Reusable unhelm.sh

README.md

@@ -25,3 +25,5 @@ Each generated kustomize base gets a file `unhelm-namespace-placeholder.txt`
 which helps point out these strings.
 They typically call for specific Kustomize patches.
 Or use this repo only as examples and maintain your own yaml.
+
+To set a different namespace, use a line prefixed `# unhelm-namespace: [namespace name]`.

cockroachdb.ystack.values.yaml

@@ -17,3 +17,10 @@ tls:
     selfSigner:
       enabled: false
       caProvided: false
+
+statefulset:
+  replicas: 1
+  conf:
+    single-node: true
+  serviceAccount:
+    create: false

cockroachdb/ystack/cockroachdb/templates/job.init.yaml

@@ -6,7 +6,7 @@ metadata:
   name: cockroachdb-init
   namespace: "unhelm-namespace-placeholder"
   labels:
-    helm.sh/chart: cockroachdb-11.0.3
+    helm.sh/chart: cockroachdb-11.2.2
     app.kubernetes.io/name: cockroachdb
     app.kubernetes.io/instance: "cockroachdb"
     app.kubernetes.io/managed-by: "Helm"
@@ -22,11 +22,19 @@ spec:
         app.kubernetes.io/instance: "cockroachdb"
         app.kubernetes.io/component: init
     spec:
+      securityContext:
+        seccompProfile:
+          type: "RuntimeDefault"
+        runAsGroup: 1000
+        runAsUser: 1000
+        fsGroup: 1000
+        runAsNonRoot: true
       restartPolicy: OnFailure
       terminationGracePeriodSeconds: 0
+      serviceAccountName: default
       containers:
         - name: cluster-init
-          image: "cockroachdb/cockroach:v23.1.4"
+          image: "cockroachdb/cockroach:v23.1.12"
           imagePullPolicy: "IfNotPresent"
           # Run the command in an `while true` loop because this Job is bound
           # to come up before the CockroachDB Pods (due to the time needed to
@@ -64,3 +72,7 @@ spec:
 
               initCluster;
           env:
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:  
+              drop: ["ALL"]

cockroachdb/ystack/cockroachdb/templates/poddisruptionbudget.yaml

@@ -6,7 +6,7 @@ metadata:
   name: cockroachdb-budget
   namespace: "unhelm-namespace-placeholder"
   labels:
-    helm.sh/chart: cockroachdb-11.0.3
+    helm.sh/chart: cockroachdb-11.2.2
     app.kubernetes.io/name: cockroachdb
     app.kubernetes.io/instance: "cockroachdb"
     app.kubernetes.io/managed-by: "Helm"

cockroachdb/ystack/cockroachdb/templates/service.discovery.yaml

@@ -10,7 +10,7 @@ metadata:
   name: cockroachdb
   namespace: "unhelm-namespace-placeholder"
   labels:
-    helm.sh/chart: cockroachdb-11.0.3
+    helm.sh/chart: cockroachdb-11.2.2
     app.kubernetes.io/name: cockroachdb
     app.kubernetes.io/instance: "cockroachdb"
     app.kubernetes.io/managed-by: "Helm"

cockroachdb/ystack/cockroachdb/templates/service.public.yaml

@@ -9,7 +9,7 @@ metadata:
   name: cockroachdb-public
   namespace: "unhelm-namespace-placeholder"
   labels:
-    helm.sh/chart: cockroachdb-11.0.3
+    helm.sh/chart: cockroachdb-11.2.2
     app.kubernetes.io/name: cockroachdb
     app.kubernetes.io/instance: "cockroachdb"
     app.kubernetes.io/managed-by: "Helm"

cockroachdb/ystack/cockroachdb/templates/serviceMonitor.yaml

@@ -6,7 +6,7 @@ metadata:
   name: cockroachdb
   namespace: "unhelm-namespace-placeholder"
   labels:
-    helm.sh/chart: cockroachdb-11.0.3
+    helm.sh/chart: cockroachdb-11.2.2
     app.kubernetes.io/name: cockroachdb
     app.kubernetes.io/instance: "cockroachdb"
     app.kubernetes.io/managed-by: "Helm"

cockroachdb/ystack/cockroachdb/templates/statefulset.yaml

@@ -6,14 +6,14 @@ metadata:
   name: cockroachdb
   namespace: "unhelm-namespace-placeholder"
   labels:
-    helm.sh/chart: cockroachdb-11.0.3
+    helm.sh/chart: cockroachdb-11.2.2
     app.kubernetes.io/name: cockroachdb
     app.kubernetes.io/instance: "cockroachdb"
     app.kubernetes.io/managed-by: "Helm"
     app.kubernetes.io/component: cockroachdb
 spec:
   serviceName: cockroachdb
-  replicas: 3
+  replicas: 1
   updateStrategy:
     type: RollingUpdate
   podManagementPolicy: "Parallel"
@@ -29,6 +29,7 @@ spec:
         app.kubernetes.io/instance: "cockroachdb"
         app.kubernetes.io/component: cockroachdb
     spec:
+      serviceAccountName: default
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -54,7 +55,7 @@ spec:
       terminationGracePeriodSeconds: 60
       containers:
         - name: db
-          image: "cockroachdb/cockroach:v23.1.4"
+          image: "cockroachdb/cockroach:v23.1.12"
           imagePullPolicy: "IfNotPresent"
           args:
             - shell
@@ -115,10 +116,24 @@ spec:
             initialDelaySeconds: 10
             periodSeconds: 5
             failureThreshold: 2
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
       volumes:
         - name: datadir
           persistentVolumeClaim:
             claimName: datadir
+      securityContext:
+        seccompProfile:
+          type: "RuntimeDefault"
+        fsGroup: 1000
+        runAsGroup: 1000
+        runAsUser: 1000
+        runAsNonRoot: true
   volumeClaimTemplates:
     - metadata:
         name: datadir

cockroachdb/ystack/cockroachdb/templates/tests/client.yaml

@@ -11,7 +11,7 @@ spec:
   restartPolicy: Never
   containers:
     - name: client-test
-      image: "cockroachdb/cockroach:v23.1.4"
+      image: "cockroachdb/cockroach:v23.1.12"
       imagePullPolicy: "IfNotPresent"
       command:
         - /cockroach/cockroach

cockroachdb/ystack/unhelm-namespace-placeholder.txt

@@ -10,7 +10,7 @@ Note the following instances of namespace strings that Kustomize won't replace
           value: cockroachdb.unhelm-namespace-placeholder.svc.cluster.local
         - name: COCKROACH_CHANNEL
           value: kubernetes-helm
-        image: cockroachdb/cockroach:v23.1.4
+        image: cockroachdb/cockroach:v23.1.12
         imagePullPolicy: IfNotPresent
         livenessProbe:
 --
@@ -36,4 +36,4 @@ Note the following instances of namespace strings that Kustomize won't replace
     - "26257"
     - -e
     - SHOW DATABASES;
-    image: cockroachdb/cockroach:v23.1.4
+    image: cockroachdb/cockroach:v23.1.12

redpanda.minimal.values.yaml

@@ -1,5 +1,7 @@
 # yaml-language-server: $schema=https://github.com/redpanda-data/helm-charts/raw/redpanda-4.0.32/charts/redpanda/values.schema.json
 # unhelm-template-repo: https://charts.redpanda.com
+# unhelm-namespace: kafka
+
 image:
   repository: docker.redpanda.com/redpandadata/redpanda
   # sha256 is disallowed here by the json schema

redpanda/minimal/redpanda/templates/configmap.yaml

@@ -4,7 +4,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: redpanda
-  namespace: "unhelm-namespace-placeholder"
+  namespace: "kafka"
   labels:
     app.kubernetes.io/component: redpanda
     app.kubernetes.io/instance: redpanda
@@ -64,13 +64,13 @@ data:
         port: 33145
       seed_servers:
         - host:
-            address: redpanda-0.redpanda.unhelm-namespace-placeholder.svc.cluster.local.
+            address: redpanda-0.redpanda.kafka.svc.cluster.local.
             port: 33145
         - host:
-            address: redpanda-1.redpanda.unhelm-namespace-placeholder.svc.cluster.local.
+            address: redpanda-1.redpanda.kafka.svc.cluster.local.
             port: 33145
         - host:
-            address: redpanda-2.redpanda.unhelm-namespace-placeholder.svc.cluster.local.
+            address: redpanda-2.redpanda.kafka.svc.cluster.local.
             port: 33145
     schema_registry:
       schema_registry_api:

redpanda/minimal/redpanda/templates/poddisruptionbudget.yaml

@@ -4,7 +4,7 @@ apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: redpanda
-  namespace: unhelm-namespace-placeholder
+  namespace: kafka
   labels:
     app.kubernetes.io/component: redpanda
     app.kubernetes.io/instance: redpanda

redpanda/minimal/redpanda/templates/secrets.yaml

@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: redpanda-sts-lifecycle
-  namespace: "unhelm-namespace-placeholder"
+  namespace: "kafka"
   labels:
     app.kubernetes.io/component: redpanda
     app.kubernetes.io/instance: redpanda
@@ -17,7 +17,7 @@ stringData:
     #!/usr/bin/env bash
 
     # the SERVICE_NAME comes from the metadata.name of the pod, essentially the POD_NAME
-    CURL_URL="http://${SERVICE_NAME}.redpanda.unhelm-namespace-placeholder.svc.cluster.local:9644"
+    CURL_URL="http://${SERVICE_NAME}.redpanda.kafka.svc.cluster.local:9644"
 
     # commands used throughout
     CURL_NODE_ID_CMD="curl --silent --fail  ${CURL_URL}/v1/node_config"

redpanda/minimal/redpanda/templates/service.internal.yaml

@@ -7,7 +7,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: redpanda
-  namespace: "unhelm-namespace-placeholder"
+  namespace: "kafka"
   labels:
     monitoring.redpanda.com/enabled: "false"
     app.kubernetes.io/component: redpanda

redpanda/minimal/redpanda/templates/statefulset.yaml

@@ -29,7 +29,7 @@ spec:
         app.kubernetes.io/component: redpanda-statefulset
         redpanda.com/poddisruptionbudget: redpanda
       annotations:
-        checksum/config: 3d72e1348bc6b82ebfb04ace04181c2f1e0b6105339fc4b9cdb9e02fd494c817
+        checksum/config: 1ea38287095928598ef2a1a2ee5d4cfc96ddc3a21b5d1e62e047bb6a0818777a
     spec:
       terminationGracePeriodSeconds: 90
       securityContext: 
@@ -52,9 +52,9 @@ spec:
                 fieldRef:
                   fieldPath: metadata.name
             - name: ADVERTISED_KAFKA_ADDRESSES
-              value: '{"address":"$(SERVICE_NAME).redpanda.unhelm-namespace-placeholder.svc.cluster.local.","name":"internal","port":9093};{"address":"$(SERVICE_NAME)","name":"default","port":31092} {"address":"$(SERVICE_NAME).redpanda.unhelm-namespace-placeholder.svc.cluster.local.","name":"internal","port":9093};{"address":"$(SERVICE_NAME)","name":"default","port":31092} {"address":"$(SERVICE_NAME).redpanda.unhelm-namespace-placeholder.svc.cluster.local.","name":"internal","port":9093};{"address":"$(SERVICE_NAME)","name":"default","port":31092}'
+              value: '{"address":"$(SERVICE_NAME).redpanda.kafka.svc.cluster.local.","name":"internal","port":9093};{"address":"$(SERVICE_NAME)","name":"default","port":31092} {"address":"$(SERVICE_NAME).redpanda.kafka.svc.cluster.local.","name":"internal","port":9093};{"address":"$(SERVICE_NAME)","name":"default","port":31092} {"address":"$(SERVICE_NAME).redpanda.kafka.svc.cluster.local.","name":"internal","port":9093};{"address":"$(SERVICE_NAME)","name":"default","port":31092}'
             - name: ADVERTISED_HTTP_ADDRESSES
-              value: '{"address":"$(SERVICE_NAME).redpanda.unhelm-namespace-placeholder.svc.cluster.local.","name":"internal","port":8082};{"address":"$(SERVICE_NAME)","name":"default","port":30082} {"address":"$(SERVICE_NAME).redpanda.unhelm-namespace-placeholder.svc.cluster.local.","name":"internal","port":8082};{"address":"$(SERVICE_NAME)","name":"default","port":30082} {"address":"$(SERVICE_NAME).redpanda.unhelm-namespace-placeholder.svc.cluster.local.","name":"internal","port":8082};{"address":"$(SERVICE_NAME)","name":"default","port":30082}'
+              value: '{"address":"$(SERVICE_NAME).redpanda.kafka.svc.cluster.local.","name":"internal","port":8082};{"address":"$(SERVICE_NAME)","name":"default","port":30082} {"address":"$(SERVICE_NAME).redpanda.kafka.svc.cluster.local.","name":"internal","port":8082};{"address":"$(SERVICE_NAME)","name":"default","port":30082} {"address":"$(SERVICE_NAME).redpanda.kafka.svc.cluster.local.","name":"internal","port":8082};{"address":"$(SERVICE_NAME)","name":"default","port":30082}'
             - name: KUBERNETES_NODE_NAME
               valueFrom:
                 fieldRef:
@@ -126,7 +126,7 @@ spec:
                 - -c
                 - |
                   set -e
-                  RESULT=$(curl --silent --fail -k  "http://${SERVICE_NAME}.redpanda.unhelm-namespace-placeholder.svc.cluster.local.:9644/v1/status/ready")
+                  RESULT=$(curl --silent --fail -k  "http://${SERVICE_NAME}.redpanda.kafka.svc.cluster.local.:9644/v1/status/ready")
                   echo $RESULT
                   echo $RESULT | grep ready
             initialDelaySeconds: 1
@@ -138,7 +138,7 @@ spec:
               command:
                 - /bin/sh
                 - -c
-                - curl --silent --fail -k  "http://${SERVICE_NAME}.redpanda.unhelm-namespace-placeholder.svc.cluster.local.:9644/v1/status/ready"
+                - curl --silent --fail -k  "http://${SERVICE_NAME}.redpanda.kafka.svc.cluster.local.:9644/v1/status/ready"
             initialDelaySeconds: 10
             failureThreshold: 3
             periodSeconds: 10
@@ -153,8 +153,8 @@ spec:
                 - -c
                 - |
                   set -x
-                  rpk cluster health --api-urls ${SERVICE_NAME}.redpanda.unhelm-namespace-placeholder.svc.cluster.local.:9644
-                  rpk cluster health --api-urls ${SERVICE_NAME}.redpanda.unhelm-namespace-placeholder.svc.cluster.local.:9644 | grep 'Healthy:.*true'
+                  rpk cluster health --api-urls ${SERVICE_NAME}.redpanda.kafka.svc.cluster.local.:9644
+                  rpk cluster health --api-urls ${SERVICE_NAME}.redpanda.kafka.svc.cluster.local.:9644 | grep 'Healthy:.*true'
             initialDelaySeconds: 1
             failureThreshold: 3
             periodSeconds: 10
@@ -167,7 +167,7 @@ spec:
             - --memory=2048M
             - --reserve-memory=205M
             - --default-log-level=info
-            - --advertise-rpc-addr=$(SERVICE_NAME).redpanda.unhelm-namespace-placeholder.svc.cluster.local.:33145
+            - --advertise-rpc-addr=$(SERVICE_NAME).redpanda.kafka.svc.cluster.local.:33145
             - --overprovisioned
           ports:
             - name: admin

redpanda/minimal/redpanda/templates/tests/test-api-status.yaml

@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: "redpanda-test-api-status"
-  namespace: "unhelm-namespace-placeholder"
+  namespace: "kafka"
   labels:
     app.kubernetes.io/component: redpanda
     app.kubernetes.io/instance: redpanda
@@ -29,7 +29,7 @@ spec:
       - -c
       - |
         until rpk cluster info \
-          --brokers redpanda-0.redpanda.unhelm-namespace-placeholder.svc.cluster.local.:9093
+          --brokers redpanda-0.redpanda.kafka.svc.cluster.local.:9093
           do sleep 2
         done
       volumeMounts:

redpanda/minimal/redpanda/templates/tests/test-kafka-produce-consume.yaml

@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: redpanda-test-kafka-produce-consume
-  namespace: "unhelm-namespace-placeholder"
+  namespace: "kafka"
   labels:
     app.kubernetes.io/component: redpanda
     app.kubernetes.io/instance: redpanda
@@ -24,7 +24,7 @@ spec:
       image: docker.redpanda.com/redpandadata/redpanda:v23.1.13
       env:
         - name: REDPANDA_BROKERS
-          value: "redpanda.unhelm-namespace-placeholder.svc.cluster.local:9093"
+          value: "redpanda.kafka.svc.cluster.local:9093"
         - name: POD_NAME
           valueFrom:
             fieldRef:

redpanda/minimal/redpanda/templates/tests/test-pandaproxy-status.yaml

@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: "redpanda-test-pandaproxy-status"
-  namespace: "unhelm-namespace-placeholder"
+  namespace: "kafka"
   labels:
     app.kubernetes.io/component: redpanda
     app.kubernetes.io/instance: redpanda

redpanda/minimal/redpanda/templates/tests/test-schemaregistry-status.yaml

@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: "redpanda-test-schemaregistry-status"
-  namespace: "unhelm-namespace-placeholder"
+  namespace: "kafka"
   labels:
     app.kubernetes.io/component: redpanda
     app.kubernetes.io/instance: redpanda
@@ -31,21 +31,21 @@ spec:
             $*
           }
 
-          schemaCurl http://redpanda.unhelm-namespace-placeholder.svc.cluster.local.:8081/schemas/types
+          schemaCurl http://redpanda.kafka.svc.cluster.local.:8081/schemas/types
 
           curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors \
           -X POST -H 'Content-Type:application/vnd.schemaregistry.v1+json' \
           -d '{"schema":"{\"type\":\"record\",\"name\":\"sensor_sample\",\"fields\":[{\"name\":\"timestamp\",\"type\":\"long\",\"logicalType\":\"timestamp-millis\"},{\"name\":\"identifier\",\"type\":\"string\",\"logicalType\":\"uuid\"},{\"name\":\"value\",\"type\":\"long\"}]}"}' \
-          http://redpanda.unhelm-namespace-placeholder.svc.cluster.local.:8081/subjects/sensor-value/versions
+          http://redpanda.kafka.svc.cluster.local.:8081/subjects/sensor-value/versions
 
-          schemaCurl http://redpanda.unhelm-namespace-placeholder.svc.cluster.local.:8081/schemas/ids/1
+          schemaCurl http://redpanda.kafka.svc.cluster.local.:8081/schemas/ids/1
 
-          schemaCurl http://redpanda.unhelm-namespace-placeholder.svc.cluster.local.:8081/subjects
+          schemaCurl http://redpanda.kafka.svc.cluster.local.:8081/subjects
 
           schemaCurl -X DELETE \
-          http://redpanda.unhelm-namespace-placeholder.svc.cluster.local.:8081/subjects/sensor-value/versions/1
+          http://redpanda.kafka.svc.cluster.local.:8081/subjects/sensor-value/versions/1
 
           schemaCurl -X DELETE \
-          http://redpanda.unhelm-namespace-placeholder.svc.cluster.local.:8081/subjects/sensor-value/versions/1?permanent=true
+          http://redpanda.kafka.svc.cluster.local.:8081/subjects/sensor-value/versions/1?permanent=true
       volumeMounts:
   volumes: