Common part of Storage Part 2 (#344)

* Prepare Common for different permission schema

* Don't use PGID for storage ownership in any case.
This commit is contained in:
Kjeld Schouten-Lebbing
2021-04-14 19:14:58 +02:00
committed by GitHub
parent df05cf8ce6
commit d67ca77bae
29 changed files with 182 additions and 1475 deletions

View File

@@ -38,36 +38,7 @@ class Test < ChartTest
end
end
describe 'startAsRoot' do
it 'defaults to false = runAs 568' do
jq('.spec.template.spec.securityContext.runAsUser', resource('Deployment')).must_equal 568
jq('.spec.template.spec.securityContext.runAsGroup', resource('Deployment')).must_equal 568
jq('.spec.template.spec.securityContext.fsGroup', resource('Deployment')).must_equal 568
jq('.spec.template.spec.securityContext.runAsNonRoot', resource('Deployment')).must_equal true
jq('.spec.template.spec.securityContext.supplementalGroups', resource('Deployment')).must_equal []
end
it 'allow settingsupplementalGroups' do
values = {
supplementalGroups: "5,20"
}
chart.value values
jq('.spec.template.spec.securityContext.runAsUser', resource('Deployment')).must_equal 568
jq('.spec.template.spec.securityContext.runAsGroup', resource('Deployment')).must_equal 568
jq('.spec.template.spec.securityContext.fsGroup', resource('Deployment')).must_equal 568
jq('.spec.template.spec.securityContext.runAsNonRoot', resource('Deployment')).must_equal true
jq('.spec.template.spec.securityContext.supplementalGroups', resource('Deployment')).must_equal [5,20]
end
it 'can be enabled = runAs nil' do
chart.value startAsRoot: true
jq('.spec.template.spec.securityContext.runAsUser', resource('Deployment')).must_equal nil
jq('.spec.template.spec.securityContext.runAsGroup', resource('Deployment')).must_equal nil
jq('.spec.template.spec.securityContext.runAsNonRoot', resource('Deployment')).must_equal nil
jq('.spec.template.spec.securityContext.fsGroup', resource('Deployment')).must_equal nil
jq('.spec.template.spec.securityContext.supplementalGroups', resource('Deployment')).must_equal nil
end
end
describe 'hostNetwork' do
it ' hostnetworking default = nil' do
@@ -277,43 +248,43 @@ class Test < ChartTest
end
end
describe 'appVolumeMounts' do
default_name_1 = 'test1'
default_name_2 = 'test2'
describe 'deviceMounts' do
default_name_1 = 'devicemount-test1'
default_name_2 = 'devicemount-test2'
default_mountPath_1 = '/test1'
default_mountPath_2 = '/test2'
empty_dir = {}
path = '/tmp'
it 'appVolumeMounts creates VolumeMounts' do
it 'deviceMounts creates VolumeMounts' do
jq('.spec.template.spec.containers[0].volumeMounts[0].name', resource('Deployment')).must_equal default_name_1
jq('.spec.template.spec.containers[0].volumeMounts[1].name', resource('Deployment')).must_equal default_name_2
jq('.spec.template.spec.containers[0].volumeMounts[0].mountPath', resource('Deployment')).must_equal default_mountPath_1
jq('.spec.template.spec.containers[0].volumeMounts[1].mountPath', resource('Deployment')).must_equal default_mountPath_2
end
it 'appVolumeMounts creates Volumes' do
it 'deviceMounts creates Volumes' do
jq('.spec.template.spec.volumes[0].emptyDir', resource('Deployment')).must_equal empty_dir
jq('.spec.template.spec.volumes[1].hostPath.path', resource('Deployment')).must_equal path
end
end
describe 'additionalAppVolumeMounts' do
default_name_3 = 'test3'
default_name_4 = 'test4'
describe 'customStorage' do
default_name_3 = 'customstorage-test3'
default_name_4 = 'customstorage-test4'
default_mountPath_3 = '/test3'
default_mountPath_4 = '/test4'
empty_dir = {}
path = '/tmp'
it 'additionalAppVolumeMounts creates VolumeMounts' do
it 'customStorage creates VolumeMounts' do
jq('.spec.template.spec.containers[0].volumeMounts[2].name', resource('Deployment')).must_equal default_name_3
jq('.spec.template.spec.containers[0].volumeMounts[3].name', resource('Deployment')).must_equal default_name_4
jq('.spec.template.spec.containers[0].volumeMounts[2].mountPath', resource('Deployment')).must_equal default_mountPath_3
jq('.spec.template.spec.containers[0].volumeMounts[3].mountPath', resource('Deployment')).must_equal default_mountPath_4
end
it 'additionalAppVolumeMounts creates Volumes' do
it 'customStorage creates Volumes' do
jq('.spec.template.spec.volumes[2].emptyDir', resource('Deployment')).must_equal empty_dir
jq('.spec.template.spec.volumes[3].hostPath.path', resource('Deployment')).must_equal path
end

View File

@@ -1 +0,0 @@
{{- include "common.notes.defaultNotes" . -}}

View File

@@ -56,35 +56,27 @@ additionalIngress:
# these values and names are set specifically with the unittests in mind.
fixMountPermissions: false
appVolumeMounts:
deviceMounts:
test1:
enabled: true
emptyDir: true
datasetName: "test1"
mountPath: "/test1"
hostPathEnabled: false
hostPath: ""
hostPath: "/tmp"
test2:
enabled: true
emptyDir: false
datasetName: "test2"
mountPath: "/test2"
hostPathEnabled: true
hostPath: "/tmp"
# these values and names are set specifically with the unittests in mind.
additionalAppVolumeMounts:
customStorage:
- name: "test3"
enabled: true
emptyDir: true
datasetName: "test3"
mountPath: "/test3"
hostPathEnabled: false
hostPath: ""
- name: "test4"
enabled: true
emptyDir: false
datasetName: "test4"
mountPath: "/test4"
hostPathEnabled: true
hostPath: "/tmp"

View File

@@ -1,7 +1,7 @@
apiVersion: v2
kubeVersion: ">=1.16.0-0"
name: common
version: 2.2.2
version: 3.0.0
# upstream_version:
appVersion: none
description: Function library for TrueCharts

View File

@@ -1,22 +1,3 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/*
Main entrypoint for the common library chart. It will render all underlying templates based on the provided values.
*/}}

View File

@@ -1,40 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/*
Default NOTES.txt content.
*/}}
{{- define "common.notes.defaultNotes" -}}
{{- $svcPort := .Values.services.main.port.port -}}
echo "use your Ingress URL to connect or find the application URL by running these commands:"
{{- if contains "NodePort" .Values.services.main.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.services.main.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ include "common.names.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ $svcPort }}
{{- else if contains "ClusterIP" .Values.services.main.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "common.names.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:{{ $svcPort }}
{{- end }}
{{- end }}

View File

@@ -33,19 +33,4 @@ of all the entries of the persistence key.
{{- include "common.classes.pvc" $ -}}
{{- end }}
{{- end }}
{{/*
This is kept seperate, to enable us ot add "persistence" to questions.yaml and keep this out of it
*/}}
{{- range $index, $PVC := .Values.backupPersistence }}
{{- if and $PVC.enabled (not (or $PVC.emptyDir $PVC.existingClaim)) -}}
{{- $persistenceValues := $PVC -}}
{{- if not $persistenceValues.nameSuffix -}}
{{- $_ := set $persistenceValues "nameSuffix" "buildinBackup" -}}
{{- end -}}
{{- $_ := set $ "ObjectValues" (dict "persistence" $persistenceValues) -}}
{{- print ("---") | nindent 0 -}}
{{- include "common.classes.pvc" $ -}}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,21 +1,3 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/*
The ServiceAccount object to be created.
*/}}

View File

@@ -1,114 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/* Currently only used as Bitnami Compatibility layer, may want to integrate more later */}}
{{/* vim: set filetype=mustache: */}}
{{/*
Return a soft nodeAffinity definition
{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes.soft" -}}
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: {{ .key }}
operator: In
values:
{{- range .values }}
- {{ . }}
{{- end }}
weight: 1
{{- end -}}
{{/*
Return a hard nodeAffinity definition
{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes.hard" -}}
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: {{ .key }}
operator: In
values:
{{- range .values }}
- {{ . }}
{{- end }}
{{- end -}}
{{/*
Return a nodeAffinity definition
{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes" -}}
{{- if eq .type "soft" }}
{{- include "common.affinities.nodes.soft" . -}}
{{- else if eq .type "hard" }}
{{- include "common.affinities.nodes.hard" . -}}
{{- end -}}
{{- end -}}
{{/*
Return a soft podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.soft" (dict "component" "FOO" "context" $) -}}
*/}}
{{- define "common.affinities.pods.soft" -}}
{{- $component := default "" .component -}}
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
namespaces:
- {{ .context.Release.Namespace | quote }}
topologyKey: kubernetes.io/hostname
weight: 1
{{- end -}}
{{/*
Return a hard podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.hard" (dict "component" "FOO" "context" $) -}}
*/}}
{{- define "common.affinities.pods.hard" -}}
{{- $component := default "" .component -}}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
namespaces:
- {{ .context.Release.Namespace | quote }}
topologyKey: kubernetes.io/hostname
{{- end -}}
{{/*
Return a podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.pods" -}}
{{- if eq .type "soft" }}
{{- include "common.affinities.pods.soft" . -}}
{{- else if eq .type "hard" }}
{{- include "common.affinities.pods.hard" . -}}
{{- end -}}
{{- end -}}

View File

@@ -1,63 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/* Currently only used as Bitnami compatibility Layer, needs more integration during the Ingress integration project. */}}
{{/* vim: set filetype=mustache: */}}
{{/*
Generate backend entry that is compatible with all Kubernetes API versions.
Usage:
{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}
Params:
- serviceName - String. Name of an existing service backend
- servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer.
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.ingress.backend" -}}
{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
serviceName: {{ .serviceName }}
servicePort: {{ .servicePort }}
{{- else -}}
service:
name: {{ .serviceName }}
port:
{{- if typeIs "string" .servicePort }}
name: {{ .servicePort }}
{{- else if typeIs "int" .servicePort }}
number: {{ .servicePort }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Print "true" if the API pathType field is supported
Usage:
{{ include "common.ingress.supportsPathType" . }}
*/}}
{{- define "common.ingress.supportsPathType" -}}
{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- print "false" -}}
{{- else -}}
{{- print "true" -}}
{{- end -}}
{{- end -}}

View File

@@ -1,148 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/* Currently only used as Bitnami Compatibility layer, may want to integrate more later */}}
{{/* vim: set filetype=mustache: */}}
{{/*
Generate secret name.
Usage:
{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
Params:
- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
- defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.secrets.name" -}}
{{- $name := (include "common.names.fullname" .context) -}}
{{- if .defaultNameSuffix -}}
{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- with .existingSecret -}}
{{- if not (typeIs "string" .) -}}
{{- with .name -}}
{{- $name = . -}}
{{- end -}}
{{- else -}}
{{- $name = . -}}
{{- end -}}
{{- end -}}
{{- printf "%s" $name -}}
{{- end -}}
{{/*
Generate secret key.
Usage:
{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
Params:
- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
- key - String - Required. Name of the key in the secret.
*/}}
{{- define "common.secrets.key" -}}
{{- $key := .key -}}
{{- if .existingSecret -}}
{{- if not (typeIs "string" .existingSecret) -}}
{{- if .existingSecret.keyMapping -}}
{{- $key = index .existingSecret.keyMapping $.key -}}
{{- end -}}
{{- end }}
{{- end -}}
{{- printf "%s" $key -}}
{{- end -}}
{{/*
Generate secret password or retrieve one if already created.
Usage:
{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }}
Params:
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
- key - String - Required - Name of the key in the secret.
- providedValues - List<String> - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
- length - int - Optional - Length of the generated random password.
- strong - Boolean - Optional - Whether to add symbols to the generated random password.
- chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
- context - Context - Required - Parent context.
*/}}
{{- define "common.secrets.passwords.manage" -}}
{{- $password := "" }}
{{- $subchart := "" }}
{{- $chartName := default "" .chartName }}
{{- $passwordLength := default 10 .length }}
{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }}
{{- if $secret }}
{{- if index $secret.data .key }}
{{- $password = index $secret.data .key }}
{{- end -}}
{{- else if $providedPasswordValue }}
{{- $password = $providedPasswordValue | toString | b64enc | quote }}
{{- else }}
{{- if .context.Values.enabled }}
{{- $subchart = $chartName }}
{{- end -}}
{{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
{{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
{{- $passwordValidationErrors := list $requiredPasswordError -}}
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
{{- if .strong }}
{{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
{{- $password = randAscii $passwordLength }}
{{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
{{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
{{- else }}
{{- $password = randAlphaNum $passwordLength | b64enc | quote }}
{{- end }}
{{- end -}}
{{- printf "%s" $password -}}
{{- end -}}
{{/*
Returns whether a previous generated secret already exists
Usage:
{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }}
Params:
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
- context - Context - Required - Parent context.
*/}}
{{- define "common.secrets.exists" -}}
{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }}
{{- if $secret }}
{{- true -}}
{{- end -}}
{{- end -}}

View File

@@ -1,33 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/* Currently only used as Bitnami Compatibility layer, may want to integrate more later */}}
{{/* vim: set filetype=mustache: */}}
{{/*
Renders a value that contains template.
Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "common.tplvalues.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}

View File

@@ -1,37 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/*
## We might want to include more repositories in this warnings
## This is mostly used to prevent chart maintainers using "latest" when version is available
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Warning about using rolling tag.
Usage:
{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
*/}}
{{- define "common.warnings.rollingTag" -}}
{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- end -}}

View File

@@ -23,7 +23,6 @@ The main container included in the controller.
{{- define "common.controller.mainContainer" -}}
- name: {{ include "common.names.fullname" . }}
image: "{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}"
{{ include "common.warnings.rollingTag" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.command }}
command: {{ . }}
@@ -74,29 +73,13 @@ The main container included in the controller.
{{- toYaml . | nindent 12 }}
{{- end }}
{{- include "common.controller.ports" . | trim | nindent 2 }}
{{- with (include "common.controller.volumeMounts" . | trim) }}
volumeMounts:
{{- range $index, $PVC := .Values.persistence }}
{{- if and ( $PVC.enabled ) ( $PVC.mountPath ) }}
- mountPath: {{ $PVC.mountPath }}
name: {{ $index }}
{{- if $PVC.subPath }}
subPath: {{ $PVC.subPath }}
{{- end }}
{{- end }}
{{- end }}
{{ include "common.storage.allContainerVolumeMounts" . | nindent 2 }}
{{- if .Values.additionalVolumeMounts }}
{{- toYaml .Values.additionalVolumeMounts | nindent 2 }}
{{- end }}
{{- if eq .Values.controllerType "statefulset" }}
{{- range $index, $vct := .Values.volumeClaimTemplates }}
- mountPath: {{ $vct.mountPath }}
name: {{ $vct.name }}
{{- if $vct.subPath }}
subPath: {{ $vct.subPath }}
{{- end }}
{{- end }}
{{- . | nindent 2 }}
{{- end }}
{{- include "common.controller.probes" . | nindent 2 }}
resources:
{{- with .Values.resources }}

View File

@@ -1,22 +1,3 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{- /*
The pod definition included in the controller.
*/ -}}
@@ -26,16 +7,8 @@ imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
serviceAccountName: {{ include "common.names.serviceAccountName" . }}
securityContext:
{{- if not .Values.startAsRoot }}
runAsUser: {{ .Values.PUID }}
runAsGroup: {{ .Values.PGID }}
fsGroup: {{ .Values.PGID }}
# 5=tty 20=dailout 24=cdrom 44=video 107=render
supplementalGroups: [{{- .Values.supplementalGroups }}]
runAsNonRoot: true
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.priorityClassName }}

View File

@@ -0,0 +1,59 @@
{{/*
Volumes included by the controller.
*/}}
{{- define "common.controller.volumeMounts" -}}
{{- range $index, $PVC := .Values.persistence }}
{{- if and ( $PVC.enabled ) ( $PVC.mountPath ) }}
- mountPath: {{ $PVC.mountPath }}
name: {{ $index }}
{{- if $PVC.subPath }}
subPath: {{ $PVC.subPath }}
{{- end }}
{{- end }}
{{- end }}
{{ range $name, $dmm := .Values.deviceMounts }}
{{- if $dmm.enabled -}}
{{ if $dmm.name }}
{{ $name = $dmm.name }}
{{ end }}
- name: devicemount-{{ $name }}
mountPath: {{ $dmm.mountPath }}
{{ if $dmm.subPath }}
subPath: {{ $dmm.subPath }}
{{ end }}
{{- end -}}
{{ end }}
{{ range $name, $csm := .Values.customStorage }}
{{- if $csm.enabled -}}
{{ if $csm.name }}
{{ $name = $csm.name }}
{{ end }}
- name: customstorage-{{ $name }}
mountPath: {{ $csm.mountPath }}
{{ if $csm.subPath }}
subPath: {{ $csm.subPath }}
{{ end }}
{{- end -}}
{{ end }}
{{- if .Values.additionalVolumeMounts }}
{{- toYaml .Values.additionalVolumeMounts | nindent 0 }}
{{- end }}
{{- if eq .Values.controllerType "statefulset" }}
{{- range $index, $vct := .Values.volumeClaimTemplates }}
- mountPath: {{ $vct.mountPath }}
name: {{ $vct.name }}
{{- if $vct.subPath }}
subPath: {{ $vct.subPath }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}

View File

@@ -46,7 +46,38 @@ Volumes included by the controller.
{{- end }}
{{- end }}
{{- end }}
{{ include "common.storage.allAppVolumes" . | nindent 0 }}
{{- range $name, $dm := .Values.deviceMounts -}}
{{ if $dm.enabled }}
{{ if $dm.name }}
{{ $name = $dm.name }}
{{ end }}
- name: devicemount-{{ $name }}
{{ if $dm.emptyDir }}
emptyDir: {}
{{- else -}}
hostPath:
path: {{ required "hostPath not set" $dm.hostPath }}
{{ end }}
{{ end }}
{{- end -}}
{{- range $name, $cs := .Values.customStorage -}}
{{ if $cs.enabled }}
{{ if $cs.name }}
{{ $name = $cs.name }}
{{ end }}
- name: customstorage-{{ $name }}
{{ if $cs.emptyDir }}
emptyDir: {}
{{- else -}}
hostPath:
path: {{ required "hostPath not set" $cs.hostPath }}
{{ end }}
{{ end }}
{{- end -}}
{{- if .Values.additionalVolumes }}
{{- toYaml .Values.additionalVolumes | nindent 0 }}
{{- end }}

View File

@@ -1,76 +0,0 @@
{{/*
Define appVolumeMounts for container
*/}}
{{- define "common.storage.configureAppVolumeMountsInContainer" -}}
{{ range $name, $avm := . }}
{{- if $avm.enabled -}}
{{ if $avm.name }}
{{ $name = $avm.name }}
{{ end }}
- name: {{ $name }}
mountPath: {{ $avm.mountPath }}
{{ if $avm.subPath }}
subPath: {{ $avm.subPath }}
{{ end }}
{{- end -}}
{{ end }}
{{- end -}}
{{/*
Define hostPath for appVolumes
*/}}
{{- define "common.storage.configureAppVolumes" -}}
{{- range $name, $av := $.volMounts -}}
{{ if $av.enabled }}
{{ if $av.name }}
{{ $name = $av.name }}
{{ end }}
- name: {{ $name }}
{{ if $av.emptyDir }}
emptyDir: {}
{{- else -}}
hostPath:
{{ if $av.hostPathEnabled }}
path: {{ required "hostPath not set" $av.hostPath }}
{{ else }}
{{- $ixVolDict := dict "datasetName" $av.datasetName "ixVolumes" $.ixVolumes -}}
path: {{ include "common.storage.retrieveHostPathFromiXVolume" $ixVolDict }}
{{ end }}
{{ end }}
{{ end }}
{{- end -}}
{{- end -}}
{{/*
Get all volumes configuration
*/}}
{{- define "common.storage.allAppVolumes" -}}
{{- $volDict := dict "volMounts" .Values.appVolumeMounts "ixVolumes" .Values.ixVolumes -}}
{{- $volExtraDict := dict "volMounts" .Values.additionalAppVolumeMounts "ixVolumes" .Values.ixVolumes -}}
{{- if .Values.appVolumeMounts -}}
{{- include "common.storage.configureAppVolumes" $volDict | nindent 0 -}}
{{- end -}}
{{- if .Values.additionalAppVolumeMounts -}}
{{- include "common.storage.configureAppVolumes" $volExtraDict | nindent 0 -}}
{{- end -}}
{{- end -}}
{{/*
Get all container volume moutns configuration
*/}}
{{- define "common.storage.allContainerVolumeMounts" -}}
{{- if .Values.appVolumeMounts -}}
{{- include "common.storage.configureAppVolumeMountsInContainer" .Values.appVolumeMounts | nindent 0 -}}
{{- end -}}
{{- if .Values.additionalAppVolumeMounts -}}
{{- include "common.storage.configureAppVolumeMountsInContainer" .Values.additionalAppVolumeMounts | nindent 0 -}}
{{- end -}}
{{- end -}}

View File

@@ -1,11 +0,0 @@
{{/*
Retrieve host path from ix volumes based on dataset name
*/}}
{{- define "common.storage.retrieveHostPathFromiXVolume" -}}
{{- range $index, $hostPathConfiguration := $.ixVolumes }}
{{- $dsName := base $hostPathConfiguration.hostPath -}}
{{- if eq $.datasetName $dsName -}}
{{- $hostPathConfiguration.hostPath -}}
{{- end }}
{{- end }}
{{- end -}}

View File

@@ -5,25 +5,7 @@ before chart installation.
{{- define "common.storage.permissions" -}}
{{- if .Values.fixMountPermissions }}
{{- if .Values.appVolumeMounts }}
{{- range $name, $vm := .Values.appVolumeMounts -}}
{{- if and $vm.enabled $vm.setPermissions}}
{{- print "---" | nindent 0 -}}
{{- $VMValues := $vm -}}
{{- if not $VMValues.nameSuffix -}}
{{- $_ := set $VMValues "nameSuffix" $name -}}
{{ end -}}
{{- $_ := set $ "ObjectValues" (dict "appVolumeMounts" $VMValues) -}}
{{ include "common.storage.permissions.job" $ | nindent 0 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.additionalAppVolumeMounts }}
{{- range $index, $avm := .Values.additionalAppVolumeMounts -}}
{{- range $index, $avm := .Values.customStorage -}}
{{- if and $avm.enabled $avm.setPermissions}}
{{- print "---" | nindent 0 -}}
@@ -34,9 +16,69 @@ before chart installation.
{{- $_ := set $ "ObjectValues" (dict "appVolumeMounts" $AVMValues) -}}
{{ include "common.storage.permissions.job" $ | nindent 0 }}
{{- end }}
{{- end }}
{{- end }}
{{- $values := .Values.appVolumeMounts -}}
{{- if hasKey . "ObjectValues" -}}
{{- with .ObjectValues.appVolumeMounts -}}
{{- $values = . -}}
{{- end -}}
{{ end -}}
{{- $JobName := include "common.names.fullname" . -}}
{{- if hasKey $values "nameSuffix" -}}
{{- $JobName = printf "%v-%v" $JobName $values.nameSuffix -}}
{{ end -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ $JobName }}
labels:
{{- include "common.labels" . | nindent 4 }}
{{- with .Values.controllerLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-10"
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
{{- with .Values.controllerAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "common.labels.selectorLabels" . | nindent 8 }}
spec:
restartPolicy: Never
containers:
- name: set-mount-permissions
image: "alpine:3.3"
command:
- /bin/sh
- -c
- |
chown -R{{ if eq .podSecurityContext.runAsNonRoot false }}{{ print .Values.PUID }}{{ else }}{{ print .podSecurityContext.runAsUser }}{{ end }}:{{ print .podSecurityContext.fsGroup }} {{ print $values.mountPath }}
#args:
#
#securityContext:
#
volumeMounts:
{{- include "common.controller.volumeMounts" . | indent 12 }}
{{- with (include "common.controller.volumes" . | trim) }}
volumes:
{{- . | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -1,63 +0,0 @@
{{/*
This template serves as the blueprint for the mountPermissions job that is run
before chart installation.
*/}}
{{- define "common.storage.permissions.job" -}}
{{- $values := .Values.appVolumeMounts -}}
{{- if hasKey . "ObjectValues" -}}
{{- with .ObjectValues.appVolumeMounts -}}
{{- $values = . -}}
{{- end -}}
{{ end -}}
{{- $JobName := include "common.names.fullname" . -}}
{{- if hasKey $values "nameSuffix" -}}
{{- $JobName = printf "%v-%v" $JobName $values.nameSuffix -}}
{{ end -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ $JobName }}
labels:
{{- include "common.labels" . | nindent 4 }}
{{- with .Values.controllerLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-10"
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
{{- with .Values.controllerAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "common.labels.selectorLabels" . | nindent 8 }}
spec:
restartPolicy: Never
containers:
- name: set-mount-permissions
image: "alpine:3.3"
command:
- /bin/sh
- -c
- |
chown -R {{ print .Values.PUID }}:{{ print .Values.PGID }} {{ print $values.mountPath }}
#args:
#
#securityContext:
#
volumeMounts:
{{- include "common.storage.allContainerVolumeMounts" . | indent 12 }}
{{- with (include "common.controller.volumes" . | trim) }}
volumes:
{{- . | nindent 8 }}
{{- end }}
{{- end }}

View File

@@ -1,42 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper Storage Class
{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
*/}}
{{- define "common.storage.class" -}}
{{- $storageClass := .persistence.storageClass -}}
{{- if .global -}}
{{- if .global.storageClass -}}
{{- $storageClass = .global.storageClass -}}
{{- end -}}
{{- end -}}
{{- if $storageClass -}}
{{- if (eq "-" $storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" $storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}

View File

@@ -1,91 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Validate Cassandra required passwords are not empty.
Usage:
{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.cassandra.passwords" -}}
{{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
{{- $enabled := include "common.cassandra.values.enabled" . -}}
{{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
{{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
{{- if and (not $existingSecret) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.cassandra.values.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
*/}}
{{- define "common.cassandra.values.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.cassandra.dbUser.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.dbUser.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled cassandra.
Usage:
{{ include "common.cassandra.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.cassandra.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.cassandra.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key dbUser
Usage:
{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
*/}}
{{- define "common.cassandra.values.key.dbUser" -}}
{{- if .subchart -}}
cassandra.dbUser
{{- else -}}
dbUser
{{- end -}}
{{- end -}}

View File

@@ -1,122 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MariaDB required passwords are not empty.
Usage:
{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret"
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.mariadb.passwords" -}}
{{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}}
{{- $enabled := include "common.mariadb.values.enabled" . -}}
{{- $architecture := include "common.mariadb.values.architecture" . -}}
{{- $authPrefix := include "common.mariadb.values.key.auth" . -}}
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
{{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
{{- if and (not $existingSecret) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
{{- if not (empty $valueUsername) -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- end -}}
{{- if (eq $architecture "replication") -}}
{{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.auth.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.mariadb.auth.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.auth.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled mariadb.
Usage:
{{ include "common.mariadb.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.mariadb.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.mariadb.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for architecture
Usage:
{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.architecture" -}}
{{- if .subchart -}}
{{- .context.Values.mariadb.architecture -}}
{{- else -}}
{{- .context.Values.architecture -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key auth
Usage:
{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.key.auth" -}}
{{- if .subchart -}}
mariadb.auth
{{- else -}}
auth
{{- end -}}
{{- end -}}

View File

@@ -1,127 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MongoDB(R) required passwords are not empty.
Usage:
{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where MongoDB(R) values are stored, e.g: "mongodb-passwords-secret"
- subchart - Boolean - Optional. Whether MongoDB(R) is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.mongodb.passwords" -}}
{{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}}
{{- $enabled := include "common.mongodb.values.enabled" . -}}
{{- $authPrefix := include "common.mongodb.values.key.auth" . -}}
{{- $architecture := include "common.mongodb.values.architecture" . -}}
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
{{- $valueKeyDatabase := printf "%s.database" $authPrefix -}}
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
{{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}}
{{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}}
{{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}}
{{- if and (not $existingSecret) (eq $enabled "true") (eq $authEnabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
{{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }}
{{- if and $valueUsername $valueDatabase -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- end -}}
{{- if (eq $architecture "replicaset") -}}
{{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false
*/}}
{{- define "common.mongodb.values.auth.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.mongodb.auth.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.auth.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled mongodb.
Usage:
{{ include "common.mongodb.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.mongodb.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.mongodb.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key auth
Usage:
{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MongoDB(R) is used as subchart or not. Default: false
*/}}
{{- define "common.mongodb.values.key.auth" -}}
{{- if .subchart -}}
mongodb.auth
{{- else -}}
auth
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for architecture
Usage:
{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mongodb.values.architecture" -}}
{{- if .subchart -}}
{{- .context.Values.mongodb.architecture -}}
{{- else -}}
{{- .context.Values.architecture -}}
{{- end -}}
{{- end -}}

View File

@@ -1,150 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Validate PostgreSQL required passwords are not empty.
Usage:
{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret"
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.postgresql.passwords" -}}
{{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
{{- $enabled := include "common.postgresql.values.enabled" . -}}
{{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
{{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
{{- if and (not $existingSecret) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
{{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
{{- if (eq $enabledReplication "true") -}}
{{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to decide whether evaluate global values.
Usage:
{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
Params:
- key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
*/}}
{{- define "common.postgresql.values.use.global" -}}
{{- if .context.Values.global -}}
{{- if .context.Values.global.postgresql -}}
{{- index .context.Values.global.postgresql .key | quote -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
*/}}
{{- define "common.postgresql.values.existingSecret" -}}
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
{{- if .subchart -}}
{{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
{{- else -}}
{{- default (.context.Values.existingSecret | quote) $globalValue -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled postgresql.
Usage:
{{ include "common.postgresql.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.postgresql.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.postgresql.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key postgressPassword.
Usage:
{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.key.postgressPassword" -}}
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
{{- if not $globalValue -}}
{{- if .subchart -}}
postgresql.postgresqlPassword
{{- else -}}
postgresqlPassword
{{- end -}}
{{- else -}}
global.postgresql.postgresqlPassword
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled.replication.
Usage:
{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.enabled.replication" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.postgresql.replication.enabled -}}
{{- else -}}
{{- printf "%v" .context.Values.replication.enabled -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for the key replication.password.
Usage:
{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.key.replicationPassword" -}}
{{- if .subchart -}}
postgresql.replication.password
{{- else -}}
replication.password
{{- end -}}
{{- end -}}

View File

@@ -1,90 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Validate Redis(TM) required passwords are not empty.
Usage:
{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret"
- subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.redis.passwords" -}}
{{- $existingSecret := include "common.redis.values.existingSecret" . -}}
{{- $enabled := include "common.redis.values.enabled" . -}}
{{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}}
{{- $valueKeyRedisPassword := printf "%s%s" $valueKeyPrefix "password" -}}
{{- $valueKeyRedisUsePassword := printf "%s%s" $valueKeyPrefix "usePassword" -}}
{{- if and (not $existingSecret) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $usePassword := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUsePassword "context" .context) -}}
{{- if eq $usePassword "true" -}}
{{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Redis Auxiliary function to get the right value for existingSecret.
Usage:
{{ include "common.redis.values.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether Redis(TM) is used as subchart or not. Default: false
*/}}
{{- define "common.redis.values.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.redis.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled redis.
Usage:
{{ include "common.redis.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.redis.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.redis.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right prefix path for the values
Usage:
{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
*/}}
{{- define "common.redis.values.keys.prefix" -}}
{{- if .subchart -}}redis.{{- else -}}{{- end -}}
{{- end -}}

View File

@@ -1,65 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
`SPDX-License-Identifier: Apache-2.0`
This file is considered to be modified by the TrueCharts Project.
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Validate values must not be empty.
Usage:
{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
Validate value params:
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
*/}}
{{- define "common.validations.values.multiple.empty" -}}
{{- range .required -}}
{{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
{{- end -}}
{{- end -}}
{{/*
Validate a value must not be empty.
Usage:
{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }}
Validate value params:
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
- subchart - String - Optional - Name of the subchart that the validated password is part of.
*/}}
{{- define "common.validations.values.single.empty" -}}
{{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }}
{{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }}
{{- if not $value -}}
{{- $varname := "my-value" -}}
{{- $getCurrentValue := "" -}}
{{- if and .secret .field -}}
{{- $varname = include "common.utils.fieldToEnvVar" . -}}
{{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}}
{{- end -}}
{{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}}
{{- end -}}
{{- end -}}

View File

@@ -82,12 +82,17 @@ hostNetwork: false
enableServiceLinks: true
# Configure the Security Context for the Pod
podSecurityContext: {}
podSecurityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: "OnRootMismatch"
# Configure the Security Context for the main container
# PUID and PGID gets added automatically!
securityContext: {}
initContainers: []
additionalContainers: []
@@ -241,29 +246,6 @@ persistence:
emptyDir: true
mountPath: /shared
# Special PVC instance, that does get affected by putting "persistence" into questions.yaml
backupPersistence:
buildinbackup:
enabled: false
nameOverride: buildinbackup
## configuration data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
## storageClass: "-"
##
## If you want to reuse an existing claim, you can pass the name of the PVC using
## the existingClaim variable
# existingClaim: your-claim
# subPath: some-subpath
accessMode: ReadWriteOnce
size: 100Gi
## Set to true to retain the PVC upon helm uninstall
skipuninstall: false
additionalVolumes: []
additionalVolumeMounts: []
@@ -312,7 +294,6 @@ resources: {}
PUID: 568
PGID: 568
UMASK: "002"
startAsRoot: false
fixMountPermissions: true
# appVolumeMounts: