb.fullname" . }} -{{- $replicaCount := .Values.hidden.replicaCount | int }} -{{- $root := . }} - -{{- range $i, $e := until $replicaCount }} -{{- $targetPod := printf "%s-hidden-%d" (printf "%s" $fullName) $i }} -{{- $_ := set $ "targetPod" $targetPod }} -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-hidden-%d-external" $fullName $i }} - namespace: {{ include "mongodb.namespace" $ }} - labels: {{- include "common.labels.standard" $ | nindent 4 }} - app.kubernetes.io/component: hidden - {{- if $root.Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" $root.Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - pod: {{ $targetPod }} - {{- if or $root.Values.externalAccess.hidden.service.annotations $root.Values.commonAnnotations }} - annotations: - {{- if $root.Values.externalAccess.hidden.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" $root.Values.externalAccess.hidden.service.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if $root.Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" $root.Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: {{ $root.Values.externalAccess.hidden.service.type }} - {{- if eq $root.Values.externalAccess.hidden.service.type "LoadBalancer" }} - {{- if not (empty $root.Values.externalAccess.hidden.service.loadBalancerIPs) }} - loadBalancerIP: {{ index $root.Values.externalAccess.hidden.service.loadBalancerIPs $i }} - {{- end }} - {{- if $root.Values.externalAccess.hidden.service.loadBalancerClass }} - loadBalancerClass: {{ $root.Values.externalAccess.hidden.service.loadBalancerClass }} - {{- end }} - {{- if 
$root.Values.externalAccess.hidden.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.hidden.service.loadBalancerSourceRanges | nindent 4 }} - {{- end }} - allocateLoadBalancerNodePorts: {{ $root.Values.externalAccess.hidden.service.allocateLoadBalancerNodePorts }} - {{- end }} - {{- if (or (eq $root.Values.externalAccess.hidden.service.type "LoadBalancer") (eq $root.Values.externalAccess.hidden.service.type "NodePort")) }} - externalTrafficPolicy: {{ $root.Values.externalAccess.hidden.service.externalTrafficPolicy | quote }} - {{- end }} - {{- if $root.Values.externalAccess.hidden.service.sessionAffinity }} - sessionAffinity: {{ $root.Values.externalAccess.hidden.service.sessionAffinity }} - {{- end }} - {{- if $root.Values.externalAccess.hidden.service.sessionAffinityConfig }} - sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.hidden.service.sessionAffinityConfig "context" $) | nindent 4 }} - {{- end }} - publishNotReadyAddresses: true - ports: - - name: {{ $root.Values.externalAccess.hidden.service.portName | quote }} - port: {{ $root.Values.externalAccess.hidden.service.ports.mongodb }} - {{- if not (empty $root.Values.externalAccess.hidden.service.nodePorts) }} - {{- $nodePort := index $root.Values.externalAccess.hidden.service.nodePorts $i }} - nodePort: {{ $nodePort }} - {{- else }} - nodePort: null - {{- end }} - targetPort: mongodb - {{- if $root.Values.externalAccess.hidden.service.extraPorts }} - {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.hidden.service.extraPorts "context" $) | nindent 4 }} - {{- end }} - selector: {{- include "common.labels.matchLabels" $ | nindent 4 }} - app.kubernetes.io/component: hidden - statefulset.kubernetes.io/pod-name: {{ $targetPod }} ---- -{{- end }} -{{- end }} 
diff --git a/helm/mongodb/templates/hidden/headless-svc.yaml b/helm/mongodb/templates/hidden/headless-svc.yaml deleted file mode 100644 index f403914b..00000000 --- a/helm/mongodb/templates/hidden/headless-svc.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if (include "mongodb.hidden.enabled" .) }} -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-hidden-headless" (include "mongodb.fullname" .) }} - namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: hidden - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.commonAnnotations .Values.hidden.service.headless.annotations }} - annotations: - {{- if .Values.hidden.service.headless.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.hidden.service.headless.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: ClusterIP - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: {{ .Values.hidden.service.portName | quote }} - port: {{ .Values.hidden.service.ports.mongodb }} - targetPort: mongodb - {{- if .Values.hidden.service.extraPorts }} - {{- include "common.tplvalues.render" (dict "value" .Values.hidden.service.extraPorts "context" $) | nindent 4 }} - {{- end }} - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: hidden -{{- end }} diff --git a/helm/mongodb/templates/hidden/pdb.yaml b/helm/mongodb/templates/hidden/pdb.yaml deleted file mode 100644 index 9065fdb4..00000000 --- a/helm/mongodb/templates/hidden/pdb.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and (include "mongodb.hidden.enabled" .) .Values.hidden.pdb.create }} -apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} -kind: PodDisruptionBudget -metadata: - name: {{ printf "%s-hidden" (include "mongodb.fullname" . )}} - namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: hidden - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if .Values.hidden.pdb.minAvailable }} - minAvailable: {{ .Values.hidden.pdb.minAvailable }} - {{- end }} - {{- if .Values.hidden.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.hidden.pdb.maxUnavailable }} - {{- end }} - selector: - matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: hidden -{{- end }} diff --git a/helm/mongodb/templates/hidden/statefulset.yaml b/helm/mongodb/templates/hidden/statefulset.yaml deleted file mode 100644 index 426ec7c0..00000000 --- a/helm/mongodb/templates/hidden/statefulset.yaml +++ /dev/null 
@@ -1,564 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if (include "mongodb.hidden.enabled" .) }} -{{- $replicaCount := int .Values.hidden.replicaCount }} -{{- $loadBalancerIPListLength := len .Values.externalAccess.hidden.service.loadBalancerIPs }} -{{- if not (and .Values.externalAccess.hidden.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.hidden.service.type "LoadBalancer")) }} -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ printf "%s-hidden" (include "mongodb.fullname" .) }} - namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: hidden - {{- if .Values.hidden.labels }} - {{- include "common.tplvalues.render" (dict "value" .Values.hidden.labels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.hidden.annotations }} - annotations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.annotations "context" $) | nindent 4 }} - {{- end }} -spec: - serviceName: {{ printf "%s-hidden-headless" (include "mongodb.fullname" .) }} - podManagementPolicy: {{ .Values.hidden.podManagementPolicy }} - replicas: {{ .Values.hidden.replicaCount }} - {{- if .Values.hidden.updateStrategy }} - updateStrategy: {{- toYaml .Values.hidden.updateStrategy | nindent 4 }} - {{- end }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: hidden - template: - metadata: - labels: {{- include "common.labels.standard" . 
| nindent 8 }} - app.kubernetes.io/component: hidden - {{- if .Values.hidden.podLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.hidden.podLabels "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} - {{- end }} - {{- if or (include "mongodb.hidden.createConfigmap" .) .Values.hidden.podAnnotations }} - annotations: - {{- if (include "mongodb.hidden.createConfigmap" .) }} - checksum/configuration: {{ include (print $.Template.BasePath "/hidden/configmap.yaml") . | sha256sum }} - {{- end }} - {{- if .Values.hidden.podAnnotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.hidden.podAnnotations "context" $) | nindent 8 }} - {{- end }} - {{- end }} - spec: - {{- include "mongodb.imagePullSecrets" . | nindent 6 }} - {{- if .Values.hidden.schedulerName }} - schedulerName: {{ .Values.hidden.schedulerName | quote }} - {{- end }} - serviceAccountName: {{ template "mongodb.serviceAccountName" . 
}} - {{- if .Values.hidden.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.hidden.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.hidden.podAffinityPreset "component" "" "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.hidden.podAntiAffinityPreset "component" "" "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.hidden.nodeAffinityPreset.type "key" .Values.hidden.nodeAffinityPreset.key "values" .Values.hidden.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.hidden.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.hidden.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.hidden.topologySpreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.topologySpreadConstraints "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.hidden.priorityClassName }} - priorityClassName: {{ .Values.hidden.priorityClassName }} - {{- end }} - {{- if .Values.hidden.runtimeClassName }} - runtimeClassName: {{ .Values.hidden.runtimeClassName }} - {{- end }} - {{- if .Values.hidden.podSecurityContext.enabled }} - securityContext: {{- omit .Values.hidden.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - {{ if .Values.hidden.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ 
.Values.hidden.terminationGracePeriodSeconds }} - {{- end }} - {{- if or .Values.hidden.initContainers (and .Values.volumePermissions.enabled .Values.hidden.persistence.enabled) (and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled) .Values.tls.enabled }} - initContainers: - {{- if .Values.hidden.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.hidden.initContainers "context" $) | nindent 8 }} - {{- end }} - {{- if and .Values.volumePermissions.enabled .Values.hidden.persistence.enabled }} - - name: volume-permissions - image: {{ include "mongodb.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - command: - - /bin/bash - args: - - -ec - - | - mkdir -p {{ printf "%s/%s" .Values.hidden.persistence.mountPath (default "" .Values.hidden.persistence.subPath) }} - chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ printf "%s/%s" .Values.hidden.persistence.mountPath (default "" .Values.hidden.persistence.subPath) }} - find {{ printf "%s/%s" .Values.hidden.persistence.mountPath (default "" .Values.hidden.persistence.subPath) }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.volumePermissions.resources }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: datadir - mountPath: {{ .Values.hidden.persistence.mountPath }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: 
generate-tls-certs - image: {{ include "mongodb.tls.image" . }} - imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} - env: - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - volumeMounts: - {{- if (include "mongodb.autoGenerateCerts" .) }} - - name: certs-volume - mountPath: /certs/CAs - {{- else }} - {{- range $index, $_ := .Values.tls.hidden.existingSecrets }} - - name: mongodb-certs-{{ $index }} - mountPath: /certs-{{ $index }} - {{- end }} - {{- end }} - - name: certs - mountPath: /certs - - name: common-scripts - mountPath: /bitnami/scripts - command: - - /bitnami/scripts/generate-certs.sh - args: - - -s {{ printf "%s-hidden-headless" (include "mongodb.fullname" .) }} - {{- if .Values.externalAccess.hidden.service.loadBalancerIPs }} - - -i {{ join "," .Values.externalAccess.hidden.service.loadBalancerIPs }} - {{- end }} - {{- if .Values.tls.extraDnsNames }} - - -n {{ join "," .Values.tls.extraDnsNames }} - {{- end }} - {{- if .Values.tls.resources }} - resources: {{- toYaml .Values.tls.resources | nindent 12 }} - {{- end }} - {{- end }} - {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} - - name: auto-discovery - image: {{ include "mongodb.externalAccess.autoDiscovery.image" . 
}} - imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }} - command: - - /scripts/auto-discovery.sh - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: SHARED_FILE - value: "/shared/info.txt" - {{- if .Values.externalAccess.autoDiscovery.resources }} - resources: {{- toYaml .Values.externalAccess.autoDiscovery.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: shared - mountPath: /shared - - name: scripts - mountPath: /scripts/auto-discovery.sh - subPath: auto-discovery.sh - {{- end }} - {{- end }} - containers: - - name: mongodb - image: {{ include "mongodb.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.hidden.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.hidden.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.hidden.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.command "context" $) | nindent 12 }} - {{- else }} - command: - - /scripts/setup-hidden.sh - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.hidden.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.args "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.hidden.lifecycleHooks }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - {{- if and .Values.externalAccess.hidden.enabled 
.Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} - - name: SHARED_FILE - value: "/shared/info.txt" - {{- end }} - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: K8S_SERVICE_NAME - value: "{{ include "mongodb.service.nameOverride" . }}" - - name: K8S_HIDDEN_NODE_SERVICE_NAME - value: "{{ include "mongodb.fullname" . }}-hidden-headless" - - name: MONGODB_REPLICA_SET_MODE - value: "hidden" - - name: MONGODB_INITIAL_PRIMARY_HOST - value: {{ printf "%s-0.$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.%s" (include "mongodb.fullname" .) .Values.clusterDomain }} - - name: MONGODB_REPLICA_SET_NAME - value: {{ .Values.replicaSetName | quote }} - {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.hidden.enabled) }} - - name: MONGODB_ADVERTISED_HOSTNAME - value: "$(MY_POD_NAME).$(K8S_HIDDEN_NODE_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" - {{- end }} - {{- $customUsers := include "mongodb.customUsers" . -}} - {{- $customDatabases := include "mongodb.customDatabases" . -}} - {{- if not (empty $customUsers) }} - - name: MONGODB_EXTRA_USERNAMES - value: {{ $customUsers | quote }} - {{- end }} - {{- if not (empty $customDatabases) }} - - name: MONGODB_EXTRA_DATABASES - value: {{ $customDatabases | quote }} - {{- end }} - {{- if .Values.auth.enabled }} - {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} - - name: MONGODB_EXTRA_PASSWORDS - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . }} - key: mongodb-passwords - {{- end }} - - name: MONGODB_ROOT_USER - value: {{ .Values.auth.rootUser | quote }} - - name: MONGODB_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . 
}} - key: mongodb-root-password - - name: MONGODB_REPLICA_SET_KEY - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . }} - key: mongodb-replica-set-key - {{- end }} - {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} - - name: MONGODB_METRICS_USERNAME - value: {{ .Values.metrics.username | quote }} - {{- if .Values.auth.enabled }} - - name: MONGODB_METRICS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . }} - key: mongodb-metrics-password - {{- end }} - {{- end }} - - name: ALLOW_EMPTY_PASSWORD - value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} - - name: MONGODB_SYSTEM_LOG_VERBOSITY - value: {{ .Values.systemLogVerbosity | quote }} - - name: MONGODB_DISABLE_SYSTEM_LOG - value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} - - name: MONGODB_DISABLE_JAVASCRIPT - value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} - - name: MONGODB_ENABLE_JOURNAL - value: {{ ternary "yes" "no" .Values.enableJournal | quote }} - - name: MONGODB_PORT_NUMBER - value: {{ .Values.hidden.containerPorts.mongodb | quote }} - - name: MONGODB_ENABLE_IPV6 - value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} - - name: MONGODB_ENABLE_DIRECTORY_PER_DB - value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} - {{- $extraFlags := .Values.hidden.extraFlags | join " " -}} - {{- if .Values.tls.enabled }} - {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert %s" .Values.tls.mode $extraFlags }} - {{- end }} - {{- if ne $extraFlags "" }} - - name: MONGODB_EXTRA_FLAGS - value: {{ $extraFlags | quote }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: MONGODB_CLIENT_EXTRA_FLAGS - value: --tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert - {{- end }} - {{- if .Values.hidden.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraEnvVars 
"context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.hidden.extraEnvVarsCM .Values.hidden.extraEnvVarsSecret }} - envFrom: - {{- if .Values.hidden.extraEnvVarsCM }} - - configMapRef: - name: {{ tpl .Values.hidden.extraEnvVarsCM . | quote }} - {{- end }} - {{- if .Values.hidden.extraEnvVarsSecret }} - - secretRef: - name: {{ tpl .Values.hidden.extraEnvVarsSecret . | quote }} - {{- end }} - {{- end }} - ports: - - containerPort: {{ .Values.hidden.containerPorts.mongodb }} - name: mongodb - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.hidden.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.hidden.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.livenessProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bitnami/scripts/ping-mongodb.sh - {{- end }} - {{- if .Values.hidden.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.hidden.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.readinessProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bitnami/scripts/ping-mongodb.sh - {{- end }} - {{- if .Values.hidden.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.hidden.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.startupProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bitnami/scripts/startup-probe.sh - {{- end }} - {{- end }} - {{- if .Values.hidden.resources }} - resources: {{- toYaml .Values.hidden.resources | nindent 
12 }} - {{- end }} - volumeMounts: - - name: datadir - mountPath: {{ .Values.hidden.persistence.mountPath }} - subPath: {{ .Values.hidden.persistence.subPath }} - - name: common-scripts - mountPath: /bitnami/scripts - {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} - - name: custom-init-scripts - mountPath: /docker-entrypoint-initdb.d - {{- end }} - {{- if or .Values.hidden.configuration .Values.hidden.existingConfigmap }} - - name: config - mountPath: /opt/bitnami/mongodb/conf/mongodb.conf - subPath: mongodb.conf - {{- end }} - - name: scripts - mountPath: /scripts/setup-hidden.sh - subPath: setup-hidden.sh - {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} - - name: shared - mountPath: /shared - {{- end }} - {{- if .Values.tls.enabled }} - - name: certs - mountPath: /certs - {{- end }} - {{- if .Values.hidden.extraVolumeMounts }} - {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumeMounts "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - - name: metrics - image: {{ template "mongodb.metrics.image" . 
}} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.metrics.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} - {{- else }} - command: - - /bin/bash - - -ec - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.metrics.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} - {{- else }} - args: - - | - /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} - {{- end }} - env: - {{- if .Values.auth.enabled }} - {{- if not .Values.metrics.username }} - - name: MONGODB_ROOT_USER - value: {{ .Values.auth.rootUser | quote }} - - name: MONGODB_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . }} - key: mongodb-root-password - {{- else }} - - name: MONGODB_METRICS_USERNAME - value: {{ .Values.metrics.username | quote }} - - name: MONGODB_METRICS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . 
}} - key: mongodb-metrics-password - {{- end }} - {{- end }} - volumeMounts: - {{- if .Values.tls.enabled }} - - name: certs - mountPath: /certs - {{- end }} - {{- if .Values.metrics.extraVolumeMounts }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} - {{- end }} - ports: - - name: metrics - containerPort: 9216 - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.metrics.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: / - port: metrics - {{- end }} - {{- if .Values.metrics.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: / - port: metrics - {{- end }} - {{- if .Values.metrics.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: metrics - {{- end }} - {{- end }} - {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.hidden.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.hidden.sidecars "context" $) | nindent 8 
}} - {{- end }} - volumes: - - name: common-scripts - configMap: - name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} - defaultMode: 0555 - {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} - - name: custom-init-scripts - configMap: - name: {{ template "mongodb.initdbScriptsCM" . }} - {{- end }} - {{- if or .Values.hidden.configuration .Values.hidden.existingConfigmap }} - - name: config - configMap: - name: {{ include "mongodb.hidden.configmapName" . }} - {{- end }} - {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} - - name: shared - emptyDir: {} - {{- end }} - - name: scripts - configMap: - name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} - defaultMode: 0755 - {{- if .Values.hidden.extraVolumes }} - {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumes "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: certs - emptyDir: {} - {{- if (include "mongodb.autoGenerateCerts" .) }} - - name: certs-volume - secret: - secretName: {{ template "mongodb.tlsSecretName" . 
}} - items: - - key: mongodb-ca-cert - path: mongodb-ca-cert - mode: 0600 - - key: mongodb-ca-key - path: mongodb-ca-key - mode: 0600 - {{- else }} - {{- range $index, $secret := .Values.tls.hidden.existingSecrets }} - - name: mongodb-certs-{{ $index }} - secret: - secretName: {{ include "common.tplvalues.render" ( dict "value" $secret "context" $) }} - defaultMode: 256 - {{- end }} - {{- end }} - {{- end }} - {{- if not .Values.hidden.persistence.enabled }} - - name: datadir - {{- if .Values.hidden.persistence.medium }} - emptyDir: - medium: {{ .Values.hidden.persistence.medium | quote }} - {{- else }} - emptyDir: {} - {{- end }} - {{- else }} - volumeClaimTemplates: - - metadata: - name: datadir - {{- if .Values.hidden.persistence.annotations }} - annotations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.annotations "context" $) | nindent 10 }} - {{- end }} - spec: - accessModes: - {{- range .Values.hidden.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.hidden.persistence.size | quote }} - {{- if .Values.hidden.persistence.volumeClaimTemplates.requests }} - {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.requests "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.hidden.persistence.volumeClaimTemplates.dataSource }} - dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.dataSource "context" $) | nindent 10 }} - {{- end }} - {{- if .Values.hidden.persistence.volumeClaimTemplates.selector }} - selector: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} - {{- end }} - {{ include "common.storage.class" (dict "persistence" .Values.hidden.persistence "global" .Values.global) }} - {{- end }} -{{- end }} -{{- end }} 
diff --git a/helm/mongodb/templates/initialization-configmap.yaml b/helm/mongodb/templates/initialization-configmap.yaml index 9ba7a781..2c1273cf 100644 --- a/helm/mongodb/templates/initialization-configmap.yaml +++ b/helm/mongodb/templates/initialization-configmap.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} @@ -9,11 +9,8 @@ kind: ConfigMap metadata: name: {{ printf "%s-init-scripts" (include "mongodb.fullname" .) }} namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: mongodb - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/helm/mongodb/templates/metrics-svc.yaml b/helm/mongodb/templates/metrics-svc.yaml deleted file mode 100644 index 3ebe0971..00000000 --- a/helm/mongodb/templates/metrics-svc.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.metrics.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-metrics" (include "mongodb.fullname" .) }} - namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: metrics - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.metrics.service.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: {{ .Values.metrics.service.type }} - ports: - - port: {{ .Values.metrics.service.ports.metrics }} - targetPort: metrics - protocol: TCP - name: http-metrics - {{- if .Values.metrics.service.extraPorts }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.extraPorts "context" $) | nindent 4 }} - {{- end }} - selector: {{- include "common.labels.matchLabels" $ | nindent 4 }} - app.kubernetes.io/component: mongodb -{{- end }} diff --git a/helm/mongodb/templates/prometheusrule.yaml b/helm/mongodb/templates/prometheusrule.yaml deleted file mode 100644 index f0443e95..00000000 --- a/helm/mongodb/templates/prometheusrule.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: {{ include "mongodb.fullname" . }} - namespace: {{ include "mongodb.prometheusRule.namespace" . }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.metrics.prometheusRule.additionalLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }} - {{- end }} -spec: - groups: - - name: {{ include "mongodb.fullname" . }} - rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }} -{{- end }} diff --git a/helm/mongodb/templates/psp.yaml b/helm/mongodb/templates/psp.yaml index fa331c47..4b93f4f7 100644 --- a/helm/mongodb/templates/psp.yaml +++ b/helm/mongodb/templates/psp.yaml 
@@ -1,19 +1,15 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} -{{- if and $pspAvailable .Values.podSecurityPolicy.create }} +{{- if and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ include "mongodb.fullname" . }} namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/helm/mongodb/templates/replicaset/external-access-svc.yaml b/helm/mongodb/templates/replicaset/external-access-svc.yaml deleted file mode 100644 index 7e1df945..00000000 --- a/helm/mongodb/templates/replicaset/external-access-svc.yaml +++ /dev/null 
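Review bot: With the new `and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create` guard, a cluster at Kubernetes 1.25 or later renders no PodSecurityPolicy even when `podSecurityPolicy.create` is true, so whatever restrictions the PSP spec below this hunk encodes are silently dropped rather than failing the install, and nothing in the template tells an operator that. I would add a comment directly under the `if` line: `{{- /* PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters this file renders nothing, so enforce the same constraints with Pod Security Admission (the pod-security.kubernetes.io/enforce namespace label) or an admission policy engine instead. */}}`. The `and` also relies on the helper returning an empty string rather than a literal "false" on unsupported versions, since any non-empty string is truthy in Go templates; worth confirming against the bundled `common` chart version this commit ships.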
@@ -1,76 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (not (eq .Values.externalAccess.service.type "ClusterIP")) }} -{{- $fullName := include "mongodb.fullname" . }} -{{- $replicaCount := .Values.replicaCount | int }} -{{- $root := . }} - -{{- range $i, $e := until $replicaCount }} -{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }} -{{- $_ := set $ "targetPod" $targetPod }} -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-%d-external" $fullName $i }} - namespace: {{ include "mongodb.namespace" $ }} - labels: {{- include "common.labels.standard" $ | nindent 4 }} - app.kubernetes.io/component: mongodb - {{- if $root.Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" $root.Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - pod: {{ $targetPod }} - {{- if or $root.Values.externalAccess.service.annotations $root.Values.commonAnnotations }} - annotations: - {{- if $root.Values.externalAccess.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" $root.Values.externalAccess.service.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if $root.Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" $root.Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: {{ $root.Values.externalAccess.service.type }} - {{- if eq $root.Values.externalAccess.service.type "LoadBalancer" }} - {{- if not (empty $root.Values.externalAccess.service.loadBalancerIPs) }} - loadBalancerIP: {{ index $root.Values.externalAccess.service.loadBalancerIPs $i }} - {{- end }} - {{- if and (eq $root.Values.externalAccess.service.type "LoadBalancer") $root.Values.externalAccess.service.loadBalancerClass }} - loadBalancerClass: {{ $root.Values.externalAccess.service.loadBalancerClass }} - {{- end }} - {{- if 
$root.Values.externalAccess.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.service.loadBalancerSourceRanges | nindent 4 }} - {{- end }} - allocateLoadBalancerNodePorts: {{ $root.Values.externalAccess.service.allocateLoadBalancerNodePorts }} - {{- end }} - {{- if (or (eq $root.Values.externalAccess.service.type "LoadBalancer") (eq $root.Values.externalAccess.service.type "NodePort")) }} - externalTrafficPolicy: {{ $root.Values.externalAccess.service.externalTrafficPolicy | quote }} - {{- end }} - {{- if $root.Values.externalAccess.service.sessionAffinity }} - sessionAffinity: {{ $root.Values.externalAccess.service.sessionAffinity }} - {{- end }} - {{- if $root.Values.externalAccess.service.sessionAffinityConfig }} - sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.service.sessionAffinityConfig "context" $) | nindent 4 }} - {{- end }} - publishNotReadyAddresses: true - ports: - - name: {{ $root.Values.externalAccess.service.portName | quote }} - port: {{ $root.Values.externalAccess.service.ports.mongodb }} - {{- if not (empty $root.Values.externalAccess.service.nodePorts) }} - {{- $nodePort := index $root.Values.externalAccess.service.nodePorts $i }} - nodePort: {{ $nodePort }} - {{- else }} - nodePort: null - {{- end }} - targetPort: mongodb - {{- if $root.Values.externalAccess.service.extraPorts }} - {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.service.extraPorts "context" $) | nindent 4 }} - {{- end }} - selector: {{- include "common.labels.matchLabels" $ | nindent 4 }} - app.kubernetes.io/component: mongodb - statefulset.kubernetes.io/pod-name: {{ $targetPod }} ---- -{{- end }} -{{- end }} diff --git a/helm/mongodb/templates/replicaset/headless-svc.yaml b/helm/mongodb/templates/replicaset/headless-svc.yaml deleted file mode 100644 index 74e892dd..00000000 
--- a/helm/mongodb/templates/replicaset/headless-svc.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if eq .Values.architecture "replicaset" }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "mongodb.service.nameOverride" . }} - namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: mongodb - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.commonAnnotations .Values.service.headless.annotations }} - annotations: - {{- if .Values.service.headless.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.service.headless.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: ClusterIP - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: {{ .Values.service.portName | quote }} - port: {{ .Values.service.ports.mongodb }} - targetPort: mongodb - {{- if .Values.service.extraPorts }} - {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} - {{- end }} - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: mongodb -{{- end }} diff --git a/helm/mongodb/templates/replicaset/scripts-configmap.yaml b/helm/mongodb/templates/replicaset/scripts-configmap.yaml deleted file mode 100644 index 17b5f1ed..00000000 --- a/helm/mongodb/templates/replicaset/scripts-configmap.yaml +++ /dev/null 
@@ -1,314 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if eq .Values.architecture "replicaset" }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} - namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: mongodb - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: - {{- $fullname := include "mongodb.fullname" . }} - {{- $releaseNamespace := include "mongodb.namespace" . }} - {{- if and .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} - auto-discovery.sh: |- - #!/bin/bash - - SVC_NAME="${MY_POD_NAME}-external" - - # Auxiliary functions - retry_while() { - local -r cmd="${1:?cmd is missing}" - local -r retries="${2:-12}" - local -r sleep_time="${3:-5}" - local return_value=1 - - read -r -a command <<< "$cmd" - for ((i = 1 ; i <= retries ; i+=1 )); do - "${command[@]}" && return_value=0 && break - sleep "$sleep_time" - done - return $return_value - } - k8s_svc_lb_ip() { - local namespace=${1:?namespace is missing} - local service=${2:?service is missing} - local service_ip=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].ip}") - local service_hostname=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].hostname}") - - if [[ -n ${service_ip} ]]; then - echo "${service_ip}" - else - echo "${service_hostname}" - fi - } - k8s_svc_lb_ip_ready() { - local namespace=${1:?namespace is missing} - local service=${2:?service is missing} - [[ -n "$(k8s_svc_lb_ip "$namespace" 
"$service")" ]] - } - # Wait until LoadBalancer IP is ready - retry_while "k8s_svc_lb_ip_ready {{ $releaseNamespace }} $SVC_NAME" || exit 1 - # Obtain LoadBalancer external IP - k8s_svc_lb_ip "{{ $releaseNamespace }}" "$SVC_NAME" | tee "$SHARED_FILE" - {{- end }} - setup.sh: |- - #!/bin/bash - - . /opt/bitnami/scripts/mongodb-env.sh - . /opt/bitnami/scripts/libfs.sh - . /opt/bitnami/scripts/liblog.sh - . /opt/bitnami/scripts/libvalidations.sh - - {{- if .Values.externalAccess.enabled }} - {{- if eq .Values.externalAccess.service.type "LoadBalancer" }} - {{- if .Values.externalAccess.autoDiscovery.enabled }} - export MONGODB_ADVERTISED_HOSTNAME="$(<${SHARED_FILE})" - {{- else }} - ID="${MY_POD_NAME#"{{ $fullname }}-"}" - export MONGODB_ADVERTISED_HOSTNAME=$(echo '{{ .Values.externalAccess.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") - {{- end }} - {{- else if eq .Values.externalAccess.service.type "NodePort" }} - ID="${MY_POD_NAME#"{{ $fullname }}-"}" - if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then - export MONGODB_ADVERTISED_PORT_NUMBER=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") - fi - {{- if .Values.externalAccess.service.domain }} - export MONGODB_ADVERTISED_HOSTNAME={{ .Values.externalAccess.service.domain }} - {{- else }} - export MONGODB_ADVERTISED_HOSTNAME=$MY_POD_HOST_IP - {{- end }} - {{- end }} - {{- end }} - - {{- if .Values.replicaSetConfigurationSettings.enabled }} - # placed here before root password env is overwritten - # makes no assumption about starting state - # ensures that any stepDown or non-default starting state is handled - /scripts/replicaSetConfigurationSettings.sh & - {{- end }} - - if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then - export MONGODB_ADVERTISED_PORT_NUMBER="$MONGODB_PORT_NUMBER" - fi - - info "Advertised Hostname: $MONGODB_ADVERTISED_HOSTNAME" - info "Advertised Port: $MONGODB_ADVERTISED_PORT_NUMBER" - - # Check for 
existing replica set in case there is no data in the PVC - # This is for cases where the PVC is lost or for MongoDB caches without - # persistence - current_primary="" - if is_dir_empty "${MONGODB_DATA_DIR}/db"; then - info "Data dir empty, checking if the replica set already exists" - {{- $replicaCount := int .Values.replicaCount }} - {{- $portNumber := int .Values.service.ports.mongodb }} - {{- $fullname := include "mongodb.fullname" . }} - {{- $releaseNamespace := include "mongodb.namespace" . }} - {{- $clusterDomain := .Values.clusterDomain }} - {{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }} - {{- $mongoList := list }} - {{- range $e, $i := until $replicaCount }} - {{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $portNumber) }} - {{- end }} - - {{- if .Values.externalAccess.externalMaster.enabled }} - current_primary={{ printf "%s:%d" (.Values.externalAccess.externalMaster.host) ( int .Values.externalAccess.externalMaster.port) }} - {{- else }} - current_primary=$(mongosh admin --host "{{ join "," $mongoList }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u $MONGODB_ROOT_USER -p $MONGODB_ROOT_PASSWORD{{- end }}{{- if .Values.tls.enabled}} --tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert{{- end }} --eval 'db.runCommand("ismaster")' | awk -F\' '/primary/ {print $2}') - {{- end }} - if ! is_empty_value "$current_primary"; then - info "Detected existing primary: ${current_primary}" - fi - fi - - if ! is_empty_value "$current_primary" && [[ "$MONGODB_ADVERTISED_HOSTNAME:$MONGODB_ADVERTISED_PORT_NUMBER" == "$current_primary" ]]; then - info "Advertised name matches current primary, configuring node as a primary" - export MONGODB_REPLICA_SET_MODE="primary" - elif ! 
is_empty_value "$current_primary" && [[ "$MONGODB_ADVERTISED_HOSTNAME:$MONGODB_ADVERTISED_PORT_NUMBER" != "$current_primary" ]]; then - info "Current primary is different from this node. Configuring the node as replica of ${current_primary}" - export MONGODB_REPLICA_SET_MODE="secondary" - export MONGODB_INITIAL_PRIMARY_HOST="${current_primary%:*}" - export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="${current_primary#*:}" - export MONGODB_SET_SECONDARY_OK="yes" - elif [[ "$MY_POD_NAME" = "{{ $fullname }}-0" ]]; then - info "Pod name matches initial primary pod name, configuring node as a primary" - export MONGODB_REPLICA_SET_MODE="primary" - else - info "Pod name doesn't match initial primary pod name, configuring node as a secondary" - export MONGODB_REPLICA_SET_MODE="secondary" - export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="$MONGODB_PORT_NUMBER" - fi - - if [[ "$MONGODB_REPLICA_SET_MODE" == "secondary" ]]; then - export MONGODB_INITIAL_PRIMARY_ROOT_USER="$MONGODB_ROOT_USER" - export MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD="$MONGODB_ROOT_PASSWORD" - export MONGODB_ROOT_PASSWORD="" - export MONGODB_EXTRA_USERNAMES="" - export MONGODB_EXTRA_DATABASES="" - export MONGODB_EXTRA_PASSWORDS="" - export MONGODB_ROOT_PASSWORD_FILE="" - export MONGODB_EXTRA_USERNAMES_FILE="" - export MONGODB_EXTRA_DATABASES_FILE="" - export MONGODB_EXTRA_PASSWORDS_FILE="" - fi - - exec /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh - setup-hidden.sh: |- - #!/bin/bash - - . 
/opt/bitnami/scripts/mongodb-env.sh - - {{- if .Values.externalAccess.hidden.enabled }} - {{- if eq .Values.externalAccess.hidden.service.type "LoadBalancer" }} - {{- if .Values.externalAccess.autoDiscovery.enabled }} - export MONGODB_ADVERTISED_HOSTNAME="$(<${SHARED_FILE})" - {{- else }} - ID="${MY_POD_NAME#"{{ $fullname }}-hidden-"}" - export MONGODB_ADVERTISED_HOSTNAME=$(echo '{{ .Values.externalAccess.hidden.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") - {{- end }} - {{- else if eq .Values.externalAccess.hidden.service.type "NodePort" }} - ID="${MY_POD_NAME#"{{ $fullname }}-hidden-"}" - if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then - export MONGODB_ADVERTISED_PORT_NUMBER=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") - fi - {{- if .Values.externalAccess.hidden.service.domain }} - export MONGODB_ADVERTISED_HOSTNAME={{ .Values.externalAccess.hidden.service.domain }} - {{- else }} - export MONGODB_ADVERTISED_HOSTNAME=$MY_POD_HOST_IP - {{- end }} - {{- end }} - {{- end }} - - {{- if .Values.replicaSetConfigurationSettings.enabled }} - # placed here before root password env is overwritten - # makes no assumption about starting state - # ensures that any stepDown or non-default starting state is handled - /scripts/replicaSetConfigurationSettings.sh & - {{- end }} - - echo "Advertised Hostname: $MONGODB_ADVERTISED_HOSTNAME" - echo "Advertised Port: $MONGODB_ADVERTISED_PORT_NUMBER" - echo "Configuring node as a hidden node" - export MONGODB_REPLICA_SET_MODE="hidden" - export MONGODB_INITIAL_PRIMARY_ROOT_USER="$MONGODB_ROOT_USER" - export MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD="$MONGODB_ROOT_PASSWORD" - export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="$MONGODB_PORT_NUMBER" - export MONGODB_ROOT_PASSWORD="" - export MONGODB_EXTRA_USERNAMES="" - export MONGODB_EXTRA_DATABASES="" - export MONGODB_EXTRA_PASSWORDS="" - export MONGODB_ROOT_PASSWORD_FILE="" - export 
MONGODB_EXTRA_USERNAMES_FILE="" - export MONGODB_EXTRA_DATABASES_FILE="" - export MONGODB_EXTRA_PASSWORDS_FILE="" - exec /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh - {{- if .Values.replicaSetConfigurationSettings.enabled }} - replicaSetConfigurationSettings.sh: |- - #!/bin/bash - # This script to be called when pod starts. - # This script sets rs settings which can not be applied via conf file - - function logger () - #$1 is the line to be logged - { - echo "replicaSetConfigurationSettings.sh -- ${1}" >&1 - } - - SLEEP_PERIOD=10 - - {{- if and .Values.auth.enabled .Values.auth.rootPassword }} - usernameAndPassword="-u ${MONGODB_ROOT_USER} -p ${MONGODB_ROOT_PASSWORD}" - {{- else }} - usernameAndPassword="" - {{- end }} - - # load Values.replicaSetConfigurationSettings.configuration into associtive array which makes iterating and string manipulation easy - declare -A desiredRsConf - {{ range $setting, $value := .Values.replicaSetConfigurationSettings.configuration -}} - {{ printf "desiredRsConf[%s]='%v'" $setting $value }} - {{ end }} - - rsConfWriteAttempts=0 - rs_conf_configured_ok=unknown - - while [[ "${rs_conf_configured_ok}" != "true" ]]; do - - # give the rs setup a chance to succeed before attempting to read or configure - sleep ${SLEEP_PERIOD} - - counter=0 - while ! mongosh ${usernameAndPassword} --eval 'rs.conf()'; do - counter=$((${counter} +1)) - logger "not yet able to read rs.conf settings from the currently running rs (after ${counter} attempts)" - sleep ${SLEEP_PERIOD} - done - counter=$((${counter} +1)) - logger "rs.conf settings have been read from the currently running rs (after ${counter} attempts)" - - # read rs.conf again and store it. settings format is '"" : ,' - currentRsConf=$(mongosh ${usernameAndPassword} --eval 'rs.conf()') - - desiredEqualsactual=unknown - settingsToConfigure="" - for key in ${!desiredRsConf[@]}; do - value=${desiredRsConf[$key]} - if ! 
$(echo "\"${currentRsConf}"\" | grep -q -e "${key}: ${value},"); then - logger "rs conf setting: ${key} value will be set to: ${value}" - settingsToConfigure="${settingsToConfigure}cfg.settings.${key} = ${value}; " - desiredEqualsactual=false - else - logger "rs conf: ${key} is already at desired value: ${value}" - fi - done - - if [[ "${desiredEqualsactual}" != "false" ]]; then - logger "replicaSetConfigurationSettings match the settings of the currently running rs" - desiredEqualsactual=true - rs_conf_configured_ok=true - logger "Current settings match desired settings (There have been ${rsConfWriteAttempts} attempts to write to mongoDB rs configuration)" - exit - fi - - # apply the settings only if this member is currently the mongo replicaset PRIMARY - # it might take a little time before any pod is PRIMARY - isMaster=unknown - if ! mongosh ${usernameAndPassword} --eval 'rs.isMaster()' | grep -q "ismaster: true"; then - isMaster=false - logger "This node is not yet PRIMARY - replicaSetConfigurationSettings will only be set on the member that is currently PRIMARY" - else - isMaster=true - logger "This node is PRIMARY" - fi - - if [[ "${isMaster}" == "true" ]]; then - logger "This node is currently PRIMARY - will apply rs.conf settings" - - # avoiding tricky string substitution with single quotes by making the eval string a set of vars - rsconf="cfg = rs.conf();" - rsreconf="rs.reconfig(cfg);" - rsCommand="${rsconf} ${settingsToConfigure} ${rsreconf}" - - mongosh ${usernameAndPassword} --eval "${rsCommand}" - if [ $? -ne 0 ]; then - logger "Failed to apply mongodb cfg.settings configuration" - else - logger "mongodb replicaset cfg.settings configuration applied" - logger "Will check rs conf" - # don't exit just yet - the settings will be checked in the next loop - fi - rsConfWriteAttempts=$((${rsConfWriteAttempts} + 1 )) - fi - done - {{- end }} -{{- end }} 
diff --git a/helm/mongodb/templates/replicaset/statefulset.yaml b/helm/mongodb/templates/replicaset/statefulset.yaml deleted file mode 100644 index 0b6584b9..00000000 --- a/helm/mongodb/templates/replicaset/statefulset.yaml +++ /dev/null 
@@ -1,573 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if eq .Values.architecture "replicaset" }} -{{- $replicaCount := int .Values.replicaCount }} -{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }} -{{- if not (and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.service.type "LoadBalancer")) }} -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ include "mongodb.fullname" . }} - namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: mongodb - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.labels }} - {{- include "common.tplvalues.render" (dict "value" .Values.labels "context" $) | nindent 4 }} - {{- end }} - {{- if or .Values.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - serviceName: {{ include "mongodb.service.nameOverride" . }} - podManagementPolicy: {{ .Values.podManagementPolicy }} - replicas: {{ .Values.replicaCount }} - {{- if .Values.updateStrategy }} - updateStrategy: {{- toYaml .Values.updateStrategy | nindent 4 }} - {{- end }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: mongodb - template: - metadata: - labels: {{- include "common.labels.standard" . 
| nindent 8 }} - app.kubernetes.io/component: mongodb - {{- if .Values.podLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} - {{- end }} - {{- if or (include "mongodb.createConfigmap" .) .Values.podAnnotations }} - annotations: - {{- if (include "mongodb.createConfigmap" .) }} - checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- end }} - {{- if .Values.podAnnotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} - {{- end }} - {{- end }} - spec: - {{- include "mongodb.imagePullSecrets" . | nindent 6 }} - {{- if .Values.schedulerName }} - schedulerName: {{ .Values.schedulerName | quote }} - {{- end }} - serviceAccountName: {{ template "mongodb.serviceAccountName" . }} - {{- if .Values.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "mongodb" "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "mongodb" "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" 
.Values.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.topologySpreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - {{- if .Values.runtimeClassName }} - runtimeClassName: {{ .Values.runtimeClassName }} - {{- end }} - {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - {{ if .Values.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- end }} - {{- if or .Values.initContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) (and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled) .Values.tls.enabled }} - initContainers: - {{- if .Values.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} - {{- end }} - {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - - name: volume-permissions - image: {{ include "mongodb.volumePermissions.image" . 
}} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - command: - - /bin/bash - args: - - -ec - - | - mkdir -p {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} - chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} - find {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.volumePermissions.resources }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: datadir - mountPath: {{ .Values.persistence.mountPath }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: generate-tls-certs - image: {{ include "mongodb.tls.image" . }} - imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} - env: - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - volumeMounts: - {{- if (include "mongodb.autoGenerateCerts" .) 
}} - - name: certs-volume - mountPath: /certs/CAs - {{- else }} - {{- range $index, $_ := .Values.tls.replicaset.existingSecrets }} - - name: mongodb-certs-{{ $index }} - mountPath: /certs-{{ $index }} - {{- end }} - {{- end }} - - name: certs - mountPath: /certs - - name: common-scripts - mountPath: /bitnami/scripts - command: - - /bitnami/scripts/generate-certs.sh - args: - - -s {{ include "mongodb.service.nameOverride" . }} - {{- if .Values.externalAccess.service.loadBalancerIPs }} - - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} - {{- end }} - {{- if .Values.tls.extraDnsNames }} - - -n {{ join "," .Values.tls.extraDnsNames }} - {{- end }} - {{- if .Values.tls.resources }} - resources: {{- toYaml .Values.tls.resources | nindent 12 }} - {{- end }} - {{- end }} - {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} - - name: auto-discovery - image: {{ include "mongodb.externalAccess.autoDiscovery.image" . }} - imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }} - command: - - /scripts/auto-discovery.sh - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: SHARED_FILE - value: "/shared/info.txt" - {{- if .Values.externalAccess.autoDiscovery.resources }} - resources: {{- toYaml .Values.externalAccess.autoDiscovery.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: shared - mountPath: /shared - - name: scripts - mountPath: /scripts/auto-discovery.sh - subPath: auto-discovery.sh - {{- end }} - {{- end }} - containers: - - name: mongodb - image: {{ include "mongodb.image" . 
}} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} - {{- else }} - command: - - /scripts/setup.sh - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.lifecycleHooks }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} - - name: SHARED_FILE - value: "/shared/info.txt" - {{- end }} - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: K8S_SERVICE_NAME - value: "{{ include "mongodb.service.nameOverride" . }}" - - name: MONGODB_INITIAL_PRIMARY_HOST - value: {{ printf "%s-0.$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.%s" (include "mongodb.fullname" .) 
.Values.clusterDomain }} - - name: MONGODB_REPLICA_SET_NAME - value: {{ .Values.replicaSetName | quote }} - {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.enabled) }} - - name: MONGODB_ADVERTISED_HOSTNAME - value: "$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" - {{- end }} - {{- $customUsers := include "mongodb.customUsers" . -}} - {{- $customDatabases := include "mongodb.customDatabases" . -}} - {{- if not (empty $customUsers) }} - - name: MONGODB_EXTRA_USERNAMES - value: {{ $customUsers | quote }} - {{- end }} - {{- if not (empty $customDatabases) }} - - name: MONGODB_EXTRA_DATABASES - value: {{ $customDatabases | quote }} - {{- end }} - {{- if .Values.auth.enabled }} - {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} - - name: MONGODB_EXTRA_PASSWORDS - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . }} - key: mongodb-passwords - {{- end }} - - name: MONGODB_ROOT_USER - value: {{ .Values.auth.rootUser | quote }} - - name: MONGODB_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . }} - key: mongodb-root-password - - name: MONGODB_REPLICA_SET_KEY - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . }} - key: mongodb-replica-set-key - {{- end }} - {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} - - name: MONGODB_METRICS_USERNAME - value: {{ .Values.metrics.username | quote }} - {{- if .Values.auth.enabled }} - - name: MONGODB_METRICS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . 
}} - key: mongodb-metrics-password - {{- end }} - {{- end }} - - name: ALLOW_EMPTY_PASSWORD - value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} - - name: MONGODB_SYSTEM_LOG_VERBOSITY - value: {{ .Values.systemLogVerbosity | quote }} - - name: MONGODB_DISABLE_SYSTEM_LOG - value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} - - name: MONGODB_DISABLE_JAVASCRIPT - value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} - - name: MONGODB_ENABLE_JOURNAL - value: {{ ternary "yes" "no" .Values.enableJournal | quote }} - - name: MONGODB_PORT_NUMBER - value: {{ .Values.containerPorts.mongodb | quote }} - - name: MONGODB_ENABLE_IPV6 - value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} - - name: MONGODB_ENABLE_DIRECTORY_PER_DB - value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} - {{- $extraFlags := .Values.extraFlags | join " " -}} - {{- if .Values.tls.enabled }} - {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert %s" .Values.tls.mode $extraFlags }} - {{- end }} - {{- if ne $extraFlags "" }} - - name: MONGODB_EXTRA_FLAGS - value: {{ $extraFlags | quote }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: MONGODB_CLIENT_EXTRA_FLAGS - value: --tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert - {{- end }} - {{- if .Values.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} - envFrom: - {{- if .Values.extraEnvVarsCM }} - - configMapRef: - name: {{ tpl .Values.extraEnvVarsCM . | quote }} - {{- end }} - {{- if .Values.extraEnvVarsSecret }} - - secretRef: - name: {{ tpl .Values.extraEnvVarsSecret . 
| quote }} - {{- end }} - {{- end }} - ports: - - name: mongodb - containerPort: {{ .Values.containerPorts.mongodb }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bitnami/scripts/ping-mongodb.sh - {{- end }} - {{- if .Values.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bitnami/scripts/readiness-probe.sh - {{- end }} - {{- if .Values.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bitnami/scripts/startup-probe.sh - {{- end }} - {{- end }} - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: datadir - mountPath: {{ .Values.persistence.mountPath }} - subPath: {{ .Values.persistence.subPath }} - - name: common-scripts - mountPath: /bitnami/scripts - {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} - - name: custom-init-scripts - mountPath: /docker-entrypoint-initdb.d - {{- end }} - {{- if or .Values.configuration .Values.existingConfigmap }} - - name: config - mountPath: 
/opt/bitnami/mongodb/conf/mongodb.conf - subPath: mongodb.conf - {{- end }} - - name: scripts - mountPath: /scripts/setup.sh - subPath: setup.sh - {{ if .Values.replicaSetConfigurationSettings.enabled }} - - name: scripts - mountPath: /scripts/replicaSetConfigurationSettings.sh - subPath: replicaSetConfigurationSettings.sh - {{- end }} - {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} - - name: shared - mountPath: /shared - {{- end }} - {{- if .Values.tls.enabled }} - - name: certs - mountPath: /certs - {{- end }} - {{- if .Values.extraVolumeMounts }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - - name: metrics - image: {{ template "mongodb.metrics.image" . }} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.metrics.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} - {{- else }} - command: - - /bin/bash - - -ec - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.metrics.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} - {{- else }} - args: - - | - /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort 
}}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} - {{- end }} - env: - {{- if .Values.auth.enabled }} - {{- if not .Values.metrics.username }} - - name: MONGODB_ROOT_USER - value: {{ .Values.auth.rootUser | quote }} - - name: MONGODB_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . }} - key: mongodb-root-password - {{- else }} - - name: MONGODB_METRICS_USERNAME - value: {{ .Values.metrics.username | quote }} - - name: MONGODB_METRICS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "mongodb.secretName" . }} - key: mongodb-metrics-password - {{- end }} - {{- end }} - volumeMounts: - {{- if .Values.tls.enabled }} - - name: certs - mountPath: /certs - {{- end }} - {{- if .Values.metrics.extraVolumeMounts }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} - {{- end }} - ports: - - name: metrics - containerPort: {{ .Values.metrics.containerPort }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.metrics.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: / - port: metrics - {{- end }} - {{- if .Values.metrics.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: / - port: metrics - {{- end }} - {{- if .Values.metrics.customStartupProbe }} - startupProbe: 
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: metrics - {{- end }} - {{- end }} - {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} - {{- end }} - volumes: - - name: common-scripts - configMap: - name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} - defaultMode: 0550 - {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} - - name: custom-init-scripts - configMap: - name: {{ template "mongodb.initdbScriptsCM" . }} - {{- end }} - {{- if or .Values.configuration .Values.existingConfigmap }} - - name: config - configMap: - name: {{ include "mongodb.configmapName" . }} - {{- end }} - {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} - - name: shared - emptyDir: {} - {{- end }} - - name: scripts - configMap: - name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} - defaultMode: 0755 - {{- if .Values.extraVolumes }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: certs - emptyDir: {} - {{- if (include "mongodb.autoGenerateCerts" .) }} - - name: certs-volume - secret: - secretName: {{ template "mongodb.tlsSecretName" . 
}} - items: - - key: mongodb-ca-cert - path: mongodb-ca-cert - mode: 0600 - - key: mongodb-ca-key - path: mongodb-ca-key - mode: 0600 - {{- else }} - {{- range $index, $secret := .Values.tls.replicaset.existingSecrets }} - - name: mongodb-certs-{{ $index }} - secret: - secretName: {{ include "common.tplvalues.render" ( dict "value" $secret "context" $) }} - defaultMode: 256 - {{- end }} - {{- end }} - {{- end }} - {{- if not .Values.persistence.enabled }} - - name: datadir - {{- if .Values.persistence.medium }} - emptyDir: - medium: {{ .Values.persistence.medium | quote }} - {{- else }} - emptyDir: {} - {{- end }} - {{- else }} - volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: datadir - {{- if .Values.persistence.annotations }} - annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} - {{- end }} - spec: - accessModes: - {{- range .Values.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{- if .Values.persistence.volumeClaimTemplates.requests }} - {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.requests "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.persistence.volumeClaimTemplates.dataSource }} - dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.dataSource "context" $) | nindent 10 }} - {{- end }} - {{- if .Values.persistence.volumeClaimTemplates.selector }} - selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} - {{- end }} - {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} - {{- end }} -{{- end }} -{{- end }} 
diff --git a/helm/mongodb/templates/replicaset/svc.yaml b/helm/mongodb/templates/replicaset/svc.yaml
deleted file mode 100644
index 247b4341..00000000
--- a/helm/mongodb/templates/replicaset/svc.yaml
+++ /dev/null
@@ -1,48 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "ClusterIP") }} - -{{- $fullName := include "mongodb.fullname" . }} -{{- $replicaCount := .Values.replicaCount | int }} -{{- $root := . }} - -{{- range $i, $e := until $replicaCount }} -{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }} -{{- $_ := set $ "targetPod" $targetPod }} -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-%d" $fullName $i }} - namespace: {{ include "mongodb.namespace" $ }} - labels: {{- include "common.labels.standard" $ | nindent 4 }} - app.kubernetes.io/component: mongodb - {{- if $root.Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" $root.Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or $root.Values.service.annotations $root.Values.commonAnnotations }} - annotations: - {{- if $root.Values.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" $root.Values.service.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if $root.Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" $root.Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: ClusterIP - ports: - - name: {{ $root.Values.service.portName | quote }} - port: {{ $root.Values.service.ports.mongodb }} - targetPort: mongodb - {{- if $root.Values.service.extraPorts }} - {{- include "common.tplvalues.render" (dict "value" $root.Values.service.extraPorts "context" $) | nindent 4 }} - {{- end }} - selector: {{- include "common.labels.matchLabels" $ | nindent 4 }} - app.kubernetes.io/component: mongodb - statefulset.kubernetes.io/pod-name: {{ $targetPod }} ---- -{{- end }} -{{- end }} diff --git a/helm/mongodb/templates/role.yaml b/helm/mongodb/templates/role.yaml index a94a7993..062e8f39 100644 
--- a/helm/mongodb/templates/role.yaml +++ b/helm/mongodb/templates/role.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} @@ -9,10 +9,7 @@ kind: Role metadata: name: {{ include "mongodb.fullname" . }} namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} rules: - apiGroups: - "" @@ -25,8 +22,7 @@ rules: {{- if .Values.rbac.rules }} {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} {{- end -}} -{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} -{{- if and $pspAvailable .Values.podSecurityPolicy.create }} +{{- if and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create }} - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}'] resources: ['podsecuritypolicies'] verbs: ['use'] diff --git a/helm/mongodb/templates/rolebinding.yaml b/helm/mongodb/templates/rolebinding.yaml index 055846f0..7ff6b185 100644 --- a/helm/mongodb/templates/rolebinding.yaml +++ b/helm/mongodb/templates/rolebinding.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} 
@@ -9,10 +9,7 @@ kind: RoleBinding metadata: name: {{ include "mongodb.fullname" . }} namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} roleRef: kind: Role name: {{ include "mongodb.fullname" . }} diff --git a/helm/mongodb/templates/secrets-ca.yaml b/helm/mongodb/templates/secrets-ca.yaml index dc667498..932b0e6c 100644 --- a/helm/mongodb/templates/secrets-ca.yaml +++ b/helm/mongodb/templates/secrets-ca.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} @@ -14,12 +14,8 @@ kind: Secret metadata: name: {{ $secretName }} namespace: {{ template "mongodb.namespace" . }} - labels: - {{- include "common.labels.standard" . | nindent 4 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: mongodb - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/helm/mongodb/templates/secrets.yaml b/helm/mongodb/templates/secrets.yaml index c9b27e7c..4ff27c16 100644 --- a/helm/mongodb/templates/secrets.yaml +++ b/helm/mongodb/templates/secrets.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} 
@@ -55,11 +55,8 @@ kind: Secret metadata: name: {{ include "mongodb.fullname" . }} namespace: {{ template "mongodb.namespace" . }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: mongodb - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} @@ -83,10 +80,7 @@ kind: Secret metadata: name: {{ include "common.names.fullname" . }}-svcbind-root namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} 
@@ -102,15 +96,13 @@ data: uri: {{ printf "mongodb://%s:%s@%s/admin" .Values.auth.rootUser $rootPassword $hostForURI | b64enc | quote }} {{- range $e, $i := until (len $customUsersList) }} --- +{{- $currentSecret := printf "%s-svcbind-%d" (include "common.names.fullname" $) $i }} apiVersion: v1 kind: Secret metadata: - name: {{ include "common.names.fullname" $ }}-svcbind-{{ $i }} + name: {{ $currentSecret }} namespace: {{ $.Release.Namespace | quote }} - labels: {{- include "common.labels.standard" $ | nindent 4 }} - {{- if $.Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} {{- if $.Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} @@ -121,7 +113,8 @@ data: {{- if gt (len $customDatabasesList) $i }} {{- $currentDatabase = index $customDatabasesList $i }} {{- end }} - {{- $currentPassword := index $customPasswordsList $i }} + {{- $currentProvidedPassword := index $customPasswordsList $i }} + {{- $currentPassword := include "common.secrets.lookup" (dict "secret" $currentSecret "key" "password" "defaultValue" $currentProvidedPassword "context" $) | b64dec }} provider: {{ print "bitnami" | b64enc | quote }} type: {{ print "mongodb" | b64enc | quote }} host: {{ print $host | b64enc | quote }} diff --git a/helm/mongodb/templates/serviceaccount.yaml b/helm/mongodb/templates/serviceaccount.yaml index f30a4557..b54e8a0d 100644 --- a/helm/mongodb/templates/serviceaccount.yaml +++ b/helm/mongodb/templates/serviceaccount.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} 
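Review bot: The `common.secrets.lookup` on the last added line makes the `-svcbind-N` Secret keep whatever `password` it already holds, so after the first install a changed entry in the custom-user password list no longer reaches the binding Secret, while the MongoDB user itself is presumably still configured from the supplied value; the two can drift on rotation. A short comment above the lookup would save the next maintainer a surprise: `{{- /* an existing svcbind Secret wins over the supplied password; delete the Secret to re-seed it on upgrade */ }}`. The enclosing `range` over `$customUsersList` begins in the previous hunk, not in this one.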
@@ -9,20 +9,12 @@ kind: ServiceAccount metadata: name: {{ include "mongodb.serviceAccountName" . }} namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.serviceAccount.annotations }} - {{ toYaml .Values.serviceAccount.annotations | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} {{- end }} secrets: - - name: {{ template "mongodb.fullname" . }} + - name: {{ include "mongodb.secretName" . }} automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/helm/mongodb/templates/servicemonitor.yaml b/helm/mongodb/templates/servicemonitor.yaml deleted file mode 100644 index fc58f3ed..00000000 --- a/helm/mongodb/templates/servicemonitor.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "mongodb.fullname" . }} - namespace: {{ include "mongodb.serviceMonitor.namespace" . }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.metrics.serviceMonitor.labels }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.labels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - app.kubernetes.io/component: metrics - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if .Values.metrics.serviceMonitor.jobLabel }} - jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} - {{- end }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . 
| nindent 6 }} - {{- if .Values.metrics.serviceMonitor.selector }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} - {{- end }} - app.kubernetes.io/component: metrics - endpoints: - - port: http-metrics - {{- if .Values.metrics.serviceMonitor.interval }} - interval: {{ .Values.metrics.serviceMonitor.interval }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.relabelings }} - relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.metricRelabelings }} - metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.honorLabels }} - honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} - {{- end }} - namespaceSelector: - matchNames: - - "{{ include "mongodb.namespace" . }}" -{{- end }} diff --git a/helm/mongodb/templates/standalone/dep-sts.yaml b/helm/mongodb/templates/standalone/dep-sts.yaml index c6fdb600..fdf55f23 100644 --- a/helm/mongodb/templates/standalone/dep-sts.yaml +++ b/helm/mongodb/templates/standalone/dep-sts.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} 
@@ -9,25 +9,15 @@ kind: {{ if .Values.useStatefulSet }}StatefulSet{{- else }}Deployment{{- end }} metadata: name: {{ include "mongodb.fullname" . }} namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: mongodb - {{- if .Values.labels }} - {{- include "common.tplvalues.render" (dict "value" .Values.labels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if or .Values.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} {{- end }} spec: - replicas: 1 + replicas: {{ gt (.Values.replicaCount | int) 1 | ternary 1 .Values.replicaCount }} {{- if .Values.useStatefulSet }} serviceName: {{ include "mongodb.service.nameOverride" . }} {{- end }} 
@@ -39,19 +29,14 @@ spec: {{- end }} {{- toYaml .Values.updateStrategy | nindent 4 }} {{- end}} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: mongodb template: metadata: - labels: {{- include "common.labels.standard" . | nindent 8 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} app.kubernetes.io/component: mongodb - {{- if .Values.podLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} - {{- end }} {{- if or (include "mongodb.createConfigmap" .) .Values.podAnnotations }} annotations: {{- if (include "mongodb.createConfigmap" .) }} @@ -63,6 +48,7 @@ spec: {{- end }} spec: {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} {{- if .Values.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} {{- end }} 
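Review bot: The new pod-level `automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}` only hardens the pod if the key is defined in values.yaml, which this diff does not show; an undefined value renders as `automountServiceAccountToken:` (null) and the pod then falls back to the ServiceAccount's setting. If the intent is to keep the token off the mongod container unless explicitly requested, `automountServiceAccountToken: {{ .Values.automountServiceAccountToken | default false }}` makes that explicit and still honours a `true` in values.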
@@ -74,8 +60,8 @@ spec: affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} {{- else }} affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "mongodb" "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "mongodb" "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} {{- end }} {{- if .Values.nodeSelector }} 
@@ -91,40 +77,20 @@ spec: runtimeClassName: {{ .Values.runtimeClassName }} {{- end }} {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{ if .Values.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} {{- end }} - {{- if or .Values.initContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) .Values.tls.enabled }} + enableServiceLinks: {{ .Values.enableServiceLinks }} initContainers: {{- if .Values.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} {{- end }} {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - - name: volume-permissions - image: {{ include "mongodb.volumePermissions.image" . 
}} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - command: - - /bin/bash - args: - - -ec - - | - mkdir -p {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} - chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} - find {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.volumePermissions.resources }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: datadir - mountPath: {{ .Values.persistence.mountPath }} + {{- include "mongodb.initContainer.volumePermissions" . | indent 8 }} {{- end }} + {{- include "mongodb.initContainer.prepareLogDir" . | nindent 8 }} {{- if .Values.tls.enabled }} - name: generate-tls-certs image: {{ include "mongodb.tls.image" . }} @@ -139,6 +105,9 @@ spec: fieldRef: fieldPath: status.hostIP volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if (include "mongodb.autoGenerateCerts" .) }} - name: certs-volume mountPath: /certs/CAs 
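Review bot: `{{- include "mongodb.initContainer.volumePermissions" . | indent 8 }}` trims the preceding newline and uses `indent` rather than `nindent`, so the list item only lands on its own line under `initContainers:` if the helper's output happens to start with a newline; the neighbouring `prepareLogDir` include uses `nindent 8` and has no such dependency. `{{- include "mongodb.initContainer.volumePermissions" . | nindent 8 }}` renders correctly whether or not the helper emits a leading newline. The same "undefined value renders as null" caveat raised for `automountServiceAccountToken` applies to the new `enableServiceLinks: {{ .Values.enableServiceLinks }}` line, which should be backed by a default in values.yaml.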
@@ -157,20 +126,24 @@ spec: {{- if .Values.externalAccess.service.loadBalancerIPs }} - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} {{- end }} - {{- if .Values.tls.extraDnsNames }} - - -n {{ join "," .Values.tls.extraDnsNames }} + {{- if or .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames }} + - -n {{ join "," ( concat .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames ) }} {{- end }} {{- if .Values.tls.resources }} - resources: {{- toYaml .Values.tls.resources | nindent 12 }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.tls.resources "context" $) | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.tls.securityContext }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 12 }} {{- end }} {{- end }} - {{- end }} containers: - name: mongodb image: {{ include "mongodb.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} 
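Review bot: `concat .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames` fails at render time if either value is nil, because sprig's `concat` accepts only lists, and the `or` guard only guarantees that one of the two is set. Unless values.yaml (not in this diff) defines both keys as `[]`, a safer form is `- -n {{ join "," ( concat ( default ( list ) .Values.tls.extraDnsNames ) ( default ( list ) .Values.externalAccess.service.publicNames ) ) }}`. Note also that every name in `publicNames` ends up as a SAN on the generated server certificate, which is the intended effect but worth a comment next to the flag.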
@@ -243,7 +216,10 @@ spec: value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} {{- $extraFlags := .Values.extraFlags | join " " -}} {{- if .Values.tls.enabled }} - {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert %s" .Values.tls.mode $extraFlags }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} {{- end }} {{- if ne $extraFlags "" }} - name: MONGODB_EXTRA_FLAGS @@ -251,7 +227,7 @@ spec: {{- end }} {{- if .Values.tls.enabled }} - name: MONGODB_CLIENT_EXTRA_FLAGS - value: --tls --tlsCertificateKeyFile=/certs/mongodb.pem --tlsCAFile=/certs/mongodb-ca-cert + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert {{- end }} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} 
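Review bot: With `tls.mTLS.enabled` false, mongod no longer receives `--tlsCAFile` while the client flags keep it — a sensible split, but the security consequence deserves a comment where `$extraFlags` is assembled, since a reader may assume `tls.enabled` alone gives mutual authentication (as far as I can tell, mongod cannot validate client certificates without a CA file). Suggested: `{{- /* CA file is passed to mongod only for mTLS, so client certificates are not validated otherwise; clients always verify the server via --tlsCAFile in MONGODB_CLIENT_EXTRA_FLAGS */ }}`.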
@@ -301,10 +277,27 @@ spec: {{- end }} {{- end }} {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - - name: datadir + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /.mongodb + subPath: mongosh-home + - name: {{ .Values.persistence.name | default "datadir" }} mountPath: {{ .Values.persistence.mountPath }} subPath: {{ .Values.persistence.subPath }} - name: common-scripts @@ -330,7 +323,7 @@ spec: image: {{ template "mongodb.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} @@ -371,6 +364,9 @@ spec: {{- end }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if .Values.tls.enabled }} - name: certs mountPath: /certs 
@@ -386,8 +382,7 @@ spec: livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} {{- else if .Values.metrics.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: / + tcpSocket: port: metrics {{- end }} {{- if .Values.metrics.customReadinessProbe }} @@ -407,13 +402,17 @@ spec: {{- end }} {{- end }} {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.resources "context" $) | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} {{- end }} {{- end }} {{- if .Values.sidecars }} {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} @@ -453,7 +452,7 @@ spec: {{- end }} {{- end }} {{- if not .Values.persistence.enabled }} - - name: datadir + - name: {{ .Values.persistence.name | default "datadir" }} {{- if .Values.persistence.medium }} emptyDir: medium: {{ .Values.persistence.medium | quote }} 
@@ -461,20 +460,28 @@ spec: emptyDir: {} {{- end }} {{- else if .Values.persistence.existingClaim }} - - name: datadir + - name: {{ .Values.persistence.name | default "datadir" }} persistentVolumeClaim: claimName: {{ printf "%s" (tpl .Values.persistence.existingClaim .) }} {{- else if not .Values.useStatefulSet }} - - name: datadir + - name: {{ .Values.persistence.name | default "datadir" }} persistentVolumeClaim: claimName: {{ template "mongodb.fullname" . }} {{- else }} + {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} volumeClaimTemplates: - metadata: - name: datadir + name: {{ .Values.persistence.name | default "datadir" }} {{- if .Values.persistence.annotations }} annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} {{- end }} + {{- if .Values.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.labels "context" $) | nindent 10 }} + {{- end }} spec: accessModes: {{- range .Values.persistence.accessModes }} diff --git a/helm/mongodb/templates/replicaset/pdb.yaml b/helm/mongodb/templates/standalone/pdb.yaml similarity index 50% rename from helm/mongodb/templates/replicaset/pdb.yaml rename to helm/mongodb/templates/standalone/pdb.yaml index 50ce5903..d11b39a5 100644 --- a/helm/mongodb/templates/replicaset/pdb.yaml +++ b/helm/mongodb/templates/standalone/pdb.yaml 
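Review bot: `persistentVolumeClaimRetentionPolicy` with `whenDeleted: Delete` removes the data PVC together with the StatefulSet on `helm uninstall`, which for a database is a one-way door; the gating `enabled` flag helps, but a comment above the block, e.g. `{{- /* Delete destroys mongod data on uninstall/scale-down; Retain (the Kubernetes default) is the safe choice */ }}`, keeps operators from enabling it blindly. On clusters where the StatefulSet auto-delete-PVC feature is not available the field may be dropped at admission rather than rejected, so the policy can silently be out of effect; that is worth a line in the chart README.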
@@ -1,19 +1,16 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and (eq .Values.architecture "replicaset") .Values.pdb.create }} +{{- if and (not (eq .Values.architecture "replicaset")) .Values.pdb.create }} apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ include "mongodb.fullname" . }} namespace: {{ include "mongodb.namespace" . | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: mongodb - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} @@ -21,10 +18,11 @@ spec: {{- if .Values.pdb.minAvailable }} minAvailable: {{ .Values.pdb.minAvailable }} {{- end }} - {{- if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: mongodb {{- end }} diff --git a/helm/mongodb/templates/standalone/pvc.yaml b/helm/mongodb/templates/standalone/pvc.yaml index a45d8e8a..16098580 100644 --- a/helm/mongodb/templates/standalone/pvc.yaml +++ b/helm/mongodb/templates/standalone/pvc.yaml 
@@ -1,5 +1,5 @@
 {{- /*
-Copyright VMware, Inc.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
@@ -9,23 +9,16 @@ apiVersion: v1
 metadata:
 name: {{ include "mongodb.fullname" . }}
 namespace: {{ include "mongodb.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 app.kubernetes.io/component: mongodb
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if or .Values.persistence.annotations .Values.commonAnnotations .Values.persistence.resourcePolicy }}
 annotations:
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.persistence.annotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.persistence.annotations "context" $) | nindent 4 }}
- {{- end }}
- {{- if .Values.persistence.resourcePolicy }}
+ {{- if .Values.persistence.resourcePolicy }}
 helm.sh/resource-policy: {{ .Values.persistence.resourcePolicy | quote }}
- {{- end }}
- {{- end }}
+ {{- end }}
+ {{- if or .Values.persistence.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.annotations .Values.commonAnnotations ) "context" . ) }}
+ {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+ {{- end }}
 spec:
 accessModes:
 {{- range .Values.persistence.accessModes }}
diff --git a/helm/mongodb/templates/standalone/svc.yaml b/helm/mongodb/templates/standalone/svc.yaml
index 4ed2f317..c1ec6f74 100644
--- a/helm/mongodb/templates/standalone/svc.yaml
+++ b/helm/mongodb/templates/standalone/svc.yaml
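Review bot: The guard that used to wrap the block (`{{- if or .Values.persistence.annotations .Values.commonAnnotations .Values.persistence.resourcePolicy }}`) is removed in the second hunk but the `annotations:` key itself stays unconditional, so with no resource policy and no annotations the PVC renders `annotations:` with a null value; the API server tolerates that, but strict manifest validators may flag it, and every other resource in this change keeps its guard. Restore the outer condition, `{{- if or .Values.persistence.annotations .Values.commonAnnotations .Values.persistence.resourcePolicy }}` before `annotations:` with a matching `{{- end }}` after the merged-annotations `{{- end }}`. Also note that `helm.sh/resource-policy` from `persistence.resourcePolicy` is emitted before the merged user maps, so the same key inside `persistence.annotations` would produce a duplicate YAML key rather than an override; a comment on the `{{- if .Values.persistence.resourcePolicy }}` line saying which one wins would help.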
@@ -1,5 +1,5 @@
 {{- /*
-Copyright VMware, Inc.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 
@@ -9,19 +9,11 @@ kind: Service
 metadata:
 name: {{ include "mongodb.service.nameOverride" . }}
 namespace: {{ include "mongodb.namespace" . | quote }}
- labels: {{- include "common.labels.standard" . | nindent 4 }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 app.kubernetes.io/component: mongodb
- {{- if .Values.commonLabels }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- end }}
 {{- if or .Values.service.annotations .Values.commonAnnotations }}
- annotations:
- {{- if .Values.service.annotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.service.annotations "context" $) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
 {{- end }}
 spec:
 type: {{ .Values.service.type }}
@@ -64,6 +56,7 @@ spec:
 {{- if .Values.service.extraPorts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
 {{- end }}
- selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
 app.kubernetes.io/component: mongodb
 {{- end }}
diff --git a/helm/mongodb/values.schema.json b/helm/mongodb/values.schema.json
index be8e54b4..3eb6a64c 100644
--- a/helm/mongodb/values.schema.json
+++ b/helm/mongodb/values.schema.json
@@ -100,6 +100,65 @@
 }
 }
 },
+ "networkPolicy": {
+ "type": "object",
+ "title": "Network policy configuration",
+ "form": true,
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "form": true,
+ "title": "Enable network policy",
+ "description": "Enable network policy using Kubernetes native NP",
+ "hidden": {
+ "value": false,
+ "path": "networkPolicy/enabled"
+ }
+ },
+ "ingress": {
+ "type": "object",
+ "properties": {
+ "namespaceSelector": {
+ "type": "object",
+ "title": "Namespace selector label that is allowed to access this instance",
+ "hidden": {
+ "value": {},
+ "path": "networkPolicy/ingress/namespaceSelector"
+ }
+ },
+ "podSelector": {
+ "type": "object",
+ "title": "Pod selector label that is allowed to access this instance",
+ "hidden": {
+ "value": {},
+ "path": "networkPolicy/ingress/podSelector"
+ }
+ },
+ "customRules": {
+ "type": "array",
+ "title": "Custom rules for ingress network policy",
+ "hidden": {
+ "value": [],
+ "path": "networkPolicy/ingress/customRules"
+ }
+ }
+ }
+ },
+ "egress": {
+ "type": "object",
+ "properties": {
+ "customRules": {
+ "type": "array",
+ "title": "Custom rules for egress network policy",
+ "hidden": {
+ "value": [],
+ "path": "networkPolicy/egress/customRules"
+ }
+ }
+ }
+ }
+ }
+ },
 "persistence": {
 "type": "object",
 "title": "Persistence configuration",
diff --git a/helm/mongodb/values.yaml b/helm/mongodb/values.yaml
index 0afcfcf3..1bab6805 100644
--- a/helm/mongodb/values.yaml
+++ b/helm/mongodb/values.yaml
@@ -1,4 +1,4 @@
-# Copyright VMware, Inc.
+# Copyright Broadcom, Inc. All Rights Reserved.
 # SPDX-License-Identifier: APACHE-2.0
 
 ## @section Global parameters
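Review bot: The new `networkPolicy` schema describes keys (`ingress.namespaceSelector`, `ingress.podSelector`, `ingress.customRules`, `egress.customRules`) that the `networkPolicy` block added to values.yaml later in this change does not define; that block uses `allowExternal`, `allowExternalEgress`, `addExternalClientAccess`, `extraIngress`, `extraEgress`, `ingressPodMatchLabels`, `ingressNSMatchLabels` and `ingressNSPodMatchLabels`. Because the schema sets no `additionalProperties: false`, nothing fails at install time, but a form built from it (`"form": true`) would offer selectors the templates presumably never read, while the keys that actually restrict traffic get no description or `hidden` rule. I would rewrite the `ingress`/`egress` properties to mirror the values.yaml keys, or keep only `enabled` until the two files are aligned; the NetworkPolicy template is not on this page, so which key set it consumes should be confirmed first.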
@@ -9,7 +9,8 @@ ## @param global.imageRegistry Global Docker image registry ## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.storageClass Global StorageClass for Persistent Volume(s) +## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) +## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead ## @param global.namespaceOverride Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride ## global: @@ -19,9 +20,18 @@ global: ## - myRegistryKeySecretName ## imagePullSecrets: [] + defaultStorageClass: "" storageClass: "" namespaceOverride: "" - + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto ## @section Common parameters ## 
@@ -77,18 +87,20 @@ commonLabels: {} ## @param commonAnnotations Common annotations to add to all Mongo resources (sub-charts are not considered). Evaluated as a template ## commonAnnotations: {} - ## @param topologyKey Override common lib default topology key. If empty - "kubernetes.io/hostname" is used ## i.e. topologyKey: topology.kubernetes.io/zone ## topologyKey: "" - ## @param serviceBindings.enabled Create secret for service binding (Experimental) ## Ref: https://servicebinding.io/service-provider/ ## serviceBindings: enabled: false - +## @param enableServiceLinks Whether information about services should be injected into pod's environment variable +## The environment variables injected by service links are not used, but can lead to slow boot times or slow running of the scripts when there are many services in the current namespace. +## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. +## +enableServiceLinks: true ## Enable diagnostic mode in the deployment ## diagnosticMode: 
@@ -103,32 +115,26 @@ diagnosticMode: ## args: - infinity - ## @section MongoDB(®) parameters ## ## Bitnami MongoDB(®) image ## ref: https://hub.docker.com/r/bitnami/mongodb/tags/ -## @param image.registry MongoDB(®) image registry -## @param image.repository MongoDB(®) image registry -## @param image.tag MongoDB(®) image tag (immutable tags are recommended) +## @param image.registry [default: REGISTRY_NAME] MongoDB(®) image registry +## @param image.repository [default: REPOSITORY_NAME/mongodb] MongoDB(®) image registry +## @skip image.tag MongoDB(®) image tag (immutable tags are recommended) ## @param image.digest MongoDB(®) image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param image.pullPolicy MongoDB(®) image pull policy ## @param image.pullSecrets Specify docker-registry secret names as an array ## @param image.debug Set to true if you would like to see extra information on logs + ## image: registry: docker.io - repository: zcube/bitnami-compat-mongodb - tag: 6.0.5-debian-11 + repository: mongo digest: "" -# image: - # registry: docker.io - # repository: bitnami/mongodb - # tag: 6.0.8-debian-11-r12 - # digest: "" ## Specify a imagePullPolicy - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -142,8 +148,7 @@ image: ## Set to true if you would like to see extra information on logs ## debug: false - -## @param schedulerName Name of the scheduler (other than default)xf to dispatch pods +## @param schedulerName Name of the scheduler (other than default) to dispatch pods ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## schedulerName: "" 
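Review bot: The `image` block now has no `tag:` at all and `digest: ""`, so nothing pins the rendered reference to `docker.io/mongo`: the cluster pulls whatever the registry resolves for an untagged name (or, depending on the image helper, the chart renders `mongo:` with an empty tag and the pod never starts), deployments stop being reproducible, and an upstream push can change the database version under a running release. Pin it, e.g. `tag: "<mongo-version-placeholder>"` or `digest: "sha256:<digest-placeholder>"`, and turn `## @skip image.tag` back into `## @param image.tag` so the parameter stays documented. The move from the Bitnami-compatible repository to the upstream `mongo` image also deserves a comment here, since the Bitnami chart's init scripts and `MONGODB_*` environment handling assume the Bitnami image layout; whether the templates were adapted is not visible on this page.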
@@ -158,7 +163,7 @@ useStatefulSet: false auth: ## @param auth.enabled Enable authentication ## ref: https://docs.mongodb.com/manual/tutorial/enable-authentication/ - ## I should probably enable this eventually + ## enabled: false ## @param auth.rootUser MongoDB(®) root user ## @@ -194,6 +199,9 @@ tls: ## @param tls.enabled Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes ## enabled: false + mTLS: + ## @param tls.mTLS.enabled IF TLS support is enabled, require clients to provide certificates + enabled: true ## @param tls.autoGenerated Generate a custom CA and self-signed certificates ## autoGenerated: true @@ -238,9 +246,9 @@ tls: ## existingSecret: "" ## Bitnami Nginx image - ## @param tls.image.registry Init container TLS certs setup image registry - ## @param tls.image.repository Init container TLS certs setup image repository - ## @param tls.image.tag Init container TLS certs setup image tag (immutable tags are recommended) + ## @param tls.image.registry [default: REGISTRY_NAME] Init container TLS certs setup image registry + ## @param tls.image.repository [default: REPOSITORY_NAME/nginx] Init container TLS certs setup image repository + ## @skip tls.image.tag Init container TLS certs setup image tag (immutable tags are recommended) ## @param tls.image.digest Init container TLS certs setup image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param tls.image.pullPolicy Init container TLS certs setup image pull policy ## @param tls.image.pullSecrets Init container TLS certs specify docker-registry secret names as an array @@ -249,7 +257,7 @@ tls: image: registry: docker.io repository: bitnami/nginx - tag: 1.25.1-debian-11-r39 + tag: 1.27.2-debian-12-r0 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -260,7 +268,6 @@ tls: ## - myRegistryKeySecretName ## pullSecrets: [] - ## e.g: ## extraDnsNames ## "DNS.6": "$my_host" 
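Review bot: `auth.enabled` stays `false` while the reminder comment above it is blanked, so the chart still deploys MongoDB without authentication; combined with the `networkPolicy` defaults added later in this change (`allowExternal: true`, `allowExternalEgress: true`) any workload that can reach the Service gets full read/write access to the data, and the new `tls.mTLS.enabled: true` does not compensate because `tls.enabled` is `false`. If unauthenticated access is deliberate for this environment, say so where the old comment was, e.g. `## NOTE: authentication is intentionally disabled here; access is expected to be restricted by network policy`, and tighten the NetworkPolicy to match; otherwise set `enabled: true` and supply the `auth.rootUser` credentials from an existing Secret rather than plain values. The rest of the `auth` block is outside the hunk.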
@@ -271,27 +278,40 @@ tls: ## mode: requireTLS ## Init Container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param tls.resources.limits Init container generate-tls-certs resource limits - ## @param tls.resources.requests Init container generate-tls-certs resource requests + ## @param tls.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 128Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 128Mi - ## - requests: {} + resourcesPreset: "nano" + ## @param tls.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init Container securityContext + ## ref: https://kubernetes.io/docs/concepts/security/pod-security-policy/ + ## @param tls.securityContext Init container generate-tls-cert Security context + ## + securityContext: + runAsUser: 0 + ## Example: + ## allowPrivilegeEscalation: false + ## capabilities: + ## drop: ["ALL"] + ## +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: false ## @param hostAliases Add deployment host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -327,7 +347,7 @@ disableJavascript: false ## @param enableJournal Switch to enable/disable MongoDB(®) Journaling ## ref: https://docs.mongodb.com/manual/reference/configuration-options/#mongodb-setting-storage.journal.enabled ## -enableJournal: true +enableJournal: false ## @param configuration MongoDB(®) configuration file to be used for Primary and Secondary nodes ## For documentation of all options, see: http://docs.mongodb.org/manual/reference/configuration-options/ ## Example: 
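Review bot: The new `tls.securityContext` runs the generate-tls-certs init container as `runAsUser: 0` with no other restriction, while `allowPrivilegeEscalation: false` and `capabilities: drop: ["ALL"]` appear only as commented examples; an init container that writes the certificate volume therefore runs as root with a full capability set and the runtime's default seccomp state. Unless the nginx-based init step genuinely needs uid 0 (nothing on this page shows why it would), give it the same baseline the main container declares: `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}`, `seccompProfile: {type: RuntimeDefault}`, and extend the `## @param tls.securityContext` line with why `runAsUser: 0` is required, if it is. `automountServiceAccountToken: false` in the same hunk is the right default.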
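Review bot: `enableJournal` flips from `true` to `false`, which turns off MongoDB's write-ahead journal and with it crash durability for the data directory, and the surrounding comment keeps only the upstream reference, so nothing records why. Recent MongoDB releases no longer allow journaling to be disabled (the `storage.journal.enabled` option cited in the `## ref:` line was removed), so if the chart passes this value through to mongod the now-unpinned `mongo` image may refuse to start; confirm how the template consumes `enableJournal`. Either keep `true` or add a one-line comment stating the trade-off that justifies `false`.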
@@ -380,6 +400,11 @@ configuration: "" replicaSetConfigurationSettings: enabled: false configuration: {} +## Custom configurations for individual replica set members. +## Use the prefix 'members[X].' to apply settings to the member X of the replica set. +## Example: 'members[0].priority: 3' sets the priority of the first replica set member to 3. +## The index X in 'members[X]' corresponds to the member's position in the replica set. +## members[0].priority: 3 ## chainingAllowed : false ## heartbeatTimeoutSecs : 10 ## heartbeatIntervalMillis : 2000 @@ -426,7 +451,6 @@ extraEnvVarsCM: "" ## @param extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) ## extraEnvVarsSecret: "" - ## @section MongoDB(®) statefulset parameters ## @@ -436,8 +460,9 @@ annotations: {} ## @param labels Annotations to be added to the MongoDB(®) statefulset. Evaluated as a template ## labels: {} -## @param replicaCount Number of MongoDB(®) nodes (only when `architecture=replicaset`) -## Ignored when mongodb.architecture=standalone +## @param replicaCount Number of MongoDB(®) nodes +## When `mongodb.architecture=replicaset`, the number of replicas is taken in account +## When `mongodb.architecture=standalone`, the number of replicas can only be 0 or 1 (value higher then 1 will not be taken in account) ## replicaCount: 2 ## @param updateStrategy.type Strategy to use to replace existing MongoDB(®) pods. When architecture=standalone and useStatefulSet=false, @@ -490,7 +515,7 @@ nodeAffinityPreset: ## affinity: {} ## @param nodeSelector MongoDB(®) Node labels for pod assignment -## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param tolerations MongoDB(®) Tolerations for pod assignment 
@@ -526,11 +551,15 @@ runtimeClassName: "" ## MongoDB(®) pods' Security Context. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param podSecurityContext.enabled Enable MongoDB(®) pod(s)' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.supplementalGroups Set filesystem extra groups ## @param podSecurityContext.fsGroup Group ID for the volumes of the MongoDB(®) pod(s) ## @param podSecurityContext.sysctls sysctl settings of the MongoDB(®) pod(s)' ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] fsGroup: 1001 ## sysctl settings ## Example: 
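Review bot: `fsGroupChangePolicy: Always` is added as the default, which makes the kubelet recursively re-own the whole data volume on every pod start; on a large MongoDB data directory that lengthens startup noticeably. `OnRootMismatch` gives the same ownership guarantee (`fsGroup: 1001` is applied when the volume root does not already match) and skips the walk otherwise, so `fsGroupChangePolicy: OnRootMismatch` is the usual choice for database charts. A short note on the `## @param podSecurityContext.fsGroupChangePolicy` line explaining the trade-off would help operators pick.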
@@ -541,47 +570,51 @@ podSecurityContext: sysctls: [] ## MongoDB(®) containers' Security Context (main and metrics container). ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -## @param containerSecurityContext.enabled Enable MongoDB(®) container(s)' Security Context -## @param containerSecurityContext.runAsUser User ID for the MongoDB(®) container -## @param containerSecurityContext.runAsGroup Group ID for the MongoDB(®) container -## @param containerSecurityContext.runAsNonRoot Set MongoDB(®) container's Security Context runAsNonRoot -## @param containerSecurityContext.allowPrivilegeEscalation Is it possible to escalate MongoDB(®) pod(s) privileges -## @param containerSecurityContext.seccompProfile.type Set MongoDB(®) container's Security Context seccompProfile type -## @param containerSecurityContext.capabilities.drop Set MongoDB(®) container's Security Context capabilities to drop +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: - enabled: true + 
enabled: false + seLinuxOptions: {} runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault capabilities: - drop: - - ALL + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## MongoDB(®) containers' resource requests and limits. -## ref: https://kubernetes.io/docs/user-guide/compute-resources/ +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. -## @param resources.limits The resources limits for MongoDB(®) containers -## @param resources.requests The requested resources for MongoDB(®) containers +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## -resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 128Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 128Mi - ## - requests: {} +resourcesPreset: "small" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} ## @param containerPorts.mongodb MongoDB(®) container port ## containerPorts: 
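Review bot: `containerSecurityContext.enabled` flips from `true` to `false`, so, assuming the templates gate the whole block on `.enabled` as Bitnami templates do, none of the hardening fields listed right below it (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `privileged: false`, `capabilities: drop: ["ALL"]`, `seccompProfile: type: "RuntimeDefault"`) are rendered and the mongod and metrics containers run with the runtime defaults. If the switch to the upstream `mongo` image forced this (it runs as a different uid than 1001), adjust `runAsUser`/`runAsGroup` to that image's uid and keep `enabled: true`; disabling the whole context loses the non-root, no-new-privileges, capability-drop and seccomp guarantees that the expanded `## @param containerSecurityContext.*` lines now advertise. At minimum record the reason next to `enabled: false`.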
@@ -705,14 +738,13 @@ extraVolumes: [] pdb: ## @param pdb.create Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s) ## - create: false + create: true ## @param pdb.minAvailable Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction ## - minAvailable: 1 - ## @param pdb.maxUnavailable Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction + minAvailable: "" + ## @param pdb.maxUnavailable Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. ## maxUnavailable: "" - ## @section Traffic exposure parameters ## @@ -773,7 +805,7 @@ service: externalTrafficPolicy: Local ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity 
@@ -804,9 +836,9 @@ externalAccess: enabled: false ## Bitnami Kubectl image ## ref: https://hub.docker.com/r/bitnami/kubectl/tags/ - ## @param externalAccess.autoDiscovery.image.registry Init container auto-discovery image registry - ## @param externalAccess.autoDiscovery.image.repository Init container auto-discovery image repository - ## @param externalAccess.autoDiscovery.image.tag Init container auto-discovery image tag (immutable tags are recommended) + ## @param externalAccess.autoDiscovery.image.registry [default: REGISTRY_NAME] Init container auto-discovery image registry + ## @param externalAccess.autoDiscovery.image.repository [default: REPOSITORY_NAME/kubectl] Init container auto-discovery image repository + ## @skip externalAccess.autoDiscovery.image.tag Init container auto-discovery image tag (immutable tags are recommended) ## @param externalAccess.autoDiscovery.image.digest Init container auto-discovery image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param externalAccess.autoDiscovery.image.pullPolicy Init container auto-discovery image pull policy ## @param externalAccess.autoDiscovery.image.pullSecrets Init container auto-discovery image pull secrets @@ -814,11 +846,11 @@ externalAccess: image: registry: docker.io repository: bitnami/kubectl - tag: 1.25.12-debian-11-r6 + tag: 1.31.1-debian-12-r3 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) 
@@ -829,27 +861,76 @@ externalAccess: ## pullSecrets: [] ## Init Container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param externalAccess.autoDiscovery.resources.limits Init container auto-discovery resource limits - ## @param externalAccess.autoDiscovery.resources.requests Init container auto-discovery resource requests + ## @param externalAccess.autoDiscovery.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 128Mi + resourcesPreset: "nano" + ## @param externalAccess.autoDiscovery.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init container what mission is ensure public names can be resolved. 
+ ## + dnsCheck: + ## Bitnami os-shell image + ## ref: https://hub.docker.com/r/bitnami/os-shell/tags/ + ## @param externalAccess.dnsCheck.image.registry [default: REGISTRY_NAME] Init container dns-check image registry + ## @param externalAccess.dnsCheck.image.repository [default: REPOSITORY_NAME/kubectl] Init container dns-check image repository + ## @skip externalAccess.dnsCheck.image.tag Init container dns-check image tag (immutable tags are recommended) + ## @param externalAccess.dnsCheck.image.digest Init container dns-check image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param externalAccess.dnsCheck.image.pullPolicy Init container dns-check image pull policy + ## @param externalAccess.dnsCheck.image.pullSecrets Init container dns-check image pull secrets + ## + image: + registry: docker.io + repository: bitnami/os-shell + tag: 12-debian-12-r31 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 128Mi + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName ## - requests: {} + pullSecrets: [] + ## Init Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. 
If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param externalAccess.dnsCheck.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param externalAccess.dnsCheck.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Parameters to configure a set of Pods that connect to an existing MongoDB(®) deployment that lies outside of Kubernetes. ## @param externalAccess.externalMaster.enabled Use external master for bootstrapping ## @param externalAccess.externalMaster.host External master host to bootstrap from @@ -880,6 +961,9 @@ externalAccess: ## - Y.Y.Y.Y ## loadBalancerIPs: [] + ## @param externalAccess.service.publicNames Array of public names. The size should be equal to the number of replicas. + ## + publicNames: [] ## @param externalAccess.service.loadBalancerClass loadBalancerClass when service type is LoadBalancer # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class loadBalancerClass: "" 
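Review bot: The dnsCheck documentation is copied from autoDiscovery and not updated: `## @param externalAccess.dnsCheck.image.repository [default: REPOSITORY_NAME/kubectl]` describes an image whose value is `bitnami/os-shell`, and `## @param externalAccess.dnsCheck.resourcesPreset ... This is ignored if externalAccess.autoDiscovery.resources is set` should refer to `externalAccess.dnsCheck.resources`; the generated README will carry both errors. The introductory `## Init container what mission is ensure public names can be resolved.` reads better as `## Init container that ensures the public names can be resolved.`. The same copy-paste pattern appears in the later networkPolicy hunk, where `## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy` should say egress rules, and that hunk also drops the `## @section Persistence parameters` heading so the `persistence` block is filed under the network policy section in generated docs.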
@@ -890,7 +974,7 @@ externalAccess: ## - 10.10.10.0/24 ## loadBalancerSourceRanges: [] - ## @param externalAccess.service.allocateLoadBalancerNodePorts Wheter to allocate node ports when service type is LoadBalancer + ## @param externalAccess.service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation ## allocateLoadBalancerNodePorts: true @@ -914,12 +998,19 @@ externalAccess: ## @param externalAccess.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) ## extraPorts: [] - ## @param externalAccess.service.annotations Service annotations for external access + ## @param externalAccess.service.annotations Service annotations for external access. These annotations are common for all services created. ## annotations: {} + ## @param externalAccess.service.annotationsList Service annotations for eache external service. This value contains a list allowing different annotations per each external service. + ## Eg: + ## annotationsList: + ## - external-dns.alpha.kubernetes.io/hostname: mongodb-0.example.com + ## - external-dns.alpha.kubernetes.io/hostname: mongodb-1.example.com + ## + annotationsList: [] ## @param externalAccess.service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param externalAccess.service.sessionAffinityConfig Additional settings for the sessionAffinity 
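Review bot: `## @param externalAccess.service.annotationsList Service annotations for eache external service` has a typo (`each`), and neither the comment nor the schema says what happens when the list is shorter than `replicaCount`; the example implies index-aligned lookup, so document the requirement, e.g. `## The list is indexed by replica ordinal; provide one entry per replica (see replicaCount).` The template that consumes `annotationsList` is not on this page, so confirm whether a short list falls back to `annotations` or fails to render.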
@@ -994,7 +1085,7 @@ externalAccess: annotations: {} ## @param externalAccess.hidden.service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param externalAccess.hidden.service.sessionAffinityConfig Additional settings for the sessionAffinity 
@@ -1003,17 +1094,80 @@ externalAccess:
 ## timeoutSeconds: 300
 ##
 sessionAffinityConfig: {}
-
-## @section Persistence parameters
+## @section Network policy parameters
 ##
-## Enable persistence using Persistent Volume Claims
-## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
+## Network Policies
+## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
 ##
+networkPolicy:
+ ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
+ ##
+ addExternalClientAccess: true
+ ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
+ ## e.g:
+ ## ingressPodMatchLabels:
+ ## my-client: "true"
+ #
+ ingressPodMatchLabels: {}
+ ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
+ ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
 persistence:
 ## @param persistence.enabled Enable MongoDB(®) data persistence using PVC
 ##
 enabled: true
+ ## @param persistence.name Name of the PVC and mounted volume
+ ##
+ name: "datadir"
 ## @param persistence.medium Provide a medium for `emptyDir` volumes.
 ## Requires persistence.enabled: false
 ##
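Review bot: With `allowExternal: true` and `allowExternalEgress: true` as defaults, the NetworkPolicy created by `networkPolicy.enabled: true` admits ingress from any source and all egress, so enabling it restricts nothing until one of those two is switched off; the comment on `enabled` should say so, e.g. `## Note: with allowExternal and allowExternalEgress both true the generated policy is effectively allow-all.` The `extraEgress` description was copied from `extraIngress` and still says `Add extra ingress rules to the NetworkPolicy`; it should read `Add extra egress rules to the NetworkPolicy`. The bare `#` line above `ingressPodMatchLabels: {}` also breaks the `##` convention used by every other comment in this file.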
@@ -1040,10 +1194,13 @@ persistence: - ReadWriteOnce ## @param persistence.size PVC Storage Request for MongoDB(®) data volume ## - size: 8Gi + size: 30Gi ## @param persistence.annotations PVC annotations ## annotations: {} + ## @param persistence.labels PVC labels + ## + labels: {} ## @param persistence.mountPath Path to mount the volume at ## MongoDB(®) images. ## 
@@ -1068,7 +1225,132 @@ persistence: ## @param persistence.volumeClaimTemplates.dataSource Add dataSource to the VolumeClaimTemplate ## dataSource: {} - +## Persistent Volume Claim Retention Policy +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention +## +persistentVolumeClaimRetentionPolicy: + ## @param persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for MongoDB(®) Statefulset + ## + enabled: false + ## @param persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced + ## + whenScaled: Retain + ## @param persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted + ## + whenDeleted: Retain +## @section Backup parameters +## This section implements a trivial logical dump cronjob of the database. +## This only comes with the consistency guarantees of the dump program. +## This is not a snapshot based roll forward/backward recovery backup. 
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
+##
+backup:
+ ## @param backup.enabled Enable the logical dump of the database "regularly"
+ ##
+ enabled: false
+ ## Fine tuning cronjob's config
+ ##
+ cronjob:
+ ## @param backup.cronjob.schedule Set the cronjob parameter schedule
+ ##
+ schedule: "@daily"
+ ## @param backup.cronjob.concurrencyPolicy Set the cronjob parameter concurrencyPolicy
+ ##
+ concurrencyPolicy: Allow
+ ## @param backup.cronjob.failedJobsHistoryLimit Set the cronjob parameter failedJobsHistoryLimit
+ ##
+ failedJobsHistoryLimit: 1
+ ## @param backup.cronjob.successfulJobsHistoryLimit Set the cronjob parameter successfulJobsHistoryLimit
+ ##
+ successfulJobsHistoryLimit: 3
+ ## @param backup.cronjob.startingDeadlineSeconds Set the cronjob parameter startingDeadlineSeconds
+ ##
+ startingDeadlineSeconds: ""
+ ## @param backup.cronjob.ttlSecondsAfterFinished Set the cronjob parameter ttlSecondsAfterFinished
+ ##
+ ttlSecondsAfterFinished: ""
+ ## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy
+ ##
+ restartPolicy: OnFailure
+ ## @param backup.cronjob.backoffLimit Set the cronjob parameter backoffLimit
+ backoffLimit: 6
+ ## backup container's Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param backup.cronjob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param backup.cronjob.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: false
+ seLinuxOptions: {}
+ runAsUser: 0
+ runAsGroup: 0
+ runAsNonRoot: true
+ privileged: true
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ ## @param backup.cronjob.command Set backup container's command to run
+ ##
+ command: []
+ ## @param backup.cronjob.labels Set the cronjob labels
+ ##
+ labels: {}
+ ## @param backup.cronjob.annotations Set the cronjob annotations
+ ##
+ annotations: {}
+ ## Backup container's
+ ##
+ storage:
+ ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`)
+ ## If defined, PVC must be created manually before volume will be bound
+ ##
+ existingClaim: ""
+ ## @param backup.cronjob.storage.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted
+ ##
+ resourcePolicy: ""
+ ## @param backup.cronjob.storage.storageClass PVC Storage Class for the backup data volume
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner.
+ ##
+ storageClass: ""
+ ## @param backup.cronjob.storage.accessModes PV Access Mode
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param backup.cronjob.storage.size PVC Storage Request for the backup data volume
+ ##
+ size: 30Gi
+ ## @param backup.cronjob.storage.annotations PVC annotations
+ ##
+ annotations: {}
+ ## @param backup.cronjob.storage.mountPath Path to mount the volume at
+ ##
+ mountPath: /backup/mongodb
+ ## @param backup.cronjob.storage.subPath Subdirectory of the volume to mount at
+ ## and one PV for multiple services.
+ ##
+ subPath: ""
+ ## Fine tuning for volumeClaimTemplates
+ ##
+ volumeClaimTemplates:
+ ## @param backup.cronjob.storage.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes)
+ ## A label query over volumes to consider for binding (e.g. when using local volumes)
+ ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details
+ ##
+ selector: {}
 ## @section RBAC parameters
 ##
@@ -1089,7 +1371,7 @@ serviceAccount:
 ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
 ## Can be set to false if pods using this serviceAccount do not need to use K8s API
 ##
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
 ## Role Based Access
 ## ref: https://kubernetes.io/docs/admin/authorization/rbac/
 ##
@@ -1145,7 +1427,7 @@ podSecurityPolicy:
 ## hostNetwork: false
 ## hostPID: false
 ## privileged: false
- ## readOnlyRootFilesystem: false
+ ## readOnlyRootFilesystem: true
 ## requiredDropCapabilities:
 ## - ALL
 ## runAsUser:
@@ -1166,7 +1448,6 @@ podSecurityPolicy:
 ## - 'emptyDir'
 ## - 'persistentVolumeClaim'
 ##
-
 ## @section Volume Permissions parameters
 ##
 ## Init Container parameters
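Review bot: The `backup.cronjob.containerSecurityContext` defaults are internally inconsistent and far from least privilege: `runAsUser: 0` together with `runAsNonRoot: true` is rejected by the kubelet when the container is created (the job pod never starts), and `privileged: true` plus `allowPrivilegeEscalation: true` make the `capabilities.drop: ["ALL"]` and `RuntimeDefault` seccomp settings meaningless. `enabled: false` hides this today, so the first operator who switches the context on gets either a non-starting job or, after relaxing the UID check, a privileged root dump container. Suggest aligning with the arbiter and hidden blocks later in this file: `runAsUser: 1001`, `privileged: false`, `allowPrivilegeEscalation: false`, and `readOnlyRootFilesystem: true` if the dump only writes under `mountPath`. The `subPath` comment, `Subdirectory of the volume to mount at ## and one PV for multiple services.`, also reads as truncated and should be completed or trimmed.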
@@ -1177,9 +1458,9 @@ volumePermissions: ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` ## enabled: false - ## @param volumePermissions.image.registry Init container volume-permissions image registry - ## @param volumePermissions.image.repository Init container volume-permissions image repository - ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository + ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array @@ -1187,11 +1468,11 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r16 + tag: 12-debian-12-r31 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) 
@@ -1202,27 +1483,26 @@ volumePermissions: ## pullSecrets: [] ## Init Container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param volumePermissions.resources.limits Init container volume-permissions resource limits - ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 128Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 128Mi - ## - requests: {} + resourcesPreset: "nano" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Init container Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.securityContext.runAsUser 
@@ -1231,19 +1511,22 @@ volumePermissions: ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with ## podSecurityContext.enabled=false,containerSecurityContext.enabled=false and shmVolume.chmod.enabled=false + ## @param volumePermissions.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.securityContext.runAsUser User ID for the volumePermissions container ## securityContext: + seLinuxOptions: {} runAsUser: 0 - ## @section Arbiter parameters ## - arbiter: ## @param arbiter.enabled Enable deploying the arbiter ## https://docs.mongodb.com/manual/tutorial/add-replica-set-arbiter/ ## enabled: true + ## @param arbiter.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param arbiter.hostAliases Add deployment host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -1348,7 +1631,7 @@ arbiter: ## affinity: {} ## @param arbiter.nodeSelector Arbiter Node labels for pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param arbiter.tolerations Arbiter Tolerations for pod assignment 
@@ -1374,11 +1657,15 @@ arbiter: ## MongoDB(®) Arbiter pods' Security Context. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param arbiter.podSecurityContext.enabled Enable Arbiter pod(s)' Security Context + ## @param arbiter.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param arbiter.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param arbiter.podSecurityContext.fsGroup Group ID for the volumes of the Arbiter pod(s) ## @param arbiter.podSecurityContext.sysctls sysctl settings of the Arbiter pod(s)' ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] fsGroup: 1001 ## sysctl settings ## Example: 
@@ -1389,47 +1676,51 @@ arbiter:
 sysctls: []
 ## MongoDB(®) Arbiter containers' Security Context (only main container).
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
- ## @param arbiter.containerSecurityContext.enabled Enable Arbiter container(s)' Security Context
- ## @param arbiter.containerSecurityContext.runAsUser User ID for the Arbiter container
- ## @param arbiter.containerSecurityContext.runAsGroup Group ID for the Arbiter container
- ## @param arbiter.containerSecurityContext.runAsNonRoot Set Arbiter containers' Security Context runAsNonRoot
- ## @param arbiter.containerSecurityContext.allowPrivilegeEscalation Is it possible to escalate Arbiter pod(s) privileges
- ## @param arbiter.containerSecurityContext.seccompProfile.type Set Arbiter container's Security Context seccompProfile type
- ## @param arbiter.containerSecurityContext.capabilities.drop Set Arbiter container's Security Context capabilities to drop
+ ## @param arbiter.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param arbiter.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param arbiter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param arbiter.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param arbiter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param arbiter.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param arbiter.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param arbiter.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param arbiter.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param arbiter.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
 ##
 containerSecurityContext:
- enabled: true
+ enabled: false
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsGroup: 0
 runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: false
 allowPrivilegeEscalation: false
- seccompProfile:
- type: RuntimeDefault
 capabilities:
- drop:
- - ALL
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 ## MongoDB(®) Arbiter containers' resource requests and limits.
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
 ## We usually recommend not to specify default resources and to leave this as a conscious
 ## choice for the user. This also increases chances charts run on environments with little
 ## resources, such as Minikube. If you do want to specify resources, uncomment the following
 ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- ## @param arbiter.resources.limits The resources limits for Arbiter containers
- ## @param arbiter.resources.requests The requested resources for Arbiter containers
+ ## @param arbiter.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if arbiter.resources is set (arbiter.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 128Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 128Mi - ## - requests: {} + resourcesPreset: "small" + ## @param arbiter.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## @param arbiter.containerPorts.mongodb MongoDB(®) arbiter container port ## containerPorts: @@ -1448,7 +1739,7 @@ arbiter: initialDelaySeconds: 30 periodSeconds: 20 timeoutSeconds: 10 - failureThreshold: 6 + failureThreshold: 3 successThreshold: 1 ## MongoDB(®) Arbiter pods' readiness probe. Evaluated as a template. ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes @@ -1461,10 +1752,10 @@ arbiter: ## readinessProbe: enabled: true - initialDelaySeconds: 5 + initialDelaySeconds: 10 periodSeconds: 20 timeoutSeconds: 10 - failureThreshold: 6 + failureThreshold: 3 successThreshold: 1 ## MongoDB(®) Arbiter pods' startup probe. Evaluated as a template. ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 
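Review bot: `arbiter.containerSecurityContext.enabled` flips from `true` to `false`, which, if the templates gate on `enabled` as the comment structure suggests, removes the whole container security context from the rendered arbiter pod — `runAsNonRoot`, `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` and the `RuntimeDefault` seccomp profile — so the newly listed hardened values are never applied. The identical flip is made for the hidden nodes in the hunk at `@@ -1723,47 +2019,51 @@`. Since the same commit tightens `automountServiceAccountToken` and the PSP example's `readOnlyRootFilesystem`, this looks unintended; suggest keeping `enabled: true`, or, if the target cluster rejects the fixed UID (the OpenShift case mentioned under `volumePermissions.securityContext`), recording that reason in the comment next to `enabled`.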
@@ -1536,11 +1827,11 @@ arbiter: pdb: ## @param arbiter.pdb.create Enable/disable a Pod Disruption Budget creation for Arbiter pod(s) ## - create: false + create: true ## @param arbiter.pdb.minAvailable Minimum number/percentage of Arbiter pods that should remain scheduled ## - minAvailable: 1 - ## @param arbiter.pdb.maxUnavailable Maximum number/percentage of Arbiter pods that may be made unavailable + minAvailable: "" + ## @param arbiter.pdb.maxUnavailable Maximum number/percentage of Arbiter pods that may be made unavailable. Defaults to `1` if both `arbiter.pdb.minAvailable` and `arbiter.pdb.maxUnavailable` are empty. ## maxUnavailable: "" ## MongoDB(®) Arbiter service parameters @@ -1565,15 +1856,16 @@ arbiter: ## @param arbiter.service.headless.annotations Annotations for the headless service. ## annotations: {} - ## @section Hidden Node parameters ## - hidden: ## @param hidden.enabled Enable deploying the hidden nodes ## https://docs.mongodb.com/manual/tutorial/configure-a-hidden-replica-set-member/ ## enabled: false + ## @param hidden.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param hidden.hostAliases Add deployment host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -1682,7 +1974,7 @@ hidden: ## affinity: {} ## @param hidden.nodeSelector Hidden node Node labels for pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param hidden.tolerations Hidden node Tolerations for pod assignment 
@@ -1708,11 +2000,15 @@ hidden: ## MongoDB(®) Hidden pods' Security Context. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param hidden.podSecurityContext.enabled Enable Hidden pod(s)' Security Context + ## @param hidden.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param hidden.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param hidden.podSecurityContext.fsGroup Group ID for the volumes of the Hidden pod(s) ## @param hidden.podSecurityContext.sysctls sysctl settings of the Hidden pod(s)' ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] fsGroup: 1001 ## sysctl settings ## Example: 
@@ -1723,47 +2019,51 @@ hidden: sysctls: [] ## MongoDB(®) Hidden containers' Security Context (only main container). ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param hidden.containerSecurityContext.enabled Enable Hidden container(s)' Security Context - ## @param hidden.containerSecurityContext.runAsUser User ID for the Hidden container - ## @param hidden.containerSecurityContext.runAsGroup Group ID for the Hidden container - ## @param hidden.containerSecurityContext.runAsNonRoot Set Hidden containers' Security Context runAsNonRoot - ## @param hidden.containerSecurityContext.allowPrivilegeEscalation Set Hidden containers' Security Context allowPrivilegeEscalation - ## @param hidden.containerSecurityContext.seccompProfile.type Set Hidden container's Security Context seccompProfile type - ## @param hidden.containerSecurityContext.capabilities.drop Set Hidden container's Security Context capabilities to drop + ## @param hidden.containerSecurityContext.enabled Enabled containers' Security Context + ## @param hidden.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param hidden.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param hidden.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param hidden.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param hidden.containerSecurityContext.privileged Set container's Security Context privileged + ## @param hidden.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param hidden.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param hidden.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param 
hidden.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: - enabled: true + enabled: false + seLinuxOptions: {} runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault capabilities: - drop: - - ALL + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## MongoDB(®) Hidden containers' resource requests and limits. - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param hidden.resources.limits The resources limits for hidden node containers - ## @param hidden.resources.requests The requested resources for hidden node containers + ## @param hidden.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 128Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 128Mi - ## - requests: {} + resourcesPreset: "micro" + ## @param hidden.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## @param hidden.containerPorts.mongodb MongoDB(®) hidden container port ## containerPorts: @@ -1871,15 +2171,15 @@ hidden: pdb: ## @param hidden.pdb.create Enable/disable a Pod Disruption Budget creation for hidden node pod(s) ## - create: false + create: true ## @param hidden.pdb.minAvailable Minimum number/percentage of hidden node pods that should remain scheduled ## - minAvailable: 1 - ## @param hidden.pdb.maxUnavailable Maximum number/percentage of hidden node pods that may be made unavailable + minAvailable: "" + ## @param hidden.pdb.maxUnavailable Maximum number/percentage of hidden node pods that may be made unavailable. Defaults to `1` if both `hidden.pdb.minAvailable` and `hidden.pdb.maxUnavailable` are empty. ## maxUnavailable: "" ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param hidden.persistence.enabled Enable hidden node data persistence using PVC @@ -1902,7 +2202,7 @@ hidden: - ReadWriteOnce ## @param hidden.persistence.size PVC Storage Request for hidden node data volume ## - size: 8Gi + size: 30Gi ## @param hidden.persistence.annotations PVC annotations ## annotations: {} 
@@ -1948,19 +2248,17 @@ hidden: ## @param hidden.service.headless.annotations Annotations for the headless service. ## annotations: {} - ## @section Metrics parameters ## - metrics: ## @param metrics.enabled Enable using a sidecar Prometheus exporter ## enabled: false ## Bitnami MongoDB(®) Promtheus Exporter image ## ref: https://hub.docker.com/r/bitnami/mongodb-exporter/tags/ - ## @param metrics.image.registry MongoDB(®) Prometheus exporter image registry - ## @param metrics.image.repository MongoDB(®) Prometheus exporter image repository - ## @param metrics.image.tag MongoDB(®) Prometheus exporter image tag (immutable tags are recommended) + ## @param metrics.image.registry [default: REGISTRY_NAME] MongoDB(®) Prometheus exporter image registry + ## @param metrics.image.repository [default: REPOSITORY_NAME/mongodb-exporter] MongoDB(®) Prometheus exporter image repository + ## @skip metrics.image.tag MongoDB(®) Prometheus exporter image tag (immutable tags are recommended) ## @param metrics.image.digest MongoDB(®) image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param metrics.image.pullPolicy MongoDB(®) Prometheus exporter image pull policy ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array @@ -1968,7 +2266,7 @@ metrics: image: registry: docker.io repository: bitnami/mongodb-exporter - tag: 0.39.0-debian-11-r53 + tag: 0.41.1-debian-12-r1 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1979,7 +2277,6 @@ metrics: ## - myRegistryKeySecretName ## pullSecrets: [] - ## @param metrics.username String with username for the metrics exporter ## If undefined the root user will be used for the metrics exporter ## 
@@ -1990,7 +2287,6 @@ metrics: password: "" ## @param metrics.compatibleMode Enables old style mongodb-exporter metrics compatibleMode: true - collector: ## @param metrics.collector.all Enable all collectors. Same as enabling all individual metrics ## Enabling all metrics will cause significant CPU load on mongod @@ -2013,7 +2309,6 @@ metrics: indexstatsColls: [] ## @param metrics.collector.collstatsLimit Number - Disable collstats, dbstats, topmetrics and indexstats collector if there are more than \ collections. 0=No limit collstatsLimit: 0 - ## @param metrics.extraFlags String with extra flags to the metrics exporter ## ref: https://github.com/percona/mongodb_exporter/blob/main/main.go ## 
@@ -2025,27 +2320,26 @@ metrics: command: [] args: [] ## Metrics exporter container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param metrics.resources.limits The resources limits for Prometheus exporter containers - ## @param metrics.resources.requests The requested resources for Prometheus exporter containers + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 128Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 128Mi - ## - requests: {} + resourcesPreset: "nano" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## @param metrics.containerPort Port of the Prometheus metrics container ## containerPort: 9216 diff --git a/helm/requestor/Chart.yaml b/helm/requestor/Chart.yaml index e0c06a88..17fe9e2a 100644 --- a/helm/requestor/Chart.yaml +++ b/helm/requestor/Chart.yaml 
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.11 +version: 0.1.16 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -23,12 +23,11 @@ version: 0.1.11 # It is recommended to use it with quotes. appVersion: "master" - dependencies: -- name: common - version: 0.1.10 - repository: file://../common -- name: postgresql - version: 11.9.13 - repository: "https://charts.bitnami.com/bitnami" - condition: postgres.separate + - name: common + version: 0.1.10 + repository: file://../common + - name: postgresql + version: 11.9.13 + repository: "https://charts.bitnami.com/bitnami" + condition: postgres.separate diff --git a/helm/requestor/README.md b/helm/requestor/README.md index 85792b12..dd01b6f4 100644 --- a/helm/requestor/README.md +++ b/helm/requestor/README.md @@ -1,6 +1,6 @@ # requestor -![Version: 0.1.11](https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) +![Version: 0.1.16](https://img.shields.io/badge/Version-0.1.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square) A Helm chart for gen3 Requestor Service 
@@ -8,7 +8,7 @@ A Helm chart for gen3 Requestor Service | Repository | Name | Version | |------------|------|---------| -| file://../common | common | 0.1.10 | +| file://../common | common | 0.1.16 | | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 | ## Values @@ -23,7 +23,7 @@ A Helm chart for gen3 Requestor Service | affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values | list | `["requestor"]` | Value for the match expression key. | | affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"` | Value for topology key label. | | arboristUrl | string | `"http://arborist-service"` | Arborist service URL. | -| args | list | `["-c","/env/bin/alembic upgrade head\n"]` | Arguments to pass to the init container. | +| args | list | `["-c","# Managing virtual environments via poetry instead of python since the AL base image update, but retaining backwards compatibility\npoetry run alembic upgrade head || /env/bin/alembic upgrade head\n"]` | Arguments to pass to the init container. | | automountServiceAccountToken | bool | `false` | Automount the default service account token | | autoscaling | map | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Configuration for autoscaling the number of replicas | | autoscaling.enabled | bool | `false` | Whether autoscaling is enabled | 
@@ -33,9 +33,6 @@ A Helm chart for gen3 Requestor Service | command | list | `["/bin/sh"]` | Command to run for the init container. | | commonLabels | map | `nil` | Will completely override the commonLabels defined in the common chart's _label_setup.tpl | | criticalService | string | `"false"` | Valid options are "true" or "false". If invalid option is set- the value will default to "false". | -| datadogLogsInjection | bool | `true` | If enabled, the Datadog Agent will automatically inject Datadog-specific metadata into your application logs. | -| datadogProfilingEnabled | bool | `true` | If enabled, the Datadog Agent will collect profiling data for your application using the Continuous Profiler. This data can be used to identify performance bottlenecks and optimize your application. | -| datadogTraceSampleRate | int | `1` | A value between 0 and 1, that represents the percentage of requests that will be traced. For example, a value of 0.5 means that 50% of requests will be traced. | | externalSecrets | map | `{"dbcreds":null}` | External Secrets settings. | | externalSecrets.dbcreds | string | `nil` | Will override the name of the aws secrets manager secret. Default is "Values.global.environment-.Chart.Name-creds" | | global.addDbgap | bool | `false` | Force attempting a dbgap sync if "true", falls back on user.yaml | 
@@ -43,7 +40,6 @@ A Helm chart for gen3 Requestor Service | global.aws.awsAccessKeyId | string | `nil` | Credentials for AWS stuff. | | global.aws.awsSecretAccessKey | string | `nil` | Credentials for AWS stuff. | | global.aws.enabled | bool | `false` | Set to true if deploying to AWS. Controls ingress annotations. | -| global.ddEnabled | bool | `false` | Whether Datadog is enabled. | | global.dev | bool | `true` | Whether the deployment is for development purposes. | | global.dictionaryUrl | string | `"https://s3.amazonaws.com/dictionary-artifacts/datadictionary/develop/schema.json"` | URL of the data dictionary. | | global.dispatcherJobNum | int | `"10"` | Number of dispatcher jobs. | @@ -55,7 +51,7 @@ A Helm chart for gen3 Requestor Service | global.kubeBucket | string | `"kube-gen3"` | S3 bucket name for Kubernetes manifest files. | | global.logsBucket | string | `"logs-gen3"` | S3 bucket name for log files. | | global.minAvialable | int | `1` | The minimum amount of pods that are available at all times if the PDB is deployed. | -| global.netPolicy | bool | `true` | Whether network policies are enabled. | +| global.netPolicy | map | `{"enabled":false}` | Controls network policy settings | | global.onlyDbgap | bool | `false` | Forces ONLY a dbgap sync if "true", IGNORING user.yaml | | global.pdb | bool | `false` | If the service will be deployed with a Pod Disruption Budget. Note- you need to have more than 2 replicas for the pdb to be deployed. | | global.portalApp | string | `"gitops"` | Portal application name. | 
@@ -83,6 +79,7 @@ A Helm chart for gen3 Requestor Service | initResources.limits | map | `{"cpu":0.8,"memory":"512Mi"}` | The maximum amount of resources that the container is allowed to use | | initResources.limits.cpu | string | `0.8` | The maximum amount of CPU the container can use | | initResources.limits.memory | string | `"512Mi"` | The maximum amount of memory the container can use | +| metricsEnabled | bool | `false` | Whether Metrics are enabled. | | partOf | string | `"Authentication"` | Label to help organize pods and their use. Any value is valid, but use "_" or "-" to divide words. | | postgres | map | `{"database":null,"dbCreate":null,"dbRestore":false,"host":null,"password":null,"port":"5432","separate":false,"username":null}` | Postgres database configuration. If db does not exist in postgres cluster and dbCreate is set ot true then these databases will be created for you | | postgres.database | string | `nil` | Database name for postgres. This is a service override, defaults to - | @@ -116,4 +113,3 @@ A Helm chart for gen3 Requestor Service | strategy.rollingUpdate.maxSurge | int | `1` | Number of additional replicas to add during rollout. | | strategy.rollingUpdate.maxUnavailable | int | `0` | Maximum amount of pods that can be unavailable during the update. | | volumeMounts | list | `nil` | Volumes to mount to the container. | - diff --git a/helm/requestor/templates/deployment.yaml b/helm/requestor/templates/deployment.yaml index 24876c59..3983b3fb 100644 --- a/helm/requestor/templates/deployment.yaml +++ b/helm/requestor/templates/deployment.yaml @@ -4,9 +4,6 @@ metadata: name: requestor-deployment labels: {{- include "requestor.labels" . | nindent 4 }} - {{- if .Values.global.ddEnabled }} - {{- include "common.datadogLabels" . | nindent 4 }} - {{- end }} spec: {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} 
@@ -27,8 +24,9 @@ spec: netnolimit: 'yes' public: 'yes' dbrequestor: 'yes' - {{- if .Values.global.ddEnabled }} - {{- include "common.datadogLabels" . | nindent 8 }} + annotations: + {{- if .Values.metricsEnabled }} + {{- include "common.grafanaAnnotations" . | nindent 8 }} {{- end }} spec: {{- with .Values.affinity }} @@ -109,9 +107,6 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - {{- if .Values.global.ddEnabled }} - {{- include "common.datadogEnvVar" . | nindent 12 }} - {{- end }} - name: DB_PORT value: "5432" - name: DB_HOST @@ -156,4 +151,4 @@ spec: args: - "-c" - | - /env/bin/alembic upgrade head \ No newline at end of file + poetry run alembic upgrade head || /env/bin/alembic upgrade head \ No newline at end of file diff --git a/helm/requestor/values.yaml b/helm/requestor/values.yaml index 1a060975..cbbedfc9 100644 --- a/helm/requestor/values.yaml +++ b/helm/requestor/values.yaml @@ -2,7 +2,6 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. - # Global configuration global: # -- (map) AWS configuration @@ -63,12 +62,9 @@ global: publicDataSets: true # -- (string) Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` tierAccessLevel: libre - # -- (bool) Whether network policies are enabled. - netPolicy: true + # -- (map) Controls network policy settings # -- (int) Number of dispatcher jobs. dispatcherJobNum: "10" - # -- (bool) Whether Datadog is enabled. - ddEnabled: false # -- (bool) If the service will be deployed with a Pod Disruption Budget. Note- you need to have more than 2 replicas for the pdb to be deployed. pdb: false # -- (int) The minimum amount of pods that are available at all times if the PDB is deployed. 
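Review bot: `annotations:` is emitted unconditionally while its only child is inside `{{- if .Values.metricsEnabled }}`, so with metrics disabled (the default) the pod template renders an empty `annotations:` key, a null map, on every deployment. Move the key inside the conditional: `{{- if .Values.metricsEnabled }}` / `annotations:` / `{{- include "common.grafanaAnnotations" . | nindent 8 }}` / `{{- end }}`, so the key only appears when it has content.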
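Review bot: The `||` in the new args line makes a genuine failure of `poetry run alembic upgrade head` (a broken migration, a database connection error) trigger a second run through `/env/bin/alembic`, so the init container's first, real error is buried under the fallback's output and the migration is attempted twice. Choose the interpreter by availability instead of by exit status: `if command -v poetry >/dev/null 2>&1; then poetry run alembic upgrade head; else /env/bin/alembic upgrade head; fi`. The same line is duplicated in helm/requestor/values.yaml (`@@ -222,7 +226,8 @@ command:`) and should change in step.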
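Review bot: The added `# -- (map) Controls network policy settings` is left dangling: `netPolicy: true` is removed and no replacement key follows, so nothing in this chart's values defines `global.netPolicy`, even though the README hunk in the same commit documents it as `{"enabled":false}`. A helm-docs style comment with no key beneath it either attaches to the wrong entry (`dispatcherJobNum` already carries its own) or is dropped, and if any template reads `.Values.global.netPolicy.enabled` a missing map will fail rendering rather than default to false. Add the key beneath the comment: `netPolicy:` / `  enabled: false`.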
@@ -80,6 +76,9 @@ global: # -- (string) Will deploy a separate External Secret Store for this service. separateSecretStore: false +# -- (bool) Whether Metrics are enabled. +metricsEnabled: false + # -- (map) External Secrets settings. externalSecrets: # -- (string) Will override the name of the aws secrets manager secret. Default is "Values.global.environment-.Chart.Name-creds" @@ -152,20 +151,20 @@ affinity: podAntiAffinity: # -- (map) Option for scheduling to be required or preferred. preferredDuringSchedulingIgnoredDuringExecution: - # -- (int) Weight value for preferred scheduling. - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - # -- (list) Label key for match expression. - - key: app - # -- (string) Operation type for the match expression. - operator: In - # -- (list) Value for the match expression key. - values: - - requestor - # -- (string) Value for topology key label. - topologyKey: "kubernetes.io/hostname" + # -- (int) Weight value for preferred scheduling. + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + # -- (list) Label key for match expression. + - key: app + # -- (string) Operation type for the match expression. + operator: In + # -- (list) Value for the match expression key. + values: + - requestor + # -- (string) Value for topology key label. + topologyKey: "kubernetes.io/hostname" # -- (bool) Automount the default service account token automountServiceAccountToken: false @@ -189,6 +188,11 @@ volumeMounts: # readOnly: true # mountPath: "/src/requestor-config.yaml" # subPath: "requestor-config.yaml" + # Added an additional volume mount for new images using the / directory, while retaining the 'src' mount for backward compatibility. + # - name: "config-volume" + # readOnly: true + # mountPath: "/requestor/requestor-config.yaml" + # subPath: "requestor-config.yaml" # -- (map) Resource requests and limits for the containers in the pod resources: 
@@ -222,7 +226,8 @@ command: ["/bin/sh"] args: - "-c" - | - /env/bin/alembic upgrade head + # Managing virtual environments via poetry instead of python since the AL base image update, but retaining backwards compatibility + poetry run alembic upgrade head || /env/bin/alembic upgrade head # Service and Pod # -- (map) Kubernetes service information. @@ -247,11 +252,3 @@ partOf: "Authentication" selectorLabels: # -- (map) Will completely override the commonLabels defined in the common chart's _label_setup.tpl commonLabels: - -# Values to configure datadog if ddEnabled is set to "true". -# -- (bool) If enabled, the Datadog Agent will automatically inject Datadog-specific metadata into your application logs. -datadogLogsInjection: true -# -- (bool) If enabled, the Datadog Agent will collect profiling data for your application using the Continuous Profiler. This data can be used to identify performance bottlenecks and optimize your application. -datadogProfilingEnabled: true -# -- (int) A value between 0 and 1, that represents the percentage of requests that will be traced. For example, a value of 0.5 means that 50% of requests will be traced. -datadogTraceSampleRate: 1 diff --git a/helm/revproxy/gen3.nginx.conf/fhir-server-service.conf b/helm/revproxy/gen3.nginx.conf/fhir-server-service.conf index cee8c994..5dc03883 100644 --- a/helm/revproxy/gen3.nginx.conf/fhir-server-service.conf +++ b/helm/revproxy/gen3.nginx.conf/fhir-server-service.conf @@ -3,6 +3,7 @@ location /Bundle { proxy_send_timeout 600s; proxy_read_timeout 600s; send_timeout 600s; + client_max_body_size 50M; set $upstream http://fhir-server-service.$namespace.svc.cluster.local:8000; rewrite ^/Bundle/(.*) /$1 break; diff --git a/helm/revproxy/gen3.nginx.conf/image-viewer-service.conf b/helm/revproxy/gen3.nginx.conf/image-viewer-service.conf new file mode 100644 index 00000000..64f95986 --- /dev/null +++ b/helm/revproxy/gen3.nginx.conf/image-viewer-service.conf 
@@ -0,0 +1,9 @@
+location /image-viewer/ {
+ proxy_connect_timeout 600s;
+ proxy_send_timeout 600s;
+ proxy_read_timeout 600s;
+ send_timeout 600s;
+
+ rewrite ^/image-viewer/(.*) /$1 break;
+ proxy_pass http://image-viewer-service.$namespace.svc.cluster.local:8000;
+}
diff --git a/helm/revproxy/gen3.nginx.conf/viv-service.conf b/helm/revproxy/gen3.nginx.conf/viv-service.conf
new file mode 100644
index 00000000..f0eaa785
--- /dev/null
+++ b/helm/revproxy/gen3.nginx.conf/viv-service.conf
@@ -0,0 +1,9 @@
+location /aviator/ {
+ proxy_connect_timeout 600s;
+ proxy_send_timeout 600s;
+ proxy_read_timeout 600s;
+ send_timeout 600s;
+
+# maintain the /aviator prefix in the proxied request
+ proxy_pass http://viv-service.$namespace.svc.cluster.local:8000;
+}
diff --git a/helm/viv/.helmignore b/helm/viv/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/helm/viv/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/viv/Chart.yaml b/helm/viv/Chart.yaml
new file mode 100644
index 00000000..4ca5eae7
--- /dev/null
+++ b/helm/viv/Chart.yaml
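Review bot: Neither new location applies any access control before proxying — `/image-viewer/` here and `/aviator/` in viv-service.conf set only timeouts and `proxy_pass`, so whatever the upstream serves is reachable by anyone who can reach the reverse proxy. If these viewers are meant to sit behind the portal login, an `auth_request` gate (mirroring whatever the other gen3.nginx.conf entries use, if they are gated) belongs in both blocks; if anonymous access is intended, a one-line comment saying so would keep the next reader from guessing. Separately, in viv-service.conf the `# maintain the /aviator prefix in the proxied request` comment sits at column 0 inside the block; indent it with the `proxy_pass` directive it explains.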
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: viv
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.14.2"
diff --git a/helm/viv/README.md b/helm/viv/README.md
new file mode 100644
index 00000000..0ad18839
--- /dev/null
+++ b/helm/viv/README.md
@@ -0,0 +1,3 @@
+# To get viv to be discoverable to other microservices run the following command
+
+kc expose deployment local-viv
diff --git a/helm/viv/templates/_helpers.tpl b/helm/viv/templates/_helpers.tpl
new file mode 100644
index 00000000..00be60ec
--- /dev/null
+++ b/helm/viv/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "viv.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "viv.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "viv.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "viv.labels" -}}
+helm.sh/chart: {{ include "viv.chart" . }}
+{{ include "viv.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "viv.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "viv.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "viv.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "viv.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/helm/viv/templates/deployment.yaml b/helm/viv/templates/deployment.yaml
new file mode 100644
index 00000000..64581d7e
--- /dev/null
+++ b/helm/viv/templates/deployment.yaml
@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: viv-deployment
+ labels:
+ {{- include "viv.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "viv.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "viv.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "viv.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ volumes: []
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.service.port }}
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 8000
+ initialDelaySeconds: 10
+ periodSeconds: 60
+ timeoutSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 8000
+ initialDelaySeconds: 10
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ command:
+ - "/bin/sh"
+ - "-c"
+ - >
+ pnpm dev --host 0.0.0.0 --port {{ .Values.service.port }} --base /aviator
+
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/helm/viv/templates/hpa.yaml b/helm/viv/templates/hpa.yaml
new file mode 100644
index 00000000..a1be03ec
--- /dev/null
+++ b/helm/viv/templates/hpa.yaml
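Review bot: The liveness and readiness probes hard-code `port: 8000` while `containerPort` is rendered from `.Values.service.port`, so changing the port in values.yaml silently breaks both probes; use the named port, `port: http`, in both `httpGet` blocks. The container command runs `pnpm dev --host 0.0.0.0 …`, which by its name is a development server; dev servers generally serve unbundled sources and a hot-reload channel and are not intended to sit behind a public reverse proxy, so the image should run a production build, or the chart should document why the dev server is required here. The Deployment name `viv-deployment` is also hard-coded while the rest of the chart's templates render names through `viv.fullname`, which is worth aligning before anything references it.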
@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "viv.fullname" . }}
+ labels:
+ {{- include "viv.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "viv.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/helm/viv/templates/service.yaml b/helm/viv/templates/service.yaml
new file mode 100644
index 00000000..48ba6f1d
--- /dev/null
+++ b/helm/viv/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.serviceName}}
+ labels:
+ {{- include "viv.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "viv.selectorLabels" . | nindent 4 }}
+
diff --git a/helm/viv/templates/serviceaccount.yaml b/helm/viv/templates/serviceaccount.yaml
new file mode 100644
index 00000000..e2df0780
--- /dev/null
+++ b/helm/viv/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "viv.serviceAccountName" . }}
+ labels:
+ {{- include "viv.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
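Review bot: `scaleTargetRef.name` is `{{ include "viv.fullname" . }}`, but deployment.yaml in this same chart names the Deployment literally `viv-deployment`, so with `autoscaling.enabled: true` the HPA targets an object that does not exist and never scales anything. Either render the Deployment's `metadata.name` with the same helper or set `name: viv-deployment` here; the former keeps the chart consistent with its scaffolded helpers. The Service in service.yaml uses a third scheme, `{{ .Values.serviceName}}`, so the chart currently mixes three naming conventions for one workload.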
diff --git a/helm/viv/templates/tests/test-connection.yaml b/helm/viv/templates/tests/test-connection.yaml
new file mode 100644
index 00000000..3096599c
--- /dev/null
+++ b/helm/viv/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "viv.fullname" . }}-test-connection"
+ labels:
+ {{- include "viv.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "viv.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/helm/viv/templates/viv-values.yaml b/helm/viv/templates/viv-values.yaml
new file mode 100644
index 00000000..cfecf91e
--- /dev/null
+++ b/helm/viv/templates/viv-values.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: viv-values
+data:
+ serviceName: {{ .Values.serviceName | quote }}
diff --git a/helm/viv/values.yaml b/helm/viv/values.yaml
new file mode 100644
index 00000000..e6117f9f
--- /dev/null
+++ b/helm/viv/values.yaml
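Review bot: The test hook wgets `{{ include "viv.fullname" . }}:{{ .Values.service.port }}`, but service.yaml names the Service `{{ .Values.serviceName}}` (`viv-service` by default), so `helm test` resolves a hostname no Service carries and fails; use `args: ['{{ .Values.serviceName }}:{{ .Values.service.port }}']`. `image: busybox` has no tag, so the hook pulls a mutable `latest` on every run; pin a specific tag (ideally a digest) so the test image is reproducible.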
@@ -0,0 +1,62 @@
+# Default values for viv.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+serviceName: viv-service
+
+image:
+ repository: quay.io/ohsu-comp-bio/viv
+ pullPolicy: Always
+ tag: "latest"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: ClusterIP
+ port: 8000
+
+resources:
+ limits:
+ cpu: 2.0
+ memory: 2Gi
+ requests:
+ cpu: 0.2
+ memory: 256Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
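Review bot: `tag: "latest"` together with `pullPolicy: Always` makes every pod start pull whatever the registry currently serves under `latest`, so deployments are not reproducible and the template's `default .Chart.AppVersion` fallback (Chart.yaml pins `appVersion: "0.14.2"`) never takes effect; set `tag: ""` to deploy the chart's appVersion, or pin an explicit version or digest. `securityContext: {}` leaves the container on the runtime's defaults while the hardening block directly beneath it is commented out; since deployment.yaml templates this value straight into the container, uncommenting `runAsNonRoot: true` and `capabilities.drop: [ALL]` here is the place to harden it (`readOnlyRootFilesystem` may need a writable volume for the dev server's cache, so verify before enabling that one).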