diff --git a/charts/druid/Chart.yaml b/charts/druid/Chart.yaml index dc9f1267..45ffcebf 100644 --- a/charts/druid/Chart.yaml +++ b/charts/druid/Chart.yaml @@ -7,5 +7,5 @@ maintainers: - name: Gazza7205 sources: - https://github.com/CAAPIM/apim-charts -version: 1.0.11 +version: 1.0.13 appVersion: 0.17.0 diff --git a/charts/druid/templates/broker/broker-statefulset.yaml b/charts/druid/templates/broker/broker-statefulset.yaml index c0266d89..854f8c3a 100644 --- a/charts/druid/templates/broker/broker-statefulset.yaml +++ b/charts/druid/templates/broker/broker-statefulset.yaml @@ -41,10 +41,20 @@ spec: {{- if .Values.broker.tolerations }} tolerations: {{- toYaml .Values.broker.tolerations | nindent 12 }} {{- end }} + {{- if .Values.broker.podSecurityContext }} + securityContext: {{- toYaml .Values.broker.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} containers: - name: broker image: "{{ .Values.global.portalRepository }}{{ .Values.image.broker }}" imagePullPolicy: "{{ .Values.broker.image.pullPolicy }}" + {{- if .Values.broker.containerSecurityContext }} + securityContext: {{- toYaml .Values.broker.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} envFrom: - configMapRef: name: broker-config diff --git a/charts/druid/templates/coordinator/coordinator-statefulset.yaml b/charts/druid/templates/coordinator/coordinator-statefulset.yaml index 1e227c73..6c8e7a75 100644 --- a/charts/druid/templates/coordinator/coordinator-statefulset.yaml +++ b/charts/druid/templates/coordinator/coordinator-statefulset.yaml 
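Review bot: The container-level `securityContext` added under `- name: broker` uses the same `nindent 12` as the pod-level `securityContext` added above `containers:`, yet the two keys sit at different depths (the container one is aligned with `image:` and `imagePullPolicy:`), so one of the two most likely renders its children at the wrong column; the collapsed diff hides the exact indentation, so please confirm with `helm template` that both blocks render as nested mappings. The same pair of blocks is added in the coordinator, historical, ingestion, kafka, middlemanager, minio and zookeeper templates. For broker (and coordinator, ingestion, middlemanager) the pod-level chain has no `else` branch, so with neither `broker.podSecurityContext` nor `global.podSecurityContext` set the pod runs with the image's defaults, as before this commit; a values.yaml comment should state that a hardened baseline such as `runAsNonRoot: true` and `allowPrivilegeEscalation: false` is opt-in via `global.podSecurityContext` / `global.containerSecurityContext`, and that a per-component value replaces the global one wholesale rather than merging with it. The README row describing `global.podSecurityContext` gives its default as `[]`, while the template expects a mapping (`{}`).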
@@ -41,10 +41,20 @@ spec: {{- if .Values.coordinator.tolerations }} tolerations: {{- toYaml .Values.coordinator.tolerations | nindent 12 }} {{- end }} + {{- if .Values.coordinator.podSecurityContext }} + securityContext: {{- toYaml .Values.coordinator.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} containers: - name: coordinator image: "{{ .Values.global.portalRepository }}{{ .Values.image.coordinator }}" imagePullPolicy: "{{ .Values.coordinator.image.pullPolicy }}" + {{- if .Values.coordinator.containerSecurityContext }} + securityContext: {{- toYaml .Values.coordinator.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: MINIO_ACCESS_KEY valueFrom: diff --git a/charts/druid/templates/historical/historical-statefulset.yaml b/charts/druid/templates/historical/historical-statefulset.yaml index 3204dbcc..47fe6255 100644 --- a/charts/druid/templates/historical/historical-statefulset.yaml +++ b/charts/druid/templates/historical/historical-statefulset.yaml 
@@ -41,12 +41,23 @@ spec: {{- if .Values.historical.tolerations }} tolerations: {{- toYaml .Values.historical.tolerations | nindent 12 }} {{- end }} + {{- if .Values.historical.podSecurityContext }} + securityContext: {{- toYaml .Values.historical.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- else }} securityContext: fsGroup: 1010 + {{- end }} containers: - name: historical image: "{{ .Values.global.portalRepository }}{{ .Values.image.historical }}" imagePullPolicy: "{{ .Values.historical.image.pullPolicy }}" + {{- if .Values.historical.containerSecurityContext }} + securityContext: {{- toYaml .Values.historical.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: MINIO_ACCESS_KEY valueFrom: diff --git a/charts/druid/templates/ingestion/ingestion-deployment.yaml b/charts/druid/templates/ingestion/ingestion-deployment.yaml index e3435edf..e3e546a9 100644 --- a/charts/druid/templates/ingestion/ingestion-deployment.yaml +++ b/charts/druid/templates/ingestion/ingestion-deployment.yaml 
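Review bot: The `else` branch keeps `fsGroup: 1010` only when no security context is supplied at all, so a user who sets `global.podSecurityContext` just to harden the pods (for example only `runAsNonRoot: true`) silently loses the `fsGroup` the historical data volume has relied on until now; the same applies to the kafka, minio and zookeeper templates. Unless volume ownership is fixed elsewhere, either fold the default into the user-supplied context with Sprig's `mergeOverwrite` so an override only adds to `fsGroup: 1010`, or add a values.yaml comment stating that any `podSecurityContext` override for these stateful components must restate `fsGroup: 1010`.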
@@ -42,10 +42,20 @@ spec: {{- if .Values.ingestion.tolerations }} tolerations: {{- toYaml .Values.ingestion.tolerations | nindent 12 }} {{- end }} + {{- if .Values.ingestion.podSecurityContext }} + securityContext: {{- toYaml .Values.ingestion.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} containers: - name: ingestion-server image: "{{ .Values.global.portalRepository }}{{ .Values.image.ingestion }}" imagePullPolicy: "{{ .Values.ingestion.image.pullPolicy }}" + {{- if .Values.ingestion.containerSecurityContext }} + securityContext: {{- toYaml .Values.ingestion.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: MINIO_ACCESS_KEY valueFrom: diff --git a/charts/druid/templates/ingestion/ingestion-pdb.yaml b/charts/druid/templates/ingestion/ingestion-pdb.yaml index c4c2d41a..8c0e185f 100644 --- a/charts/druid/templates/ingestion/ingestion-pdb.yaml +++ b/charts/druid/templates/ingestion/ingestion-pdb.yaml @@ -14,5 +14,5 @@ spec: {{- end }} selector: matchLabels: - app: ingestion + app: ingestion-server {{ end }} diff --git a/charts/druid/templates/kafka/kafka-statefulset.yaml b/charts/druid/templates/kafka/kafka-statefulset.yaml index 8c57e5a6..23bc2940 100644 --- a/charts/druid/templates/kafka/kafka-statefulset.yaml +++ b/charts/druid/templates/kafka/kafka-statefulset.yaml 
@@ -41,12 +41,23 @@ spec: {{- if .Values.kafka.tolerations }} tolerations: {{- toYaml .Values.kafka.tolerations | nindent 12 }} {{- end }} + {{- if .Values.kafka.podSecurityContext }} + securityContext: {{- toYaml .Values.kafka.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- else }} securityContext: fsGroup: 1010 + {{- end }} containers: - name: kafka image: "{{ .Values.global.portalRepository }}{{ .Values.image.kafka }}" imagePullPolicy: "{{ .Values.kafka.image.pullPolicy }}" + {{- if .Values.kafka.containerSecurityContext }} + securityContext: {{- toYaml .Values.kafka.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} envFrom: - configMapRef: name: kafka-config diff --git a/charts/druid/templates/middlemanager/middlemanager-statefulset.yaml b/charts/druid/templates/middlemanager/middlemanager-statefulset.yaml index ab375dbf..e1eacd5c 100644 --- a/charts/druid/templates/middlemanager/middlemanager-statefulset.yaml +++ b/charts/druid/templates/middlemanager/middlemanager-statefulset.yaml 
@@ -41,10 +41,20 @@ spec: {{- if .Values.middlemanager.tolerations }} tolerations: {{- toYaml .Values.middlemanager.tolerations | nindent 12 }} {{- end }} + {{- if .Values.middlemanager.podSecurityContext }} + securityContext: {{- toYaml .Values.middlemanager.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} containers: - name: middlemanager image: "{{ .Values.global.portalRepository }}{{ .Values.image.middlemanager }}" imagePullPolicy: "{{ .Values.middlemanager.image.pullPolicy }}" + {{- if .Values.middlemanager.containerSecurityContext }} + securityContext: {{- toYaml .Values.middlemanager.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: MINIO_ACCESS_KEY valueFrom: diff --git a/charts/druid/templates/minio/minio-statefulset.yaml b/charts/druid/templates/minio/minio-statefulset.yaml index 08686ee7..b2a2ba36 100644 --- a/charts/druid/templates/minio/minio-statefulset.yaml +++ b/charts/druid/templates/minio/minio-statefulset.yaml @@ -42,8 +42,14 @@ spec: {{- if .Values.minio.tolerations }} tolerations: {{- toYaml .Values.minio.tolerations | nindent 12 }} {{- end }} + {{- if .Values.minio.podSecurityContext }} + securityContext: {{- toYaml .Values.minio.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- else }} securityContext: fsGroup: 1010 + {{- end }} containers: {{ $address := print ".minio." .Release.Namespace ".svc.cluster.local/opt/data" }} - command: 
@@ -56,7 +62,12 @@ spec: {{ end }} name: minio image: "{{ .Values.global.portalRepository }}{{ .Values.image.minio }}" - imagePullPolicy: "{{ .Values.minio.image.pullPolicy }}" + imagePullPolicy: "{{ .Values.minio.image.pullPolicy }}" + {{- if .Values.minio.containerSecurityContext }} + securityContext: {{- toYaml .Values.minio.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: MINIO_ACCESS_KEY valueFrom: diff --git a/charts/druid/templates/zookeeper/zookeeper-statefulset.yaml b/charts/druid/templates/zookeeper/zookeeper-statefulset.yaml index 2934f0a7..1ab05c5b 100644 --- a/charts/druid/templates/zookeeper/zookeeper-statefulset.yaml +++ b/charts/druid/templates/zookeeper/zookeeper-statefulset.yaml @@ -44,12 +44,23 @@ spec: {{- if .Values.zookeeper.tolerations }} tolerations: {{- toYaml .Values.zookeeper.tolerations | nindent 12 }} {{- end }} + {{- if .Values.zookeeper.podSecurityContext }} + securityContext: {{- toYaml .Values.zookeeper.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- else }} securityContext: fsGroup: 1010 + {{- end }} containers: - name: zookeeper image: "{{ .Values.global.portalRepository }}{{ .Values.image.zookeeper }}" imagePullPolicy: "{{ .Values.zookeeper.image.pullPolicy }}" + {{- if .Values.zookeeper.containerSecurityContext }} + securityContext: {{- toYaml .Values.zookeeper.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} ports: - containerPort: 2181 - containerPort: 2888 diff --git a/charts/portal/Chart.lock b/charts/portal/Chart.lock index 3beccb98..6efd356d 100644 --- a/charts/portal/Chart.lock 
+++ b/charts/portal/Chart.lock @@ -1,15 +1,15 @@ dependencies: - name: druid repository: file://../druid - version: 1.0.11 + version: 1.0.13 - name: mysql repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami - version: 9.4.7 + version: 9.19.1 - name: rabbitmq repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami version: 12.0.3 - name: ingress-nginx repository: https://kubernetes.github.io/ingress-nginx/ version: 4.7.2 -digest: sha256:f389872802ff4b5fa8e629a7218888f295477b84e144b4d224ef5726d162ad2d -generated: "2023-10-11T16:00:27.1193375+05:30" +digest: sha256:fabdd9a1a279335547e764c767281be489be70ddd02f0d2807e4403e591226eb +generated: "2024-02-20T14:13:27.1279746+05:30" diff --git a/charts/portal/Chart.yaml b/charts/portal/Chart.yaml index 76baad15..85d35794 100644 --- a/charts/portal/Chart.yaml +++ b/charts/portal/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "5.2.2.1" +appVersion: "5.2.3" description: CA API Developer Portal name: portal -version: 2.3.7 +version: 2.3.8 type: application home: https://github.com/CAAPIM/apim-charts maintainers: @@ -16,7 +16,7 @@ dependencies: condition: portal.analytics.enabled repository: "file://../druid" - name: mysql - version: 9.4.7 + version: 9.19.1 repository: "https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami" condition: global.setupDemoDatabase - name: rabbitmq diff --git a/charts/portal/README.md b/charts/portal/README.md index 4871c8e1..2afd1e84 100644 --- a/charts/portal/README.md +++ b/charts/portal/README.md 
@@ -3,6 +3,8 @@ The Layer7 API Developer Portal (API Portal) is part of the Layer7 API Managemen ## Introduction This Chart deploys the Layer7 API Developer Portal on a Kubernetes Cluster using the Helm Package Manager. +## 2.3.8 General Updates +- This new version of the chart supports API Portal 5.2.3 ## 2.3.7 General Updates - This new version of the chart supports API Portal 5.2.2.1 ## 2.3.6 General Updates @@ -200,6 +202,9 @@ This section describes configurable parameters in **values.yaml**, there is also | `global.schedulerName` | Global Scheduler name for Portal + Analytics, this doesn't apply to other subcharts | `not set` | | `global.saas` | Reserved | `not set` | | `global.additionalLabels` | A list of custom key: value labels applied to all components | `not set` | +| `global.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) settings are applied to all portal microservices. | `[]` | +| `global.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) settings are applied to all portal microservices. | `{}` | + ### Portal Parameters | Parameter | Description | Default | 
@@ -277,6 +282,8 @@ This section describes configurable parameters in **values.yaml**, there is also | `analytics.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `analytics.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `analytics.pdb.minAvailable` | Minimum number of available pods | `1` | +| `analytics.podSecurityContext` | Analytics pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `analytics.containerSecurityContext` | Analytics container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `analytics.strategy` | Update strategy | `{} evaluated as a template` | | `analytics.resources` | Resource request/limits | `{} evaluated as a template` | | `analytics.nodeSelector` | Node labels for pod assignment | `{} evaluated as a template` | @@ -290,6 +297,8 @@ This section describes configurable parameters in **values.yaml**, there is also | `apim.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `apim.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `apim.pdb.minAvailable` | Minimum number of available pods | `1` | +| `apim.podSecurityContext` | APIM pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `apim.containerSecurityContext` | APIM container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `apim.strategy` | Update strategy | `{} evaluated as a template` | | `apim.resources` | Resource request/limits | `{} evaluated as a template` | | `apim.nodeSelector` | Node labels for pod assignment | `{} evaluated as a template` | 
@@ -315,6 +324,8 @@ This section describes configurable parameters in **values.yaml**, there is also | `authenticator.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `authenticator.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `authenticator.pdb.minAvailable` | Minimum number of available pods | `1` | +| `authenticator.podSecurityContext` | authenticator pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `authenticator.containerSecurityContext` | authenticator container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `authenticator.strategy` | Update strategy | `{} evaluated as a template` | | `authenticator.resources` | Resource request/limits | `{} evaluated as a template` | | `authenticator.nodeSelector` | Node labels for pod assignment | `{} evaluated as a template` | @@ -327,6 +338,8 @@ This section describes configurable parameters in **values.yaml**, there is also | `dispatcher.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `dispatcher.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `dispatcher.pdb.minAvailable` | Minimum number of available pods | `1` | +| `dispatcher.podSecurityContext` | Dispatcher pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `dispatcher.containerSecurityContext`| Dispatcher container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `dispatcher.strategy` | Update strategy | `{} evaluated as a template` | | `dispatcher.resources` | Resource request/limits | `{} evaluated as a template` | | `dispatcher.nodeSelector` | Node labels for pod assignment | `{} evaluated as a template` | 
@@ -353,6 +366,8 @@ This section describes configurable parameters in **values.yaml**, there is also | `portalData.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `portalData.affinity` | Affinity for pod assignment | `{} evaluated as a template` | | `portalData.additionalLabels` | A list of custom key: value labels | `not set` | +| `portalData.podSecurityContext` | Portal-data pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `portalData.containerSecurityContext`| Portal-data container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `portalEnterprise.forceRedeploy` | Force redeployment during helm upgrade whether there is a change or not | `false` | | `portalEnterprise.replicaCount` | Number of portal-enterprise nodes | `1` | | `portalEnterprise.javaOptions` | Java Options to pass in | `-Xms2g -Xmx2g` | 
@@ -366,6 +381,9 @@ This section describes configurable parameters in **values.yaml**, there is also | `portalEnterprise.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `portalEnterprise.affinity` | Affinity for pod assignment | `{} evaluated as a template` | | `portalEnterprise.additionalLabels` | A list of custom key: value labels | `not set` | +| `portalEnterprise.podSecurityContext`| Portal enterprise pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `portalEnterprise.containerSecurityContext`| Portal enterprise container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | +| `portalEnterprise.forceRedeploy` | Force redeployment during helm upgrade whether there is a change or not | `false` | | `pssg.forceRedeploy` | Force redeployment during helm upgrade whether there is a change or not | `false` | | `pssg.replicaCount` | Number of PSSG nodes | `1` | | `pssg.image.pullPolicy` | PSSG image pull policy | `IfNotPresent` | 
@@ -378,6 +396,8 @@ This section describes configurable parameters in **values.yaml**, there is also | `pssg.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `pssg.affinity` | Affinity for pod assignment | `{} evaluated as a template` | | `pssg.additionalLabels` | A list of custom key: value labels | `not set` | +| `pssg.podSecurityContext` | PSSG pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `pssg.containerSecurityContext`| PSSG container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `pssg.additionalEnv.CONFIG_8443_TLS` | Enabled Port 8443 TLS Versions | `If not specfied, Portal TLS defaults are enabled.` see [Portal TLS Defaults](#portal-tls-defaults) | | `pssg.additionalEnv.CONFIG_9443_TLS` | Enabled Port 9443 TLS Versions | `If not specfied, Portal TLS defaults are enabled` see [Portal TLS Defaults](#portal-tls-defaults) | | `pssg.additionalEnv.CONFIG_9446_TLS` | Enabled Port 9446 TLS Versions | `If not specfied, Portal TLS defaults are enabled` see [Portal TLS Defaults](#portal-tls-defaults) | 
@@ -401,10 +421,14 @@ This section describes configurable parameters in **values.yaml**, there is also | `tenantProvisioner.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `tenantProvisioner.affinity ` | Affinity for pod assignment | `{} evaluated as a template` | | `tenantProvisioner.additionalLabels` | A list of custom key: value labels | `not set` | +| `tenantProvisioner.podSecurityContext`| Tenant provisioner pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `tenantProvisioner.containerSecurityContext`| Tenant provisioner container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `jobs.nodeSelector` | Node labels for pod assignment | `{} evaluated as a template` | | `jobs.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `jobs.labels` | A list of custom key: value labels applied to jobs | `not set` | | `jobs.image.PullPolicy` | Image pull policy applied to jobs | `IfNotPresent` | +| `jobs.podSecurityContext` | Pod's security context settings applied to jobs. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `jobs.containerSecurityContext`| Container's security context settings applied to jobs. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | ### Database Node Pool Configurations 
@@ -637,18 +661,18 @@ Portal Analytics ### Portal Images | Parameter | Description | Default | |-------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------| -| `image.dispatcher` | dispatcher image | `dispatcher:5.2.2` | -| `image.pssg` | PSSG image | `pssg:5.2.2` | -| `image.apim` | APIM ingress image | `ingress:5.2.2.1` | -| `image.enterprise` | portal-enterprise image | `portal-enterprise:5.2.2` | -| `image.data` | portal-data image | `portal-data:5.2.2` | -| `image.tps` | tenant provisioner image | `tenant-provisioning-service:5.2.2` | -| `image.analytics` | Analytics image | `analytics-server:5.2.2` | -| `image.authenticator` | Authenticator image | `authenticator:5.2.2` | -| `image.dbUpgrade` | db upgrade image | `db-upgrade-portal:5.2.2` | -| `image.rbacUpgrade` | Analytics image, per Portal version | `db-upgrade-rbac:5.2.2` | -| `image.upgradeVerify` | Upgrade verification image | `upgrade-verify:5.2.2` | -| `image.tlsManager` | TLS manager image | `tls-automator:5.2.2` | +| `image.dispatcher` | dispatcher image | `dispatcher:5.2.3` | +| `image.pssg` | PSSG image | `pssg:5.2.3` | +| `image.apim` | APIM ingress image | `ingress:5.2.3` | +| `image.enterprise` | portal-enterprise image | `portal-enterprise:5.2.3` | +| `image.data` | portal-data image | `portal-data:5.2.3` | +| `image.tps` | tenant provisioner image | `tenant-provisioning-service:5.2.3` | +| `image.analytics` | Analytics image | `analytics-server:5.2.3` | +| `image.authenticator` | Authenticator image | `authenticator:5.2.3` | +| `image.dbUpgrade` | db upgrade image | `db-upgrade-portal:5.2.3` | +| `image.rbacUpgrade` | Analytics image, per Portal version | `db-upgrade-rbac:5.2.3` | +| `image.upgradeVerify` | Upgrade verification image | `upgrade-verify:5.2.3` | +| `image.tlsManager` | TLS manager image | `tls-automator:5.2.3` | ## 
Subcharts For Production, use an external MySQL Server. @@ -688,6 +712,8 @@ The following table lists the configured parameters of the Druid Subchart: | `druid.minio.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `druid.minio.affinity` | Affinity for pod assignment | `{} evaluated as a template` | | `druid.minio.additionalLabels` | A list of custom key: value labels | `not set` | +| `druid.minio.podSecurityContext` | Minio pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `druid.minio.containerSecurityContext` | Minio container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `druid.zookeeper.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `druid.zookeeper.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `druid.zookeeper.pdb.minAvailable` | Minimum number of available pods | `not set` | 
@@ -698,6 +724,8 @@ The following table lists the configured parameters of the Druid Subchart: | `druid.zookeeper.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `druid.zookeeper.affinity` | Affinity for pod assignment | `{} evaluated as a template` | | `druid.zookeeper.additionalLabels` | A list of custom key: value labels | `not set` | +| `druid.zookeeper.podSecurityContext` | Zookeeper pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `druid.zookeeper.containerSecurityContext` | Zookeeper container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `druid.coordinator.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `druid.coordinator.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `druid.coordinator.pdb.minAvailable` | Minimum number of available pods | `not set` | @@ -708,6 +736,8 @@ The following table lists the configured parameters of the Druid Subchart: | `druid.coodinator.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `druid.coordinator.affinity` | Affinity for pod assignment | `{} evaluated as a template` | | `druid.coordinator.additionalLabels` | A list of custom key: value labels | `not set` | +| `druid.coordinator.podSecurityContext` | Coordinator pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `druid.coordinator.containerSecurityContext` | Coordinator container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `druid.kafka.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `druid.kafka.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `druid.kafka.pdb.minAvailable` | Minimum number of available pods | `not set` | 
@@ -718,6 +748,8 @@ The following table lists the configured parameters of the Druid Subchart: | `druid.kafka.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `druid.kafka.affinity` | Affinity for pod assignment | `{} evaluated as a template` | | `druid.kafka.additionalLabels` | A list of custom key: value labels | `not set` | +| `druid.kafka.podSecurityContext` | Kafka pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `druid.kafka.containerSecurityContext` | Kafka container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `druid.broker.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `druid.broker.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `druid.broker.pdb.minAvailable` | Minimum number of available pods | `not set` | @@ -728,6 +760,8 @@ The following table lists the configured parameters of the Druid Subchart: | `druid.broker.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `druid.broker.affinity` | Affinity for pod assignment | `{} evaluated as a template` | | `druid.broker.additionalLabels` | A list of custom key: value labels | `not set` | +| `druid.broker.podSecurityContext` | Broker pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `druid.broker.containerSecurityContext` | Broker container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `druid.historical.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `druid.historical.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `druid.historical.pdb.minAvailable` | Minimum number of available pods | `not set` | 
@@ -738,6 +772,8 @@ The following table lists the configured parameters of the Druid Subchart: | `druid.historical.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `druid.historical.affinity` | Affinity for pod assignment | `{} evaluated as a template` | | `druid.historical.additionalLabels` | A list of custom key: value labels | `not set` | +| `druid.historical.podSecurityContext` | Historical pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `druid.historical.containerSecurityContext` | Historical container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `druid.ingestion.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `druid.ingestion.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `druid.ingestion.pdb.minAvailable` | Minimum number of available pods | `not set` | 
@@ -748,6 +784,8 @@ The following table lists the configured parameters of the Druid Subchart: | `druid.ingestion.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `druid.ingestion.affinity` | Affinity for pod assignment | `{} evaluated as a template` | | `druid.ingestion.additionalLabels` | A list of custom key: value labels | `not set` | +| `druid.ingestion.podSecurityContext` | Ingestion pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `druid.ingestion.containerSecurityContext` | Ingestion container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `druid.middlemanager.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `druid.middlemanager.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `druid.middlemanager.pdb.minAvailable` | Minimum number of available pods | `not set` | 
@@ -758,20 +796,22 @@ The following table lists the configured parameters of the Druid Subchart: | `druid.middlemanager.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `druid.middlemanager.affinity` | Affinity for pod assignment | `{} evaluated as a template` | | `druid.middlemanager.additionalLabels` | A list of custom key: value labels | `not set` | +| `druid.middlemanager.podSecurityContext` | Middle manager pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `druid.middlemanager.containerSecurityContext` | Middle manager container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | ## Druid Images The following table lists the configured parameters of the Druid Subchart | Parameter | Description | Default | |-----------------------------|---------------------|--------------------------| -| `druid.image.zookeeper ` | Zookeeper image | `zookeeper:5.2.2` | -| `druid.image.broker` | Broker image | `druid:5.2.2` | -| `druid.image.coordinator` | Coordinator | `druid:5.2.2` | -| `druid.image.middlemanager` | Middlemanager image | `druid:5.2.2` | -| `druid.image.minio` | Minio image | `minio:5.2.2` | -| `druid.image.historical` | Historical image | `druid:5.2.2` | -| `druid.image.kafka` | Kafka image | `kafka:5.2.2` | -| `druid.image.ingestion` | Ingestion image | `ingestion-server:5.2.2` | +| `druid.image.zookeeper ` | Zookeeper image | `zookeeper:5.2.3` | +| `druid.image.broker` | Broker image | `druid:5.2.3` | +| `druid.image.coordinator` | Coordinator | `druid:5.2.3` | +| `druid.image.middlemanager` | Middlemanager image | `druid:5.2.3` | +| `druid.image.minio` | Minio image | `minio:5.2.3` | +| `druid.image.historical` | Historical image | `druid:5.2.3` | +| `druid.image.kafka` | Kafka image | `kafka:5.2.3` | +| `druid.image.ingestion` | Ingestion image | `ingestion-server:5.2.3` | ## RabbitMQ The following 
table lists the configured parameters of the Bitnami RabbitMQ Subchart - https://github.com/bitnami/charts/tree/master/bitnami/rabbitmq @@ -892,6 +932,23 @@ Resulting hostnames: | TSSG sync | `dev-portal-sync.example.com` | `sync.example.com` | | API analytics | `dev-portal-analytics.example.com` | `analytics.example.com` | +## Installing in OpenShift +Fetch the OC namespace openshift.io/sa.scc.uid-range values(`/`) and openshift.io/sa.scc.supplemental-groups(`/`) annotation values. +[Refer to OpenShift documentation](https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth) + +Set the following global values in the override-values.yaml and do the helm install. +``` +global: + podSecurityContext: + fsGroup: + runAsNonRoot: true + containerSecurityContext: + runAsUser: +ingress: + type: + kubernetes: false + openshift: true +``` ## Persistent Volumes With the deployment of API Portal, PersistentVolumeClaims (PVC) are created for components as below: diff --git a/charts/portal/charts/druid-1.0.13.tgz b/charts/portal/charts/druid-1.0.13.tgz new file mode 100644 index 00000000..5bee2946 Binary files /dev/null and b/charts/portal/charts/druid-1.0.13.tgz differ diff --git a/charts/portal/charts/mysql-9.19.1.tgz b/charts/portal/charts/mysql-9.19.1.tgz new file mode 100644 index 00000000..164835ef Binary files /dev/null and b/charts/portal/charts/mysql-9.19.1.tgz differ diff --git a/charts/portal/charts/mysql-9.4.7.tgz b/charts/portal/charts/mysql-9.4.7.tgz deleted file mode 100644 index 716e485e..00000000 Binary files a/charts/portal/charts/mysql-9.4.7.tgz and /dev/null differ diff --git a/charts/portal/templates/analytics-server/analytics-deployment.yaml b/charts/portal/templates/analytics-server/analytics-deployment.yaml index 58c14e74..276f5a3a 100644 --- a/charts/portal/templates/analytics-server/analytics-deployment.yaml 
+++ b/charts/portal/templates/analytics-server/analytics-deployment.yaml @@ -47,6 +47,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.analytics.podSecurityContext }} + securityContext: {{- toYaml .Values.analytics.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" @@ -58,6 +63,11 @@ spec: - name: analytics-server image: "{{ .Values.global.portalRepository }}{{ .Values.image.analytics }}" imagePullPolicy: "{{ .Values.analytics.image.pullPolicy }}" + {{- if .Values.analytics.containerSecurityContext }} + securityContext: {{- toYaml .Values.analytics.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: RABBITMQ_PASSWORD valueFrom: diff --git a/charts/portal/templates/apim/apim-deployment.yaml b/charts/portal/templates/apim/apim-deployment.yaml index 797d5fc3..c23544d9 100644 --- a/charts/portal/templates/apim/apim-deployment.yaml +++ b/charts/portal/templates/apim/apim-deployment.yaml @@ -43,6 +43,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.apim.podSecurityContext }} + securityContext: {{- toYaml .Values.apim.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" 
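Review bot: The init container `liquidbase-upgrade-portal` in the same pod spec gets no container-level securityContext — only the `analytics-server` container does — so a `runAsUser` set in `global.containerSecurityContext` never reaches it, and with `runAsNonRoot: true` at pod level (the documented example) an upgrade-verify image that defaults to root would be rejected by the kubelet at container create time. The same gap is in the apim, authenticator, portal-data, portal-enterprise, pssg and tenant-provisioner deployment hunks, which carry the identical init container. Rendering the same if/else-if pair under the init container closes it; moving that pair into a named helper in `_helpers.tpl` would keep the ten copies from drifting. Note also that because an empty map is falsy, a component cannot opt out of `global.*` by setting `{}` — the `else if` always falls through, which is fine as long as it is the intended contract. The init container's remaining lines (imagePullPolicy, env) are outside the hunk.
```yaml
      initContainers:
        - name: liquidbase-upgrade-portal
          image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}"
          {{- if .Values.analytics.containerSecurityContext }}
          securityContext: {{- toYaml .Values.analytics.containerSecurityContext | nindent 12 }}
          {{- else if .Values.global.containerSecurityContext }}
          securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }}
          {{- end }}
          # … unchanged: imagePullPolicy, env …
```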
@@ -54,6 +59,11 @@ spec: - name: apim image: "{{ .Values.global.portalRepository }}{{ .Values.image.apim }}" imagePullPolicy: {{ .Values.apim.image.pullPolicy | quote }} + {{- if .Values.apim.containerSecurityContext }} + securityContext: {{- toYaml .Values.apim.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: RABBITMQ_DEFAULT_PASS valueFrom: diff --git a/charts/portal/templates/authenticator/authenticator-deployment.yaml b/charts/portal/templates/authenticator/authenticator-deployment.yaml index dc56fd90..cc4566de 100644 --- a/charts/portal/templates/authenticator/authenticator-deployment.yaml +++ b/charts/portal/templates/authenticator/authenticator-deployment.yaml @@ -43,6 +43,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.authenticator.podSecurityContext }} + securityContext: {{- toYaml .Values.authenticator.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" @@ -54,6 +59,11 @@ spec: - name: authenticator image: "{{ .Values.global.portalRepository }}{{ .Values.image.authenticator }}" imagePullPolicy: "{{ .Values.authenticator.image.pullPolicy }}" + {{- if .Values.authenticator.containerSecurityContext }} + securityContext: {{- toYaml .Values.authenticator.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: RABBITMQ_PASSWORD valueFrom: 
diff --git a/charts/portal/templates/dispatcher/dispatcher-deployment.yaml b/charts/portal/templates/dispatcher/dispatcher-deployment.yaml index 097c4a71..50760755 100644 --- a/charts/portal/templates/dispatcher/dispatcher-deployment.yaml +++ b/charts/portal/templates/dispatcher/dispatcher-deployment.yaml @@ -43,10 +43,20 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.dispatcher.podSecurityContext }} + securityContext: {{- toYaml .Values.dispatcher.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} containers: - name: dispatcher image: "{{ .Values.global.portalRepository }}{{ .Values.image.dispatcher }}" imagePullPolicy: "{{ .Values.dispatcher.image.pullPolicy }}" + {{- if .Values.dispatcher.containerSecurityContext }} + securityContext: {{- toYaml .Values.dispatcher.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: HTTPD_SSL_KEY valueFrom: diff --git a/charts/portal/templates/jobs/cert-update-job.yaml b/charts/portal/templates/jobs/cert-update-job.yaml index fd261fb2..bc622dab 100644 --- a/charts/portal/templates/jobs/cert-update-job.yaml +++ b/charts/portal/templates/jobs/cert-update-job.yaml 
@@ -24,10 +24,16 @@ spec: spec: serviceAccountName: {{ include "portal.serviceAccountName" . }} restartPolicy: Never + {{- if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 8 }} + {{- end }} containers: - name: {{ .Release.Name }}-tls-manager image: "{{ .Values.global.portalRepository }}{{ .Values.image.tlsManager }}" imagePullPolicy: {{ .Values.jobs.image.pullPolicy }} + {{- if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 10 }} + {{- end }} env: - name: P12_INTERNAL_PASS valueFrom: diff --git a/charts/portal/templates/jobs/db-upgrade-job.yaml b/charts/portal/templates/jobs/db-upgrade-job.yaml index dded490d..e33acc14 100644 --- a/charts/portal/templates/jobs/db-upgrade-job.yaml +++ b/charts/portal/templates/jobs/db-upgrade-job.yaml @@ -22,10 +22,16 @@ spec: template: spec: serviceAccountName: {{ include "portal.serviceAccountName" . }} + {{- if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 8 }} + {{- end }} containers: - name: db-upgrade image: "{{ .Values.global.portalRepository }}{{ .Values.image.dbUpgrade }}" imagePullPolicy: {{ .Values.jobs.image.pullPolicy }} + {{- if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: HOST {{ if .Values.global.setupDemoDatabase }} diff --git a/charts/portal/templates/jobs/rbac-upgrade-job.yaml b/charts/portal/templates/jobs/rbac-upgrade-job.yaml index 689acc2e..b6c7de17 100644 --- a/charts/portal/templates/jobs/rbac-upgrade-job.yaml +++ b/charts/portal/templates/jobs/rbac-upgrade-job.yaml 
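Review bot: The job templates wire only the `global.*` contexts with no `jobs.podSecurityContext` / `jobs.containerSecurityContext` override, unlike every deployment in this change, and the README tables in this diff do not list a job-level key either; the upgrade and TLS images may well need a different uid than the application images, which the current shape cannot express (inferred — the images are not visible here). The container-level indent is also inconsistent: `cert-update-job` uses `nindent 10` while `db-upgrade-job` (this line) and `rbac-upgrade-job` (next hunk) use `nindent 12` — both render valid YAML, but a reader will assume the difference is deliberate, so pick one. Suggested shape for all three, mirroring the deployments: `{{- if .Values.jobs.containerSecurityContext }}` / `securityContext: {{- toYaml .Values.jobs.containerSecurityContext | nindent 10 }}` / `{{- else if .Values.global.containerSecurityContext }}`, plus a `jobs.containerSecurityContext: {}` default and a README row.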
@@ -22,10 +22,16 @@ spec: template: spec: serviceAccountName: {{ include "portal.serviceAccountName" . }} + {{- if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 8 }} + {{- end }} containers: - name: rbac-upgrade image: "{{ .Values.global.portalRepository }}{{ .Values.image.rbacUpgrade }}" imagePullPolicy: {{ .Values.jobs.image.pullPolicy }} + {{- if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: HOST {{ if .Values.global.setupDemoDatabase }} diff --git a/charts/portal/templates/portal-data/portal-data-deployment.yaml b/charts/portal/templates/portal-data/portal-data-deployment.yaml index 367f9601..bbccea67 100644 --- a/charts/portal/templates/portal-data/portal-data-deployment.yaml +++ b/charts/portal/templates/portal-data/portal-data-deployment.yaml @@ -43,6 +43,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.portalData.podSecurityContext }} + securityContext: {{- toYaml .Values.portalData.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" @@ -54,6 +59,11 @@ spec: - name: portal-data image: "{{ .Values.global.portalRepository }}{{ .Values.image.data }}" imagePullPolicy: "{{ .Values.portalData.image.pullPolicy }}" + {{- if .Values.portalData.containerSecurityContext }} + securityContext: {{- toYaml .Values.portalData.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: RABBITMQ_DEFAULT_PASS valueFrom: 
diff --git a/charts/portal/templates/portal-enterprise/portal-enterprise-deployment.yaml b/charts/portal/templates/portal-enterprise/portal-enterprise-deployment.yaml index 3cc8d3dd..580bc2c4 100644 --- a/charts/portal/templates/portal-enterprise/portal-enterprise-deployment.yaml +++ b/charts/portal/templates/portal-enterprise/portal-enterprise-deployment.yaml @@ -43,6 +43,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.portalEnterprise.podSecurityContext }} + securityContext: {{- toYaml .Values.portalEnterprise.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" @@ -54,6 +59,11 @@ spec: - name: portal-enterprise image: "{{ .Values.global.portalRepository }}{{ .Values.image.enterprise }}" imagePullPolicy: "{{ .Values.portalEnterprise.image.pullPolicy }}" + {{- if .Values.portalEnterprise.containerSecurityContext }} + securityContext: {{- toYaml .Values.portalEnterprise.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: RABBITMQ_DEFAULT_PASS valueFrom: diff --git a/charts/portal/templates/pssg/pssg-deployment.yaml b/charts/portal/templates/pssg/pssg-deployment.yaml index 161b5191..f768d28c 100644 --- a/charts/portal/templates/pssg/pssg-deployment.yaml +++ b/charts/portal/templates/pssg/pssg-deployment.yaml 
@@ -43,6 +43,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.pssg.podSecurityContext }} + securityContext: {{- toYaml .Values.pssg.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" @@ -54,6 +59,11 @@ spec: - name: pssg image: "{{ .Values.global.portalRepository }}{{ .Values.image.pssg }}" imagePullPolicy: "{{ .Values.pssg.image.pullPolicy }}" + {{- if .Values.pssg.containerSecurityContext }} + securityContext: {{- toYaml .Values.pssg.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: SSG_ADMIN_USERNAME valueFrom: diff --git a/charts/portal/templates/tenant-provisioner/tenant-provisioner-deployment.yaml b/charts/portal/templates/tenant-provisioner/tenant-provisioner-deployment.yaml index e13d9fb1..9b8fa618 100644 --- a/charts/portal/templates/tenant-provisioner/tenant-provisioner-deployment.yaml +++ b/charts/portal/templates/tenant-provisioner/tenant-provisioner-deployment.yaml @@ -43,6 +43,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.tenantProvisioner.podSecurityContext }} + securityContext: {{- toYaml .Values.tenantProvisioner.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" 
@@ -54,6 +59,11 @@ spec: - name: tenant-provisioner-service image: "{{ .Values.global.portalRepository }}{{ .Values.image.tps }}" imagePullPolicy: "{{ .Values.tenantProvisioner.image.pullPolicy }}" + {{- if .Values.tenantProvisioner.containerSecurityContext }} + securityContext: {{- toYaml .Values.tenantProvisioner.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} ports: - containerPort: 9000 protocol: TCP diff --git a/charts/portal/values-production.yaml b/charts/portal/values-production.yaml index a475a8e5..92520d6b 100644 --- a/charts/portal/values-production.yaml +++ b/charts/portal/values-production.yaml @@ -23,6 +23,15 @@ global: legacyHostnames: false legacyDatabaseNames: false subdomainPrefix: dev-portal + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # podSecurityContext: + # fsGroup: 1001 + # runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} + # containerSecurityContext: + # runAsUser: 1001 helpPage: https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-developer-portal/5-2/ # storageClass: "_" # schedulerName: @@ -181,6 +190,10 @@ analytics: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m 
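Review bot: The commented example under `global.containerSecurityContext` shows only `runAsUser: 1001`; since this block is what operators copy into their override file, it is worth showing the rest of a restricted baseline next to it, commented in the same style: `# allowPrivilegeEscalation: false`, `# capabilities: { drop: ["ALL"] }`, `# seccompProfile: { type: RuntimeDefault }`. `readOnlyRootFilesystem` is better left out of the example unless each image is known not to write to its root filesystem. The `ref:` URL comments would read better with a space after the colon (`# ref: https://...`). The identical hunk in values.yaml (`@@ -23,6 +23,15 @@ global:`) later in this diff should get the same example.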
@@ -218,6 +231,10 @@ apim: rollingUpdate: maxSurge: 2 maxUnavailable: 2 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 1000m @@ -254,6 +271,10 @@ authenticator: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 250m @@ -289,6 +310,10 @@ dispatcher: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m @@ -353,6 +378,10 @@ portalData: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m 
@@ -389,6 +418,10 @@ portalEnterprise: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 250m @@ -424,6 +457,10 @@ pssg: rollingUpdate: maxSurge: 2 maxUnavailable: 2 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m @@ -460,6 +497,10 @@ tenantProvisioner: rollingUpdate: maxSurge: 1 maxUnavailable: 1 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m 
@@ -482,18 +523,18 @@ tenantProvisioner: additionalEnv: image: - dispatcher: dispatcher:5.2.2 - pssg: pssg:5.2.2 - apim: ingress:5.2.2.1 - enterprise: portal-enterprise:5.2.2 - data: portal-data:5.2.2 - tps: tenant-provisioning-service:5.2.2 - analytics: analytics-server:5.2.2 - authenticator: authenticator:5.2.2 - dbUpgrade: db-upgrade-portal:5.2.2 - rbacUpgrade: db-upgrade-rbac:5.2.2 - upgradeVerify: upgrade-verify:5.2.2 - tlsManager: tls-automator:5.2.2 + dispatcher: dispatcher:5.2.3 + pssg: pssg:5.2.3 + apim: ingress:5.2.3 + enterprise: portal-enterprise:5.2.3 + data: portal-data:5.2.3 + tps: tenant-provisioning-service:5.2.3 + analytics: analytics-server:5.2.3 + authenticator: authenticator:5.2.3 + dbUpgrade: db-upgrade-portal:5.2.3 + rbacUpgrade: db-upgrade-rbac:5.2.3 + upgradeVerify: upgrade-verify:5.2.3 + tlsManager: tls-automator:5.2.3 ## ## Subchart Configuration @@ -518,6 +559,10 @@ druid: # consider changing to mode... standalone/distributed. # Once Portal is installed, minio can not be scaled up or down. replicaCount: 4 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} image: pullPolicy: IfNotPresent pdb: @@ -581,6 +626,10 @@ druid: create: false maxUnavailable: "" minAvailable: "" + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: limits: memory: 256Mi 
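Review bot: The `podSecurityContext` / `containerSecurityContext` keys added to the druid block that carries `replicaCount: 4` (the minio stanza, per the comment above it — `@@ -518,6 +559,10 @@ druid:`) have no consumer visible in this diff: the statefulset hunks cover broker, coordinator and historical, and the README rows cover historical, ingestion and middlemanager, but nothing here touches minio, zookeeper or kafka templates. If those templates were not updated the keys are silently ignored and an operator hardening minio would get no effect; please confirm they render the same if/else-if block, or drop the keys. The matching hunks in values.yaml (`@@ -452,6 +493,10 @@ druid:`) have the same question.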
@@ -608,6 +657,10 @@ druid: create: false maxUnavailable: "" minAvailable: "" + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: limits: memory: 512Mi @@ -634,6 +687,10 @@ druid: create: false maxUnavailable: "" minAvailable: "" + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m @@ -662,6 +719,10 @@ druid: create: false maxUnavailable: "" minAvailable: "" + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: memory: 1Gi @@ -688,6 +749,10 @@ druid: create: false maxUnavailable: "" minAvailable: "" + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: memory: 2Gi 
@@ -715,6 +780,10 @@ druid: maxUnavailable: "" minAvailable: "" portName: ingestion-svc + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m @@ -743,6 +812,10 @@ druid: create: false maxUnavailable: "" minAvailable: "" + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: memory: 4Gi @@ -762,14 +835,14 @@ druid: # topologyKey: kubernetes.io/hostname image: - zookeeper: zookeeper:5.2.2 - broker: druid:5.2.2 - coordinator: druid:5.2.2 - middlemanager: druid:5.2.2 - minio: minio:5.2.2 - historical: druid:5.2.2 - kafka: kafka:5.2.2 - ingestion: ingestion-server:5.2.2 + zookeeper: zookeeper:5.2.3 + broker: druid:5.2.3 + coordinator: druid:5.2.3 + middlemanager: druid:5.2.3 + minio: minio:5.2.3 + historical: druid:5.2.3 + kafka: kafka:5.2.3 + ingestion: ingestion-server:5.2.3 # Settings for RabbitMQ - https://github.com/bitnami/charts/tree/master/bitnami/rabbitmq rabbitmq: @@ -779,7 +852,7 @@ rabbitmq: image: registry: caapim repository: message-broker - tag: "5.2.2" + tag: "5.2.3" pullSecrets: - broadcom-apim pdb: 
@@ -852,6 +925,18 @@ rabbitmq: requests: cpu: 1000m memory: 2Gi + customLivenessProbe: + exec: + command: + - sh + - -ec + - curl -f --user {{ .Values.auth.username }}:$RABBITMQ_PASSWORD 127.0.0.1:{{ .Values.containerPorts.manager }}/api/health/checks/virtual-hosts + customReadinessProbe: + exec: + command: + - sh + - -ec + - curl -f --user {{ .Values.auth.username }}:$RABBITMQ_PASSWORD 127.0.0.1:{{ .Values.containerPorts.manager }}/api/health/checks/local-alarms # Settings for Nginx-Ingress - https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx ingress-nginx: @@ -893,7 +978,7 @@ jobs: # MySQL Stable Chart values - https://github.com/bitnami/charts/tree/master/bitnami/mysql mysql: image: - tag: "8.0.31-debian-11-r36" + tag: "8.0.36-debian-11-r4" auth: username: portal existingSecret: database-secret diff --git a/charts/portal/values.yaml b/charts/portal/values.yaml index 756ead27..1310c931 100644 --- a/charts/portal/values.yaml +++ b/charts/portal/values.yaml @@ -23,6 +23,15 @@ global: legacyHostnames: false legacyDatabaseNames: false subdomainPrefix: dev-portal + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # podSecurityContext: + # fsGroup: 1001 + # runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} + # containerSecurityContext: + # runAsUser: 1001 helpPage: https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-developer-portal/5-2/ # storageClass: "_" # schedulerName: 
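Review bot: `curl -f --user {{ .Values.auth.username }}:$RABBITMQ_PASSWORD ...` in both custom probes expands the password into curl's argument list, where it is readable via `/proc/<pid>/cmdline` by any process in the container's PID namespace for the duration of each probe and may be captured by process-listing or audit tooling. curl can take the credential from stdin instead, and `printf` is a shell builtin in busybox/dash/bash so the value never lands in a process argv: `printf 'user = "%s:%s"\n' '{{ .Values.auth.username }}' "$RABBITMQ_PASSWORD" | curl -f -K - 127.0.0.1:{{ .Values.containerPorts.manager }}/api/health/checks/virtual-hosts` (and the same for the `local-alarms` readiness check). The probes are added only to values-production.yaml; values.yaml (`@@ -635,7 +708,7 @@ rabbitmq:` later in this diff) gets just the tag bump, which may be intended but deserves a one-line comment so the two files are not assumed to have drifted.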
@@ -183,6 +192,10 @@ analytics: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 100m @@ -211,6 +224,10 @@ apim: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 1000m @@ -238,6 +255,10 @@ authenticator: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 250m @@ -264,6 +285,10 @@ dispatcher: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 100m 
@@ -319,6 +344,10 @@ portalData: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 100m @@ -346,6 +375,10 @@ portalEnterprise: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 250m @@ -372,6 +405,10 @@ pssg: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 100m @@ -399,6 +436,10 @@ tenantProvisioner: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 100m 
@@ -412,18 +453,18 @@ tenantProvisioner: additionalEnv: image: - dispatcher: dispatcher:5.2.2 - pssg: pssg:5.2.2 - apim: ingress:5.2.2.1 - enterprise: portal-enterprise:5.2.2 - data: portal-data:5.2.2 - tps: tenant-provisioning-service:5.2.2 - analytics: analytics-server:5.2.2 - authenticator: authenticator:5.2.2 - dbUpgrade: db-upgrade-portal:5.2.2 - rbacUpgrade: db-upgrade-rbac:5.2.2 - upgradeVerify: upgrade-verify:5.2.2 - tlsManager: tls-automator:5.2.2 + dispatcher: dispatcher:5.2.3 + pssg: pssg:5.2.3 + apim: ingress:5.2.3 + enterprise: portal-enterprise:5.2.3 + data: portal-data:5.2.3 + tps: tenant-provisioning-service:5.2.3 + analytics: analytics-server:5.2.3 + authenticator: authenticator:5.2.3 + dbUpgrade: db-upgrade-portal:5.2.3 + rbacUpgrade: db-upgrade-rbac:5.2.3 + upgradeVerify: upgrade-verify:5.2.3 + tlsManager: tls-automator:5.2.3 ## ## Subchart Configuration @@ -452,6 +493,10 @@ druid: # consider changing to mode... standalone/distributed. # Once Portal is installed, minio can not be scaled up or down. replicaCount: 1 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} image: pullPolicy: IfNotPresent auth: @@ -501,6 +546,10 @@ druid: replicaCount: 1 image: pullPolicy: IfNotPresent + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: limits: {} # memory: 256Mi 
@@ -518,6 +567,10 @@ druid:
 replicaCount: 1
 image:
 pullPolicy: IfNotPresent
+ # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ podSecurityContext: {}
+ # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ containerSecurityContext: {}
 resources:
 limits: {}
 # memory: 512Mi
@@ -535,6 +588,10 @@ druid:
 replicaCount: 1
 image:
 pullPolicy: IfNotPresent
+ # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ podSecurityContext: {}
+ # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ containerSecurityContext: {}
 resources:
 requests: {}
 # cpu: 100m
@@ -554,6 +611,10 @@ druid:
 replicaCount: 1
 image:
 pullPolicy: IfNotPresent
+ # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ podSecurityContext: {}
+ # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ containerSecurityContext: {}
 resources:
 requests: {}
 # memory: 1Gi
@@ -571,6 +632,10 @@ druid:
 replicaCount: 1
 image:
 pullPolicy: IfNotPresent
+ # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ podSecurityContext: {}
+ # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ containerSecurityContext: {}
 resources:
 requests: {}
 # memory: 2Gi
@@ -589,6 +654,10 @@ druid:
 image:
 pullPolicy: IfNotPresent
 portName: ingestion-svc
+ # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ podSecurityContext: {}
+ # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ containerSecurityContext: {}
 resources:
 requests: {}
 # cpu: 100m
@@ -608,6 +677,10 @@ druid:
 replicaCount: 1
 image:
 pullPolicy: IfNotPresent
+ # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ podSecurityContext: {}
+ # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ containerSecurityContext: {}
 resources:
 requests: {}
 # memory: 4Gi
@@ -618,14 +691,14 @@ druid:
 # affinity: {}
 image:
- zookeeper: zookeeper:5.2.2
- broker: druid:5.2.2
- coordinator: druid:5.2.2
- middlemanager: druid:5.2.2
- minio: minio:5.2.2
- historical: druid:5.2.2
- kafka: kafka:5.2.2
- ingestion: ingestion-server:5.2.2
+ zookeeper: zookeeper:5.2.3
+ broker: druid:5.2.3
+ coordinator: druid:5.2.3
+ middlemanager: druid:5.2.3
+ minio: minio:5.2.3
+ historical: druid:5.2.3
+ kafka: kafka:5.2.3
+ ingestion: ingestion-server:5.2.3
 # Settings for RabbitMQ - https://github.com/bitnami/charts/tree/master/bitnami/rabbitmq
 rabbitmq:
@@ -635,7 +708,7 @@ rabbitmq:
 image:
 registry: caapim
 repository: message-broker
- tag: "5.2.2"
+ tag: "5.2.3"
 pullSecrets:
 - broadcom-apim
 pdb:
@@ -698,7 +771,18 @@ rabbitmq:
 requests: {}
 # cpu: 1000m
 # memory: 2Gi
-
+ customLivenessProbe:
+ exec:
+ command:
+ - sh
+ - -ec
+ - curl -f --user {{ .Values.auth.username }}:$RABBITMQ_PASSWORD 127.0.0.1:{{ .Values.containerPorts.manager }}/api/health/checks/virtual-hosts
+ customReadinessProbe:
+ exec:
+ command:
+ - sh
+ - -ec
+ - curl -f --user {{ .Values.auth.username }}:$RABBITMQ_PASSWORD 127.0.0.1:{{ .Values.containerPorts.manager }}/api/health/checks/local-alarms
 # Settings for Nginx-Ingress - https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx
 ingress-nginx:
@@ -739,7 +823,7 @@ jobs:
 # MySQL Stable Chart values - https://github.com/bitnami/charts/tree/master/bitnami/mysql
 mysql:
 image:
- tag: "8.0.31-debian-11-r36"
+ tag: "8.0.36-debian-11-r4"
 auth:
 username: portal
 existingSecret: database-secret
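Review bot: `$RABBITMQ_PASSWORD` is expanded unquoted inside `sh -ec` in both new probe commands, so a password containing whitespace or glob characters is word-split or globbed and the probe fails; quote the credential argument, `- curl -f --user "{{ .Values.auth.username }}:$RABBITMQ_PASSWORD" 127.0.0.1:{{ .Values.containerPorts.manager }}/api/health/checks/virtual-hosts`, and the same for the local-alarms readiness probe. The expanded password also ends up in curl's argv, where it is readable from the process list inside the container for the lifetime of each probe; feeding it on stdin, e.g. `printf 'user = "%s:%s"\n' '{{ .Values.auth.username }}' "$RABBITMQ_PASSWORD" | curl -f -K - 127.0.0.1:{{ .Values.containerPorts.manager }}/api/health/checks/virtual-hosts`, keeps it out of the command line. The `{{ }}` expressions presumably rely on the rabbitmq subchart rendering these probe values as templates, so `.Values` here is the subchart's scope rather than this chart's; a one-line comment above `customLivenessProbe:` saying so would stop the next reader from assuming the parent values apply.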