diff --git a/.gitleaksignore b/.gitleaksignore index b14ed815..ff45eb46 100644 --- a/.gitleaksignore +++ b/.gitleaksignore @@ -32,4 +32,15 @@ a1b4bf1043a7f3681fdd294579be16aa76a03549:packs/hipster-3.0.0/manifests/hipster.y 9e9db671c183a6c890ed53a7f2a196e07b81fbcb:packs/wordpress-6.4.3/charts/wordpress/README.md:private-key:511 a1b4bf1043a7f3681fdd294579be16aa76a03549:packs/wordpress-5.4.1/charts/wordpress/README.md:private-key:368 a1b4bf1043a7f3681fdd294579be16aa76a03549:packs/kubewatch-1.0.7/charts/kubewatch/values.yaml:generic-api-key:16 -a1b4bf1043a7f3681fdd294579be16aa76a03549:packs/kubewatch-1.0.7/values.yaml:generic-api-key:22 \ No newline at end of file +a1b4bf1043a7f3681fdd294579be16aa76a03549:packs/kubewatch-1.0.7/values.yaml:generic-api-key:22 +285ff65156d65cc6d9e5905129b39feeb4fa8a4a:packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/values.yaml:gcp-service-account:145 +285ff65156d65cc6d9e5905129b39feeb4fa8a4a:packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/values.yaml:generic-api-key:678 +285ff65156d65cc6d9e5905129b39feeb4fa8a4a:packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/values-full.yaml:gcp-service-account:938 +285ff65156d65cc6d9e5905129b39feeb4fa8a4a:packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/values-full.yaml:gcp-service-account:1100 +85ff65156d65cc6d9e5905129b39feeb4fa8a4a:packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/values-full.yaml:gcp-service-account:1107 +285ff65156d65cc6d9e5905129b39feeb4fa8a4a:packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/values-full.yaml:gcp-service-account:1111 +285ff65156d65cc6d9e5905129b39feeb4fa8a4a:packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/configmap.yaml:generic-api-key:24 +285ff65156d65cc6d9e5905129b39feeb4fa8a4a:packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel-v1.1.0.tgz:generic-api-key:24 +285ff65156d65cc6d9e5905129b39feeb4fa8a4a:packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel-v1.1.0.tgz:generic-api-key:38 +285ff65156d65cc6d9e5905129b39feeb4fa8a4a:packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/values.yaml:generic-api-key:38 +285ff65156d65cc6d9e5905129b39feeb4fa8a4a:packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/values-full.yaml:gcp-service-account:1107 diff --git a/packs/nvidia-nvsentinel-v1.1.0/README.md b/packs/nvidia-nvsentinel-v1.1.0/README.md new file mode 100644 index 00000000..a9d356c8 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/README.md @@ -0,0 +1,181 @@ +# NVSentinel +**GPU Fault Detection and Remediation for Kubernetes** + +NVSentinel automatically detects, classifies, and remediates hardware and software faults in GPU nodes. It monitors GPU health, system logs, and cloud provider maintenance events, then takes action: cordoning faulty nodes, draining workloads, and triggering break-fix workflows. + +> [!NOTE] +> **Beta / Stable** +> NVSentinel is ready for production testing and use. APIs, configurations, and features may change between releases. If you encounter issues, please [open an issue](https://github.com/NVIDIA/NVSentinel/issues) or [start a discussion](https://github.com/NVIDIA/NVSentinel/discussions). + +## 🚀 Quick Start + +### Prerequisites + +- Kubernetes 1.25+ +- NVIDIA GPU Operator (includes DCGM for GPU monitoring) +- Prometheus (for metrics) + +## ✨ Key Features + +- **🔍 Comprehensive Monitoring**: Real-time detection of GPU, NVSwitch, and system-level failures +- **🔧 Automated Remediation**: Intelligent fault handling with cordon, drain, and break-fix workflows +- **📦 Modular Architecture**: Pluggable health monitors with standardized gRPC interfaces +- **🔄 High Availability**: Kubernetes-native design with replica support and leader election +- **⚡ Real-time Processing**: Event-driven architecture with immediate fault response +- **📊 Persistent Storage**: MongoDB-based event store with change streams for real-time updates +- **🛡️ Graceful Handling**: Coordinated workload eviction with configurable timeouts +- **🏷️ Metadata Enrichment**: Automatic augmentation of health events with cloud provider and node metadata information + +> **Testing**: The example above uses default settings. For production, customize values for your environment. + +> **Production**: By default, only health monitoring is enabled. Enable fault quarantine and remediation modules via Helm values. See [Configuration](#-configuration) below. + +## 🎮 Try the Demo + +Want to see NVSentinel in action without GPU hardware? Try our **[Local Fault Injection Demo](demos/local-fault-injection-demo/README.md)**: + +- 🚀 **5-minute setup** - runs entirely in a local KIND cluster +- 🔍 **Real pipeline** - see fault detection → quarantine → node cordon +- 🎯 **No GPU required** - uses simulated DCGM for testing + +```bash +cd demos/local-fault-injection-demo +make demo # Automated: creates cluster, installs NVSentinel, injects fault, verifies cordon +``` + +Perfect for learning, presentations, or CI/CD testing! + +## 🏗️ Architecture + +NVSentinel follows a microservices architecture with modular health monitors and core processing modules: + +```mermaid +graph LR + subgraph "Health Monitors" + GPU["GPU Health Monitor
(DCGM Integration)"] + SYS["Syslog Health Monitor
(Journalctl)"] + CSP["CSP Health Monitor
(CSP APIs)"] + K8SOM["Kubernetes Object Monitor
(CEL Policies)"] + end + + subgraph "Core Processing" + PC["Platform Connectors
(gRPC Server)"] + STORE[("MongoDB Store
(Event Database)")] + FQ["Fault Quarantine
(Node Cordon)"] + ND["Node Drainer
(Workload Eviction)"] + FR["Fault Remediation
(Break-Fix Integration)"] + HEA["Health Events Analyzer
(Pattern Analysis)"] + LBL["Labeler
(Node Labels)"] + end + + subgraph "Kubernetes Cluster" + K8S["Kubernetes API
(Nodes, Pods, Events)"] + end + + GPU -->|gRPC| PC + SYS -->|gRPC| PC + CSP -->|gRPC| PC + K8SOM -->|gRPC| PC + + PC -->|persist| STORE + PC <-->|update status| K8S + + FQ -.->|watch changes| STORE + FQ -->|cordon| K8S + + ND -.->|watch changes| STORE + ND -->|drain| K8S + + FR -.->|watch changes| STORE + FR -->|create CRDs| K8S + + HEA -.->|watch changes| STORE + + LBL -->|update labels| K8S + + K8SOM -.->|watch changes| K8S +``` + +**Data Flow**: +1. **Health Monitors** detect hardware/software faults and send events via gRPC to Platform Connectors +2. **Platform Connectors** validate, persist events to MongoDB, and update Kubernetes node conditions +3. **Core Modules** independently watch MongoDB change streams for relevant events +4. **Modules** interact with Kubernetes API to cordon, drain, label nodes, and create remediation CRDs +5. **Labeler** monitors pods to automatically label nodes with DCGM and driver versions + +> **Note**: All modules operate independently without direct communication. Coordination happens through MongoDB change streams and Kubernetes API. + +## ⚙️ Configuration + +NVSentinel is highly configurable with options for each module. For complete configuration documentation, see the **[Helm Chart README](distros/kubernetes/README.md)**. + +### Quick Configuration Overview + +```yaml +global: + dryRun: false # Test mode - log actions without executing + + # Health Monitors (enabled by default) + gpuHealthMonitor: + enabled: true + syslogHealthMonitor: + enabled: true + + # Core Modules (disabled by default - enable for production) + faultQuarantine: + enabled: false + nodeDrainer: + enabled: false + faultRemediation: + enabled: false + janitor: + enabled: false + mongodbStore: + enabled: false +``` + +**Configuration Resources**: +- **[Helm Chart Configuration Guide](distros/kubernetes/README.md#configuration)**: Complete configuration reference +- **[values-full.yaml](distros/kubernetes/nvsentinel/values-full.yaml)**: Detailed reference with all options +- **[values.yaml](distros/kubernetes/nvsentinel/values.yaml)**: Default values + +## 📦 Module Details + +For detailed module configuration, see the **[Helm Chart Configuration Guide](distros/kubernetes/README.md#module-specific-configuration)**. + +### 🔍 Health Monitors + +- **[GPU Health Monitor](docs/gpu-health-monitor.md)**: Monitors GPU hardware health via DCGM - detects thermal issues, ECC errors, and XID events +- **[Syslog Health Monitor](docs/syslog-health-monitor.md)**: Analyzes system logs for hardware and software fault patterns via journalctl +- **CSP Health Monitor**: Integrates with cloud provider APIs (GCP/AWS) for maintenance events +- **[Kubernetes Object Monitor](docs/kubernetes-object-monitor.md)**: Policy-based monitoring for any Kubernetes resource using CEL expressions + +### 🏗️ Core Modules + +- **[Platform Connectors](docs/platform-connectors.md)**: Receives health events from monitors via gRPC, persists to MongoDB, and updates Kubernetes node status +- **[Fault Quarantine](docs/fault-quarantine.md)**: Watches MongoDB for health events and cordons nodes based on configurable CEL rules +- **[Node Drainer](docs/node-drainer.md)**: Gracefully evicts workloads from cordoned nodes with per-namespace eviction strategies +- **[Fault Remediation](docs/fault-remediation.md)**: Triggers external break-fix systems by creating maintenance CRDs after drain completion +- **Janitor**: Executes node reboots and terminations via cloud provider APIs +- **Health Events Analyzer**: Analyzes event patterns and generates recommended actions +- **[Event Exporter](docs/event-exporter.md)**: Streams health events to external systems in CloudEvents format +- **MongoDB Store**: Persistent storage for health events with real-time change streams +- **[Labeler](docs/labeler.md)**: Automatically labels nodes with DCGM and driver versions for self-configuration +- **[Metadata Collector](docs/metadata-collector.md)**: Gathers GPU and NVSwitch topology information +- **[Log Collection](docs/log-collection.md)**: Collects diagnostic logs and GPU reports for troubleshooting + +## 📋 Requirements + +- **Kubernetes**: 1.25 or later +- **Helm**: 3.0 or later +- **NVIDIA GPU Operator**: For GPU monitoring capabilities (includes DCGM) +- **Storage**: Persistent storage for MongoDB (recommended 10GB+) +- **Network**: Cluster networking for inter-service communication + +## 📄 License + +This project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details. + +--- + +*Built with ❤️ by NVIDIA for GPU infrastructure reliability* \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel-v1.1.0.tgz b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel-v1.1.0.tgz new file mode 100644 index 00000000..ab127dad Binary files /dev/null and b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel-v1.1.0.tgz differ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/Chart.lock b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/Chart.lock new file mode 100644 index 00000000..da50bb47 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/Chart.lock @@ -0,0 +1,48 @@ +dependencies: +- name: gpu-health-monitor + repository: "" + version: 0.1.0 +- name: mongodb-store + repository: "" + version: 0.1.0 +- name: postgresql + repository: "" + version: 15.5.38 +- name: fault-quarantine + repository: "" + version: 0.1.0 +- name: node-drainer + repository: "" + version: 0.1.0 +- name: fault-remediation + repository: "" + version: 0.1.0 +- name: health-events-analyzer + repository: "" + version: 0.1.0 +- name: csp-health-monitor + repository: "" + version: 0.1.0 +- name: syslog-health-monitor + repository: "" + version: 0.1.0 +- name: incluster-file-server + repository: "" + version: 0.1.0 +- name: labeler + repository: "" + version: 0.1.0 +- name: janitor + repository: "" + version: 0.1.0 +- name: metadata-collector + repository: "" + version: 0.1.0 +- name: kubernetes-object-monitor + repository: "" + version: 0.1.0 +- name: preflight + repository: "" + version: 0.1.0 +digest: sha256:9f6ec426cf34f29407b4f8febe6cd89ddfce8f39a08c5f07e4a78c716afe5de1 +generated: "2026-01-29T15:19:46.818345818+05:30" diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/Chart.yaml new file mode 100644 index 00000000..d25b44af --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/Chart.yaml @@ -0,0 +1,83 @@ +apiVersion: v2 +appVersion: v1.1.0 +dependencies: +- condition: global.gpuHealthMonitor.enabled + name: gpu-health-monitor + repository: "" + version: 0.1.0 +- condition: global.mongodbStore.enabled + name: mongodb-store + repository: "" + version: 0.1.0 +- condition: postgresql.enabled + name: postgresql + repository: "" + version: 15.5.38 +- condition: global.faultQuarantine.enabled + name: fault-quarantine + repository: "" + version: 0.1.0 +- condition: global.nodeDrainer.enabled + name: node-drainer + repository: "" + version: 0.1.0 +- condition: global.faultRemediation.enabled + name: fault-remediation + repository: "" + version: 0.1.0 +- condition: global.healthEventsAnalyzer.enabled + name: health-events-analyzer + repository: "" + version: 0.1.0 +- condition: global.cspHealthMonitor.enabled + name: csp-health-monitor + repository: "" + version: 0.1.0 +- condition: global.syslogHealthMonitor.enabled + name: syslog-health-monitor + repository: "" + version: 0.1.0 +- condition: global.inclusterFileServer.enabled + name: incluster-file-server + repository: "" + version: 0.1.0 +- condition: global.labeler.enabled + name: labeler + repository: "" + version: 0.1.0 +- condition: global.janitor.enabled + name: janitor + repository: "" + version: 0.1.0 +- condition: global.janitorProvider.enabled + name: janitor-provider + repository: "" + version: 0.1.0 +- condition: global.metadataCollector.enabled + name: metadata-collector + repository: "" + version: 0.1.0 +- condition: global.kubernetesObjectMonitor.enabled + name: kubernetes-object-monitor + repository: "" + version: 0.1.0 +- condition: global.eventExporter.enabled + name: event-exporter + repository: "" + version: 0.1.0 +- condition: global.preflight.enabled + name: preflight + repository: "" + version: 0.1.0 +- condition: global.k8sdatastoreCrds.enabled + name: k8sdatastore-crds + repository: "" + version: 0.1.0 +- condition: global.slurmDrainMonitor.enabled + name: slurm-drain-monitor + repository: "" + version: 0.1.0 +description: Helm chart for NVSentinel +name: nvsentinel +type: application +version: v1.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/Chart.yaml new file mode 100644 index 00000000..914d8e64 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: A Helm chart for CSP health monitor module +name: csp-health-monitor +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/_helpers.tpl new file mode 100644 index 00000000..d603fc63 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "csp-health-monitor.name" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "csp-health-monitor.fullname" -}} +{{- "csp-health-monitor" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "csp-health-monitor.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "csp-health-monitor.labels" -}} +helm.sh/chart: {{ include "csp-health-monitor.chart" . }} +{{ include "csp-health-monitor.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "csp-health-monitor.selectorLabels" -}} +app.kubernetes.io/name: {{ include "csp-health-monitor.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/clusterrole.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/clusterrole.yaml new file mode 100644 index 00000000..e5b73bd9 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/clusterrole.yaml @@ -0,0 +1,29 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "csp-health-monitor.fullname" . }} + labels: + {{- include "csp-health-monitor.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - nodes + - nodes/status + verbs: + - get + - list + - watch diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/clusterrolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..b7137c2b --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/clusterrolebinding.yaml @@ -0,0 +1,28 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "csp-health-monitor.fullname" . }} + labels: + {{- include "csp-health-monitor.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "csp-health-monitor.fullname" . }} # This ClusterRole is defined by this subchart +subjects: + - kind: ServiceAccount + name: {{ include "csp-health-monitor.fullname" . }} + namespace: {{ .Release.Namespace }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/configmap.yaml new file mode 100644 index 00000000..703cd558 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/configmap.yaml @@ -0,0 +1,47 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "csp-health-monitor.fullname" . }} + labels: + {{- include "csp-health-monitor.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + config.toml: | + # Global settings + maintenanceEventPollIntervalSeconds = {{ .Values.configToml.maintenanceEventPollIntervalSeconds }} + triggerQuarantineWorkflowTimeLimitMinutes = {{ .Values.configToml.triggerQuarantineWorkflowTimeLimitMinutes }} + postMaintenanceHealthyDelayMinutes = {{ .Values.configToml.postMaintenanceHealthyDelayMinutes }} + clusterName = {{ .Values.configToml.clusterName | quote }} + nodeReadinessTimeoutMinutes = {{ .Values.configToml.nodeReadinessTimeoutMinutes }} + {{- if .Values.configToml.kubeconfigPath }} + kubeconfigPath = {{ .Values.configToml.kubeconfigPath | quote }} + {{- end }} + + [gcp] + enabled = {{ eq .Values.cspName "gcp" }} + targetProjectId = {{ .Values.configToml.gcp.targetProjectId | quote }} + apiPollingIntervalSeconds = {{ .Values.configToml.gcp.apiPollingIntervalSeconds }} + gcpServiceAccountName = {{ .Values.configToml.gcp.gcpServiceAccountName | quote }} + logFilter = {{ .Values.configToml.gcp.logFilter | quote }} + endpointOverride = {{ .Values.configToml.gcp.endpointOverride | default "" | quote }} + + [aws] + enabled = {{ eq .Values.cspName "aws" }} + accountId = {{ .Values.configToml.aws.accountId | quote }} + pollingIntervalSeconds = {{ .Values.configToml.aws.pollingIntervalSeconds }} + region = {{ .Values.configToml.aws.region | quote }} + endpointOverride = {{ .Values.configToml.aws.endpointOverride | default "" | quote }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/deployment.yaml new file mode 100644 index 00000000..fa2c42b5 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/deployment.yaml @@ -0,0 +1,236 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "csp-health-monitor.fullname" . }} + labels: + {{- include "csp-health-monitor.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "csp-health-monitor.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + # Force pod restart when configmap changes + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with ((.Values.global).podAnnotations | default .Values.podAnnotations) }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "csp-health-monitor.selectorLabels" . | nindent 8 }} + spec: + {{- with ((.Values.global).imagePullSecrets | default .Values.imagePullSecrets) }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "csp-health-monitor.fullname" . }} + {{- if and .Values.clientCertMountPath .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + initContainers: + - name: fix-cert-permissions + image: "{{ .Values.global.initContainerImage.repository }}:{{ .Values.global.initContainerImage.tag }}" + imagePullPolicy: {{ .Values.global.initContainerImage.pullPolicy }} + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + command: + - sh + - -c + - | + echo "Copying PostgreSQL client certificates with correct permissions..." + cp /etc/ssl/client-certs-original/tls.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/ca.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/tls.key /etc/ssl/client-certs-fixed/ + chmod 644 /etc/ssl/client-certs-fixed/tls.crt + chmod 644 /etc/ssl/client-certs-fixed/ca.crt + chmod 600 /etc/ssl/client-certs-fixed/tls.key + echo "Certificate permissions fixed:" + ls -la /etc/ssl/client-certs-fixed/ + volumeMounts: + - name: postgresql-client-cert-original + mountPath: /etc/ssl/client-certs-original + readOnly: true + - name: client-certs-fixed + mountPath: /etc/ssl/client-certs-fixed + {{- end }} + volumes: + - name: config-volume + configMap: + name: {{ include "csp-health-monitor.fullname" . }} + items: + - key: config.toml + path: config.toml + {{- if and .Values.clientCertMountPath .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: postgresql-client-cert-original + secret: + secretName: postgresql-client-cert + optional: false + - name: client-certs-fixed + emptyDir: {} + {{- else if .Values.clientCertMountPath }} + - name: mongo-app-client-cert + secret: + secretName: {{ include "nvsentinel.certificates.secretName" . }} + {{- include "nvsentinel.certificates.volumeItems" . | nindent 10 }} + optional: true + {{- end }} + - name: platform-connector-uds + hostPath: + path: /var/run/nvsentinel + type: DirectoryOrCreate + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + {{- end }} + args: + - "--config=/etc/config/config.toml" + - "--metrics-port={{ ((.Values.global).metricsPort) | default 2112 }}" + {{- if .Values.clientCertMountPath }} + - "--database-client-cert-mount-path={{ .Values.clientCertMountPath }}" + {{- else }} + - "--database-client-cert-mount-path=" + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + ports: + - name: metrics + containerPort: {{ ((.Values.global).metricsPort) | default 2112 }} + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + volumeMounts: + - name: config-volume + mountPath: /etc/config/ + {{- if and .Values.clientCertMountPath .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: client-certs-fixed + mountPath: {{ .Values.clientCertMountPath }} + readOnly: true + {{- else if .Values.clientCertMountPath }} + - name: mongo-app-client-cert + mountPath: {{ .Values.clientCertMountPath }} + readOnly: true + {{- end }} + env: + - name: LOG_LEVEL + value: "{{ .Values.logLevel }}" + # App name for connection identification in logs and currentOp + - name: APP_NAME + value: {{ .Chart.Name | quote }} + envFrom: + - configMapRef: + name: {{ if .Values.global.datastore }}{{ .Release.Name }}-datastore-config{{ else }}mongodb-config{{ end }} + optional: true + + - name: maintenance-notifier + image: "{{ .Values.quarantineTriggerEngine.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.quarantineTriggerEngine.image.pullPolicy | default .Values.image.pullPolicy }} + securityContext: + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + runAsUser: 1001 + runAsGroup: 1001 + {{- else }} + runAsUser: 0 + {{- end }} + args: + - "--config=/etc/config/config.toml" + {{- if .Values.clientCertMountPath }} + - "--database-client-cert-mount-path={{ .Values.clientCertMountPath }}" + {{- else }} + - "--database-client-cert-mount-path=" + {{- end }} + - "--uds-path=/run/nvsentinel/nvsentinel.sock" + - "--metrics-port=2113" + - "--processing-strategy={{ .Values.processingStrategy }}" + resources: + {{- toYaml .Values.quarantineTriggerEngine.resources | default .Values.resources | nindent 12 }} + ports: + - name: metrics-sidecar + containerPort: 2113 + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: metrics-sidecar + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: metrics-sidecar + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + volumeMounts: + - name: config-volume + mountPath: /etc/config/ + {{- if and .Values.clientCertMountPath .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: client-certs-fixed + mountPath: {{ .Values.clientCertMountPath }} + readOnly: true + {{- else if .Values.clientCertMountPath }} + - name: mongo-app-client-cert + mountPath: {{ .Values.clientCertMountPath }} + readOnly: true + {{- end }} + - name: platform-connector-uds + mountPath: /run/nvsentinel + env: + - name: LOG_LEVEL + value: "{{ .Values.quarantineTriggerEngine.logLevel | default .Values.logLevel }}" + # App name for connection identification in logs and currentOp + - name: APP_NAME + value: "maintenance-notifier" + envFrom: + - configMapRef: + name: {{ if .Values.global.datastore }}{{ .Release.Name }}-datastore-config{{ else }}mongodb-config{{ end }} + optional: true + restartPolicy: Always + {{- with (((.Values.global).systemNodeSelector) | default .Values.nodeSelector) }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (((.Values.global).affinity) | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (((.Values.global).systemNodeTolerations) | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/serviceaccount.yaml new file mode 100644 index 00000000..fe3d4d47 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/templates/serviceaccount.yaml @@ -0,0 +1,32 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "csp-health-monitor.fullname" . }} + labels: + {{- include "csp-health-monitor.labels" . | nindent 4 }} + annotations: + {{- if .Values.configToml }} + {{- if and (eq .Values.cspName "gcp") .Values.configToml.gcp .Values.configToml.gcp.targetProjectId .Values.configToml.gcp.gcpServiceAccountName }} + iam.gke.io/gcp-service-account: {{ .Values.configToml.gcp.gcpServiceAccountName }}@{{ .Values.configToml.gcp.targetProjectId }}.iam.gserviceaccount.com + {{- end }} + {{- if and (eq .Values.cspName "aws") .Values.configToml.aws .Values.configToml.aws.accountId }} + {{- if .Values.configToml.aws.iamRoleName }} + eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.configToml.aws.accountId }}:role/{{ .Values.configToml.aws.iamRoleName }} + {{- else if .Values.configToml.clusterName }} + eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.configToml.aws.accountId }}:role/{{ .Values.configToml.clusterName }}-nvsentinel-health-monitor-assume-role-policy + {{- end }} + {{- end }} + {{- end }} \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/values.yaml new file mode 100644 index 00000000..bfac8eb9 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/csp-health-monitor/values.yaml @@ -0,0 +1,95 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +replicaCount: 1 + +image: + repository: ghcr.io/nvidia/nvsentinel/csp-health-monitor + pullPolicy: IfNotPresent + tag: "" + +resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "200m" + memory: "256Mi" + +# Configuration for the Quarantine Trigger Engine sidecar +quarantineTriggerEngine: + image: + repository: ghcr.io/nvidia/nvsentinel/maintenance-notifier + pullPolicy: IfNotPresent + resources: + limits: + cpu: "500m" + memory: "512Mi" + requests: + cpu: "100m" + memory: "128Mi" + # Log verbosity for the sidecar, defaults to main container's logLevel if not set + logLevel: info + +# Scheduling configuration +nodeSelector: {} +affinity: {} +tolerations: [] + +podAnnotations: {} + +# Processing strategy for health events +# valid values: EXECUTE_REMEDIATION, STORE_ONLY +# default: EXECUTE_REMEDIATION +# EXECUTE_REMEDIATION: normal behavior; downstream modules may update cluster state. +# STORE_ONLY: observability-only behavior; event should be persisted/exported but should not modify cluster resources (i.e., no node conditions, no quarantine, no drain, no remediation). +processingStrategy: EXECUTE_REMEDIATION + +# Log verbosity level for the main CSP health monitor container (e.g. "debug", "info", "warn", "error") +logLevel: info + +# Client certificate mount path for database connections. +# Set to an empty string to disable MongoDB TLS client certificate mounts. +clientCertMountPath: /etc/ssl/client-certs + +# cspName specifies the active cloud service provider. Can be "gcp" or "aws". +cspName: "" + +# config.toml content will be generated from the fields below using the configmap template. +# Both main container and sidecar will mount and use this. +configToml: + # Global settings + maintenanceEventPollIntervalSeconds: 60 # Used by Quarantine Trigger Engine sidecar + triggerQuarantineWorkflowTimeLimitMinutes: 30 # Used by Quarantine Trigger Engine sidecar + postMaintenanceHealthyDelayMinutes: 15 # Used by Quarantine Trigger Engine sidecar + nodeReadinessTimeoutMinutes: 60 # Used to monitor node readiness after maintenance + clusterName: "" # Used by main monitor and potentially sidecar if needed + kubeconfigPath: "" # Optional, only set if running out-of-cluster against a tenant. Set to non-empty string to enable. + + gcp: + targetProjectId: "" # Used by main monitor + apiPollingIntervalSeconds: 60 # Used by main monitor (GCP poller) + gcpServiceAccountName: "" # GCP service account name for workload identity + logFilter: "" # example: 'logName="projects/{PROJECT_ID}/logs/csp-health-monitor-test-log" AND operation.producer="compute.instances.upcomingMaintenance"' + + aws: + accountId: "" # Used by main monitor + # How often to poll the AWS Health API for events in seconds + pollingIntervalSeconds: 60 # Used by main monitor (AWS poller) + # AWS region of the tenant cluster. + region: "" # Used by main monitor + # Custom IAM role name for IRSA (IAM Roles for Service Accounts). + # If empty, defaults to "-nvsentinel-health-monitor-assume-role-policy". + # Set this if your cluster name exceeds 19 characters (AWS IAM role names max 64 chars). + iamRoleName: "" diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/Chart.yaml new file mode 100644 index 00000000..1df5ffac --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: A Helm chart for Health Events Exporter +name: event-exporter +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/templates/_helpers.tpl new file mode 100644 index 00000000..97758a60 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/templates/_helpers.tpl @@ -0,0 +1,41 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "event-exporter.name" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "event-exporter.fullname" -}} +{{- "event-exporter" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "event-exporter.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "event-exporter.labels" -}} +helm.sh/chart: {{ include "event-exporter.chart" . }} +{{ include "event-exporter.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "event-exporter.selectorLabels" -}} +app.kubernetes.io/name: {{ include "event-exporter.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/templates/configmap.yaml new file mode 100644 index 00000000..4e6edfb0 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/templates/configmap.yaml @@ -0,0 +1,61 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "event-exporter.fullname" . }} + labels: + {{- include "event-exporter.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + config.toml: | + [exporter.metadata] + cluster = "{{ .Values.exporter.metadata.cluster }}" + environment = "{{ .Values.exporter.metadata.environment }}" + {{- range $key, $value := .Values.exporter.metadata }} + {{- if and (ne $key "cluster") (ne $key "environment") }} + {{ $key }} = "{{ $value }}" + {{- end }} + {{- end }} + + [exporter.sink] + endpoint = "{{ .Values.exporter.sink.endpoint }}" + timeout = "{{ .Values.exporter.sink.timeout }}" + insecure_skip_verify = {{ .Values.exporter.sink.insecureSkipVerify }} + + [exporter.oidc] + token_url = "{{ .Values.exporter.oidc.tokenUrl }}" + client_id = "{{ .Values.exporter.oidc.clientId }}" + scope = "{{ .Values.exporter.oidc.scope }}" + insecure_skip_verify = {{ .Values.exporter.oidc.insecureSkipVerify }} + + [exporter.backfill] + enabled = {{ .Values.exporter.backfill.enabled }} + max_age = "{{ .Values.exporter.backfill.maxAge }}" + max_events = {{ .Values.exporter.backfill.maxEvents }} + batch_size = {{ .Values.exporter.backfill.batchSize }} + rate_limit = {{ .Values.exporter.backfill.rateLimit }} + + [exporter.resume_token] + database = "{{ .Values.exporter.resumeToken.database }}" + collection = "{{ .Values.exporter.resumeToken.collection }}" + + [exporter.failure_handling] + max_retries = {{ .Values.exporter.failureHandling.maxRetries }} + initial_backoff = "{{ .Values.exporter.failureHandling.initialBackoff }}" + max_backoff = "{{ .Values.exporter.failureHandling.maxBackoff }}" + backoff_multiplier = {{ .Values.exporter.failureHandling.backoffMultiplier }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/templates/deployment.yaml new file mode 100644 index 00000000..1d3b7a99 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/templates/deployment.yaml @@ -0,0 +1,187 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "event-exporter.fullname" . }} + labels: + {{- include "event-exporter.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "event-exporter.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + # Force pod restart when configmap changes + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "event-exporter.labels" . | nindent 8 }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + initContainers: + - name: fix-cert-permissions + image: "{{ .Values.global.initContainerImage.repository }}:{{ .Values.global.initContainerImage.tag }}" + imagePullPolicy: {{ .Values.global.initContainerImage.pullPolicy }} + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + command: + - sh + - -c + - | + echo "Copying PostgreSQL client certificates with correct permissions..." + cp /etc/ssl/client-certs-original/tls.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/ca.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/tls.key /etc/ssl/client-certs-fixed/ + chmod 644 /etc/ssl/client-certs-fixed/tls.crt + chmod 644 /etc/ssl/client-certs-fixed/ca.crt + chmod 600 /etc/ssl/client-certs-fixed/tls.key + echo "Certificate permissions fixed:" + ls -la /etc/ssl/client-certs-fixed/ + volumeMounts: + - name: postgresql-client-cert-original + mountPath: /etc/ssl/client-certs-original + readOnly: true + - name: client-certs-fixed + mountPath: /etc/ssl/client-certs-fixed + {{- end }} + containers: + - name: event-exporter + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + {{- else }} + securityContext: + runAsUser: 0 + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + args: + - "--config=/etc/config/config.toml" + - "--metrics-port={{ .Values.global.metricsPort }}" + - "--oidc-secret-path=/var/secrets/oidc-client-secret" + - "--workers={{ .Values.exporter.workers }}" + ports: + - name: metrics + containerPort: {{ .Values.global.metricsPort }} + livenessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + volumeMounts: + - name: config-volume + mountPath: /etc/config/config.toml + subPath: config.toml + - name: oidc-secret + mountPath: /var/secrets + readOnly: true + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: client-certs-fixed + mountPath: /etc/ssl/client-certs + readOnly: true + {{- else if .Values.mongodbStore.clientCertMountPath }} + - name: mongo-app-client-cert + mountPath: {{ .Values.mongodbStore.clientCertMountPath }} + readOnly: true + {{- end }} + - name: var-run-vol + mountPath: /var/run/ + env: + # App name for connection identification in logs and currentOp + - name: APP_NAME + value: {{ .Chart.Name | quote }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: POSTGRESQL_CLIENT_CERT_MOUNT_PATH + value: "/etc/ssl/client-certs" + {{- else if .Values.mongodbStore.clientCertMountPath }} + - name: MONGODB_CLIENT_CERT_PATH + value: {{ printf "%s/tls.crt" .Values.mongodbStore.clientCertMountPath | quote }} + - name: MONGODB_CLIENT_KEY_PATH + value: {{ printf "%s/tls.key" .Values.mongodbStore.clientCertMountPath | quote }} + - name: MONGODB_CA_CERT_PATH + value: {{ printf "%s/ca.crt" .Values.mongodbStore.clientCertMountPath | quote }} + {{- end }} + envFrom: + - configMapRef: + name: {{ if .Values.global.datastore }}{{ .Release.Name }}-datastore-config{{ else }}mongodb-config{{ end }} + optional: true + volumes: + - name: config-volume + configMap: + name: {{ include "event-exporter.fullname" . }} + items: + - key: config.toml + path: config.toml + - name: oidc-secret + secret: + secretName: {{ .Values.oidcSecretName }} + optional: false + - name: var-run-vol + hostPath: + path: /var/run/nvsentinel + type: DirectoryOrCreate + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: postgresql-client-cert-original + secret: + secretName: postgresql-client-cert + optional: false + - name: client-certs-fixed + emptyDir: {} + {{- else if .Values.mongodbStore.clientCertMountPath }} + - name: mongo-app-client-cert + secret: + secretName: {{ include "nvsentinel.certificates.secretName" . }} + {{- include "nvsentinel.certificates.volumeItems" . | nindent 10 }} + optional: true + {{- end }} + restartPolicy: Always + {{- with (.Values.global.systemNodeSelector | default .Values.nodeSelector) }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.affinity | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.systemNodeTolerations | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/values.yaml new file mode 100644 index 00000000..fbbb7eec --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/event-exporter/values.yaml @@ -0,0 +1,91 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +replicaCount: 1 + +image: + repository: ghcr.io/nvidia/nvsentinel/event-exporter + pullPolicy: IfNotPresent + tag: "" + +podAnnotations: {} + +resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "500m" + memory: "512Mi" + +# OIDC secret configuration +# The secret should contain a key named 'oidc-client-secret' +# You must create this secret manually before deploying this chart +oidcSecretName: "event-exporter-oidc-secret" + +# Set to an empty string to disable MongoDB TLS client certificate mounts. +mongodbStore: + clientCertMountPath: /etc/ssl/mongo-client + +# Event exporter configuration +exporter: + # Metadata configuration + # Add any custom metadata fields here - they will be included in CloudEvents data.metadata + metadata: + cluster: "my-cluster" + environment: "production" + # Additional custom metadata fields (optional): + # region: "us-west-2" + # datacenter: "dc01" + # tenant: "acme-corp" + + # Sink configuration for event destination + sink: + endpoint: "https://events.example.com/api/v1/events" + timeout: "30s" + insecureSkipVerify: false + + # OIDC configuration for authentication + oidc: + tokenUrl: "https://auth.example.com/oauth2/token" + clientId: "nvsentinel-exporter" + scope: "events:write" + insecureSkipVerify: false + + # Backfill configuration for historical events + backfill: + enabled: true + maxAge: "720h" # 30 days + maxEvents: 1000000 + batchSize: 500 + rateLimit: 1000 # events per second + + # Resume token storage configuration + resumeToken: + database: "nvsentinel" + collection: "resumetokens" + + # Number of concurrent publish workers. + # Each worker publishes events to the sink in parallel. + # Higher values increase throughput for high-event-rate clusters. + # At 300ms per publish, 10 workers ≈ 33 events/sec throughput. + workers: 10 + + # Failure handling and retry configuration + failureHandling: + maxRetries: 17 # ~30 minutes of retries + initialBackoff: "1s" + maxBackoff: "5m" + backoffMultiplier: 2.0 + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/Chart.yaml new file mode 100644 index 00000000..6deefdaf --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: A Helm chart for Fault quarantine module +name: fault-quarantine +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/_helpers.tpl new file mode 100644 index 00000000..60574532 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "fault-quarantine.name" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "fault-quarantine.fullname" -}} +{{- "fault-quarantine" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fault-quarantine.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "fault-quarantine.labels" -}} +helm.sh/chart: {{ include "fault-quarantine.chart" . }} +{{ include "fault-quarantine.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "fault-quarantine.selectorLabels" -}} +app.kubernetes.io/name: {{ include "fault-quarantine.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/clusterrole.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/clusterrole.yaml new file mode 100644 index 00000000..aa1a30f5 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/clusterrole.yaml @@ -0,0 +1,39 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "fault-quarantine.fullname" . }} + labels: + {{- include "fault-quarantine.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - nodes + - nodes/status + verbs: + - get + - patch + - update + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - update + - create diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/clusterrolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..8d333a1f --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/clusterrolebinding.yaml @@ -0,0 +1,27 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "fault-quarantine.fullname" . }} + labels: + {{- include "fault-quarantine.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "fault-quarantine.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "fault-quarantine.fullname" . }} + namespace: {{ .Release.Namespace }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/configmap.yaml new file mode 100644 index 00000000..58a8ec1c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/configmap.yaml @@ -0,0 +1,64 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "fault-quarantine.fullname" . }} + labels: + {{- include "fault-quarantine.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + config.toml: | + label-prefix = {{ .Values.labelPrefix | quote }} + + [circuitBreaker] + percentage = {{ .Values.circuitBreaker.percentage }} + duration = {{ .Values.circuitBreaker.duration | quote }} + + {{- range .Values.ruleSets }} + [[rule-sets]] + version = {{ .version | quote }} + name = {{ .name | quote }} + {{- if .match.all }} + {{- range .match.all }} + + [[rule-sets.match.all]] + kind = {{ .kind | quote }} + expression = {{ if contains "\n" .expression }}''' + {{ .expression | trim }} + '''{{ else }}{{ .expression | quote }}{{ end }} + {{- end }} + {{- end }} + {{- if .match.any }} + {{- range .match.any }} + + [[rule-sets.match.any]] + kind = {{ .kind | quote }} + expression = {{ if contains "\n" .expression }}''' + {{ .expression | trim }} + '''{{ else }}{{ .expression | quote }}{{ end }} + {{- end }} + {{- end }} + + {{- if .taint }} + [rule-sets.taint] + key = {{ .taint.key | quote }} + value = {{ .taint.value | quote }} + effect = {{ .taint.effect | quote }} + {{- end }} + + [rule-sets.cordon] + shouldCordon = {{ .cordon.shouldCordon }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/deployment.yaml new file mode 100644 index 00000000..8b41ee8c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/deployment.yaml @@ -0,0 +1,205 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fault-quarantine.fullname" . }} + labels: + {{- include "fault-quarantine.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "fault-quarantine.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + # Force pod restart when configmap changes + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with ((.Values.global).podAnnotations | default .Values.podAnnotations) }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "fault-quarantine.selectorLabels" . | nindent 8 }} + spec: + {{- with ((.Values.global).imagePullSecrets | default .Values.imagePullSecrets) }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "fault-quarantine.fullname" . }} + {{- if .Values.global.auditLogging.enabled }} + securityContext: + fsGroup: 65532 + {{- end }} + {{- if or .Values.global.auditLogging.enabled (and .Values.clientCertMountPath .Values.global.datastore (eq .Values.global.datastore.provider "postgresql")) }} + initContainers: + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.initContainer" . | nindent 8 }} + {{- end }} + {{- if and .Values.clientCertMountPath .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: fix-cert-permissions + image: "{{ .Values.global.initContainerImage.repository }}:{{ .Values.global.initContainerImage.tag }}" + imagePullPolicy: {{ .Values.global.initContainerImage.pullPolicy }} + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + command: + - sh + - -c + - | + echo "Copying PostgreSQL client certificates with correct permissions..." + cp /etc/ssl/client-certs-original/tls.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/ca.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/tls.key /etc/ssl/client-certs-fixed/ + chmod 644 /etc/ssl/client-certs-fixed/tls.crt + chmod 644 /etc/ssl/client-certs-fixed/ca.crt + chmod 600 /etc/ssl/client-certs-fixed/tls.key + echo "Certificate permissions fixed:" + ls -la /etc/ssl/client-certs-fixed/ + volumeMounts: + - name: postgresql-client-cert-original + mountPath: /etc/ssl/client-certs-original + readOnly: true + - name: client-certs-fixed + mountPath: /etc/ssl/client-certs-fixed + {{- end }} + {{- end }} + containers: + - name: fault-quarantine + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + args: + - "--metrics-port={{ ((.Values.global).metricsPort) | default 2112 }}" + - "--dry-run={{ ((.Values.global).dryRun) | default false }}" + {{- if .Values.clientCertMountPath }} + - "--database-client-cert-mount-path={{ .Values.clientCertMountPath }}" + {{- else }} + - "--tls-enabled=false" + {{- end }} + - "--circuit-breaker-enabled={{ .Values.circuitBreaker.enabled }}" + ports: + - name: metrics + containerPort: {{ ((.Values.global).metricsPort) | default 2112 }} + livenessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + volumeMounts: + - name: config-volume + mountPath: /etc/config/config.toml + subPath: config.toml + {{- if .Values.clientCertMountPath }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: client-certs-fixed + mountPath: {{ .Values.clientCertMountPath }} + readOnly: true + {{- else }} + - name: mongo-app-client-cert + mountPath: {{ .Values.clientCertMountPath }} + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.volumeMount" . | nindent 10 }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LOG_LEVEL + value: "{{ .Values.logLevel }}" + # App name for connection identification in logs and currentOp + - name: APP_NAME + value: {{ .Chart.Name | quote }} + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.envVars" . | nindent 12 }} + {{- end }} + {{- if .Values.clientCertMountPath }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: POSTGRESQL_CLIENT_CERT_MOUNT_PATH + value: {{ .Values.clientCertMountPath }} + {{- else }} + - name: MONGODB_CLIENT_CERT_MOUNT_PATH + value: {{ .Values.clientCertMountPath }} + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ if .Values.global.datastore }}{{ .Release.Name }}-datastore-config{{ else }}mongodb-config{{ end }} + optional: true + volumes: + - name: config-volume + configMap: + name: {{ include "fault-quarantine.fullname" . }} + items: + - key: config.toml + path: config.toml + {{- if .Values.clientCertMountPath }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: postgresql-client-cert-original + secret: + secretName: postgresql-client-cert + optional: false + - name: client-certs-fixed + emptyDir: {} + {{- else }} + - name: mongo-app-client-cert + secret: + secretName: {{ include "nvsentinel.certificates.secretName" . }} + {{- include "nvsentinel.certificates.volumeItems" . | nindent 10 }} + optional: true + {{- end }} + {{- end }} + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.volume" . | nindent 6 }} + {{- end }} + restartPolicy: Always + {{- with (((.Values.global).systemNodeSelector) | default .Values.nodeSelector) }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (((.Values.global).affinity) | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (((.Values.global).systemNodeTolerations) | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/serviceaccount.yaml new file mode 100644 index 00000000..8bebe8d7 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/templates/serviceaccount.yaml @@ -0,0 +1,19 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "fault-quarantine.fullname" . }} + labels: + {{- include "fault-quarantine.labels" . | nindent 4 }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/values.yaml new file mode 100644 index 00000000..0c8b8aac --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-quarantine/values.yaml @@ -0,0 +1,142 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +replicaCount: 1 + +image: + repository: ghcr.io/nvidia/nvsentinel/fault-quarantine + pullPolicy: IfNotPresent + tag: "" + +resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + +# Scheduling configuration +nodeSelector: {} +affinity: {} +tolerations: [] + +podAnnotations: {} + +# Log level for the fault quarantine module (e.g. "debug", "info", "warn", "error") +logLevel: info + +# Client certificate mount path for database connections +clientCertMountPath: /etc/ssl/client-certs + +# Label prefix for node labels and annotations +# Used to generate label keys like: cordon-by, cordon-reason, cordon-timestamp +# Also used for uncordon labels: uncordon-by, uncordon-reason, uncordon-timestamp +# These labels track the quarantine/uncordon lifecycle and help with debugging and auditing +labelPrefix: "k8saas.nvidia.com/" + +# Circuit breaker configuration to prevent cascading failures +# The circuit breaker prevents quarantining too many nodes in the cluster at once +# If the percentage threshold is exceeded, the circuit breaker trips and new quarantine actions are blocked +# The circuit breaker state is stored in a ConfigMap and persists across restarts +circuitBreaker: + # Enable/disable circuit breaker protection (passed as command-line arg to the deployment) + enabled: true + # Maximum percentage of cluster nodes that can be quarantined before circuit breaker trips + # Example: 50 means if 50% or more nodes are cordoned, no new quarantines will be allowed + percentage: 50 + # Time window for the sliding window circuit breaker + # The circuit breaker counts cordon events within this time window + # Example: "5m" means if 50% of nodes are cordoned within any 5-minute window, the circuit breaker trips + duration: "5m" + +# Rule sets for node quarantine actions +# Each ruleset defines conditions (match) and actions (taint, cordon) to apply when conditions are met +# Rules are evaluated using CEL (Common Expression Language) expressions +# Multiple rulesets can be defined and are evaluated in order +ruleSets: + - # Ruleset version (for future compatibility and migration) + version: "1" + # Human-readable name for the ruleset (used in logs and metrics) + name: "GPU fatal error ruleset" + # Match conditions - defines when this ruleset should trigger + match: + # All conditions must be true (AND logic) + # Use 'any' for OR logic - at least one condition must be true + all: + # Match health events from gpu-health-monitor with fatal GPU errors + - kind: "HealthEvent" + # CEL expression with access to 'event' object containing HealthEvent fields + # Available fields: agent, componentClass, isFatal, nodeName, etc. + expression: "event.agent == 'gpu-health-monitor' && event.componentClass == 'GPU' && event.isFatal == true" + # Ensure the node is not explicitly excluded from NVSentinel management + - kind: "Node" + # CEL expression with access to 'node' object containing Node spec and metadata + # This checks if the node has a label preventing automated management + expression: | + !('k8saas.nvidia.com/ManagedByNVSentinel' in node.metadata.labels && node.metadata.labels['k8saas.nvidia.com/ManagedByNVSentinel'] == "false") + # Cordon action - marks node as unschedulable when ruleset triggers + cordon: + # Set to true to cordon (mark unschedulable) the node + # When true, node.spec.unschedulable is set, preventing new pod scheduling + shouldCordon: true + # Optional: Taint configuration for this ruleset + # Taints are applied to nodes to repel pods without matching tolerations + # Uncomment to enable tainting for this ruleset + # taint: + # # Taint key (used to identify the taint) + # key: "nvidia.com/gpu-error" + # # Taint value (additional information about the taint) + # value: "fatal" + # # Taint effect determines how it affects pod scheduling + # # NoSchedule: New pods without toleration won't be scheduled + # # PreferNoSchedule: Soft version of NoSchedule (scheduler tries to avoid) + # # NoExecute: Existing pods without toleration are evicted + # effect: "NoSchedule" + + - version: "1" + name: "CSP health monitor fatal error ruleset" + match: + all: + - kind: "HealthEvent" + expression: "event.agent == 'csp-health-monitor' && event.checkName == 'CSPMaintenance' && event.isFatal == true" + - kind: "Node" + expression: | + !('k8saas.nvidia.com/ManagedByNVSentinel' in node.metadata.labels && node.metadata.labels['k8saas.nvidia.com/ManagedByNVSentinel'] == "false") + cordon: + shouldCordon: true + + - version: "1" + name: "Syslog fatal error ruleset" + match: + all: + - kind: "HealthEvent" + expression: "event.agent == 'syslog-health-monitor' && event.componentClass == 'GPU' && event.isFatal == true" + - kind: "Node" + expression: | + !('k8saas.nvidia.com/ManagedByNVSentinel' in node.metadata.labels && node.metadata.labels['k8saas.nvidia.com/ManagedByNVSentinel'] == "false") + cordon: + shouldCordon: true + + - version: "1" + name: "Kubernetes object monitor fatal error ruleset" + match: + all: + - kind: "HealthEvent" + expression: "event.agent == 'kubernetes-object-monitor' && event.isFatal == true" + - kind: "Node" + expression: | + !('k8saas.nvidia.com/ManagedByNVSentinel' in node.metadata.labels && node.metadata.labels['k8saas.nvidia.com/ManagedByNVSentinel'] == "false") + cordon: + shouldCordon: true \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/.helmignore new file mode 100644 index 00000000..691fa13d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/Chart.yaml new file mode 100644 index 00000000..5af8eb86 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: A Helm chart for Kubernetes +name: fault-remediation +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/files/log-collector-job.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/files/log-collector-job.yaml new file mode 100644 index 00000000..e24e2c31 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/files/log-collector-job.yaml @@ -0,0 +1,79 @@ +## +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +## + +# Source: manifests/log-collector-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + generateName: {{ include "fault-remediation.fullname" . }}-log-collector-job- + namespace: {{ .Release.Namespace }} + labels: + app: log-collector +spec: + ttlSecondsAfterFinished: 3600 + template: + metadata: + labels: + app: log-collector + spec: + serviceAccountName: log-collector-job + + restartPolicy: Never + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: log-collector + image: {{ .Values.logCollector.image.repository }}:{{ .Values.logCollector.image.tag | default .Values.global.image.tag | default "latest" }} + imagePullPolicy: {{ .Values.logCollector.image.pullPolicy }} + securityContext: + privileged: true + allowPrivilegeEscalation: true + readOnlyRootFilesystem: false + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: KEEP_ALIVE + value: "false" + - name: GPU_OPERATOR_NAMESPACE + value: {{ .Values.logCollector.gpuOperatorNamespaces | default "gpu-operator" | quote }} + - name: ENABLE_GPU_OPERATOR_MUST_GATHER + value: {{ .Values.logCollector.enableGpuOperatorMustGather | quote }} + - name: UPLOAD_URL_BASE + value: {{ .Values.logCollector.uploadURL | quote }} + - name: ENABLE_GCP_SOS_COLLECTION + value: {{ .Values.logCollector.enableGcpSosCollection | quote }} + - name: ENABLE_AWS_SOS_COLLECTION + value: {{ .Values.logCollector.enableAwsSosCollection | quote }} + {{- range $key, $value := .Values.logCollector.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + volumeMounts: + - name: artifacts + mountPath: /artifacts + - name: host-root + mountPath: /host + readOnly: false + volumes: + - name: artifacts + emptyDir: {} + - name: host-root + hostPath: + path: / diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/_helpers.tpl new file mode 100644 index 00000000..23a31f84 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "fault-remediation.name" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "fault-remediation.fullname" -}} +{{- "fault-remediation" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fault-remediation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "fault-remediation.labels" -}} +helm.sh/chart: {{ include "fault-remediation.chart" . }} +{{ include "fault-remediation.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "fault-remediation.selectorLabels" -}} +app.kubernetes.io/name: {{ include "fault-remediation.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/clusterrole.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/clusterrole.yaml new file mode 100644 index 00000000..bc3c8a53 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/clusterrole.yaml @@ -0,0 +1,89 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "fault-remediation.fullname" . }} + labels: + {{- include "fault-remediation.labels" . | nindent 4 }} +rules: +{{- /* +Collect all unique API groups and their associated resources from multi-template remediation actions +*/ -}} +{{- $apiGroups := dict }} + +{{- /* Add multi-template remediation API groups */ -}} +{{- /* NOTE: Resource names are generated by appending 's' to lowercase kind */ -}} +{{- /* This works for regular nouns (RebootNode → rebootnodes) but may fail */ -}} +{{- /* for irregular plurals (Policy → policys instead of policies) */ -}} +{{- range $actionName, $config := .Values.maintenance.actions }} + {{- $resourceName := printf "%ss" ($config.kind | lower) }} + {{- $existingResources := (index $apiGroups $config.apiGroup | default (list)) }} + {{- $newResources := append $existingResources $resourceName | uniq }} + {{- $_ := set $apiGroups $config.apiGroup $newResources }} +{{- end }} + + +{{- /* Generate RBAC rules for each API group */ -}} +{{- range $apiGroup, $resources := $apiGroups }} +- apiGroups: + - {{ $apiGroup }} + resources: + {{- range $resources }} + - {{ . }} + {{- end }} + verbs: + - get + - list + - create + - update + - patch +{{- end }} +- apiGroups: + - "coordination.k8s.io" + resources: + - leases + verbs: + - get + - create + - update + - patch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - update + - patch + - watch +- apiGroups: + - "" + resources: + - "events" + verbs: + - "create" + - "patch" +- apiGroups: + - "batch" + resources: + - "jobs" + verbs: + - create + - delete + - update + - get + - list + - watch diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/clusterrolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..49d2560e --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/clusterrolebinding.yaml @@ -0,0 +1,27 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "fault-remediation.fullname" . }} + labels: + {{- include "fault-remediation.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "fault-remediation.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "fault-remediation.fullname" . }} + namespace: {{ .Release.Namespace }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/configmap.yaml new file mode 100644 index 00000000..d294fc0e --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/configmap.yaml @@ -0,0 +1,66 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "fault-remediation.fullname" . }} + labels: + {{- include "fault-remediation.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + config.toml: | + [template] + mountPath = "/etc/config" + + # Multi-template remediation configuration + {{- range $actionName, $config := .Values.maintenance.actions }} + [remediationActions.{{ $actionName | quote }}] + apiGroup = {{ $config.apiGroup | quote }} + version = {{ $config.version | quote }} + kind = {{ $config.kind | quote }} + scope = {{ $config.scope | default "Cluster" | quote }} + {{- if $config.namespace }} + namespace = {{ $config.namespace | quote }} + {{- end }} + completeConditionType = {{ $config.completeConditionType | default "NodeReady" | quote }} + templateFileName = {{ $config.templateFileName | quote }} + {{- if $config.equivalenceGroup }} + equivalenceGroup = {{ $config.equivalenceGroup | quote }} + {{- end }} + {{- if $config.impactedEntityScope }} + impactedEntityScope = {{ $config.impactedEntityScope | quote }} + {{- end }} + {{- if $config.supersedingEquivalenceGroups }} + supersedingEquivalenceGroups = {{ $config.supersedingEquivalenceGroups | toJson }} + {{- end }} + {{- end }} + + [updateRetry] + maxRetries = {{ .Values.updateRetry.maxRetries }} + retryDelaySeconds = {{ .Values.updateRetry.retryDelaySeconds }} + + {{- if .Values.maintenance.templates }} + # Multi-template files + {{- range $templateName, $templateContent := .Values.maintenance.templates }} + {{ $templateName }}: | +{{- $templateContent | nindent 4 }} + {{- end }} + {{- end }} + + {{- if .Values.logCollector.enabled }} + log-collector-job.yaml: | + {{- tpl (.Files.Get "files/log-collector-job.yaml") . | nindent 4 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/deployment.yaml new file mode 100644 index 00000000..8f048257 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/deployment.yaml @@ -0,0 +1,202 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fault-remediation.fullname" . }} + labels: + {{- include "fault-remediation.labels" . | nindent 4}} + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "fault-remediation.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + # Force pod restart when configmap changes + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with ((.Values.global).podAnnotations | default .Values.podAnnotations) }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "fault-remediation.selectorLabels" . | nindent 8 }} + spec: + {{- with ((.Values.global).imagePullSecrets | default .Values.imagePullSecrets) }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "fault-remediation.fullname" . }} + {{- if .Values.global.auditLogging.enabled }} + securityContext: + fsGroup: 65532 + {{- end }} + {{- if or .Values.global.auditLogging.enabled (and .Values.clientCertMountPath .Values.global.datastore (eq .Values.global.datastore.provider "postgresql")) }} + initContainers: + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.initContainer" . | nindent 8 }} + {{- end }} + {{- if and .Values.clientCertMountPath .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: fix-cert-permissions + image: "{{ .Values.global.initContainerImage.repository }}:{{ .Values.global.initContainerImage.tag }}" + imagePullPolicy: {{ .Values.global.initContainerImage.pullPolicy }} + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + command: + - sh + - -c + - | + echo "Copying PostgreSQL client certificates with correct permissions..." + cp /etc/ssl/client-certs-original/tls.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/ca.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/tls.key /etc/ssl/client-certs-fixed/ + chmod 644 /etc/ssl/client-certs-fixed/tls.crt + chmod 644 /etc/ssl/client-certs-fixed/ca.crt + chmod 600 /etc/ssl/client-certs-fixed/tls.key + echo "Certificate permissions fixed:" + ls -la /etc/ssl/client-certs-fixed/ + volumeMounts: + - name: postgresql-client-cert-original + mountPath: /etc/ssl/client-certs-original + readOnly: true + - name: client-certs-fixed + mountPath: /etc/ssl/client-certs-fixed + {{- end }} + {{- end }} + containers: + - name: fault-remediation + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + args: + - "--dry-run={{ ((.Values.global).dryRun) | default false }}" + - "--enable-log-collector={{ .Values.logCollector.enabled }}" + - "--leader-elect=true" + ports: + - name: metrics + containerPort: {{ ((.Values.global).metricsPort) | default 2112 }} + - name: health + containerPort: {{ ((.Values.global).healthPort) | default 9440 }} + livenessProbe: + httpGet: + path: /healthz + port: health + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + httpGet: + path: "/readyz" + port: "health" + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + volumeMounts: + {{- if .Values.clientCertMountPath }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: client-certs-fixed + mountPath: {{ .Values.clientCertMountPath }} + readOnly: true + {{- else }} + - name: mongo-app-client-cert + mountPath: {{ .Values.clientCertMountPath }} + readOnly: true + {{- end }} + {{- end }} + - name: config-volume + mountPath: /etc/config + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.volumeMount" . | nindent 10 }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: LOG_LEVEL + value: "{{ .Values.logLevel }}" + # App name for connection identification in logs and currentOp + - name: APP_NAME + value: {{ .Chart.Name | quote }} + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.envVars" . | nindent 10 }} + {{- end }} + - name: LOG_COLLECTOR_MANIFEST_PATH + value: /etc/config/log-collector-job.yaml + - name: LOG_COLLECTOR_TIMEOUT + value: "{{ .Values.logCollector.timeout | default "10m" }}" + - name: ENABLE_GCP_SOS_COLLECTION + value: "{{ .Values.logCollector.enableGcpSosCollection }}" + - name: ENABLE_AWS_SOS_COLLECTION + value: "{{ .Values.logCollector.enableAwsSosCollection }}" + {{- if .Values.clientCertMountPath }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: POSTGRESQL_CLIENT_CERT_MOUNT_PATH + value: {{ .Values.clientCertMountPath }} + {{- else }} + - name: MONGODB_CLIENT_CERT_MOUNT_PATH + value: {{ .Values.clientCertMountPath }} + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ if .Values.global.datastore }}{{ .Release.Name }}-datastore-config{{ else }}mongodb-config{{ end }} + optional: true + volumes: + {{- if .Values.clientCertMountPath }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: postgresql-client-cert-original + secret: + secretName: postgresql-client-cert + optional: false + - name: client-certs-fixed + emptyDir: {} + {{- else }} + - name: mongo-app-client-cert + secret: + secretName: {{ include "nvsentinel.certificates.secretName" . }} + {{- include "nvsentinel.certificates.volumeItems" . | nindent 10 }} + optional: true + {{- end }} + {{- end }} + - name: config-volume + configMap: + name: {{ include "fault-remediation.fullname" . }} + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.volume" . | nindent 6 }} + {{- end }} + restartPolicy: Always + {{- with (((.Values.global).systemNodeSelector) | default .Values.nodeSelector) }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (((.Values.global).affinity) | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (((.Values.global).systemNodeTolerations) | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/log-collector-rbac.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/log-collector-rbac.yaml new file mode 100644 index 00000000..4e242f75 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/log-collector-rbac.yaml @@ -0,0 +1,46 @@ +# Source: manifests/log-collector-job.yaml +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if .Values.logCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: log-collector-job +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: log-collector-job +rules: + - apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get","list"] + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: log-collector-job +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: log-collector-job +subjects: + - kind: ServiceAccount + name: log-collector-job + namespace: {{ .Release.Namespace }} +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/serviceaccount.yaml new file mode 100644 index 00000000..809f5332 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/templates/serviceaccount.yaml @@ -0,0 +1,19 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "fault-remediation.fullname" . }} + labels: + {{- include "fault-remediation.labels" . | nindent 4 }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/values.yaml new file mode 100644 index 00000000..6c5b17f8 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/fault-remediation/values.yaml @@ -0,0 +1,173 @@ + +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +replicaCount: 1 + +logLevel: info + +# Client certificate mount path for database connections +clientCertMountPath: /etc/ssl/client-certs + +image: + repository: ghcr.io/nvidia/nvsentinel/fault-remediation + pullPolicy: IfNotPresent + tag: "" + +resources: + limits: + cpu: "200m" + memory: "300Mi" + requests: + cpu: "200m" + memory: "300Mi" + +# Scheduling configuration +nodeSelector: {} +affinity: {} + +podAnnotations: {} + +# Special tolerations for fault remediation - allow running on nodes with any taints for log collection +tolerations: + - operator: "Exists" + +# Multi-template remediation configuration +# Allows different remediation actions to use different CRDs and operators +maintenance: + # Per-action remediation definitions + # Key is the RecommendedAction string (e.g., "COMPONENT_RESET", "RESTART_BM") + actions: + COMPONENT_RESET: + apiGroup: "janitor.dgxc.nvidia.com" + version: "v1alpha1" + kind: "RebootNode" + scope: "Cluster" + completeConditionType: "NodeReady" + templateFileName: "nvidia-reboot.yaml" + equivalenceGroup: "restart" + + # RESTART_VM is used as a fallback when GPU UUID is not available from metadata-collector. + RESTART_VM: + apiGroup: "janitor.dgxc.nvidia.com" + version: "v1alpha1" + kind: "RebootNode" + scope: "Cluster" + completeConditionType: "NodeReady" + templateFileName: "nvidia-reboot.yaml" + equivalenceGroup: "restart" + + # RESTART_BM is used for bare-metal node restarts. + RESTART_BM: + apiGroup: "janitor.dgxc.nvidia.com" + version: "v1alpha1" + kind: "RebootNode" + scope: "Cluster" + completeConditionType: "NodeReady" + templateFileName: "nvidia-reboot.yaml" + equivalenceGroup: "restart" + + # REPLACE_VM is used when the VM needs to be terminated and replaced. + REPLACE_VM: + apiGroup: "janitor.dgxc.nvidia.com" + version: "v1alpha1" + kind: "TerminateNode" + scope: "Cluster" + completeConditionType: "NodeTerminated" + templateFileName: "terminate-node.yaml" + equivalenceGroup: "terminate" + + # NOTE: Resource names for RBAC are generated by appending 's' to lowercase kind. + # This works for regular nouns but may fail for irregular plurals: + # RebootNode → rebootnodes (✓ correct) + # Policy → policys (✗ should be policies) + # Use CRD kinds that follow regular pluralization rules. + + # Template content for each remediation action + # Key matches the templateFileName name from actions above + templates: + "nvidia-reboot.yaml": | + apiVersion: janitor.dgxc.nvidia.com/v1alpha1 + kind: RebootNode + metadata: + name: maintenance-{{ .HealthEvent.NodeName }}-{{ .HealthEventID }} + labels: + app.kubernetes.io/managed-by: nvsentinel + spec: + nodeName: {{ .HealthEvent.NodeName }} + force: false + "terminate-node.yaml": | + apiVersion: janitor.dgxc.nvidia.com/v1alpha1 + kind: TerminateNode + metadata: + name: maintenance-{{ .HealthEvent.NodeName }}-{{ .HealthEventID }} + labels: + app.kubernetes.io/managed-by: nvsentinel + spec: + nodeName: {{ .HealthEvent.NodeName }} + force: false + # Additional template examples: + # "namespaced-restart.yaml": | + # apiVersion: remediation.example.com/v1alpha1 + # kind: RestartNode + # metadata: + # name: maintenance-{{ .NodeName }}-{{ .HealthEventID }} + # namespace: remediation + # labels: + # app.kubernetes.io/managed-by: nvsentinel + # spec: + # nodeName: {{ .NodeName }} + # ttlSecondsAfterFinished: 60 + +# Retry configuration for maintenance resource updates +# Used when updating annotations on nodes after creating maintenance resources +updateRetry: + # Maximum number of retry attempts if the update fails (due to conflicts, network issues, etc.) + maxRetries: 5 + # Delay in seconds between retry attempts (uses exponential backoff) + retryDelaySeconds: 10 + +# Log collector configuration +# When enabled, creates a Kubernetes Job to collect diagnostic logs from failing nodes +logCollector: + # Enable log collection jobs on node failures + enabled: false + image: + repository: ghcr.io/nvidia/nvsentinel/log-collector + # tag: latest # Optional: Override global.image.tag for log-collector + pullPolicy: IfNotPresent + # HTTP endpoint where collected logs will be uploaded + uploadURL: "http://nvsentinel-incluster-file-server.nvsentinel.svc.cluster.local/upload" + # Comma-separated list of namespaces where GPU operator components run (for collecting GPU operator logs) + gpuOperatorNamespaces: "gpu-operator" + # Enable GPU Operator must-gather collection (disabled by default) + # WARNING: must-gather collects logs from ALL nodes in the cluster, which can be very + # time-consuming for large clusters (e.g., GB200 clusters with 100+ nodes). + # If enabling this, you MUST increase the timeout accordingly. + # Recommended timeout: ~2-3 minutes per node (e.g., 100 nodes = 200-300 minutes) + enableGpuOperatorMustGather: false + # Enable GCP-specific SOS report collection + enableGcpSosCollection: false + # Enable AWS-specific SOS report collection + enableAwsSosCollection: false + # Timeout for waiting for log collection job to complete + # Default: 10m (sufficient for nvidia-bug-report only) + # If enableGpuOperatorMustGather is true, increase to: ~2-3 min per node in cluster + timeout: "10m" + # Additional environment variables to pass to the log-collector container + # Example: + # env: + # MOCK_MODE: "true" + # DEBUG: "1" + env: {} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/Chart.yaml new file mode 100644 index 00000000..dc578d1a --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: A Helm chart for the GPU health monitor +name: gpu-health-monitor +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/files/dcgmerrorsmapping.csv b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/files/dcgmerrorsmapping.csv new file mode 100644 index 00000000..77b99d92 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/files/dcgmerrorsmapping.csv @@ -0,0 +1,121 @@ +DCGM_FR_UNKNOWN,CONTACT_SUPPORT +DCGM_FR_UNRECOGNIZED,CONTACT_SUPPORT +DCGM_FR_PCI_REPLAY_RATE,CONTACT_SUPPORT +DCGM_FR_VOLATILE_DBE_DETECTED,COMPONENT_RESET +DCGM_FR_VOLATILE_SBE_DETECTED,NONE +DCGM_FR_PENDING_PAGE_RETIREMENTS,NONE +DCGM_FR_RETIRED_PAGES_LIMIT,CONTACT_SUPPORT +DCGM_FR_RETIRED_PAGES_DBE_LIMIT,CONTACT_SUPPORT +DCGM_FR_CORRUPT_INFOROM,COMPONENT_RESET +DCGM_FR_CLOCKS_EVENT_THERMAL,CONTACT_SUPPORT +DCGM_FR_CLOCK_THROTTLE_THERMAL,NONE +DCGM_FR_POWER_UNREADABLE,RESTART_VM +DCGM_FR_CLOCKS_EVENT_POWER,NONE +DCGM_FR_CLOCK_THROTTLE_POWER,NONE +DCGM_FR_NVLINK_ERROR_THRESHOLD,NONE +DCGM_FR_NVLINK_DOWN,RESTART_VM +DCGM_FR_NVSWITCH_FATAL_ERROR,CONTACT_SUPPORT +DCGM_FR_NVSWITCH_NON_FATAL_ERROR,NONE +DCGM_FR_NVSWITCH_DOWN,COMPONENT_RESET +DCGM_FR_NO_ACCESS_TO_FILE,CONTACT_SUPPORT +DCGM_FR_NVML_API,CONTACT_SUPPORT +DCGM_FR_DEVICE_COUNT_MISMATCH,CONTACT_SUPPORT +DCGM_FR_BAD_PARAMETER,CONTACT_SUPPORT +DCGM_FR_CANNOT_OPEN_LIB,CONTACT_SUPPORT +DCGM_FR_DENYLISTED_DRIVER,CONTACT_SUPPORT +DCGM_FR_NVML_LIB_BAD,CONTACT_SUPPORT +DCGM_FR_GRAPHICS_PROCESSES,CONTACT_SUPPORT +DCGM_FR_HOSTENGINE_CONN,CONTACT_SUPPORT +DCGM_FR_FIELD_QUERY,RESTART_VM +DCGM_FR_BAD_CUDA_ENV,CONTACT_SUPPORT +DCGM_FR_PERSISTENCE_MODE,CONTACT_SUPPORT +DCGM_FR_LOW_BANDWIDTH,CONTACT_SUPPORT +DCGM_FR_HIGH_LATENCY,CONTACT_SUPPORT +DCGM_FR_CANNOT_GET_FIELD_TAG,CONTACT_SUPPORT +DCGM_FR_FIELD_VIOLATION,RESTART_VM +DCGM_FR_FIELD_THRESHOLD,RESTART_VM +DCGM_FR_FIELD_VIOLATION_DBL,RESTART_VM +DCGM_FR_FIELD_THRESHOLD_DBL,RESTART_VM +DCGM_FR_UNSUPPORTED_FIELD_TYPE,RESTART_VM +DCGM_FR_FIELD_THRESHOLD_TS,RESTART_VM +DCGM_FR_FIELD_THRESHOLD_TS_DBL,RESTART_VM +DCGM_FR_THERMAL_VIOLATIONS,CONTACT_SUPPORT +DCGM_FR_THERMAL_VIOLATIONS_TS,CONTACT_SUPPORT +DCGM_FR_TEMP_VIOLATION,CONTACT_SUPPORT +DCGM_FR_CLOCKS_EVENT_VIOLATION,RESTART_VM +DCGM_FR_THROTTLING_VIOLATION,RESTART_VM +DCGM_FR_INTERNAL,CONTACT_SUPPORT +DCGM_FR_PCIE_GENERATION,CONTACT_SUPPORT +DCGM_FR_PCIE_WIDTH,CONTACT_SUPPORT +DCGM_FR_ABORTED,NONE +DCGM_FR_TEST_DISABLED,NONE +DCGM_FR_CANNOT_GET_STAT,CONTACT_SUPPORT +DCGM_FR_STRESS_LEVEL,RESTART_VM +DCGM_FR_CUDA_API,CONTACT_SUPPORT +DCGM_FR_FAULTY_MEMORY,CONTACT_SUPPORT +DCGM_FR_CANNOT_SET_WATCHES,RESTART_VM +DCGM_FR_CUDA_UNBOUND,RESTART_VM +DCGM_FR_ECC_DISABLED,CONTACT_SUPPORT +DCGM_FR_MEMORY_ALLOC,RESTART_VM +DCGM_FR_CUDA_DBE,CONTACT_SUPPORT +DCGM_FR_MEMORY_MISMATCH,CONTACT_SUPPORT +DCGM_FR_CUDA_DEVICE,CONTACT_SUPPORT +DCGM_FR_ECC_UNSUPPORTED,CONTACT_SUPPORT +DCGM_FR_ECC_PENDING,RESTART_VM +DCGM_FR_MEMORY_BANDWIDTH,RESTART_VM +DCGM_FR_TARGET_POWER,NONE +DCGM_FR_API_FAIL,RESTART_VM +DCGM_FR_API_FAIL_GPU,RESTART_VM +DCGM_FR_CUDA_CONTEXT,CONTACT_SUPPORT +DCGM_FR_DCGM_API,CONTACT_SUPPORT +DCGM_FR_CONCURRENT_GPUS,CONTACT_SUPPORT +DCGM_FR_TOO_MANY_ERRORS,CONTACT_SUPPORT +DCGM_FR_NVLINK_CRC_ERROR_THRESHOLD,CONTACT_SUPPORT +DCGM_FR_NVLINK_ERROR_CRITICAL,CONTACT_SUPPORT +DCGM_FR_ENFORCED_POWER_LIMIT,CONTACT_SUPPORT +DCGM_FR_MEMORY_ALLOC_HOST,RESTART_VM +DCGM_FR_GPU_OP_MODE,CONTACT_SUPPORT +DCGM_FR_NO_MEMORY_CLOCKS,CONTACT_SUPPORT +DCGM_FR_NO_GRAPHICS_CLOCKS,NONE +DCGM_FR_HAD_TO_RESTORE_STATE,RESTART_VM +DCGM_FR_L1TAG_UNSUPPORTED,CONTACT_SUPPORT +DCGM_FR_L1TAG_MISCOMPARE,CONTACT_SUPPORT +DCGM_FR_ROW_REMAP_FAILURE,CONTACT_SUPPORT +DCGM_FR_UNCONTAINED_ERROR,RESTART_VM +DCGM_FR_EMPTY_GPU_LIST,CONTACT_SUPPORT +DCGM_FR_DBE_PENDING_PAGE_RETIREMENTS,RESTART_VM +DCGM_FR_UNCORRECTABLE_ROW_REMAP,NONE +DCGM_FR_PENDING_ROW_REMAP,COMPONENT_RESET +DCGM_FR_BROKEN_P2P_MEMORY_DEVICE,CONTACT_SUPPORT +DCGM_FR_BROKEN_P2P_WRITER_DEVICE,CONTACT_SUPPORT +DCGM_FR_NVSWITCH_NVLINK_DOWN,CONTACT_SUPPORT +DCGM_FR_EUD_BINARY_PERMISSIONS,CONTACT_SUPPORT +DCGM_FR_EUD_NON_ROOT_USER,CONTACT_SUPPORT +DCGM_FR_EUD_SPAWN_FAILURE,CONTACT_SUPPORT +DCGM_FR_EUD_TIMEOUT,CONTACT_SUPPORT +DCGM_FR_EUD_ZOMBIE,CONTACT_SUPPORT +DCGM_FR_EUD_NON_ZERO_EXIT_CODE,CONTACT_SUPPORT +DCGM_FR_EUD_TEST_FAILED,CONTACT_SUPPORT +DCGM_FR_FILE_CREATE_PERMISSIONS,CONTACT_SUPPORT +DCGM_FR_PAUSE_RESUME_FAILED,CONTACT_SUPPORT +DCGM_FR_PCIE_H_REPLAY_VIOLATION,CONTACT_SUPPORT +DCGM_FR_GPU_EXPECTED_NVLINKS_UP,CONTACT_SUPPORT +DCGM_FR_NVSWITCH_EXPECTED_NVLINKS_UP,CONTACT_SUPPORT +DCGM_FR_XID_ERROR,NONE +DCGM_FR_SBE_VIOLATION,CONTACT_SUPPORT +DCGM_FR_DBE_VIOLATION,CONTACT_SUPPORT +DCGM_FR_PCIE_REPLAY_VIOLATION,CONTACT_SUPPORT +DCGM_FR_SBE_THRESHOLD_VIOLATION,CONTACT_SUPPORT +DCGM_FR_DBE_THRESHOLD_VIOLATION,CONTACT_SUPPORT +DCGM_FR_PCIE_REPLAY_THRESHOLD_VIOLATION,CONTACT_SUPPORT +DCGM_FR_CUDA_FM_NOT_INITIALIZED,CONTACT_SUPPORT +DCGM_FR_SXID_ERROR,RESTART_VM +DCGM_FR_GFLOPS_THRESHOLD_VIOLATION,CONTACT_SUPPORT +DCGM_FR_NAN_VALUE,CONTACT_SUPPORT +DCGM_FR_FABRIC_MANAGER_TRAINING_ERROR,CONTACT_SUPPORT +DCGM_FR_BROKEN_P2P_PCIE_MEMORY_DEVICE,CONTACT_SUPPORT +DCGM_FR_BROKEN_P2P_PCIE_WRITER_DEVICE,CONTACT_SUPPORT +DCGM_FR_BROKEN_P2P_NVLINK_MEMORY_DEVICE,CONTACT_SUPPORT +DCGM_FR_BROKEN_P2P_NVLINK_WRITER_DEVICE,CONTACT_SUPPORT +DCGM_FR_TEST_SKIPPED,NONE +DCGM_FR_ERROR_SENTINEL,NONE \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/NOTES.txt b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/NOTES.txt new file mode 100644 index 00000000..8c6b4b9a --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/NOTES.txt @@ -0,0 +1 @@ +GPU health monitor has been successfully installed. diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/_helpers.tpl new file mode 100644 index 00000000..dc64a005 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/_helpers.tpl @@ -0,0 +1,80 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "gpu-health-monitor.name" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "gpu-health-monitor.fullname" -}} +{{- "gpu-health-monitor" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gpu-health-monitor.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "gpu-health-monitor.labels" -}} +helm.sh/chart: {{ include "gpu-health-monitor.chart" . }} +{{ include "gpu-health-monitor.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "gpu-health-monitor.selectorLabels" -}} +app.kubernetes.io/name: {{ include "gpu-health-monitor.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +DCGM service enabled - uses global.dcgm.enabled with fallback to local +*/}} +{{- define "gpu-health-monitor.dcgmEnabled" -}} +{{- if and .Values.global .Values.global.dcgm }} +{{- .Values.global.dcgm.enabled }} +{{- else }} +{{- .Values.dcgm.dcgmK8sServiceEnabled }} +{{- end }} +{{- end }} + +{{/* +DCGM service endpoint - uses global.dcgm.service.endpoint with fallback to local +*/}} +{{- define "gpu-health-monitor.dcgmEndpoint" -}} +{{- if and .Values.global .Values.global.dcgm .Values.global.dcgm.service }} +{{- .Values.global.dcgm.service.endpoint | default .Values.dcgm.service.endpoint }} +{{- else }} +{{- .Values.dcgm.service.endpoint }} +{{- end }} +{{- end }} + +{{/* +DCGM service port - uses global.dcgm.service.port with fallback to local +*/}} +{{- define "gpu-health-monitor.dcgmPort" -}} +{{- if and .Values.global .Values.global.dcgm .Values.global.dcgm.service }} +{{- .Values.global.dcgm.service.port | default .Values.dcgm.service.port }} +{{- else }} +{{- .Values.dcgm.service.port }} +{{- end }} +{{- end }} + +{{/* +DCGM address - combines endpoint and port +*/}} +{{- define "gpu-health-monitor.dcgmAddr" -}} +{{- printf "%s:%v" (include "gpu-health-monitor.dcgmEndpoint" .) (include "gpu-health-monitor.dcgmPort" .) }} +{{- end }} \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/configmap.yaml new file mode 100644 index 00000000..d7fc76b1 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/configmap.yaml @@ -0,0 +1,38 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "gpu-health-monitor.fullname" . }} + labels: + {{- include "gpu-health-monitor.labels" . | nindent 4 }} +data: + config.ini: | + [logging] + LogFormat = %%(asctime)s,%%(msecs)03d %%(levelname)-8s [%%(filename)s:%%(lineno)d] %%(message)s + DateTimeFormat = %%Y-%%m-%%d:%%H:%%M:%%S + + [dcgm] + PollIntervalSeconds = 15 + + [eventprocessors.kubernetes] + ConflictRetryCount = 10 + + [eventprocessors.platformconnector] + SocketPath = /var/run/nvsentinel.sock + + [cli] + EnabledEventProcessors = PlatformConnectorEventProcessor + +{{ (.Files.Glob "files/dcgmerrorsmapping.csv").AsConfig | indent 2 }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/daemonset-dcgm-3.x.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/daemonset-dcgm-3.x.yaml new file mode 100644 index 00000000..b5589ff2 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/daemonset-dcgm-3.x.yaml @@ -0,0 +1,138 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "gpu-health-monitor.fullname" . }}-dcgm-3.x + labels: + {{- include "gpu-health-monitor.labels" . | nindent 4 }} +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 5% + selector: + matchLabels: + {{- include "gpu-health-monitor.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + labels: + {{- include "gpu-health-monitor.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + command: ["gpu_health_monitor"] + args: + - --config-file + - "/etc/dcgmhealth/config.ini" + - --dcgm-error-mapping-config-file + - "/etc/dcgmhealth/dcgmerrorsmapping.csv" + - --dcgm-addr + - {{ ternary (include "gpu-health-monitor.dcgmAddr" .) "localhost:5555" (include "gpu-health-monitor.dcgmEnabled" . | eq "true") | quote }} + - --port + - "{{ .Values.global.metricsPort }}" + - --verbose + - {{ .Values.verbose | quote }} + - --state-file + - "/var/run/statefile" + - --dcgm-k8s-service-enabled + - {{ include "gpu-health-monitor.dcgmEnabled" . | quote }} + - --metadata-path + - {{ .Values.global.metadataPath | quote }} + - --processing-strategy + - {{ .Values.processingStrategy | quote }} + securityContext: + runAsUser: 0 + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}-dcgm-3.x" + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + ports: + - name: metrics + containerPort: {{ .Values.global.metricsPort }} + livenessProbe: + httpGet: + path: /metrics + port: {{ .Values.global.metricsPort }} + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 3 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /metrics + port: {{ .Values.global.metricsPort }} + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + volumeMounts: + {{- if .Values.additionalVolumeMounts }} + {{ toYaml .Values.additionalVolumeMounts | nindent 12 }} + {{- end }} + - name: config-vol + mountPath: /etc/dcgmhealth + - name: var-run-vol + mountPath: /var/run/ + - name: gpu-metadata + mountPath: /var/lib/nvsentinel + readOnly: true + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumes: + - name: config-vol + configMap: + name: {{ include "gpu-health-monitor.fullname" . }} + defaultMode: 0777 + - name: var-run-vol + hostPath: + path: /var/run/nvsentinel + type: Directory + - name: gpu-metadata + hostPath: + path: /var/lib/nvsentinel + type: DirectoryOrCreate + {{- if .Values.additionalHostVolumes }} + {{ toYaml .Values.additionalHostVolumes | nindent 8 }} + {{- end }} + {{- if .Values.useHostNetworking }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + {{- end }} + nodeSelector: + nvsentinel.dgxc.nvidia.com/dcgm.version: "3.x" + {{- with (.Values.global.nodeSelector | default .Values.nodeSelector) }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.affinity | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.tolerations | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/daemonset-dcgm-4.x.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/daemonset-dcgm-4.x.yaml new file mode 100644 index 00000000..ddef4a38 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/templates/daemonset-dcgm-4.x.yaml @@ -0,0 +1,138 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "gpu-health-monitor.fullname" . }}-dcgm-4.x + labels: + {{- include "gpu-health-monitor.labels" . | nindent 4 }} +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 5% + selector: + matchLabels: + {{- include "gpu-health-monitor.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + labels: + {{- include "gpu-health-monitor.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + command: ["gpu_health_monitor"] + args: + - --config-file + - "/etc/dcgmhealth/config.ini" + - --dcgm-error-mapping-config-file + - "/etc/dcgmhealth/dcgmerrorsmapping.csv" + - --dcgm-addr + - {{ ternary (include "gpu-health-monitor.dcgmAddr" .) "localhost:5555" (include "gpu-health-monitor.dcgmEnabled" . | eq "true") | quote }} + - --port + - "{{ .Values.global.metricsPort }}" + - --verbose + - {{ .Values.verbose | quote }} + - --state-file + - "/var/run/statefile" + - --dcgm-k8s-service-enabled + - {{ include "gpu-health-monitor.dcgmEnabled" . | quote }} + - --metadata-path + - {{ .Values.global.metadataPath | quote }} + - --processing-strategy + - {{ .Values.processingStrategy | quote }} + securityContext: + runAsUser: 0 + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}-dcgm-4.x" + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + ports: + - name: metrics + containerPort: {{ .Values.global.metricsPort }} + livenessProbe: + httpGet: + path: /metrics + port: {{ .Values.global.metricsPort }} + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 3 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /metrics + port: {{ .Values.global.metricsPort }} + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + volumeMounts: + {{- if .Values.additionalVolumeMounts }} + {{ toYaml .Values.additionalVolumeMounts | nindent 12 }} + {{- end }} + - name: config-vol + mountPath: /etc/dcgmhealth + - name: var-run-vol + mountPath: /var/run/ + - name: gpu-metadata + mountPath: /var/lib/nvsentinel + readOnly: true + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumes: + - name: config-vol + configMap: + name: {{ include "gpu-health-monitor.fullname" . }} + defaultMode: 0777 + - name: var-run-vol + hostPath: + path: /var/run/nvsentinel + type: Directory + - name: gpu-metadata + hostPath: + path: /var/lib/nvsentinel + type: DirectoryOrCreate + {{- if .Values.additionalHostVolumes }} + {{ toYaml .Values.additionalHostVolumes | nindent 8 }} + {{- end }} + {{- if .Values.useHostNetworking }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + {{- end }} + nodeSelector: + nvsentinel.dgxc.nvidia.com/dcgm.version: "4.x" + {{- with (.Values.global.nodeSelector | default .Values.nodeSelector) }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.affinity | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.tolerations | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/values.yaml new file mode 100644 index 00000000..9f5ee758 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/gpu-health-monitor/values.yaml @@ -0,0 +1,62 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +image: + repository: ghcr.io/nvidia/nvsentinel/gpu-health-monitor + pullPolicy: IfNotPresent + tag: "" + +# DCGM (Data Center GPU Manager) integration configuration +dcgm: + # Enable DCGM Kubernetes service for GPU metrics collection + dcgmK8sServiceEnabled: true + service: + # DCGM service endpoint in the cluster + endpoint: "nvidia-dcgm.gpu-operator.svc" + # DCGM service port + port: 5555 + +# Use host networking for GPU health monitor pods +# Required for accessing host-level GPU metrics +useHostNetworking: false + +# Additional volume mounts for GPU health monitor (optional) +additionalVolumeMounts: [] + +# Additional host volumes for GPU health monitor (optional) +additionalHostVolumes: [] + +resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 128Mi + +# Scheduling configuration +nodeSelector: {} +affinity: {} +tolerations: [] + +podAnnotations: {} + +verbose: "False" + +# Processing strategy for health events +# valid values: EXECUTE_REMEDIATION, STORE_ONLY +# default: EXECUTE_REMEDIATION +# EXECUTE_REMEDIATION: normal behavior; downstream modules may update cluster state. +# STORE_ONLY: observability-only behavior; event should be persisted/exported but should not modify cluster resources (i.e., no node conditions, no quarantine, no drain, no remediation). +processingStrategy: EXECUTE_REMEDIATION diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/Chart.yaml new file mode 100644 index 00000000..3226d716 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: A Helm chart for Kubernetes +name: health-events-analyzer +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/templates/_helpers.tpl new file mode 100644 index 00000000..0b09a9b5 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "health-events-analyzer.name" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "health-events-analyzer.fullname" -}} +{{- "health-events-analyzer" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "health-events-analyzer.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "health-events-analyzer.labels" -}} +helm.sh/chart: {{ include "health-events-analyzer.chart" . }} +{{ include "health-events-analyzer.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "health-events-analyzer.selectorLabels" -}} +app.kubernetes.io/name: {{ include "health-events-analyzer.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/templates/configmap.yaml new file mode 100644 index 00000000..9be10cdf --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/templates/configmap.yaml @@ -0,0 +1,23 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "health-events-analyzer.fullname" . }}-config + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + config.toml: | + {{ tpl .Values.config . | nindent 6 }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/templates/deployment.yaml new file mode 100644 index 00000000..2d4e7497 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/templates/deployment.yaml @@ -0,0 +1,185 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "health-events-analyzer.fullname" . }} + labels: + {{- include "health-events-analyzer.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "health-events-analyzer.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + # Force pod restart when configmap changes + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "health-events-analyzer.labels" . | nindent 8 }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "health-events-analyzer.fullname" . }} + {{- if and .Values.clientCertMountPath .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + initContainers: + - name: fix-cert-permissions + image: "{{ .Values.global.initContainerImage.repository }}:{{ .Values.global.initContainerImage.tag }}" + imagePullPolicy: {{ .Values.global.initContainerImage.pullPolicy }} + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + command: + - sh + - -c + - | + echo "Copying PostgreSQL client certificates with correct permissions..." + cp /etc/ssl/client-certs-original/tls.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/ca.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/tls.key /etc/ssl/client-certs-fixed/ + chmod 644 /etc/ssl/client-certs-fixed/tls.crt + chmod 644 /etc/ssl/client-certs-fixed/ca.crt + chmod 600 /etc/ssl/client-certs-fixed/tls.key + echo "Certificate permissions fixed:" + ls -la /etc/ssl/client-certs-fixed/ + volumeMounts: + - name: postgresql-client-cert-original + mountPath: /etc/ssl/client-certs-original + readOnly: true + - name: client-certs-fixed + mountPath: /etc/ssl/client-certs-fixed + {{- end }} + containers: + - name: health-events-analyzer + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + args: + - "--metrics-port={{ .Values.global.metricsPort }}" + {{- if .Values.clientCertMountPath }} + - "--database-client-cert-mount-path={{ .Values.clientCertMountPath }}" + {{- end }} + - "--processing-strategy={{ .Values.processingStrategy }}" + ports: + - name: metrics + containerPort: {{ .Values.global.metricsPort }} + livenessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + securityContext: + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + runAsUser: 1001 + runAsGroup: 1001 + {{- else }} + runAsUser: 0 + {{- end }} + volumeMounts: + - name: config-volume + mountPath: /etc/config/config.toml + subPath: config.toml + {{- if .Values.clientCertMountPath }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: client-certs-fixed + mountPath: {{ .Values.clientCertMountPath }} + readOnly: true + {{- else }} + - name: mongo-app-client-cert + mountPath: {{ .Values.clientCertMountPath }} + readOnly: true + {{- end }} + {{- end }} + - name: var-run-vol + mountPath: /var/run/ + env: + - name: LOG_LEVEL + value: "{{ .Values.logLevel }}" + # App name for connection identification in logs and currentOp + - name: APP_NAME + value: {{ .Chart.Name | quote }} + {{- if .Values.clientCertMountPath }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: POSTGRESQL_CLIENT_CERT_MOUNT_PATH + value: {{ .Values.clientCertMountPath }} + {{- else }} + - name: MONGODB_CLIENT_CERT_MOUNT_PATH + value: {{ .Values.clientCertMountPath }} + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ if .Values.global.datastore }}{{ .Release.Name }}-datastore-config{{ else }}mongodb-config{{ end }} + optional: true + volumes: + - name: config-volume + configMap: + name: {{ include "health-events-analyzer.fullname" . }}-config + items: + - key: config.toml + path: config.toml + - name: var-run-vol + hostPath: + path: /var/run/nvsentinel + type: Directory + {{- if .Values.clientCertMountPath }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: postgresql-client-cert-original + secret: + secretName: postgresql-client-cert + optional: false + - name: client-certs-fixed + emptyDir: {} + {{- else }} + - name: mongo-app-client-cert + secret: + secretName: {{ include "nvsentinel.certificates.secretName" . }} + {{- include "nvsentinel.certificates.volumeItems" . | nindent 10 }} + optional: true + {{- end }} + {{- end }} + restartPolicy: Always + {{- with (.Values.global.systemNodeSelector | default .Values.nodeSelector) }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.affinity | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.systemNodeTolerations | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/templates/serviceaccount.yaml new file mode 100644 index 00000000..411f1069 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/templates/serviceaccount.yaml @@ -0,0 +1,20 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "health-events-analyzer.fullname" . }} + labels: + {{- include "health-events-analyzer.labels" . | nindent 4 }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/values.yaml new file mode 100644 index 00000000..7bdb3698 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/health-events-analyzer/values.yaml @@ -0,0 +1,3443 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +replicaCount: 1 + +image: + repository: ghcr.io/nvidia/nvsentinel/health-events-analyzer + pullPolicy: IfNotPresent + tag: "" + +podAnnotations: {} + +resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + +logLevel: info + +# Processing strategy for health events +# valid values: EXECUTE_REMEDIATION, STORE_ONLY +# default: EXECUTE_REMEDIATION +# EXECUTE_REMEDIATION: normal behavior; downstream modules may update cluster state. +# STORE_ONLY: observability-only behavior; event should be persisted/exported but should not modify cluster resources (i.e., no node conditions, no quarantine, no drain, no remediation). +processingStrategy: EXECUTE_REMEDIATION + +# Enable flags for the rules to be evaluated. +enableMultipleRemediationsRule: true +enableRepeatedXIDErrorOnSameGPURule: true +enableRepeatedXID31OnSameGPURule: true +enableRepeatedXID31OnDifferentGPURule: true +enableRepeatedXID13OnSameGPCAndTPCRule: true +enableRepeatedXID13OnDifferentGPCAndTPCRule: true +enableXIDErrorSoloNoBurstRule: true +enableXID74Reg0SoloNVLinkErrorRule: true +enableXID74Reg0ECCParityErrorRule: true +enableRepeatedXID74Reg0HardwareIssueRule: true +enableXID74Reg0SignalIntegrityErrorRule: true +enableXID74Reg0Bit27Or29SetRule: true +enableRepeatedXID74Reg2HardwareIssueRule: true +enableXID74Reg2Bit13SetRule: true +enableRepeatedXID74Reg2Bit16Or19SetRule: true +enableRepeatedXID74Reg2Bit17Or18SetRule: true +enableXID74Reg3UnexpectedErrorRule: true +enableXID74Reg3Bit18SetRule: true +enableXID74Reg4HardwareIssueRule: true +enableXID74Reg4ECCErrorRule: true + +# Client certificate mount path for database connections +clientCertMountPath: /etc/ssl/client-certs + +config: | + # The node condition for these rules needs to be removed manually because health-events-analyzer does not publish healthy events to clear it. + # Please run the command below to remove the node condition: + # kubectl get node -o json | jq '.status.conditions |= map(select(.type != ""))' | kubectl replace -f - --subresource=status + [[rules]] + name = "MultipleRemediations" + description = "Detect if multiple remediations are performed within 7 days on a node" + recommended_action = "CONTACT_SUPPORT" + evaluate_rule = {{ .Values.enableMultipleRemediationsRule }} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 604800]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "healtheventstatus.faultremediated.value": true, + "healthevent.nodename": "this.healthevent.nodename", + "healthevent.isfatal": "this.healthevent.isfatal" + } + } + ''', + '{"$count": "count"}', + '{"$match": {"count": {"$gte": 5}}}' + ] + + [[rules]] + name = "RepeatedXIDErrorOnSameGPU" + description = "Detect occurrence of fatal XIDs 5 times within 24 hours where the burst window is 3 minutes and sticky XIDs window is 3 hours" + recommended_action = "CONTACT_SUPPORT" + evaluate_rule = {{ .Values.enableRepeatedXIDErrorOnSameGPURule }} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$ne": [ + "this.healthevent.errorcode.0", + "31" + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "$expr": { + "$gt": [ + { + "$size": { + "$setIntersection": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + } + ] + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"healthevent.generatedtimestamp.seconds": 1}, + "output": { + "prevTimestamp": { + "$shift": { + "output": "$healthevent.generatedtimestamp.seconds", + "by": -1 + } + } + } + } + } + ''', + ''' + { + "$addFields": { + "isStickyXid": { + "$in": [ + {"$arrayElemAt": ["$healthevent.errorcode", 0]}, + ["74", "79", "95", "109", "119"] + ] + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"healthevent.generatedtimestamp.seconds": 1}, + "output": { + "allPreviousEvents": { + "$push": "$$ROOT", + "window": {"documents": ["unbounded", -1]} + } + } + } + } + ''', + ''' + { + "$addFields": { + "stickyXidWithin3Hours": { + "$cond": { + "if": "$isStickyXid", + "then": { + "$anyElementTrue": { + "$map": { + "input": "$allPreviousEvents", + "as": "prevEvent", + "in": { + "$and": [ + { + "$in": [ + {"$arrayElemAt": ["$$prevEvent.healthevent.errorcode", 0]}, + ["74", "79", "95", "109", "119"] + ] + }, + {"$lte": [{"$subtract": ["$healthevent.generatedtimestamp.seconds", "$$prevEvent.healthevent.generatedtimestamp.seconds"]}, 10800]} + ] + } + } + } + }, + "else": false + } + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"healthevent.generatedtimestamp.seconds": 1}, + "output": { + "burstId": { + "$sum": { + "$cond": { + "if": {"$eq": ["$prevTimestamp", null]}, + "then": 1, + "else": { + "$cond": { + "if": { + "$and": [ + "$isStickyXid", + "$stickyXidWithin3Hours" + ] + }, + "then": 0, + "else": { + "$cond": { + "if": {"$gt": [{"$subtract": ["$healthevent.generatedtimestamp.seconds", "$prevTimestamp"]}, 180]}, + "then": 1, + "else": 0 + } + } + } + } + } + }, + "window": {"documents": ["unbounded", "current"]} + } + } + } + } + ''', + ''' + { + "$group": { + "_id": {"burstId": "$burstId"}, + "uniqueXidsInBurst": {"$addToSet": {"$arrayElemAt": ["$healthevent.errorcode", 0]}}, + "targetXidCount": { + "$sum": { + "$cond": [ + {"$eq": [{"$arrayElemAt": ["$healthevent.errorcode", 0]}, "this.healthevent.errorcode.0"]}, + 1, + 0 + ] + } + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"_id.burstId": 1}, + "output": {"maxBurstId": {"$max": "$_id.burstId"}} + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + {"$in": ["this.healthevent.errorcode.0", "$uniqueXidsInBurst"]}, + { + "$or": [ + {"$ne": ["$_id.burstId", "$maxBurstId"]}, + {"$eq": ["$targetXidCount", 1]} + ] + } + ] + } + } + } + ''', + ''' + { + "$group": { + "_id": null, + "count": {"$sum": 1}, + "bursts": {"$push": {"burstId": "$_id.burstId", "uniqueXids": "$uniqueXidsInBurst"}} + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$gte": [ + "$count", 5 + ] + } + } + } + ''' + ] + + [[rules]] + name = "RepeatedXID31OnSameGPU" + description = "Detect if XID 31 occurred 2 or more times on the same GPU within 24 hours where the burst window is 3 minutes and sticky XIDs window is 3 hours" + recommended_action = "RUN_DCGMEUD" + message = "if DCGM EUD tests pass, run field diagnostics" + evaluate_rule = {{ .Values.enableRepeatedXID31OnSameGPURule }} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "31" + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "$expr": { + "$gt": [ + { + "$size": { + "$setIntersection": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + } + ] + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"healthevent.generatedtimestamp.seconds": 1}, + "output": { + "prevTimestamp": { + "$shift": { + "output": "$healthevent.generatedtimestamp.seconds", + "by": -1 + } + } + } + } + } + ''', + ''' + { + "$addFields": { + "isStickyXid": { + "$in": [ + {"$arrayElemAt": ["$healthevent.errorcode", 0]}, + ["74", "79", "95", "109", "119"] + ] + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"healthevent.generatedtimestamp.seconds": 1}, + "output": { + "allPreviousEvents": { + "$push": "$$ROOT", + "window": {"documents": ["unbounded", -1]} + } + } + } + } + ''', + ''' + { + "$addFields": { + "stickyXidWithin3Hours": { + "$cond": { + "if": "$isStickyXid", + "then": { + "$anyElementTrue": { + "$map": { + "input": "$allPreviousEvents", + "as": "prevEvent", + "in": { + "$and": [ + { + "$in": [ + {"$arrayElemAt": ["$$prevEvent.healthevent.errorcode", 0]}, + ["74", "79", "95", "109", "119"] + ] + }, + {"$lte": [{"$subtract": ["$healthevent.generatedtimestamp.seconds", "$$prevEvent.healthevent.generatedtimestamp.seconds"]}, 10800]} + ] + } + } + } + }, + "else": false + } + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"healthevent.generatedtimestamp.seconds": 1}, + "output": { + "burstId": { + "$sum": { + "$cond": { + "if": {"$eq": ["$prevTimestamp", null]}, + "then": 1, + "else": { + "$cond": { + "if": { + "$and": [ + "$isStickyXid", + "$stickyXidWithin3Hours" + ] + }, + "then": 0, + "else": { + "$cond": { + "if": {"$gt": [{"$subtract": ["$healthevent.generatedtimestamp.seconds", "$prevTimestamp"]}, 180]}, + "then": 1, + "else": 0 + } + } + } + } + } + }, + "window": {"documents": ["unbounded", "current"]} + } + } + } + } + ''', + ''' + { + "$group": { + "_id": {"burstId": "$burstId"}, + "uniqueXidsInBurst": {"$addToSet": {"$arrayElemAt": ["$healthevent.errorcode", 0]}}, + "targetXidCount": { + "$sum": { + "$cond": [ + {"$eq": [{"$arrayElemAt": ["$healthevent.errorcode", 0]}, "this.healthevent.errorcode.0"]}, + 1, + 0 + ] + } + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"_id.burstId": 1}, + "output": {"maxBurstId": {"$max": "$_id.burstId"}} + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + {"$in": ["this.healthevent.errorcode.0", "$uniqueXidsInBurst"]}, + { + "$or": [ + {"$ne": ["$_id.burstId", "$maxBurstId"]}, + {"$eq": ["$targetXidCount", 1]} + ] + } + ] + } + } + } + ''', + ''' + { + "$group": { + "_id": null, + "count": {"$sum": 1}, + "bursts": {"$push": {"burstId": "$_id.burstId", "uniqueXids": "$uniqueXidsInBurst"}} + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$gte": [ + "$count", 2 + ] + } + } + } + ''' + ] + + [[rules]] + name = "RepeatedXID31OnDifferentGPU" + description = "Detect if XID 31 occurred 2 or more times on different GPUs within 24 hours" + message = "App passing bad data or using incorrect GPU methods; check error PID to identify source of the problem, if application is known good and problem persists, then contact support" + recommended_action = "NONE" + evaluate_rule = {{ .Values.enableRepeatedXID31OnDifferentGPURule }} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "31" + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "healthevent.errorcode": "this.healthevent.errorcode.0" + } + } + ''', + ''' + { + "$addFields": { + "gpuUuid": { + "$let": { + "vars": { + "uuid": { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + }, + "in": { + "$cond": [ + {"$ne": ["$$uuid", null]}, + "$$uuid", + null + ] + } + } + } + } + } + ''', + ''' + { + "$group": { + "_id": null, + "uniqueGPUs": {"$addToSet": "$gpuUuid"} + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$gte": [{"$size": "$uniqueGPUs"}, 2] + } + } + } + ''' + ] + + [[rules]] + name = "RepeatedXID13OnSameGPCAndTPC" + description = "Detect if XID 13 occurred 2 or more times on the same GPC and TPC within 24 hours" + message = "if DCGM EUD tests pass, run field diagnostics" + recommended_action = "RUN_DCGMEUD" + evaluate_rule = {{ .Values.enableRepeatedXID13OnSameGPCAndTPCRule }} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "13" + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "$expr": { + "$gt": [ + { + "$size": { + "$setIntersection": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + } + ] + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"healthevent.generatedtimestamp.seconds": 1}, + "output": { + "prevTimestamp": { + "$shift": { + "output": "$healthevent.generatedtimestamp.seconds", + "by": -1 + } + } + } + } + } + ''', + ''' + { + "$addFields": { + "isStickyXid": { + "$in": [ + {"$arrayElemAt": ["$healthevent.errorcode", 0]}, + ["74", "79", "95", "109", "119"] + ] + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"healthevent.generatedtimestamp.seconds": 1}, + "output": { + "allPreviousEvents": { + "$push": "$$ROOT", + "window": {"documents": ["unbounded", -1]} + } + } + } + } + ''', + ''' + { + "$addFields": { + "stickyXidWithin3Hours": { + "$cond": { + "if": "$isStickyXid", + "then": { + "$anyElementTrue": { + "$map": { + "input": "$allPreviousEvents", + "as": "prevEvent", + "in": { + "$and": [ + { + "$in": [ + {"$arrayElemAt": ["$$prevEvent.healthevent.errorcode", 0]}, + ["74", "79", "95", "109", "119"] + ] + }, + {"$lte": [{"$subtract": ["$healthevent.generatedtimestamp.seconds", "$$prevEvent.healthevent.generatedtimestamp.seconds"]}, 10800]} + ] + } + } + } + }, + "else": false + } + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"healthevent.generatedtimestamp.seconds": 1}, + "output": { + "burstId": { + "$sum": { + "$cond": { + "if": {"$eq": ["$prevTimestamp", null]}, + "then": 1, + "else": { + "$cond": { + "if": { + "$and": [ + "$isStickyXid", + "$stickyXidWithin3Hours" + ] + }, + "then": 0, + "else": { + "$cond": { + "if": {"$gt": [{"$subtract": ["$healthevent.generatedtimestamp.seconds", "$prevTimestamp"]}, 15]}, + "then": 1, + "else": 0 + } + } + } + } + } + }, + "window": {"documents": ["unbounded", "current"]} + } + } + } + } + ''', + ''' + { + "$addFields": { + "gpcValue": { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, "cond": {"$eq": ["$$this.entitytype", "GPC"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + }, + "tpcValue": { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, "cond": {"$eq": ["$$this.entitytype", "TPC"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$match": { + "$and": [ + {"gpcValue": {"$ne": null}}, + {"tpcValue": {"$ne": null}} + ] + } + } + ''', + ''' + { + "$group": { + "_id": {"burstId": "$burstId"}, + "uniqueXidsInBurst": {"$addToSet": {"$arrayElemAt": ["$healthevent.errorcode", 0]}}, + "targetXidCount": { + "$sum": { + "$cond": [ + { + "$and": [ + {"$eq": [{"$arrayElemAt": ["$healthevent.errorcode", 0]}, "this.healthevent.errorcode.0"]}, + {"$eq": ["$gpcValue", { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": "this.healthevent.entitiesimpacted", "cond": {"$eq": ["$$this.entitytype", "GPC"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + }]}, + {"$eq": ["$tpcValue", { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": "this.healthevent.entitiesimpacted", "cond": {"$eq": ["$$this.entitytype", "TPC"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + }]} + ] + }, + 1, + 0 + ] + } + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"_id.burstId": 1}, + "output": {"maxBurstId": {"$max": "$_id.burstId"}} + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + {"$in": ["this.healthevent.errorcode.0", "$uniqueXidsInBurst"]}, + {"$gt": ["$targetXidCount", 0]}, + { + "$or": [ + {"$ne": ["$_id.burstId", "$maxBurstId"]}, + {"$gte": ["$targetXidCount", 1]} + ] + } + ] + } + } + } + ''', + ''' + { + "$group": { + "_id": null, + "count": {"$sum": 1}, + "bursts": {"$push": {"burstId": "$_id.burstId", "uniqueXids": "$uniqueXidsInBurst"}} + } + } + ''', + '{"$match": {"count": {"$gte": 2}}}' + ] + + [[rules]] + name = "RepeatedXID13OnDifferentGPCAndTPC" + description = "Detect if XID 13 occurred 2 or more times on different GPC and TPC combinations within 24 hours" + message = "App passing bad data or using incorrect GPU methods; check error PID to identify source of the problem, if application is known good and problem persists, then contact support" + recommended_action = "NONE" + evaluate_rule = {{ .Values.enableRepeatedXID13OnDifferentGPCAndTPCRule }} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "13" + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "healthevent.errorcode": "this.healthevent.errorcode.0", + "$expr": { + "$gt": [ + { + "$size": { + "$setIntersection": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + } + ] + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$addFields": { + "gpcTpcCombination": { + "$let": { + "vars": { + "gpc": { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, "cond": {"$eq": ["$$this.entitytype", "GPC"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + }, + "tpc": { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, "cond": {"$eq": ["$$this.entitytype", "TPC"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + }, + "in": { + "$cond": [ + {"$and": [{"$ne": ["$$gpc", null]}, {"$ne": ["$$tpc", null]}]}, + {"$concat": ["GPC:", "$$gpc", "-TPC:", "$$tpc"]}, + null + ] + } + } + } + } + } + ''', + ''' + { + "$match": { + "gpcTpcCombination": {"$ne": null} + } + } + ''', + ''' + { + "$group": { + "_id": null, + "uniqueGPCAndTPCCombinations": {"$addToSet": "$gpcTpcCombination"} + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$gte": [{"$size": "$uniqueGPCAndTPCCombinations"}, 2] + } + } + } + ''' + ] + + [[rules]] + name = "XIDErrorSoloNoBurst" + description = "Detect if XID error occurred only once in the last burst within 24 hours time window" + message = "App passing bad data or using incorrect GPU methods; check error PID to identify source of the problem, if application is known good and problem persists, then contact support" + recommended_action = "NONE" + evaluate_rule = {{ .Values.enableXIDErrorSoloNoBurstRule }} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$in": [ + "this.healthevent.errorcode.0", + ["13", "31"] + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "$expr": { + "$gt": [ + { + "$size": { + "$setIntersection": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + } + ] + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"healthevent.generatedtimestamp.seconds": 1}, + "output": { + "prevTimestamp": { + "$shift": { + "output": "$healthevent.generatedtimestamp.seconds", + "by": -1 + } + } + } + } + } + ''', + ''' + { + "$addFields": { + "isStickyXid": { + "$in": [ + {"$arrayElemAt": ["$healthevent.errorcode", 0]}, + ["74", "79", "95", "109", "119"] + ] + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"healthevent.generatedtimestamp.seconds": 1}, + "output": { + "allPreviousEvents": { + "$push": "$$ROOT", + "window": {"documents": ["unbounded", -1]} + } + } + } + } + ''', + ''' + { + "$addFields": { + "stickyXidWithin3Hours": { + "$cond": { + "if": "$isStickyXid", + "then": { + "$anyElementTrue": { + "$map": { + "input": "$allPreviousEvents", + "as": "prevEvent", + "in": { + "$and": [ + { + "$in": [ + {"$arrayElemAt": ["$$prevEvent.healthevent.errorcode", 0]}, + ["74", "79", "95", "109", "119"] + ] + }, + {"$lte": [{"$subtract": ["$healthevent.generatedtimestamp.seconds", "$$prevEvent.healthevent.generatedtimestamp.seconds"]}, 10800]} + ] + } + } + } + }, + "else": false + } + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"healthevent.generatedtimestamp.seconds": 1}, + "output": { + "burstId": { + "$sum": { + "$cond": { + "if": {"$eq": ["$prevTimestamp", null]}, + "then": 1, + "else": { + "$cond": { + "if": { + "$and": [ + "$isStickyXid", + "$stickyXidWithin3Hours" + ] + }, + "then": 0, + "else": { + "$cond": { + "if": {"$gt": [{"$subtract": ["$healthevent.generatedtimestamp.seconds", "$prevTimestamp"]}, 180]}, + "then": 1, + "else": 0 + } + } + } + } + } + }, + "window": {"documents": ["unbounded", "current"]} + } + } + } + } + ''', + ''' + { + "$group": { + "_id": {"burstId": "$burstId"}, + "targetXidCount": { + "$sum": { + "$cond": [ + {"$eq": [{"$arrayElemAt": ["$healthevent.errorcode", 0]}, "this.healthevent.errorcode.0"]}, + 1, + 0 + ] + } + } + } + } + ''', + ''' + { + "$setWindowFields": { + "sortBy": {"_id.burstId": 1}, + "output": {"maxBurstId": {"$max": "$_id.burstId"}} + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + {"$eq": ["$_id.burstId", "$maxBurstId"]}, + {"$eq": ["$targetXidCount", 1]} + ] + } + } + } + ''' + ] + + [[rules]] + name = "XID74Reg0SoloNVLinkError" + description = "Detect if XID 74 occurred with register 0 bits 1 or 20 set with no other active errors in the last 24 hours" + recommended_action = "CONTACT_SUPPORT" + message = "one of the bits (1 or 20) is set in register 0, unexpected error please open an NVBug" + evaluate_rule = {{.Values.enableXID74Reg0SoloNVLinkErrorRule}} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$in": [ + "this.healthevent.errorcode.0", + ["74"] + ] + } + } + } + ''', + ''' + { + "$addFields": { + "registers": { + "$arrayToObject": { + "$map": { + "input": { + "$filter": { + "input": "$healthevent.entitiesimpacted", + "cond": { + "$in": ["$$this.entitytype", ["REG0", "REG1", "REG2", "REG3", "REG4", "REG5", "REG6"]] + } + } + }, + "as": "reg", + "in": { + "k": "$$reg.entitytype", + "v": "$$reg.entityvalue" + } + } + } + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$or": [ + {"$eq": ["$registers.REG0", "00000000000000000000000000000010"]}, + {"$eq": ["$registers.REG0", "00000000000100000000000000000000"]} + ] + }, + {"$eq": ["$registers.REG1", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG2", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG3", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG5", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG6", "00000000000000000000000000000000"]} + ] + } + } + } + ''', + ''' + { + "$lookup": { + "from": "HealthEvents", + "let": { + "currentEventId": "$_id", + "currentNodeName": "$healthevent.nodename", + "gpuUuid": { + "$arrayElemAt": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + }, + "pipeline": [ + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": [{"$divide": [{"$toLong": "$$NOW"}, 1000]}, 86400]} + ] + }, + {"$ne": ["$_id", "$$currentEventId"]}, + {"$eq": ["$healthevent.nodename", "$$currentNodeName"]}, + {"$ne": [{"$arrayElemAt": ["$healthevent.errorcode", 0]}, "74"]}, + { + "$gt": [ + { + "$size": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": { + "$and": [ + {"$eq": ["$$this.entitytype", "GPU_UUID"]}, + {"$eq": ["$$this.entityvalue", "$$gpuUuid"]} + ] + } + } + } + }, + 0 + ] + } + ] + } + } + }, + { + "$sort": { + "healthevent.generatedtimestamp.seconds": -1 + } + }, + { + "$group": { + "_id": { + "$arrayElemAt": ["$healthevent.errorcode", 0] + }, + "mostRecentEvent": { + "$first": { + "id": "$_id", + "isHealthy": {"$ifNull": ["$healthevent.ishealthy", false]}, + "timestamp": "$healthevent.generatedtimestamp.seconds" + } + } + } + }, + { + "$match": { + "mostRecentEvent.isHealthy": false + } + } + ], + "as": "otherXidEvents" + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [{"$size": "$otherXidEvents"}, 0] + } + } + } + ''' + ] + + [[rules]] + name = "XID74Reg0ECCParityError" + description = "Detect if XID 74 with bits 4 or 5 set occurred 2 or more times on the same NVLink and GPU within last 24 hours" + recommended_action = "CONTACT_SUPPORT" + message = "one of the bits (4 or 5) is set in register 0 and its repeating on same NVLink and GPU, likely a HW issue with ECC/Parity" + evaluate_rule = {{.Values.enableXID74Reg0ECCParityErrorRule}} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "74" + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "$expr": { + "$gt": [ + { + "$size": { + "$setIntersection": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + } + ] + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$addFields": { + "registers": { + "$arrayToObject": { + "$map": { + "input": { + "$filter": { + "input": "$healthevent.entitiesimpacted", + "cond": { + "$in": ["$$this.entitytype", ["REG0", "REG1", "REG2", "REG3", "REG4", "REG5", "REG6"]] + } + } + }, + "as": "reg", + "in": { + "k": "$$reg.entitytype", + "v": "$$reg.entityvalue" + } + } + } + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$or": [ + {"$eq": ["$registers.REG0", "00000000000000000000000000010000"]}, + {"$eq": ["$registers.REG0", "00000000000000000000000000100000"]} + ] + }, + {"$eq": ["$registers.REG1", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG2", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG3", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG5", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG6", "00000000000000000000000000000000"]} + ] + } + } + } + ''', + ''' + { + "$addFields": { + "nvlinkValue": { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, "cond": {"$eq": ["$$this.entitytype", "NVLINK"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "$nvlinkValue", + { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": "this.healthevent.entitiesimpacted", "cond": {"$eq": ["$$this.entitytype", "NVLINK"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + ] + } + } + } + ''', + '{"$count": "count"}', + '{"$match": {"count": {"$gte": 2}}}' + ] + + [[rules]] + name = "RepeatedXID74Reg0HardwareIssue" + description = "Detect if XID 74 with register 0 bits (8, 9, 12, 16, 17, 24 or 28) set occurred 2 or more times on same GPU within last 24 hours" + recommended_action = "CONTACT_SUPPORT" + message = "one of the bits (8, 9, 12, 16, 17, 24 or 28) is set in register 0 and its repeating on same GPU, could be a hardware issue, request to check link mechanical connections and run field diagnosis if issue persists" + evaluate_rule = {{.Values.enableRepeatedXID74Reg0HardwareIssueRule}} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "74" + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "$expr": { + "$gt": [ + { + "$size": { + "$setIntersection": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + } + ] + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$addFields": { + "registers": { + "$arrayToObject": { + "$map": { + "input": { + "$filter": { + "input": "$healthevent.entitiesimpacted", + "cond": { + "$in": ["$$this.entitytype", ["REG0", "REG1", "REG2", "REG3", "REG4", "REG5", "REG6"]] + } + } + }, + "as": "reg", + "in": { + "k": "$$reg.entitytype", + "v": "$$reg.entityvalue" + } + } + } + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$or": [ + {"$eq": ["$registers.REG0", "00000000000000000000000100000000"]}, + {"$eq": ["$registers.REG0", "00000000000000000000001000000000"]}, + {"$eq": ["$registers.REG0", "00000000000000000001000000000000"]}, + {"$eq": ["$registers.REG0", "00000000000000010000000000000000"]}, + {"$eq": ["$registers.REG0", "00000000000000100000000000000000"]}, + {"$eq": ["$registers.REG0", "00000001000000000000000000000000"]}, + {"$eq": ["$registers.REG0", "00010000000000000000000000000000"]} + ] + }, + {"$eq": ["$registers.REG1", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG2", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG3", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG5", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG6", "00000000000000000000000000000000"]} + ] + } + } + } + ''', + '{"$count": "count"}', + '{"$match": {"count": {"$gte": 2}}}' + ] + + [[rules]] + name = "XID74Reg0SignalIntegrityError" + description = "Detect if XID 74 with register 0 bits (21 or 22) set occurred with no other active errors in the last 24 hours" + recommended_action = "CONTACT_SUPPORT" + message = "one of the bits (21 or 22) is set in register 0, could be a marginal SI (signal integrity) issue, request to check link mechanical connections and run field diagnosis if issue persists" + evaluate_rule = {{.Values.enableXID74Reg0SignalIntegrityErrorRule}} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "74" + ] + } + } + } + ''', + ''' + { + "$addFields": { + "registers": { + "$arrayToObject": { + "$map": { + "input": { + "$filter": { + "input": "$healthevent.entitiesimpacted", + "cond": { + "$in": ["$$this.entitytype", ["REG0", "REG1", "REG2", "REG3", "REG4", "REG5", "REG6"]] + } + } + }, + "as": "reg", + "in": { + "k": "$$reg.entitytype", + "v": "$$reg.entityvalue" + } + } + } + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$or": [ + {"$eq": ["$registers.REG0", "00000000001000000000000000000000"]}, + {"$eq": ["$registers.REG0", "00000000010000000000000000000000"]} + ] + }, + {"$eq": ["$registers.REG1", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG2", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG3", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG5", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG6", "00000000000000000000000000000000"]} + ] + } + } + } + ''', + ''' + { + "$lookup": { + "from": "HealthEvents", + "let": { + "currentEventId": "$_id", + "currentNodeName": "$healthevent.nodename", + "gpuUuid": { + "$arrayElemAt": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + }, + "pipeline": [ + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": [{"$divide": [{"$toLong": "$$NOW"}, 1000]}, 86400]} + ] + }, + {"$ne": ["$_id", "$$currentEventId"]}, + {"$eq": ["$healthevent.nodename", "$$currentNodeName"]}, + {"$ne": [{"$arrayElemAt": ["$healthevent.errorcode", 0]}, "74"]}, + { + "$gt": [ + { + "$size": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": { + "$and": [ + {"$eq": ["$$this.entitytype", "GPU_UUID"]}, + {"$eq": ["$$this.entityvalue", "$$gpuUuid"]} + ] + } + } + } + }, + 0 + ] + } + ] + } + } + }, + { + "$sort": { + "healthevent.generatedtimestamp.seconds": -1 + } + }, + { + "$group": { + "_id": { + "$arrayElemAt": ["$healthevent.errorcode", 0] + }, + "mostRecentEvent": { + "$first": { + "id": "$_id", + "isHealthy": {"$ifNull": ["$healthevent.ishealthy", false]}, + "timestamp": "$healthevent.generatedtimestamp.seconds" + } + } + } + }, + { + "$match": { + "mostRecentEvent.isHealthy": false + } + } + ], + "as": "otherXidEvents" + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [{"$size": "$otherXidEvents"}, 0] + } + } + } + ''' + ] + + [[rules]] + name = "XID74Reg0Bit27Or29Set" + description = "Detect if XID 74 with register 0 bits (27 or 29) set occurred 2 or more times on same GPU within last 24 hours" + recommended_action = "CONTACT_SUPPORT" + message = "one of the bits (27 or 29) is set in register 0 and its repeating on same GPU, unexpected error please open NVBug" + evaluate_rule = {{.Values.enableXID74Reg0Bit27Or29SetRule}} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "74" + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "$expr": { + "$gt": [ + { + "$size": { + "$setIntersection": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + } + ] + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$addFields": { + "registers": { + "$arrayToObject": { + "$map": { + "input": { + "$filter": { + "input": "$healthevent.entitiesimpacted", + "cond": { + "$in": ["$$this.entitytype", ["REG0", "REG1", "REG2", "REG3", "REG4", "REG5", "REG6"]] + } + } + }, + "as": "reg", + "in": { + "k": "$$reg.entitytype", + "v": "$$reg.entityvalue" + } + } + } + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$or": [ + {"$eq": ["$registers.REG0", "00001000000000000000000000000000"]}, + {"$eq": ["$registers.REG0", "00100000000000000000000000000000"]} + ] + }, + {"$eq": ["$registers.REG1", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG2", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG3", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG5", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG6", "00000000000000000000000000000000"]} + ] + } + } + } + ''', + '{"$count": "count"}', + '{"$match": {"count": {"$gte": 2}}}' + ] + + [[rules]] + name = "RepeatedXID74Reg2HardwareIssue" + description = "Detect if XID 74 with register 2 bits (0, 1, 2 or 6) set occurred 2 or more times on same NVLink and same GPU within last 24 hours" + recommended_action = "CONTACT_SUPPORT" + message = "one of the bits (0, 1, 2 or 6) is set in register 2 and its repeating on same NVLink and GPU, likely a HW issue with ECC/Parity" + evaluate_rule = {{.Values.enableRepeatedXID74Reg2HardwareIssueRule}} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "74" + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "$expr": { + "$gt": [ + { + "$size": { + "$setIntersection": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + } + ] + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$addFields": { + "registers": { + "$arrayToObject": { + "$map": { + "input": { + "$filter": { + "input": "$healthevent.entitiesimpacted", + "cond": { + "$in": ["$$this.entitytype", ["REG0", "REG1", "REG2", "REG3", "REG4", "REG5", "REG6"]] + } + } + }, + "as": "reg", + "in": { + "k": "$$reg.entitytype", + "v": "$$reg.entityvalue" + } + } + } + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$or": [ + {"$eq": ["$registers.REG2", "00000000000000000000000000000001"]}, + {"$eq": ["$registers.REG2", "00000000000000000000000000000010"]}, + {"$eq": ["$registers.REG2", "00000000000000000000000000000100"]}, + {"$eq": ["$registers.REG2", "00000000000000000000000001000000"]} + ] + }, + {"$eq": ["$registers.REG0", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG1", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG3", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG5", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG6", "00000000000000000000000000000000"]} + ] + } + } + } + ''', + ''' + { + "$addFields": { + "nvlinkValue": { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, "cond": {"$eq": ["$$this.entitytype", "NVLINK"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "$nvlinkValue", + { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": "this.healthevent.entitiesimpacted", "cond": {"$eq": ["$$this.entitytype", "NVLINK"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + ] + } + } + } + ''', + '{"$count": "count"}', + '{"$match": {"count": {"$gte": 2}}}' + ] + + [[rules]] + name = "XID74Reg2Bit13Set" + description = "Detect if XID 74 with register 2 and bit 13 set occurred" + recommended_action = "CONTACT_SUPPORT" + message = "bit 13 is set in register 2, its an unexpected error please open an NVBug" + evaluate_rule = {{.Values.enableXID74Reg2Bit13SetRule}} + stage = [ + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "74" + ] + } + } + } + ''', + ''' + { + "$addFields": { + "registers": { + "$arrayToObject": { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": { + "$in": ["$$this.entitytype", ["REG0", "REG1", "REG2", "REG3", "REG4", "REG5", "REG6"]] + } + } + }, + "as": "reg", + "in": { + "k": "$$reg.entitytype", + "v": "$$reg.entityvalue" + } + } + } + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + {"$eq": ["$registers.REG0", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG1", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG2", "00000000000000000010000000000000"]}, + {"$eq": ["$registers.REG3", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG5", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG6", "00000000000000000000000000000000"]} + ] + } + } + } + ''', + ] + + [[rules]] + name = "RepeatedXID74Reg2Bit16Or19Set" + description = "Detect if XID 74 with register 2 and bits (16 or 19) set occurred 2 or more times on same GPU within last 24 hours" + recommended_action = "CONTACT_SUPPORT" + message = "one of the bits (16 or 19) is set in register 2 and its repeating on same GPU, request for field diagnosis" + evaluate_rule = {{.Values.enableRepeatedXID74Reg2Bit16Or19SetRule}} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "74" + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "$expr": { + "$gt": [ + { + "$size": { + "$setIntersection": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + } + ] + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$addFields": { + "registers": { + "$arrayToObject": { + "$map": { + "input": { + "$filter": { + "input": "$healthevent.entitiesimpacted", + "cond": { + "$in": ["$$this.entitytype", ["REG0", "REG1", "REG2", "REG3", "REG4", "REG5", "REG6"]] + } + } + }, + "as": "reg", + "in": { + "k": "$$reg.entitytype", + "v": "$$reg.entityvalue" + } + } + } + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$or": [ + {"$eq": ["$registers.REG2", "00000000000000010000000000000000"]}, + {"$eq": ["$registers.REG2", "00000000000010000000000000000000"]} + ] + }, + {"$eq": ["$registers.REG0", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG1", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG3", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG5", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG6", "00000000000000000000000000000000"]} + ] + } + } + } + ''', + '{"$count": "count"}', + '{"$match": {"count": {"$gte": 2}}}' + ] + + [[rules]] + name = "RepeatedXID74Reg2Bit17Or18Set" + description = "Detect if XID 74 with register 2 and bits (17 or 18) set occurred 2 or more times on same GPU within last 24 hours" + recommended_action = "CONTACT_SUPPORT" + message = "one of the bits (17 or 18) is set in register 2 and its repeating on same GPU, request for field diagnosis" + evaluate_rule = {{.Values.enableRepeatedXID74Reg2Bit17Or18SetRule}} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "74" + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "$expr": { + "$gt": [ + { + "$size": { + "$setIntersection": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + } + ] + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$addFields": { + "registers": { + "$arrayToObject": { + "$map": { + "input": { + "$filter": { + "input": "$healthevent.entitiesimpacted", + "cond": { + "$in": ["$$this.entitytype", ["REG0", "REG1", "REG2", "REG3", "REG4", "REG5", "REG6"]] + } + } + }, + "as": "reg", + "in": { + "k": "$$reg.entitytype", + "v": "$$reg.entityvalue" + } + } + } + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$or": [ + {"$eq": ["$registers.REG2", "00000000000000100000000000000000"]}, + {"$eq": ["$registers.REG2", "00000000000001000000000000000000"]} + ] + }, + {"$eq": ["$registers.REG0", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG1", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG3", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG5", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG6", "00000000000000000000000000000000"]} + ] + } + } + } + ''', + '{"$count": "count"}', + '{"$match": {"count": {"$gte": 2}}}' + ] + + [[rules]] + name = "XID74Reg3UnexpectedError" + description = "Detect if XID 74 with register 3 and bits (16 or 17) set occurred with no other active errors in the last 24 hours" + recommended_action = "CONTACT_SUPPORT" + message = "one of the bits (16 or 17) is set in register 3, unexpected error please open an NVBug" + evaluate_rule = {{.Values.enableXID74Reg3UnexpectedErrorRule}} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "74" + ] + } + } + } + ''', + ''' + { + "$addFields": { + "registers": { + "$arrayToObject": { + "$map": { + "input": { + "$filter": { + "input": "$healthevent.entitiesimpacted", + "cond": { + "$in": ["$$this.entitytype", ["REG0", "REG1", "REG2", "REG3", "REG4", "REG5", "REG6"]] + } + } + }, + "as": "reg", + "in": { + "k": "$$reg.entitytype", + "v": "$$reg.entityvalue" + } + } + } + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$or": [ + {"$eq": ["$registers.REG3", "00000000000000010000000000000000"]}, + {"$eq": ["$registers.REG3", "00000000000000100000000000000000"]} + ] + }, + {"$eq": ["$registers.REG0", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG1", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG2", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG5", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG6", "00000000000000000000000000000000"]} + ] + } + } + } + ''', + ''' + { + "$lookup": { + "from": "HealthEvents", + "let": { + "currentEventId": "$_id", + "currentNodeName": "$healthevent.nodename", + "gpuUuid": { + "$arrayElemAt": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + }, + "pipeline": [ + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": [{"$divide": [{"$toLong": "$$NOW"}, 1000]}, 86400]} + ] + }, + {"$ne": ["$_id", "$$currentEventId"]}, + {"$eq": ["$healthevent.nodename", "$$currentNodeName"]}, + {"$ne": [{"$arrayElemAt": ["$healthevent.errorcode", 0]}, "74"]}, + { + "$gt": [ + { + "$size": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": { + "$and": [ + {"$eq": ["$$this.entitytype", "GPU_UUID"]}, + {"$eq": ["$$this.entityvalue", "$$gpuUuid"]} + ] + } + } + } + }, + 0 + ] + } + ] + } + } + }, + { + "$sort": { + "healthevent.generatedtimestamp.seconds": -1 + } + }, + { + "$group": { + "_id": { + "$arrayElemAt": ["$healthevent.errorcode", 0] + }, + "mostRecentEvent": { + "$first": { + "id": "$_id", + "isHealthy": {"$ifNull": ["$healthevent.ishealthy", false]}, + "timestamp": "$healthevent.generatedtimestamp.seconds" + } + } + } + }, + { + "$match": { + "mostRecentEvent.isHealthy": false + } + } + ], + "as": "otherXidEvents" + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [{"$size": "$otherXidEvents"}, 0] + } + } + } + ''' + ] + + [[rules]] + name = "XID74Reg3Bit18Set" + description = "Detect if XID 74 with bit 18 set on register 3 is occurred without any presence of any other error within last 24 hours" + recommended_action = "CONTACT_SUPPORT" + message = "bit 18 is set in register 3, reset of fabric is required" + evaluate_rule = {{.Values.enableXID74Reg3Bit18SetRule}} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "74" + ] + } + } + } + ''', + ''' + { + "$addFields": { + "registers": { + "$arrayToObject": { + "$map": { + "input": { + "$filter": { + "input": "$healthevent.entitiesimpacted", + "cond": { + "$in": ["$$this.entitytype", ["REG0", "REG1", "REG2", "REG3", "REG4", "REG5", "REG6"]] + } + } + }, + "as": "reg", + "in": { + "k": "$$reg.entitytype", + "v": "$$reg.entityvalue" + } + } + } + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + {"$eq": ["$registers.REG0", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG1", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG2", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG3", "00000000000001000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG5", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG6", "00000000000000000000000000000000"]} + ] + } + } + } + ''', + ''' + { + "$lookup": { + "from": "HealthEvents", + "let": { + "currentEventId": "$_id", + "currentNodeName": "$healthevent.nodename", + "gpuUuid": { + "$arrayElemAt": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + }, + "pipeline": [ + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": [{"$divide": [{"$toLong": "$$NOW"}, 1000]}, 86400]} + ] + }, + {"$ne": ["$_id", "$$currentEventId"]}, + {"$eq": ["$healthevent.nodename", "$$currentNodeName"]}, + {"$ne": [{"$arrayElemAt": ["$healthevent.errorcode", 0]}, "74"]}, + { + "$gt": [ + { + "$size": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": { + "$and": [ + {"$eq": ["$$this.entitytype", "GPU_UUID"]}, + {"$eq": ["$$this.entityvalue", "$$gpuUuid"]} + ] + } + } + } + }, + 0 + ] + } + ] + } + } + }, + { + "$sort": { + "healthevent.generatedtimestamp.seconds": -1 + } + }, + { + "$group": { + "_id": { + "$arrayElemAt": ["$healthevent.errorcode", 0] + }, + "mostRecentEvent": { + "$first": { + "id": "$_id", + "isHealthy": {"$ifNull": ["$healthevent.ishealthy", false]}, + "timestamp": "$healthevent.generatedtimestamp.seconds" + } + } + } + }, + { + "$match": { + "mostRecentEvent.isHealthy": false + } + } + ], + "as": "otherXidEvents" + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [{"$size": "$otherXidEvents"}, 0] + } + } + } + ''' + ] + + [[rules]] + name = "XID74Reg4HardwareIssue" + description = "Detect if XID 74 with register 4 bits (18, 19, 21, 22, 24, 25, 27, 28) set occurred 2 or more times on same NVLink and GPU within last 24 hours" + recommended_action = "CONTACT_SUPPORT" + message = "one of the bits (18, 19, 21, 22, 24, 25, 27, 28) is set in register 4 and its repeating on same NVLink, likely a HW issue with ECC/Parity" + evaluate_rule = {{.Values.enableXID74Reg4HardwareIssueRule}} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "74" + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "$expr": { + "$gt": [ + { + "$size": { + "$setIntersection": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + } + ] + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$addFields": { + "registers": { + "$arrayToObject": { + "$map": { + "input": { + "$filter": { + "input": "$healthevent.entitiesimpacted", + "cond": { + "$in": ["$$this.entitytype", ["REG0", "REG1", "REG2", "REG3", "REG4", "REG5", "REG6"]] + } + } + }, + "as": "reg", + "in": { + "k": "$$reg.entitytype", + "v": "$$reg.entityvalue" + } + } + } + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$or": [ + {"$eq": ["$registers.REG4", "00000000000001000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000000010000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000001000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000010000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000001000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000010000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00001000000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00010000000000000000000000000000"]} + ] + }, + {"$eq": ["$registers.REG0", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG1", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG2", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG3", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG5", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG6", "00000000000000000000000000000000"]} + ] + } + } + } + ''', + ''' + { + "$addFields": { + "nvlinkValue": { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, "cond": {"$eq": ["$$this.entitytype", "NVLINK"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "$nvlinkValue", + { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": "this.healthevent.entitiesimpacted", "cond": {"$eq": ["$$this.entitytype", "NVLINK"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + ] + } + } + } + ''', + '{"$count": "count"}', + '{"$match": {"count": {"$gte": 2}}}' + ] + + [[rules]] + name = "XID74Reg4ECCError" + description = "Detect if XID 74 with register 4 bits (20, 23, 26, 29) set occurred 2 or more times on same NVLink and GPU within last 24 hours" + recommended_action = "NONE" + message = "one of the bits (20, 23, 26, 29) is set in register 4, request for field diagnosis if user jobs are interrupted or error occurs repeatedly" + evaluate_rule = {{.Values.enableXID74Reg4ECCErrorRule}} + stage = [ + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$gte": [ + "$healthevent.generatedtimestamp.seconds", + {"$subtract": ["this.healthevent.generatedtimestamp.seconds", 86400]} + ] + }, + { + "$lte": [ + "$healthevent.generatedtimestamp.seconds", + "this.healthevent.generatedtimestamp.seconds" + ] + } + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "this.healthevent.errorcode.0", + "74" + ] + } + } + } + ''', + ''' + { + "$match": { + "healthevent.ishealthy": false, + "healthevent.nodename": "this.healthevent.nodename", + "$expr": { + "$gt": [ + { + "$size": { + "$setIntersection": [ + { + "$map": { + "input": { + "$filter": { + "input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + }, + { + "$map": { + "input": { + "$filter": { + "input": "this.healthevent.entitiesimpacted", + "cond": {"$eq": ["$$this.entitytype", "GPU_UUID"]} + } + }, + "in": "$$this.entityvalue" + } + } + ] + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$addFields": { + "registers": { + "$arrayToObject": { + "$map": { + "input": { + "$filter": { + "input": "$healthevent.entitiesimpacted", + "cond": { + "$in": ["$$this.entitytype", ["REG0", "REG1", "REG2", "REG3", "REG4", "REG5", "REG6"]] + } + } + }, + "as": "reg", + "in": { + "k": "$$reg.entitytype", + "v": "$$reg.entityvalue" + } + } + } + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$and": [ + { + "$or": [ + {"$eq": ["$registers.REG4", "00000000000100000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000000100000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00000100000000000000000000000000"]}, + {"$eq": ["$registers.REG4", "00100000000000000000000000000000"]} + ] + }, + {"$eq": ["$registers.REG0", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG1", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG2", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG3", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG5", "00000000000000000000000000000000"]}, + {"$eq": ["$registers.REG6", "00000000000000000000000000000000"]} + ] + } + } + } + ''', + ''' + { + "$addFields": { + "nvlinkValue": { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": {"$ifNull": ["$healthevent.entitiesimpacted", []]}, "cond": {"$eq": ["$$this.entitytype", "NVLINK"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + } + } + ''', + ''' + { + "$match": { + "$expr": { + "$eq": [ + "$nvlinkValue", + { + "$arrayElemAt": [ + { + "$map": { + "input": {"$filter": {"input": "this.healthevent.entitiesimpacted", "cond": {"$eq": ["$$this.entitytype", "NVLINK"]}}}, + "in": "$$this.entityvalue" + } + }, + 0 + ] + } + ] + } + } + } + ''', + '{"$count": "count"}', + '{"$match": {"count": {"$gte": 2}}}' + ] \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/Chart.yaml new file mode 100644 index 00000000..a951338c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.0.0 +description: Simple in-cluster nginx WebDAV file server for NVSentinel artifacts +name: incluster-file-server +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/templates/_helpers.tpl new file mode 100644 index 00000000..1db56bab --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/templates/_helpers.tpl @@ -0,0 +1,51 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "incluster-file-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "incluster-file-server.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "incluster-file-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "incluster-file-server.labels" -}} +helm.sh/chart: {{ include "incluster-file-server.chart" . }} +{{ include "incluster-file-server.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "incluster-file-server.selectorLabels" -}} +app.kubernetes.io/name: {{ include "incluster-file-server.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/templates/configmap-nginx.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/templates/configmap-nginx.yaml new file mode 100644 index 00000000..93e0067d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/templates/configmap-nginx.yaml @@ -0,0 +1,102 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "incluster-file-server.fullname" . }}-nginx-conf + labels: + {{- include "incluster-file-server.labels" . | nindent 4 }} +data: + default.conf: | + log_format fileserver_format '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time'; + + server { + listen 8080; + server_name _; + charset utf-8; + + access_log /var/log/nginx/access.log fileserver_format; + error_log /dev/stderr info; + + client_max_body_size 0; + + location = /healthz { + access_log off; + return 200; + } + + location / { + root /usr/share/nginx/html; + autoindex on; + autoindex_exact_size off; + autoindex_localtime on; + } + + location /upload/ { + root /usr/share/nginx/html; + client_max_body_size 0; + create_full_put_path on; + dav_methods PUT DELETE MKCOL; + dav_access user:rw group:rw all:r; + autoindex on; + autoindex_exact_size off; + autoindex_localtime on; + disable_symlinks if_not_owner from=/usr/share/nginx/html; + } + } + +{{- if .Values.metrics.enabled }} + log-exporter-config.yml: | + listen: + port: {{ .Values.metricsPort }} + namespaces: + - name: fileserver + format: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time' + source: + files: + - /var/log/nginx/access.log + labels: + app: "nvsentinel-file-server" + relabel_configs: + - target_label: method + from: request + split: 2 + - target_label: status_code + from: status + metrics: + - name: http_response_count_total + help: "Total number of HTTP responses" + type: counter + labels: + method: $method + status: $status + - name: http_request_duration_seconds + help: "Request duration in seconds" + type: histogram + field: $request_time + buckets: [0.001, 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0, 2.5, 5.0, 10.0] + labels: + method: $method + status: $status +{{- end }} +--- +{{- if .Values.logCleanup.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: file-server-log-cleanup-config +data: + LOG_RETENTION_DAYS: "{{ .Values.logCleanup.retentionDays }}" + LOG_CLEANUP_SLEEP_INTERVAL: "{{ .Values.logCleanup.sleepInterval }}" +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/templates/deployment.yaml new file mode 100644 index 00000000..43affabc --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/templates/deployment.yaml @@ -0,0 +1,203 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "incluster-file-server.fullname" . }} + labels: + {{- include "incluster-file-server.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + {{- include "incluster-file-server.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "incluster-file-server.selectorLabels" . | nindent 8 }} + spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml . | nindent 8 }} +{{- else }} +{{- with .Values.global }} +{{- with .imagePullSecrets }} + imagePullSecrets: +{{ toYaml . | nindent 8 }} +{{- end }} +{{- end }} +{{- end }} + securityContext: + fsGroup: {{ .Values.podSecurityContext.fsGroup }} + fsGroupChangePolicy: {{ .Values.podSecurityContext.fsGroupChangePolicy }} +{{- with (.Values.global.systemNodeSelector | default .Values.nodeSelector) }} + nodeSelector: +{{ toYaml . | nindent 8 }} +{{- end }} +{{- with (.Values.global.affinity | default .Values.affinity) }} + affinity: +{{ toYaml . | nindent 8 }} +{{- end }} +{{- with (.Values.global.systemNodeTolerations | default .Values.tolerations) }} + tolerations: +{{ toYaml . | nindent 8 }} +{{- end }} + initContainers: + - name: init-perms + image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}" + imagePullPolicy: {{ .Values.initImage.pullPolicy }} + command: ["sh", "-lc", "mkdir -p /usr/share/nginx/html/upload /var/cache/nginx /var/run /opt/bitnami/nginx/tmp/client_body /opt/bitnami/nginx/tmp/proxy /opt/bitnami/nginx/tmp/fastcgi /opt/bitnami/nginx/tmp/uwsgi /opt/bitnami/nginx/tmp/scgi && chmod -R 777 /usr/share/nginx/html/upload && chmod -R g+rwX /var/cache/nginx /opt/bitnami/nginx/tmp || true"] + volumeMounts: + - name: artifacts + mountPath: /usr/share/nginx/html + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-run + mountPath: /var/run + - name: nginx-tmp + mountPath: /opt/bitnami/nginx/tmp + containers: + - name: nginx + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + ports: + - name: http + containerPort: 8080 + securityContext: + runAsUser: {{ .Values.containerSecurityContext.runAsUser }} + runAsGroup: {{ .Values.containerSecurityContext.runAsGroup }} + allowPrivilegeEscalation: {{ .Values.containerSecurityContext.allowPrivilegeEscalation }} + readOnlyRootFilesystem: {{ .Values.containerSecurityContext.readOnlyRootFilesystem }} + volumeMounts: + - name: artifacts + mountPath: /usr/share/nginx/html + readOnly: false + - name: nginx-conf + mountPath: /etc/nginx/conf.d/default.conf + subPath: default.conf + # Also mount for Bitnami NGINX images, which read server blocks from this path + - name: nginx-conf + mountPath: /opt/bitnami/nginx/conf/server_blocks/file-server.conf + subPath: default.conf + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-run + mountPath: /var/run + - name: nginx-tmp + mountPath: /opt/bitnami/nginx/tmp + - name: nginx-logs + mountPath: /var/log/nginx +{{- if .Values.metrics.enabled }} + # HTTP metrics exporter + - name: nginx-log-exporter + image: "{{ .Values.metrics.image.repository }}:{{ .Values.metrics.image.tag }}" + imagePullPolicy: {{ .Values.metrics.image.pullPolicy }} + args: + - -config-file=/etc/prometheus-nginxlog-exporter/config.yml + ports: + - name: metrics + containerPort: {{ .Values.metricsPort }} + volumeMounts: + - name: nginx-logs + mountPath: /var/log/nginx + - name: nginx-conf + mountPath: /etc/prometheus-nginxlog-exporter/config.yml + subPath: log-exporter-config.yml + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 50m + memory: 64Mi +{{- end }} +{{- if .Values.logCleanup.enabled }} +{{- if lt (.Values.logCleanup.retentionDays | int) 1 }} +{{- fail "logCleanup.retentionDays must be at least 1 day to prevent accidental data loss" }} +{{- end }} + - name: log-cleanup + image: {{ .Values.cleanupMetrics.image.repository }}:{{ .Values.cleanupMetrics.image.tag | default .Values.global.image.tag | default "latest" }} + imagePullPolicy: {{ .Values.cleanupMetrics.image.pullPolicy }} + ports: + - name: cleanup-metrics + containerPort: {{ .Values.cleanupMetricsPort }} + env: + - name: CLEANUP_METRICS_PORT + value: "{{ .Values.cleanupMetricsPort }}" + - name: LOG_RETENTION_DAYS + value: "{{ .Values.logCleanup.retentionDays }}" + - name: LOG_CLEANUP_SLEEP_INTERVAL + value: "{{ .Values.logCleanup.sleepInterval }}" + - name: TARGET_DIRECTORY + value: "/usr/share/nginx/html" + volumeMounts: + - name: artifacts + mountPath: /usr/share/nginx/html + - name: nginx-logs + mountPath: /var/log/nginx + resources: + requests: + cpu: 10m + memory: 64Mi + limits: + cpu: 100m + memory: 128Mi +{{- end }} + volumes: + - name: artifacts +{{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ include "incluster-file-server.fullname" . }}-data +{{- else }} + emptyDir: {} +{{- end }} + - name: nginx-conf + configMap: + name: {{ include "incluster-file-server.fullname" . }}-nginx-conf + - name: nginx-cache + emptyDir: {} + - name: nginx-run + emptyDir: {} + - name: nginx-tmp + emptyDir: {} + - name: nginx-logs + emptyDir: {} +--- +{{- if .Values.persistence.enabled }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "incluster-file-server.fullname" . }}-data + labels: + {{- include "incluster-file-server.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + accessModes: +{{- range .Values.persistence.accessModes }} + - {{ . | quote }} +{{- end }} + resources: + requests: + storage: {{ .Values.persistence.size }} +{{- if .Values.persistence.storageClassName }} + storageClassName: {{ .Values.persistence.storageClassName | quote }} +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/templates/service.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/templates/service.yaml new file mode 100644 index 00000000..df7bcc8d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/templates/service.yaml @@ -0,0 +1,33 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: Service +metadata: + name: {{ include "incluster-file-server.fullname" . }} + labels: + {{- include "incluster-file-server.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + selector: + {{- include "incluster-file-server.selectorLabels" . | nindent 4 }} + ports: + - name: http + port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + - name: metrics + port: {{ .Values.metricsPort }} + targetPort: {{ .Values.metricsPort }} + - name: cleanup-metrics + port: {{ .Values.cleanupMetricsPort }} + targetPort: {{ .Values.cleanupMetricsPort }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/values.yaml new file mode 100644 index 00000000..d5201e74 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/incluster-file-server/values.yaml @@ -0,0 +1,72 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +image: + repository: docker.io/bitnamilegacy/nginx + tag: 1.27.2-debian-12-r2 + pullPolicy: IfNotPresent + +initImage: + repository: public.ecr.aws/docker/library/busybox + tag: "1.37.0" + pullPolicy: IfNotPresent + +# Metrics ports configuration +metricsPort: 9001 +cleanupMetricsPort: 9002 + +service: + type: ClusterIP + port: 80 + targetPort: 8080 + +persistence: + enabled: true + storageClassName: "" + accessModes: + - ReadWriteOnce + size: 50Gi + +resources: {} + +podSecurityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + +containerSecurityContext: + runAsUser: 1001 + runAsGroup: 1001 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + + +# Log cleanup - delete files older than X days +logCleanup: + enabled: true + retentionDays: 7 # Must be >= 1 day (validated to prevent data loss) + sleepInterval: 86400 # Sleep interval in seconds between cleanup cycles (default: 24 hours) + +# Metrics configuration +metrics: + enabled: true + image: + repository: quay.io/martinhelmich/prometheus-nginxlog-exporter + tag: "v1.10.0" + pullPolicy: IfNotPresent + +# Cleanup metrics container image +cleanupMetrics: + image: + repository: ghcr.io/nvidia/nvsentinel/file-server-cleanup + tag: "" + pullPolicy: IfNotPresent diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/Chart.yaml new file mode 100644 index 00000000..fba0368f --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v2 +description: Example provider for NVSentinel Janitor +name: janitor-provider +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/_helpers.tpl new file mode 100644 index 00000000..e43ceab3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "provider.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "provider.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "provider.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "provider.labels" -}} +helm.sh/chart: {{ include "provider.chart" . }} +{{ include "provider.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "provider.selectorLabels" -}} +app.kubernetes.io/name: {{ include "provider.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "provider.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "provider.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/certificate.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/certificate.yaml new file mode 100644 index 00000000..ad991c3c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/certificate.yaml @@ -0,0 +1,39 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if .Values.tls.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "provider.fullname" . }}-grpc-cert + labels: + {{- include "provider.labels" . | nindent 4 }} +spec: + secretName: {{ include "provider.fullname" . }}-grpc-cert + duration: 2160h # 90 days + renewBefore: 720h # 30 days + subject: + organizations: + - NVIDIA + commonName: {{ include "provider.fullname" . }}.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "provider.fullname" . }}.{{ .Release.Namespace }}.svc + - {{ include "provider.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + issuerRef: + name: {{ .Values.tls.issuerName }} + kind: Issuer + usages: + - digital signature + - key encipherment + - server auth +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/clusterrole.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/clusterrole.yaml new file mode 100644 index 00000000..e8013d98 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/clusterrole.yaml @@ -0,0 +1,36 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "provider.fullname" . }} + labels: + {{- include "provider.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + {{- if .Values.auth.enabled }} + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/clusterrolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..f8670376 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/clusterrolebinding.yaml @@ -0,0 +1,27 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "provider.fullname" . }} + labels: + {{- include "provider.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "provider.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "provider.fullname" . }} + namespace: {{ .Release.Namespace }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/deployment.yaml new file mode 100644 index 00000000..0a0aeafb --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/deployment.yaml @@ -0,0 +1,208 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "provider.fullname" . }} + labels: + {{- include "provider.labels" . | nindent 4}} + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "provider.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with ((.Values.global).podAnnotations | default .Values.podAnnotations) }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "provider.selectorLabels" . | nindent 8 }} + {{- if eq (.Values.csp.provider | default "kind") "azure" }} + {{- if .Values.csp.azure.clientId }} + # Azure Workload Identity label (required for pod identity) + azure.workload.identity/use: "true" + {{- end }} + {{- end }} + spec: + {{- with ((.Values.global).imagePullSecrets | default .Values.imagePullSecrets) }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "provider.serviceAccountName" . }} + containers: + - name: janitor-provider + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + ports: + - name: metrics + containerPort: {{ ((.Values.global).metricsPort) | default "2112" }} + - name: service + containerPort: {{ .Values.service.port | default "50051" }} + env: + - name: JANITOR_PROVIDER_PORT + value: {{ .Values.service.port | default 50051 | quote }} + - name: METRICS_PORT + value: {{ ((.Values.global).metricsPort) | default 2112 | quote }} + # Cloud Service Provider configuration + - name: CSP + value: {{ .Values.csp.provider | default "kind" | quote }} + {{- if eq (.Values.csp.provider | default "kind") "generic" }} + # Generic provider environment variables + - name: GENERIC_REBOOT_IMAGE + value: {{ .Values.csp.generic.rebootImage | quote }} + - name: GENERIC_REBOOT_JOB_NAMESPACE + value: {{ .Values.csp.generic.rebootJobNamespace | default .Release.Namespace | quote }} + - name: GENERIC_REBOOT_JOB_TTL + value: {{ .Values.csp.generic.rebootJobTTLSeconds | quote }} + {{- if .Values.csp.generic.imagePullSecrets }} + - name: GENERIC_REBOOT_IMAGE_PULL_SECRETS + value: {{ .Values.csp.generic.imagePullSecrets | quote }} + {{- end }} + {{- end }} + {{- if eq (.Values.csp.provider | default "kind") "aws" }} + # AWS-specific environment variables + {{- if .Values.csp.aws.region }} + - name: AWS_REGION + value: {{ .Values.csp.aws.region | quote }} + {{- end }} + {{- end }} + {{- if eq (.Values.csp.provider | default "kind") "gcp" }} + # GCP-specific environment variables + {{- if .Values.csp.gcp.project }} + - name: GCP_PROJECT + value: {{ .Values.csp.gcp.project | quote }} + {{- end }} + {{- if .Values.csp.gcp.zone }} + - name: GCP_ZONE + value: {{ .Values.csp.gcp.zone | quote }} + {{- end }} + {{- end }} + {{- if eq (.Values.csp.provider | default "kind") "azure" }} + # Azure-specific environment variables + {{- if .Values.csp.azure.subscriptionId }} + - name: AZURE_SUBSCRIPTION_ID + value: {{ .Values.csp.azure.subscriptionId | quote }} + {{- end }} + {{- if .Values.csp.azure.resourceGroup }} + - name: AZURE_RESOURCE_GROUP + value: {{ .Values.csp.azure.resourceGroup | quote }} + {{- end }} + {{- if .Values.csp.azure.location }} + - name: AZURE_LOCATION + value: {{ .Values.csp.azure.location | quote }} + {{- end }} + {{- end }} + {{- if eq (.Values.csp.provider | default "kind") "oci" }} + # OCI-specific environment variables + {{- if .Values.csp.oci.region }} + - name: OCI_REGION + value: {{ .Values.csp.oci.region | quote }} + {{- end }} + {{- if .Values.csp.oci.compartment }} + - name: OCI_COMPARTMENT + value: {{ .Values.csp.oci.compartment | quote }} + {{- end }} + {{- if .Values.csp.oci.credentialsFile }} + - name: OCI_CREDENTIALS_FILE + value: {{ .Values.csp.oci.credentialsFile | quote }} + {{- end }} + {{- if .Values.csp.oci.profile }} + - name: OCI_PROFILE + value: {{ .Values.csp.oci.profile | quote }} + {{- end }} + {{- end }} + {{- if eq (.Values.csp.provider | default "kind") "nebius" }} + # Nebius-specific environment variables + {{- if .Values.csp.nebius.serviceAccountKeySecret }} + # When using serviceAccountKeySecret, the key is mounted at /etc/nebius/sa-credentials.json + - name: NEBIUS_SA_KEY_FILE + value: "/etc/nebius/sa-credentials.json" + {{- else if .Values.csp.nebius.serviceAccountKeyFile }} + - name: NEBIUS_SA_KEY_FILE + value: {{ .Values.csp.nebius.serviceAccountKeyFile | quote }} + {{- end }} + {{- /* iamTokenSecretRef takes precedence over iamToken if both are set */}} + {{- if .Values.csp.nebius.iamTokenSecretRef }} + - name: NEBIUS_IAM_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.csp.nebius.iamTokenSecretRef.name }} + key: {{ .Values.csp.nebius.iamTokenSecretRef.key | default "token" }} + {{- else if .Values.csp.nebius.iamToken }} + - name: NEBIUS_IAM_TOKEN + value: {{ .Values.csp.nebius.iamToken | quote }} + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: TLS_CERT_PATH + value: "{{ .Values.tls.certDir }}/tls.crt" + - name: TLS_KEY_PATH + value: "{{ .Values.tls.certDir }}/tls.key" + {{- end }} + {{- if .Values.auth.enabled }} + - name: AUTH_AUDIENCES + value: {{ .Values.auth.audiences | join "," | quote }} + {{- end }} + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} + readinessProbe: + {{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if or .Values.tls.enabled (and (eq (.Values.csp.provider | default "kind") "nebius") .Values.csp.nebius.serviceAccountKeySecret) }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: tls-cert + mountPath: {{ .Values.tls.certDir }} + readOnly: true + {{- end }} + {{- if and (eq (.Values.csp.provider | default "kind") "nebius") .Values.csp.nebius.serviceAccountKeySecret }} + - name: nebius-sa-key + mountPath: /etc/nebius + readOnly: true + {{- end }} + {{- end }} + {{- if or .Values.tls.enabled (and (eq (.Values.csp.provider | default "kind") "nebius") .Values.csp.nebius.serviceAccountKeySecret) }} + volumes: + {{- if .Values.tls.enabled }} + - name: tls-cert + secret: + secretName: {{ include "provider.fullname" . }}-grpc-cert + defaultMode: 420 + {{- end }} + {{- if and (eq (.Values.csp.provider | default "kind") "nebius") .Values.csp.nebius.serviceAccountKeySecret }} + - name: nebius-sa-key + secret: + secretName: {{ .Values.csp.nebius.serviceAccountKeySecret }} + defaultMode: 420 + {{- end }} + {{- end }} + restartPolicy: Always + {{- with (((.Values.global).systemNodeSelector) | default .Values.nodeSelector) }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (((.Values.global).affinity) | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (((.Values.global).systemNodeTolerations) | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/networkpolicy.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/networkpolicy.yaml new file mode 100644 index 00000000..a5866759 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/networkpolicy.yaml @@ -0,0 +1,30 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "provider.fullname" . }}-allow-service-traffic + labels: + {{- include "provider.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "provider.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + - ports: + - port: {{ .Values.service.port | default 50051 }} + protocol: TCP + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/role.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/role.yaml new file mode 100644 index 00000000..8de081dc --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/role.yaml @@ -0,0 +1,39 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if eq (.Values.csp.provider | default "kind") "generic" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "provider.fullname" . }}-jobs + labels: + {{- include "provider.labels" . | nindent 4 }} +rules: + - apiGroups: + - "batch" + resources: + - jobs + verbs: + - create + - get + - list + - watch + - delete + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/rolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/rolebinding.yaml new file mode 100644 index 00000000..cf76f0bf --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/rolebinding.yaml @@ -0,0 +1,29 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if eq (.Values.csp.provider | default "kind") "generic" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "provider.fullname" . }}-jobs + labels: + {{- include "provider.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "provider.fullname" . }}-jobs +subjects: + - kind: ServiceAccount + name: {{ include "provider.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/service.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/service.yaml new file mode 100644 index 00000000..6f3576c2 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/service.yaml @@ -0,0 +1,30 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: Service +metadata: + name: {{ include "provider.fullname" . }} + labels: + {{- include "provider.labels" . | nindent 4}} +spec: + type: {{ .Values.service.type | default "ClusterIP" }} + selector: + {{- include "provider.selectorLabels" . | nindent 4 }} + ports: + - name: service + port: {{ .Values.service.port | default 50051 }} + targetPort: {{ .Values.service.port | default 50051 }} + - name: metrics + port: {{ ((.Values.global).metricsPort) | default 2112 }} + targetPort: {{ ((.Values.global).metricsPort) | default 2112 }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/serviceaccount.yaml new file mode 100644 index 00000000..ca920e55 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/templates/serviceaccount.yaml @@ -0,0 +1,49 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "provider.serviceAccountName" . }} + labels: + {{- include "provider.labels" . | nindent 4 }} + annotations: + {{- with .Values.serviceAccount.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if eq (.Values.csp.provider | default "kind") "aws" }} + {{- if and .Values.csp.aws.accountId .Values.csp.aws.iamRoleName }} + # AWS IRSA (IAM Roles for Service Accounts) annotation + eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.csp.aws.accountId }}:role/{{ .Values.csp.aws.iamRoleName }} + {{- end }} + {{- end }} + {{- if eq (.Values.csp.provider | default "kind") "gcp" }} + {{- if and .Values.csp.gcp.project .Values.csp.gcp.serviceAccount }} + # GCP Workload Identity annotation + iam.gke.io/gcp-service-account: {{ .Values.csp.gcp.serviceAccount }}@{{ .Values.csp.gcp.project }}.iam.gserviceaccount.com + {{- end }} + {{- end }} + {{- if eq (.Values.csp.provider | default "kind") "azure" }} + {{- if .Values.csp.azure.clientId }} + # Azure Workload Identity annotations + azure.workload.identity/client-id: {{ .Values.csp.azure.clientId | quote }} + azure.workload.identity/use: "true" + {{- end }} + {{- end }} + {{- if eq (.Values.csp.provider | default "kind") "oci" }} + {{- if and .Values.csp.oci.compartment .Values.csp.oci.principalId }} + # OCI Workload Identity annotations + oke.oraclecloud.com/compartment-ocid: {{ .Values.csp.oci.compartment | quote }} + oke.oraclecloud.com/principal-ocid: {{ .Values.csp.oci.principalId | quote }} + {{- end }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/values.yaml new file mode 100644 index 00000000..cbe25793 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor-provider/values.yaml @@ -0,0 +1,223 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +replicaCount: 1 + +# Image configuration +image: + repository: ghcr.io/nvidia/nvsentinel/janitor-provider + pullPolicy: IfNotPresent + tag: "" + +nameOverride: "" +fullnameOverride: "janitor-provider" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} +podLabels: {} + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +readinessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +service: + port: 50051 + +extraEnv: [] + +# gRPC TLS configuration for the provider server +tls: + # Enable TLS for the gRPC server + enabled: true + # Directory where the TLS cert and key are mounted + certDir: "/etc/nvsentinel/janitor-provider/tls" + # cert-manager Issuer name (uses the janitor's self-signed issuer by default) + issuerName: "janitor-selfsigned-issuer" + +# gRPC authentication configuration +# When enabled, the provider validates incoming requests using +# Kubernetes TokenReview API against projected SA tokens. +auth: + # Enable TokenReview-based authentication for incoming gRPC requests + enabled: true + # Audiences to validate in the TokenReview. + # Must match the audience configured on the janitor's projected SA token volume. + audiences: + - "nvsentinel-csp-provider" + +# Cloud Service Provider (CSP) Configuration +# The janitor-provider module supports multiple cloud providers for node reboot operations +# Configure the appropriate CSP for your environment +csp: + # CSP provider type (kind, kwok, aws, gcp, azure, oci, nebius, generic) + # - kind: For local development with kind clusters (simulated reboots) + # - kwok: For testing with kwok (simulated nodes) + # - aws: For AWS EKS clusters + # - gcp: For Google Cloud GKE clusters + # - azure: For Microsoft Azure AKS clusters + # - oci: For Oracle Cloud Infrastructure OKE clusters + # - nebius: For Nebius Managed Kubernetes (MK8s) clusters + # - generic: For bare-metal / on-premises clusters (reboots via privileged Job running chroot /host reboot) + provider: "kind" + + # Generic provider configuration (only used when provider=generic) + generic: + # Container image used for the reboot Job + rebootImage: "public.ecr.aws/docker/library/busybox:1.37.0" + # Namespace for reboot Jobs (defaults to the janitor-provider's namespace) + rebootJobNamespace: "" + # TTL in seconds for completed reboot Jobs (auto-cleanup) + rebootJobTTLSeconds: 3600 + # Comma-separated image pull secret names for the reboot Job (optional) + imagePullSecrets: "" + + # AWS-specific configuration (only required when provider=aws) + aws: + # AWS region where the EKS cluster is running + # This is required for EC2 API calls to reboot nodes + # Example: us-east-1, us-west-2, eu-west-1 + region: "" + # AWS Account ID (required for IRSA - IAM Roles for Service Accounts) + # Example: "123456789012" + accountId: "" + # IAM Role name for the janitor service account (IRSA) + # This role should have permissions to call EC2 RebootInstances + # Example: "eks-cluster-name-janitor" or "nvsentinel-janitor-role" + iamRoleName: "" + # Note: AWS credentials are typically provided via: + # - IAM roles for service accounts (IRSA) - RECOMMENDED for EKS + # Requires accountId and iamRoleName to be set + # The IAM role must have ec2:RebootInstances permission + + # Google Cloud Platform (GCP) specific configuration (only required when provider=gcp) + gcp: + # GCP project ID where the GKE cluster is running + # This is used for Compute Engine API calls + project: "" + # GCP zone where the GKE cluster nodes are located + # Example: us-central1-a, us-west1-b, europe-west1-c + zone: "" + # GCP Service Account email for Workload Identity (without @project.iam.gserviceaccount.com) + # Example: "nvsentinel-janitor" (will be formatted as nvsentinel-janitor@project-id.iam.gserviceaccount.com) + # This service account must have compute.instances.reset permission + serviceAccount: "" + # Note: GCP credentials are typically provided via: + # - Workload Identity - RECOMMENDED for GKE + # Requires project and serviceAccount to be set + # The GCP SA must have roles/compute.instanceAdmin.v1 or compute.instances.reset permission + # Must bind Kubernetes SA to GCP SA: gcloud iam service-accounts add-iam-policy-binding + + # Microsoft Azure specific configuration (only required when provider=azure) + azure: + # Azure subscription ID containing the AKS cluster + # Required for Azure Resource Manager API calls + subscriptionId: "" + # Azure resource group name containing the AKS cluster + # This can often be auto-detected from node provider IDs + resourceGroup: "" + # Azure region/location where the AKS cluster is deployed + # Example: eastus, westus2, westeurope + location: "" + # Azure Managed Identity Client ID for Workload Identity + # Example: "12345678-1234-1234-1234-123456789012" + # This managed identity must have Virtual Machine Contributor role or restart permission + clientId: "" + # Note: Azure credentials are typically provided via: + # - Managed Identity (Workload Identity) - RECOMMENDED for AKS + # Requires clientId to be set + # The managed identity must have Microsoft.Compute/virtualMachines/restart/action permission + # Must create federated identity credential for the Kubernetes service account + + # Oracle Cloud Infrastructure (OCI) specific configuration (only required when provider=oci) + oci: + # OCI region where the OKE cluster is running + # Example: us-ashburn-1, us-phoenix-1, uk-london-1 + region: "" + # OCI compartment OCID containing the cluster resources + # Format: ocid1.compartment.oc1..aaa... + compartment: "" + # Path to OCI credentials file (optional, uses workload identity by default) + credentialsFile: "" + # OCI profile name in credentials file (default: DEFAULT) + profile: "DEFAULT" + # OCI Principal OCID for Workload Identity + # Format: ocid1.principal.oc1..aaa... + # This is the OCID of the dynamic group or service principal + principalId: "" + # Note: OCI credentials are typically provided via: + # - OKE Workload Identity - RECOMMENDED for OKE (default) + # Requires compartment and principalId to be set + # The principal must have manage instance-family permission in compartment + # Must create dynamic group with matching rule for the pod + + # Nebius Managed Kubernetes (MK8s) specific configuration (only required when provider=nebius) + # Uses official Nebius Go SDK: github.com/nebius/gosdk + nebius: + # Path to service account key file (recommended for production) + # JSON format as documented at: https://github.com/nebius/gosdk#using-a-json-credentials-file + # Example: "/etc/nebius/sa-credentials.json" + # Set via NEBIUS_SA_KEY_FILE environment variable + serviceAccountKeyFile: "" + # Secret containing service account key (recommended for production with Kubernetes) + # The secret should contain the key file as 'sa-credentials.json' + # When set, automatically mounts at /etc/nebius and sets NEBIUS_SA_KEY_FILE + serviceAccountKeySecret: "" + # Direct IAM token (for testing only) + # Tokens expire and require manual refresh - not recommended for production + # Set via NEBIUS_IAM_TOKEN environment variable + # Obtain token: nebius iam get-access-token + iamToken: "" + # Reference to secret containing IAM token (alternative to iamToken value) + # Example: + # iamTokenSecretRef: + # name: nebius-janitor-token + # key: token + iamTokenSecretRef: {} + # Note: Nebius credentials are provided via environment variables: + # - NEBIUS_SA_KEY_FILE: Path to service account credentials JSON file (recommended) + # The service account must have compute.instances.stop and compute.instances.start permissions + # - NEBIUS_IAM_TOKEN: Direct IAM token (for testing only) diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/Chart.yaml new file mode 100644 index 00000000..470ab04a --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: A Helm chart for Kubernetes +name: janitor +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/crds/janitor.dgxc.nvidia.com_gpuresets.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/crds/janitor.dgxc.nvidia.com_gpuresets.yaml new file mode 100644 index 00000000..869472dc --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/crds/janitor.dgxc.nvidia.com_gpuresets.yaml @@ -0,0 +1,225 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.20.0 + name: gpuresets.janitor.dgxc.nvidia.com +spec: + group: janitor.dgxc.nvidia.com + names: + kind: GPUReset + listKind: GPUResetList + plural: gpuresets + singular: gpureset + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The target node for the GPU reset + jsonPath: .spec.nodeName + name: Node + type: string + - description: The current status of the reset + jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: GPUReset is the Schema for the gpuresets API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired behavior of the GPU reset operation. + properties: + nodeName: + description: NodeName identifies the node which contains the GPUs + to reset. + minLength: 1 + type: string + selector: + description: |- + Selector is used to target one or more specific devices to reset. + If this field is omitted or empty, all GPUs on the node will be reset. + properties: + pciBusIDs: + description: |- + PCIBusIDs is a list of GPU PCI bus IDs. + Format: "domain:bus:device.function" (e.g., "0000:01:00.0"). + items: + pattern: ^[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-9a-fA-F]{1}$ + type: string + type: array + uuids: + description: UUIDs is a list of GPU UUIDs. + items: + pattern: ^GPU-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$ + type: string + type: array + type: object + required: + - nodeName + type: object + status: + description: |- + Most recently observed status of the GPU reset operation. + This data may not be up to date. + Populated by the system. + Read-only. + properties: + completionTime: + description: RFC 3339 date and time at which the reset operation finished, + regardless of the outcome (success or failure). + format: date-time + type: string + conditions: + description: Conditions represent the latest available observations + of a reset operations state. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + jobRef: + description: JobRef is a reference to the job that will execute the + GPU reset operation. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + phase: + description: |- + The phase of a GPUReset is a simple, high-level summary of where the reset operation is in its lifecycle. + The conditions array, the reason and message fields, and the individual reset job contain + more detail about the reset status. + type: string + startTime: + description: RFC 3339 date and time at which the object was acknowledged + by the GPUReset controller. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/crds/janitor.dgxc.nvidia.com_rebootnodes.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/crds/janitor.dgxc.nvidia.com_rebootnodes.yaml new file mode 100644 index 00000000..ee1d70a0 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/crds/janitor.dgxc.nvidia.com_rebootnodes.yaml @@ -0,0 +1,153 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.20.0 + name: rebootnodes.janitor.dgxc.nvidia.com +spec: + group: janitor.dgxc.nvidia.com + names: + kind: RebootNode + listKind: RebootNodeList + plural: rebootnodes + singular: rebootnode + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .spec.force + name: Force + type: boolean + - jsonPath: .status.conditions[?(@.type=='NodeReady')].status + name: NodeReady + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RebootNode is the Schema for the rebootnodes API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: RebootNodeSpec defines the desired state of RebootNode + properties: + force: + default: false + description: Force indicates whether to force reboot the node + type: boolean + nodeName: + description: NodeName is the name of the node to reboot + type: string + required: + - force + - nodeName + type: object + status: + description: RebootNodeStatus defines the observed state of RebootNode + properties: + completionTime: + description: CompletionTime is the time when the reboot was completed + format: date-time + type: string + conditions: + description: Conditions represent the latest available observations + of an object's current state. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + startTime: + description: StartTime is the time when the reboot was initiated + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/crds/janitor.dgxc.nvidia.com_terminatenodes.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/crds/janitor.dgxc.nvidia.com_terminatenodes.yaml new file mode 100644 index 00000000..6d05e8a6 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/crds/janitor.dgxc.nvidia.com_terminatenodes.yaml @@ -0,0 +1,153 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.20.0 + name: terminatenodes.janitor.dgxc.nvidia.com +spec: + group: janitor.dgxc.nvidia.com + names: + kind: TerminateNode + listKind: TerminateNodeList + plural: terminatenodes + singular: terminatenode + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.nodeName + name: Node + type: string + - jsonPath: .spec.force + name: Force + type: boolean + - jsonPath: .status.conditions[?(@.type=='NodeTerminated')].status + name: NodeTerminated + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminateNode is the Schema for the terminatenodes API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TerminateNodeSpec defines the desired state of TerminateNode + properties: + force: + default: false + description: Force indicates whether to force terminate the node + type: boolean + nodeName: + description: NodeName is the name of the node to terminate + type: string + required: + - force + - nodeName + type: object + status: + description: TerminateNodeStatus defines the observed state of TerminateNode + properties: + completionTime: + description: CompletionTime is the time when the termination was completed + format: date-time + type: string + conditions: + description: Conditions represent the latest available observations + of an object's current state. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + startTime: + description: StartTime is the time when the termination was initiated + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/_helpers.tpl new file mode 100644 index 00000000..c8aac2d0 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "janitor.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "janitor.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "janitor.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "janitor.labels" -}} +helm.sh/chart: {{ include "janitor.chart" . }} +{{ include "janitor.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "janitor.selectorLabels" -}} +app.kubernetes.io/name: {{ include "janitor.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "janitor.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "janitor.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/certificate-metrics.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/certificate-metrics.yaml new file mode 100644 index 00000000..9d64703e --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/certificate-metrics.yaml @@ -0,0 +1,44 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if .Values.metrics.tls.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "janitor.fullname" . }}-metrics-cert + labels: + {{- include "janitor.labels" . | nindent 4 }} +spec: + secretName: {{ include "janitor.fullname" . }}-metrics-cert + duration: {{ .Values.metrics.tls.duration | default "2160h" }} # 90 days + renewBefore: {{ .Values.metrics.tls.renewBefore | default "720h" }} # 30 days + subject: + organizations: + - {{ .Values.metrics.tls.organization | default "NVIDIA" }} + commonName: {{ include "janitor.fullname" . }}.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "janitor.fullname" . }}.{{ .Release.Namespace }}.svc + - {{ include "janitor.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + issuerRef: + name: {{ .Values.metrics.tls.issuerName | default .Values.webhook.certIssuer }} + kind: {{ .Values.metrics.tls.issuerKind | default "Issuer" }} + {{- if .Values.metrics.tls.issuerGroup }} + group: {{ .Values.metrics.tls.issuerGroup }} + {{- end }} + usages: + - digital signature + - key encipherment + - server auth + - client auth +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/clusterrole.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/clusterrole.yaml new file mode 100644 index 00000000..1ce67a47 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/clusterrole.yaml @@ -0,0 +1,147 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "janitor.fullname" . }} + labels: + {{- include "janitor.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - patch + - update + - delete +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - patch +- apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch + - create + - delete + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - delete +- apiGroups: + - janitor.dgxc.nvidia.com + resources: + - rebootnodes + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - janitor.dgxc.nvidia.com + resources: + - rebootnodes/status + verbs: + - get + - update + - patch +- apiGroups: + - janitor.dgxc.nvidia.com + resources: + - rebootnodes/finalizers + verbs: + - update +- apiGroups: + - janitor.dgxc.nvidia.com + resources: + - terminatenodes + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - janitor.dgxc.nvidia.com + resources: + - terminatenodes/status + verbs: + - get + - update + - patch +- apiGroups: + - janitor.dgxc.nvidia.com + resources: + - terminatenodes/finalizers + verbs: + - update +- apiGroups: + - janitor.dgxc.nvidia.com + resources: + - gpuresets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - janitor.dgxc.nvidia.com + resources: + - gpuresets/status + verbs: + - get + - update + - patch +- apiGroups: + - janitor.dgxc.nvidia.com + resources: + - gpuresets/finalizers + verbs: + - update diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/clusterrolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..9e300bf3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/clusterrolebinding.yaml @@ -0,0 +1,28 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "janitor.fullname" . }} + labels: + {{- include "janitor.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "janitor.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "janitor.fullname" . }} + namespace: {{ .Release.Namespace }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/configmap.yaml new file mode 100644 index 00000000..e20a3109 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/configmap.yaml @@ -0,0 +1,101 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "janitor.fullname" . }} + labels: + {{- include "janitor.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + config.yaml: | + global: + timeout: {{ .Values.config.timeout | default "25m" }} + manualMode: {{ .Values.config.manualMode | default false }} + {{- if .Values.config.nodes.exclusions }} + nodes: + exclusions: + {{- range .Values.config.nodes.exclusions }} + - {{- if .matchLabels }} + matchLabels: + {{- range $key, $value := .matchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- if .matchExpressions }} + matchExpressions: + {{- range .matchExpressions }} + - key: {{ .key }} + operator: {{ .operator }} + {{- if .values }} + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + cspProviderHost: {{ .Values.config.cspProviderHost }} + {{- if and .Values.config.cspProvider .Values.config.cspProvider.tls .Values.config.cspProvider.tls.enabled }} + cspProviderCAPath: /etc/nvsentinel/janitor/csp-ca/ca.crt + {{- end }} + {{- if and .Values.config.cspProvider .Values.config.cspProvider.tls .Values.config.cspProvider.tls.insecure }} + cspProviderInsecure: true + {{- end }} + {{- if and .Values.config.cspProvider .Values.config.cspProvider.auth .Values.config.cspProvider.auth.enabled }} + cspProviderTokenPath: /var/run/secrets/nvsentinel/csp-provider/token + {{- end }} + + rebootNodeController: + enabled: {{ if (hasKey .Values.config.controllers.rebootNode "enabled") }}{{ .Values.config.controllers.rebootNode.enabled }}{{ else }}true{{ end }} + timeout: {{ .Values.config.controllers.rebootNode.timeout | default .Values.config.timeout | default "25m" }} + manualMode: {{ .Values.config.manualMode | default false }} + {{- if .Values.config.controllers.rebootNode.cspProviderHost }} + cspProviderHost: {{ .Values.config.controllers.rebootNode.cspProviderHost }} + {{- end }} + + terminateNodeController: + enabled: {{ if (hasKey .Values.config.controllers.terminateNode "enabled") }}{{ .Values.config.controllers.terminateNode.enabled }}{{ else }}true{{ end }} + timeout: {{ .Values.config.controllers.terminateNode.timeout | default .Values.config.timeout | default "25m" }} + manualMode: {{ .Values.config.manualMode | default false }} + {{- if .Values.config.controllers.terminateNode.cspProviderHost }} + cspProviderHost: {{ .Values.config.controllers.terminateNode.cspProviderHost }} + {{- end }} + + gpuResetController: + enabled: {{ if (hasKey .Values.config.controllers.gpuReset "enabled") }}{{ .Values.config.controllers.gpuReset.enabled }}{{ else }}true{{ end }} + timeout: {{ .Values.config.controllers.gpuReset.timeout | default .Values.config.timeout | default "25m" }} + manualMode: {{ .Values.config.manualMode | default false }} + {{- if .Values.config.controllers.gpuReset.cspProviderHost }} + cspProviderHost: {{ .Values.config.controllers.gpuReset.cspProviderHost }} + {{- end }} + {{- if .Values.config.controllers.gpuReset.resetJob }} + resetJob: + runtimeClassName: "{{ .Values.config.controllers.gpuReset.resetJob.runtimeClassName }}" + imageConfig: + image: "{{ .Values.config.controllers.gpuReset.resetJob.image.repository }}:{{ .Values.config.controllers.gpuReset.resetJob.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + {{- with (.Values.config.controllers.gpuReset.resetJob.image.imagePullSecrets | default (.Values.global).imagePullSecrets) }} + imagePullSecrets: + {{- toYaml . | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.config.controllers.gpuReset.resetJob.resources | nindent 10 }} + {{- end }} + {{- if .Values.config.controllers.gpuReset.serviceManager }} + serviceManager: + {{- toYaml .Values.config.controllers.gpuReset.serviceManager | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/deployment.yaml new file mode 100644 index 00000000..5ff62aa1 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/deployment.yaml @@ -0,0 +1,171 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "janitor.fullname" . }} + labels: + {{- include "janitor.labels" . | nindent 4}} + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "janitor.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + # Force pod restart when configmap changes + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with ((.Values.global).podAnnotations | default .Values.podAnnotations) }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "janitor.selectorLabels" . | nindent 8 }} + spec: + {{- with ((.Values.global).imagePullSecrets | default .Values.imagePullSecrets) }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "janitor.serviceAccountName" . }} + {{- if .Values.global.auditLogging.enabled }} + securityContext: + fsGroup: 65532 + {{- end }} + {{- if .Values.global.auditLogging.enabled }} + initContainers: + {{- include "nvsentinel.auditLogging.initContainer" . | nindent 8 }} + {{- end }} + containers: + - name: janitor + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - "--metrics-bind-address=:{{ ((.Values.global).metricsPort) | default 2112 }}" + - "--health-probe-bind-address=:8081" + - "--config=/etc/nvsentinel/janitor/config.yaml" + - "--webhook-cert-path={{ .Values.webhook.certDir }}" + - "--webhook-cert-name=tls.crt" + - "--webhook-cert-key=tls.key" + {{- if .Values.metrics.tls.enabled }} + - "--metrics-secure=true" + - "--metrics-cert-path={{ .Values.metrics.tls.certDir }}" + - "--metrics-cert-name=tls.crt" + - "--metrics-cert-key=tls.key" + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.envVars" . | nindent 12 }} + {{- end }} + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + ports: + - name: metrics + containerPort: {{ ((.Values.global).metricsPort) | default 2112 }} + - name: webhook + containerPort: {{ .Values.webhook.port }} + protocol: TCP + volumeMounts: + - name: config + mountPath: /etc/nvsentinel/janitor/config.yaml + subPath: config.yaml + readOnly: true + - name: webhook-certs + mountPath: {{ .Values.webhook.certDir }} + readOnly: true + {{- if .Values.metrics.tls.enabled }} + - name: metrics-certs + mountPath: {{ .Values.metrics.tls.certDir }} + readOnly: true + {{- end }} + {{- if and .Values.config.cspProvider .Values.config.cspProvider.tls .Values.config.cspProvider.tls.enabled }} + - name: csp-ca + mountPath: /etc/nvsentinel/janitor/csp-ca + readOnly: true + {{- end }} + {{- if and .Values.config.cspProvider .Values.config.cspProvider.auth .Values.config.cspProvider.auth.enabled }} + - name: csp-provider-token + mountPath: /var/run/secrets/nvsentinel/csp-provider + readOnly: true + {{- end }} + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.volumeMount" . | nindent 12 }} + {{- end }} + restartPolicy: Always + volumes: + - name: config + configMap: + name: {{ include "janitor.fullname" . }} + - name: webhook-certs + secret: + secretName: {{ include "janitor.fullname" . }}-webhook-cert + defaultMode: 420 + {{- if .Values.metrics.tls.enabled }} + - name: metrics-certs + secret: + secretName: {{ include "janitor.fullname" . }}-metrics-cert + items: + - key: ca.crt + path: ca.crt + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + defaultMode: 420 + {{- end }} + {{- if and .Values.config.cspProvider .Values.config.cspProvider.tls .Values.config.cspProvider.tls.enabled }} + - name: csp-ca + secret: + secretName: {{ .Values.config.cspProvider.tls.caSecretName }} + items: + - key: ca.crt + path: ca.crt + defaultMode: 420 + {{- end }} + {{- if and .Values.config.cspProvider .Values.config.cspProvider.auth .Values.config.cspProvider.auth.enabled }} + - name: csp-provider-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.config.cspProvider.auth.audience | quote }} + expirationSeconds: {{ .Values.config.cspProvider.auth.expirationSeconds | default 3600 }} + path: token + {{- end }} + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.volume" . | nindent 8 }} + {{- end }} + {{- with (((.Values.global).systemNodeSelector) | default .Values.nodeSelector) }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (((.Values.global).affinity) | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (((.Values.global).systemNodeTolerations) | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/issuer.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/issuer.yaml new file mode 100644 index 00000000..583a8391 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/issuer.yaml @@ -0,0 +1,24 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.webhook.certIssuer }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "janitor.labels" . | nindent 4 }} +spec: + selfSigned: {} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/networkpolicy.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/networkpolicy.yaml new file mode 100644 index 00000000..49189b8a --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/networkpolicy.yaml @@ -0,0 +1,51 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +# This NetworkPolicy allows ingress traffic to the webhook server. +# Webhook calls come from the Kubernetes API server, so we allow all namespaces. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "janitor.fullname" . }}-allow-webhook-traffic + labels: + {{- include "janitor.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "janitor.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + - ports: + - port: {{ .Values.webhook.port | default 9443 }} + protocol: TCP +--- +# This NetworkPolicy allows ingress traffic to the metrics endpoint. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "janitor.fullname" . }}-allow-metrics-traffic + labels: + {{- include "janitor.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "janitor.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + - ports: + - port: {{ ((.Values.global).metricsPort) | default 2112 }} + protocol: TCP + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/service.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/service.yaml new file mode 100644 index 00000000..c5a68c97 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/service.yaml @@ -0,0 +1,36 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: Service +metadata: + name: {{ include "janitor.fullname" . }} + labels: + {{- include "janitor.labels" . | nindent 4 }} +spec: + type: ClusterIP + selector: + {{- include "janitor.selectorLabels" . | nindent 4 }} + ports: + - name: metrics + port: {{ ((.Values.global).metricsPort) | default 8080 }} + targetPort: metrics + - name: webhook + port: {{ .Values.webhook.port }} + targetPort: webhook + protocol: TCP + - name: config + port: {{ .Values.config.httpPort | default 8082 }} + targetPort: config + protocol: TCP + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/serviceaccount.yaml new file mode 100644 index 00000000..0724c9d6 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/serviceaccount.yaml @@ -0,0 +1,23 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "janitor.serviceAccountName" . }} + labels: + {{- include "janitor.labels" . | nindent 4 }} + annotations: + {{- with .Values.serviceAccount.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/webhook.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/webhook.yaml new file mode 100644 index 00000000..43557cb2 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/templates/webhook.yaml @@ -0,0 +1,116 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "janitor.fullname" . }}-webhook-cert + namespace: {{ .Release.Namespace }} + labels: + {{- include "janitor.labels" . | nindent 4 }} +spec: + secretName: {{ include "janitor.fullname" . }}-webhook-cert + duration: 8760h # 1 year + renewBefore: 360h # 15 days before expiration + commonName: {{ include "janitor.fullname" . }}.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "janitor.fullname" . }} + - {{ include "janitor.fullname" . }}.{{ .Release.Namespace }} + - {{ include "janitor.fullname" . }}.{{ .Release.Namespace }}.svc + - {{ include "janitor.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + issuerRef: + name: {{ .Values.webhook.certIssuer | default "selfsigned-issuer" }} + kind: Issuer +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ include "janitor.fullname" . }}-validating-webhook + labels: + {{- include "janitor.labels" . | nindent 4 }} + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "janitor.fullname" . }}-webhook-cert +webhooks: + - name: vrebootnode-v1alpha1.kb.io + clientConfig: + service: + name: {{ include "janitor.fullname" . }} + namespace: {{ .Release.Namespace }} + path: /validate-janitor-dgxc-nvidia-com-v1alpha1-rebootnode + port: {{ .Values.webhook.port }} + rules: + - apiGroups: + - janitor.dgxc.nvidia.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - rebootnodes + scope: "*" + admissionReviewVersions: + - v1 + sideEffects: None + failurePolicy: Fail + timeoutSeconds: 10 + - name: vterminatenode-v1alpha1.kb.io + clientConfig: + service: + name: {{ include "janitor.fullname" . }} + namespace: {{ .Release.Namespace }} + path: /validate-janitor-dgxc-nvidia-com-v1alpha1-terminatenode + port: {{ .Values.webhook.port }} + rules: + - apiGroups: + - janitor.dgxc.nvidia.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - terminatenodes + scope: "*" + admissionReviewVersions: + - v1 + sideEffects: None + failurePolicy: Fail + timeoutSeconds: 10 + - name: vgpureset-v1alpha1.kb.io + clientConfig: + service: + name: {{ include "janitor.fullname" . }} + namespace: {{ .Release.Namespace }} + path: /validate-janitor-dgxc-nvidia-com-v1alpha1-gpureset + port: {{ .Values.webhook.port }} + rules: + - apiGroups: + - janitor.dgxc.nvidia.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - gpuresets + scope: "*" + admissionReviewVersions: + - v1 + sideEffects: None + failurePolicy: Fail + timeoutSeconds: 10 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/values.yaml new file mode 100644 index 00000000..e1692fab --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/janitor/values.yaml @@ -0,0 +1,211 @@ + +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +replicaCount: 1 + +# Image configuration +image: + repository: ghcr.io/nvidia/nvsentinel/janitor + pullPolicy: IfNotPresent + tag: "" + +nameOverride: "" +fullnameOverride: "janitor" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} +podLabels: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +livenessProbe: + httpGet: + path: / + port: http +readinessProbe: + httpGet: + path: / + port: http + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# Extra environment variables to add to the janitor container +# Example: +# extraEnv: +# - name: MY_VAR +# value: "my-value" +# - name: SECRET_VAR +# valueFrom: +# secretKeyRef: +# name: my-secret +# key: secret-key +extraEnv: [] + +config: + # Global timeout - used as default for controllers that don't specify their own timeout + # Should be set to a reasonable default that works for most operations + timeout: "25m" + # host where the provider is running + cspProviderHost: "janitor-provider.nvsentinel.svc.cluster.local:50051" + # CSP provider gRPC connection settings + cspProvider: + tls: + # Enable TLS for gRPC connection to CSP provider + enabled: true + # Name of the Secret containing the CA certificate (key: ca.crt). + # Defaults to the janitor-provider's cert secret name. + caSecretName: "janitor-provider-grpc-cert" + # Skip TLS verification (for local development only) + insecure: false + auth: + # Enable SA token authentication for gRPC connection to CSP provider + enabled: true + # Audience for the projected service account token. + # The provider validates this audience in TokenReview. + audience: "nvsentinel-csp-provider" + # Token expiration in seconds (default: 1 hour, K8s auto-rotates before expiry) + expirationSeconds: 3600 + # Manual mode - if true, controllers won't send actual reboot/terminate signals + manualMode: false + # HTTP endpoint port for exposing runtime configuration + httpPort: 8082 + # Node exclusions - nodes matching these label selectors will be excluded from janitor operations + nodes: + exclusions: [] + # Example: + # - matchLabels: + # node-role.kubernetes.io/control-plane: "" + # - matchExpressions: + # - key: app + # operator: In + # values: + # - critical + + # Controller-specific configuration + controllers: + # Reboot node controller configuration + rebootNode: + # Enable/disable the reboot node controller (default: true) + enabled: true + # Timeout for reboot operations (includes CSP API call + node recovery time) + # If not set or set to empty, defaults to config.timeout (25m) + # AWS/Azure/OCI: Typically 25m (includes 5min cooldown period) + # GCP: Can be shorter as operation status is tracked directly + # kind/kwok: Can be much shorter for testing (5m) + timeout: "25m" + + # Terminate node controller configuration + terminateNode: + # Enable/disable the terminate node controller (default: true) + enabled: true + # Timeout for terminate operations + # If not set or set to empty, defaults to config.timeout (25m) + timeout: "25m" + + # GPU reset controller configuration + gpuReset: + # Enable/disable the GPU reset controller (default: true) + enabled: true + timeout: "25m" + serviceManager: + name: "gpu-operator" + resetJob: + runtimeClassName: "nvidia" + # imagePullSecrets can be specified under image.imagePullSecrets, otherwise we will + # fall back to global.imagePullSecrets. + image: + repository: ghcr.io/nvidia/nvsentinel/gpu-reset + tag: "" + resources: + requests: + cpu: "50m" + memory: "64Mi" + limits: + cpu: "100m" + memory: "128Mi" + +# Webhook Configuration +webhook: + # Port for the webhook server + port: 9443 + # Directory containing webhook TLS certs + certDir: "/tmp/k8s-webhook-server/serving-certs" + # Cert-manager issuer to use for webhook certificate + # Janitor creates its own self-signed issuer + certIssuer: "janitor-selfsigned-issuer" + +# Metrics Configuration +metrics: + # TLS configuration for metrics server + tls: + # Enable TLS for metrics endpoint + enabled: false + # Directory containing metrics server TLS certs + certDir: "/tmp/k8s-metrics-server/metrics-certs" + # Cert-manager issuer name (defaults to webhook.certIssuer if not set) + issuerName: "" + # Cert-manager issuer kind (Issuer or ClusterIssuer) + issuerKind: "Issuer" + # Cert-manager issuer group (optional) + issuerGroup: "" + # Certificate duration (default: 90 days) + duration: "2160h" + # Certificate renewal time before expiry (default: 30 days) + renewBefore: "720h" + # Organization name for certificate subject + organization: "NVIDIA" diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/k8sdatastore-crds/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/k8sdatastore-crds/Chart.yaml new file mode 100644 index 00000000..d997a538 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/k8sdatastore-crds/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 0.1.0 +description: CRDs for k8sdatastore (HealthEventResource, etc) +name: k8sdatastore-crds +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/k8sdatastore-crds/crds/health_event.crd.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/k8sdatastore-crds/crds/health_event.crd.yaml new file mode 100644 index 00000000..e2bb32b6 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/k8sdatastore-crds/crds/health_event.crd.yaml @@ -0,0 +1,149 @@ +# Generated by protoc-gen-crd from health_event.proto + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: healtheventresources.healthevents.dgxc.nvidia.com + annotations: {} +spec: + group: healthevents.dgxc.nvidia.com + scope: Namespaced + names: + kind: HealthEventResource + listKind: HealthEventResourceList + plural: healtheventresources + singular: healtheventresource + shortNames: [] + categories: + - nvidia + - gpu + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + spec: + nullable: true + type: object + properties: + version: + type: integer + format: uint32 + agent: + type: string + componentClass: + type: string + checkName: + type: string + isFatal: + type: boolean + isHealthy: + type: boolean + message: + type: string + recommendedAction: + enum: + - 0 + - "NONE" + - 2 + - "COMPONENT_RESET" + - 5 + - "CONTACT_SUPPORT" + - 6 + - "RUN_FIELDDIAG" + - 15 + - "RESTART_VM" + - 24 + - "RESTART_BM" + - 25 + - "REPLACE_VM" + - 26 + - "RUN_DCGMEUD" + - 99 + - "UNKNOWN" + format: enum + x-kubernetes-int-or-string: true + errorCode: + type: array + items: + type: string + entitiesImpacted: + type: array + items: + nullable: true + type: object + properties: + entityType: + type: string + entityValue: + type: string + metadata: + type: object + additionalProperties: + type: string + generatedTimestamp: + type: string + format: RFC3339 + nodeName: + type: string + quarantineOverrides: + nullable: true + type: object + properties: + force: + type: boolean + skip: + type: boolean + drainOverrides: + nullable: true + type: object + properties: + force: + type: boolean + skip: + type: boolean + processingStrategy: + enum: + - 0 + - "UNSPECIFIED" + - 1 + - "EXECUTE_REMEDIATION" + - 2 + - "STORE_ONLY" + format: enum + x-kubernetes-int-or-string: true + id: + type: string + status: + nullable: true + type: object + properties: + nodeQuarantined: + type: string + quarantineFinishTimestamp: + type: string + format: RFC3339 + userPodsEvictionStatus: + nullable: true + type: object + properties: + status: + type: string + message: + type: string + drainFinishTimestamp: + type: string + format: RFC3339 + faultRemediated: + nullable: true + type: boolean + lastRemediationTimestamp: + type: string + format: RFC3339 + description: HealthEventResource is the root type for CRD generation. This will map to Kubernetes .spec and .status fields. + additionalPrinterColumns: [] diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/k8sdatastore-crds/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/k8sdatastore-crds/values.yaml new file mode 100644 index 00000000..f29648df --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/k8sdatastore-crds/values.yaml @@ -0,0 +1,17 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for k8s-datastore. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/Chart.yaml new file mode 100644 index 00000000..935f582e --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: Monitors Kubernetes objects and publishes health events based on CEL + policy predicates +name: kubernetes-object-monitor +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/_helpers.tpl new file mode 100644 index 00000000..e32104aa --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/_helpers.tpl @@ -0,0 +1,41 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-object-monitor.name" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "kubernetes-object-monitor.fullname" -}} +{{- "kubernetes-object-monitor" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-object-monitor.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kubernetes-object-monitor.labels" -}} +helm.sh/chart: {{ include "kubernetes-object-monitor.chart" . }} +{{ include "kubernetes-object-monitor.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kubernetes-object-monitor.selectorLabels" -}} +app.kubernetes.io/name: {{ include "kubernetes-object-monitor.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/clusterrole.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/clusterrole.yaml new file mode 100644 index 00000000..aeec8e71 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/clusterrole.yaml @@ -0,0 +1,65 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- $resourcesByGroup := dict }} +{{- range .Values.policies }} + {{- $group := .resource.group | default "" }} + {{- $kind := .resource.kind | lower }} + {{- $resource := printf "%ss" $kind }} + {{- $existing := index $resourcesByGroup $group | default list }} + {{- if not (has $resource $existing) }} + {{- $updated := append $existing $resource }} + {{- $_ := set $resourcesByGroup $group $updated }} + {{- end }} +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-object-monitor.fullname" . }} + labels: + {{- include "kubernetes-object-monitor.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - patch + - update + # This loop automatically generates rules for all resources defined in your policies. + {{- range $group, $resources := $resourcesByGroup }} + {{- /* Skip nodes in core group since we already added it above */}} + {{- $filteredResources := list }} + {{- range $resources }} + {{- if not (and (eq $group "") (eq . "nodes")) }} + {{- $filteredResources = append $filteredResources . }} + {{- end }} + {{- end }} + {{- if $filteredResources }} + - apiGroups: + - {{ $group | quote }} + resources: + {{- range $filteredResources }} + - {{ . }} + {{- end }} + verbs: + - get + - list + - watch + {{- end }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/clusterrolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..638f5b14 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/clusterrolebinding.yaml @@ -0,0 +1,29 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-object-monitor.fullname" . }} + labels: + {{- include "kubernetes-object-monitor.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "kubernetes-object-monitor.fullname" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "kubernetes-object-monitor.fullname" . }} + apiGroup: rbac.authorization.k8s.io + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/configmap.yaml new file mode 100644 index 00000000..f3e8d761 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/configmap.yaml @@ -0,0 +1,58 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-object-monitor.fullname" . }} + labels: + {{- include "kubernetes-object-monitor.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + config.toml: | + {{- range .Values.policies }} + [[policies]] + name = {{ .name | quote }} + enabled = {{ .enabled }} + + [policies.resource] + group = {{ .resource.group | quote }} + version = {{ .resource.version | quote }} + kind = {{ .resource.kind | quote }} + + [policies.predicate] + expression = {{ if contains "\n" .predicate.expression }}''' +{{ .predicate.expression | trim | nindent 10 }} + '''{{ else }}{{ .predicate.expression | quote }}{{ end }} + + {{- if .nodeAssociation }} + [policies.nodeAssociation] + expression = {{ .nodeAssociation.expression | quote }} + {{- end }} + + [policies.healthEvent] + componentClass = {{ .healthEvent.componentClass | quote }} + isFatal = {{ .healthEvent.isFatal }} + message = {{ .healthEvent.message | quote }} + recommendedAction = {{ .healthEvent.recommendedAction | quote }} + {{- if .healthEvent.errorCode }} + errorCode = [{{- range $index, $code := .healthEvent.errorCode }}{{- if $index }}, {{ end }}{{ $code | quote }}{{- end }}] + {{- end }} + {{- if .healthEvent.processingStrategy }} + processingStrategy = {{ .healthEvent.processingStrategy | quote }} + {{- end }} + + {{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/deployment.yaml new file mode 100644 index 00000000..051a75fd --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/deployment.yaml @@ -0,0 +1,111 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-object-monitor.fullname" . }} + labels: + {{- include "kubernetes-object-monitor.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "kubernetes-object-monitor.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "kubernetes-object-monitor.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.global }} + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + serviceAccountName: {{ include "kubernetes-object-monitor.fullname" . }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - "--policy-config-path=/config/config.toml" + - "--platform-connector-socket=unix://{{ ((.Values.global).socketPath) | default "/var/run/nvsentinel.sock" }}" + - "--metrics-bind-address=:{{ ((.Values.global).metricsPort) | default 2112 }}" + - "--health-probe-bind-address=:8081" + - "--max-concurrent-reconciles={{ .Values.maxConcurrentReconciles }}" + - "--resync-period={{ .Values.resyncPeriod }}" + - "--processing-strategy={{ .Values.processingStrategy }}" + resources: + {{- toYaml .Values.resources | nindent 12 }} + ports: + - name: metrics + containerPort: {{ ((.Values.global).metricsPort) | default 2112 }} + - name: health + containerPort: 8081 + livenessProbe: + httpGet: + path: /healthz + port: health + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /readyz + port: health + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + env: + - name: LOG_LEVEL + value: "{{ .Values.logLevel }}" + volumeMounts: + - name: config + mountPath: /config + readOnly: true + - name: socket + mountPath: /var/run + volumes: + - name: config + configMap: + name: {{ include "kubernetes-object-monitor.fullname" . }} + {{- range .Values.volumes }} + - {{- toYaml . | nindent 10 }} + {{- end }} + {{- with ((.Values.global).systemNodeSelector | default .Values.nodeSelector) }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with ((.Values.global).affinity | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with ((.Values.global).systemNodeTolerations | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/serviceaccount.yaml new file mode 100644 index 00000000..6ff7c779 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/templates/serviceaccount.yaml @@ -0,0 +1,20 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-object-monitor.fullname" . }} + labels: + {{- include "kubernetes-object-monitor.labels" . | nindent 4 }} \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/values.yaml new file mode 100644 index 00000000..ad988637 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/kubernetes-object-monitor/values.yaml @@ -0,0 +1,112 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for kubernetes-object-monitor. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +logLevel: info + +image: + repository: ghcr.io/nvidia/nvsentinel/kubernetes-object-monitor + pullPolicy: IfNotPresent + tag: "" + +podAnnotations: {} + +maxConcurrentReconciles: 1 +resyncPeriod: 5m + +# RBAC permissions are automatically generated based on the resources defined in policies. +# Nodes always get write permissions (patch/update) for annotations. +# All other resources get read-only permissions (get/list/watch). +policies: + - name: node-not-ready + enabled: true + resource: + group: "" + version: v1 + kind: Node + predicate: + expression: | + resource.status.conditions.filter(c, c.type == "Ready" && c.status == "False").size() > 0 + healthEvent: + componentClass: Node + isFatal: true + message: "Node is not ready" + recommendedAction: CONTACT_SUPPORT + errorCode: + - NODE_NOT_READY + + # Example: Monitor a custom resource (e.g., a GPU Job) + # Uncomment and modify to monitor your own custom resources + # + # - name: gpu-job-failed + # enabled: true + # resource: + # group: batch.example.com + # version: v1alpha1 + # kind: GPUJob + # predicate: + # # CEL expression to detect unhealthy state + # # Access the resource via 'resource' variable + # expression: | + # has(resource.status.state) && resource.status.state == "Failed" + # nodeAssociation: + # # Optional: CEL expression to map this resource to a specific node + # # This is useful for resources that run on specific nodes + # + # # Example 1: Direct node reference + # expression: resource.spec.nodeName + # + # # Example 2: Use lookup() to find the node from a related Pod + # # Useful when monitoring resources that reference other resources + # # expression: | + # # lookup('v1', 'Pod', resource.metadata.namespace, resource.spec.podName).spec.nodeName + # + # # Example 3: Chain lookup() calls to traverse multiple resources + # # expression: | + # # lookup('v1', 'Node', '', + # # lookup('v1', 'Pod', resource.metadata.namespace, resource.status.podName).spec.nodeName + # # ).metadata.name + # healthEvent: + # componentClass: GPU + # isFatal: false + # message: "GPU job failed on node" + # recommendedAction: CONTACT_SUPPORT + # errorCode: + # - GPU_JOB_FAILED + +resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + memory: 256Mi + +volumes: + - name: socket + hostPath: + path: /var/run/nvsentinel + type: DirectoryOrCreate + +# Processing strategy for health events +# valid values: EXECUTE_REMEDIATION, STORE_ONLY +# default: EXECUTE_REMEDIATION +# EXECUTE_REMEDIATION: normal behavior; downstream modules may update cluster state. +# STORE_ONLY: observability-only behavior; event should be persisted/exported but should not modify cluster resources (i.e., no node conditions, no quarantine, no drain, no remediation). +processingStrategy: EXECUTE_REMEDIATION diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/Chart.yaml new file mode 100644 index 00000000..94646b40 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: A Helm chart for Kubernetes +name: labeler +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/_helpers.tpl new file mode 100644 index 00000000..59aee689 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "labeler.name" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "labeler.fullname" -}} +{{- "labeler" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "labeler.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "labeler.labels" -}} +helm.sh/chart: {{ include "labeler.chart" . }} +{{ include "labeler.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "labeler.selectorLabels" -}} +app.kubernetes.io/name: {{ include "labeler.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/clusterrole.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/clusterrole.yaml new file mode 100644 index 00000000..c7755e97 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/clusterrole.yaml @@ -0,0 +1,39 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "labeler.fullname" . }} + labels: + {{- include "labeler.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - patch + - update diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/clusterrolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..4934a626 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/clusterrolebinding.yaml @@ -0,0 +1,28 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "labeler.fullname" . }} + labels: + {{- include "labeler.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "labeler.fullname" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "labeler.fullname" . }} + apiGroup: rbac.authorization.k8s.io diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/deployment.yaml new file mode 100644 index 00000000..95f19eec --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/deployment.yaml @@ -0,0 +1,117 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "labeler.fullname" . }} + labels: + {{- include "labeler.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "labeler.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "labeler.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "labeler.fullname" . }} + {{- if .Values.global.auditLogging.enabled }} + securityContext: + fsGroup: 65532 + {{- end }} + {{- if .Values.global.auditLogging.enabled }} + initContainers: + {{- include "nvsentinel.auditLogging.initContainer" . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - "--metrics-port" + - "{{ .Values.global.metricsPort }}" + {{- if .Values.kataLabelOverride }} + - "--kata-label" + - "{{ .Values.kataLabelOverride }}" + {{- end }} + {{- if .Values.assumeDriverInstalled }} + - "--assume-driver-installed" + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + ports: + - name: metrics + containerPort: {{ .Values.global.metricsPort }} + livenessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + {{- if .Values.global.auditLogging.enabled }} + volumeMounts: + {{- include "nvsentinel.auditLogging.volumeMount" . | nindent 12 }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: LOG_LEVEL + value: "{{ .Values.logLevel }}" + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.envVars" . | nindent 12 }} + {{- end }} + {{- if .Values.global.auditLogging.enabled }} + volumes: + {{- include "nvsentinel.auditLogging.volume" . | nindent 8 }} + {{- end }} + {{- with (.Values.global.systemNodeSelector | default .Values.nodeSelector) }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.affinity | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.systemNodeTolerations | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/serviceaccount.yaml new file mode 100644 index 00000000..269dcfb9 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/templates/serviceaccount.yaml @@ -0,0 +1,20 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "labeler.fullname" . }} + labels: + {{- include "labeler.labels" . | nindent 4 }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/values.yaml new file mode 100644 index 00000000..1ef57287 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/labeler/values.yaml @@ -0,0 +1,51 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for labeler. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +logLevel: info + +image: + repository: ghcr.io/nvidia/nvsentinel/labeler + pullPolicy: IfNotPresent + tag: "" + +podAnnotations: {} + +# Kata Containers detection configuration +# Additional node label to check when detecting Kata Containers support. If specified, the labeler +# will check BOTH this custom label AND the default 'katacontainers.io/kata-runtime' label as +# input sources for detection. The labeler will then set the output label +# 'nvsentinel.dgxc.nvidia.com/kata.enabled' to "true" or "false" based on the detection result. +# Example: 'custom.kata.label' or 'io.katacontainers.config.runtime.oci_runtime' +# Note: The input label value must be truthy (case-insensitive): "true", "enabled", "1", or "yes" +kataLabelOverride: "" + +# Pre-installed driver configuration +# When enabled, the labeler unconditionally sets nvsentinel.dgxc.nvidia.com/driver.installed=true +# on all GPU nodes, skipping driver pod detection. Use this for clusters where NVIDIA drivers +# are installed directly on the host rather than via GPU Operator driver containers. +assumeDriverInstalled: false + +resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + memory: 256Mi diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/Chart.yaml new file mode 100644 index 00000000..79a947a3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.0.0 +description: A Helm chart for the GPU Metadata Collector DaemonSet +name: metadata-collector +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/_helpers.tpl new file mode 100644 index 00000000..c4edd4a8 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/_helpers.tpl @@ -0,0 +1,41 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "metadata-collector.name" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "metadata-collector.fullname" -}} +{{- "metadata-collector" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "metadata-collector.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "metadata-collector.labels" -}} +helm.sh/chart: {{ include "metadata-collector.chart" . }} +{{ include "metadata-collector.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "metadata-collector.selectorLabels" -}} +app.kubernetes.io/name: {{ include "metadata-collector.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/clusterrole.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/clusterrole.yaml new file mode 100644 index 00000000..2ba61bac --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/clusterrole.yaml @@ -0,0 +1,33 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "metadata-collector.fullname" . }} + labels: + {{- include "metadata-collector.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - patch + - apiGroups: + - "" + resources: + - nodes/proxy + verbs: + - get \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/clusterrolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..e6fe8eda --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/clusterrolebinding.yaml @@ -0,0 +1,28 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "metadata-collector.fullname" . }} + labels: + {{- include "metadata-collector.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "metadata-collector.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "metadata-collector.fullname" . }} + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/daemonset.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/daemonset.yaml new file mode 100644 index 00000000..7a9e5d98 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/daemonset.yaml @@ -0,0 +1,101 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "metadata-collector.fullname" . }} + labels: + {{- include "metadata-collector.labels" . | nindent 4 }} +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + {{- include "metadata-collector.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "metadata-collector.selectorLabels" . | nindent 8 }} + spec: + serviceAccountName: {{ include "metadata-collector.fullname" . }} + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + hostNetwork: true + hostPID: true + containers: + - name: metadata-collector + securityContext: + runAsUser: 0 + runAsGroup: 0 + privileged: true + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - --output-path={{ .Values.global.metadataPath }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: output + mountPath: /var/lib/nvsentinel + - name: sys + mountPath: /sys + readOnly: true + - mountPath: /var/lib/kubelet/pod-resources + name: pod-gpu-resources + readOnly: true + volumes: + - name: output + hostPath: + path: /var/lib/nvsentinel + type: DirectoryOrCreate + - name: sys + hostPath: + path: /sys + type: Directory + - name: pod-gpu-resources + hostPath: + path: /var/lib/kubelet/pod-resources + type: Directory + nodeSelector: + nvidia.com/gpu.present: "true" + nvsentinel.dgxc.nvidia.com/driver.installed: "true" + {{- with (.Values.global.nodeSelector | default .Values.nodeSelector) }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.affinity | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.tolerations | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.runtimeClassName }} + runtimeClassName: {{ .Values.runtimeClassName }} + {{- end }} \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/serviceaccount.yaml new file mode 100644 index 00000000..90e9d3ca --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/templates/serviceaccount.yaml @@ -0,0 +1,20 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "metadata-collector.fullname" . }} + labels: + {{- include "metadata-collector.labels" . | nindent 4 }} \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/values.yaml new file mode 100644 index 00000000..5951821c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/metadata-collector/values.yaml @@ -0,0 +1,31 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +image: + repository: ghcr.io/nvidia/nvsentinel/metadata-collector + pullPolicy: IfNotPresent + tag: "" + +podAnnotations: {} + +resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + +# Runtime class name for the pod. If empty or not set, the field will be omitted. +runtimeClassName: "nvidia" diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/.helmignore new file mode 100644 index 00000000..207983f3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/.helmignore @@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/Chart.lock b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/Chart.lock new file mode 100644 index 00000000..c04c0e2c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/Chart.lock @@ -0,0 +1,12 @@ +dependencies: +- name: mongodb + repository: "" + version: 16.2.2 +- name: psmdb-operator + repository: "" + version: 1.21.1 +- name: psmdb-db + repository: "" + version: 1.21.1 +digest: sha256:52544f60c2e88079cc18da78164440e042103e5adc065668a648864e2ad938b9 +generated: "2025-11-19T15:26:21.985280107+05:30" diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/Chart.yaml new file mode 100644 index 00000000..925f063e --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: 1.16.0 +dependencies: +- condition: useBitnami + name: mongodb + repository: "" + version: 16.2.2 +- condition: usePerconaOperator + name: psmdb-operator + repository: "" + version: 1.21.1 +- condition: usePerconaOperator + name: psmdb-db + repository: "" + version: 1.21.1 +description: A Helm chart for mongodb store +name: mongodb-store +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/.helmignore new file mode 100644 index 00000000..207983f3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/.helmignore @@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/Chart.lock b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/Chart.lock new file mode 100644 index 00000000..46ce374a --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + version: 2.26.0 +digest: sha256:5ff7837915aef0067bd32271ee2b10c990774c16c4b6fe0a7c5eb6e53530ce08 +generated: "2024-10-25T12:54:49.697596669Z" diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/Chart.yaml new file mode 100644 index 00000000..28c6b353 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/Chart.yaml @@ -0,0 +1,41 @@ +annotations: + category: Database + images: | + - name: kubectl + image: docker.io/bitnami/kubectl:1.31.2-debian-12-r3 + - name: mongodb + image: docker.io/bitnami/mongodb:8.0.3-debian-12-r0 + - name: mongodb-exporter + image: docker.io/bitnami/mongodb-exporter:0.41.2-debian-12-r1 + - name: nginx + image: docker.io/bitnami/nginx:1.27.2-debian-12-r2 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r32 + licenses: Apache-2.0 +apiVersion: v2 +appVersion: 8.0.3 +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x +description: MongoDB(R) is a relational open source NoSQL database. Easy to use, it + stores data in JSON-like documents. Automated scalability and high-performance. + Ideal for developing cloud native applications. +home: https://bitnami.com +icon: https://bitnami.com/assets/stacks/mongodb/img/mongodb-stack-220x234.png +keywords: +- mongodb +- database +- nosql +- cluster +- replicaset +- replication +maintainers: +- name: Broadcom, Inc. All Rights Reserved. + url: https://github.com/bitnami/charts +name: mongodb +sources: +- https://github.com/bitnami/charts/tree/main/bitnami/mongodb +version: 16.2.2 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/README.md b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/README.md new file mode 100644 index 00000000..d3fa34fa --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/README.md @@ -0,0 +1,1183 @@ + + +# MongoDB(R) packaged by Bitnami + +MongoDB(R) is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications. + +[Overview of MongoDB®](http://www.mongodb.org) + +Disclaimer: The respective trademarks mentioned in the offering are owned by the respective companies. We do not provide a commercial license for any of these products. This listing has an open-source license. MongoDB(R) is run and maintained by MongoDB, which is a completely separate project from Bitnami. + +## TL;DR + +```console +helm install my-release oci://registry-1.docker.io/bitnamicharts/mongodb +``` + +Looking to use MongoDBreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + +## Introduction + +This chart bootstraps a [MongoDB(®)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Architecture + +This chart allows installing MongoDB(®) using two different architecture setups: `standalone` or `replicaset`. Use the `architecture` parameter to choose the one to use: + +```console +architecture="standalone" +architecture="replicaset" +``` + +### Standalone architecture + +The *standalone* architecture installs a deployment (or StatefulSet) with one MongoDB® server (it cannot be scaled): + +```text + ---------------- + | MongoDB® | + | svc | + ---------------- + | + v + ------------ + |MongoDB®| + | Server | + | Pod | + ----------- +``` + +### Replicaset architecture + +The chart also supports the *replicaset* architecture with and without a MongoDB(®) Arbiter: + +When the MongoDB(®) Arbiter is enabled, the chart installs two StatefulSets: A StatefulSet with N MongoDB(®) servers (organised with one primary and N-1 secondary nodes), and a StatefulSet with one MongoDB(®) arbiter node (it cannot be scaled). + +```text + ---------------- ---------------- ---------------- ------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | | Arbiter | + | external svc | | external svc | | external svc | | svc | + ---------------- ---------------- ---------------- ------------- + | | | | + v v v v + ---------------- ---------------- ---------------- -------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | | MongoDB® | + | Server | | Server | | Server | | Arbiter | + | Pod | | Pod | | Pod | | Pod | + ---------------- ---------------- ---------------- -------------- + primary secondary secondary +``` + +The PSA model is useful when the third Availability Zone cannot hold a full MongoDB(®) instance. The MongoDB(®) Arbiter as decision maker is lightweight and can run alongside other workloads. + +> NOTE: An update takes your MongoDB(®) replicaset offline if the Arbiter is enabled and the number of MongoDB(®) replicas is two. Helm applies updates to the StatefulSets for the MongoDB(®) instance and the Arbiter at the same time so you lose two out of three quorum votes. + +Without the Arbiter, the chart deploys a single statefulset with N MongoDB(®) servers (organised with one primary and N-1 secondary nodes). + +```text + ---------------- ---------------- ---------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | + | external svc | | external svc | | external svc | + ---------------- ---------------- ---------------- + | | | + v v v + ---------------- ---------------- ---------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | + | Server | | Server | | Server | + | Pod | | Pod | | Pod | + ---------------- ---------------- ---------------- + primary secondary secondary +``` + +There are no services load balancing requests between MongoDB(®) nodes; instead, each node has an associated service to access them individually. + +> NOTE: Although the first replica is initially assigned the primary role, any of the secondary nodes can become the primary if it is down, or during upgrades. Do not make any assumption about what replica has the primary role. Instead, configure your MongoDB(®) client with the list of MongoDB(®) hostnames so it can dynamically choose the node to send requests. + +## Prerequisites + +- Kubernetes 1.25+ +- Helm 3.8.0+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The command deploys MongoDB(®) on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling vs Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customize a new MongoDB instance + +The [Bitnami MongoDB(®) image](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) supports the use of custom scripts to initialize a fresh instance. In order to execute the scripts, two options are available: + +- Specify them using the `initdbScripts` parameter as dict. +- Define an external Kubernetes ConfigMap with all the initialization scripts by setting the `initdbScriptsConfigMap` parameter. Note that this will override the previous option. + +The allowed script extensions are `.sh` and `.js`. + +### Replicaset: Access MongoDB(®) nodes from outside the cluster + +In order to access MongoDB(®) nodes from outside the cluster when using a replicaset architecture, a specific service per MongoDB(®) pod will be created. There are two ways of configuring external access: + +- Using LoadBalancer services +- Using NodePort services. + +#### Use LoadBalancer services + +Three alternatives are available to use *LoadBalancer* services: + +- Use random load balancer IP addresses using an *initContainer* that waits for the IP addresses to be ready and discovers them automatically. An example deployment configuration is shown below: + + ```yaml + architecture: replicaset + replicaCount: 2 + externalAccess: + enabled: true + service: + type: LoadBalancer + autoDiscovery: + enabled: true + serviceAccount: + create: true + automountServiceAccountToken: true + rbac: + create: true + ``` + + > NOTE: This option requires creating RBAC rules on clusters where RBAC policies are enabled. + +- Manually specify the load balancer IP addresses. An example deployment configuration is shown below, with the placeholder EXTERNAL-IP-ADDRESS-X used in place of the load balancer IP addresses: + + ```yaml + architecture: replicaset + replicaCount: 2 + externalAccess: + enabled: true + service: + type: LoadBalancer + loadBalancerIPs: + - 'EXTERNAL-IP-ADDRESS-1' + - 'EXTERNAL-IP-ADDRESS-2' + ``` + + > NOTE: This option requires knowing the load balancer IP addresses, so that each MongoDB® node's advertised hostname is configured with it. + +- Specify `externalAccess.service.publicNames`. These names must be resolvable by the MongoDB® containers. To ensure that, if this value is set, an initContainer is added to wait for the ip addresses associated to those names. We can combine this feature with `external-dns`, setting the required annotations to configure the load balancer names: + + ```yaml + architecture: replicaset + replicaCount: 2 + externalAccess: + enabled: true + service: + type: LoadBalancer + publicNames: + - 'mongodb-0.example.com' + - 'mongodb-1.example.com' + annotationsList: + - external-dns.alpha.kubernetes.io/hostname: mongodb-0.example.com + - external-dns.alpha.kubernetes.io/hostname: mongodb-1.example.com + ``` + + > NOTE: If register new DNS records for those names is not an option, the release can be upgraded setting `hostAliases` with the public IPs assigned to the external services. + +#### Use NodePort services + +Manually specify the node ports to use. An example deployment configuration is shown below, with the placeholder NODE-PORT-X used in place of the node ports: + +```text +architecture=replicaset +replicaCount=2 +externalAccess.enabled=true +externalAccess.service.type=NodePort +externalAccess.service.nodePorts[0]='NODE-PORT-1' +externalAccess.service.nodePorts[1]='NODE-PORT-2' +``` + +> NOTE: This option requires knowing the node ports that will be exposed, so each MongoDB® node's advertised hostname is configured with it. + +The pod will try to get the external IP address of the node using the command `curl -s https://ipinfo.io/IP-ADDRESS` unless the `externalAccess.service.domain` parameter is set. + +### Bootstrapping with an External Cluster + +This chart is equipped with the ability to bring online a set of Pods that connect to an existing MongoDB(®) deployment that lies outside of Kubernetes. This effectively creates a hybrid MongoDB(®) Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single MongoDB(®) Deployment. This is helpful in situations where one may be migrating MongoDB(®) from Virtual Machines into Kubernetes, for example. To take advantage of this, use the following as an example configuration: + +```yaml +externalAccess: + externalMaster: + enabled: true + host: external-mongodb-0.internal +``` + +:warning: To bootstrap MongoDB(®) with an external master that lies outside of Kubernetes, be sure to set up external access using any of the suggested methods in this chart to have connectivity between the MongoDB(®) members. :warning: + +### Add extra environment variables + +To add extra environment variables (useful for advanced operations like custom init scripts), use the `extraEnvVars` property. + +```yaml +extraEnvVars: + - name: LOG_LEVEL + value: error +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` properties. + +### Use Sidecars and Init Containers + +If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. + +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). + +### Backup and restore MongoDB(R) deployments + +Two different approaches are available to back up and restore Bitnami MongoDB® Helm chart deployments on Kubernetes: + +- Back up the data from the source deployment and restore it in a new deployment using MongoDB® built-in backup/restore tools. +- Back up the persistent volumes from the source deployment and attach them to a new deployment using Velero, a Kubernetes backup/restore tool. + +#### Method 1: Backup and restore data using MongoDB® built-in tools + +This method involves the following steps: + +- Use the *mongodump* tool to create a snapshot of the data in the source cluster. +- Create a new MongoDB® Cluster deployment and forward the MongoDB® Cluster service port for the new deployment. +- Restore the data using the *mongorestore* tool to import the backup to the new cluster. + +> NOTE: Under this approach, it is important to create the new deployment on the destination cluster using the same credentials as the original deployment on the source cluster. + +#### Method 2: Back up and restore persistent data volumes + +This method involves copying the persistent data volumes for the MongoDB® nodes and reusing them in a new deployment with [Velero](https://velero.io/), an open source Kubernetes backup/restore tool. This method is only suitable when: + +- The Kubernetes provider is [supported by Velero](https://velero.io/docs/latest/supported-providers/). +- Both clusters are on the same Kubernetes provider, as this is a requirement of [Velero's native support for migrating persistent volumes](https://velero.io/docs/latest/migration-case/). +- The restored deployment on the destination cluster will have the same name, namespace, topology and credentials as the original deployment on the source cluster. + +This method involves the following steps: + +- Install Velero on the source and destination clusters. +- Use Velero to back up the PersistentVolumes (PVs) used by the deployment on the source cluster. +- Use Velero to restore the backed-up PVs on the destination cluster. +- Create a new deployment on the destination cluster with the same chart, deployment name, credentials and other parameters as the original. This new deployment will use the restored PVs and hence the original data. + +Refer to our detailed [tutorial on backing up and restoring MongoDB® chart deployments on Kubernetes](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-backup-restore-data-mongodb-kubernetes-index.html), which covers both these approaches, for more information. + +### Use custom Prometheus rules + +Custom Prometheus rules can be defined for the Prometheus Operator by using the `prometheusRule` parameter. A basic configuration example is shown below: + +```text + metrics: + enabled: true + prometheusRule: + enabled: true + rules: + - name: rule1 + rules: + - alert: HighRequestLatency + expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5 + for: 10m + labels: + severity: page + annotations: + summary: High request latency +``` + +### Enable SSL/TLS + +This chart supports enabling SSL/TLS between nodes in the cluster, as well as between MongoDB(®) clients and nodes, by setting the `MONGODB_EXTRA_FLAGS` and `MONGODB_CLIENT_EXTRA_FLAGS` container environment variables, together with the correct `MONGODB_ADVERTISED_HOSTNAME`. To enable full TLS encryption, set the `tls.enabled` parameter to `true`. + +#### Generate the self-signed certificates via pre-install Helm hooks + +The `secrets-ca.yaml` file utilizes the Helm "pre-install" hook to ensure that the certificates will only be generated on chart install. + +The `genCA()` function will create a new self-signed x509 certificate authority. The `genSignedCert()` function creates an object with the certificate and key, which are base64-encoded and used in a YAML-like object. The `genSignedCert()` function is passed the CN, an empty IP list (the nil part), the validity and the CA created previously. + +A Kubernetes Secret is used to hold the signed certificate created above, and the `initContainer` sets up the rest. Using Helm's hook annotations ensures that the certificates will only be generated on chart install. This will prevent overriding the certificates if the chart is upgraded. + +#### Use your own CA + +To use your own CA, set `tls.caCert` and `tls.caKey` with appropriate base64 encoded data. The `secrets-ca.yaml` file will utilize this data to create the Secret. + +> NOTE: Currently, only RSA private keys are supported. + +#### Use your own certificates + +To use your own certificates, set `tls.standalone.existingSecret`, `tls.replicaset.existingSecrets`, `tls.hidden.existingSecrets` and/or `tls.arbiter.existingSecret` secrets according to your needs. All of them must be references to `kubernetes.io/tls` secrets and the certificates must be created using the same CA. The CA can be added directly to each secret using the `ca.crt` key: + +```shell +kubectl create secret tls "mongodb-0-cert" --cert="mongodb-0.crt" --key="mongodb-0.key" +kubectl patch secret "mongodb-0-cert" -p="{\"data\":{\"ca.crt\": \"$(cat ca.crt | base64 -w0 )\"}}" +``` + +Or adding it to the "endpoint certificate" and setting the value `tls.pemChainIncluded`. If we reuse the example above, the `mongodb-0.crt` file should include CA cert and we shouldn't need to patch the secret to add the `ca.crt` set key. + +> NOTE: Certificates should be signed for the fully qualified domain names. If `externalAccess.service.publicNames`is set, those names should be used in the certificates set in `tls.replicaset.existingSecrets`. + +#### Access the cluster + +To access the cluster, enable the init container which generates the MongoDB(®) server/client PEM key needed to access the cluster. Please be sure to include the `$my_hostname` section with your actual hostname, and the alternative hostnames section should contain the hostnames that should be allowed access to the MongoDB(®) replicaset. Additionally, if external access is enabled, the load balancer IP addresses are added to the alternative names list. + +> NOTE: You will be generating self-signed certificates for the MongoDB(®) deployment. The init container generates a new MongoDB(®) private key which will be used to create a Certificate Authority (CA) and the public certificate for the CA. The Certificate Signing Request will be created as well and signed using the private key of the CA previously created. Finally, the PEM bundle will be created using the private key and public certificate. This process will be repeated for each node in the cluster. + +#### Start the cluster + +After the certificates have been generated and made available to the containers at the correct mount points, the MongoDB(®) server will be started with TLS enabled. The options for the TLS mode will be one of `disabled`, `allowTLS`, `preferTLS`, or `requireTLS`. This value can be changed via the `MONGODB_EXTRA_FLAGS` field using the `tlsMode` parameter. The client should now be able to connect to the TLS-enabled cluster with the provided certificates. + +### Set Pod affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Persistence + +The [Bitnami MongoDB(®)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) image stores the MongoDB(®) data and configurations at the `/bitnami/mongodb` path of the container. + +The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at this location. The volume is created using dynamic volume provisioning. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). + +## Parameters + +### Global parameters + +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | +| `global.namespaceOverride` | Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | + +### Common parameters + +| Name | Description | Value | +| ------------------------- | --------------------------------------------------------------------------------------------------------- | --------------- | +| `nameOverride` | String to partially override mongodb.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override mongodb.fullname template | `""` | +| `namespaceOverride` | String to fully override common.names.namespace | `""` | +| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | +| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `commonLabels` | Add labels to all the deployed resources (sub-charts are not considered). Evaluated as a template | `{}` | +| `commonAnnotations` | Common annotations to add to all Mongo resources (sub-charts are not considered). Evaluated as a template | `{}` | +| `topologyKey` | Override common lib default topology key. If empty - "kubernetes.io/hostname" is used | `""` | +| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | +| `enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | + +### MongoDB(®) parameters + +| Name | Description | Value | +| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `image.registry` | MongoDB(®) image registry | `REGISTRY_NAME` | +| `image.repository` | MongoDB(®) image registry | `REPOSITORY_NAME/mongodb` | +| `image.digest` | MongoDB(®) image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | MongoDB(®) image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Set to true if you would like to see extra information on logs | `false` | +| `schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `architecture` | MongoDB(®) architecture (`standalone` or `replicaset`) | `standalone` | +| `useStatefulSet` | Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) | `false` | +| `auth.enabled` | Enable authentication | `true` | +| `auth.rootUser` | MongoDB(®) root user | `root` | +| `auth.rootPassword` | MongoDB(®) root password | `""` | +| `auth.usernames` | List of custom users to be created during the initialization | `[]` | +| `auth.passwords` | List of passwords for the custom users set at `auth.usernames` | `[]` | +| `auth.databases` | List of custom databases to be created during the initialization | `[]` | +| `auth.username` | DEPRECATED: use `auth.usernames` instead | `""` | +| `auth.password` | DEPRECATED: use `auth.passwords` instead | `""` | +| `auth.database` | DEPRECATED: use `auth.databases` instead | `""` | +| `auth.replicaSetKey` | Key used for authentication in the replicaset (only when `architecture=replicaset`) | `""` | +| `auth.existingSecret` | Existing secret with MongoDB(®) credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, `mongodb-replica-set-key`) | `""` | +| `tls.enabled` | Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes | `false` | +| `tls.mTLS.enabled` | IF TLS support is enabled, require clients to provide certificates | `true` | +| `tls.autoGenerated` | Generate a custom CA and self-signed certificates | `true` | +| `tls.existingSecret` | Existing secret with TLS certificates (keys: `mongodb-ca-cert`, `mongodb-ca-key`) | `""` | +| `tls.caCert` | Custom CA certificated (base64 encoded) | `""` | +| `tls.caKey` | CA certificate private key (base64 encoded) | `""` | +| `tls.pemChainIncluded` | Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. | `false` | +| `tls.standalone.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` | +| `tls.replicaset.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` | +| `tls.hidden.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` | +| `tls.arbiter.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` | +| `tls.image.registry` | Init container TLS certs setup image registry | `REGISTRY_NAME` | +| `tls.image.repository` | Init container TLS certs setup image repository | `REPOSITORY_NAME/nginx` | +| `tls.image.digest` | Init container TLS certs setup image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `tls.image.pullPolicy` | Init container TLS certs setup image pull policy | `IfNotPresent` | +| `tls.image.pullSecrets` | Init container TLS certs specify docker-registry secret names as an array | `[]` | +| `tls.extraDnsNames` | Add extra dns names to the CA, can solve x509 auth issue for pod clients | `[]` | +| `tls.mode` | Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) | `requireTLS` | +| `tls.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). | `nano` | +| `tls.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `tls.securityContext` | Init container generate-tls-cert Security context | `{}` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hostAliases` | Add deployment host aliases | `[]` | +| `replicaSetName` | Name of the replica set (only when `architecture=replicaset`) | `rs0` | +| `replicaSetHostnames` | Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) | `true` | +| `enableIPv6` | Switch to enable/disable IPv6 on MongoDB(®) | `false` | +| `directoryPerDB` | Switch to enable/disable DirectoryPerDB on MongoDB(®) | `false` | +| `systemLogVerbosity` | MongoDB(®) system log verbosity level | `0` | +| `disableSystemLog` | Switch to enable/disable MongoDB(®) system log | `false` | +| `disableJavascript` | Switch to enable/disable MongoDB(®) server-side JavaScript execution | `false` | +| `enableJournal` | Switch to enable/disable MongoDB(®) Journaling | `true` | +| `configuration` | MongoDB(®) configuration file to be used for Primary and Secondary nodes | `""` | + +### replicaSetConfigurationSettings settings applied during runtime (not via configuration file) + +| Name | Description | Value | +| ----------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------- | +| `replicaSetConfigurationSettings.enabled` | Enable MongoDB(®) Switch to enable/disable configuring MongoDB(®) run time rs.conf settings | `false` | +| `replicaSetConfigurationSettings.configuration` | run-time rs.conf settings | `{}` | +| `existingConfigmap` | Name of existing ConfigMap with MongoDB(®) configuration for Primary and Secondary nodes | `""` | +| `initdbScripts` | Dictionary of initdb scripts | `{}` | +| `initdbScriptsConfigMap` | Existing ConfigMap with custom initdb scripts | `""` | +| `command` | Override default container command (useful when using custom images) | `[]` | +| `args` | Override default container args (useful when using custom images) | `[]` | +| `extraFlags` | MongoDB(®) additional command line flags | `[]` | +| `extraEnvVars` | Extra environment variables to add to MongoDB(®) pods | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | + +### MongoDB(®) statefulset parameters + +| Name | Description | Value | +| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `annotations` | Additional labels to be added to the MongoDB(®) statefulset. Evaluated as a template | `{}` | +| `labels` | Annotations to be added to the MongoDB(®) statefulset. Evaluated as a template | `{}` | +| `replicaCount` | Number of MongoDB(®) nodes | `2` | +| `updateStrategy.type` | Strategy to use to replace existing MongoDB(®) pods. When architecture=standalone and useStatefulSet=false, | `RollingUpdate` | +| `podManagementPolicy` | Pod management policy for MongoDB(®) | `OrderedReady` | +| `podAffinityPreset` | MongoDB(®) Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | MongoDB(®) Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | MongoDB(®) Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | MongoDB(®) Node label key to match Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | MongoDB(®) Node label values to match. Ignored if `affinity` is set. | `[]` | +| `affinity` | MongoDB(®) Affinity for pod assignment | `{}` | +| `nodeSelector` | MongoDB(®) Node labels for pod assignment | `{}` | +| `tolerations` | MongoDB(®) Tolerations for pod assignment | `[]` | +| `topologySpreadConstraints` | MongoDB(®) Spread Constraints for Pods | `[]` | +| `lifecycleHooks` | LifecycleHook for the MongoDB(®) container(s) to automate configuration before or after startup | `{}` | +| `terminationGracePeriodSeconds` | MongoDB(®) Termination Grace Period | `""` | +| `podLabels` | MongoDB(®) pod labels | `{}` | +| `podAnnotations` | MongoDB(®) Pod annotations | `{}` | +| `priorityClassName` | Name of the existing priority class to be used by MongoDB(®) pod(s) | `""` | +| `runtimeClassName` | Name of the runtime class to be used by MongoDB(®) pod(s) | `""` | +| `podSecurityContext.enabled` | Enable MongoDB(®) pod(s)' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `podSecurityContext.fsGroup` | Group ID for the volumes of the MongoDB(®) pod(s) | `1001` | +| `podSecurityContext.sysctls` | sysctl settings of the MongoDB(®) pod(s)' | `[]` | +| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` | +| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `containerPorts.mongodb` | MongoDB(®) container port | `27017` | +| `livenessProbe.enabled` | Enable livenessProbe | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `startupProbe.enabled` | Enable startupProbe | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `20` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `10` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Override default liveness probe for MongoDB(®) containers | `{}` | +| `customReadinessProbe` | Override default readiness probe for MongoDB(®) containers | `{}` | +| `customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` | +| `initContainers` | Add additional init containers for the hidden node pod(s) | `[]` | +| `sidecars` | Add additional sidecar containers for the MongoDB(®) pod(s) | `[]` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MongoDB(®) container(s) | `[]` | +| `extraVolumes` | Optionally specify extra list of additional volumes to the MongoDB(®) statefulset | `[]` | +| `pdb.create` | Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s) | `true` | +| `pdb.minAvailable` | Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction | `""` | +| `pdb.maxUnavailable` | Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. | `""` | + +### Traffic exposure parameters + +| Name | Description | Value | +| ------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `service.nameOverride` | MongoDB(®) service name | `""` | +| `service.type` | Kubernetes Service type (only for standalone architecture) | `ClusterIP` | +| `service.portName` | MongoDB(®) service port name (only for standalone architecture) | `mongodb` | +| `service.ports.mongodb` | MongoDB(®) service port. | `27017` | +| `service.nodePorts.mongodb` | Port to bind to for NodePort and LoadBalancer service types (only for standalone architecture) | `""` | +| `service.clusterIP` | MongoDB(®) service cluster IP (only for standalone architecture) | `""` | +| `service.externalIPs` | Specify the externalIP value ClusterIP service type (only for standalone architecture) | `[]` | +| `service.loadBalancerIP` | loadBalancerIP for MongoDB(®) Service (only for standalone architecture) | `""` | +| `service.loadBalancerClass` | loadBalancerClass for MongoDB(®) Service (only for standalone architecture) | `""` | +| `service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer (only for standalone architecture) | `[]` | +| `service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` | +| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `service.annotations` | Provide any additional annotations that may be required | `{}` | +| `service.externalTrafficPolicy` | service external traffic policy (only for standalone architecture) | `Local` | +| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.headless.annotations` | Annotations for the headless service. | `{}` | +| `externalAccess.enabled` | Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) | `false` | +| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs by querying the K8s API | `false` | +| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `REGISTRY_NAME` | +| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository | `REPOSITORY_NAME/kubectl` | +| `externalAccess.autoDiscovery.image.digest` | Init container auto-discovery image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy | `IfNotPresent` | +| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` | +| `externalAccess.autoDiscovery.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). | `nano` | +| `externalAccess.autoDiscovery.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalAccess.dnsCheck.image.registry` | Init container dns-check image registry | `REGISTRY_NAME` | +| `externalAccess.dnsCheck.image.repository` | Init container dns-check image repository | `REPOSITORY_NAME/kubectl` | +| `externalAccess.dnsCheck.image.digest` | Init container dns-check image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `externalAccess.dnsCheck.image.pullPolicy` | Init container dns-check image pull policy | `IfNotPresent` | +| `externalAccess.dnsCheck.image.pullSecrets` | Init container dns-check image pull secrets | `[]` | +| `externalAccess.dnsCheck.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). | `nano` | +| `externalAccess.dnsCheck.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalAccess.externalMaster.enabled` | Use external master for bootstrapping | `false` | +| `externalAccess.externalMaster.host` | External master host to bootstrap from | `""` | +| `externalAccess.externalMaster.port` | Port for MongoDB(®) service external master host | `27017` | +| `externalAccess.service.type` | Kubernetes Service type for external access. Allowed values: NodePort, LoadBalancer or ClusterIP | `LoadBalancer` | +| `externalAccess.service.portName` | MongoDB(®) port name used for external access when service type is LoadBalancer | `mongodb` | +| `externalAccess.service.ports.mongodb` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` | +| `externalAccess.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` | +| `externalAccess.service.publicNames` | Array of public names. The size should be equal to the number of replicas. | `[]` | +| `externalAccess.service.loadBalancerClass` | loadBalancerClass when service type is LoadBalancer | `""` | +| `externalAccess.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.service.allocateLoadBalancerNodePorts` | Whether to allocate node ports when service type is LoadBalancer | `true` | +| `externalAccess.service.externalTrafficPolicy` | MongoDB(®) service external traffic policy | `Local` | +| `externalAccess.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort | `[]` | +| `externalAccess.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` | +| `externalAccess.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `externalAccess.service.annotations` | Service annotations for external access. These annotations are common for all services created. | `{}` | +| `externalAccess.service.annotationsList` | Service annotations for eache external service. This value contains a list allowing different annotations per each external service. | `[]` | +| `externalAccess.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `externalAccess.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `externalAccess.hidden.enabled` | Enable Kubernetes external cluster access to MongoDB(®) hidden nodes | `false` | +| `externalAccess.hidden.service.type` | Kubernetes Service type for external access. Allowed values: NodePort or LoadBalancer | `LoadBalancer` | +| `externalAccess.hidden.service.portName` | MongoDB(®) port name used for external access when service type is LoadBalancer | `mongodb` | +| `externalAccess.hidden.service.ports.mongodb` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` | +| `externalAccess.hidden.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` | +| `externalAccess.hidden.service.loadBalancerClass` | loadBalancerClass when service type is LoadBalancer | `""` | +| `externalAccess.hidden.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.hidden.service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` | +| `externalAccess.hidden.service.externalTrafficPolicy` | MongoDB(®) service external traffic policy | `Local` | +| `externalAccess.hidden.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort. Length must be the same as replicaCount | `[]` | +| `externalAccess.hidden.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` | +| `externalAccess.hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `externalAccess.hidden.service.annotations` | Service annotations for external access | `{}` | +| `externalAccess.hidden.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `externalAccess.hidden.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | + +### Network policy parameters + +| Name | Description | Value | +| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. | `{}` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` | +| `persistence.enabled` | Enable MongoDB(®) data persistence using PVC | `true` | +| `persistence.name` | Name of the PVC and mounted volume | `datadir` | +| `persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `persistence.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | +| `persistence.storageClass` | PVC Storage Class for MongoDB(®) data volume | `""` | +| `persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `persistence.size` | PVC Storage Request for MongoDB(®) data volume | `8Gi` | +| `persistence.annotations` | PVC annotations | `{}` | +| `persistence.labels` | PVC labels | `{}` | +| `persistence.mountPath` | Path to mount the volume at | `/bitnami/mongodb` | +| `persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | +| `persistence.volumeClaimTemplates.requests` | Custom PVC requests attributes | `{}` | +| `persistence.volumeClaimTemplates.dataSource` | Add dataSource to the VolumeClaimTemplate | `{}` | +| `persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for MongoDB(®) Statefulset | `false` | +| `persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | + +### Backup parameters + +| Name | Description | Value | +| ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` | +| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` | +| `backup.cronjob.timeZone` | Set the cronjob parameter timeZone | `""` | +| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` | +| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` | +| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` | +| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` | +| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` | +| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | +| `backup.cronjob.backoffLimit` | Set the cronjob parameter backoffLimit | `6` | +| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` | +| `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `backup.cronjob.command` | Set backup container's command to run | `[]` | +| `backup.cronjob.labels` | Set the cronjob labels | `{}` | +| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` | +| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | +| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | +| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` | +| `backup.cronjob.storage.annotations` | PVC annotations | `{}` | +| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/mongodb` | +| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | +| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | + +### RBAC parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `serviceAccount.create` | Enable creation of ServiceAccount for MongoDB(®) pods | `true` | +| `serviceAccount.name` | Name of the created serviceAccount | `""` | +| `serviceAccount.annotations` | Additional Service Account annotations | `{}` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | +| `rbac.create` | Whether to create & use RBAC resources or not | `false` | +| `rbac.rules` | Custom rules to create following the role specification | `[]` | +| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | +| `podSecurityPolicy.allowPrivilegeEscalation` | Enable privilege escalation | `false` | +| `podSecurityPolicy.privileged` | Allow privileged | `false` | +| `podSecurityPolicy.spec` | Specify the full spec to use for Pod Security Policy | `{}` | + +### Volume Permissions parameters + +| Name | Description | Value | +| -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.securityContext.runAsUser` | User ID for the volumePermissions container | `0` | + +### Arbiter parameters + +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `arbiter.enabled` | Enable deploying the arbiter | `true` | +| `arbiter.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `arbiter.hostAliases` | Add deployment host aliases | `[]` | +| `arbiter.configuration` | Arbiter configuration file to be used | `""` | +| `arbiter.existingConfigmap` | Name of existing ConfigMap with Arbiter configuration | `""` | +| `arbiter.command` | Override default container command (useful when using custom images) | `[]` | +| `arbiter.args` | Override default container args (useful when using custom images) | `[]` | +| `arbiter.extraFlags` | Arbiter additional command line flags | `[]` | +| `arbiter.extraEnvVars` | Extra environment variables to add to Arbiter pods | `[]` | +| `arbiter.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `arbiter.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | +| `arbiter.annotations` | Additional labels to be added to the Arbiter statefulset | `{}` | +| `arbiter.labels` | Annotations to be added to the Arbiter statefulset | `{}` | +| `arbiter.topologySpreadConstraints` | MongoDB(®) Spread Constraints for arbiter Pods | `[]` | +| `arbiter.lifecycleHooks` | LifecycleHook for the Arbiter container to automate configuration before or after startup | `{}` | +| `arbiter.terminationGracePeriodSeconds` | Arbiter Termination Grace Period | `""` | +| `arbiter.updateStrategy.type` | Strategy that will be employed to update Pods in the StatefulSet | `RollingUpdate` | +| `arbiter.podManagementPolicy` | Pod management policy for MongoDB(®) | `OrderedReady` | +| `arbiter.schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `arbiter.podAffinityPreset` | Arbiter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `arbiter.podAntiAffinityPreset` | Arbiter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `arbiter.nodeAffinityPreset.type` | Arbiter Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `arbiter.nodeAffinityPreset.key` | Arbiter Node label key to match Ignored if `affinity` is set. | `""` | +| `arbiter.nodeAffinityPreset.values` | Arbiter Node label values to match. Ignored if `affinity` is set. | `[]` | +| `arbiter.affinity` | Arbiter Affinity for pod assignment | `{}` | +| `arbiter.nodeSelector` | Arbiter Node labels for pod assignment | `{}` | +| `arbiter.tolerations` | Arbiter Tolerations for pod assignment | `[]` | +| `arbiter.podLabels` | Arbiter pod labels | `{}` | +| `arbiter.podAnnotations` | Arbiter Pod annotations | `{}` | +| `arbiter.priorityClassName` | Name of the existing priority class to be used by Arbiter pod(s) | `""` | +| `arbiter.runtimeClassName` | Name of the runtime class to be used by Arbiter pod(s) | `""` | +| `arbiter.podSecurityContext.enabled` | Enable Arbiter pod(s)' Security Context | `true` | +| `arbiter.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `arbiter.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `arbiter.podSecurityContext.fsGroup` | Group ID for the volumes of the Arbiter pod(s) | `1001` | +| `arbiter.podSecurityContext.sysctls` | sysctl settings of the Arbiter pod(s)' | `[]` | +| `arbiter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `arbiter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `arbiter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `arbiter.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `arbiter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `arbiter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `arbiter.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `arbiter.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `arbiter.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `arbiter.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `arbiter.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if arbiter.resources is set (arbiter.resources is recommended for production). | `small` | +| `arbiter.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `arbiter.containerPorts.mongodb` | MongoDB(®) arbiter container port | `27017` | +| `arbiter.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `arbiter.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `arbiter.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` | +| `arbiter.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `arbiter.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `arbiter.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `arbiter.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `arbiter.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `arbiter.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `20` | +| `arbiter.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` | +| `arbiter.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `arbiter.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `arbiter.startupProbe.enabled` | Enable startupProbe | `false` | +| `arbiter.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `arbiter.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `arbiter.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `arbiter.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `arbiter.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `arbiter.customLivenessProbe` | Override default liveness probe for Arbiter containers | `{}` | +| `arbiter.customReadinessProbe` | Override default readiness probe for Arbiter containers | `{}` | +| `arbiter.customStartupProbe` | Override default startup probe for Arbiter containers | `{}` | +| `arbiter.initContainers` | Add additional init containers for the Arbiter pod(s) | `[]` | +| `arbiter.sidecars` | Add additional sidecar containers for the Arbiter pod(s) | `[]` | +| `arbiter.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Arbiter container(s) | `[]` | +| `arbiter.extraVolumes` | Optionally specify extra list of additional volumes to the Arbiter statefulset | `[]` | +| `arbiter.pdb.create` | Enable/disable a Pod Disruption Budget creation for Arbiter pod(s) | `true` | +| `arbiter.pdb.minAvailable` | Minimum number/percentage of Arbiter pods that should remain scheduled | `""` | +| `arbiter.pdb.maxUnavailable` | Maximum number/percentage of Arbiter pods that may be made unavailable. Defaults to `1` if both `arbiter.pdb.minAvailable` and `arbiter.pdb.maxUnavailable` are empty. | `""` | +| `arbiter.service.nameOverride` | The arbiter service name | `""` | +| `arbiter.service.ports.mongodb` | MongoDB(®) service port | `27017` | +| `arbiter.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `arbiter.service.annotations` | Provide any additional annotations that may be required | `{}` | +| `arbiter.service.headless.annotations` | Annotations for the headless service. | `{}` | + +### Hidden Node parameters + +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `hidden.enabled` | Enable deploying the hidden nodes | `false` | +| `hidden.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hidden.hostAliases` | Add deployment host aliases | `[]` | +| `hidden.configuration` | Hidden node configuration file to be used | `""` | +| `hidden.existingConfigmap` | Name of existing ConfigMap with Hidden node configuration | `""` | +| `hidden.command` | Override default container command (useful when using custom images) | `[]` | +| `hidden.args` | Override default container args (useful when using custom images) | `[]` | +| `hidden.extraFlags` | Hidden node additional command line flags | `[]` | +| `hidden.extraEnvVars` | Extra environment variables to add to Hidden node pods | `[]` | +| `hidden.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `hidden.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | +| `hidden.annotations` | Additional labels to be added to thehidden node statefulset | `{}` | +| `hidden.labels` | Annotations to be added to the hidden node statefulset | `{}` | +| `hidden.topologySpreadConstraints` | MongoDB(®) Spread Constraints for hidden Pods | `[]` | +| `hidden.lifecycleHooks` | LifecycleHook for the Hidden container to automate configuration before or after startup | `{}` | +| `hidden.replicaCount` | Number of hidden nodes (only when `architecture=replicaset`) | `1` | +| `hidden.terminationGracePeriodSeconds` | Hidden Termination Grace Period | `""` | +| `hidden.updateStrategy.type` | Strategy that will be employed to update Pods in the StatefulSet | `RollingUpdate` | +| `hidden.podManagementPolicy` | Pod management policy for hidden node | `OrderedReady` | +| `hidden.schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `hidden.podAffinityPreset` | Hidden node Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `hidden.podAntiAffinityPreset` | Hidden node Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `hidden.nodeAffinityPreset.type` | Hidden Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `hidden.nodeAffinityPreset.key` | Hidden Node label key to match Ignored if `affinity` is set. | `""` | +| `hidden.nodeAffinityPreset.values` | Hidden Node label values to match. Ignored if `affinity` is set. | `[]` | +| `hidden.affinity` | Hidden node Affinity for pod assignment | `{}` | +| `hidden.nodeSelector` | Hidden node Node labels for pod assignment | `{}` | +| `hidden.tolerations` | Hidden node Tolerations for pod assignment | `[]` | +| `hidden.podLabels` | Hidden node pod labels | `{}` | +| `hidden.podAnnotations` | Hidden node Pod annotations | `{}` | +| `hidden.priorityClassName` | Name of the existing priority class to be used by hidden node pod(s) | `""` | +| `hidden.runtimeClassName` | Name of the runtime class to be used by hidden node pod(s) | `""` | +| `hidden.podSecurityContext.enabled` | Enable Hidden pod(s)' Security Context | `true` | +| `hidden.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `hidden.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `hidden.podSecurityContext.fsGroup` | Group ID for the volumes of the Hidden pod(s) | `1001` | +| `hidden.podSecurityContext.sysctls` | sysctl settings of the Hidden pod(s)' | `[]` | +| `hidden.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `hidden.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `hidden.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `hidden.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `hidden.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `hidden.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `hidden.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `hidden.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `hidden.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `hidden.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `hidden.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). | `micro` | +| `hidden.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `hidden.containerPorts.mongodb` | MongoDB(®) hidden container port | `27017` | +| `hidden.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `hidden.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `hidden.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` | +| `hidden.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `hidden.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `hidden.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `hidden.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `hidden.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `hidden.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `20` | +| `hidden.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` | +| `hidden.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `hidden.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `hidden.startupProbe.enabled` | Enable startupProbe | `false` | +| `hidden.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `hidden.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `hidden.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `hidden.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `hidden.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `hidden.customLivenessProbe` | Override default liveness probe for hidden node containers | `{}` | +| `hidden.customReadinessProbe` | Override default readiness probe for hidden node containers | `{}` | +| `hidden.customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` | +| `hidden.initContainers` | Add init containers to the MongoDB(®) Hidden pods. | `[]` | +| `hidden.sidecars` | Add additional sidecar containers for the hidden node pod(s) | `[]` | +| `hidden.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the hidden node container(s) | `[]` | +| `hidden.extraVolumes` | Optionally specify extra list of additional volumes to the hidden node statefulset | `[]` | +| `hidden.pdb.create` | Enable/disable a Pod Disruption Budget creation for hidden node pod(s) | `true` | +| `hidden.pdb.minAvailable` | Minimum number/percentage of hidden node pods that should remain scheduled | `""` | +| `hidden.pdb.maxUnavailable` | Maximum number/percentage of hidden node pods that may be made unavailable. Defaults to `1` if both `hidden.pdb.minAvailable` and `hidden.pdb.maxUnavailable` are empty. | `""` | +| `hidden.persistence.enabled` | Enable hidden node data persistence using PVC | `true` | +| `hidden.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `hidden.persistence.storageClass` | PVC Storage Class for hidden node data volume | `""` | +| `hidden.persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `hidden.persistence.size` | PVC Storage Request for hidden node data volume | `8Gi` | +| `hidden.persistence.annotations` | PVC annotations | `{}` | +| `hidden.persistence.mountPath` | The path the volume will be mounted at, useful when using different MongoDB(®) images. | `/bitnami/mongodb` | +| `hidden.persistence.subPath` | The subdirectory of the volume to mount to, useful in dev environments | `""` | +| `hidden.persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | +| `hidden.persistence.volumeClaimTemplates.requests` | Custom PVC requests attributes | `{}` | +| `hidden.persistence.volumeClaimTemplates.dataSource` | Set volumeClaimTemplate dataSource | `{}` | +| `hidden.service.nameOverride` | The hidden service name | `""` | +| `hidden.service.portName` | MongoDB(®) service port name | `mongodb` | +| `hidden.service.ports.mongodb` | MongoDB(®) service port | `27017` | +| `hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `hidden.service.annotations` | Provide any additional annotations that may be required | `{}` | +| `hidden.service.headless.annotations` | Annotations for the headless service. | `{}` | + +### Metrics parameters + +| Name | Description | Value | +| -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- | +| `metrics.enabled` | Enable using a sidecar Prometheus exporter | `false` | +| `metrics.image.registry` | MongoDB(®) Prometheus exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | MongoDB(®) Prometheus exporter image repository | `REPOSITORY_NAME/mongodb-exporter` | +| `metrics.image.digest` | MongoDB(®) image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | MongoDB(®) Prometheus exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.username` | String with username for the metrics exporter | `""` | +| `metrics.password` | String with password for the metrics exporter | `""` | +| `metrics.compatibleMode` | Enables old style mongodb-exporter metrics | `true` | +| `metrics.collector.all` | Enable all collectors. Same as enabling all individual metrics | `false` | +| `metrics.collector.diagnosticdata` | Boolean Enable collecting metrics from getDiagnosticData | `true` | +| `metrics.collector.replicasetstatus` | Boolean Enable collecting metrics from replSetGetStatus | `true` | +| `metrics.collector.dbstats` | Boolean Enable collecting metrics from dbStats | `false` | +| `metrics.collector.topmetrics` | Boolean Enable collecting metrics from top admin command | `false` | +| `metrics.collector.indexstats` | Boolean Enable collecting metrics from $indexStats | `false` | +| `metrics.collector.collstats` | Boolean Enable collecting metrics from $collStats | `false` | +| `metrics.collector.collstatsColls` | List of \.\ to get $collStats | `[]` | +| `metrics.collector.indexstatsColls` | List - List of \.\ to get $indexStats | `[]` | +| `metrics.collector.collstatsLimit` | Number - Disable collstats, dbstats, topmetrics and indexstats collector if there are more than \ collections. 0=No limit | `0` | +| `metrics.extraFlags` | String with extra flags to the metrics exporter | `""` | +| `metrics.command` | Override default container command (useful when using custom images) | `[]` | +| `metrics.args` | Override default container args (useful when using custom images) | `[]` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.containerPort` | Port of the Prometheus metrics container | `9216` | +| `metrics.service.annotations` | Annotations for Prometheus Exporter pods. Evaluated as a template. | `{}` | +| `metrics.service.type` | Type of the Prometheus metrics service | `ClusterIP` | +| `metrics.service.ports.metrics` | Port of the Prometheus metrics service | `9216` | +| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.customLivenessProbe` | Override default liveness probe for MongoDB(®) containers | `{}` | +| `metrics.customReadinessProbe` | Override default readiness probe for MongoDB(®) containers | `{}` | +| `metrics.customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` | +| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the metrics container(s) | `[]` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricsRelabelConfigs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.namespace` | Namespace where prometheusRules resource should be created | `""` | +| `metrics.prometheusRule.rules` | Rules to be created, check values for an example | `[]` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm install my-release \ + --set auth.rootPassword=secretpassword,auth.username=my-user,auth.password=my-password,auth.database=my-database \ + oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The above command sets the MongoDB(®) `root` account password to `secretpassword`. Additionally, it creates a standard database user named `my-user`, with the password `my-password`, who has access to a database named `my-database`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/mongodb/values.yaml) + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +If authentication is enabled, it's necessary to set the `auth.rootPassword` (also `auth.replicaSetKey` when using a replicaset architecture) when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Credentials' section. Please note down the password, and run the command below to upgrade your chart: + +```console +helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb --set auth.rootPassword=[PASSWORD] (--set auth.replicaSetKey=[REPLICASETKEY]) +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> Note: you need to substitute the placeholders [PASSWORD] and [REPLICASETKEY] with the values obtained in the installation notes. + +### To 16.0.0 + +To upgrade to MongoDB `8.0` from a `7.0` deployment, the `7.0` deployment must have `featureCompatibilityVersion` set to `7.0`. Please refer to the [official documentation](https://www.mongodb.com/docs/manual/release-notes/8.0/#upgrade-procedures). + +### To 15.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + +### To 12.0.0 + +This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. + +Affected values: + +- `strategyType` is replaced by `updateStrategy` +- `service.port` is renamed to `service.ports.mongodb` +- `service.nodePort` is renamed to `service.nodePorts.mongodb` +- `externalAccess.service.port` is renamed to `externalAccess.hidden.service.ports.mongodb` +- `rbac.role.rules` is renamed to `rbac.rules` +- `externalAccess.hidden.service.port` is renamed ot `externalAccess.hidden.service.ports.mongodb` +- `hidden.strategyType` is replaced by `hidden.updateStrategy` +- `metrics.serviceMonitor.relabellings` is renamed to `metrics.serviceMonitor.relabelings`(typo fixed) +- `metrics.serviceMonitor.additionalLabels` is renamed to `metrics.serviceMonitor.labels` + +Additionally also updates the MongoDB image dependency to it newest major, 5.0 + +### To 11.0.0 + +In this version, the mongodb-exporter bundled as part of this Helm chart was updated to a new version which, even it is not a major change, can contain breaking changes (from `0.11.X` to `0.30.X`). +Please visit the release notes from the upstream project at + +### To 10.0.0 + +[On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +### To 9.0.0 + +MongoDB(®) container images were updated to `4.4.x` and it can affect compatibility with older versions of MongoDB(®). Refer to the following guides to upgrade your applications: + +- [Standalone](https://docs.mongodb.com/manual/release-notes/4.4-upgrade-standalone/) +- [Replica Set](https://docs.mongodb.com/manual/release-notes/4.4-upgrade-replica-set/) + +### To 8.0.0 + +- Architecture used to configure MongoDB(®) as a replicaset was completely refactored. Now, both primary and secondary nodes are part of the same statefulset. +- Chart labels were adapted to follow the Helm charts best practices. +- This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/main/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade. +- Several parameters were renamed or disappeared in favor of new ones on this major version. These are the most important ones: + - `replicas` is renamed to `replicaCount`. + - Authentication parameters are reorganized under the `auth.*` parameter: + - `usePassword` is renamed to `auth.enabled`. + - `mongodbRootPassword`, `mongodbUsername`, `mongodbPassword`, `mongodbDatabase`, and `replicaSet.key` are now `auth.rootPassword`, `auth.username`, `auth.password`, `auth.database`, and `auth.replicaSetKey` respectively. + - `securityContext.*` is deprecated in favor of `podSecurityContext` and `containerSecurityContext`. + - Parameters prefixed with `mongodb` are renamed removing the prefix. E.g. `mongodbEnableIPv6` is renamed to `enableIPv6`. + - Parameters affecting Arbiter nodes are reorganized under the `arbiter.*` parameter. + +Consequences: + +- Backwards compatibility is not guaranteed. To upgrade to `8.0.0`, install a new release of the MongoDB(®) chart, and migrate your data by creating a backup of the database, and restoring it on the new release. + +### To 7.0.0 + +From this version, the way of setting the ingress rules has changed. Instead of using `ingress.paths` and `ingress.hosts` as separate objects, you should now define the rules as objects inside the `ingress.hosts` value, for example: + +```yaml +ingress: + hosts: + - name: mongodb.local + path: / +``` + +### To 6.0.0 + +From this version, `mongodbEnableIPv6` is set to `false` by default in order to work properly in most k8s clusters, if you want to use IPv6 support, you need to set this variable to `true` by adding `--set mongodbEnableIPv6=true` to your `helm` command. +You can find more information in the [`bitnami/mongodb` image README](https://github.com/bitnami/containers/tree/main/bitnami/mongodb#readme). + +### To 5.0.0 + +When enabling replicaset configuration, backwards compatibility is not guaranteed unless you modify the labels used on the chart's statefulsets. +Use the workaround below to upgrade from versions previous to 5.0.0. The following example assumes that the release name is `my-release`: + +```console +kubectl delete statefulset my-release-mongodb-arbiter my-release-mongodb-primary my-release-mongodb-secondary --cascade=false +``` + +### Add extra deployment options + +To add extra deployments (useful for advanced features like sidecars), use the `extraDeploy` property. + +In the example below, you can find how to use a example here for a [MongoDB replica set pod labeler sidecar](https://github.com/combor/k8s-mongo-labeler-sidecar) to identify the primary pod and dynamically label it as the primary node: + +```yaml +extraDeploy: + - apiVersion: v1 + kind: Service + metadata: + name: mongodb-primary + namespace: default + labels: + app.kubernetes.io/component: mongodb + app.kubernetes.io/instance: mongodb + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mongodb + spec: + type: NodePort + externalTrafficPolicy: Cluster + ports: + - name: mongodb-primary + port: 30001 + nodePort: 30001 + protocol: TCP + targetPort: mongodb + selector: + app.kubernetes.io/component: mongodb + app.kubernetes.io/instance: mongodb + app.kubernetes.io/name: mongodb + primary: "true" +``` + +## License + +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/.helmignore new file mode 100644 index 00000000..d0e10845 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/.helmignore @@ -0,0 +1,26 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/Chart.yaml new file mode 100644 index 00000000..0d437c4c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + category: Infrastructure + licenses: Apache-2.0 +apiVersion: v2 +appVersion: 2.26.0 +description: A Library Helm Chart for grouping common logic between bitnami charts. + This chart is not deployable by itself. +home: https://bitnami.com +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- name: Broadcom, Inc. All Rights Reserved. + url: https://github.com/bitnami/charts +name: common +sources: +- https://github.com/bitnami/charts/tree/main/bitnami/common +type: library +version: 2.26.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/README.md b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/README.md new file mode 100644 index 00000000..5fecb58d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/README.md @@ -0,0 +1,235 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 2.x.x + repository: oci://registry-1.docker.io/bitnamicharts +``` + +```console +helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.25+ +- Helm 3.8.0+ + +## Parameters + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +#### What changes were introduced in this major version? + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +#### Considerations when upgrading to this version + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +#### Useful links + +- +- +- + +## License + +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_affinities.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_affinities.tpl new file mode 100644 index 00000000..d387dbe6 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_affinities.tpl @@ -0,0 +1,155 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a topologyKey definition +{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}} +*/}} +{{- define "common.affinities.topologyKey" -}} +{{ .topologyKey | default "kubernetes.io/hostname" -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +{{- $extraNamespaces := default (list) .extraNamespaces -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if $extraNamespaces }} + namespaces: + - {{ .context.Release.Namespace }} + {{- with $extraNamespaces }} + {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }} + {{- end }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: 1 + {{- range $extraPodAffinityTerms }} + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: {{ .weight | default 1 -}} + {{- end -}} +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +{{- $extraNamespaces := default (list) .extraNamespaces -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if $extraNamespaces }} + namespaces: + - {{ .context.Release.Namespace }} + {{- with $extraNamespaces }} + {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }} + {{- end }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- range $extraPodAffinityTerms }} + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- end -}} +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_capabilities.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_capabilities.tpl new file mode 100644 index 00000000..2fe81d32 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_capabilities.tpl @@ -0,0 +1,229 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.7-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for daemonset. +*/}} +{{- define "common.capabilities.daemonset.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if (.Values.ingress).apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.17-0" $kubeVersion) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.10-0" $kubeVersion) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "common.capabilities.hpa.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Vertical Pod Autoscaler. +*/}} +{{- define "common.capabilities.vpa.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if PodSecurityPolicy is supported +*/}} +{{- define "common.capabilities.psp.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if or (empty $kubeVersion) (semverCompare "<1.25-0" $kubeVersion) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if AdmissionConfiguration is supported +*/}} +{{- define "common.capabilities.admissionConfiguration.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if or (empty $kubeVersion) (not (semverCompare "<1.23-0" $kubeVersion)) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for AdmissionConfiguration. +*/}} +{{- define "common.capabilities.admissionConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- print "apiserver.config.k8s.io/v1alpha1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "apiserver.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiserver.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for PodSecurityConfiguration. +*/}} +{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "pod-security.admission.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "pod-security.admission.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_compatibility.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_compatibility.tpl new file mode 100644 index 00000000..a61588d6 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_compatibility.tpl @@ -0,0 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return true if the detected platform is Openshift +Usage: +{{- include "common.compatibility.isOpenshift" . -}} +*/}} +{{- define "common.compatibility.isOpenshift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC +Usage: +{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} +*/}} +{{- define "common.compatibility.renderSecurityContext" -}} +{{- $adaptedContext := .secContext -}} + +{{- if (((.context.Values.global).compatibility).openshift) -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} + {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- if not .secContext.seLinuxOptions -}} + {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{/* Remove empty seLinuxOptions object if global.compatibility.omitEmptySeLinuxOptions is set to true */}} +{{- if and (((.context.Values.global).compatibility).omitEmptySeLinuxOptions) (not .secContext.seLinuxOptions) -}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} +{{- end -}} +{{/* Remove fields that are disregarded when running the container in privileged mode */}} +{{- if $adaptedContext.privileged -}} + {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_errors.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_errors.tpl new file mode 100644 index 00000000..e9653651 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_errors.tpl @@ -0,0 +1,28 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_images.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_images.tpl new file mode 100644 index 00000000..76bb7ce4 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_images.tpl @@ -0,0 +1,115 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name. +If image tag and digest are not defined, termination fallbacks to chart appVersion. +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "chart" .Chart ) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $separator := ":" -}} +{{- $termination := .imageRoot.tag | toString -}} + +{{- if not .imageRoot.tag }} + {{- if .chart }} + {{- $termination = .chart.AppVersion | toString -}} + {{- end -}} +{{- end -}} +{{- if .imageRoot.digest }} + {{- $separator = "@" -}} + {{- $termination = .imageRoot.digest | toString -}} +{{- end -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- range ((.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end }} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) -}} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- range (($context.Values.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) -}} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion) +{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }} +*/}} +{{- define "common.images.version" -}} +{{- $imageTag := .imageRoot.tag | toString -}} +{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}} +{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}} + {{- $version := semver $imageTag -}} + {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}} +{{- else -}} + {{- print .chart.AppVersion -}} +{{- end -}} +{{- end -}} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_ingress.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_ingress.tpl new file mode 100644 index 00000000..7d2b8798 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_ingress.tpl @@ -0,0 +1,73 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_labels.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_labels.tpl new file mode 100644 index 00000000..0a0cc548 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_labels.tpl @@ -0,0 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Kubernetes standard labels +{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}} +*/}} +{{- define "common.labels.standard" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}} +{{- with .context.Chart.AppVersion -}} +{{- $_ := set $default "app.kubernetes.io/version" . -}} +{{- end -}} +{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }} +{{- else -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Chart.AppVersion }} +app.kubernetes.io/version: {{ . | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector +{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}} + +We don't want to loop over custom labels appending them to the selector +since it's very likely that it will break deployments, services, etc. +However, it's important to overwrite the standard labels if the user +overwrote them on metadata.labels fields. +*/}} +{{- define "common.labels.matchLabels" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }} +{{- else -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_names.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_names.tpl new file mode 100644 index 00000000..ba839568 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_names.tpl @@ -0,0 +1,71 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a fully qualified app name adding the installation's namespace. +*/}} +{{- define "common.names.fullname.namespace" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_resources.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_resources.tpl new file mode 100644 index 00000000..d8a43e1c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_resources.tpl @@ -0,0 +1,50 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "common.resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "common.resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi") + ) + "xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_secrets.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_secrets.tpl new file mode 100644 index 00000000..801918ce --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_secrets.tpl @@ -0,0 +1,185 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. +The order in which this function returns a secret password: + 1. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 2. Password provided via the values.yaml + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 3. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- end }} + +{{- if not $password }} + {{- if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} + {{- else }} + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- if not (eq .failOnNew false) }} + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + {{- end }} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} + {{- else }} + {{- $password = randAlphaNum $passwordLength }} + {{- end }} + {{- end -}} +{{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} +{{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Reuses the value from an existing secret, otherwise sets its value to a default value. + +Usage: +{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - context - Context - Required - Parent context. + +*/}} +{{- define "common.secrets.lookup" -}} +{{- $value := "" -}} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}} +{{- if and $secretData (hasKey $secretData .key) -}} + {{- $value = index $secretData .key -}} +{{- else if .defaultValue -}} + {{- $value = .defaultValue | toString | b64enc -}} +{{- end -}} +{{- if $value -}} +{{- printf "%s" $value -}} +{{- end -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_storage.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_storage.tpl new file mode 100644 index 00000000..aa75856c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_storage.tpl @@ -0,0 +1,21 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} +{{- $storageClass := (.global).storageClass | default .persistence.storageClass | default (.global).defaultStorageClass | default "" -}} +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else -}} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_tplvalues.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_tplvalues.tpl new file mode 100644 index 00000000..a04f4c1e --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,52 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template perhaps with scope if the scope is present. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} +*/}} +{{- define "common.tplvalues.render" -}} +{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} +{{- if contains "{{" (toJson .value) }} + {{- if .scope }} + {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} + {{- else }} + {{- tpl $value .context }} + {{- end }} +{{- else }} + {{- $value }} +{{- end }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge +Usage: +{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with https://masterminds.github.io/sprig/dicts.html#mergeoverwrite-mustmergeoverwrite +Usage: +{{ include "common.tplvalues.merge-overwrite" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge-overwrite" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | mergeOverwrite $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_utils.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_utils.tpl new file mode 100644 index 00000000..d53c74aa --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_utils.tpl @@ -0,0 +1,77 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376). +Usage: +{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }} +*/}} +{{- define "common.utils.checksumTemplate" -}} +{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}} +{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_warnings.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_warnings.tpl new file mode 100644 index 00000000..e4dbecde --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/_warnings.tpl @@ -0,0 +1,109 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html +{{- end }} +{{- end -}} + +{{/* +Warning about replaced images from the original. +Usage: +{{ include "common.warnings.modifiedImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} +*/}} +{{- define "common.warnings.modifiedImages" -}} +{{- $affectedImages := list -}} +{{- $printMessage := false -}} +{{- $originalImages := .context.Chart.Annotations.images -}} +{{- range .images -}} + {{- $fullImageName := printf (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- if not (contains $fullImageName $originalImages) }} + {{- $affectedImages = append $affectedImages (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- $printMessage = true -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +⚠ SECURITY WARNING: Original containers have been substituted. This Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables. + +Substituted images detected: +{{- range $affectedImages }} + - {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . -}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_cassandra.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 00000000..f8fd213b --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,51 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_mariadb.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 00000000..6ea8c0f4 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,108 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_mongodb.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 00000000..e678a6de --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,67 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_mysql.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_mysql.tpl new file mode 100644 index 00000000..fbb65c33 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_mysql.tpl @@ -0,0 +1,67 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mysql. + +Usage: +{{ include "common.mysql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mysql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mysql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.key.auth" -}} + {{- if .subchart -}} + mysql.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_postgresql.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 00000000..51d47162 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,105 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_redis.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_redis.tpl new file mode 100644 index 00000000..9fedfef9 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,48 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_validations.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_validations.tpl new file mode 100644 index 00000000..7cdee617 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,51 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/values.yaml new file mode 100644 index 00000000..de2cac57 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/charts/common/values.yaml @@ -0,0 +1,8 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/NOTES.txt b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/NOTES.txt new file mode 100644 index 00000000..0a335959 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/NOTES.txt @@ -0,0 +1,171 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash + +In order to replicate the container startup scripts execute this command: + + /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + +{{- else }} + +{{- $replicaCount := int .Values.replicaCount }} +{{- $portNumber := int .Values.service.ports.mongodb }} +{{- $fullname := include "mongodb.fullname" . }} +{{- $releaseNamespace := include "mongodb.namespace" . }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- $mongoList := list }} +{{- range $e, $i := until $replicaCount }} +{{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $portNumber) }} +{{- end }} + +{{- if and (or (and (eq .Values.architecture "standalone") (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort"))) (and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled)) (not .Values.auth.enabled) }} +------------------------------------------------------------------------------- + WARNING + + By not enabling "mongodb.auth.enabled" you have most likely exposed the + MongoDB® service externally without any authentication mechanism. + + For security reasons, we strongly suggest that you enable authentication + setting the "mongodb.auth.enabled" parameter to "true". + +------------------------------------------------------------------------------- +{{- end }} + +** Please be patient while the chart is being deployed ** + +MongoDB® can be accessed on the following DNS name(s) and ports from within your cluster: + +{{- if eq .Values.architecture "replicaset" }} +{{ join "\n" $mongoList | nindent 4 }} +{{- else }} + + {{ $fullname }}.{{ $releaseNamespace }}.svc.{{ .Values.clusterDomain }} + +{{- end }} + +{{- if .Values.auth.enabled }} + +To get the root password run: + + export MONGODB_ROOT_PASSWORD=$(kubectl get secret --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.secretName" . }} -o jsonpath="{.data.mongodb-root-password}" | base64 -d) + +{{- end }} +{{- $customUsers := include "mongodb.customUsers" . -}} +{{- $customDatabases := include "mongodb.customDatabases" . -}} +{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} +{{- $customUsersList := splitList "," $customUsers }} +{{- range $index, $user := $customUsersList }} + +To get the password for "{{ $user }}" run: + + export MONGODB_PASSWORD=$(kubectl get secret --namespace {{ include "mongodb.namespace" $ }} {{ include "mongodb.secretName" $ }} -o jsonpath="{.data.mongodb-passwords}" | base64 -d | awk -F',' '{print ${{ add 1 $index }}}') + +{{- end }} +{{- end }} + +To connect to your database, create a MongoDB® client container: + + kubectl run --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.fullname" . }}-client --rm --tty -i --restart='Never' --env="MONGODB_ROOT_PASSWORD=$MONGODB_ROOT_PASSWORD" --image {{ template "mongodb.image" . }} --command -- bash + +Then, run the following command: + + {{- if eq .Values.architecture "replicaset" }} + mongosh admin --host "{{ join "," $mongoList }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u $MONGODB_ROOT_USER -p $MONGODB_ROOT_PASSWORD{{- end }} + {{- else }} + mongosh admin --host "{{ template "mongodb.service.nameOverride" . }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u $MONGODB_ROOT_USER -p $MONGODB_ROOT_PASSWORD{{- end }} + {{- end }} + +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled }} + +To connect to your database nodes from outside, you need to add both primary and secondary nodes hostnames/IPs to your Mongo client. To obtain them, follow the instructions below: + +{{- if eq "NodePort" .Values.externalAccess.service.type }} +{{- if .Values.externalAccess.service.domain }} + + MongoDB® nodes domain: Use your provided hostname to reach MongoDB® nodes, {{ .Values.externalAccess.service.domain }} + +{{- else }} + + MongoDB® nodes domain: you can reach MongoDB® nodes on any of the K8s nodes external IPs. + + kubectl get nodes -o wide + +{{- end }} + + MongoDB® nodes port: You will have a different node port for each MongoDB® node. You can get the list of configured node ports using the command below: + + echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -o jsonpath='{.items[*].spec.ports[0].nodePort}' | tr ' ' '\n')" + +{{- else if contains "LoadBalancer" .Values.externalAccess.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IPs to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -w' + + MongoDB® nodes domain: You will have a different external IP for each MongoDB® node. You can get the list of external IPs using the command below: + + echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}' | tr ' ' '\n')" + + MongoDB® nodes port: {{ .Values.externalAccess.service.ports.mongodb }} + +{{- end }} + +{{- else if eq .Values.architecture "standalone" }} + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ template "mongodb.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ template "mongodb.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "mongodb.service.nameOverride" . }}) + mongo --host $NODE_IP --port $NODE_PORT {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }} + +{{- else if contains "LoadBalancer" .Values.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ template "mongodb.namespace" . }} -w {{ template "mongodb.service.nameOverride" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.service.nameOverride" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + mongosh --host $SERVICE_IP --port {{ $portNumber }} {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }} + +{{- else if contains "ClusterIP" .Values.service.type }} + + kubectl port-forward --namespace {{ template "mongodb.namespace" . }} svc/{{ template "mongodb.service.nameOverride" . }} {{ $portNumber }}:{{ $portNumber }} & + mongosh --host 127.0.0.1 {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }} + +{{- end }} +{{- end }} + +{{- if .Values.metrics.enabled }} + +To access the MongoDB® Prometheus metrics, get the MongoDB® Prometheus URL by running: + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-metrics" (include "mongodb.fullname" .) }} {{ .Values.metrics.service.ports.metrics }}:{{ .Values.metrics.service.ports.metrics }} & + echo "Prometheus Metrics URL: http://127.0.0.1:{{ .Values.metrics.service.ports.metrics }}/metrics" + +Then, open the obtained URL in a browser. + +{{- end }} +{{- end }} +{{- include "common.warnings.rollingTag" .Values.image }} +{{- include "common.warnings.rollingTag" .Values.metrics.image }} +{{- include "common.warnings.rollingTag" .Values.externalAccess.autoDiscovery.image }} +{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} +{{- include "common.warnings.rollingTag" .Values.tls.image }} +{{- include "mongodb.validateValues" . }} +{{- include "common.warnings.resources" (dict "sections" (list "arbiter" "externalAccess.autoDiscovery" "hidden" "metrics" "" "tls" "volumePermissions") "context" $) }} +{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.tls.image .Values.externalAccess.autoDiscovery.image .Values.externalAccess.dnsCheck.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/_helpers.tpl new file mode 100644 index 00000000..26baf66d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/_helpers.tpl @@ -0,0 +1,686 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "mongodb.name" -}} +{{- include "common.names.name" . -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "mongodb.fullname" -}} +{{- include "common.names.fullname" . -}} +{{- end -}} + +{{/* +Create a default mongo service name which can be overridden. +*/}} +{{- define "mongodb.service.nameOverride" -}} + {{- if and .Values.service .Values.service.nameOverride -}} + {{- print .Values.service.nameOverride -}} + {{- else -}} + {{- if eq .Values.architecture "replicaset" -}} + {{- printf "%s-headless" (include "mongodb.fullname" .) -}} + {{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Create a default mongo arbiter service name which can be overridden. +*/}} +{{- define "mongodb.arbiter.service.nameOverride" -}} + {{- if and .Values.arbiter.service .Values.arbiter.service.nameOverride -}} + {{- print .Values.arbiter.service.nameOverride -}} + {{- else -}} + {{- printf "%s-arbiter-headless" (include "mongodb.fullname" .) -}} + {{- end }} +{{- end }} + +{{/* +Create a default mongo hidden service name which can be overridden. +*/}} +{{- define "mongodb.hidden.service.nameOverride" -}} + {{- if and .Values.hidden.service .Values.hidden.service.nameOverride -}} + {{- print .Values.hidden.service.nameOverride -}} + {{- else -}} + {{- printf "%s-hidden-headless" (include "mongodb.fullname" .) -}} + {{- end }} +{{- end }} + +{{/* +Return the proper MongoDB® image name +*/}} +{{- define "mongodb.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the metrics image) +*/}} +{{- define "mongodb.metrics.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "mongodb.volumePermissions.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the init container auto-discovery image) +*/}} +{{- define "mongodb.externalAccess.autoDiscovery.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.externalAccess.autoDiscovery.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the init container dns-check image) +*/}} +{{- define "mongodb.externalAccess.dnsCheck.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.externalAccess.dnsCheck.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the TLS Certs image) +*/}} +{{- define "mongodb.tls.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.tls.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "mongodb.imagePullSecrets" -}} +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image .Values.tls.image .Values.externalAccess.dnsCheck.image .Values.externalAccess.autoDiscovery.image) "context" $) -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "mongodb.namespace" -}} + {{- if and .Values.global .Values.global.namespaceOverride -}} + {{- print .Values.global.namespaceOverride -}} + {{- else -}} + {{- print .Release.Namespace -}} + {{- end }} +{{- end -}} +{{- define "mongodb.serviceMonitor.namespace" -}} + {{- if .Values.metrics.serviceMonitor.namespace -}} + {{- print .Values.metrics.serviceMonitor.namespace -}} + {{- else -}} + {{- include "mongodb.namespace" . -}} + {{- end }} +{{- end -}} +{{- define "mongodb.prometheusRule.namespace" -}} + {{- if .Values.metrics.prometheusRule.namespace -}} + {{- print .Values.metrics.prometheusRule.namespace -}} + {{- else -}} + {{- include "mongodb.namespace" . -}} + {{- end }} +{{- end -}} + +{{/* +Returns the proper service account name depending if an explicit service account name is set +in the values file. If the name is not set it will default to either mongodb.fullname if serviceAccount.create +is true or default otherwise. +*/}} +{{- define "mongodb.serviceAccountName" -}} + {{- if .Values.serviceAccount.create -}} + {{- default (include "mongodb.fullname" .) (print .Values.serviceAccount.name) -}} + {{- else -}} + {{- default "default" (print .Values.serviceAccount.name) -}} + {{- end -}} +{{- end -}} + +{{/* +Return the list of custom users to create during the initialization (string format) +*/}} +{{- define "mongodb.customUsers" -}} + {{- $customUsers := list -}} + {{- if .Values.auth.username -}} + {{- $customUsers = append $customUsers .Values.auth.username }} + {{- end }} + {{- range .Values.auth.usernames }} + {{- $customUsers = append $customUsers . }} + {{- end }} + {{- printf "%s" (default "" (join "," $customUsers)) -}} +{{- end -}} + +{{/* +Return the list of passwords for the custom users (string format) +*/}} +{{- define "mongodb.customPasswords" -}} + {{- $customPasswords := list -}} + {{- if .Values.auth.password -}} + {{- $customPasswords = append $customPasswords .Values.auth.password }} + {{- end }} + {{- range .Values.auth.passwords }} + {{- $customPasswords = append $customPasswords . }} + {{- end }} + {{- printf "%s" (default "" (join "," $customPasswords)) -}} +{{- end -}} + +{{/* +Return the list of custom databases to create during the initialization (string format) +*/}} +{{- define "mongodb.customDatabases" -}} + {{- $customDatabases := list -}} + {{- if .Values.auth.database -}} + {{- $customDatabases = append $customDatabases .Values.auth.database }} + {{- end }} + {{- range .Values.auth.databases }} + {{- $customDatabases = append $customDatabases . }} + {{- end }} + {{- printf "%s" (default "" (join "," $customDatabases)) -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration +*/}} +{{- define "mongodb.configmapName" -}} +{{- if .Values.existingConfigmap -}} + {{- printf "%s" (tpl .Values.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® +*/}} +{{- define "mongodb.createConfigmap" -}} +{{- if and .Values.configuration (not .Values.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret with MongoDB® credentials +*/}} +{{- define "mongodb.secretName" -}} + {{- if .Values.auth.existingSecret -}} + {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} + {{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created for MongoDB® +*/}} +{{- define "mongodb.createSecret" -}} +{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "mongodb.initdbScriptsCM" -}} +{{- if .Values.initdbScriptsConfigMap -}} +{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}} +{{- else -}} +{{- printf "%s-init-scripts" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get initial primary host to configure MongoDB cluster. +*/}} +{{- define "mongodb.initialPrimaryHost" -}} +{{ ternary ( printf "%s-0.%s.$(MY_POD_NAMESPACE).svc.%s" (include "mongodb.fullname" .) (include "mongodb.service.nameOverride" .) .Values.clusterDomain ) ( first .Values.externalAccess.service.publicNames ) ( empty .Values.externalAccess.service.publicNames ) }} +{{- end -}} + +{{/* +Init container definition to change/establish volume permissions. +*/}} +{{- define "mongodb.initContainer.volumePermissions" }} +- name: volume-permissions + image: {{ include "mongodb.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + mkdir -p {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} + find {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.volumePermissions.resources "context" $) | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: {{ .Values.persistence.name | default "datadir" }} + mountPath: {{ .Values.persistence.mountPath }} +{{- end -}} + +{{/* +Init container definition to recover log dir. +*/}} +{{- define "mongodb.initContainer.prepareLogDir" }} +- name: log-dir + image: {{ include "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + ln -sf /dev/stdout "/opt/bitnami/mongodb/logs/mongodb.log" + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir +{{- end -}} + +{{/* +Init container definition to get external IP addresses. +*/}} +{{- define "mongodb.initContainers.autoDiscovery" -}} +- name: auto-discovery + image: {{ include "mongodb.externalAccess.autoDiscovery.image" . }} + imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }} + # We need the service account token for contacting the k8s API + command: + - /scripts/auto-discovery.sh + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SHARED_FILE + value: "/shared/info.txt" + {{- if .Values.externalAccess.autoDiscovery.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.externalAccess.autoDiscovery.resources "context" $) | nindent 12 }} + {{- else if ne .Values.externalAccess.autoDiscovery.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.autoDiscovery.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: shared + mountPath: /shared + - name: scripts + mountPath: /scripts/auto-discovery.sh + subPath: auto-discovery.sh + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir +{{- end -}} + +{{/* +Init container definition to wait external DNS names. +*/}} +{{- define "mongodb.initContainers.dnsCheck" -}} +- name: dns-check + image: {{ include "mongodb.externalAccess.dnsCheck.image" . }} + imagePullPolicy: {{ .Values.externalAccess.dnsCheck.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + # MONGODB_INITIAL_PRIMARY_HOST should be resolvable + while ! (getent ahosts "{{ include "mongodb.initialPrimaryHost" . }}" | grep STREAM); do + sleep 10 + done + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.externalAccess.dnsCheck.resources }} + resources: {{- toYaml .Values.externalAccess.dnsCheck.resources | nindent 12 }} + {{- else if ne .Values.externalAccess.dnsCheck.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.dnsCheck.resourcesPreset) | nindent 12 }} + {{- end }} +{{- end -}} + +{{/* +Return true if the Arbiter should be deployed +*/}} +{{- define "mongodb.arbiter.enabled" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.arbiter.enabled }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration for the Arbiter +*/}} +{{- define "mongodb.arbiter.configmapName" -}} +{{- if .Values.arbiter.existingConfigmap -}} + {{- printf "%s" (tpl .Values.arbiter.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-arbiter" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® Arbiter +*/}} +{{- define "mongodb.arbiter.createConfigmap" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.arbiter.enabled .Values.arbiter.configuration (not .Values.arbiter.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if the Hidden should be deployed +*/}} +{{- define "mongodb.hidden.enabled" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.hidden.enabled }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration for the Hidden +*/}} +{{- define "mongodb.hidden.configmapName" -}} +{{- if .Values.hidden.existingConfigmap -}} + {{- printf "%s" (tpl .Values.hidden.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-hidden" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® Hidden +*/}} +{{- define "mongodb.hidden.createConfigmap" -}} +{{- if and (include "mongodb.hidden.enabled" .) .Values.hidden.enabled .Values.hidden.configuration (not .Values.hidden.existingConfigmap) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "mongodb.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "mongodb.validateValues.pspAndRBAC" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.architecture" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.customUsersDBs" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.customUsersDBsLength" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.externalAccessServiceType" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.loadBalancerIPsListLength" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.nodePortListLength" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.externalAccessAutoDiscoveryRBAC" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.externalAccessAutoDiscoverySA" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.replicaset.existingSecrets" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.hidden.existingSecrets" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* Validate RBAC is created when using PSP */}} +{{- define "mongodb.validateValues.pspAndRBAC" -}} +{{- if and (.Values.podSecurityPolicy.create) (not .Values.rbac.create) -}} +mongodb: podSecurityPolicy.create, rbac.create + Both podSecurityPolicy.create and rbac.create must be true, if you want + to create podSecurityPolicy +{{- end -}} +{{- end -}} + +{{/* Validate values of MongoDB® - must provide a valid architecture */}} +{{- define "mongodb.validateValues.architecture" -}} +{{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "replicaset") -}} +mongodb: architecture + Invalid architecture selected. Valid values are "standalone" and + "replicaset". Please set a valid architecture (--set mongodb.architecture="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - both auth.usernames and auth.databases are necessary +to create a custom user and database during 1st initialization +*/}} +{{- define "mongodb.validateValues.customUsersDBs" -}} +{{- $customUsers := include "mongodb.customUsers" . -}} +{{- $customDatabases := include "mongodb.customDatabases" . -}} +{{- if or (and (empty $customUsers) (not (empty $customDatabases))) (and (not (empty $customUsers)) (empty $customDatabases)) }} +mongodb: auth.usernames, auth.databases + Both auth.usernames and auth.databases must be provided to create + custom users and databases during 1st initialization. + Please set both of them (--set auth.usernames[0]="xxxx",auth.databases[0]="yyyy") +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - both auth.usernames and auth.databases arrays should have the same length +to create a custom user and database during 1st initialization +*/}} +{{- define "mongodb.validateValues.customUsersDBsLength" -}} +{{- if ne (len .Values.auth.usernames) (len .Values.auth.databases) }} +mongodb: auth.usernames, auth.databases + Both auth.usernames and auth.databases arrays should have the same length +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - service type for external access +*/}} +{{- define "mongodb.validateValues.externalAccessServiceType" -}} +{{- if and (eq .Values.architecture "replicaset") (not (eq .Values.externalAccess.service.type "NodePort")) (not (eq .Values.externalAccess.service.type "LoadBalancer")) (not (eq .Values.externalAccess.service.type "ClusterIP")) -}} +mongodb: externalAccess.service.type + Available service type for external access are NodePort, LoadBalancer or ClusterIP. +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - number of replicas must be the same than LoadBalancer IPs list +*/}} +{{- define "mongodb.validateValues.loadBalancerIPsListLength" -}} +{{- $replicaCount := int .Values.replicaCount }} +{{- $loadBalancerListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- $publicNamesListLength := len .Values.externalAccess.service.publicNames }} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "LoadBalancer") -}} +{{- if and (not .Values.externalAccess.autoDiscovery.enabled) (eq $loadBalancerListLength 0) (eq $publicNamesListLength 0) -}} +mongodb: .Values.externalAccess.service.loadBalancerIPs, .Values.externalAccess.service.publicNames + externalAccess.service.loadBalancerIPs, externalAccess.service.publicNames or externalAccess.autoDiscovery.enabled are required when externalAccess is enabled. +{{- else if and (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerListLength )) (not (eq $loadBalancerListLength 0)) -}} +mongodb: .Values.externalAccess.service.loadBalancerIPs + Number of replicas ({{ $replicaCount }}) and loadBalancerIPs array length ({{ $loadBalancerListLength }}) must be the same. +{{- else if and (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $publicNamesListLength )) (not (eq $publicNamesListLength 0)) -}} +mongodb: .Values.externalAccess.service.publicNames + Number of replicas ({{ $replicaCount }}) and publicNames array length ({{ $publicNamesListLength }}) must be the same. +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - number of replicas must be the same than NodePort list +*/}} +{{- define "mongodb.validateValues.nodePortListLength" -}} +{{- $replicaCount := int .Values.replicaCount }} +{{- $nodePortListLength := len .Values.externalAccess.service.nodePorts }} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "NodePort") -}} +{{- if and (not .Values.externalAccess.autoDiscovery.enabled) (eq $nodePortListLength 0) -}} +mongodb: .Values.externalAccess.service.nodePorts + externalAccess.service.nodePorts or externalAccess.autoDiscovery.enabled are required when externalAccess is enabled. +{{- else if and (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $nodePortListLength )) -}} +mongodb: .Values.externalAccess.service.nodePorts + Number of replicas ({{ $replicaCount }}) and nodePorts ({{ $nodePortListLength }}) array length must be the same. +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - RBAC should be enabled when autoDiscovery is enabled +*/}} +{{- define "mongodb.validateValues.externalAccessAutoDiscoveryRBAC" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (not .Values.rbac.create ) }} +mongodb: rbac.create + By specifying "externalAccess.enabled=true" and "externalAccess.autoDiscovery.enabled=true" + an initContainer will be used to autodetect the external IPs/ports by querying the + K8s API. Please note this initContainer requires specific RBAC resources. You can create them + by specifying "--set rbac.create=true". +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - automountServiceAccountToken should be enabled when autoDiscovery is enabled +*/}} +{{- define "mongodb.validateValues.externalAccessAutoDiscoverySA" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (not .Values.automountServiceAccountToken ) }} +mongodb: automountServiceAccountToken + By specifying "externalAccess.enabled=true" and "externalAccess.autoDiscovery.enabled=true" + an initContainer will be used to autodetect the external IPs/ports by querying the + K8s API. Please note this initContainer requires a service account to access K8S API. + You can attach it to the pod by specifying "--set automountServiceAccountToken=true". +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - Number of replicaset secrets must be the same than number of replicaset nodes. +*/}} +{{- define "mongodb.validateValues.replicaset.existingSecrets" -}} +{{- if and .Values.tls.enabled (eq .Values.architecture "replicaset") (not (empty .Values.tls.replicaset.existingSecrets)) }} +{{- $nbSecrets := len .Values.tls.replicaset.existingSecrets -}} +{{- if not (eq $nbSecrets (int .Values.replicaCount)) }} +mongodb: tls.replicaset.existingSecrets + tls.replicaset.existingSecrets Number of secrets and number of replicaset nodes must be the same. +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - Number of hidden secrets must be the same than number of hidden nodes. +*/}} +{{- define "mongodb.validateValues.hidden.existingSecrets" -}} +{{- if and .Values.tls.enabled (include "mongodb.hidden.enabled" .) (not (empty .Values.tls.hidden.existingSecrets)) }} +{{- $nbSecrets := len .Values.tls.hidden.existingSecrets -}} +{{- if not (eq $nbSecrets (int .Values.hidden.replicaCount)) }} +mongodb: tls.hidden.existingSecrets + tls.hidden.existingSecrets Number of secrets and number of hidden nodes must be the same. +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® exporter URI string - auth.enabled and/or tls.enabled must be enabled or it defaults +*/}} +{{- define "mongodb.mongodb_exporter.uri" -}} + {{- $tlsEnabled := .Values.tls.enabled -}} + {{- $mTlsEnabled := and $tlsEnabled .Values.tls.mTLS.enabled -}} + {{- $tlsArgs := "" -}} + {{- if $tlsEnabled -}} + {{- $tlsCertKeyFile := ternary "&tlsCertificateKeyFile=/certs/mongodb.pem" "" $mTlsEnabled -}} + {{- $tlsArgs = printf "tls=true%s&tlsCAFile=/certs/mongodb-ca-cert" $tlsCertKeyFile -}} + {{- end -}} + {{- if .Values.metrics.username -}} + {{- $uriAuth := ternary "$(echo $MONGODB_METRICS_USERNAME | sed -r \"s/@/%40/g;s/:/%3A/g\"):$(echo $MONGODB_METRICS_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}} + {{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}} + {{- else -}} + {{- $uriAuth := ternary "$MONGODB_ROOT_USER:$(echo $MONGODB_ROOT_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}} + {{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}} + {{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiGroup for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiGroup" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy" -}} +{{- else -}} +{{- print "extensions" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS secret object should be created +*/}} +{{- define "mongodb.createTlsSecret" -}} +{{- if and .Values.tls.enabled (not .Values.tls.existingSecret) (include "mongodb.autoGenerateCerts" .) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret containing MongoDB® TLS certificates +*/}} +{{- define "mongodb.tlsSecretName" -}} +{{- $secretName := .Values.tls.existingSecret -}} +{{- if $secretName -}} + {{- printf "%s" (tpl $secretName $) -}} +{{- else -}} + {{- printf "%s-ca" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if certificates must be auto generated +*/}} +{{- define "mongodb.autoGenerateCerts" -}} +{{- $standalone := (eq .Values.architecture "standalone") | ternary (not .Values.tls.standalone.existingSecret) true -}} +{{- $replicaset := (eq .Values.architecture "replicaset") | ternary (empty .Values.tls.replicaset.existingSecrets) true -}} +{{- $arbiter := (eq (include "mongodb.arbiter.enabled" .) "true") | ternary (not .Values.tls.arbiter.existingSecret) true -}} +{{- $hidden := (eq (include "mongodb.hidden.enabled" .) "true") | ternary (empty .Values.tls.hidden.existingSecrets) true -}} +{{- if and $standalone $replicaset $arbiter $hidden -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Generate argument list for mongodb-exporter +reference: https://github.com/percona/mongodb_exporter/blob/main/REFERENCE.md +*/}} +{{- define "mongodb.exporterArgs" -}} +{{- with .Values.metrics.collector -}} +{{- ternary " --collect-all" "" .all -}} +{{- ternary " --collector.diagnosticdata" "" .diagnosticdata -}} +{{- ternary " --collector.replicasetstatus" "" .replicasetstatus -}} +{{- ternary " --collector.dbstats" "" .dbstats -}} +{{- ternary " --collector.topmetrics" "" .topmetrics -}} +{{- ternary " --collector.indexstats" "" .indexstats -}} +{{- ternary " --collector.collstats" "" .collstats -}} +{{- if .collstatsColls -}} +{{- " --mongodb.collstats-colls=" -}} +{{- join "," .collstatsColls -}} +{{- end -}} +{{- if .indexstatsColls -}} +{{- " --mongodb.indexstats-colls=" -}} +{{- join "," .indexstatsColls -}} +{{- end -}} +{{- $limitArg := print " --collector.collstats-limit=" .collstatsLimit -}} +{{- ne (print .collstatsLimit) "0" | ternary $limitArg "" -}} +{{- end -}} +{{- ternary " --compatible-mode" "" .Values.metrics.compatibleMode -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/arbiter/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/arbiter/configmap.yaml new file mode 100644 index 00000000..a3b3f4c0 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/arbiter/configmap.yaml @@ -0,0 +1,20 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.arbiter.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + mongodb.conf: |- + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.configuration "context" $) | nindent 4 }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/arbiter/headless-svc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/arbiter/headless-svc.yaml new file mode 100644 index 00000000..088eaf45 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/arbiter/headless-svc.yaml @@ -0,0 +1,31 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.arbiter.enabled" .) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mongodb.arbiter.service.nameOverride" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if or .Values.arbiter.service.headless.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + ports: + - name: tcp-mongodb + port: {{ .Values.arbiter.service.ports.mongodb }} + targetPort: mongodb + {{- if .Values.arbiter.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/arbiter/pdb.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/arbiter/pdb.yaml new file mode 100644 index 00000000..0799eead --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/arbiter/pdb.yaml @@ -0,0 +1,28 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "mongodb.arbiter.enabled" .) .Values.arbiter.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.arbiter.pdb.minAvailable }} + minAvailable: {{ .Values.arbiter.pdb.minAvailable }} + {{- end }} + {{- if or .Values.arbiter.pdb.maxUnavailable (not .Values.arbiter.pdb.minAvailable) }} + maxUnavailable: {{ .Values.arbiter.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: arbiter +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/arbiter/statefulset.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/arbiter/statefulset.yaml new file mode 100644 index 00000000..9ab8f768 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/arbiter/statefulset.yaml @@ -0,0 +1,318 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.arbiter.enabled" .) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if or .Values.arbiter.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ include "mongodb.arbiter.service.nameOverride" . }} + podManagementPolicy: {{ .Values.arbiter.podManagementPolicy }} + replicas: 1 + {{- if .Values.arbiter.updateStrategy }} + updateStrategy: {{- toYaml .Values.arbiter.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: arbiter + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: arbiter + {{- if or (include "mongodb.arbiter.createConfigmap" .) .Values.arbiter.podAnnotations }} + annotations: + {{- if (include "mongodb.arbiter.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/arbiter/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.arbiter.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.arbiter.schedulerName }} + schedulerName: {{ .Values.arbiter.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . }} + {{- if .Values.arbiter.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.arbiter.podAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.arbiter.podAntiAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.arbiter.nodeAffinityPreset.type "key" .Values.arbiter.nodeAffinityPreset.key "values" .Values.arbiter.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.arbiter.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.nodeSelector "context" $) | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.arbiter.automountServiceAccountToken }} + {{- if .Values.arbiter.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.arbiter.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.arbiter.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.arbiter.priorityClassName }} + priorityClassName: {{ .Values.arbiter.priorityClassName }} + {{- end }} + {{- if .Values.arbiter.runtimeClassName }} + runtimeClassName: {{ .Values.arbiter.runtimeClassName }} + {{- end }} + {{- if .Values.arbiter.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.arbiter.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + {{ if .Values.arbiter.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.arbiter.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + initContainers: + {{- if .Values.arbiter.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.externalAccess.enabled ( or .Values.externalAccess.service.publicNames .Values.externalAccess.service.domain ) }} + {{- include "mongodb.initContainers.dnsCheck" . | nindent 8 }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.arbiter.service.nameOverride" . }} + {{- end }} + containers: + - name: mongodb-arbiter + image: {{ include "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.arbiter.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.arbiter.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.arbiter.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.arbiter.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.arbiter.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MONGODB_REPLICA_SET_MODE + value: "arbiter" + - name: MONGODB_INITIAL_PRIMARY_HOST + value: {{ include "mongodb.initialPrimaryHost" . | quote }} + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).{{ include "mongodb.arbiter.service.nameOverride" . }}.$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + - name: MONGODB_PORT_NUMBER + value: {{ .Values.arbiter.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_INITIAL_PRIMARY_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-replica-set-key + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + {{- $extraFlags := .Values.arbiter.extraFlags | join " " -}} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.arbiter.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.arbiter.extraEnvVarsCM .Values.arbiter.extraEnvVarsSecret }} + envFrom: + {{- if .Values.arbiter.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.arbiter.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.arbiter.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.arbiter.extraEnvVarsSecret . | quote }} + {{- end }} + {{- end }} + ports: + - containerPort: {{ .Values.arbiter.containerPorts.mongodb }} + name: mongodb + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.arbiter.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.arbiter.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - pgrep + - mongod + {{- end }} + {{- if .Values.arbiter.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.arbiter.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.readinessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: mongodb + {{- end }} + {{- if .Values.arbiter.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.arbiter.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.arbiter.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.resources "context" $) | nindent 12 }} + {{- else if ne .Values.arbiter.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.arbiter.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /bitnami/mongodb + subPath: app-volume-dir + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.arbiter.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.arbiter.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0555 + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.arbiter.configmapName" . }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + - name: mongodb-certs-0 + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" .Values.tls.arbiter.existingSecret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if .Values.arbiter.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/backup/cronjob.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/backup/cronjob.yaml new file mode 100644 index 00000000..b373188f --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/backup/cronjob.yaml @@ -0,0 +1,215 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.backup.enabled }} +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ include "mongodb.fullname" . }}-mongodump + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: mongodump + {{- if .Values.backup.cronjob.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.backup.cronjob.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + schedule: {{ quote .Values.backup.cronjob.schedule }} + {{- if .Values.backup.cronjob.timezone }} + timeZone: {{ .Values.backup.cronjob.timezone | quote }} + {{- end }} + concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }} + failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }} + successfulJobsHistoryLimit: {{ .Values.backup.cronjob.successfulJobsHistoryLimit }} + {{- if .Values.backup.cronjob.startingDeadlineSeconds }} + startingDeadlineSeconds: {{ .Values.backup.cronjob.startingDeadlineSeconds }} + {{- end }} + jobTemplate: + spec: + {{- if .Values.backup.cronjob.backoffLimit }} + backoffLimit: {{ .Values.backup.cronjob.backoffLimit }} + {{- end }} + {{- if .Values.backup.cronjob.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ .Values.backup.cronjob.ttlSecondsAfterFinished }} + {{- end }} + template: + metadata: + labels: {{- include "common.labels.standard" . | nindent 12 }} + app.kubernetes.io/component: mongodump + {{- if .Values.backup.cronjob.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 12 }} + {{- end }} + {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.backup.cronjob.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 10 }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 12 }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- if .Values.tls.enabled }} + initContainers: + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.service.nameOverride" . }} + {{- if .Values.externalAccess.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} + {{- end }} + {{- if or .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames }} + - -n {{ join "," ( concat .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames ) }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.tls.resources "context" $) | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 16 }} + {{- end }} + {{- end }} + containers: + - name: {{ include "mongodb.fullname" . }}-mongodump + image: {{ include "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + env: + {{- if .Values.auth.enabled }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- end }} + - name: MONGODB_SERVICE_NAME + value: {{ include "mongodb.service.nameOverride" . }} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.containerPorts.mongodb | quote }} + - name: MONGODUMP_DIR + value: {{ .Values.backup.cronjob.storage.mountPath }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --ssl --sslPEMKeyFile=/certs/mongodb.pem --sslCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.backup.cronjob.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }} + {{- else }} + command: + - /bin/sh + - -c + - "mongodump {{- if .Values.auth.enabled }} --username=${MONGODB_ROOT_USER} --password=${MONGODB_ROOT_PASSWORD} --authenticationDatabase=admin {{- end }} --host=${MONGODB_SERVICE_NAME} --port=${MONGODB_PORT_NUMBER} ${MONGODB_CLIENT_EXTRA_FLAGS} {{- if (eq $.Values.architecture "replicaset") }}--oplog{{- end }} --gzip --archive=${MONGODUMP_DIR}/mongodump-$(date '+%Y-%m-%d-%H-%M').gz" + {{- end }} + {{- if .Values.backup.cronjob.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.resources "context" $) | nindent 14 }} + {{- else if ne .Values.backup.cronjob.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.backup.cronjob.resourcesPreset) | nindent 14 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + {{- end }} + - name: datadir + mountPath: {{ .Values.backup.cronjob.storage.mountPath }} + subPath: {{ .Values.backup.cronjob.storage.subPath }} + {{- if .Values.backup.cronjob.containerSecurityContext.enabled }} + securityContext: + {{- include "common.tplvalues.render" ( dict "value" ( omit .Values.backup.cronjob.containerSecurityContext "enabled" ) "context" $) | nindent 14 }} + {{- end }} + restartPolicy: {{ .Values.backup.cronjob.restartPolicy }} + volumes: + - name: empty-dir + emptyDir: {} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0550 + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + - name: mongodb-certs-0 + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" .Values.tls.standalone.existingSecret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if .Values.backup.cronjob.storage.existingClaim }} + - name: datadir + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.backup.cronjob.storage.existingClaim .) }} + {{- else }} + - name: datadir + persistentVolumeClaim: + claimName: {{ include "mongodb.fullname" . }}-mongodump + {{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/backup/pvc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/backup/pvc.yaml new file mode 100644 index 00000000..583ea411 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/backup/pvc.yaml @@ -0,0 +1,41 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.backup.enabled (not .Values.backup.cronjob.storage.existingClaim) -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "mongodb.fullname" . }}-mongodump + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: mongodump + {{- if .Values.backup.cronjob.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations .Values.backup.cronjob.storage.resourcePolicy}} + annotations: + {{- if .Values.backup.cronjob.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.backup.cronjob.storage.resourcePolicy }} + helm.sh/resource-policy: {{ .Values.backup.cronjob.storage.resourcePolicy | quote }} + {{- end }} + {{- end }} +spec: + accessModes: + {{- range .Values.backup.cronjob.storage.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.backup.cronjob.storage.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.backup.cronjob.storage "global" .Values.global) | nindent 2 }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/common-scripts-cm.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/common-scripts-cm.yaml new file mode 100644 index 00000000..6f65de40 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/common-scripts-cm.yaml @@ -0,0 +1,143 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- $fullname := include "mongodb.fullname" . }} + startup-probe.sh: | + #!/bin/bash + {{- if .Values.tls.enabled }} + # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. + TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames' + {{- end }} + exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval 'if (!(db.hello().isWritablePrimary || db.hello().secondary)) { throw new Error("Not ready") }' + readiness-probe.sh: | + #!/bin/bash + {{- if .Values.tls.enabled }} + # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. + TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames' + {{- end }} + # Run the proper check depending on the version + [[ $(mongod -version | grep "db version") =~ ([0-9]+\.[0-9]+\.[0-9]+) ]] && VERSION=${BASH_REMATCH[1]} + . /opt/bitnami/scripts/libversion.sh + VERSION_MAJOR="$(get_sematic_version "$VERSION" 1)" + VERSION_MINOR="$(get_sematic_version "$VERSION" 2)" + VERSION_PATCH="$(get_sematic_version "$VERSION" 3)" + readiness_test='db.isMaster().ismaster || db.isMaster().secondary' + if [[ ( "$VERSION_MAJOR" -ge 5 ) || ( "$VERSION_MAJOR" -ge 4 && "$VERSION_MINOR" -ge 4 && "$VERSION_PATCH" -ge 2 ) ]]; then + readiness_test='db.hello().isWritablePrimary || db.hello().secondary' + fi + exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "if (!(${readiness_test})) { throw new Error(\"Not ready\") }" + ping-mongodb.sh: | + #!/bin/bash + {{- if .Values.tls.enabled }} + # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. + TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames' + {{- end }} + exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "db.adminCommand('ping')" + {{- if .Values.tls.enabled }} + generate-certs.sh: | + #!/bin/bash + {{- if (include "mongodb.autoGenerateCerts" .) }} + additional_ips=() + additional_names=() + while getopts "i:n:s:" flag + do + case "${flag}" in + i) read -a additional_ips <<< ${OPTARG//,/ } ;; + n) read -a additional_names <<< ${OPTARG//,/ } ;; + s) svc=${OPTARG// /} ;; + \?) exit 1 ;; + esac + done + + my_hostname=$(hostname) + cp /certs/CAs/* /certs/ + cat >/certs/openssl.cnf <>/certs/openssl.cnf <>/certs/openssl.cnf < /certs/mongodb.pem + cd /certs/ + shopt -s extglob + rm -rf !(mongodb-ca-cert|mongodb.pem|CAs|openssl.cnf) + chmod 0600 mongodb-ca-cert mongodb.pem + {{- else }} + {{- if eq .Values.architecture "standalone" }} + ID="0" + {{- else }} + if [[ "$MY_POD_NAME" =~ "arbiter-0"$ ]]; then + ID="0" + elif [[ "$MY_POD_NAME" =~ "hidden-"[0-9]{1,}$ ]]; then + ID="${MY_POD_NAME#"{{ printf "%s-hidden-" $fullname }}"}" + else + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + fi + {{- end }} + + {{- if .Values.tls.pemChainIncluded }} + #Split the pem chain by the END CERTIFICATE string and store in files /certs/xx00, /certs/xx01 etc. + cat /certs-${ID}/tls.crt | csplit - -s -z '/\-*END CERTIFICATE\-*/+1' '{*}' -f /certs/xx + + #Use first certificate as leaf node and combine with key to store in pem file + cat "/certs/xx00" "/certs-${ID}/tls.key" > "/certs/mongodb.pem" + + #Use remaining intermediate certificates for ca.crt + echo $(find /certs/ -not -name 'xx00' -name 'xx*') | sort | xargs cat > "/certs/mongodb-ca-cert" + + rm -rf /certs/xx* + {{- else }} + cat "/certs-${ID}/tls.crt" "/certs-${ID}/tls.key" > "/certs/mongodb.pem" + cp "/certs-${ID}/ca.crt" "/certs/mongodb-ca-cert" + {{- end }} + + chmod 0600 /certs/mongodb-ca-cert /certs/mongodb.pem + {{- end }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/configmap.yaml new file mode 100644 index 00000000..01104454 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/configmap.yaml @@ -0,0 +1,20 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + mongodb.conf: |- + {{- include "common.tplvalues.render" (dict "value" .Values.configuration "context" $) | nindent 4 }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/extra-list.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/extra-list.yaml new file mode 100644 index 00000000..329f5c65 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/extra-list.yaml @@ -0,0 +1,9 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/configmap.yaml new file mode 100644 index 00000000..fb26bdd3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/configmap.yaml @@ -0,0 +1,20 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.hidden.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-hidden" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + mongodb.conf: |- + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.configuration "context" $) | nindent 4 }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/external-access-svc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/external-access-svc.yaml new file mode 100644 index 00000000..4cfa5314 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/external-access-svc.yaml @@ -0,0 +1,69 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "mongodb.hidden.enabled" .) .Values.externalAccess.hidden.enabled }} +{{- $fullName := include "mongodb.fullname" . }} +{{- $replicaCount := .Values.hidden.replicaCount | int }} +{{- $root := . }} + +{{- range $i, $e := until $replicaCount }} +{{- $targetPod := printf "%s-hidden-%d" (printf "%s" $fullName) $i }} +{{- $_ := set $ "targetPod" $targetPod }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-hidden-%d-external" $fullName $i }} + namespace: {{ include "mongodb.namespace" $ }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + pod: {{ $targetPod }} + {{- if or $root.Values.externalAccess.hidden.service.annotations $root.Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.externalAccess.hidden.service.annotations $root.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ $root.Values.externalAccess.hidden.service.type }} + {{- if eq $root.Values.externalAccess.hidden.service.type "LoadBalancer" }} + {{- if not (empty $root.Values.externalAccess.hidden.service.loadBalancerIPs) }} + loadBalancerIP: {{ index $root.Values.externalAccess.hidden.service.loadBalancerIPs $i }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.loadBalancerClass }} + loadBalancerClass: {{ $root.Values.externalAccess.hidden.service.loadBalancerClass }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.hidden.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + allocateLoadBalancerNodePorts: {{ $root.Values.externalAccess.hidden.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if (or (eq $root.Values.externalAccess.hidden.service.type "LoadBalancer") (eq $root.Values.externalAccess.hidden.service.type "NodePort")) }} + externalTrafficPolicy: {{ $root.Values.externalAccess.hidden.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.sessionAffinity }} + sessionAffinity: {{ $root.Values.externalAccess.hidden.service.sessionAffinity }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.hidden.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + publishNotReadyAddresses: true + ports: + - name: {{ $root.Values.externalAccess.hidden.service.portName | quote }} + port: {{ $root.Values.externalAccess.hidden.service.ports.mongodb }} + {{- if not (empty $root.Values.externalAccess.hidden.service.nodePorts) }} + {{- $nodePort := index $root.Values.externalAccess.hidden.service.nodePorts $i }} + nodePort: {{ $nodePort }} + {{- else }} + nodePort: null + {{- end }} + targetPort: mongodb + {{- if $root.Values.externalAccess.hidden.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.hidden.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.hidden.podLabels $root.Values.commonLabels ) "context" $ ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + statefulset.kubernetes.io/pod-name: {{ $targetPod }} +--- +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/headless-svc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/headless-svc.yaml new file mode 100644 index 00000000..a2af5197 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/headless-svc.yaml @@ -0,0 +1,32 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.hidden.enabled" .) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mongodb.hidden.service.nameOverride" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if or .Values.hidden.service.headless.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: {{ .Values.hidden.service.portName | quote }} + port: {{ .Values.hidden.service.ports.mongodb }} + targetPort: mongodb + {{- if .Values.hidden.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/pdb.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/pdb.yaml new file mode 100644 index 00000000..91250677 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/pdb.yaml @@ -0,0 +1,28 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "mongodb.hidden.enabled" .) .Values.hidden.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ printf "%s-hidden" (include "mongodb.fullname" . )}} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.hidden.pdb.minAvailable }} + minAvailable: {{ .Values.hidden.pdb.minAvailable }} + {{- end }} + {{- if or .Values.hidden.pdb.maxUnavailable (not .Values.hidden.pdb.minAvailable) }} + maxUnavailable: {{ .Values.hidden.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: hidden +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/statefulset.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/statefulset.yaml new file mode 100644 index 00000000..8a70869f --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/hidden/statefulset.yaml @@ -0,0 +1,551 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.hidden.enabled" .) }} +{{- $replicaCount := int .Values.hidden.replicaCount }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.hidden.service.loadBalancerIPs }} +{{- if not (and .Values.externalAccess.hidden.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.hidden.service.type "LoadBalancer")) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-hidden" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if or .Values.hidden.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ include "mongodb.hidden.service.nameOverride" . }} + podManagementPolicy: {{ .Values.hidden.podManagementPolicy }} + replicas: {{ .Values.hidden.replicaCount }} + {{- if .Values.hidden.updateStrategy }} + updateStrategy: {{- toYaml .Values.hidden.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: hidden + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: hidden + {{- if or (include "mongodb.hidden.createConfigmap" .) .Values.hidden.podAnnotations }} + annotations: + {{- if (include "mongodb.hidden.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/hidden/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.hidden.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.hidden.schedulerName }} + schedulerName: {{ .Values.hidden.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.hidden.automountServiceAccountToken }} + {{- if .Values.hidden.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.hidden.podAffinityPreset "component" "hidden" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.hidden.podAntiAffinityPreset "component" "hidden" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.hidden.nodeAffinityPreset.type "key" .Values.hidden.nodeAffinityPreset.key "values" .Values.hidden.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.hidden.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.priorityClassName }} + priorityClassName: {{ .Values.hidden.priorityClassName }} + {{- end }} + {{- if .Values.hidden.runtimeClassName }} + runtimeClassName: {{ .Values.hidden.runtimeClassName }} + {{- end }} + {{- if .Values.hidden.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.hidden.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + {{ if .Values.hidden.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.hidden.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + initContainers: + {{- if .Values.hidden.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.hidden.persistence.enabled }} + {{- include "mongodb.initContainer.volumePermissions" . | indent 8 }} + {{- end }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + {{- include "mongodb.initContainers.autoDiscovery" . | indent 8 }} + {{- end }} + {{- if and .Values.externalAccess.enabled ( or .Values.externalAccess.service.publicNames .Values.externalAccess.service.domain ) }} + {{- include "mongodb.initContainers.dnsCheck" . | indent 8 }} + {{- end }} + {{- include "mongodb.initContainer.prepareLogDir" . | nindent 8 }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + {{- range $index, $_ := .Values.tls.hidden.existingSecrets }} + - name: mongodb-certs-{{ $index }} + mountPath: /certs-{{ $index }} + {{- end }} + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.hidden.service.nameOverride" . }} + {{- if .Values.externalAccess.hidden.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.hidden.service.loadBalancerIPs }} + {{- end }} + {{- if or .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames }} + - -n {{ join "," ( concat .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames ) }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.tls.resources "context" $) | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.hidden.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.hidden.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.hidden.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.command "context" $) | nindent 12 }} + {{- else }} + command: + - /scripts/setup-hidden.sh + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.hidden.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.hidden.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: SHARED_FILE + value: "/shared/info.txt" + {{- end }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MONGODB_REPLICA_SET_MODE + value: "hidden" + - name: MONGODB_INITIAL_PRIMARY_HOST + value: {{ include "mongodb.initialPrimaryHost" . | quote }} + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.hidden.enabled) }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).{{ include "mongodb.hidden.service.nameOverride" . }}.$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + {{- end }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-passwords + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-replica-set-key + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.hidden.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.hidden.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.hidden.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.hidden.extraEnvVarsCM .Values.hidden.extraEnvVarsSecret }} + envFrom: + {{- if .Values.hidden.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.hidden.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.hidden.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.hidden.extraEnvVarsSecret . | quote }} + {{- end }} + {{- end }} + ports: + - containerPort: {{ .Values.hidden.containerPorts.mongodb }} + name: mongodb + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.hidden.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.hidden.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- if .Values.hidden.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.hidden.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/readiness-probe.sh + {{- end }} + {{- if .Values.hidden.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.hidden.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.hidden.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.resources "context" $) | nindent 12 }} + {{- else if ne .Values.hidden.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.hidden.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: datadir + mountPath: {{ .Values.hidden.persistence.mountPath }} + subPath: {{ .Values.hidden.persistence.subPath }} + - name: common-scripts + mountPath: /bitnami/scripts + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.hidden.configuration .Values.hidden.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + - name: scripts + mountPath: /scripts/setup-hidden.sh + subPath: setup-hidden.sh + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: shared + mountPath: /shared + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /.mongodb + subPath: mongosh-home + {{- if .Values.hidden.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + - name: empty-dir + mountPath: /opt/bitnami/redis-cluster/tmp + subPath: app-tmp-dir + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: 9216 + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.resources "context" $) | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.hidden.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0555 + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . }} + {{- end }} + {{- if or .Values.hidden.configuration .Values.hidden.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.hidden.configmapName" . }} + {{- end }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: shared + emptyDir: {} + {{- end }} + - name: scripts + configMap: + name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0755 + {{- if .Values.hidden.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + {{- range $index, $secret := .Values.tls.hidden.existingSecrets }} + - name: mongodb-certs-{{ $index }} + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" $secret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- end }} + {{- if not .Values.hidden.persistence.enabled }} + - name: datadir + {{- if .Values.hidden.persistence.medium }} + emptyDir: + medium: {{ .Values.hidden.persistence.medium | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: datadir + {{- if .Values.hidden.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.labels "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.hidden.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.hidden.persistence.size | quote }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.requests }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.requests "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.hidden.persistence "global" .Values.global) }} + {{- end }} +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/initialization-configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/initialization-configmap.yaml new file mode 100644 index 00000000..2c1273cf --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/initialization-configmap.yaml @@ -0,0 +1,19 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.initdbScripts (not .Values.initdbScriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-init-scripts" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: +{{- include "common.tplvalues.render" (dict "value" .Values.initdbScripts "context" .) | nindent 2 }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/metrics-svc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/metrics-svc.yaml new file mode 100644 index 00000000..b6bd266d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/metrics-svc.yaml @@ -0,0 +1,31 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-metrics" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.metrics.service.type }} + ports: + - port: {{ .Values.metrics.service.ports.metrics }} + targetPort: metrics + protocol: TCP + name: http-metrics + {{- if .Values.metrics.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/networkpolicy.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/networkpolicy.yaml new file mode 100644 index 00000000..fd4b6d6d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/networkpolicy.yaml @@ -0,0 +1,98 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.annotations .Values.commonAnnotation }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow connection to other cluster pods + - ports: + - port: {{ .Values.containerPorts.mongodb }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if (and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled) }} + {{- $kubernetesEndpoints := lookup "v1" "Endpoints" (include "common.names.namespace" .) "kubernetes" }} + {{- range $kubernetesEndpoints.subsets }} + # Allow connection to API server, required by auto-discovery containers + - ports: + {{- range .ports }} + - port: {{ .port }} + {{- end }} + to: + {{- range .addresses }} + - ipBlock: + cidr: {{ printf "%s/32" .ip }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.mongodb }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPort }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: mongodb + {{- if .Values.networkPolicy.addExternalClientAccess }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + {{- end }} + {{- if .Values.networkPolicy.ingressPodMatchLabels }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} + {{- $ingressNSMatchLabels := coalesce .Values.networkPolicy.ingressNSMatchLabels .Values.networkPolicy.namespaceSelector }} + {{- if $ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSMatchLabels "context" $ ) | nindent 14 }} + {{- $ingressNSPodMatchLabels := coalesce .Values.networkPolicy.ingressNSPodMatchLabels .Values.networkPolicy.podSelector }} + {{- if $ingressNSPodMatchLabels }} + podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} + {{- end }} + {{- end }} + {{- $extraIngress := coalesce .Values.networkPolicy.extraIngress .Values.networkPolicy.customRules }} + {{- if $extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" $extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/prometheusrule.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/prometheusrule.yaml new file mode 100644 index 00000000..e0d0f284 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/prometheusrule.yaml @@ -0,0 +1,23 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.prometheusRule.namespace" . }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.metrics.prometheusRule.additionalLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + groups: + - name: {{ include "mongodb.fullname" . }} + rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/psp.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/psp.yaml new file mode 100644 index 00000000..4b93f4f7 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/psp.yaml @@ -0,0 +1,51 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: +{{- if .Values.podSecurityPolicy.spec }} +{{ include "common.tplvalues.render" ( dict "value" .Values.podSecurityPolicy.spec "context" $ ) | nindent 2 }} +{{- else }} + allowPrivilegeEscalation: {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }} + fsGroup: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.podSecurityContext.fsGroup }} + max: {{ .Values.podSecurityContext.fsGroup }} + hostIPC: false + hostNetwork: false + hostPID: false + privileged: {{ .Values.podSecurityPolicy.privileged }} + readOnlyRootFilesystem: false + requiredDropCapabilities: + - ALL + runAsUser: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.containerSecurityContext.runAsUser }} + max: {{ .Values.containerSecurityContext.runAsUser }} + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.containerSecurityContext.runAsUser }} + max: {{ .Values.containerSecurityContext.runAsUser }} + volumes: + - 'configMap' + - 'secret' + - 'emptyDir' + - 'persistentVolumeClaim' +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/external-access-svc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/external-access-svc.yaml new file mode 100644 index 00000000..400db8eb --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/external-access-svc.yaml @@ -0,0 +1,73 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (not (eq .Values.externalAccess.service.type "ClusterIP")) }} +{{- $fullName := include "mongodb.fullname" . }} +{{- $replicaCount := .Values.replicaCount | int }} +{{- $root := . }} + +{{- range $i, $e := until $replicaCount }} +{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }} +{{- $_ := set $ "targetPod" $targetPod }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-%d-external" $fullName $i }} + namespace: {{ include "mongodb.namespace" $ }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + pod: {{ $targetPod }} + {{- if or $root.Values.externalAccess.service.annotations $root.Values.commonAnnotations $root.Values.externalAccess.service.annotationsList }} + {{- $exclusiveAnnotations := dict }} + {{- if gt (len $root.Values.externalAccess.service.annotationsList) $i }} + {{- $exclusiveAnnotations = index $root.Values.externalAccess.service.annotationsList $i }} + {{- end }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.externalAccess.service.annotations $root.Values.commonAnnotations $exclusiveAnnotations ) "context" $ ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ $root.Values.externalAccess.service.type }} + {{- if eq $root.Values.externalAccess.service.type "LoadBalancer" }} + {{- if not (empty $root.Values.externalAccess.service.loadBalancerIPs) }} + loadBalancerIP: {{ index $root.Values.externalAccess.service.loadBalancerIPs $i }} + {{- end }} + {{- if and (eq $root.Values.externalAccess.service.type "LoadBalancer") $root.Values.externalAccess.service.loadBalancerClass }} + loadBalancerClass: {{ $root.Values.externalAccess.service.loadBalancerClass }} + {{- end }} + {{- if $root.Values.externalAccess.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + allocateLoadBalancerNodePorts: {{ $root.Values.externalAccess.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if (or (eq $root.Values.externalAccess.service.type "LoadBalancer") (eq $root.Values.externalAccess.service.type "NodePort")) }} + externalTrafficPolicy: {{ $root.Values.externalAccess.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if $root.Values.externalAccess.service.sessionAffinity }} + sessionAffinity: {{ $root.Values.externalAccess.service.sessionAffinity }} + {{- end }} + {{- if $root.Values.externalAccess.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + publishNotReadyAddresses: true + ports: + - name: {{ $root.Values.externalAccess.service.portName | quote }} + port: {{ $root.Values.externalAccess.service.ports.mongodb }} + {{- if not (empty $root.Values.externalAccess.service.nodePorts) }} + {{- $nodePort := index $root.Values.externalAccess.service.nodePorts $i }} + nodePort: {{ $nodePort }} + {{- else }} + nodePort: null + {{- end }} + targetPort: mongodb + {{- if $root.Values.externalAccess.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.podLabels $root.Values.commonLabels ) "context" $ ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + statefulset.kubernetes.io/pod-name: {{ $targetPod }} +--- +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/headless-svc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/headless-svc.yaml new file mode 100644 index 00000000..eb6337d4 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/headless-svc.yaml @@ -0,0 +1,32 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replicaset" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mongodb.service.nameOverride" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.commonAnnotations .Values.service.headless.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: {{ .Values.service.portName | quote }} + port: {{ .Values.service.ports.mongodb }} + targetPort: mongodb + {{- if .Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/pdb.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/pdb.yaml new file mode 100644 index 00000000..a193ed2c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/pdb.yaml @@ -0,0 +1,28 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (eq .Values.architecture "replicaset") .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/scripts-configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/scripts-configmap.yaml new file mode 100644 index 00000000..ad5effaf --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/scripts-configmap.yaml @@ -0,0 +1,316 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replicaset" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- $fullname := include "mongodb.fullname" . }} + {{- $releaseNamespace := include "mongodb.namespace" . }} + {{- if and .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + auto-discovery.sh: |- + #!/bin/bash + + SVC_NAME="${MY_POD_NAME}-external" + + # Auxiliary functions + retry_while() { + local -r cmd="${1:?cmd is missing}" + local -r retries="${2:-12}" + local -r sleep_time="${3:-5}" + local return_value=1 + + read -r -a command <<< "$cmd" + for ((i = 1 ; i <= retries ; i+=1 )); do + "${command[@]}" && return_value=0 && break + sleep "$sleep_time" + done + return $return_value + } + k8s_svc_lb_ip() { + local namespace=${1:?namespace is missing} + local service=${2:?service is missing} + local service_ip=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].ip}") + local service_hostname=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].hostname}") + + if [[ -n ${service_ip} ]]; then + echo "${service_ip}" + else + echo "${service_hostname}" + fi + } + k8s_svc_lb_ip_ready() { + local namespace=${1:?namespace is missing} + local service=${2:?service is missing} + [[ -n "$(k8s_svc_lb_ip "$namespace" "$service")" ]] + } + # Wait until LoadBalancer IP is ready + retry_while "k8s_svc_lb_ip_ready {{ $releaseNamespace }} $SVC_NAME" || exit 1 + # Obtain LoadBalancer external IP + k8s_svc_lb_ip "{{ $releaseNamespace }}" "$SVC_NAME" | tee "$SHARED_FILE" + {{- end }} + setup.sh: |- + #!/bin/bash + + . /opt/bitnami/scripts/mongodb-env.sh + . /opt/bitnami/scripts/libfs.sh + . /opt/bitnami/scripts/liblog.sh + . /opt/bitnami/scripts/libvalidations.sh + + {{- if .Values.externalAccess.enabled }} + {{- if eq .Values.externalAccess.service.type "LoadBalancer" }} + {{- if .Values.externalAccess.autoDiscovery.enabled }} + export MONGODB_ADVERTISED_HOSTNAME="$(<${SHARED_FILE})" + {{- else }} + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + export MONGODB_ADVERTISED_HOSTNAME=$(echo '{{ coalesce .Values.externalAccess.service.publicNames .Values.externalAccess.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + {{- end }} + {{- else if eq .Values.externalAccess.service.type "NodePort" }} + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then + export MONGODB_ADVERTISED_PORT_NUMBER=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + fi + {{- if .Values.externalAccess.service.domain }} + export MONGODB_ADVERTISED_HOSTNAME={{ .Values.externalAccess.service.domain }} + {{- else }} + export MONGODB_ADVERTISED_HOSTNAME=$MY_POD_HOST_IP + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.replicaSetConfigurationSettings.enabled }} + # placed here before root password env is overwritten + # makes no assumption about starting state + # ensures that any stepDown or non-default starting state is handled + /scripts/replicaSetConfigurationSettings.sh & + {{- end }} + + if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then + export MONGODB_ADVERTISED_PORT_NUMBER="$MONGODB_PORT_NUMBER" + fi + + info "Advertised Hostname: $MONGODB_ADVERTISED_HOSTNAME" + info "Advertised Port: $MONGODB_ADVERTISED_PORT_NUMBER" + + # Check for existing replica set in case there is no data in the PVC + # This is for cases where the PVC is lost or for MongoDB caches without + # persistence + current_primary="" + if is_dir_empty "${MONGODB_DATA_DIR}/db"; then + info "Data dir empty, checking if the replica set already exists" + {{- $replicaCount := int .Values.replicaCount }} + {{- $portNumber := int .Values.service.ports.mongodb }} + {{- $fullname := include "mongodb.fullname" . }} + {{- $releaseNamespace := include "mongodb.namespace" . }} + {{- $clusterDomain := .Values.clusterDomain }} + {{- $mongoList := list }} + {{- range $e, $i := until $replicaCount }} + {{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $portNumber) }} + {{- end }} + + {{- if .Values.externalAccess.externalMaster.enabled }} + current_primary={{ printf "%s:%d" (.Values.externalAccess.externalMaster.host) ( int .Values.externalAccess.externalMaster.port) }} + {{- else }} + current_primary=$(mongosh admin --host "{{ join "," $mongoList }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u $MONGODB_ROOT_USER -p $MONGODB_ROOT_PASSWORD{{- end }}{{- if .Values.tls.enabled}} --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert{{- end }} --eval 'db.runCommand("ismaster")' | awk -F\' '/primary:/ {print $2}') + {{- end }} + if ! is_empty_value "$current_primary"; then + info "Detected existing primary: ${current_primary}" + fi + fi + + if ! is_empty_value "$current_primary" && [[ "$MONGODB_ADVERTISED_HOSTNAME:$MONGODB_ADVERTISED_PORT_NUMBER" == "$current_primary" ]]; then + info "Advertised name matches current primary, configuring node as a primary" + export MONGODB_REPLICA_SET_MODE="primary" + elif ! is_empty_value "$current_primary" && [[ "$MONGODB_ADVERTISED_HOSTNAME:$MONGODB_ADVERTISED_PORT_NUMBER" != "$current_primary" ]]; then + info "Current primary is different from this node. Configuring the node as replica of ${current_primary}" + export MONGODB_REPLICA_SET_MODE="secondary" + export MONGODB_INITIAL_PRIMARY_HOST="${current_primary%:*}" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="${current_primary#*:}" + export MONGODB_SET_SECONDARY_OK="yes" + elif [[ "$MY_POD_NAME" = "{{ $fullname }}-0" ]]; then + info "Pod name matches initial primary pod name, configuring node as a primary" + export MONGODB_REPLICA_SET_MODE="primary" + else + info "Pod name doesn't match initial primary pod name, configuring node as a secondary" + export MONGODB_REPLICA_SET_MODE="secondary" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="$MONGODB_PORT_NUMBER" + fi + + if [[ "$MONGODB_REPLICA_SET_MODE" == "secondary" ]]; then + export MONGODB_INITIAL_PRIMARY_ROOT_USER="$MONGODB_ROOT_USER" + export MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD="$MONGODB_ROOT_PASSWORD" + export MONGODB_ROOT_PASSWORD="" + export MONGODB_EXTRA_USERNAMES="" + export MONGODB_EXTRA_DATABASES="" + export MONGODB_EXTRA_PASSWORDS="" + export MONGODB_ROOT_PASSWORD_FILE="" + export MONGODB_EXTRA_USERNAMES_FILE="" + export MONGODB_EXTRA_DATABASES_FILE="" + export MONGODB_EXTRA_PASSWORDS_FILE="" + fi + exec /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + setup-hidden.sh: |- + #!/bin/bash + + . /opt/bitnami/scripts/mongodb-env.sh + + {{- if .Values.externalAccess.hidden.enabled }} + {{- if eq .Values.externalAccess.hidden.service.type "LoadBalancer" }} + {{- if .Values.externalAccess.autoDiscovery.enabled }} + export MONGODB_ADVERTISED_HOSTNAME="$(<${SHARED_FILE})" + {{- else }} + ID="${MY_POD_NAME#"{{ $fullname }}-hidden-"}" + export MONGODB_ADVERTISED_HOSTNAME=$(echo '{{ .Values.externalAccess.hidden.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + {{- end }} + {{- else if eq .Values.externalAccess.hidden.service.type "NodePort" }} + ID="${MY_POD_NAME#"{{ $fullname }}-hidden-"}" + if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then + export MONGODB_ADVERTISED_PORT_NUMBER=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + fi + {{- if .Values.externalAccess.hidden.service.domain }} + export MONGODB_ADVERTISED_HOSTNAME={{ .Values.externalAccess.hidden.service.domain }} + {{- else }} + export MONGODB_ADVERTISED_HOSTNAME=$MY_POD_HOST_IP + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.replicaSetConfigurationSettings.enabled }} + # placed here before root password env is overwritten + # makes no assumption about starting state + # ensures that any stepDown or non-default starting state is handled + /scripts/replicaSetConfigurationSettings.sh & + {{- end }} + + echo "Advertised Hostname: $MONGODB_ADVERTISED_HOSTNAME" + echo "Advertised Port: $MONGODB_ADVERTISED_PORT_NUMBER" + echo "Configuring node as a hidden node" + export MONGODB_REPLICA_SET_MODE="hidden" + export MONGODB_INITIAL_PRIMARY_ROOT_USER="$MONGODB_ROOT_USER" + export MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD="$MONGODB_ROOT_PASSWORD" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="$MONGODB_PORT_NUMBER" + export MONGODB_ROOT_PASSWORD="" + export MONGODB_EXTRA_USERNAMES="" + export MONGODB_EXTRA_DATABASES="" + export MONGODB_EXTRA_PASSWORDS="" + export MONGODB_ROOT_PASSWORD_FILE="" + export MONGODB_EXTRA_USERNAMES_FILE="" + export MONGODB_EXTRA_DATABASES_FILE="" + export MONGODB_EXTRA_PASSWORDS_FILE="" + exec /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + {{- if .Values.replicaSetConfigurationSettings.enabled }} + replicaSetConfigurationSettings.sh: |- + #!/bin/bash + # This script to be called when pod starts. + # This script sets rs settings which can not be applied via conf file + + function logger () + #$1 is the line to be logged + { + echo "replicaSetConfigurationSettings.sh -- ${1}" >&1 + } + + SLEEP_PERIOD=10 + + {{- if and .Values.auth.enabled (or .Values.auth.rootPassword .Values.auth.existingSecret)}} + usernameAndPassword="{{- if .Values.tls.enabled}} --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert{{- end }} -u ${MONGODB_ROOT_USER} -p ${MONGODB_ROOT_PASSWORD}" + {{- else }} + usernameAndPassword="" + {{- end }} + + # load Values.replicaSetConfigurationSettings.configuration into associtive array which makes iterating and string manipulation easy + declare -A desiredRsConf + {{ range $setting, $value := .Values.replicaSetConfigurationSettings.configuration -}} + {{ printf "desiredRsConf[%s]='%v'" $setting $value }} + {{ end }} + + rsConfWriteAttempts=0 + rs_conf_configured_ok=unknown + + while [[ "${rs_conf_configured_ok}" != "true" ]]; do + + # give the rs setup a chance to succeed before attempting to read or configure + sleep ${SLEEP_PERIOD} + + counter=0 + while ! mongosh ${usernameAndPassword} --eval 'rs.conf()'; do + counter=$((${counter} +1)) + logger "not yet able to read rs.conf settings from the currently running rs (after ${counter} attempts)" + sleep ${SLEEP_PERIOD} + done + counter=$((${counter} +1)) + logger "rs.conf settings have been read from the currently running rs (after ${counter} attempts)" + + # read rs.conf again and store it. settings format is '"" : ,' + currentRsConf=$(mongosh ${usernameAndPassword} --eval 'rs.conf()') + + desiredEqualsactual=unknown + settingsToConfigure="" + for key in ${!desiredRsConf[@]}; do + value=${desiredRsConf[$key]} + if ! $(echo "\"${currentRsConf}"\" | grep -q -e "${key}: ${value},"); then + if [[ $key =~ ^members\[[0-9]+\]\..+ ]]; then + memberIndex=$(echo $key | grep -o -E '[0-9]+') + nodeConfigKey=${key#*.} + settingsToConfigure="${settingsToConfigure}cfg.members[${memberIndex}].${nodeConfigKey} = ${value}; " + else + # General rs settings + settingsToConfigure="${settingsToConfigure}cfg.settings.${key} = ${value}; " + fi + desiredEqualsactual=false + else + logger "rs conf: ${key} is already at desired value: ${value}" + fi + done + + if [[ "${desiredEqualsactual}" != "false" ]]; then + logger "replicaSetConfigurationSettings match the settings of the currently running rs" + desiredEqualsactual=true + rs_conf_configured_ok=true + logger "Current settings match desired settings (There have been ${rsConfWriteAttempts} attempts to write to mongoDB rs configuration)" + exit + fi + + # apply the settings only if this member is currently the mongo replicaset PRIMARY + # it might take a little time before any pod is PRIMARY + isMaster=unknown + if ! mongosh ${usernameAndPassword} --eval 'rs.isMaster()' | grep -q "ismaster: true"; then + isMaster=false + logger "This node is not yet PRIMARY - replicaSetConfigurationSettings will only be set on the member that is currently PRIMARY" + else + isMaster=true + logger "This node is PRIMARY" + fi + + if [[ "${isMaster}" == "true" ]]; then + logger "This node is currently PRIMARY - will apply rs.conf settings" + + # avoiding tricky string substitution with single quotes by making the eval string a set of vars + rsconf="cfg = rs.conf();" + rsreconf="rs.reconfig(cfg);" + rsCommand="${rsconf} ${settingsToConfigure} ${rsreconf}" + + mongosh ${usernameAndPassword} --eval "${rsCommand}" + if [ $? -ne 0 ]; then + logger "Failed to apply mongodb cfg.settings configuration" + else + logger "mongodb replicaset cfg.settings configuration applied" + logger "Will check rs conf" + # don't exit just yet - the settings will be checked in the next loop + fi + rsConfWriteAttempts=$((${rsConfWriteAttempts} + 1 )) + fi + done + {{- end }} +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/statefulset.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/statefulset.yaml new file mode 100644 index 00000000..60315f62 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/statefulset.yaml @@ -0,0 +1,562 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replicaset" }} +{{- $replicaCount := int .Values.replicaCount }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- $publicNamesLength := len .Values.externalAccess.service.publicNames }} +{{- if not (and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (eq .Values.externalAccess.service.type "LoadBalancer") (not (eq $replicaCount $loadBalancerIPListLength)) (not (eq $replicaCount $publicNamesLength))) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ include "mongodb.service.nameOverride" . }} + podManagementPolicy: {{ .Values.podManagementPolicy }} + replicas: {{ .Values.replicaCount }} + {{- if .Values.updateStrategy }} + updateStrategy: {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: mongodb + {{- if or (include "mongodb.createConfigmap" .) .Values.podAnnotations }} + annotations: + {{- if (include "mongodb.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.runtimeClassName }} + runtimeClassName: {{ .Values.runtimeClassName }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + {{ if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + initContainers: + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + {{- include "mongodb.initContainer.volumePermissions" . | nindent 8 }} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + {{- include "mongodb.initContainers.autoDiscovery" . | nindent 8 }} + {{- end }} + {{- if and .Values.externalAccess.enabled ( or .Values.externalAccess.service.publicNames .Values.externalAccess.service.domain ) }} + {{- include "mongodb.initContainers.dnsCheck" . | nindent 8 }} + {{- end }} + {{- include "mongodb.initContainer.prepareLogDir" . | nindent 8 }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + {{- range $index, $_ := .Values.tls.replicaset.existingSecrets }} + - name: mongodb-certs-{{ $index }} + mountPath: /certs-{{ $index }} + {{- end }} + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.service.nameOverride" . }} + {{- if .Values.externalAccess.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} + {{- end }} + {{- if or .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames }} + - -n {{ join "," ( concat .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames ) }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.tls.resources "context" $) | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.tls.securityContext }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 12 }} + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- else }} + command: + - /scripts/setup.sh + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: SHARED_FILE + value: "/shared/info.txt" + {{- end }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MONGODB_INITIAL_PRIMARY_HOST + value: {{ include "mongodb.initialPrimaryHost" . | quote }} + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.enabled) }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).{{ include "mongodb.service.nameOverride" . }}.$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + {{- end }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-passwords + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-replica-set-key + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.extraEnvVarsSecret . | quote }} + {{- end }} + {{- end }} + ports: + - name: mongodb + containerPort: {{ .Values.containerPorts.mongodb }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/readiness-probe.sh + {{- end }} + {{- if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /.mongodb + subPath: mongosh-home + - name: {{ .Values.persistence.name | default "datadir" }} + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + - name: common-scripts + mountPath: /bitnami/scripts + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + - name: scripts + mountPath: /scripts/setup.sh + subPath: setup.sh + {{ if .Values.replicaSetConfigurationSettings.enabled }} + - name: scripts + mountPath: /scripts/replicaSetConfigurationSettings.sh + subPath: replicaSetConfigurationSettings.sh + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: shared + mountPath: /shared + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.containerPort }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.resources "context" $) | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0550 + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . }} + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.configmapName" . }} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: shared + emptyDir: {} + {{- end }} + - name: scripts + configMap: + name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0755 + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + {{- range $index, $secret := .Values.tls.replicaset.existingSecrets }} + - name: mongodb-certs-{{ $index }} + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" $secret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: datadir + {{- if .Values.persistence.medium }} + emptyDir: + medium: {{ .Values.persistence.medium | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else }} + {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: datadir + {{- if .Values.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.labels "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.volumeClaimTemplates.requests }} + {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.requests "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.persistence.volumeClaimTemplates.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- end }} +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/svc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/svc.yaml new file mode 100644 index 00000000..20b347fd --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/replicaset/svc.yaml @@ -0,0 +1,41 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "ClusterIP") }} + +{{- $fullName := include "mongodb.fullname" . }} +{{- $replicaCount := .Values.replicaCount | int }} +{{- $root := . }} + +{{- range $i, $e := until $replicaCount }} +{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }} +{{- $_ := set $ "targetPod" $targetPod }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-%d" $fullName $i }} + namespace: {{ include "mongodb.namespace" $ }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or $root.Values.service.annotations $root.Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.service.annotations $root.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + ports: + - name: {{ $root.Values.service.portName | quote }} + port: {{ $root.Values.service.ports.mongodb }} + targetPort: mongodb + {{- if $root.Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" $root.Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.podLabels $root.Values.commonLabels ) "context" $ ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + statefulset.kubernetes.io/pod-name: {{ $targetPod }} +--- +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/role.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/role.yaml new file mode 100644 index 00000000..062e8f39 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/role.yaml @@ -0,0 +1,31 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.rbac.create }} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: Role +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +{{- if .Values.rbac.rules }} +{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} +{{- end -}} +{{- if and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create }} + - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ include "mongodb.fullname" . }}] +{{- end -}} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/rolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/rolebinding.yaml new file mode 100644 index 00000000..7ff6b185 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: RoleBinding +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} +roleRef: + kind: Role + name: {{ include "mongodb.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ include "mongodb.serviceAccountName" . }} + namespace: {{ include "mongodb.namespace" . | quote }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/secrets-ca.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/secrets-ca.yaml new file mode 100644 index 00000000..932b0e6c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/secrets-ca.yaml @@ -0,0 +1,33 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.createTlsSecret" .) }} +{{- $secretName := printf "%s" (include "mongodb.tlsSecretName" .) }} +{{- $fullname := include "mongodb.fullname" . }} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $cn := printf "%s.%s.svc.%s" $fullname .Release.Namespace $clusterDomain }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ template "mongodb.namespace" . }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if or .Values.tls.caCert .Values.tls.caKey (not .Values.tls.autoGenerated) }} + {{- $ca := buildCustomCert (required "A valid .Values.tls.caCert is required!" .Values.tls.caCert) (required "A valid .Values.tls.caKey is required!" .Values.tls.caKey) }} + mongodb-ca-cert: {{ b64enc $ca.Cert }} + mongodb-ca-key: {{ b64enc $ca.Key }} + {{- else }} + {{- $ca := genCA "myMongo-ca" 3650 }} + mongodb-ca-cert: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "mongodb-ca-cert" "defaultValue" $ca.Cert "context" $) }} + mongodb-ca-key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "mongodb-ca-key" "defaultValue" $ca.Key "context" $) }} + {{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/secrets.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/secrets.yaml new file mode 100644 index 00000000..4ff27c16 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/secrets.yaml @@ -0,0 +1,128 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.auth.enabled }} +{{- $replicaCount := int .Values.replicaCount }} +{{- $port := .Values.service.ports.mongodb }} +{{- $host := include "mongodb.service.nameOverride" . }} +{{- $hostForURI := printf "%s:%s" (include "mongodb.service.nameOverride" .) (print $port) }} +{{- if (eq .Values.architecture "replicaset") }} + {{- $fullname := include "mongodb.fullname" . }} + {{- $releaseNamespace := include "mongodb.namespace" . }} + {{- $clusterDomain := .Values.clusterDomain }} + {{- $mongoList := list }} + {{- $mongoOnlyHostList := list }} + {{- range $e, $i := until $replicaCount }} + {{- $mongoOnlyHostList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s" $fullname $i $fullname $releaseNamespace $clusterDomain) }} + {{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%s" $fullname $i $fullname $releaseNamespace $clusterDomain (print $port)) }} + {{- end }} + {{- $host = (join "," $mongoOnlyHostList) }} + {{- $hostForURI = (join "," $mongoList) }} +{{- end }} + +{{/* Root user section. */}} +{{- $rootPassword := include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.secretName" .) "key" "mongodb-root-password" "providedValues" (list "auth.rootPassword" ) "context" $) | trimAll "\"" | b64dec }} + +{{/* Custom user section. This chart allows creating multiple users */}} +{{- $customUsers := include "mongodb.customUsers" . }} +{{- $customDatabases := include "mongodb.customDatabases" . }} +{{- $customPasswords := include "mongodb.customPasswords" . }} +{{- $passwords := "" }} +{{- $passwordList := list -}} +{{- $customUsersList := list }} +{{- $customDatabasesList := list }} +{{- $customPasswordsList := list }} +{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} +{{- $customUsersList = splitList "," $customUsers }} +{{- $customDatabasesList = splitList "," $customDatabases }} +{{- if not (empty $customPasswords) }} +{{- $passwordList = $customPasswords }} +{{- $customPasswordsList = splitList "," $customPasswords }} +{{- else }} +{{- range $customUsersList }} +{{- $customPasswordsList = append $customPasswordsList (randAlphaNum 10) }} +{{- end -}} +{{- $passwordList = (join "," $customPasswordsList) }} +{{- end }} +{{- $passwords = include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.secretName" .) "key" "mongodb-passwords" "providedValues" (list "mongodbPasswords") "context" (set (deepCopy $) "Values" (dict "mongodbPasswords" $passwordList))) | trimAll "\"" | b64dec }} +{{- end }} + +{{- if (include "mongodb.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ template "mongodb.namespace" . }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + mongodb-root-password: {{ print $rootPassword | b64enc | quote }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + mongodb-passwords: {{ print $passwords | b64enc | quote }} + {{- end }} + {{- if .Values.metrics.username }} + mongodb-metrics-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.fullname" .) "key" "mongodb-metrics-password" "providedValues" (list "metrics.password" ) "context" $) }} + {{- end }} + {{- if eq .Values.architecture "replicaset" }} + mongodb-replica-set-key: {{ include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.fullname" .) "key" "mongodb-replica-set-key" "providedValues" (list "auth.replicaSetKey" ) "context" $) }} + {{- end }} +{{- end }} +{{- if .Values.serviceBindings.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-svcbind-root + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: servicebinding.io/mongodb +data: + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "mongodb" | b64enc | quote }} + host: {{ print $host | b64enc | quote }} + port: {{ print $port | b64enc | quote }} + username: {{ print .Values.auth.rootUser | b64enc | quote }} + password: {{ print $rootPassword | b64enc | quote }} + database: {{ print "admin" | b64enc | quote }} + uri: {{ printf "mongodb://%s:%s@%s/admin" .Values.auth.rootUser $rootPassword $hostForURI | b64enc | quote }} +{{- range $e, $i := until (len $customUsersList) }} +--- +{{- $currentSecret := printf "%s-svcbind-%d" (include "common.names.fullname" $) $i }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $currentSecret }} + namespace: {{ $.Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: servicebinding.io/mongodb +data: + {{- $currentUser := index $customUsersList $i }} + {{- $currentDatabase := last $customDatabasesList }} + {{- if gt (len $customDatabasesList) $i }} + {{- $currentDatabase = index $customDatabasesList $i }} + {{- end }} + {{- $currentProvidedPassword := index $customPasswordsList $i }} + {{- $currentPassword := include "common.secrets.lookup" (dict "secret" $currentSecret "key" "password" "defaultValue" $currentProvidedPassword "context" $) | b64dec }} + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "mongodb" | b64enc | quote }} + host: {{ print $host | b64enc | quote }} + port: {{ print $port | b64enc | quote }} + username: {{ print $currentUser | b64enc | quote }} + password: {{ print $currentPassword | b64enc | quote }} + database: {{ print $currentDatabase | b64enc | quote }} + uri: {{ printf "mongodb://%s:%s@%s/%s" $currentUser $currentPassword $hostForURI $currentDatabase | b64enc | quote }} +{{- end }} +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/serviceaccount.yaml new file mode 100644 index 00000000..b54e8a0d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/serviceaccount.yaml @@ -0,0 +1,20 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "mongodb.serviceAccountName" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +secrets: + - name: {{ include "mongodb.secretName" . }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/servicemonitor.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/servicemonitor.yaml new file mode 100644 index 00000000..7849d461 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/servicemonitor.yaml @@ -0,0 +1,48 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.serviceMonitor.namespace" . }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} + app.kubernetes.io/component: metrics + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + namespaceSelector: + matchNames: + - "{{ include "mongodb.namespace" . }}" +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/standalone/dep-sts.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/standalone/dep-sts.yaml new file mode 100644 index 00000000..fdf55f23 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/standalone/dep-sts.yaml @@ -0,0 +1,498 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if not (eq .Values.architecture "replicaset") }} +apiVersion: {{ if .Values.useStatefulSet }}{{ include "common.capabilities.statefulset.apiVersion" . }}{{- else }}{{ include "common.capabilities.deployment.apiVersion" . }}{{- end }} +kind: {{ if .Values.useStatefulSet }}StatefulSet{{- else }}Deployment{{- end }} +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + replicas: {{ gt (.Values.replicaCount | int) 1 | ternary 1 .Values.replicaCount }} + {{- if .Values.useStatefulSet }} + serviceName: {{ include "mongodb.service.nameOverride" . }} + {{- end }} + {{- if .Values.updateStrategy}} + {{- if .Values.useStatefulSet }} + updateStrategy: + {{- else }} + strategy: + {{- end }} + {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end}} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: mongodb + {{- if or (include "mongodb.createConfigmap" .) .Values.podAnnotations }} + annotations: + {{- if (include "mongodb.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.runtimeClassName }} + runtimeClassName: {{ .Values.runtimeClassName }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + {{ if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + initContainers: + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + {{- include "mongodb.initContainer.volumePermissions" . | indent 8 }} + {{- end }} + {{- include "mongodb.initContainer.prepareLogDir" . | nindent 8 }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.service.nameOverride" . }} + {{- if .Values.externalAccess.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} + {{- end }} + {{- if or .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames }} + - -n {{ join "," ( concat .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames ) }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.tls.resources "context" $) | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.tls.securityContext }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 12 }} + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-passwords + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.extraEnvVarsSecret . | quote }} + {{- end }} + {{- end }} + ports: + - name: mongodb + containerPort: {{ .Values.containerPorts.mongodb }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/readiness-probe.sh + {{- end }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /.mongodb + subPath: mongosh-home + - name: {{ .Values.persistence.name | default "datadir" }} + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + - name: common-scripts + mountPath: /bitnami/scripts + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.containerPort }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.resources "context" $) | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0550 + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . }} + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.configmapName" . }} + {{- end }} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + - name: mongodb-certs-0 + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" .Values.tls.standalone.existingSecret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: {{ .Values.persistence.name | default "datadir" }} + {{- if .Values.persistence.medium }} + emptyDir: + medium: {{ .Values.persistence.medium | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else if .Values.persistence.existingClaim }} + - name: {{ .Values.persistence.name | default "datadir" }} + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.persistence.existingClaim .) }} + {{- else if not .Values.useStatefulSet }} + - name: {{ .Values.persistence.name | default "datadir" }} + persistentVolumeClaim: + claimName: {{ template "mongodb.fullname" . }} + {{- else }} + {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: {{ .Values.persistence.name | default "datadir" }} + {{- if .Values.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.labels "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/standalone/pdb.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/standalone/pdb.yaml new file mode 100644 index 00000000..d11b39a5 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/standalone/pdb.yaml @@ -0,0 +1,28 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (not (eq .Values.architecture "replicaset")) .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/standalone/pvc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/standalone/pvc.yaml new file mode 100644 index 00000000..16098580 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/standalone/pvc.yaml @@ -0,0 +1,31 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (not (eq .Values.architecture "replicaset")) (not .Values.useStatefulSet) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + annotations: + {{- if .Values.persistence.resourcePolicy }} + helm.sh/resource-policy: {{ .Values.persistence.resourcePolicy | quote }} + {{- end }} + {{- if or .Values.persistence.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.annotations .Values.commonAnnotations ) "context" . ) }} + {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/standalone/svc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/standalone/svc.yaml new file mode 100644 index 00000000..c1ec6f74 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/templates/standalone/svc.yaml @@ -0,0 +1,62 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if not (eq .Values.architecture "replicaset") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mongodb.service.nameOverride" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + {{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} + {{- if .Values.service.externalIPs }} + externalIPs: {{ toYaml .Values.service.externalIPs | nindent 4 }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if (eq .Values.service.type "LoadBalancer") }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + ports: + - name: {{ .Values.service.portName | quote }} + port: {{ .Values.service.ports.mongodb }} + targetPort: mongodb + {{- if and (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) .Values.service.nodePorts.mongodb }} + nodePort: {{ .Values.service.nodePorts.mongodb }} + {{- else if eq .Values.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/values.schema.json b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/values.schema.json new file mode 100644 index 00000000..3eb6a64c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/values.schema.json @@ -0,0 +1,232 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "architecture": { + "type": "string", + "title": "MongoDB® architecture", + "form": true, + "description": "Allowed values: `standalone` or `replicaset`" + }, + "auth": { + "type": "object", + "title": "Authentication configuration", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Authentication", + "form": true + }, + "rootUser": { + "type": "string", + "title": "MongoDB® admin user", + "form": true, + "description": "Name of the admin user. Default is root" + }, + "rootPassword": { + "type": "string", + "title": "MongoDB® admin password", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set", + "hidden": { + "value": false, + "path": "auth/enabled" + } + }, + "database": { + "type": "string", + "title": "MongoDB® custom database", + "description": "Name of the custom database to be created during the 1st initialization of MongoDB®", + "form": true + }, + "username": { + "type": "string", + "title": "MongoDB® custom user", + "description": "Name of the custom user to be created during the 1st initialization of MongoDB®. This user only has permissions on the MongoDB® custom database", + "form": true + }, + "password": { + "type": "string", + "title": "Password for MongoDB® custom user", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set", + "hidden": { + "value": false, + "path": "auth/enabled" + } + }, + "replicaSetKey": { + "type": "string", + "title": "Key used for replica set authentication", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set", + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "replicaCount": { + "type": "integer", + "form": true, + "title": "Number of MongoDB® replicas", + "hidden": { + "value": "standalone", + "path": "architecture" + } + }, + "configuration": { + "type": "string", + "title": "MongoDB® Custom Configuration", + "form": true, + "render": "textArea" + }, + "arbiter": { + "type": "object", + "title": "Arbiter configuration", + "form": true, + "properties": { + "configuration": { + "type": "string", + "title": "Arbiter Custom Configuration", + "form": true, + "render": "textArea", + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "networkPolicy": { + "type": "object", + "title": "Network policy configuration", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable network policy", + "description": "Enable network policy using Kubernetes native NP", + "hidden": { + "value": false, + "path": "networkPolicy/enabled" + } + }, + "ingress": { + "type": "object", + "properties": { + "namespaceSelector": { + "type": "object", + "title": "Namespace selector label that is allowed to access this instance", + "hidden": { + "value": {}, + "path": "networkPolicy/ingress/namespaceSelector" + } + }, + "podSelector": { + "type": "object", + "title": "Pod selector label that is allowed to access this instance", + "hidden": { + "value": {}, + "path": "networkPolicy/ingress/podSelector" + } + }, + "customRules": { + "type": "array", + "title": "Custom rules for ingress network policy", + "hidden": { + "value": [], + "path": "networkPolicy/ingress/customRules" + } + } + } + }, + "egress": { + "type": "object", + "properties": { + "customRules": { + "type": "array", + "title": "Custom rules for egress network policy", + "hidden": { + "value": [], + "path": "networkPolicy/egress/customRules" + } + } + } + } + } + }, + "persistence": { + "type": "object", + "title": "Persistence configuration", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "value": false, + "path": "persistence/enabled" + } + } + } + }, + "volumePermissions": { + "type": "object", + "hidden": { + "value": false, + "path": "persistence/enabled" + }, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination" + } + } + }, + "metrics": { + "type": "object", + "form": true, + "title": "Prometheus metrics details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus metrics exporter", + "description": "Create a side-car container to expose Prometheus metrics", + "form": true + }, + "serviceMonitor": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus Operator ServiceMonitor", + "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", + "form": true, + "hidden": { + "value": false, + "path": "metrics/enabled" + } + } + } + } + } + } + } +} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/values.yaml new file mode 100644 index 00000000..97d86585 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/mongodb/values.yaml @@ -0,0 +1,2524 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) +## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead +## @param global.namespaceOverride Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + defaultStorageClass: "" + storageClass: "" + namespaceOverride: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto +## @section Common parameters +## + +## @param nameOverride String to partially override mongodb.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override mongodb.fullname template +## +fullnameOverride: "mongodb" +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param clusterDomain Default Kubernetes cluster domain +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release +## extraDeploy: +## This needs to be uncommented and added to 'extraDeploy' in order to use the replicaset 'mongo-labeler' sidecar +## for dynamically discovering the mongodb primary pod +## suggestion is to use a hard-coded and predictable TCP port for the primary mongodb pod (here is 30001, choose your own) +## - apiVersion: v1 +## kind: Service +## metadata: +## name: mongodb-primary +## namespace: the-mongodb-namespace +## labels: +## app.kubernetes.io/component: mongodb +## app.kubernetes.io/instance: mongodb +## app.kubernetes.io/managed-by: Helm +## app.kubernetes.io/name: mongodb +## spec: +## type: NodePort +## externalTrafficPolicy: Cluster +## ports: +## - name: mongodb +## port: 30001 +## nodePort: 30001 +## protocol: TCP +## targetPort: mongodb +## selector: +## app.kubernetes.io/component: mongodb +## app.kubernetes.io/instance: mongodb +## app.kubernetes.io/name: mongodb +## primary: "true" +## +extraDeploy: [] +## @param commonLabels Add labels to all the deployed resources (sub-charts are not considered). Evaluated as a template +## +commonLabels: {} +## @param commonAnnotations Common annotations to add to all Mongo resources (sub-charts are not considered). Evaluated as a template +## +commonAnnotations: {} +## @param topologyKey Override common lib default topology key. If empty - "kubernetes.io/hostname" is used +## i.e. topologyKey: topology.kubernetes.io/zone +## +topologyKey: "" +## @param serviceBindings.enabled Create secret for service binding (Experimental) +## Ref: https://servicebinding.io/service-provider/ +## +serviceBindings: + enabled: false +## @param enableServiceLinks Whether information about services should be injected into pod's environment variable +## The environment variables injected by service links are not used, but can lead to slow boot times or slow running of the scripts when there are many services in the current namespace. +## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. +## +enableServiceLinks: true +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity +## @section MongoDB(®) parameters +## + +## Bitnami MongoDB(®) image +## ref: https://hub.docker.com/r/bitnami/mongodb/tags/ +## @param image.registry [default: REGISTRY_NAME] MongoDB(®) image registry +## @param image.repository [default: REPOSITORY_NAME/mongodb] MongoDB(®) image registry +## @skip image.tag MongoDB(®) image tag (immutable tags are recommended) +## @param image.digest MongoDB(®) image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy MongoDB(®) image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Set to true if you would like to see extra information on logs +## +image: + registry: docker.io + repository: bitnami/mongodb + tag: 8.0.3-debian-12-r0 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## @param schedulerName Name of the scheduler (other than default) to dispatch pods +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param architecture MongoDB(®) architecture (`standalone` or `replicaset`) +## +architecture: standalone +## @param useStatefulSet Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) +## +useStatefulSet: false +## MongoDB(®) Authentication parameters +## +auth: + ## @param auth.enabled Enable authentication + ## ref: https://docs.mongodb.com/manual/tutorial/enable-authentication/ + ## + enabled: true + ## @param auth.rootUser MongoDB(®) root user + ## + rootUser: root + ## @param auth.rootPassword MongoDB(®) root password + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#setting-the-root-user-and-password-on-first-run + ## + rootPassword: "" + ## MongoDB(®) custom users and databases + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#creating-a-user-and-database-on-first-run + ## @param auth.usernames List of custom users to be created during the initialization + ## @param auth.passwords List of passwords for the custom users set at `auth.usernames` + ## @param auth.databases List of custom databases to be created during the initialization + ## + usernames: [] + passwords: [] + databases: [] + ## @param auth.username DEPRECATED: use `auth.usernames` instead + ## @param auth.password DEPRECATED: use `auth.passwords` instead + ## @param auth.database DEPRECATED: use `auth.databases` instead + ## + username: "" + password: "" + database: "" + ## @param auth.replicaSetKey Key used for authentication in the replicaset (only when `architecture=replicaset`) + ## + replicaSetKey: "" + ## @param auth.existingSecret Existing secret with MongoDB(®) credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, `mongodb-replica-set-key`) + ## NOTE: When it's set the previous parameters are ignored. + ## + existingSecret: "" +tls: + ## @param tls.enabled Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes + ## + enabled: false + mTLS: + ## @param tls.mTLS.enabled IF TLS support is enabled, require clients to provide certificates + enabled: true + ## @param tls.autoGenerated Generate a custom CA and self-signed certificates + ## + autoGenerated: true + ## @param tls.existingSecret Existing secret with TLS certificates (keys: `mongodb-ca-cert`, `mongodb-ca-key`) + ## NOTE: When it's set it will disable secret creation. + ## + existingSecret: "" + ## Add Custom CA certificate + ## @param tls.caCert Custom CA certificated (base64 encoded) + ## @param tls.caKey CA certificate private key (base64 encoded) + ## + caCert: "" + caKey: "" + ## @param tls.pemChainIncluded Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. + ## Certificates must be in proper order, where the top certificate is the leaf and the bottom certificate is the top-most intermediate CA. + ## + pemChainIncluded: false + standalone: + ## @param tls.standalone.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecret: "" + replicaset: + ## @param tls.replicaset.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## existingSecrets: + ## - "mySecret-0" + ## - "mySecret-1" + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecrets: [] + hidden: + ## @param tls.hidden.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## existingSecrets: + ## - "mySecret-0" + ## - "mySecret-1" + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecrets: [] + arbiter: + ## @param tls.arbiter.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecret: "" + ## Bitnami Nginx image + ## @param tls.image.registry [default: REGISTRY_NAME] Init container TLS certs setup image registry + ## @param tls.image.repository [default: REPOSITORY_NAME/nginx] Init container TLS certs setup image repository + ## @skip tls.image.tag Init container TLS certs setup image tag (immutable tags are recommended) + ## @param tls.image.digest Init container TLS certs setup image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param tls.image.pullPolicy Init container TLS certs setup image pull policy + ## @param tls.image.pullSecrets Init container TLS certs specify docker-registry secret names as an array + ## @param tls.extraDnsNames Add extra dns names to the CA, can solve x509 auth issue for pod clients + ## + image: + registry: docker.io + repository: bitnami/nginx + tag: 1.27.2-debian-12-r2 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## e.g: + ## extraDnsNames + ## "DNS.6": "$my_host" + ## "DNS.7": "$test" + ## + extraDnsNames: [] + ## @param tls.mode Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) + ## + mode: requireTLS + ## Init Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param tls.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param tls.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init Container securityContext + ## ref: https://kubernetes.io/docs/concepts/security/pod-security-policy/ + ## @param tls.securityContext Init container generate-tls-cert Security context + ## + securityContext: {} + ## Example: + ## allowPrivilegeEscalation: false + ## capabilities: + ## drop: ["ALL"] + ## +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: false +## @param hostAliases Add deployment host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] +## @param replicaSetName Name of the replica set (only when `architecture=replicaset`) +## Ignored when mongodb.architecture=standalone +## +replicaSetName: rs0 +## @param replicaSetHostnames Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) +## Ignored when mongodb.architecture=standalone +## Ignored when externalAccess.enabled=true +## +replicaSetHostnames: true +## @param enableIPv6 Switch to enable/disable IPv6 on MongoDB(®) +## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#enablingdisabling-ipv6 +## +enableIPv6: false +## @param directoryPerDB Switch to enable/disable DirectoryPerDB on MongoDB(®) +## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#enablingdisabling-directoryperdb +## +directoryPerDB: false +## MongoDB(®) System Log configuration +## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#configuring-system-log-verbosity-level +## @param systemLogVerbosity MongoDB(®) system log verbosity level +## @param disableSystemLog Switch to enable/disable MongoDB(®) system log +## +systemLogVerbosity: 0 +disableSystemLog: false +## @param disableJavascript Switch to enable/disable MongoDB(®) server-side JavaScript execution +## ref: https://docs.mongodb.com/manual/core/server-side-javascript/ +## +disableJavascript: false +## @param enableJournal Switch to enable/disable MongoDB(®) Journaling +## ref: https://docs.mongodb.com/manual/reference/configuration-options/#mongodb-setting-storage.journal.enabled +## +enableJournal: true +## @param configuration MongoDB(®) configuration file to be used for Primary and Secondary nodes +## For documentation of all options, see: http://docs.mongodb.org/manual/reference/configuration-options/ +## Example: +## configuration: |- +## # where and how to store data. +## storage: +## dbPath: /bitnami/mongodb/data/db +## journal: +## enabled: true +## directoryPerDB: false +## # where to write logging data +## systemLog: +## destination: file +## quiet: false +## logAppend: true +## logRotate: reopen +## path: /opt/bitnami/mongodb/logs/mongodb.log +## verbosity: 0 +## # network interfaces +## net: +## port: 27017 +## unixDomainSocket: +## enabled: true +## pathPrefix: /opt/bitnami/mongodb/tmp +## ipv6: false +## bindIpAll: true +## # replica set options +## #replication: +## #replSetName: replicaset +## #enableMajorityReadConcern: true +## # process management options +## processManagement: +## fork: false +## pidFilePath: /opt/bitnami/mongodb/tmp/mongodb.pid +## # set parameter options +## setParameter: +## enableLocalhostAuthBypass: true +## # security options +## security: +## authorization: disabled +## #keyFile: /opt/bitnami/mongodb/conf/keyfile +## +configuration: "" +## @section replicaSetConfigurationSettings settings applied during runtime (not via configuration file) +## If enabled, these are applied by a script which is called within setup.sh +## for documentation see https://docs.mongodb.com/manual/reference/replica-configuration/#replica-set-configuration-fields +## @param replicaSetConfigurationSettings.enabled Enable MongoDB(®) Switch to enable/disable configuring MongoDB(®) run time rs.conf settings +## @param replicaSetConfigurationSettings.configuration run-time rs.conf settings +## +replicaSetConfigurationSettings: + enabled: false + configuration: {} +## Custom configurations for individual replica set members. +## Use the prefix 'members[X].' to apply settings to the member X of the replica set. +## Example: 'members[0].priority: 3' sets the priority of the first replica set member to 3. +## The index X in 'members[X]' corresponds to the member's position in the replica set. +## members[0].priority: 3 +## chainingAllowed : false +## heartbeatTimeoutSecs : 10 +## heartbeatIntervalMillis : 2000 +## electionTimeoutMillis : 10000 +## catchUpTimeoutMillis : 30000 +## @param existingConfigmap Name of existing ConfigMap with MongoDB(®) configuration for Primary and Secondary nodes +## NOTE: When it's set the arbiter.configuration parameter is ignored +## +existingConfigmap: "" +## @param initdbScripts Dictionary of initdb scripts +## Specify dictionary of scripts to be run at first boot +## Example: +## initdbScripts: +## my_init_script.sh: | +## #!/bin/bash +## echo "Do something." +## +initdbScripts: {} +## @param initdbScriptsConfigMap Existing ConfigMap with custom initdb scripts +## +initdbScriptsConfigMap: "" +## Command and args for running the container (set to default if not set). Use array form +## @param command Override default container command (useful when using custom images) +## @param args Override default container args (useful when using custom images) +## +command: [] +args: [] +## @param extraFlags MongoDB(®) additional command line flags +## Example: +## extraFlags: +## - "--wiredTigerCacheSizeGB=2" +## +extraFlags: [] +## @param extraEnvVars Extra environment variables to add to MongoDB(®) pods +## E.g: +## extraEnvVars: +## - name: FOO +## value: BAR +## +extraEnvVars: [] +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) +## +extraEnvVarsSecret: "" +## @section MongoDB(®) statefulset parameters +## + +## @param annotations Additional labels to be added to the MongoDB(®) statefulset. Evaluated as a template +## +annotations: {} +## @param labels Annotations to be added to the MongoDB(®) statefulset. Evaluated as a template +## +labels: {} +## @param replicaCount Number of MongoDB(®) nodes +## When `mongodb.architecture=replicaset`, the number of replicas is taken in account +## When `mongodb.architecture=standalone`, the number of replicas can only be 0 or 1 (value higher then 1 will not be taken in account) +## +replicaCount: 2 +## @param updateStrategy.type Strategy to use to replace existing MongoDB(®) pods. When architecture=standalone and useStatefulSet=false, +## this parameter will be applied on a deployment object. In other case it will be applied on a statefulset object +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## Example: +## updateStrategy: +## type: RollingUpdate +## rollingUpdate: +## maxSurge: 25% +## maxUnavailable: 25% +## +updateStrategy: + type: RollingUpdate +## @param podManagementPolicy Pod management policy for MongoDB(®) +## Should be initialized one by one when building the replicaset for the first time +## +podManagementPolicy: OrderedReady +## @param podAffinityPreset MongoDB(®) Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset MongoDB(®) Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type MongoDB(®) Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key MongoDB(®) Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values MongoDB(®) Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] +## @param affinity MongoDB(®) Affinity for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param nodeSelector MongoDB(®) Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param tolerations MongoDB(®) Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param topologySpreadConstraints MongoDB(®) Spread Constraints for Pods +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## +topologySpreadConstraints: [] +## @param lifecycleHooks LifecycleHook for the MongoDB(®) container(s) to automate configuration before or after startup +## +lifecycleHooks: {} +## @param terminationGracePeriodSeconds MongoDB(®) Termination Grace Period +## +terminationGracePeriodSeconds: "" +## @param podLabels MongoDB(®) pod labels +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAnnotations MongoDB(®) Pod annotations +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param priorityClassName Name of the existing priority class to be used by MongoDB(®) pod(s) +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" +## @param runtimeClassName Name of the runtime class to be used by MongoDB(®) pod(s) +## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ +## +runtimeClassName: "" +## MongoDB(®) pods' Security Context. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enable MongoDB(®) pod(s)' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Group ID for the volumes of the MongoDB(®) pod(s) +## @param podSecurityContext.sysctls sysctl settings of the MongoDB(®) pod(s)' +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] + fsGroup: 1001 + ## sysctl settings + ## Example: + ## sysctls: + ## - name: net.core.somaxconn + ## value: "10000" + ## + sysctls: [] +## MongoDB(®) containers' Security Context (main and metrics container). +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## MongoDB(®) containers' resource requests and limits. +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "small" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} +## @param containerPorts.mongodb MongoDB(®) container port +## +containerPorts: + mongodb: 27017 +## MongoDB(®) pods' liveness probe. Evaluated as a template. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param livenessProbe.enabled Enable livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 +## MongoDB(®) pods' readiness probe. Evaluated as a template. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param readinessProbe.enabled Enable readinessProbe +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 +## Slow starting containers can be protected through startup probes +## Startup probes are available in Kubernetes version 1.16 and above +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes +## @param startupProbe.enabled Enable startupProbe +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 20 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 30 +## @param customLivenessProbe Override default liveness probe for MongoDB(®) containers +## Ignored when livenessProbe.enabled=true +## +customLivenessProbe: {} +## @param customReadinessProbe Override default readiness probe for MongoDB(®) containers +## Ignored when readinessProbe.enabled=true +## +customReadinessProbe: {} +## @param customStartupProbe Override default startup probe for MongoDB(®) containers +## Ignored when startupProbe.enabled=true +## +customStartupProbe: {} +## @param initContainers Add additional init containers for the hidden node pod(s) +## Example: +## initContainers: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +initContainers: [] +## @param sidecars Add additional sidecar containers for the MongoDB(®) pod(s) +## Example: +## sidecars: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## This is an optional 'mongo-labeler' sidecar container that tracks replica-set for the primary mongodb pod +## and labels it dynamically with ' primary: "true" ' in order for an extra-deployed service to always expose +## and attach to the primary pod, this needs to be uncommented along with the suggested 'extraDeploy' example +## and the suggested rbac example for the pod to be allowed adding labels to mongo replica pods +## search 'mongo-labeler' through this file to find the sections that needs to be uncommented to make it work +## +## - name: mongo-labeler +## image: korenlev/k8s-mongo-labeler-sidecar +## imagePullPolicy: Always +## env: +## - name: LABEL_SELECTOR +## value: "app.kubernetes.io/component=mongodb,app.kubernetes.io/instance=mongodb,app.kubernetes.io/name=mongodb" +## - name: NAMESPACE +## value: "the-mongodb-namespace" +## - name: DEBUG +## value: "true" +## +sidecars: [] +## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MongoDB(®) container(s) +## Examples: +## extraVolumeMounts: +## - name: extras +## mountPath: /usr/share/extras +## readOnly: true +## +extraVolumeMounts: [] +## @param extraVolumes Optionally specify extra list of additional volumes to the MongoDB(®) statefulset +## extraVolumes: +## - name: extras +## emptyDir: {} +## +extraVolumes: [] +## MongoDB(®) Pod Disruption Budget configuration +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +## +pdb: + ## @param pdb.create Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s) + ## + create: true + ## @param pdb.minAvailable Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction + ## + minAvailable: "" + ## @param pdb.maxUnavailable Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. + ## + maxUnavailable: "" +## @section Traffic exposure parameters +## + +## Service parameters +## +service: + ## @param service.nameOverride MongoDB(®) service name + ## + nameOverride: "" + ## @param service.type Kubernetes Service type (only for standalone architecture) + ## + type: ClusterIP + ## @param service.portName MongoDB(®) service port name (only for standalone architecture) + ## + portName: mongodb + ## @param service.ports.mongodb MongoDB(®) service port. + ## + ports: + mongodb: 27017 + ## @param service.nodePorts.mongodb Port to bind to for NodePort and LoadBalancer service types (only for standalone architecture) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + mongodb: "" + ## @param service.clusterIP MongoDB(®) service cluster IP (only for standalone architecture) + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.externalIPs Specify the externalIP value ClusterIP service type (only for standalone architecture) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips + ## + externalIPs: [] + ## @param service.loadBalancerIP loadBalancerIP for MongoDB(®) Service (only for standalone architecture) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + ## + loadBalancerIP: "" + ## @param service.loadBalancerClass loadBalancerClass for MongoDB(®) Service (only for standalone architecture) + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" + ## @param service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer (only for standalone architecture) + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + loadBalancerSourceRanges: [] + ## @param service.allocateLoadBalancerNodePorts Wheter to allocate node ports when service type is LoadBalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: true + ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param service.annotations Provide any additional annotations that may be required + ## + annotations: {} + ## @param service.externalTrafficPolicy service external traffic policy (only for standalone architecture) + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Local + ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param service.headless.annotations Annotations for the headless service. + ## + annotations: {} +## External Access to MongoDB(®) nodes configuration +## +externalAccess: + ## @param externalAccess.enabled Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) + ## + enabled: false + ## External IPs auto-discovery configuration + ## An init container is used to auto-detect LB IPs or node ports by querying the K8s API + ## Note: RBAC might be required + ## + autoDiscovery: + ## @param externalAccess.autoDiscovery.enabled Enable using an init container to auto-detect external IPs by querying the K8s API + ## + enabled: false + ## Bitnami Kubectl image + ## ref: https://hub.docker.com/r/bitnami/kubectl/tags/ + ## @param externalAccess.autoDiscovery.image.registry [default: REGISTRY_NAME] Init container auto-discovery image registry + ## @param externalAccess.autoDiscovery.image.repository [default: REPOSITORY_NAME/kubectl] Init container auto-discovery image repository + ## @skip externalAccess.autoDiscovery.image.tag Init container auto-discovery image tag (immutable tags are recommended) + ## @param externalAccess.autoDiscovery.image.digest Init container auto-discovery image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param externalAccess.autoDiscovery.image.pullPolicy Init container auto-discovery image pull policy + ## @param externalAccess.autoDiscovery.image.pullSecrets Init container auto-discovery image pull secrets + ## + image: + registry: docker.io + repository: bitnami/kubectl + tag: 1.31.2-debian-12-r3 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param externalAccess.autoDiscovery.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param externalAccess.autoDiscovery.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init container what mission is ensure public names can be resolved. + ## + dnsCheck: + ## Bitnami os-shell image + ## ref: https://hub.docker.com/r/bitnami/os-shell/tags/ + ## @param externalAccess.dnsCheck.image.registry [default: REGISTRY_NAME] Init container dns-check image registry + ## @param externalAccess.dnsCheck.image.repository [default: REPOSITORY_NAME/kubectl] Init container dns-check image repository + ## @skip externalAccess.dnsCheck.image.tag Init container dns-check image tag (immutable tags are recommended) + ## @param externalAccess.dnsCheck.image.digest Init container dns-check image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param externalAccess.dnsCheck.image.pullPolicy Init container dns-check image pull policy + ## @param externalAccess.dnsCheck.image.pullSecrets Init container dns-check image pull secrets + ## + image: + registry: docker.io + repository: bitnami/os-shell + tag: 12-debian-12-r32 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param externalAccess.dnsCheck.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param externalAccess.dnsCheck.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Parameters to configure a set of Pods that connect to an existing MongoDB(®) deployment that lies outside of Kubernetes. + ## @param externalAccess.externalMaster.enabled Use external master for bootstrapping + ## @param externalAccess.externalMaster.host External master host to bootstrap from + ## @param externalAccess.externalMaster.port Port for MongoDB(®) service external master host + ## + externalMaster: + enabled: false + host: "" + port: 27017 + ## Parameters to configure K8s service(s) used to externally access MongoDB(®) + ## A new service per broker will be created + ## + service: + ## @param externalAccess.service.type Kubernetes Service type for external access. Allowed values: NodePort, LoadBalancer or ClusterIP + ## + type: LoadBalancer + ## @param externalAccess.service.portName MongoDB(®) port name used for external access when service type is LoadBalancer + ## + portName: "mongodb" + ## @param externalAccess.service.ports.mongodb MongoDB(®) port used for external access when service type is LoadBalancer + ## + ports: + mongodb: 27017 + ## @param externalAccess.service.loadBalancerIPs Array of load balancer IPs for MongoDB(®) nodes + ## Example: + ## loadBalancerIPs: + ## - X.X.X.X + ## - Y.Y.Y.Y + ## + loadBalancerIPs: [] + ## @param externalAccess.service.publicNames Array of public names. The size should be equal to the number of replicas. + ## + publicNames: [] + ## @param externalAccess.service.loadBalancerClass loadBalancerClass when service type is LoadBalancer + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" + ## @param externalAccess.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## Example: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param externalAccess.service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: true + ## @param externalAccess.service.externalTrafficPolicy MongoDB(®) service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Local + ## @param externalAccess.service.nodePorts Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort + ## Example: + ## nodePorts: + ## - 30001 + ## - 30002 + ## + nodePorts: [] + ## @param externalAccess.service.domain Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort + ## If not specified, the container will try to get the kubernetes node external IP + ## e.g: + ## domain: mydomain.com + ## + domain: "" + ## @param externalAccess.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param externalAccess.service.annotations Service annotations for external access. These annotations are common for all services created. + ## + annotations: {} + ## @param externalAccess.service.annotationsList Service annotations for eache external service. This value contains a list allowing different annotations per each external service. + ## Eg: + ## annotationsList: + ## - external-dns.alpha.kubernetes.io/hostname: mongodb-0.example.com + ## - external-dns.alpha.kubernetes.io/hostname: mongodb-1.example.com + ## + annotationsList: [] + ## @param externalAccess.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param externalAccess.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## External Access to MongoDB(®) Hidden nodes configuration + ## + hidden: + ## @param externalAccess.hidden.enabled Enable Kubernetes external cluster access to MongoDB(®) hidden nodes + ## + enabled: false + ## Parameters to configure K8s service(s) used to externally access MongoDB(®) + ## A new service per broker will be created + ## + service: + ## @param externalAccess.hidden.service.type Kubernetes Service type for external access. Allowed values: NodePort or LoadBalancer + ## + type: LoadBalancer + ## @param externalAccess.hidden.service.portName MongoDB(®) port name used for external access when service type is LoadBalancer + ## + portName: "mongodb" + ## @param externalAccess.hidden.service.ports.mongodb MongoDB(®) port used for external access when service type is LoadBalancer + ## + ports: + mongodb: 27017 + ## @param externalAccess.hidden.service.loadBalancerIPs Array of load balancer IPs for MongoDB(®) nodes + ## Example: + ## loadBalancerIPs: + ## - X.X.X.X + ## - Y.Y.Y.Y + ## + loadBalancerIPs: [] + ## @param externalAccess.hidden.service.loadBalancerClass loadBalancerClass when service type is LoadBalancer + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" + ## @param externalAccess.hidden.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## Example: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param externalAccess.hidden.service.allocateLoadBalancerNodePorts Wheter to allocate node ports when service type is LoadBalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: true + ## @param externalAccess.hidden.service.externalTrafficPolicy MongoDB(®) service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Local + ## @param externalAccess.hidden.service.nodePorts Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort. Length must be the same as replicaCount + ## Example: + ## nodePorts: + ## - 30001 + ## - 30002 + ## + nodePorts: [] + ## @param externalAccess.hidden.service.domain Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort + ## If not specified, the container will try to get the kubernetes node external IP + ## e.g: + ## domain: mydomain.com + ## + domain: "" + ## @param externalAccess.hidden.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param externalAccess.hidden.service.annotations Service annotations for external access + ## + annotations: {} + ## @param externalAccess.hidden.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param externalAccess.hidden.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} +## @section Network policy parameters +## + +## Network Policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. + ## + addExternalClientAccess: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. + ## e.g: + ## ingressPodMatchLabels: + ## my-client: "true" + # + ingressPodMatchLabels: {} + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} +persistence: + ## @param persistence.enabled Enable MongoDB(®) data persistence using PVC + ## + enabled: true + ## @param persistence.name Name of the PVC and mounted volume + ## + name: "datadir" + ## @param persistence.medium Provide a medium for `emptyDir` volumes. + ## Requires persistence.enabled: false + ## + medium: "" + ## @param persistence.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + ## Ignored when mongodb.architecture=replicaset + ## + existingClaim: "" + ## @param persistence.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted + ## + resourcePolicy: "" + ## @param persistence.storageClass PVC Storage Class for MongoDB(®) data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param persistence.accessModes PV Access Mode + ## + accessModes: + - ReadWriteOnce + ## @param persistence.size PVC Storage Request for MongoDB(®) data volume + ## + size: 8Gi + ## @param persistence.annotations PVC annotations + ## + annotations: {} + ## @param persistence.labels PVC labels + ## + labels: {} + ## @param persistence.mountPath Path to mount the volume at + ## MongoDB(®) images. + ## + mountPath: /bitnami/mongodb + ## @param persistence.subPath Subdirectory of the volume to mount at + ## and one PV for multiple services. + ## + subPath: "" + ## Fine tuning for volumeClaimTemplates + ## + volumeClaimTemplates: + ## @param persistence.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) + ## A label query over volumes to consider for binding (e.g. when using local volumes) + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details + ## + selector: {} + ## @param persistence.volumeClaimTemplates.requests Custom PVC requests attributes + ## Sometime cloud providers use additional requests attributes to provision custom storage instance + ## See https://cloud.ibm.com/docs/containers?topic=containers-file_storage#file_dynamic_statefulset + ## + requests: {} + ## @param persistence.volumeClaimTemplates.dataSource Add dataSource to the VolumeClaimTemplate + ## + dataSource: {} +## Persistent Volume Claim Retention Policy +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention +## +persistentVolumeClaimRetentionPolicy: + ## @param persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for MongoDB(®) Statefulset + ## + enabled: false + ## @param persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced + ## + whenScaled: Retain + ## @param persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted + ## + whenDeleted: Retain +## @section Backup parameters +## This section implements a trivial logical dump cronjob of the database. +## This only comes with the consistency guarantees of the dump program. +## This is not a snapshot based roll forward/backward recovery backup. +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ +## +backup: + ## @param backup.enabled Enable the logical dump of the database "regularly" + ## + enabled: false + ## Fine tuning cronjob's config + ## + cronjob: + ## @param backup.cronjob.schedule Set the cronjob parameter schedule + ## + schedule: "@daily" + ## @param backup.cronjob.timeZone Set the cronjob parameter timeZone + ## + timeZone: "" + ## @param backup.cronjob.concurrencyPolicy Set the cronjob parameter concurrencyPolicy + ## + concurrencyPolicy: Allow + ## @param backup.cronjob.failedJobsHistoryLimit Set the cronjob parameter failedJobsHistoryLimit + ## + failedJobsHistoryLimit: 1 + ## @param backup.cronjob.successfulJobsHistoryLimit Set the cronjob parameter successfulJobsHistoryLimit + ## + successfulJobsHistoryLimit: 3 + ## @param backup.cronjob.startingDeadlineSeconds Set the cronjob parameter startingDeadlineSeconds + ## + startingDeadlineSeconds: "" + ## @param backup.cronjob.ttlSecondsAfterFinished Set the cronjob parameter ttlSecondsAfterFinished + ## + ttlSecondsAfterFinished: "" + ## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy + ## + restartPolicy: OnFailure + ## @param backup.cronjob.backoffLimit Set the cronjob parameter backoffLimit + backoffLimit: 6 + ## backup container's Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context + ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged + ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param backup.cronjob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param backup.cronjob.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## backup container's resource requests and limits. + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param backup.cronjob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param backup.cronjob.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param backup.cronjob.command Set backup container's command to run + ## + command: [] + ## @param backup.cronjob.labels Set the cronjob labels + ## + labels: {} + ## @param backup.cronjob.annotations Set the cronjob annotations + ## + annotations: {} + ## Backup container's + ## + storage: + ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) + ## If defined, PVC must be created manually before volume will be bound + ## + existingClaim: "" + ## @param backup.cronjob.storage.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted + ## + resourcePolicy: "" + ## @param backup.cronjob.storage.storageClass PVC Storage Class for the backup data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param backup.cronjob.storage.accessModes PV Access Mode + ## + accessModes: + - ReadWriteOnce + ## @param backup.cronjob.storage.size PVC Storage Request for the backup data volume + ## + size: 8Gi + ## @param backup.cronjob.storage.annotations PVC annotations + ## + annotations: {} + ## @param backup.cronjob.storage.mountPath Path to mount the volume at + ## + mountPath: /backup/mongodb + ## @param backup.cronjob.storage.subPath Subdirectory of the volume to mount at + ## and one PV for multiple services. + ## + subPath: "" + ## Fine tuning for volumeClaimTemplates + ## + volumeClaimTemplates: + ## @param backup.cronjob.storage.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) + ## A label query over volumes to consider for binding (e.g. when using local volumes) + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details + ## + selector: {} +## @section RBAC parameters +## + +## ServiceAccount +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for MongoDB(®) pods + ## + create: true + ## @param serviceAccount.name Name of the created serviceAccount + ## If not set and create is true, a name is generated using the mongodb.fullname template + ## + name: "" + ## @param serviceAccount.annotations Additional Service Account annotations + ## + annotations: {} + ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## Can be set to false if pods using this serviceAccount do not need to use K8s API + ## + automountServiceAccountToken: false +## Role Based Access +## ref: https://kubernetes.io/docs/admin/authorization/rbac/ +## +rbac: + ## @param rbac.create Whether to create & use RBAC resources or not + ## binding MongoDB(®) ServiceAccount to a role + ## that allows MongoDB(®) pods querying the K8s API + ## this needs to be set to 'true' to enable the mongo-labeler sidecar primary mongodb discovery + ## + create: false + ## @param rbac.rules Custom rules to create following the role specification + ## The example below needs to be uncommented to use the 'mongo-labeler' sidecar for dynamic discovery of the primary mongodb pod: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## - watch + ## - update + ## + rules: [] +## PodSecurityPolicy configuration +## Be sure to also set rbac.create to true, otherwise Role and RoleBinding won't be created. +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +podSecurityPolicy: + ## @param podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later + ## + create: false + ## @param podSecurityPolicy.allowPrivilegeEscalation Enable privilege escalation + ## Either use predefined policy with some adjustments or use `podSecurityPolicy.spec` + ## + allowPrivilegeEscalation: false + ## @param podSecurityPolicy.privileged Allow privileged + ## + privileged: false + ## @param podSecurityPolicy.spec Specify the full spec to use for Pod Security Policy + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## Defining a spec ignores the above values. + ## + spec: {} + ## Example: + ## allowPrivilegeEscalation: false + ## fsGroup: + ## rule: 'MustRunAs' + ## ranges: + ## - min: 1001 + ## max: 1001 + ## hostIPC: false + ## hostNetwork: false + ## hostPID: false + ## privileged: false + ## readOnlyRootFilesystem: true + ## requiredDropCapabilities: + ## - ALL + ## runAsUser: + ## rule: 'MustRunAs' + ## ranges: + ## - min: 1001 + ## max: 1001 + ## seLinux: + ## rule: 'RunAsAny' + ## supplementalGroups: + ## rule: 'MustRunAs' + ## ranges: + ## - min: 1001 + ## max: 1001 + ## volumes: + ## - 'configMap' + ## - 'secret' + ## - 'emptyDir' + ## - 'persistentVolumeClaim' + ## +## @section Volume Permissions parameters +## +## Init Container parameters +## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component +## values from the securityContext section of the component +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` + ## + enabled: false + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository + ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/os-shell + tag: 12-debian-12-r32 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init container Security Context + ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser + ## and not the below volumePermissions.securityContext.runAsUser + ## When runAsUser is set to special value "auto", init container will try to chwon the + ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). + ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with + ## podSecurityContext.enabled=false,containerSecurityContext.enabled=false and shmVolume.chmod.enabled=false + ## @param volumePermissions.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param volumePermissions.securityContext.runAsUser User ID for the volumePermissions container + ## + securityContext: + seLinuxOptions: {} + runAsUser: 0 +## @section Arbiter parameters +## +arbiter: + ## @param arbiter.enabled Enable deploying the arbiter + ## https://docs.mongodb.com/manual/tutorial/add-replica-set-arbiter/ + ## + enabled: true + ## @param arbiter.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## @param arbiter.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param arbiter.configuration Arbiter configuration file to be used + ## http://docs.mongodb.org/manual/reference/configuration-options/ + ## + configuration: "" + ## @param arbiter.existingConfigmap Name of existing ConfigMap with Arbiter configuration + ## NOTE: When it's set the arbiter.configuration parameter is ignored + ## + existingConfigmap: "" + ## Command and args for running the container (set to default if not set). Use array form + ## @param arbiter.command Override default container command (useful when using custom images) + ## @param arbiter.args Override default container args (useful when using custom images) + ## + command: [] + args: [] + ## @param arbiter.extraFlags Arbiter additional command line flags + ## Example: + ## extraFlags: + ## - "--wiredTigerCacheSizeGB=2" + ## + extraFlags: [] + ## @param arbiter.extraEnvVars Extra environment variables to add to Arbiter pods + ## E.g: + ## extraEnvVars: + ## - name: FOO + ## value: BAR + ## + extraEnvVars: [] + ## @param arbiter.extraEnvVarsCM Name of existing ConfigMap containing extra env vars + ## + extraEnvVarsCM: "" + ## @param arbiter.extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) + ## + extraEnvVarsSecret: "" + ## @param arbiter.annotations Additional labels to be added to the Arbiter statefulset + ## + annotations: {} + ## @param arbiter.labels Annotations to be added to the Arbiter statefulset + ## + labels: {} + ## @param arbiter.topologySpreadConstraints MongoDB(®) Spread Constraints for arbiter Pods + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + ## @param arbiter.lifecycleHooks LifecycleHook for the Arbiter container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param arbiter.terminationGracePeriodSeconds Arbiter Termination Grace Period + ## + terminationGracePeriodSeconds: "" + ## @param arbiter.updateStrategy.type Strategy that will be employed to update Pods in the StatefulSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## updateStrategy: + ## type: RollingUpdate + ## rollingUpdate: + ## maxSurge: 25% + ## maxUnavailable: 25% + ## + updateStrategy: + type: RollingUpdate + ## @param arbiter.podManagementPolicy Pod management policy for MongoDB(®) + ## Should be initialized one by one when building the replicaset for the first time + ## + podManagementPolicy: OrderedReady + ## @param arbiter.schedulerName Name of the scheduler (other than default) to dispatch pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param arbiter.podAffinityPreset Arbiter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param arbiter.podAntiAffinityPreset Arbiter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param arbiter.nodeAffinityPreset.type Arbiter Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param arbiter.nodeAffinityPreset.key Arbiter Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param arbiter.nodeAffinityPreset.values Arbiter Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param arbiter.affinity Arbiter Affinity for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: arbiter.podAffinityPreset, arbiter.podAntiAffinityPreset, and arbiter.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param arbiter.nodeSelector Arbiter Node labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param arbiter.tolerations Arbiter Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param arbiter.podLabels Arbiter pod labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param arbiter.podAnnotations Arbiter Pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param arbiter.priorityClassName Name of the existing priority class to be used by Arbiter pod(s) + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## @param arbiter.runtimeClassName Name of the runtime class to be used by Arbiter pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## MongoDB(®) Arbiter pods' Security Context. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param arbiter.podSecurityContext.enabled Enable Arbiter pod(s)' Security Context + ## @param arbiter.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param arbiter.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param arbiter.podSecurityContext.fsGroup Group ID for the volumes of the Arbiter pod(s) + ## @param arbiter.podSecurityContext.sysctls sysctl settings of the Arbiter pod(s)' + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] + fsGroup: 1001 + ## sysctl settings + ## Example: + ## sysctls: + ## - name: net.core.somaxconn + ## value: "10000" + ## + sysctls: [] + ## MongoDB(®) Arbiter containers' Security Context (only main container). + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param arbiter.containerSecurityContext.enabled Enabled containers' Security Context + ## @param arbiter.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param arbiter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param arbiter.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param arbiter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param arbiter.containerSecurityContext.privileged Set container's Security Context privileged + ## @param arbiter.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param arbiter.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param arbiter.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param arbiter.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## MongoDB(®) Arbiter containers' resource requests and limits. + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param arbiter.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if arbiter.resources is set (arbiter.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "small" + ## @param arbiter.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param arbiter.containerPorts.mongodb MongoDB(®) arbiter container port + ## + containerPorts: + mongodb: 27017 + ## MongoDB(®) Arbiter pods' liveness probe. Evaluated as a template. + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param arbiter.livenessProbe.enabled Enable livenessProbe + ## @param arbiter.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param arbiter.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param arbiter.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param arbiter.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param arbiter.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + ## MongoDB(®) Arbiter pods' readiness probe. Evaluated as a template. + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param arbiter.readinessProbe.enabled Enable readinessProbe + ## @param arbiter.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param arbiter.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param arbiter.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param arbiter.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param arbiter.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + ## MongoDB(®) Arbiter pods' startup probe. Evaluated as a template. + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param arbiter.startupProbe.enabled Enable startupProbe + ## @param arbiter.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param arbiter.startupProbe.periodSeconds Period seconds for startupProbe + ## @param arbiter.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param arbiter.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param arbiter.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 30 + ## @param arbiter.customLivenessProbe Override default liveness probe for Arbiter containers + ## Ignored when arbiter.livenessProbe.enabled=true + ## + customLivenessProbe: {} + ## @param arbiter.customReadinessProbe Override default readiness probe for Arbiter containers + ## Ignored when arbiter.readinessProbe.enabled=true + ## + customReadinessProbe: {} + ## @param arbiter.customStartupProbe Override default startup probe for Arbiter containers + ## Ignored when arbiter.startupProbe.enabled=true + ## + customStartupProbe: {} + ## @param arbiter.initContainers Add additional init containers for the Arbiter pod(s) + ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## @param arbiter.sidecars Add additional sidecar containers for the Arbiter pod(s) + ## Example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param arbiter.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Arbiter container(s) + ## Examples: + ## extraVolumeMounts: + ## - name: extras + ## mountPath: /usr/share/extras + ## readOnly: true + ## + extraVolumeMounts: [] + ## @param arbiter.extraVolumes Optionally specify extra list of additional volumes to the Arbiter statefulset + ## extraVolumes: + ## - name: extras + ## emptyDir: {} + ## + extraVolumes: [] + ## MongoDB(®) Arbiter Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + pdb: + ## @param arbiter.pdb.create Enable/disable a Pod Disruption Budget creation for Arbiter pod(s) + ## + create: true + ## @param arbiter.pdb.minAvailable Minimum number/percentage of Arbiter pods that should remain scheduled + ## + minAvailable: "" + ## @param arbiter.pdb.maxUnavailable Maximum number/percentage of Arbiter pods that may be made unavailable. Defaults to `1` if both `arbiter.pdb.minAvailable` and `arbiter.pdb.maxUnavailable` are empty. + ## + maxUnavailable: "" + ## MongoDB(®) Arbiter service parameters + ## + service: + ## @param arbiter.service.nameOverride The arbiter service name + ## + nameOverride: "" + ## @param arbiter.service.ports.mongodb MongoDB(®) service port + ## + ports: + mongodb: 27017 + ## @param arbiter.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param arbiter.service.annotations Provide any additional annotations that may be required + ## + annotations: {} + ## Headless service properties + ## + headless: + ## @param arbiter.service.headless.annotations Annotations for the headless service. + ## + annotations: {} +## @section Hidden Node parameters +## +hidden: + ## @param hidden.enabled Enable deploying the hidden nodes + ## https://docs.mongodb.com/manual/tutorial/configure-a-hidden-replica-set-member/ + ## + enabled: false + ## @param hidden.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## @param hidden.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param hidden.configuration Hidden node configuration file to be used + ## http://docs.mongodb.org/manual/reference/configuration-options/ + ## + configuration: "" + ## @param hidden.existingConfigmap Name of existing ConfigMap with Hidden node configuration + ## NOTE: When it's set the hidden.configuration parameter is ignored + ## + existingConfigmap: "" + ## Command and args for running the container (set to default if not set). Use array form + ## @param hidden.command Override default container command (useful when using custom images) + ## @param hidden.args Override default container args (useful when using custom images) + ## + command: [] + args: [] + ## @param hidden.extraFlags Hidden node additional command line flags + ## Example: + ## extraFlags: + ## - "--wiredTigerCacheSizeGB=2" + ## + extraFlags: [] + ## @param hidden.extraEnvVars Extra environment variables to add to Hidden node pods + ## E.g: + ## extraEnvVars: + ## - name: FOO + ## value: BAR + ## + extraEnvVars: [] + ## @param hidden.extraEnvVarsCM Name of existing ConfigMap containing extra env vars + ## + extraEnvVarsCM: "" + ## @param hidden.extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) + ## + extraEnvVarsSecret: "" + ## @param hidden.annotations Additional labels to be added to thehidden node statefulset + ## + annotations: {} + ## @param hidden.labels Annotations to be added to the hidden node statefulset + ## + labels: {} + ## @param hidden.topologySpreadConstraints MongoDB(®) Spread Constraints for hidden Pods + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + ## @param hidden.lifecycleHooks LifecycleHook for the Hidden container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param hidden.replicaCount Number of hidden nodes (only when `architecture=replicaset`) + ## Ignored when mongodb.architecture=standalone + ## + replicaCount: 1 + ## @param hidden.terminationGracePeriodSeconds Hidden Termination Grace Period + ## + terminationGracePeriodSeconds: "" + ## @param hidden.updateStrategy.type Strategy that will be employed to update Pods in the StatefulSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## updateStrategy: + ## type: RollingUpdate + ## rollingUpdate: + ## maxSurge: 25% + ## maxUnavailable: 25% + ## + updateStrategy: + type: RollingUpdate + ## @param hidden.podManagementPolicy Pod management policy for hidden node + ## + podManagementPolicy: OrderedReady + ## @param hidden.schedulerName Name of the scheduler (other than default) to dispatch pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param hidden.podAffinityPreset Hidden node Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param hidden.podAntiAffinityPreset Hidden node Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## Allowed values: soft, hard + ## + nodeAffinityPreset: + ## @param hidden.nodeAffinityPreset.type Hidden Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param hidden.nodeAffinityPreset.key Hidden Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param hidden.nodeAffinityPreset.values Hidden Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param hidden.affinity Hidden node Affinity for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param hidden.nodeSelector Hidden node Node labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param hidden.tolerations Hidden node Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param hidden.podLabels Hidden node pod labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param hidden.podAnnotations Hidden node Pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param hidden.priorityClassName Name of the existing priority class to be used by hidden node pod(s) + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## @param hidden.runtimeClassName Name of the runtime class to be used by hidden node pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## MongoDB(®) Hidden pods' Security Context. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param hidden.podSecurityContext.enabled Enable Hidden pod(s)' Security Context + ## @param hidden.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param hidden.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param hidden.podSecurityContext.fsGroup Group ID for the volumes of the Hidden pod(s) + ## @param hidden.podSecurityContext.sysctls sysctl settings of the Hidden pod(s)' + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] + fsGroup: 1001 + ## sysctl settings + ## Example: + ## sysctls: + ## - name: net.core.somaxconn + ## value: "10000" + ## + sysctls: [] + ## MongoDB(®) Hidden containers' Security Context (only main container). + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param hidden.containerSecurityContext.enabled Enabled containers' Security Context + ## @param hidden.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param hidden.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param hidden.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param hidden.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param hidden.containerSecurityContext.privileged Set container's Security Context privileged + ## @param hidden.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param hidden.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param hidden.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param hidden.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## MongoDB(®) Hidden containers' resource requests and limits. + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param hidden.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "micro" + ## @param hidden.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param hidden.containerPorts.mongodb MongoDB(®) hidden container port + ## + containerPorts: + mongodb: 27017 + ## MongoDB(®) Hidden pods' liveness probe. Evaluated as a template. + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param hidden.livenessProbe.enabled Enable livenessProbe + ## @param hidden.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param hidden.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param hidden.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param hidden.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param hidden.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + ## MongoDB(®) Hidden pods' readiness probe. Evaluated as a template. + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param hidden.readinessProbe.enabled Enable readinessProbe + ## @param hidden.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param hidden.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param hidden.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param hidden.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param hidden.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + ## Slow starting containers can be protected through startup probes + ## Startup probes are available in Kubernetes version 1.16 and above + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes + ## @param hidden.startupProbe.enabled Enable startupProbe + ## @param hidden.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param hidden.startupProbe.periodSeconds Period seconds for startupProbe + ## @param hidden.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param hidden.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param hidden.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 30 + ## @param hidden.customLivenessProbe Override default liveness probe for hidden node containers + ## Ignored when hidden.livenessProbe.enabled=true + ## + customLivenessProbe: {} + ## @param hidden.customReadinessProbe Override default readiness probe for hidden node containers + ## Ignored when hidden.readinessProbe.enabled=true + ## + customReadinessProbe: {} + ## @param hidden.customStartupProbe Override default startup probe for MongoDB(®) containers + ## Ignored when hidden.startupProbe.enabled=true + ## + customStartupProbe: {} + ## @param hidden.initContainers Add init containers to the MongoDB(®) Hidden pods. + ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## @param hidden.sidecars Add additional sidecar containers for the hidden node pod(s) + ## Example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param hidden.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the hidden node container(s) + ## Examples: + ## extraVolumeMounts: + ## - name: extras + ## mountPath: /usr/share/extras + ## readOnly: true + ## + extraVolumeMounts: [] + ## @param hidden.extraVolumes Optionally specify extra list of additional volumes to the hidden node statefulset + ## extraVolumes: + ## - name: extras + ## emptyDir: {} + ## + extraVolumes: [] + ## MongoDB(®) Hidden Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + pdb: + ## @param hidden.pdb.create Enable/disable a Pod Disruption Budget creation for hidden node pod(s) + ## + create: true + ## @param hidden.pdb.minAvailable Minimum number/percentage of hidden node pods that should remain scheduled + ## + minAvailable: "" + ## @param hidden.pdb.maxUnavailable Maximum number/percentage of hidden node pods that may be made unavailable. Defaults to `1` if both `hidden.pdb.minAvailable` and `hidden.pdb.maxUnavailable` are empty. + ## + maxUnavailable: "" + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ + ## + persistence: + ## @param hidden.persistence.enabled Enable hidden node data persistence using PVC + ## + enabled: true + ## @param hidden.persistence.medium Provide a medium for `emptyDir` volumes. + ## Requires hidden.persistence.enabled: false + ## + medium: "" + ## @param hidden.persistence.storageClass PVC Storage Class for hidden node data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param hidden.persistence.accessModes PV Access Mode + ## + accessModes: + - ReadWriteOnce + ## @param hidden.persistence.size PVC Storage Request for hidden node data volume + ## + size: 8Gi + ## @param hidden.persistence.annotations PVC annotations + ## + annotations: {} + ## @param hidden.persistence.mountPath The path the volume will be mounted at, useful when using different MongoDB(®) images. + ## + mountPath: /bitnami/mongodb + ## @param hidden.persistence.subPath The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: "" + ## Fine tuning for volumeClaimTemplates + ## + volumeClaimTemplates: + ## @param hidden.persistence.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details + ## + selector: {} + ## @param hidden.persistence.volumeClaimTemplates.requests Custom PVC requests attributes + ## Sometime cloud providers use additional requests attributes to provision custom storage instance + ## See https://cloud.ibm.com/docs/containers?topic=containers-file_storage#file_dynamic_statefulset + ## + requests: {} + ## @param hidden.persistence.volumeClaimTemplates.dataSource Set volumeClaimTemplate dataSource + ## + dataSource: {} + service: + ## @param hidden.service.nameOverride The hidden service name + ## + nameOverride: "" + ## @param hidden.service.portName MongoDB(®) service port name + ## + portName: "mongodb" + ## @param hidden.service.ports.mongodb MongoDB(®) service port + ## + ports: + mongodb: 27017 + ## @param hidden.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param hidden.service.annotations Provide any additional annotations that may be required + ## + annotations: {} + ## Headless service properties + ## + headless: + ## @param hidden.service.headless.annotations Annotations for the headless service. + ## + annotations: {} +## @section Metrics parameters +## +metrics: + ## @param metrics.enabled Enable using a sidecar Prometheus exporter + ## + enabled: false + ## Bitnami MongoDB(®) Promtheus Exporter image + ## ref: https://hub.docker.com/r/bitnami/mongodb-exporter/tags/ + ## @param metrics.image.registry [default: REGISTRY_NAME] MongoDB(®) Prometheus exporter image registry + ## @param metrics.image.repository [default: REPOSITORY_NAME/mongodb-exporter] MongoDB(®) Prometheus exporter image repository + ## @skip metrics.image.tag MongoDB(®) Prometheus exporter image tag (immutable tags are recommended) + ## @param metrics.image.digest MongoDB(®) image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param metrics.image.pullPolicy MongoDB(®) Prometheus exporter image pull policy + ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/mongodb-exporter + tag: 0.41.2-debian-12-r1 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.username String with username for the metrics exporter + ## If undefined the root user will be used for the metrics exporter + ## + username: "" + ## @param metrics.password String with password for the metrics exporter + ## If undefined but metrics.username is defined, a random password will be generated + ## + password: "" + ## @param metrics.compatibleMode Enables old style mongodb-exporter metrics + compatibleMode: true + collector: + ## @param metrics.collector.all Enable all collectors. Same as enabling all individual metrics + ## Enabling all metrics will cause significant CPU load on mongod + all: false + ## @param metrics.collector.diagnosticdata Boolean Enable collecting metrics from getDiagnosticData + diagnosticdata: true + ## @param metrics.collector.replicasetstatus Boolean Enable collecting metrics from replSetGetStatus + replicasetstatus: true + ## @param metrics.collector.dbstats Boolean Enable collecting metrics from dbStats + dbstats: false + ## @param metrics.collector.topmetrics Boolean Enable collecting metrics from top admin command + topmetrics: false + ## @param metrics.collector.indexstats Boolean Enable collecting metrics from $indexStats + indexstats: false + ## @param metrics.collector.collstats Boolean Enable collecting metrics from $collStats + collstats: false + ## @param metrics.collector.collstatsColls List of \.\ to get $collStats + collstatsColls: [] + ## @param metrics.collector.indexstatsColls List - List of \.\ to get $indexStats + indexstatsColls: [] + ## @param metrics.collector.collstatsLimit Number - Disable collstats, dbstats, topmetrics and indexstats collector if there are more than \ collections. 0=No limit + collstatsLimit: 0 + ## @param metrics.extraFlags String with extra flags to the metrics exporter + ## ref: https://github.com/percona/mongodb_exporter/blob/main/main.go + ## + extraFlags: "" + ## Command and args for running the container (set to default if not set). Use array form + ## @param metrics.command Override default container command (useful when using custom images) + ## @param metrics.args Override default container args (useful when using custom images) + ## + command: [] + args: [] + ## Metrics exporter container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param metrics.containerPort Port of the Prometheus metrics container + ## + containerPort: 9216 + ## Prometheus Exporter service configuration + ## + service: + ## @param metrics.service.annotations [object] Annotations for Prometheus Exporter pods. Evaluated as a template. + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" + prometheus.io/path: "/metrics" + ## @param metrics.service.type Type of the Prometheus metrics service + ## + type: ClusterIP + ## @param metrics.service.ports.metrics Port of the Prometheus metrics service + ## + ports: + metrics: 9216 + ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## Metrics exporter liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param metrics.livenessProbe.enabled Enable livenessProbe + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 15 + periodSeconds: 5 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + ## Metrics exporter readiness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param metrics.readinessProbe.enabled Enable readinessProbe + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + ## Slow starting containers can be protected through startup probes + ## Startup probes are available in Kubernetes version 1.16 and above + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes + ## @param metrics.startupProbe.enabled Enable startupProbe + ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe + ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 30 + ## @param metrics.customLivenessProbe Override default liveness probe for MongoDB(®) containers + ## Ignored when livenessProbe.enabled=true + ## + customLivenessProbe: {} + ## @param metrics.customReadinessProbe Override default readiness probe for MongoDB(®) containers + ## Ignored when readinessProbe.enabled=true + ## + customReadinessProbe: {} + ## @param metrics.customStartupProbe Override default startup probe for MongoDB(®) containers + ## Ignored when startupProbe.enabled=true + ## + customStartupProbe: {} + ## @param metrics.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the metrics container(s) + ## Examples: + ## extraVolumeMounts: + ## - name: extras + ## mountPath: /usr/share/extras + ## readOnly: true + ## + extraVolumeMounts: [] + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## + namespace: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 30s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion. + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.labels Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + ## + labels: {} + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + selector: {} + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## Custom PrometheusRule to be defined + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Set this to true to create prometheusRules for Prometheus operator + ## + enabled: false + ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRules will be discovered by Prometheus + ## + additionalLabels: {} + ## @param metrics.prometheusRule.namespace Namespace where prometheusRules resource should be created + ## + namespace: "" + ## @param metrics.prometheusRule.rules Rules to be created, check values for an example + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#rulegroup + ## https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + ## + ## This is an example of a rule, you should add the below code block under the "rules" param, removing the brackets + ## rules: + ## - alert: HighRequestLatency + ## expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5 + ## for: 10m + ## labels: + ## severity: page + ## annotations: + ## summary: High request latency + ## + rules: [] diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/Chart.yaml new file mode 100644 index 00000000..9bcb11b7 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v2 +appVersion: 1.21.1 +description: A Helm chart for installing Percona Server MongoDB Cluster Databases + using the PSMDB Operator. +home: https://www.percona.com/doc/kubernetes-operator-for-psmongodb/index.html +maintainers: +- email: natalia.marukovich@percona.com + name: nmarukovich +- email: julio.pasinatto@percona.com + name: jvpasinatto +- email: eleonora.zinchenko@percona.com + name: eleo007 +name: psmdb-db +version: 1.21.1 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/README.md b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/README.md new file mode 100644 index 00000000..7a6625a5 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/README.md @@ -0,0 +1,363 @@ +# Percona Server for MongoDB + +This chart deploys Percona Server for MongoDB Cluster on Kubernetes controlled by Percona Operator for MongoDB. + +Useful links: + +- [Operator Github repository](https://github.com/percona/percona-server-mongodb-operator) +- [Operator Documentation](https://www.percona.com/doc/kubernetes-operator-for-psmongodb/index.html) + +## Pre-requisites + +- Percona Operator for MongoDB running in your Kubernetes cluster. See installation details [here](https://github.com/percona/percona-helm-charts/blob/main/charts/psmdb-operator) or in the [Operator Documentation](https://www.percona.com/doc/kubernetes-operator-for-psmongodb/helm.html). +- Kubernetes 1.31+ +- Helm v3 + +# Chart Details + +This chart will deploy Percona Server for MongoDB Cluster in Kubernetes. It will create a Custom Resource, and the Operator will trigger the creation of corresponding Kubernetes primitives: StatefulSets, Pods, Secrets, etc. + +## Installing the Chart + +To install the chart with the `psmdb` release name using a dedicated namespace (recommended): + +```sh +helm repo add percona https://percona.github.io/percona-helm-charts/ +helm install my-db percona/psmdb-db --version 1.21.1 --namespace my-namespace +``` + +The chart can be customized using the following configurable parameters: + +| Parameter | Description | Default | +| --------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| `crVersion` | CR Cluster Manifest version | `1.21.1` | +| `pause` | Stop PSMDB Database safely | `false` | +| `unmanaged` | Start cluster and don't manage it (cross cluster replication) | `false` | +| `enableVolumeExpansion` | Allows to resize `PersistentVolumeClaim`s by changing `.volumeSpec.persistentVolumeClaim.resources` field | `false` | +| `enableExternalVolumeAutoscaling` | Supress storage discrepancy error if external volume autoscaling is enabled | `false` | +| `unsafeFlags.tls` | Allows users from configuring a cluster without TLS/SSL certificates | `false` | +| `unsafeFlags.replsetSize` | Allows users from configuring a cluster with unsafe parameters: starting it with less than 3 replica set instances or with an even number of replica set instances without additional arbiter | `false` | +| `unsafeFlags.mongosSize` | Allows users from configuring a sharded cluster with less than 3 config server Pods or less than 2 mongos Pods | `false` | +| `unsafeFlags.terminationGracePeriod` | Allows users from configuring a sharded cluster without termination grace period for replica set | `false` | +| `unsafeFlags.backupIfUnhealthy` | Allows running backup on a cluster with failed health checks | `false` | +| `clusterServiceDNSSuffix` | The (non-standard) cluster domain to be used as a suffix of the Service name | `""` | +| `clusterServiceDNSMode` | Mode for the cluster service dns (Internal/ServiceMesh) | `""` | +| `annotations` | PSMDB custom resource annotations | `{}` | +| `ignoreAnnotations` | The list of annotations to be ignored by the Operator | `[]` | +| `ignoreLabels` | The list of labels to be ignored by the Operator | `[]` | +| `multiCluster.enabled` | Enable Multi Cluster Services (MCS) cluster mode | `false` | +| `multiCluster.DNSSuffix` | The cluster domain to be used as a suffix for multi-cluster Services used by Kubernetes | `""` | +| `updateStrategy` | Regulates the way how PSMDB Cluster Pods will be updated after setting a new image | `SmartUpdate` | +| `upgradeOptions.versionServiceEndpoint` | Endpoint for actual PSMDB Versions provider | `https://check.percona.com/versions/` | +| `upgradeOptions.apply` | PSMDB image to apply from version service - recommended, latest, actual version like 4.4.2-4 | `disabled` | +| `upgradeOptions.schedule` | Cron formatted time to execute the update | `"0 2 * * *"` | +| `upgradeOptions.setFCV` | Set feature compatibility version on major upgrade | `false` | +| `finalizers:percona.com/delete-psmdb-pvc` | Set this if you want to delete database persistent volumes on cluster deletion | `[]` | +| `finalizers:percona.com/delete-psmdb-pods-in-order` | Set this if you want to delete PSMDB pods in order (primary last) | `[]` | +| `finalizers:percona.com/delete-pitr-chunks` | Set this if you want to delete all pitr chunks on cluster deletion | `[]` | +| `image.repository` | PSMDB Container image repository | `percona/percona-server-mongodb` | +| `image.tag` | PSMDB Container image tag | `8.0.12-4` | +| `imagePullPolicy` | The policy used to update images | `Always` | +| `imagePullSecrets` | PSMDB Container pull secret | `[]` | +| `initImage.repository` | Repository for custom init image | `""` | +| `initImage.tag` | Tag for custom init image | `""` | +| `initContainerSecurityContext` | A custom Kubernetes Security Context for a Container for the initImage | `{}` | +| | +| `tls.mode` | Control usage of TLS (allowTLS, preferTLS, requireTLS, disabled) | `preferTLS` | +| `tls.certValidityDuration` | The validity duration of the external certificate for cert manager | `""` | +| `tls.allowInvalidCertificates` | If enabled the mongo shell will not attempt to validate the server certificates | `true` | +| `tls.issuerConf.name` | A cert-manager issuer name | `""` | +| `tls.issuerConf.kind` | A cert-manager issuer kind | `""` | +| `tls.issuerConf.group` | A cert-manager issuer group | `""` | +| | +| `secrets.users` | The name of the Secrets object for the MongoDB users required to run the operator | `""` | +| `secrets.encryptionKey` | Set secret for data at rest encryption key | `""` | +| `secrets.keyFile` | Specifies a secret key file for authenticating MongoDB instances | `""` | +| `secrets.vault` | Specifies a secret object to provide integration with HashiCorp Vault | `""` | +| `secrets.ldapSecret` | Specifies a secret object for LDAP over TLS connection between MongoDB and OpenLDAP server | `""` | +| `secrets.sse` | The name of the Secrets object for server side encryption credentials | `""` | +| `secrets.ssl` | A secret with TLS certificate generated for external communications | `""` | +| `secrets.sslInternal` | A secret with TLS certificate generated for internal communications | `""` | +| | +| `pmm.enabled` | Enable integration with [Percona Monitoring and Management software](https://www.percona.com/blog/2020/07/23/using-percona-kubernetes-operators-with-percona-monitoring-and-management/) | `false` | +| `pmm.image.repository` | PMM Container image repository | `percona/pmm-client` | +| `pmm.image.tag` | PMM Container image tag | `3.4.1` | +| `pmm.serverHost` | PMM server related K8S service hostname | `monitoring-service` | +| `pmm.containerSecurityContext` | Set the security context for PMM container | `{}` | +| `pmm.resources` | Set resources for PMM container | `{}` | +| `pmm.mongodParams` | PMM mongod params | `""` | +| `pmm.mongosParams` | PMM mongos params | `""` | +| `pmm.customClusterName` | PMM cluster name. If not set Operator uses cr.Name for PMM cluster name | `""` | +| | +| `replsets.rs0.name` | ReplicaSet name | `rs0` | +| `replsets.rs0.size` | ReplicaSet size (pod quantity) | `3` | +| `replsets.rs0.terminationGracePeriodSeconds` | The amount of seconds Kubernetes will wait for a clean replica set Pods termination | `""` | +| `replsets.rs0.externalNodes.host` | The URL or IP address of the external replset instance | `""` | +| `replsets.rs0.externalNodes.port` | The port number of the external replset instance | `""` | +| `replsets.rs0.externalNodes.votes` | The number of [votes](https://docs.mongodb.com/manual/reference/replica-configuration/#mongodb-rsconf-rsconf.members-n-.votes) of the external replset instance | `""` | +| `replsets.rs0.externalNodes.priority` | The [priority](https://docs.mongodb.com/manual/reference/replica-configuration/#mongodb-rsconf-rsconf.members-n-.priority) of the external replset instance | `""` | +| `replsets.rs0.configuration` | Custom config for mongod in replica set | `""` | +| `replsets.rs0.topologySpreadConstraints` | Control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains | `{}` | +| `replsets.rs0.replsetOverrides` | Use if you need tooverride the replica set members FQDNs with custom hostnames. Each key under `replsetOverrides` should be name of a Pod. The Operator won’t perform any validation for hostnames, so it's the user’s responsibility to ensure connectivity | `{}` | +| `replsets.rs0.serviceAccountName` | Run replicaset Containers under specified K8S SA | `""` | +| `replsets.rs0.affinity.antiAffinityTopologyKey` | ReplicaSet Pod affinity | `kubernetes.io/hostname` | +| `replsets.rs0.affinity.advanced` | ReplicaSet Pod advanced affinity | `{}` | +| `replsets.rs0.tolerations` | ReplicaSet Pod tolerations | `[]` | +| `replsets.rs0.priorityClass` | ReplicaSet Pod priorityClassName | `""` | +| `replsets.rs0.annotations` | ReplicaSet Pod annotations | `{}` | +| `replsets.rs0.labels` | ReplicaSet Pod labels | `{}` | +| `replsets.rs0.nodeSelector` | ReplicaSet Pod nodeSelector labels | `{}` | +| `replsets.rs0.livenessProbe` | ReplicaSet Pod livenessProbe structure | `{}` | +| `replsets.rs0.readinessProbe` | ReplicaSet Pod readinessProbe structure | `{}` | +| `replsets.rs0.storage` | Set cacheSizeRatio or other custom MongoDB storage options | `{}` | +| `replsets.rs0.podSecurityContext` | Set the security context for a Pod | `{}` | +| `replsets.rs0.containerSecurityContext` | Set the security context for a Container | `{}` | +| `replsets.rs0.runtimeClass` | ReplicaSet Pod runtimeClassName | `""` | +| `replsets.rs0.sidecars` | ReplicaSet Pod sidecars | `{}` | +| `replsets.rs0.sidecarVolumes` | ReplicaSet Pod sidecar volumes | `[]` | +| `replsets.rs0.sidecarVolumes.nfs.server` | The hostname of the NFS server that will provide remote filesystem to the custom sidecar container volume for Replica Set Pods. | `""` | +| `replsets.rs0.sidecarVolumes.nfs.path` | The path on the NFS server that will be provided as a remote filesystem to the custom sidecar container volume for Replica Set Pods. | `""` | +| `replsets.rs0.sidecarPVCs` | ReplicaSet Pod sidecar PVCs | `[]` | +| `replsets.rs0.podDisruptionBudget.maxUnavailable` | ReplicaSet failed Pods maximum quantity | `1` | +| `replsets.rs0.splitHorizons` | External URI for Split-horizon for replica set Pods of the exposed cluster | `{}` | +| `replsets.rs0.expose.enabled` | Allow access to replicaSet from outside of Kubernetes | `false` | +| `replsets.rs0.expose.type` | Network service access point type | `ClusterIP` | +| `replsets.rs0.expose.loadBalancerClass` | Class of the load balancer implementation the Service belongs to | `""` | +| `replsets.rs0.expose.loadBalancerIP` | Set client IP to Load Balancer | `""` | +| `replsets.rs0.expose.loadBalancerSourceRanges` | Limit client IP's access to Load Balancer | `{}` | +| `replsets.rs0.expose.annotations` | ReplicaSet service annotations | `{}` | +| `replsets.rs0.expose.labels` | ReplicaSet service labels | `{}` | +| `replsets.rs0.expose.internalTrafficPolicy` | ReplicaSet service internal traffic policy | `Local` | +| `replsets.rs0.expose.externalTrafficPolicy` | ReplicaSet service external traffic policy | `Local` | +| `replsets.rs0.schedulerName` | ReplicaSet Pod schedulerName | `""` | +| `replsets.rs0.resources` | ReplicaSet Pods resource requests and limits | `{}` | +| `replsets.rs0.volumeSpec` | ReplicaSet Pods storage resources | `{}` | +| `replsets.rs0.volumeSpec.emptyDir` | ReplicaSet Pods emptyDir K8S storage | `{}` | +| `replsets.rs0.volumeSpec.hostPath` | ReplicaSet Pods hostPath K8S storage | | +| `replsets.rs0.volumeSpec.hostPath.path` | ReplicaSet Pods hostPath K8S storage path | `""` | +| `replsets.rs0.volumeSpec.hostPath.type` | Type for hostPath volume | `Directory` | +| `replsets.rs0.volumeSpec.pvc` | ReplicaSet Pods PVC request parameters | | +| `replsets.rs0.volumeSpec.pvc.annotations` | The Kubernetes annotations metadata for Persistent Volume Claim | `{}` | +| `replsets.rs0.volumeSpec.pvc.labels` | The Kubernetes labels metadata for Persistent Volume Claim | `{}` | +| `replsets.rs0.volumeSpec.pvc.storageClassName` | ReplicaSet Pods PVC target storageClass | `""` | +| `replsets.rs0.volumeSpec.pvc.accessModes` | ReplicaSet Pods PVC access policy | `[]` | +| `replsets.rs0.volumeSpec.pvc.resources.requests.storage` | ReplicaSet Pods PVC storage size | `3Gi` | +| `replsets.rs0.hostAliases` | The IP address for Kubernetes host aliases | `[]` | +| `replsets.rs0.nonvoting.enabled` | Add MongoDB nonvoting Pods | `false` | +| `replsets.rs0.nonvoting.podSecurityContext` | Set the security context for a Pod | `{}` | +| `replsets.rs0.nonvoting.containerSecurityContext` | Set the security context for a Container | `{}` | +| `replsets.rs0.nonvoting.size` | Number of nonvoting Pods | `1` | +| `replsets.rs0.nonvoting.configuration` | Custom config for mongod nonvoting member | `""` | +| `replsets.rs0.nonvoting.serviceAccountName` | Run replicaset nonvoting Container under specified K8S SA | `""` | +| `replsets.rs0.nonvoting.affinity.antiAffinityTopologyKey` | Nonvoting Pods affinity | `kubernetes.io/hostname` | +| `replsets.rs0.nonvoting.affinity.advanced` | Nonvoting Pods advanced affinity | `{}` | +| `replsets.rs0.nonvoting.tolerations` | Nonvoting Pod tolerations | `[]` | +| `replsets.rs0.nonvoting.priorityClass` | Nonvoting Pod priorityClassName | `""` | +| `replsets.rs0.primaryPreferTagSelector.region` | Makes MongoDB instance to be selected as Primary based on specified region | `""` | +| `replsets.rs0.primaryPreferTagSelector.zone` | Makes MongoDB instance to be selected as Primary based on specified zone | `""` | +| `replsets.rs0.nonvoting.annotations` | Nonvoting Pod annotations | `{}` | +| `replsets.rs0.nonvoting.labels` | Nonvoting Pod labels | `{}` | +| `replsets.rs0.nonvoting.nodeSelector` | Nonvoting Pod nodeSelector labels | `{}` | +| `replsets.rs0.nonvoting.podDisruptionBudget.maxUnavailable` | Nonvoting failed Pods maximum quantity | `1` | +| `replsets.rs0.nonvoting.resources` | Nonvoting Pods resource requests and limits | `{}` | +| `replsets.rs0.nonvoting.volumeSpec` | Nonvoting Pods storage resources | `{}` | +| `replsets.rs0.nonvoting.volumeSpec.emptyDir` | Nonvoting Pods emptyDir K8S storage | `{}` | +| `replsets.rs0.nonvoting.volumeSpec.hostPath` | Nonvoting Pods hostPath K8S storage | | +| `replsets.rs0.nonvoting.volumeSpec.hostPath.path` | Nonvoting Pods hostPath K8S storage path | `""` | +| `replsets.rs0.nonvoting.volumeSpec.hostPath.type` | Type for hostPath volume | `Directory` | +| `replsets.rs0.nonvoting.volumeSpec.pvc` | Nonvoting Pods PVC request parameters | | +| `replsets.rs0.nonvoting.volumeSpec.pvc.annotations` | The Kubernetes annotations metadata for Persistent Volume Claim | `{}` | +| `replsets.rs0.nonvoting.volumeSpec.pvc.labels` | The Kubernetes labels metadata for Persistent Volume Claim | `{}` | +| `replsets.rs0.nonvoting.volumeSpec.pvc.storageClassName` | Nonvoting Pods PVC target storageClass | `""` | +| `replsets.rs0.nonvoting.volumeSpec.pvc.accessModes` | Nonvoting Pods PVC access policy | `[]` | +| `replsets.rs0.nonvoting.volumeSpec.pvc.resources.requests.storage` | Nonvoting Pods PVC storage size | `3Gi` | +| `replsets.rs0.arbiter.enabled` | Create MongoDB arbiter service | `false` | +| `replsets.rs0.arbiter.size` | MongoDB arbiter Pod quantity | `1` | +| `replsets.rs0.arbiter.serviceAccountName` | Run replicaset arbiter Container under specified K8S SA | `""` | +| `replsets.rs0.arbiter.affinity.antiAffinityTopologyKey` | MongoDB arbiter Pod affinity | `kubernetes.io/hostname` | +| `replsets.rs0.arbiter.affinity.advanced` | MongoDB arbiter Pod advanced affinity | `{}` | +| `replsets.rs0.arbiter.tolerations` | MongoDB arbiter Pod tolerations | `[]` | +| `replsets.rs0.arbiter.priorityClass` | MongoDB arbiter priorityClassName | `""` | +| `replsets.rs0.arbiter.annotations` | MongoDB arbiter Pod annotations | `{}` | +| `replsets.rs0.arbiter.labels` | MongoDB arbiter Pod labels | `{}` | +| `replsets.rs0.arbiter.nodeSelector` | MongoDB arbiter Pod nodeSelector labels | `{}` | +| `replsets.rs0.arbiter.resources` | MongoDB arbiter Pod resource requests and limits | `{}` | +| `replsets.rs0.hidden.enabled` | Enable or disable creation of Replica Set hidden instances within the cluster. | `false` | +| `replsets.rs0.hidden.size` | The number of Replica Set hidden instances within the cluster. | `2` | +| `replsets.rs0.hidden.podSecurityContext` | A custom [Kubernetes Security Context for a Pod](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) to be used instead of the default one. | `{}` | +| `replsets.rs0.hidden.containerSecurityContext` | A custom [Kubernetes Security Context for a Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) to be used instead of the default one. | `{}` | +| `replsets.rs0.hidden.affinity.antiAffinityTopologyKey` | The [Kubernetes topologyKey](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity-beta-feature) node affinity constraint for the hidden nodes. | `kubernetes.io/hostname` | +| `replsets.rs0.hidden.affinity.advanced` | In cases where the pods require complex tuning, the advanced option turns off the `topologykey` effect. This setting allows the standard Kubernetes affinity constraints of any complexity to be used. | `{}` | +| `replsets.rs0.hidden.tolerations` | MongoDB hidden Pod tolerations | `[]` | +| `replsets.rs0.hidden.priorityClassName` | The [Kuberentes Pod priority class](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass) for the hidden nodes | `""` | +| `replsets.rs0.hidden.annotations` | The [Kubernetes annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) metadata for the hidden nodes. | `{}` | +| `replsets.rs0.hidden.labels` | The [Kubernetes affinity labels](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) for the hidden nodes. | `{}` | +| `replsets.rs0.hidden.nodeSelector` | The [Kubernetes nodeSelector](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) affinity constraint for the hidden nodes | `{}` | +| `replsets.rs0.hidden.resources` | MongoDB hidden Pod resource requests and limits | `{}` | +| `replsets.rs0.hidden.podDisruptionBudget.maxUnavailable` | The [Kubernetes Pod distribution budget](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/) limit specifying the maximum value for unavailable Pods among hidden nodes | `1` | +| `replsets.rs0.hidden.podDisruptionBudget.minUnavailable` | The [Kubernetes Pod distribution budget](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/) limit specifying the minimum value for unavailable Pods among hidden nodes | `1` | +| | +| `sharding.enabled` | Enable sharding setup | `true` | +| `sharding.balancer.enabled` | Enable/disable balancer | `true` | +| `sharding.configrs.size` | Config ReplicaSet size (pod quantity) | `3` | +| `sharding.configrs.terminationGracePeriodSeconds` | The amount of seconds Kubernetes will wait for a clean replica set Pods termination | `""` | +| `sharding.configrs.externalNodes.host` | The URL or IP address of the external config server instance | `""` | +| `sharding.configrs.externalNodes.port` | The port number of the external config server instance | `""` | +| `sharding.configrs.externalNodes.votes` | The number of [votes :octicons-link-external-16:](https://docs.mongodb.com/manual/reference/replica-configuration/#mongodb-rsconf-rsconf.members-n-.votes) of the [external config server instance](replication-main.md) | `""` | +| `sharding.configrs.externalNodes.priority` | The [priority :octicons-link-external-16:](https://docs.mongodb.com/manual/reference/replica-configuration/#mongodb-rsconf-rsconf.members-n-.priority) of the [external config server instance](replication-main.md) | `""` | +| `sharding.configrs.configuration` | Custom config for mongod in config replica set | `""` | +| `sharding.configrs.topologySpreadConstraints` | Control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains | `{}` | +| `sharding.configrs.serviceAccountName` | Run sharding configrs Containers under specified K8S SA | `""` | +| `sharding.configrs.affinity.antiAffinityTopologyKey` | Config ReplicaSet Pod affinity | `kubernetes.io/hostname` | +| `sharding.configrs.affinity.advanced` | Config ReplicaSet Pod advanced affinity | `{}` | +| `sharding.configrs.tolerations` | Config ReplicaSet Pod tolerations | `[]` | +| `sharding.configrs.priorityClass` | Config ReplicaSet Pod priorityClassName | `""` | +| `sharding.configrs.annotations` | Config ReplicaSet Pod annotations | `{}` | +| `sharding.configrs.labels` | Config ReplicaSet Pod labels | `{}` | +| `sharding.configrs.nodeSelector` | Config ReplicaSet Pod nodeSelector labels | `{}` | +| `sharding.configrs.livenessProbe` | Config ReplicaSet Pod livenessProbe structure | `{}` | +| `sharding.configrs.readinessProbe` | Config ReplicaSet Pod readinessProbe structure | `{}` | +| `sharding.configrs.storage` | Set cacheSizeRatio or other custom MongoDB storage options | `{}` | +| `sharding.configrs.podSecurityContext` | Set the security context for a Pod | `{}` | +| `sharding.configrs.containerSecurityContext` | Set the security context for a Container | `{}` | +| `sharding.configrs.runtimeClass` | Config ReplicaSet Pod runtimeClassName | `""` | +| `sharding.configrs.sidecars` | Config ReplicaSet Pod sidecars | `{}` | +| `sharding.configrs.sidecarVolumes` | Config ReplicaSet Pod sidecar volumes | `[]` | +| `sharding.configrs.sidecarVolumes.name` | Name of the custom sidecar container volume for Config Server Pods | `""` | +| `sharding.configrs.sidecarVolumes.nfs.server` | The hostname of the NFS server that will provide remote filesystem to the custom sidecar container volume for Config Server Pods | `""` | +| `sharding.configrs.sidecarVolumesnfs.path` | The path on the NFS server that will be provided as a remote filesystem to the custom sidecar container volume for Config Server Pods | `""` | +| `sharding.configrs.sidecarPVCs` | Config ReplicaSet Pod sidecar PVCs | `[]` | +| `sharding.configrs.podDisruptionBudget.maxUnavailable` | Config ReplicaSet failed Pods maximum quantity | `1` | +| `sharding.configrs.expose.enabled` | Allow access to cfg replica from outside of Kubernetes | `false` | +| `sharding.configrs.expose.type` | Network service access point type | `ClusterIP` | +| `sharding.configrs.expose.loadBalancerClass` | Class of the load balancer implementation the Service belongs to | `""` | +| `sharding.configrs.expose.loadBalancerIP` | Set client IP to Load Balancer | `""` | +| `sharding.configrs.expose.loadBalancerSourceRanges` | Limit client IP's access to Load Balancer | `{}` | +| `sharding.configrs.expose.annotations` | Config ReplicaSet service annotations | `{}` | +| `sharding.configrs.expose.labels` | Config ReplicaSet service labels | `{}` | +| `sharding.configrs.expose.internalTrafficPolicy` | Config ReplicaSet service internal traffic policy | `Local` | +| `sharding.configrs.expose.externalTrafficPolicy` | Config ReplicaSet service external traffic policy | `Local` | +| `sharding.configrs.resources.limits.cpu` | Config ReplicaSet resource limits CPU | `300m` | +| `sharding.configrs.resources.limits.memory` | Config ReplicaSet resource limits memory | `0.5G` | +| `sharding.configrs.resources.requests.cpu` | Config ReplicaSet resource requests CPU | `300m` | +| `sharding.configrs.resources.requests.memory` | Config ReplicaSet resource requests memory | `0.5G` | +| `sharding.configrs.volumeSpec.hostPath` | Config ReplicaSet hostPath K8S storage | | +| `sharding.configrs.volumeSpec.hostPath.path` | Config ReplicaSet hostPath K8S storage path | `""` | +| `sharding.configrs.volumeSpec.hostPath.type` | Type for hostPath volum | `Directory` | +| `sharding.configrs.volumeSpec.emptyDir` | Config ReplicaSet Pods emptyDir K8S storage | | +| `sharding.configrs.volumeSpec.pvc` | Config ReplicaSet Pods PVC request parameters | | +| `sharding.configrs.volumeSpec.pvc.annotations` | The Kubernetes annotations metadata for Persistent Volume Claim | `{}` | +| `sharding.configrs.volumeSpec.pvc.labels` | The Kubernetes labels metadata for Persistent Volume Claim | `{}` | +| `sharding.configrs.volumeSpec.pvc.storageClassName` | Config ReplicaSet Pods PVC storageClass | `""` | +| `sharding.configrs.volumeSpec.pvc.accessModes` | Config ReplicaSet Pods PVC access policy | `[]` | +| `sharding.configrs.volumeSpec.pvc.resources.requests.storage` | Config ReplicaSet Pods PVC storage size | `3Gi` | +| `sharding.configrs.hostAliases` | The IP address for Kubernetes host aliases | `[]` | +| `sharding.mongos.size` | Mongos size (pod quantity) | `3` | +| `sharding.mongos.terminationGracePeriodSeconds` | The amount of seconds Kubernetes will wait for a clean mongos Pods termination | `""` | +| `sharding.mongos.configuration` | Custom config for mongos | `""` | +| `sharding.mongos.topologySpreadConstraints` | Control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains | `{}` | +| `sharding.mongos.serviceAccountName` | Run sharding mongos Containers under specified K8S SA | `""` | +| `sharding.mongos.affinity.antiAffinityTopologyKey` | Mongos Pods affinity | `kubernetes.io/hostname` | +| `sharding.mongos.affinity.advanced` | Mongos Pods advanced affinity | `{}` | +| `sharding.mongos.tolerations` | Mongos Pods tolerations | `[]` | +| `sharding.mongos.priorityClass` | Mongos Pods priorityClassName | `""` | +| `sharding.mongos.annotations` | Mongos Pods annotations | `{}` | +| `sharding.mongos.labels` | Mongos Pods labels | `{}` | +| `sharding.mongos.nodeSelector` | Mongos Pods nodeSelector labels | `{}` | +| `sharding.mongos.livenessProbe` | Mongos Pod livenessProbe structure | `{}` | +| `sharding.mongos.readinessProbe` | Mongos Pod readinessProbe structure | `{}` | +| `sharding.mongos.podSecurityContext` | Set the security context for a Pod | `{}` | +| `sharding.mongos.containerSecurityContext` | Set the security context for a Container | `{}` | +| `sharding.mongos.runtimeClass` | Mongos Pod runtimeClassName | `""` | +| `sharding.mongos.sidecars` | Mongos Pod sidecars | `{}` | +| `sharding.mongos.sidecarVolumes` | Mongos Pod sidecar volumes | `[]` | +| `sharding.mongos.sidecarPVCs` | Mongos Pod sidecar PVCs | `[]` | +| `sharding.mongos.podDisruptionBudget.maxUnavailable` | Mongos failed Pods maximum quantity | `1` | +| `sharding.mongos.resources.limits.cpu` | Mongos Pods resource limits CPU | `300m` | +| `sharding.mongos.resources.limits.memory` | Mongos Pods resource limits memory | `0.5G` | +| `sharding.mongos.resources.requests.cpu` | Mongos Pods resource requests CPU | `300m` | +| `sharding.mongos.resources.requests.memory` | Mongos Pods resource requests memory | `0.5G` | +| `sharding.mongos.expose.type` | Mongos service type | `ClusterIP` | +| `sharding.mongos.expose.loadBalancerClass` | Class of the load balancer implementation the Service belongs to | `""` | +| `sharding.mongos.expose.loadBalancerIP` | Set client IP to Load Balancer | `""` | +| `sharding.mongos.expose.servicePerPod` | Create a separate ClusterIP Service for each mongos instance | `false` | +| `sharding.mongos.expose.loadBalancerSourceRanges` | Limit client IP's access to Load Balancer | `{}` | +| `sharding.mongos.expose.annotations` | Mongos service annotations | `{}` | +| `sharding.mongos.expose.labels` | Mongos service labels | `{}` | +| `sharding.mongos.expose.internalTrafficPolicy` | Mongos service internal traffic policy | `Local` | +| `sharding.mongos.expose.externalTrafficPolicy` | Mongos service external traffic policy | `Local` | +| `sharding.mongos.expose.nodePort` | Custom port if exposing mongos via NodePort | `""` | +| `sharding.mongos.hostAliases` | The IP address for Kubernetes host aliases | `[]` | +| | +| `users.name` | The username of the MongoDB application user | `""` | +| `users.db` | Database that the user authenticates against | `""` | +| `users.passwordSecretRef.name` | Name of the secret that contains the user's password | `""` | +| `users.passwordSecretRef.key` | Key in the secret that corresponds to the value of the user's password | `""` | +| `users.roles.role.name` | Name of the MongoDB role assigned to the user. As [built-in roles](https://www.mongodb.com/docs/manual/reference/built-in-roles/#built-in-roles), so [custom roles](https://github.com/mongodb/mongodb-kubernetes-operator/blob/master/docs/deploy-configure.md#define-a-custom-database-role) are supported | `""` | +| `users.roles.role.db` | Database that the MongoDB role applies to | `""` | +| | +| `roles.role` | Name of the custom role. | `""` | +| `roles.db` | Database in which you want to store the user-defined role. | `admin` | +| `roles.authenticationRestrictions.clientSource` | Array of IP addresses or CIDR blocks from which users assigned this role can connect.MongoDB servers reject connection requests from users with this role if the requests come from a client that is not present in this array. | `""` | +| `roles.authenticationRestrictions.serverAddress` | Array of IP addresses or CIDR blocks to which users assigned this role can connect.MongoDB servers reject connection requests from users with this role if the client requests to connect to a server that is not present in this array. | `""` | +| `roles.privileges.actions` | Name of the role. Valid values are built-in roles. | `[]` | +| `roles.privileges.resource.db` | Database for which the privilege `security.roles.privileges.actions` apply. An empty string ("") indicates that the privilege actions apply to all databases. | `""` | +| `roles.privileges.resource.collection` | Collection for which the privilege `security.roles.privileges.actions` apply. An empty string ("") indicates that the privilege actions apply to all of the database's collections. | `""` | +| `roles.privileges.resource.cluster` | Flag that indicates that the privilege `security.roles.privileges.actions` apply to all databases and collections in the MongoDB deployment. If omitted, defaults to false.If set to true, do not provide values for `security.roles.privileges.resource.database` and `security.roles.privileges.resource.collection`. | `""` | +| `roles.roles.role` | Name of the role to inherit from. | `""` | +| `roles.roles.db` | Name of database that contains the role to inherit from. | `""` | +| | +| `backup.enabled` | Enable backup PBM agent | `true` | +| `backup.startingDeadlineSeconds` | The maximum time in seconds for a backup to start | `300` | +| `backup.annotations` | Backup job annotations | `{}` | +| `backup.podSecurityContext` | Set the security context for a Pod | `{}` | +| `backup.containerSecurityContext` | Set the security context for a Container | `{}` | +| `backup.restartOnFailure` | Backup Pods restart policy | `true` | +| `backup.image.repository` | PBM Container image repository | `percona/percona-backup-mongodb` | +| `backup.image.tag` | PBM Container image tag | `2.11.0` | +| `backup.storages` | Local/remote backup storages settings | `{}` | +| `backup.volumeMounts` | Name of the remote backup storage | `""` | +| `backup.pitr.enabled` | Enable point in time recovery for backup | `false` | +| `backup.pitr.oplogOnly` | Start collecting oplogs even if full logical backup doesn't exist | `false` | +| `backup.pitr.oplogSpanMin` | Number of minutes between the uploads of oplogs | `10` | +| `backup.pitr.compressionType` | The point-in-time-recovery chunks compression format | `""` | +| `backup.pitr.compressionLevel` | The point-in-time-recovery chunks compression level | `""` | +| `backup.configuration.backupOptions` | Custom configuration settings for backup | `{}` | +| `backup.configuration.restoreOptions` | Custom configuration settings for restore | `{}` | +| `backup.tasks` | Backup working schedule | `[]` | +| `backup.tasks[].name` | Name of the backup schedule | `""` | +| `backup.tasks[].enabled` | Enable scheduled backup task | `false` | +| `backup.tasks[].schedule` | Backup execution timetable cron timing | `false` | +| `backup.tasks[].retention.count` | Backup jobs to keep | `0` | +| `backup.tasks[].retention.type` | Backup retention type | `count` | +| `backup.tasks[].retention.deleteFromStorage` | Whether to add the "percona.com/delete-backup" finalizer to new backups | `true` | +| `backup.tasks[].storageName` | Backup storage name | `""` | +| `backup.tasks[].compressionType` | Backup compression type | `gzip` | +| `systemUsers` | PSMDB operator system users | `{}` | +| `logcollector.enabled` | Enable or disable the log collector sidecar container | `true` | +| `logcollector.image.repository` | Container image repository for the log collector (Fluent Bit) | `percona/fluentbit` | +| `logcollector.image.tag` | Image tag for the log collector | `main-logcollector` | +| `logcollector.resources` | Resource requests and limits | `{}` | +| `logcollector.configuration` | Custom configuration (optional, if not commented out) | `""` | + +Specify parameters using `--set key=value[,key=value]` argument to `helm install` +Notice that you can use multiple replica sets only with sharding enabled. + +## Examples + +### Deploy a replica set with disabled backups and no mongos pods + +This is great for a dev PSMDB/MongoDB cluster as it doesn't bother with backups and sharding setup. + +```bash +$ helm install dev --namespace psmdb . \ + --set runUid=1001 --set "replsets.rs0.volumeSpec.pvc.resources.requests.storage=20Gi" \ + --set backup.enabled=false --set sharding.enabled=false +``` + +# Need help? + +**Commercial Support** | **Community Support** | +:-: | :-: | +|
Enterprise-grade assistance for your mission-critical database deployments in containers and Kubernetes. Get expert guidance for complex tasks like multi-cloud replication, database migration and building platforms.

|
Connect with our engineers and fellow users for general questions, troubleshooting, and sharing feedback and ideas.

| +| **[Get Percona Support](https://hubs.ly/Q02ZTH8Q0)** | **[Visit our Forum](https://forums.percona.com/)** | diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/templates/NOTES.txt b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/templates/NOTES.txt new file mode 100644 index 00000000..3f294ce2 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/templates/NOTES.txt @@ -0,0 +1,40 @@ +# + + % _____ + %%% | __ \ + ###%%%%%%%%%%%%* | |__) |__ _ __ ___ ___ _ __ __ _ + ### ##%% %%%% | ___/ _ \ '__/ __/ _ \| '_ \ / _` | + #### ##% %%%% | | | __/ | | (_| (_) | | | | (_| | + ### #### %%% |_| \___|_| \___\___/|_| |_|\__,_| + ,((### ### %%% _ _ _____ _ + (((( (### #### %%%% | | / _ \ / ____| | | + ((( ((# ###### | | _| (_) |___ | (___ __ _ _ _ __ _ __| | + (((( (((# #### | |/ /> _ >> https://percona.com/k8s <<< + +Percona Server for MongoDB cluster is deployed now. Get the username and password: + + ADMIN_USER=$(kubectl -n {{ .Release.Namespace }} get secrets {{ include "psmdb-database.fullname" . }}-secrets -o jsonpath="{.data.MONGODB_USER_ADMIN_USER}" | base64 --decode) + ADMIN_PASSWORD=$(kubectl -n {{ .Release.Namespace }} get secrets {{ include "psmdb-database.fullname" . }}-secrets -o jsonpath="{.data.MONGODB_USER_ADMIN_PASSWORD}" | base64 --decode) + +Connect to the cluster: +{{- if .Values.sharding.enabled }} + + kubectl run -i --rm --tty percona-client --image=percona/percona-server-mongodb:7.0 --restart=Never \ + -- mongosh "mongodb://${ADMIN_USER}:${ADMIN_PASSWORD}@{{ include "psmdb-database.fullname" . }}-mongos.{{ .Release.Namespace }}.svc.cluster.local/admin?ssl=false" + +{{- else }} + + kubectl run -i --rm --tty percona-client --image=percona/percona-server-mongodb:7.0 --restart=Never \ + -- mongosh "mongodb+srv://${ADMIN_USER}:${ADMIN_PASSWORD}@{{ include "psmdb-database.fullname" . }}-{{ .Values.replsets.rs0.name }}.{{ .Release.Namespace }}.svc.cluster.local/admin?replicaSet=rs0&ssl=false" + +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/templates/_helpers.tpl new file mode 100644 index 00000000..47b33a5a --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/templates/_helpers.tpl @@ -0,0 +1,45 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "psmdb-database.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "psmdb-database.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 21 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 21 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 21 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "psmdb-database.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 21 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "psmdb-database.labels" -}} +app.kubernetes.io/name: {{ include "psmdb-database.name" . }} +helm.sh/chart: {{ include "psmdb-database.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/templates/cluster-secret.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/templates/cluster-secret.yaml new file mode 100644 index 00000000..a3bf7a79 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/templates/cluster-secret.yaml @@ -0,0 +1,12 @@ +{{- if hasKey .Values "systemUsers" }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "psmdb-database.fullname" . }}-secrets + namespace: {{ .Release.Namespace }} + labels: +{{ include "psmdb-database.labels" . | indent 4 }} +type: Opaque +stringData: +{{ .Values.systemUsers | toYaml | indent 2 }} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/templates/cluster.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/templates/cluster.yaml new file mode 100644 index 00000000..823fa0cf --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/templates/cluster.yaml @@ -0,0 +1,780 @@ +apiVersion: psmdb.percona.com/v1 +kind: PerconaServerMongoDB +metadata: + {{- if .Values.annotations }} + annotations: +{{ .Values.annotations | toYaml | indent 4 }} + {{- end }} + name: {{ include "psmdb-database.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "psmdb-database.labels" . | indent 4 }} + finalizers: +{{ .Values.finalizers | toYaml | indent 4 }} +spec: + crVersion: {{ .Values.crVersion }} + pause: {{ .Values.pause }} + unmanaged: {{ .Values.unmanaged }} + {{- if .Values.platform }} + platform: {{ .Values.platform }} + {{- end }} + enableVolumeExpansion: {{ .Values.enableVolumeExpansion }} + {{- if hasKey .Values "enableExternalVolumeAutoscaling" }} + enableExternalVolumeAutoscaling: {{ .Values.enableExternalVolumeAutoscaling }} + {{- end }} + {{- if .Values.clusterServiceDNSSuffix }} + clusterServiceDNSSuffix: {{ .Values.clusterServiceDNSSuffix }} + {{- end }} + {{- if .Values.clusterServiceDNSMode }} + clusterServiceDNSMode: {{ .Values.clusterServiceDNSMode }} + {{- end }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + {{- if .Values.unsafeFlags }} + unsafeFlags: +{{ .Values.unsafeFlags | toYaml | indent 4 }} + {{- end }} + {{- if .Values.ignoreAnnotations }} + ignoreAnnotations: +{{ .Values.ignoreAnnotations | toYaml | indent 4 }} + {{- end }} + {{- if .Values.ignoreLabels }} + ignoreLabels: +{{ .Values.ignoreLabels | toYaml | indent 4 }} + {{- end }} + multiCluster: + enabled: {{ .Values.multiCluster.enabled }} + {{- if .Values.multiCluster.DNSSuffix }} + DNSSuffix: {{ .Values.multiCluster.DNSSuffix }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ .Values.imagePullSecrets | toYaml | indent 4 }} + {{- end }} + {{- if .Values.initImage }} + initImage: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}" + {{- end }} + {{- if .Values.initContainerSecurityContext }} + initContainerSecurityContext: +{{ .Values.initContainerSecurityContext | toYaml | indent 4 }} + {{- end }} + {{- if .Values.tls }} + tls: +{{ .Values.tls | toYaml | indent 4 }} + {{- end }} + {{- if .Values.secrets }} + secrets: +{{ tpl (.Values.secrets | toYaml) . | indent 4 }} + {{- else }} + secrets: + users: {{ include "psmdb-database.fullname" . }}-secrets + {{- end }} + {{- if .Values.updateStrategy }} + updateStrategy: {{ .Values.updateStrategy }} + upgradeOptions: + versionServiceEndpoint: {{ .Values.upgradeOptions.versionServiceEndpoint }} + apply: {{ .Values.upgradeOptions.apply }} + schedule: {{ .Values.upgradeOptions.schedule }} + setFCV: {{ .Values.upgradeOptions.setFCV }} + {{- end }} + pmm: + enabled: {{ .Values.pmm.enabled }} + image: "{{ .Values.pmm.image.repository }}:{{ .Values.pmm.image.tag }}" + serverHost: {{ .Values.pmm.serverHost }} + {{- if .Values.pmm.mongodParams }} + mongodParams: {{ .Values.pmm.mongodParams }} + {{- end }} + {{- if .Values.pmm.mongosParams }} + mongosParams: {{ .Values.pmm.mongosParams }} + {{- end }} + {{- if .Values.pmm.resources }} + resources: +{{ .Values.pmm.resources | toYaml | indent 6 }} + {{- end }} + {{- if .Values.pmm.containerSecurityContext }} + containerSecurityContext: +{{ .Values.pmm.containerSecurityContext | toYaml | indent 6 }} + {{- end }} + {{- if .Values.pmm.customClusterName }} + customClusterName: {{ .Values.pmm.customClusterName }} + {{- end }} + + replsets: + {{- range $k,$replset := .Values.replsets }} + {{- if $replset.name }} + - name: {{ $replset.name }} + {{- else }} + - name: {{ $k }} + {{- end }} + size: {{ $replset.size }} + {{- if $replset.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ $replset.terminationGracePeriodSeconds }} + {{- end }} + {{- if $replset.externalNodes }} + externalNodes: +{{ $replset.externalNodes | toYaml | indent 6 }} + {{- end }} + {{- if $replset.configuration }} + configuration: | +{{ $replset.configuration | indent 6 }} + {{- end }} + {{- if $replset.topologySpreadConstraints }} + topologySpreadConstraints: +{{ $replset.topologySpreadConstraints | toYaml | indent 6 }} + {{- end }} +{{- if $replset.replsetOverrides }} + replsetOverrides: +{{ $replset.replsetOverrides | toYaml | indent 6 }} + {{- end }} + {{- if $replset.serviceAccountName }} + serviceAccountName: {{ $replset.serviceAccountName }} + {{- end }} + {{- if $replset.affinity }} + affinity: +{{ $replset.affinity | toYaml | indent 6 }} + {{- end }} + {{- if $replset.priorityClass }} + priorityClassName: {{ $replset.priorityClass }} + {{- end }} + {{- if $replset.primaryPreferTagSelector }} + primaryPreferTagSelector: +{{ $replset.primaryPreferTagSelector | toYaml | indent 6 }} + {{- end }} + {{- if $replset.annotations }} + annotations: +{{ $replset.annotations | toYaml | indent 6 }} + {{- end }} + {{- if $replset.labels }} + labels: +{{ $replset.labels | toYaml | indent 6 }} + {{- end }} + {{- if $replset.nodeSelector }} + nodeSelector: +{{ $replset.nodeSelector | toYaml | indent 6 }} + {{- end }} + {{- if $replset.tolerations }} + tolerations: +{{ $replset.tolerations | toYaml | indent 6 }} + {{- end }} + {{- if $replset.livenessProbe }} + livenessProbe: +{{ $replset.livenessProbe | toYaml | indent 6 }} + {{- end }} + {{- if $replset.readinessProbe }} + readinessProbe: +{{ $replset.readinessProbe | toYaml | indent 6 }} + {{- end }} + {{- if $replset.storage }} + storage: +{{ $replset.storage | toYaml | indent 6 }} + {{- end }} + {{- if $replset.podSecurityContext }} + podSecurityContext: +{{ $replset.podSecurityContext | toYaml | indent 6 }} + {{- end }} + {{- if $replset.containerSecurityContext }} + containerSecurityContext: +{{ $replset.containerSecurityContext | toYaml | indent 6 }} + {{- end }} + {{- if $replset.runtimeClass }} + runtimeClassName: {{ $replset.runtimeClass }} + {{- end }} + {{- if $replset.sidecars }} + sidecars: +{{ $replset.sidecars | toYaml | indent 6 }} + {{- end }} + {{- if $replset.sidecarVolumes }} + sidecarVolumes: +{{ $replset.sidecarVolumes | toYaml | indent 6 }} + {{- end }} + {{- if $replset.sidecarPVCs }} + sidecarPVCs: +{{ $replset.sidecarPVCs | toYaml | indent 6 }} + {{- end }} + {{- if $replset.podDisruptionBudget }} + podDisruptionBudget: + {{- if $replset.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ $replset.podDisruptionBudget.maxUnavailable }} + {{- else }} + minAvailable: {{ $replset.podDisruptionBudget.minAvailable }} + {{- end }} + {{- end }} + {{- if $replset.splitHorizons }} + splitHorizons: +{{ $replset.splitHorizons | toYaml | indent 6 }} + {{- end }} + {{- if $replset.expose }} + expose: + enabled: {{ $replset.expose.enabled }} + type: {{ $replset.expose.type }} + {{- if $replset.expose.loadBalancerClass }} + loadBalancerClass: {{ $replset.expose.loadBalancerClass }} + {{- end }} + {{- if $replset.expose.loadBalancerIP }} + loadBalancerIP: {{ $replset.expose.loadBalancerIP }} + {{- end }} + {{- if $replset.expose.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ $replset.expose.loadBalancerSourceRanges | toYaml | indent 8 }} + {{- end }} + {{- if $replset.expose.annotations }} + annotations: +{{ $replset.expose.annotations | toYaml | indent 8 }} + {{- end }} + {{- if $replset.expose.labels }} + labels: +{{ $replset.expose.labels | toYaml | indent 8 }} + {{- end }} + {{- if $replset.expose.internalTrafficPolicy }} + internalTrafficPolicy: {{ $replset.expose.internalTrafficPolicy }} + {{- end }} + {{- if $replset.expose.externalTrafficPolicy }} + externalTrafficPolicy: {{ $replset.expose.externalTrafficPolicy }} + {{- end }} + {{- end }} + {{- if $replset.schedulerName }} + schedulerName: {{ $replset.schedulerName }} + {{- end }} + resources: + {{- if $replset.resources }} +{{ $replset.resources | toYaml | indent 6 }} + {{- end }} + volumeSpec: + {{- if $replset.volumeSpec }} + {{- if $replset.volumeSpec.hostPath }} + hostPath: + path: {{ $replset.volumeSpec.hostPath.path }} + {{- if $replset.volumeSpec.hostPath.type }} + type: {{ $replset.volumeSpec.hostPath.type }} + {{- else }} + type: Directory + {{- end }} + {{- else if $replset.volumeSpec.pvc }} + persistentVolumeClaim: +{{ $replset.volumeSpec.pvc | toYaml | indent 8 }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- if $replset.hostAliases }} + hostAliases: +{{ $replset.hostAliases | toYaml | indent 6 }} + {{- end }} + +{{- if $replset.hidden }} + hidden: + enabled: {{ $replset.hidden.enabled }} + size: {{ $replset.hidden.size }} + {{- if $replset.hidden.configuration }} + configuration: | +{{ $replset.hidden.configuration | indent 8 }} + {{- end }} + affinity: + {{- if $replset.hidden.affinity }} +{{ $replset.hidden.affinity | toYaml | indent 8 }} + {{- end }} + {{- if $replset.hidden.priorityClassName }} + priorityClassName: {{ $replset.hidden.priorityClassName }} + {{- end }} + {{- if $replset.hidden.annotations }} + annotations: +{{ $replset.hidden.annotations | toYaml | indent 8 }} + {{- end }} + {{- if $replset.hidden.labels }} + labels: +{{ $replset.hidden.labels | toYaml | indent 8 }} + {{- end }} + {{- if $replset.hidden.podSecurityContext }} + podSecurityContext: +{{ $replset.hidden.podSecurityContext | toYaml | indent 8 }} + {{- end }} + {{- if $replset.hidden.containerSecurityContext }} + containerSecurityContext: +{{ $replset.hidden.containerSecurityContext | toYaml | indent 8 }} + {{- end }} + {{- if $replset.hidden.nodeSelector }} + nodeSelector: +{{ $replset.hidden.nodeSelector | toYaml | indent 8 }} + {{- end }} + {{- if $replset.hidden.tolerations }} + tolerations: +{{ $replset.hidden.tolerations | toYaml | indent 8 }} + {{- end }} + {{- if $replset.hidden.podDisruptionBudget }} + podDisruptionBudget: + {{- if $replset.hidden.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ $replset.hidden.podDisruptionBudget.maxUnavailable }} + {{- else }} + minAvailable: {{ $replset.hidden.podDisruptionBudget.minAvailable }} + {{- end }} + {{- end }} + {{- if $replset.hidden.resources }} + resources: +{{ $replset.hidden.resources | toYaml | indent 8 }} + {{- end }} + {{- if $replset.hidden.volumeSpec }} + volumeSpec: + {{- if $replset.hidden.volumeSpec.hostPath }} + hostPath: + path: {{ $replset.hidden.volumeSpec.hostPath.path }} + {{- if $replset.hidden.volumeSpec.hostPath.type }} + type: {{ $replset.hidden.volumeSpec.hostPath.type }} + {{- else }} + type: Directory + {{- end }} + {{- else if $replset.hidden.volumeSpec.pvc }} + persistentVolumeClaim: +{{ $replset.hidden.volumeSpec.pvc | toYaml | indent 10 }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- end }} + {{- if $replset.nonvoting }} + nonvoting: + enabled: {{ $replset.nonvoting.enabled }} + size: {{ $replset.nonvoting.size }} + {{- if $replset.nonvoting.configuration }} + configuration: | +{{ $replset.nonvoting.configuration | indent 8 }} + {{- end }} + {{- if $replset.nonvoting.serviceAccountName }} + serviceAccountName: {{ $replset.nonvoting.serviceAccountName }} + {{- end }} + affinity: + {{- if $replset.nonvoting.affinity }} +{{ $replset.nonvoting.affinity | toYaml | indent 8 }} + {{- end }} + {{- if $replset.nonvoting.priorityClass }} + priorityClassName: {{ $replset.nonvoting.priorityClass }} + {{- end }} + {{- if $replset.nonvoting.annotations }} + annotations: +{{ $replset.nonvoting.annotations | toYaml | indent 8 }} + {{- end }} + {{- if $replset.nonvoting.labels }} + labels: +{{ $replset.nonvoting.labels | toYaml | indent 8 }} + {{- end }} + {{- if $replset.nonvoting.podSecurityContext }} + podSecurityContext: +{{ $replset.nonvoting.podSecurityContext | toYaml | indent 8 }} + {{- end }} + {{- if $replset.nonvoting.containerSecurityContext }} + containerSecurityContext: +{{ $replset.nonvoting.containerSecurityContext | toYaml | indent 8 }} + {{- end }} + {{- if $replset.nonvoting.nodeSelector }} + nodeSelector: +{{ $replset.nonvoting.nodeSelector | toYaml | indent 8 }} + {{- end }} + {{- if $replset.nonvoting.tolerations }} + tolerations: +{{ $replset.nonvoting.tolerations | toYaml | indent 8 }} + {{- end }} + {{- if $replset.nonvoting.podDisruptionBudget }} + podDisruptionBudget: + {{- if $replset.nonvoting.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ $replset.nonvoting.podDisruptionBudget.maxUnavailable }} + {{- else }} + minAvailable: {{ $replset.nonvoting.podDisruptionBudget.minAvailable }} + {{- end }} + {{- end }} + {{- if $replset.nonvoting.resources }} + resources: +{{ $replset.nonvoting.resources | toYaml | indent 8 }} + {{- end }} + {{- if $replset.nonvoting.volumeSpec }} + volumeSpec: + {{- if $replset.nonvoting.volumeSpec.hostPath }} + hostPath: + path: {{ $replset.nonvoting.volumeSpec.hostPath.path }} + {{- if $replset.nonvoting.volumeSpec.hostPath.type }} + type: {{ $replset.nonvoting.volumeSpec.hostPath.type }} + {{- else }} + type: Directory + {{- end }} + {{- else if $replset.nonvoting.volumeSpec.pvc }} + persistentVolumeClaim: +{{ $replset.nonvoting.volumeSpec.pvc | toYaml | indent 10 }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- end }} + {{- if $replset.arbiter }} + arbiter: + enabled: {{ $replset.arbiter.enabled }} + size: {{ $replset.arbiter.size }} + {{- if $replset.arbiter.serviceAccountName }} + serviceAccountName: {{ $replset.arbiter.serviceAccountName }} + {{- end }} + {{- if $replset.affinity }} + affinity: +{{ $replset.arbiter.affinity | toYaml | indent 8 }} + {{- end }} + {{- if $replset.arbiter.priorityClass }} + priorityClassName: {{ $replset.arbiter.priorityClass }} + {{- end }} + {{- if $replset.arbiter.annotations }} + annotations: +{{ $replset.arbiter.annotations | toYaml | indent 8 }} + {{- end }} + {{- if $replset.arbiter.labels }} + labels: +{{ $replset.arbiter.labels | toYaml | indent 8 }} + {{- end }} + {{- if $replset.arbiter.nodeSelector }} + nodeSelector: +{{ $replset.arbiter.nodeSelector | toYaml | indent 8 }} + {{- end }} + {{- if $replset.arbiter.tolerations }} + tolerations: +{{ $replset.arbiter.tolerations | toYaml | indent 8 }} + {{- end }} + {{- if $replset.arbiter.resources }} + resources: +{{ $replset.arbiter.resources | toYaml | indent 8 }} + {{- end }} + {{- end }} + {{- end }} + + sharding: + enabled: {{ .Values.sharding.enabled }} + balancer: + enabled: {{ .Values.sharding.balancer.enabled }} + + configsvrReplSet: + size: {{ .Values.sharding.configrs.size }} + {{- if .Values.sharding.configrs.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.sharding.configrs.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.sharding.configrs.externalNodes }} + externalNodes: +{{ .Values.sharding.configrs.externalNodes | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.configuration }} + configuration: | +{{ .Values.sharding.configrs.configuration | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.topologySpreadConstraints }} + topologySpreadConstraints: +{{ .Values.sharding.configrs.topologySpreadConstraints | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.serviceAccountName }} + serviceAccountName: {{ .Values.sharding.configrs.serviceAccountName }} + {{- end }} + affinity: +{{ .Values.sharding.configrs.affinity | toYaml | indent 8 }} + {{- if .Values.sharding.configrs.priorityClass }} + priorityClassName: {{ .Values.sharding.configrs.priorityClass }} + {{- end }} + {{- if .Values.sharding.configrs.annotations }} + annotations: +{{ .Values.sharding.configrs.annotations | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.labels }} + labels: +{{ .Values.sharding.configrs.labels | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.nodeSelector }} + nodeSelector: +{{ .Values.sharding.configrs.nodeSelector | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.tolerations }} + tolerations: +{{ .Values.sharding.configrs.tolerations | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.livenessProbe }} + livenessProbe: +{{ .Values.sharding.configrs.livenessProbe | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.readinessProbe }} + readinessProbe: +{{ .Values.sharding.configrs.readinessProbe | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.storage }} + storage: +{{ .Values.sharding.configrs.storage | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.podSecurityContext }} + podSecurityContext: +{{ .Values.sharding.configrs.podSecurityContext | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.containerSecurityContext }} + containerSecurityContext: +{{ .Values.sharding.configrs.containerSecurityContext | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.runtimeClass }} + runtimeClassName: {{ .Values.sharding.configrs.runtimeClass }} + {{- end }} + {{- if .Values.sharding.configrs.sidecars }} + sidecars: +{{ .Values.sharding.configrs.sidecars | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.sidecarVolumes }} + sidecarVolumes: +{{ .Values.sharding.configrs.sidecarVolumes | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.sidecarPVCs }} + sidecarPVCs: +{{ .Values.sharding.configrs.sidecarPVCs | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.configrs.podDisruptionBudget }} + podDisruptionBudget: + {{- if .Values.sharding.configrs.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.sharding.configrs.podDisruptionBudget.maxUnavailable }} + {{- else }} + minAvailable: {{ .Values.sharding.configrs.podDisruptionBudget.minAvailable }} + {{- end }} + {{- end }} + {{- if .Values.sharding.configrs.expose }} + expose: + enabled: {{ .Values.sharding.configrs.expose.enabled }} + type: {{ .Values.sharding.configrs.expose.type }} + {{- if .Values.sharding.configrs.expose.loadBalancerClass }} + loadBalancerClass: {{ .Values.sharding.configrs.expose.loadBalancerClass }} + {{- end }} + {{- if .Values.sharding.configrs.expose.loadBalancerIP }} + loadBalancerIP: {{ .Values.sharding.configrs.expose.loadBalancerIP }} + {{- end }} + {{- if .Values.sharding.configrs.expose.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ .Values.sharding.configrs.expose.loadBalancerSourceRanges | toYaml | indent 10 }} + {{- end }} + {{- if .Values.sharding.configrs.expose.annotations }} + annotations: +{{ .Values.sharding.configrs.expose.annotations | toYaml | indent 10 }} + {{- end }} + {{- if .Values.sharding.configrs.expose.labels }} + labels: +{{ .Values.sharding.configrs.expose.labels | toYaml | indent 10 }} + {{- end }} + {{- if .Values.sharding.configrs.expose.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.sharding.configrs.expose.internalTrafficPolicy }} + {{- end }} + {{- if .Values.sharding.configrs.expose.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.sharding.configrs.expose.externalTrafficPolicy }} + {{- end }} + {{- end }} + resources: + limits: + cpu: {{ .Values.sharding.configrs.resources.limits.cpu }} + memory: {{ .Values.sharding.configrs.resources.limits.memory }} + requests: + cpu: {{ .Values.sharding.configrs.resources.requests.cpu }} + memory: {{ .Values.sharding.configrs.resources.requests.memory }} + volumeSpec: + {{- if .Values.sharding.configrs.volumeSpec.hostPath }} + hostPath: + path: {{ .Values.sharding.configrs.volumeSpec.hostPath.path }} + {{- if .Values.sharding.configrs.volumeSpec.hostPath.type }} + type: {{ .Values.sharding.configrs.volumeSpec.hostPath.type }} + {{- else }} + type: Directory + {{- end }} + {{- else if .Values.sharding.configrs.volumeSpec.pvc }} + persistentVolumeClaim: +{{ .Values.sharding.configrs.volumeSpec.pvc | toYaml | indent 10 }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.sharding.configrs.hostAliases }} + hostAliases: +{{ .Values.sharding.configrs.hostAliases | toYaml | indent 8 }} + {{- end }} + + mongos: + size: {{ .Values.sharding.mongos.size }} + {{- if .Values.sharding.mongos.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.sharding.mongos.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.sharding.mongos.configuration }} + configuration: | +{{ .Values.sharding.mongos.configuration | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.topologySpreadConstraints }} + topologySpreadConstraints: +{{ .Values.sharding.mongos.topologySpreadConstraints | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.serviceAccountName }} + serviceAccountName: {{ .Values.sharding.mongos.serviceAccountName }} + {{- end }} + affinity: +{{ .Values.sharding.mongos.affinity | toYaml | indent 8 }} + {{- if .Values.sharding.mongos.priorityClass }} + priorityClassName: {{ .Values.sharding.mongos.priorityClass }} + {{- end }} + {{- if .Values.sharding.mongos.annotations }} + annotations: +{{ .Values.sharding.mongos.annotations | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.labels }} + labels: +{{ .Values.sharding.mongos.labels | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.nodeSelector }} + nodeSelector: +{{ .Values.sharding.mongos.nodeSelector | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.tolerations }} + tolerations: +{{ .Values.sharding.mongos.tolerations | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.livenessProbe }} + livenessProbe: +{{ .Values.sharding.mongos.livenessProbe | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.readinessProbe }} + readinessProbe: +{{ .Values.sharding.mongos.readinessProbe | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.podSecurityContext }} + podSecurityContext: +{{ .Values.sharding.mongos.podSecurityContext | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.containerSecurityContext }} + containerSecurityContext: +{{ .Values.sharding.mongos.containerSecurityContext | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.runtimeClass }} + runtimeClassName: {{ .Values.sharding.mongos.runtimeClass }} + {{- end }} + {{- if .Values.sharding.mongos.sidecars }} + sidecars: +{{ .Values.sharding.mongos.sidecars | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.sidecarVolumes }} + sidecarVolumes: +{{ .Values.sharding.mongos.sidecarVolumes | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.sidecarPVCs }} + sidecarPVCs: +{{ .Values.sharding.mongos.sidecarPVCs | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.podDisruptionBudget }} + podDisruptionBudget: + {{- if .Values.sharding.mongos.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.sharding.mongos.podDisruptionBudget.maxUnavailable }} + {{- else }} + minAvailable: {{ .Values.sharding.mongos.podDisruptionBudget.minAvailable }} + {{- end }} + {{- end }} + resources: + limits: + cpu: {{ .Values.sharding.mongos.resources.limits.cpu }} + memory: {{ .Values.sharding.mongos.resources.limits.memory }} + requests: + cpu: {{ .Values.sharding.mongos.resources.requests.cpu }} + memory: {{ .Values.sharding.mongos.resources.requests.memory }} + expose: + type: {{ .Values.sharding.mongos.expose.type }} + {{- if .Values.sharding.mongos.expose.loadBalancerClass }} + loadBalancerClass: {{ .Values.sharding.mongos.expose.loadBalancerClass }} + {{- end }} + {{- if .Values.sharding.mongos.expose.loadBalancerIP }} + loadBalancerIP: {{ .Values.sharding.mongos.expose.loadBalancerIP }} + {{- end }} + {{- if .Values.sharding.mongos.expose.servicePerPod }} + servicePerPod: {{ .Values.sharding.mongos.expose.servicePerPod }} + {{- end }} + {{- if .Values.sharding.mongos.expose.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ .Values.sharding.mongos.expose.loadBalancerSourceRanges | toYaml | indent 10 }} + {{- end }} + {{- if .Values.sharding.mongos.expose.annotations }} + annotations: +{{ .Values.sharding.mongos.expose.annotations | toYaml | indent 10 }} + {{- end }} + {{- if .Values.sharding.mongos.expose.labels }} + labels: +{{ .Values.sharding.mongos.expose.labels | toYaml | indent 10 }} + {{- end }} + {{- if .Values.sharding.mongos.expose.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.sharding.mongos.expose.internalTrafficPolicy }} + {{- end }} + {{- if .Values.sharding.mongos.expose.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.sharding.mongos.expose.externalTrafficPolicy }} + {{- end }} + {{- if .Values.sharding.mongos.expose.nodePort }} + nodePort: {{ .Values.sharding.mongos.expose.nodePort }} + {{- end }} + {{- if .Values.sharding.mongos.auditLog }} + auditLog: +{{ .Values.sharding.mongos.auditLog | toYaml | indent 8 }} + {{- end }} + {{- if .Values.sharding.mongos.hostAliases }} + hostAliases: +{{ .Values.sharding.mongos.hostAliases | toYaml | indent 8 }} + {{- end }} + + {{- if .Values.users }} + users: +{{ .Values.users | toYaml | indent 2 }} + {{- end }} + + {{- if .Values.roles }} + roles: +{{ .Values.roles | toYaml | indent 2 }} + {{- end }} + + backup: + enabled: {{ .Values.backup.enabled }} + {{- if .Values.backup.startingDeadlineSeconds }} + startingDeadlineSeconds: {{ .Values.backup.startingDeadlineSeconds }} + {{- end }} + {{- if .Values.backup.annotations }} + annotations: +{{ .Values.backup.annotations | toYaml | indent 6 }} + {{- end }} + {{- if .Values.backup.podSecurityContext }} + podSecurityContext: +{{ .Values.backup.podSecurityContext | toYaml | indent 6 }} + {{- end }} + {{- if .Values.backup.containerSecurityContext }} + containerSecurityContext: +{{ .Values.backup.containerSecurityContext | toYaml | indent 6 }} + {{- end }} + image: "{{ .Values.backup.image.repository }}:{{ .Values.backup.image.tag }}" + {{- if .Values.backup.resources }} + resources: +{{ .Values.backup.resources | toYaml | indent 6 }} + {{- end }} + storages: +{{ .Values.backup.storages | toYaml | indent 6 }} + volumeMounts: +{{ .Values.backup.volumeMounts | toYaml | indent 6 }} + pitr: + {{- if and .Values.backup.enabled .Values.backup.pitr.enabled }} + enabled: true + {{- if .Values.backup.pitr.oplogOnly }} + oplogOnly: {{ .Values.backup.pitr.oplogOnly }} + {{- end }} + {{- if .Values.backup.pitr.oplogSpanMin }} + oplogSpanMin: {{ .Values.backup.pitr.oplogSpanMin }} + {{- end }} + {{- if .Values.backup.pitr.compressionType }} + compressionType: {{ .Values.backup.pitr.compressionType }} + {{- end }} + {{- if .Values.backup.pitr.compressionLevel }} + compressionLevel: {{ .Values.backup.pitr.compressionLevel }} + {{- end }} + {{- else }} + enabled: false + {{- end }} + {{- if .Values.backup.configuration }} + configuration: +{{ .Values.backup.configuration | toYaml | indent 6 }} + {{- end }} + tasks: +{{ .Values.backup.tasks | toYaml | indent 6 }} + logcollector: + enabled: {{ .Values.logcollector.enabled }} + image: "{{ .Values.logcollector.image.repository }}:{{ .Values.logcollector.image.tag }}" + {{- if .Values.logcollector.configuration }} + configuration: {{ .Values.logcollector.configuration }} + {{- end }} + {{- if .Values.logcollector.resources }} + resources: +{{ .Values.logcollector.resources | toYaml | indent 6 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/values.yaml new file mode 100644 index 00000000..ea264c53 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-db/values.yaml @@ -0,0 +1,806 @@ +# Default values for psmdb-cluster. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Platform type: kubernetes, openshift +# platform: kubernetes + +# Cluster DNS Suffix +# clusterServiceDNSSuffix: svc.cluster.local +# clusterServiceDNSMode: "Internal" + +finalizers: +## Set this if you want that operator deletes the primary pod last + - percona.com/delete-psmdb-pods-in-order +## Set this if you want to delete database persistent volumes on cluster deletion +# - percona.com/delete-psmdb-pvc +## Set this if you want to delete all pitr chunks on cluster deletion +# - percona.com/delete-pitr-chunks + +nameOverride: "" +fullnameOverride: "" + + +crVersion: 1.21.1 +pause: false +unmanaged: false +unsafeFlags: + tls: false + replsetSize: false + mongosSize: false + terminationGracePeriod: false + backupIfUnhealthy: false + +enableVolumeExpansion: false +# enableExternalVolumeAutoscaling: false +annotations: {} + +# ignoreAnnotations: +# - service.beta.kubernetes.io/aws-load-balancer-backend-protocol +# ignoreLabels: +# - rack +multiCluster: + enabled: false + # DNSSuffix: svc.clusterset.local +updateStrategy: SmartUpdate +upgradeOptions: + versionServiceEndpoint: https://check.percona.com + apply: disabled + schedule: "0 2 * * *" + setFCV: false + +image: + repository: percona/percona-server-mongodb + tag: 8.0.12-4 + +imagePullPolicy: Always +# imagePullSecrets: [] +# initImage: +# repository: percona/percona-server-mongodb-operator +# tag: 1.21.1 +# initContainerSecurityContext: {} +# tls: +# mode: preferTLS +# # 90 days in hours +# certValidityDuration: 2160h +# allowInvalidCertificates: true +# issuerConf: +# name: special-selfsigned-issuer +# kind: ClusterIssuer +# group: cert-manager.io +secrets: {} + # If you set users secret here the operator will use existing one or generate random values + # If not set the operator generates the default secret with name -secrets + # users: my-cluster-name-secrets + # encryptionKey: my-cluster-name-mongodb-encryption-key + # ssl: my-cluster-name-ssl + # sslInternal: my-cluster-name-ssl-internal + # keyFile: my-cluster-name-mongodb-keyfile + # vault: my-cluster-name-vault + # ldapSecret: my-ldap-secret + # sse: my-cluster-name-sse + +pmm: + enabled: false + image: + repository: percona/pmm-client + tag: 3.4.1 + serverHost: monitoring-service +# customClusterName: "" +# mongodParams: "" +# mongosParams: "" +# resources: {} +# containerSecurityContext: {} + +replsets: + rs0: + name: rs0 + size: 3 + # terminationGracePeriodSeconds: 300 + # externalNodes: + # - host: 34.124.76.90 + # - host: 34.124.76.91 + # port: 27017 + # votes: 0 + # priority: 0 + # - host: 34.124.76.92 + # configuration: | + # operationProfiling: + # mode: slowOp + # systemLog: + # verbosity: 1 + # serviceAccountName: percona-server-mongodb-operator + # topologySpreadConstraints: + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: percona-server-mongodb + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # replsetOverrides: + # my-cluster-name-rs0-0: + # host: my-cluster-name-rs0-0.example.net:27017 + # priority: 3 + # tags: + # key: value-0 + # my-cluster-name-rs0-1: + # host: my-cluster-name-rs0-1.example.net:27017 + # tags: + # key: value-1 + # my-cluster-name-rs0-2: + # host: my-cluster-name-rs0-2.example.net:27017 + # tags: + # key: value-2 + affinity: + antiAffinityTopologyKey: "kubernetes.io/hostname" + # advanced: + # podAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: security + # operator: In + # values: + # - S1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # tolerations: [] + # primaryPreferTagSelector: + # region: us-west-2 + # zone: us-west-2c + # priorityClass: "" + # annotations: {} + # labels: {} + # podSecurityContext: {} + # containerSecurityContext: {} + # nodeSelector: {} + # livenessProbe: + # failureThreshold: 4 + # initialDelaySeconds: 60 + # periodSeconds: 30 + # timeoutSeconds: 10 + # startupDelaySeconds: 7200 + # readinessProbe: + # failureThreshold: 8 + # initialDelaySeconds: 10 + # periodSeconds: 3 + # successThreshold: 1 + # timeoutSeconds: 2 + # runtimeClassName: image-rc + # storage: + # engine: wiredTiger + # wiredTiger: + # engineConfig: + # cacheSizeRatio: 0.5 + # directoryForIndexes: false + # journalCompressor: snappy + # collectionConfig: + # blockCompressor: snappy + # indexConfig: + # prefixCompression: true + # inMemory: + # engineConfig: + # inMemorySizeRatio: 0.5 + # sidecars: + # - image: busybox + # command: ["/bin/sh"] + # args: ["-c", "while true; do echo echo $(date -u) 'test' >> /dev/null; sleep 5;done"] + # name: rs-sidecar-1 + # volumeMounts: + # - mountPath: /volume1 + # name: sidecar-volume-claim + # - mountPath: /secret + # name: sidecar-secret + # - mountPath: /configmap + # name: sidecar-config + # sidecarVolumes: + # - name: sidecar-secret + # secret: + # secretName: mysecret + # - name: sidecar-config + # configMap: + # name: myconfigmap + # - name: backup-nfs + # nfs: + # server: "nfs-service.storage.svc.cluster.local" + # path: "/psmdb-some-name-rs0" + # sidecarPVCs: + # - apiVersion: v1 + # kind: PersistentVolumeClaim + # metadata: + # name: sidecar-volume-claim + # spec: + # resources: + # requests: + # storage: 1Gi + # volumeMode: Filesystem + # accessModes: + # - ReadWriteOnce + podDisruptionBudget: + maxUnavailable: 1 + # splitHorizons: + # my-cluster-name-rs0-0: + # external: rs0-0.mycluster.xyz + # external-2: rs0-0.mycluster2.xyz + # my-cluster-name-rs0-1: + # external: rs0-1.mycluster.xyz + # external-2: rs0-1.mycluster2.xyz + # my-cluster-name-rs0-2: + # external: rs0-2.mycluster.xyz + # external-2: rs0-2.mycluster2.xyz + expose: + enabled: false + type: ClusterIP + # loadBalancerClass: "" + # loadBalancerIP: 10.0.0.0 + # loadBalancerSourceRanges: + # - 10.0.0.0/8 + # annotations: + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http + # labels: + # some-label: some-key + # internalTrafficPolicy: Local + # externalTrafficPolicy: Local + # schedulerName: "" + resources: + limits: + cpu: "600m" + memory: "1Gi" + requests: + cpu: "300m" + memory: "1Gi" + volumeSpec: + # emptyDir: {} + # hostPath: + # path: /data + # type: Directory + pvc: + # annotations: + # volume.beta.kubernetes.io/storage-class: example-hostpath + # labels: + # rack: rack-22 + # storageClassName: standard + # accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 3Gi + # hostAliases: + # - ip: "10.10.0.2" + # hostnames: + # - "host1" + # - "host2" + + hidden: + enabled: false +# podSecurityContext: {} +# containerSecurityContext: {} + size: 2 +# # for more configuration fields refer to https://docs.mongodb.com/manual/reference/configuration-options/ +# configuration: | +# operationProfiling: +# mode: slowOp +# systemLog: +# verbosity: 1 + affinity: + antiAffinityTopologyKey: "kubernetes.io/hostname" +# advanced: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: kubernetes.io/e2e-az-name +# operator: In +# values: +# - e2e-az1 +# - e2e-az2 +# tolerations: +# - key: "node.alpha.kubernetes.io/unreachable" +# operator: "Exists" +# effect: "NoExecute" +# tolerationSeconds: 6000 +# priorityClassName: high-priority +# annotations: +# iam.amazonaws.com/role: role-arn +# labels: +# rack: rack-22 +# nodeSelector: +# disktype: ssd + podDisruptionBudget: + maxUnavailable: 1 +# minAvailable: 0 + resources: + limits: + cpu: "600m" + memory: "1Gi" + requests: + cpu: "300m" + memory: "1Gi" + volumeSpec: +# emptyDir: {} +# hostPath: +# path: /data +# type: Directory + pvc: +# annotations: +# volume.beta.kubernetes.io/storage-class: example-hostpath +# labels: +# rack: rack-22 +# storageClassName: standard +# accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 3Gi + + nonvoting: + enabled: false + # podSecurityContext: {} + # containerSecurityContext: {} + size: 3 + # configuration: | + # operationProfiling: + # mode: slowOp + # systemLog: + # verbosity: 1 + # serviceAccountName: percona-server-mongodb-operator + affinity: + antiAffinityTopologyKey: "kubernetes.io/hostname" + # advanced: + # podAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: security + # operator: In + # values: + # - S1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # tolerations: [] + # priorityClass: "" + # annotations: {} + # labels: {} + # nodeSelector: {} + podDisruptionBudget: + maxUnavailable: 1 + resources: + limits: + cpu: "600m" + memory: "1Gi" + requests: + cpu: "300m" + memory: "1Gi" + volumeSpec: + # emptyDir: {} + # hostPath: + # path: /data + # type: Directory + pvc: + # annotations: + # volume.beta.kubernetes.io/storage-class: example-hostpath + # labels: + # rack: rack-22 + # storageClassName: standard + # accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 3Gi + arbiter: + enabled: false + size: 1 + # serviceAccountName: percona-server-mongodb-operator + affinity: + antiAffinityTopologyKey: "kubernetes.io/hostname" + # advanced: + # podAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: security + # operator: In + # values: + # - S1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # tolerations: [] + # priorityClass: "" + # annotations: {} + # labels: {} + # nodeSelector: {} + resources: + limits: + cpu: "600m" + memory: "1Gi" + requests: + cpu: "300m" + memory: "1Gi" + +sharding: + enabled: true + balancer: + enabled: true + + configrs: + size: 3 + # terminationGracePeriodSeconds: 300 + # externalNodes: + # - host: 34.124.76.90 + # - host: 34.124.76.91 + # port: 27017 + # votes: 0 + # priority: 0 + # - host: 34.124.76.92 + # configuration: | + # operationProfiling: + # mode: slowOp + # systemLog: + # verbosity: 1 + # serviceAccountName: percona-server-mongodb-operator + # topologySpreadConstraints: + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: percona-server-mongodb + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + affinity: + antiAffinityTopologyKey: "kubernetes.io/hostname" + # advanced: + # podAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: security + # operator: In + # values: + # - S1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # tolerations: [] + # priorityClass: "" + # annotations: {} + # labels: {} + # podSecurityContext: {} + # containerSecurityContext: {} + # nodeSelector: {} + # livenessProbe: {} + # readinessProbe: {} + # runtimeClassName: image-rc + # sidecars: + # - image: busybox + # command: ["/bin/sh"] + # args: ["-c", "while true; do echo echo $(date -u) 'test' >> /dev/null; sleep 5;done"] + # name: rs-sidecar-1 + # volumeMounts: + # - mountPath: /volume1 + # name: sidecar-volume-claim + # sidecarPVCs: [] + # sidecarVolumes: [] + podDisruptionBudget: + maxUnavailable: 1 + expose: + enabled: false + type: ClusterIP + # loadBalancerClass: "" + # loadBalancerIP: 10.0.0.0 + # loadBalancerSourceRanges: + # - 10.0.0.0/8 + # annotations: + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http + # labels: + # some-label: some-key + # internalTrafficPolicy: Local + # externalTrafficPolicy: Local + resources: + limits: + cpu: "600m" + memory: "1Gi" + requests: + cpu: "300m" + memory: "1Gi" + volumeSpec: + # emptyDir: {} + # hostPath: + # path: /data + # type: Directory + pvc: + # annotations: + # volume.beta.kubernetes.io/storage-class: example-hostpath + # labels: + # rack: rack-22 + # storageClassName: standard + # accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 3Gi + # hostAliases: + # - ip: "10.10.0.2" + # hostnames: + # - "host1" + # - "host2" + + mongos: + size: 3 + # terminationGracePeriodSeconds: 300 + # configuration: | + # systemLog: + # verbosity: 1 + # serviceAccountName: percona-server-mongodb-operator + # topologySpreadConstraints: + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: percona-server-mongodb + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + affinity: + antiAffinityTopologyKey: "kubernetes.io/hostname" + # advanced: + # podAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: security + # operator: In + # values: + # - S1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # tolerations: [] + # priorityClass: "" + # annotations: {} + # labels: {} + # podSecurityContext: {} + # containerSecurityContext: {} + # nodeSelector: {} + # livenessProbe: {} + # readinessProbe: {} + # runtimeClassName: image-rc + # sidecars: + # - image: busybox + # command: ["/bin/sh"] + # args: ["-c", "while true; do echo echo $(date -u) 'test' >> /dev/null; sleep 5;done"] + # name: rs-sidecar-1 + # volumeMounts: + # - mountPath: /volume1 + # name: sidecar-volume-claim + # sidecarPVCs: [] + # sidecarVolumes: [] + podDisruptionBudget: + maxUnavailable: 1 + resources: + limits: + cpu: "600m" + memory: "1Gi" + requests: + cpu: "300m" + memory: "1Gi" + expose: + enabled: false + type: ClusterIP + # loadBalancerClass: "" + # loadBalancerIP: 10.0.0.0/8 + # loadBalancerSourceRanges: + # - 10.0.0.0/8 + # annotations: + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http + # labels: + # some-label: some-key + # internalTrafficPolicy: Local + # externalTrafficPolicy: Local + # nodePort: 32017 + # auditLog: + # destination: file + # format: BSON + # filter: '{}' + # hostAliases: + # - ip: "10.10.0.2" + # hostnames: + # - "host1" + # - "host2" + +# users: +# - name: my-user +# db: admin +# passwordSecretRef: +# name: my-user-password +# key: my-user-password-key +# roles: +# - name: clusterAdmin +# db: admin +# - name: userAdminAnyDatabase +# db: admin +# - name: my-usr +# db: admin +# passwordSecretRef: +# name: my-user-pwd +# key: my-user-pwd-key +# roles: +# - name: dbOwner +# db: sometest + +# roles: +# - role: myClusterwideAdmin +# db: admin +# privileges: +# - resource: +# cluster: true +# actions: +# - addShard +# - resource: +# db: config +# collection: '' +# actions: +# - find +# - update +# - insert +# - remove +# roles: +# - role: read +# db: admin +# - role: my-role +# db: myDb +# privileges: +# - resource: +# db: '' +# collection: '' +# actions: +# - find +# authenticationRestrictions: +# - clientSource: +# - 127.0.0.1 +# serverAddress: +# - 127.0.0.1 + + +backup: + enabled: true + image: + repository: percona/percona-backup-mongodb + tag: 2.11.0 + # startingDeadlineSeconds: 300 + # annotations: + # iam.amazonaws.com/role: role-arn + # podSecurityContext: {} + # containerSecurityContext: {} + # resources: + # limits: + # cpu: "300m" + # memory: "1.2Gi" + # requests: + # cpu: "300m" + # memory: "1Gi" + storages: + # s3-us-west: + # main: true + # type: s3 + # s3: + # bucket: S3-BACKUP-BUCKET-NAME-HERE + # credentialsSecret: my-cluster-name-backup-s3 + # serverSideEncryption: + # kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab + # sseAlgorithm: aws:kms + # sseCustomerAlgorithm: AES256 + # sseCustomerKey: Y3VzdG9tZXIta2V5 + # retryer: + # numMaxRetries: 3 + # minRetryDelay: 30ms + # maxRetryDelay: 5m + # region: us-west-2 + # prefix: "" + # uploadPartSize: 10485760 + # maxUploadParts: 10000 + # storageClass: STANDARD + # insecureSkipTLSVerify: false + # gcs: + # type: gcs + # gcs: + # bucket: GCS-BACKUP-BUCKET-NAME-HERE + # prefix: "" + # credentialsSecret: my-cluster-name-backup-gcs + # chunkSize: 10485760 + # retryer: + # backoffInitial: 1 + # backoffMax: 30 + # backoffMultiplier: 2 + # minio: + # type: s3 + # s3: + # bucket: MINIO-BACKUP-BUCKET-NAME-HERE + # region: us-east-1 + # credentialsSecret: my-cluster-name-backup-minio + # endpointUrl: http://minio.psmdb.svc.cluster.local:9000/minio/ + # prefix: "" + # azure-blob: + # type: azure + # azure: + # container: CONTAINER-NAME + # prefix: PREFIX-NAME + # endpointUrl: https://accountName.blob.core.windows.net + # credentialsSecret: SECRET-NAME + # backup-nfs: + # type: filesystem + # filesystem: + # path: /mnt/nfs/ +# volumeMounts: +# - mountPath: /mnt/nfs/ +# name: backup-nfs + pitr: + enabled: false + oplogOnly: false + # oplogSpanMin: 10 + compressionType: gzip + compressionLevel: 6 + # configuration: + # backupOptions: + # priority: + # "localhost:28019": 2.5 + # "localhost:27018": 2.5 + # timeouts: + # startingStatus: 33 + # oplogSpanMin: 10 + # restoreOptions: + # batchSize: 500 + # numInsertionWorkers: 10 + # numDownloadWorkers: 4 + # maxDownloadBufferMb: 0 + # downloadChunkMb: 32 + # mongodLocation: /usr/bin/mongo + # mongodLocationMap: + # "node01:2017": /usr/bin/mongo + # "node03:27017": /usr/bin/mongo + tasks: + # - name: daily-s3-us-west + # enabled: true + # schedule: "0 0 * * *" + # retention: + # count: 3 + # type: count + # deleteFromStorage: true + # storageName: s3-us-west + # compressionType: gzip + # - name: weekly-s3-us-west + # enabled: false + # schedule: "0 0 * * 0" + # retention: + # count: 3 + # type: count + # deleteFromStorage: true + # storageName: s3-us-west + # compressionType: gzip + # - name: weekly-s3-us-west-physical + # enabled: false + # schedule: "0 5 * * 0" + # retention: + # count: 3 + # type: count + # deleteFromStorage: true + # type: physical + # storageName: s3-us-west + # compressionType: gzip + # compressionLevel: 6 + +# If you set systemUsers here the secret will be constructed by helm with these values +# systemUsers: +# MONGODB_BACKUP_USER: backup +# MONGODB_BACKUP_PASSWORD: backup123456 +# MONGODB_DATABASE_ADMIN_USER: databaseAdmin +# MONGODB_DATABASE_ADMIN_PASSWORD: databaseAdmin123456 +# MONGODB_CLUSTER_ADMIN_USER: clusterAdmin +# MONGODB_CLUSTER_ADMIN_PASSWORD: clusterAdmin123456 +# MONGODB_CLUSTER_MONITOR_USER: clusterMonitor +# MONGODB_CLUSTER_MONITOR_PASSWORD: clusterMonitor123456 +# MONGODB_USER_ADMIN_USER: userAdmin +# MONGODB_USER_ADMIN_PASSWORD: userAdmin123456 +# PMM_SERVER_API_KEY: apikey +# # PMM_SERVER_USER: admin +# # PMM_SERVER_PASSWORD: admin + +logcollector: + enabled: true + image: + repository: percona/fluentbit + tag: 4.0.1 +# configuration: | +# [SERVICE] +# Flush 1 +# Log_Level error +# Daemon off + resources: + requests: + memory: 100M + cpu: 200m diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/Chart.yaml new file mode 100644 index 00000000..2cf39bc0 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v2 +appVersion: 1.21.0 +description: A Helm chart for deploying the Percona Operator for MongoDB +home: https://docs.percona.com/percona-operator-for-mongodb/ +maintainers: +- email: natalia.marukovich@percona.com + name: nmarukovich +- email: julio.pasinatto@percona.com + name: jvpasinatto +- email: eleonora.zinchenko@percona.com + name: eleo007 +name: psmdb-operator +version: 1.21.1 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/LICENSE.txt b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/LICENSE.txt new file mode 100644 index 00000000..6a31453a --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/LICENSE.txt @@ -0,0 +1,13 @@ +Copyright 2019 Paul Czarkowski + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/README.md b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/README.md new file mode 100644 index 00000000..641ba820 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/README.md @@ -0,0 +1,77 @@ +# Percona Operator for MongoDB + +Percona Operator for MongoDB allows users to deploy and manage Percona Server for MongoDB Clusters on Kubernetes. +Useful links: +- [Operator Github repository](https://github.com/percona/percona-server-mongodb-operator) +- [Operator Documentation](https://www.percona.com/doc/kubernetes-operator-for-psmongodb/index.html) + +## Pre-requisites +* Kubernetes 1.30+ +* Helm v3 + +# Installation + +This chart will deploy the Operator Pod for the further Percona Server for MongoDB creation in Kubernetes. + +## Installing the chart + +To install the chart with the `psmdb` release name using a dedicated namespace (recommended): + +```sh +helm repo add percona https://percona.github.io/percona-helm-charts/ +helm install my-operator percona/psmdb-operator --version 1.21.0 --namespace my-namespace +``` + +The chart can be customized using the following configurable parameters: + +| Parameter | Description | Default | +| ---------------------------- | ------------------------------------------------------------------------------------------------------------ | ----------------------------------------- | +| `image.repository` | PSMDB Operator Container image name | `percona/percona-server-mongodb-operator` | +| `image.tag` | PSMDB Operator Container image tag | `1.21.0` | +| `image.pullPolicy` | PSMDB Operator Container pull policy | `Always` | +| `image.pullSecrets` | PSMDB Operator Pod pull secret | `[]` | +| `replicaCount` | PSMDB Operator Pod quantity | `1` | +| `tolerations` | List of node taints to tolerate | `[]` | +| `annotations` | PSMDB Operator Deployment annotations | `{}` | +| `podAnnotations` | PSMDB Operator Pod annotations | `{}` | +| `labels` | PSMDB Operator Deployment labels | `{}` | +| `podLabels` | PSMDB Operator Pod labels | `{}` | +| `resources` | Resource requests and limits | `{}` | +| `nodeSelector` | Labels for Pod assignment | `{}` | +| `podAnnotations` | Annotations for pod | `{}` | +| `podSecurityContext` | Pod Security Context | `{}` | +| `watchNamespace` | Set when a different from default namespace is needed to watch (comma separated if multiple needed) | `""` | +| `createNamespace` | Set if you want to create watched namespaces with helm | `false` | +| `rbac.create` | If false RBAC will not be created. RBAC resources will need to be created manually | `true` | +| `securityContext` | Container Security Context | `{}` | +| `serviceAccount.create` | If false the ServiceAccounts will not be created. The ServiceAccounts must be created manually | `true` | +| `serviceAccount.annotations` | PSMDB Operator ServiceAccount annotations | `{}` | +| `logStructured` | Force PSMDB operator to print JSON-wrapped log messages | `false` | +| `logLevel` | PSMDB Operator logging level | `INFO` | +| `disableTelemetry` | Disable sending PSMDB Operator telemetry data to Percona | `false` | +| `maxConcurrentReconciles` | Number of concurrent workers that can reconcile resources in Percona Server for MongoDB clusters in parallel | `1` | + +Specify parameters using `--set key=value[,key=value]` argument to `helm install` + +Alternatively a YAML file that specifies the values for the parameters can be provided like this: + +```sh +helm install psmdb-operator -f values.yaml percona/psmdb-operator +``` + +## Deploy the database + +To deploy Percona Server for MongoDB run the following command: + +```sh +helm install my-db percona/psmdb-db +``` + +See more about Percona Server for MongoDB deployment in its chart [here](https://github.com/percona/percona-helm-charts/tree/main/charts/psmdb-db) or in the [Helm chart installation guide](https://www.percona.com/doc/kubernetes-operator-for-psmongodb/helm.html). + +# Need help? + +**Commercial Support** | **Community Support** | +:-: | :-: | +|
Enterprise-grade assistance for your mission-critical database deployments in containers and Kubernetes. Get expert guidance for complex tasks like multi-cloud replication, database migration and building platforms.

|
Connect with our engineers and fellow users for general questions, troubleshooting, and sharing feedback and ideas.

| +| **[Get Percona Support](https://hubs.ly/Q02ZTH8Q0)** | **[Visit our Forum](https://forums.percona.com/)** | diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/crds/crd.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/crds/crd.yaml new file mode 100644 index 00000000..22c2882b --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/crds/crd.yaml @@ -0,0 +1,25729 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + labels: + app.kubernetes.io/component: crd + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb-operator + app.kubernetes.io/version: v1.21.0 + name: perconaservermongodbbackups.psmdb.percona.com +spec: + group: psmdb.percona.com + names: + kind: PerconaServerMongoDBBackup + listKind: PerconaServerMongoDBBackupList + plural: perconaservermongodbbackups + shortNames: + - psmdb-backup + singular: perconaservermongodbbackup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Cluster name + jsonPath: .spec.clusterName + name: Cluster + type: string + - description: Storage name + jsonPath: .spec.storageName + name: Storage + type: string + - description: Backup destination + jsonPath: .status.destination + name: Destination + type: string + - description: Backup type + jsonPath: .status.type + name: Type + type: string + - description: Backup size + jsonPath: .status.size + name: Size + type: string + - description: Job status + jsonPath: .status.state + name: Status + type: string + - description: Completed time + jsonPath: .status.completed + name: Completed + type: date + - description: Created time + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + clusterName: + type: string + compressionLevel: + type: integer + compressionType: + type: string + startingDeadlineSeconds: + format: int64 + type: integer + storageName: + type: string + type: + enum: + - logical + - physical + - incremental + - incremental-base + type: string + type: object + status: + properties: + azure: + properties: + container: + type: string + credentialsSecret: + type: string + endpointUrl: + type: string + prefix: + type: string + required: + - credentialsSecret + type: object + completed: + format: date-time + type: string + destination: + type: string + error: + type: string + filesystem: + properties: + path: + type: string + required: + - path + type: object + gcs: + properties: + bucket: + type: string + chunkSize: + type: integer + credentialsSecret: + type: string + prefix: + type: string + retryer: + properties: + backoffInitial: + format: int64 + type: integer + backoffMax: + format: int64 + type: integer + backoffMultiplier: + type: number + required: + - backoffInitial + - backoffMax + - backoffMultiplier + type: object + required: + - bucket + - credentialsSecret + type: object + lastTransition: + format: date-time + type: string + lastWriteAt: + format: date-time + type: string + latestRestorableTime: + format: date-time + type: string + pbmName: + type: string + pbmPod: + type: string + pbmPods: + additionalProperties: + type: string + type: object + replsetNames: + items: + type: string + type: array + s3: + properties: + bucket: + type: string + credentialsSecret: + type: string + debugLogLevels: + type: string + endpointUrl: + type: string + forcePathStyle: + type: boolean + insecureSkipTLSVerify: + type: boolean + maxUploadParts: + format: int32 + type: integer + prefix: + type: string + region: + type: string + retryer: + properties: + maxRetryDelay: + type: string + minRetryDelay: + type: string + numMaxRetries: + type: integer + type: object + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + type: object + storageClass: + type: string + uploadPartSize: + type: integer + required: + - bucket + type: object + size: + type: string + start: + format: date-time + type: string + state: + type: string + storageName: + type: string + type: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + labels: + app.kubernetes.io/component: crd + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb-operator + app.kubernetes.io/version: v1.21.0 + name: perconaservermongodbrestores.psmdb.percona.com +spec: + group: psmdb.percona.com + names: + kind: PerconaServerMongoDBRestore + listKind: PerconaServerMongoDBRestoreList + plural: perconaservermongodbrestores + shortNames: + - psmdb-restore + singular: perconaservermongodbrestore + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Cluster name + jsonPath: .spec.clusterName + name: Cluster + type: string + - description: Job status + jsonPath: .status.state + name: Status + type: string + - description: Created time + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + backupName: + type: string + backupSource: + properties: + azure: + properties: + container: + type: string + credentialsSecret: + type: string + endpointUrl: + type: string + prefix: + type: string + required: + - credentialsSecret + type: object + completed: + format: date-time + type: string + destination: + type: string + error: + type: string + filesystem: + properties: + path: + type: string + required: + - path + type: object + gcs: + properties: + bucket: + type: string + chunkSize: + type: integer + credentialsSecret: + type: string + prefix: + type: string + retryer: + properties: + backoffInitial: + format: int64 + type: integer + backoffMax: + format: int64 + type: integer + backoffMultiplier: + type: number + required: + - backoffInitial + - backoffMax + - backoffMultiplier + type: object + required: + - bucket + - credentialsSecret + type: object + lastTransition: + format: date-time + type: string + lastWriteAt: + format: date-time + type: string + latestRestorableTime: + format: date-time + type: string + pbmName: + type: string + pbmPod: + type: string + pbmPods: + additionalProperties: + type: string + type: object + replsetNames: + items: + type: string + type: array + s3: + properties: + bucket: + type: string + credentialsSecret: + type: string + debugLogLevels: + type: string + endpointUrl: + type: string + forcePathStyle: + type: boolean + insecureSkipTLSVerify: + type: boolean + maxUploadParts: + format: int32 + type: integer + prefix: + type: string + region: + type: string + retryer: + properties: + maxRetryDelay: + type: string + minRetryDelay: + type: string + numMaxRetries: + type: integer + type: object + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + type: object + storageClass: + type: string + uploadPartSize: + type: integer + required: + - bucket + type: object + size: + type: string + start: + format: date-time + type: string + state: + type: string + storageName: + type: string + type: + type: string + type: object + clusterName: + type: string + pitr: + properties: + date: + type: string + type: + type: string + type: object + x-kubernetes-validations: + - message: 'Time should be in format YYYY-MM-DD HH:MM:SS with valid + ranges (MM: 01-12, DD: 01-31, HH: 00-23, MM/SS: 00-59)' + rule: self.type != 'date' || (has(self.date) && self.date.matches('^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01]) + ([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$')) + - message: Date should not be used when 'latest' type is used + rule: self.type != 'latest' || !has(self.date) + replset: + type: string + selective: + properties: + namespaces: + items: + type: string + type: array + withUsersAndRoles: + type: boolean + type: object + storageName: + type: string + type: object + status: + properties: + completed: + format: date-time + type: string + error: + type: string + lastTransition: + format: date-time + type: string + pbmName: + type: string + pitrTarget: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + labels: + app.kubernetes.io/component: crd + app.kubernetes.io/name: percona-server-mongodb + app.kubernetes.io/part-of: percona-server-mongodb-operator + app.kubernetes.io/version: v1.21.0 + name: perconaservermongodbs.psmdb.percona.com +spec: + group: psmdb.percona.com + names: + kind: PerconaServerMongoDB + listKind: PerconaServerMongoDBList + plural: perconaservermongodbs + shortNames: + - psmdb + singular: perconaservermongodb + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.host + name: ENDPOINT + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: psmdb.percona.com/v1-2-0 PerconaServerMongoDB is deprecated + and will be removed in v1.17.0; see v1.13.0 release notes for instructions to + migrate to psmdb.percona.com/v1 + name: v1-2-0 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.host + name: ENDPOINT + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: psmdb.percona.com/v1-3-0 PerconaServerMongoDB is deprecated + and will be removed in v1.17.0; see v1.13.0 release notes for instructions to + migrate to psmdb.percona.com/v1 + name: v1-3-0 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.host + name: ENDPOINT + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: psmdb.percona.com/v1-4-0 PerconaServerMongoDB is deprecated + and will be removed in v1.17.0; see v1.13.0 release notes for instructions to + migrate to psmdb.percona.com/v1 + name: v1-4-0 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.host + name: ENDPOINT + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: psmdb.percona.com/v1-5-0 PerconaServerMongoDB is deprecated + and will be removed in v1.17.0; see v1.13.0 release notes for instructions to + migrate to psmdb.percona.com/v1 + name: v1-5-0 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.host + name: ENDPOINT + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: psmdb.percona.com/v1-6-0 PerconaServerMongoDB is deprecated + and will be removed in v1.17.0; see v1.13.0 release notes for instructions to + migrate to psmdb.percona.com/v1 + name: v1-6-0 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.host + name: ENDPOINT + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: psmdb.percona.com/v1-7-0 PerconaServerMongoDB is deprecated + and will be removed in v1.17.0; see v1.13.0 release notes for instructions to + migrate to psmdb.percona.com/v1 + name: v1-7-0 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.host + name: ENDPOINT + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: psmdb.percona.com/v1-8-0 PerconaServerMongoDB is deprecated + and will be removed in v1.17.0; see v1.13.0 release notes for instructions to + migrate to psmdb.percona.com/v1 + name: v1-8-0 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.host + name: ENDPOINT + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: psmdb.percona.com/v1-9-0 PerconaServerMongoDB is deprecated + and will be removed in v1.17.0; see v1.13.0 release notes for instructions to + migrate to psmdb.percona.com/v1 + name: v1-9-0 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: false + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.host + name: ENDPOINT + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: psmdb.percona.com/v1-10-0 PerconaServerMongoDB is deprecated + and will be removed in v1.17.0; see v1.13.0 release notes for instructions to + migrate to psmdb.percona.com/v1 + name: v1-10-0 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.host + name: ENDPOINT + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: psmdb.percona.com/v1-11-0 PerconaServerMongoDB is deprecated + and will be removed in v1.17.0; see v1.13.0 release notes for instructions to + migrate to psmdb.percona.com/v1 + name: v1-11-0 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.host + name: ENDPOINT + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: psmdb.percona.com/v1-12-0 PerconaServerMongoDB is deprecated + and will be removed in v1.17.0; see v1.13.0 release notes for instructions to + migrate to psmdb.percona.com/v1 + name: v1-12-0 + schema: + openAPIV3Schema: + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.host + name: ENDPOINT + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + allowUnsafeConfigurations: + type: boolean + backup: + properties: + annotations: + additionalProperties: + type: string + type: object + configuration: + properties: + backupOptions: + properties: + numParallelCollections: + type: integer + oplogSpanMin: + type: number + priority: + additionalProperties: + type: number + type: object + timeouts: + properties: + startingStatus: + format: int32 + type: integer + type: object + required: + - oplogSpanMin + type: object + restoreOptions: + properties: + batchSize: + type: integer + downloadChunkMb: + type: integer + maxDownloadBufferMb: + type: integer + mongodLocation: + type: string + mongodLocationMap: + additionalProperties: + type: string + type: object + numDownloadWorkers: + type: integer + numInsertionWorkers: + type: integer + numParallelCollections: + type: integer + type: object + type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + enabled: + type: boolean + image: + type: string + labels: + additionalProperties: + type: string + type: object + pitr: + properties: + compressionLevel: + type: integer + compressionType: + type: string + enabled: + type: boolean + oplogOnly: + type: boolean + oplogSpanMin: + type: number + type: object + podSecurityContext: + properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxChangePolicy: + type: string + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + type: string + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + runtimeClassName: + type: string + serviceAccountName: + type: string + startingDeadlineSeconds: + format: int64 + type: integer + storages: + additionalProperties: + properties: + azure: + properties: + container: + type: string + credentialsSecret: + type: string + endpointUrl: + type: string + prefix: + type: string + required: + - credentialsSecret + type: object + filesystem: + properties: + path: + type: string + required: + - path + type: object + gcs: + properties: + bucket: + type: string + chunkSize: + type: integer + credentialsSecret: + type: string + prefix: + type: string + retryer: + properties: + backoffInitial: + format: int64 + type: integer + backoffMax: + format: int64 + type: integer + backoffMultiplier: + type: number + required: + - backoffInitial + - backoffMax + - backoffMultiplier + type: object + required: + - bucket + - credentialsSecret + type: object + main: + type: boolean + s3: + properties: + bucket: + type: string + credentialsSecret: + type: string + debugLogLevels: + type: string + endpointUrl: + type: string + forcePathStyle: + type: boolean + insecureSkipTLSVerify: + type: boolean + maxUploadParts: + format: int32 + type: integer + prefix: + type: string + region: + type: string + retryer: + properties: + maxRetryDelay: + type: string + minRetryDelay: + type: string + numMaxRetries: + type: integer + type: object + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + type: object + storageClass: + type: string + uploadPartSize: + type: integer + required: + - bucket + type: object + type: + type: string + required: + - type + type: object + type: object + tasks: + items: + properties: + compressionLevel: + type: integer + compressionType: + type: string + enabled: + type: boolean + keep: + type: integer + name: + type: string + retention: + properties: + count: + minimum: 0 + type: integer + deleteFromStorage: + default: true + type: boolean + type: + enum: + - count + type: string + required: + - deleteFromStorage + - type + type: object + schedule: + type: string + storageName: + type: string + type: + enum: + - logical + - physical + - incremental + - incremental-base + type: string + required: + - enabled + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + required: + - enabled + - image + type: object + clusterServiceDNSMode: + type: string + clusterServiceDNSSuffix: + type: string + crVersion: + type: string + enableExternalVolumeAutoscaling: + type: boolean + enableVolumeExpansion: + type: boolean + ignoreAnnotations: + items: + type: string + type: array + ignoreLabels: + items: + type: string + type: array + image: + type: string + imagePullPolicy: + type: string + imagePullSecrets: + items: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + initImage: + type: string + logcollector: + properties: + configuration: + type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + enabled: + type: boolean + image: + type: string + imagePullPolicy: + type: string + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + type: object + multiCluster: + properties: + DNSSuffix: + type: string + enabled: + type: boolean + required: + - enabled + type: object + pause: + type: boolean + platform: + type: string + pmm: + properties: + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + customClusterName: + type: string + enabled: + type: boolean + image: + type: string + mongodParams: + type: string + mongosParams: + type: string + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + serverHost: + type: string + required: + - image + type: object + replsets: + items: + properties: + affinity: + properties: + advanced: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + antiAffinityTopologyKey: + type: string + type: object + annotations: + additionalProperties: + type: string + type: object + arbiter: + properties: + affinity: + properties: + advanced: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + antiAffinityTopologyKey: + type: string + type: object + annotations: + additionalProperties: + type: string + type: object + enabled: + type: boolean + labels: + additionalProperties: + type: string + type: object + nodeSelector: + additionalProperties: + type: string + type: object + podDisruptionBudget: + properties: + maxUnavailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + minAvailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + priorityClassName: + type: string + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + runtimeClassName: + type: string + serviceAccountName: + type: string + sidecarPVCs: + items: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + status: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + conditions: + items: + properties: + lastProbeTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: + type: string + type: object + type: object + type: array + sidecarVolumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + default: ext4 + type: string + kind: + type: string + readOnly: + default: false + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + default: default + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + properties: + certificateChainPath: + type: string + credentialBundlePath: + type: string + keyPath: + type: string + keyType: + type: string + maxExpirationSeconds: + format: int32 + type: integer + signerName: + type: string + required: + - keyType + - signerName + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + default: /etc/ceph/keyring + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + default: xfs + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + default: ThinProvisioned + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + sidecars: + items: + properties: + args: + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + properties: + key: + type: string + optional: + default: false + type: boolean + path: + type: string + volumeName: + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + stopSignal: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + restartPolicy: + type: string + restartPolicyRules: + items: + properties: + action: + type: string + exitCodes: + properties: + operator: + type: string + values: + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + type: string + required: + - name + type: object + type: array + size: + format: int32 + type: integer + terminationGracePeriodSeconds: + format: int64 + type: integer + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + required: + - enabled + - size + type: object + clusterRole: + type: string + configuration: + type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + expose: + properties: + annotations: + additionalProperties: + type: string + type: object + enabled: + type: boolean + exposeType: + type: string + externalTrafficPolicy: + type: string + internalTrafficPolicy: + type: string + labels: + additionalProperties: + type: string + type: object + loadBalancerClass: + type: string + loadBalancerSourceRanges: + items: + type: string + type: array + serviceAnnotations: + additionalProperties: + type: string + type: object + serviceLabels: + additionalProperties: + type: string + type: object + type: + type: string + required: + - enabled + type: object + externalNodes: + items: + properties: + horizons: + additionalProperties: + type: string + type: object + host: + type: string + port: + type: integer + priority: + type: integer + tags: + additionalProperties: + type: string + type: object + votes: + type: integer + required: + - host + - priority + - votes + type: object + type: array + hidden: + properties: + affinity: + properties: + advanced: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + antiAffinityTopologyKey: + type: string + type: object + annotations: + additionalProperties: + type: string + type: object + configuration: + type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + enabled: + type: boolean + labels: + additionalProperties: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + startupDelaySeconds: + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + type: object + podDisruptionBudget: + properties: + maxUnavailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + minAvailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + podSecurityContext: + properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxChangePolicy: + type: string + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + type: string + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + priorityClassName: + type: string + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + runtimeClassName: + type: string + serviceAccountName: + type: string + sidecarPVCs: + items: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + status: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + conditions: + items: + properties: + lastProbeTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: + type: string + type: object + type: object + type: array + sidecarVolumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + default: ext4 + type: string + kind: + type: string + readOnly: + default: false + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + default: default + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + properties: + certificateChainPath: + type: string + credentialBundlePath: + type: string + keyPath: + type: string + keyType: + type: string + maxExpirationSeconds: + format: int32 + type: integer + signerName: + type: string + required: + - keyType + - signerName + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + default: /etc/ceph/keyring + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + default: xfs + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + default: ThinProvisioned + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + sidecars: + items: + properties: + args: + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + properties: + key: + type: string + optional: + default: false + type: boolean + path: + type: string + volumeName: + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + stopSignal: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + restartPolicy: + type: string + restartPolicyRules: + items: + properties: + action: + type: string + exitCodes: + properties: + operator: + type: string + values: + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + type: string + required: + - name + type: object + type: array + size: + format: int32 + type: integer + terminationGracePeriodSeconds: + format: int64 + type: integer + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + volumeSpec: + properties: + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + persistentVolumeClaim: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + annotations: + additionalProperties: + type: string + type: object + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + labels: + additionalProperties: + type: string + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + type: object + required: + - enabled + - size + type: object + hostAliases: + items: + properties: + hostnames: + items: + type: string + type: array + x-kubernetes-list-type: atomic + ip: + type: string + required: + - ip + type: object + type: array + labels: + additionalProperties: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + startupDelaySeconds: + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + nonvoting: + properties: + affinity: + properties: + advanced: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + antiAffinityTopologyKey: + type: string + type: object + annotations: + additionalProperties: + type: string + type: object + configuration: + type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + enabled: + type: boolean + labels: + additionalProperties: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + startupDelaySeconds: + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + type: object + podDisruptionBudget: + properties: + maxUnavailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + minAvailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + podSecurityContext: + properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxChangePolicy: + type: string + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + type: string + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + priorityClassName: + type: string + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + runtimeClassName: + type: string + serviceAccountName: + type: string + sidecarPVCs: + items: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + status: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + conditions: + items: + properties: + lastProbeTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: + type: string + type: object + type: object + type: array + sidecarVolumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + default: ext4 + type: string + kind: + type: string + readOnly: + default: false + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + default: default + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + properties: + certificateChainPath: + type: string + credentialBundlePath: + type: string + keyPath: + type: string + keyType: + type: string + maxExpirationSeconds: + format: int32 + type: integer + signerName: + type: string + required: + - keyType + - signerName + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + default: /etc/ceph/keyring + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + default: xfs + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + default: ThinProvisioned + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + sidecars: + items: + properties: + args: + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + properties: + key: + type: string + optional: + default: false + type: boolean + path: + type: string + volumeName: + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + stopSignal: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + restartPolicy: + type: string + restartPolicyRules: + items: + properties: + action: + type: string + exitCodes: + properties: + operator: + type: string + values: + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + type: string + required: + - name + type: object + type: array + size: + format: int32 + type: integer + terminationGracePeriodSeconds: + format: int64 + type: integer + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + volumeSpec: + properties: + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + persistentVolumeClaim: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + annotations: + additionalProperties: + type: string + type: object + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + labels: + additionalProperties: + type: string + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + type: object + required: + - enabled + - size + type: object + podDisruptionBudget: + properties: + maxUnavailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + minAvailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + podSecurityContext: + properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxChangePolicy: + type: string + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + type: string + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + primaryPreferTagSelector: + additionalProperties: + type: string + type: object + priorityClassName: + type: string + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + replsetOverrides: + additionalProperties: + properties: + horizons: + additionalProperties: + type: string + type: object + host: + type: string + priority: + type: integer + tags: + additionalProperties: + type: string + type: object + type: object + type: object + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + runtimeClassName: + type: string + serviceAccountName: + type: string + sidecarPVCs: + items: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + status: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + conditions: + items: + properties: + lastProbeTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: + type: string + type: object + type: object + type: array + sidecarVolumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + default: ext4 + type: string + kind: + type: string + readOnly: + default: false + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + default: default + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + properties: + certificateChainPath: + type: string + credentialBundlePath: + type: string + keyPath: + type: string + keyType: + type: string + maxExpirationSeconds: + format: int32 + type: integer + signerName: + type: string + required: + - keyType + - signerName + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + default: /etc/ceph/keyring + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + default: xfs + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + default: ThinProvisioned + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + sidecars: + items: + properties: + args: + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + properties: + key: + type: string + optional: + default: false + type: boolean + path: + type: string + volumeName: + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + stopSignal: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + restartPolicy: + type: string + restartPolicyRules: + items: + properties: + action: + type: string + exitCodes: + properties: + operator: + type: string + values: + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + type: string + required: + - name + type: object + type: array + size: + format: int32 + type: integer + splitHorizons: + additionalProperties: + additionalProperties: + type: string + type: object + type: object + storage: + properties: + directoryPerDB: + type: boolean + engine: + type: string + inMemory: + properties: + engineConfig: + properties: + inMemorySizeRatio: + type: number + type: object + type: object + mmapv1: + properties: + nsSize: + type: integer + smallfiles: + type: boolean + type: object + syncPeriodSecs: + type: integer + wiredTiger: + properties: + collectionConfig: + properties: + blockCompressor: + type: string + type: object + engineConfig: + properties: + cacheSizeRatio: + type: number + directoryForIndexes: + type: boolean + journalCompressor: + type: string + type: object + indexConfig: + properties: + prefixCompression: + type: boolean + type: object + type: object + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + volumeSpec: + properties: + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + persistentVolumeClaim: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + annotations: + additionalProperties: + type: string + type: object + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + labels: + additionalProperties: + type: string + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + type: object + required: + - size + type: object + type: array + roles: + items: + properties: + authenticationRestrictions: + items: + properties: + clientSource: + items: + type: string + type: array + serverAddress: + items: + type: string + type: array + type: object + type: array + db: + type: string + privileges: + items: + properties: + actions: + items: + type: string + type: array + resource: + properties: + cluster: + type: boolean + collection: + type: string + db: + type: string + type: object + required: + - actions + type: object + type: array + role: + type: string + roles: + items: + properties: + db: + type: string + role: + type: string + required: + - db + - role + type: object + type: array + required: + - db + - privileges + - role + type: object + type: array + schedulerName: + type: string + secrets: + properties: + encryptionKey: + type: string + keyFile: + type: string + ldapSecret: + type: string + sse: + type: string + ssl: + type: string + sslInternal: + type: string + users: + type: string + vault: + type: string + type: object + sharding: + properties: + balancer: + properties: + enabled: + type: boolean + type: object + configsvrReplSet: + properties: + affinity: + properties: + advanced: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + antiAffinityTopologyKey: + type: string + type: object + annotations: + additionalProperties: + type: string + type: object + arbiter: + properties: + affinity: + properties: + advanced: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + antiAffinityTopologyKey: + type: string + type: object + annotations: + additionalProperties: + type: string + type: object + enabled: + type: boolean + labels: + additionalProperties: + type: string + type: object + nodeSelector: + additionalProperties: + type: string + type: object + podDisruptionBudget: + properties: + maxUnavailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + minAvailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + priorityClassName: + type: string + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + runtimeClassName: + type: string + serviceAccountName: + type: string + sidecarPVCs: + items: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + status: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + conditions: + items: + properties: + lastProbeTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: + type: string + type: object + type: object + type: array + sidecarVolumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + default: ext4 + type: string + kind: + type: string + readOnly: + default: false + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + default: default + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + properties: + certificateChainPath: + type: string + credentialBundlePath: + type: string + keyPath: + type: string + keyType: + type: string + maxExpirationSeconds: + format: int32 + type: integer + signerName: + type: string + required: + - keyType + - signerName + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + default: /etc/ceph/keyring + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + default: xfs + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + default: ThinProvisioned + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + sidecars: + items: + properties: + args: + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + properties: + key: + type: string + optional: + default: false + type: boolean + path: + type: string + volumeName: + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + stopSignal: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + restartPolicy: + type: string + restartPolicyRules: + items: + properties: + action: + type: string + exitCodes: + properties: + operator: + type: string + values: + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + type: string + required: + - name + type: object + type: array + size: + format: int32 + type: integer + terminationGracePeriodSeconds: + format: int64 + type: integer + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + required: + - enabled + - size + type: object + clusterRole: + type: string + configuration: + type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + expose: + properties: + annotations: + additionalProperties: + type: string + type: object + enabled: + type: boolean + exposeType: + type: string + externalTrafficPolicy: + type: string + internalTrafficPolicy: + type: string + labels: + additionalProperties: + type: string + type: object + loadBalancerClass: + type: string + loadBalancerSourceRanges: + items: + type: string + type: array + serviceAnnotations: + additionalProperties: + type: string + type: object + serviceLabels: + additionalProperties: + type: string + type: object + type: + type: string + required: + - enabled + type: object + externalNodes: + items: + properties: + horizons: + additionalProperties: + type: string + type: object + host: + type: string + port: + type: integer + priority: + type: integer + tags: + additionalProperties: + type: string + type: object + votes: + type: integer + required: + - host + - priority + - votes + type: object + type: array + hidden: + properties: + affinity: + properties: + advanced: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + antiAffinityTopologyKey: + type: string + type: object + annotations: + additionalProperties: + type: string + type: object + configuration: + type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + enabled: + type: boolean + labels: + additionalProperties: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + startupDelaySeconds: + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + type: object + podDisruptionBudget: + properties: + maxUnavailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + minAvailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + podSecurityContext: + properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxChangePolicy: + type: string + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + type: string + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + priorityClassName: + type: string + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + runtimeClassName: + type: string + serviceAccountName: + type: string + sidecarPVCs: + items: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + status: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + conditions: + items: + properties: + lastProbeTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: + type: string + type: object + type: object + type: array + sidecarVolumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + default: ext4 + type: string + kind: + type: string + readOnly: + default: false + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + default: default + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + properties: + certificateChainPath: + type: string + credentialBundlePath: + type: string + keyPath: + type: string + keyType: + type: string + maxExpirationSeconds: + format: int32 + type: integer + signerName: + type: string + required: + - keyType + - signerName + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + default: /etc/ceph/keyring + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + default: xfs + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + default: ThinProvisioned + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + sidecars: + items: + properties: + args: + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + properties: + key: + type: string + optional: + default: false + type: boolean + path: + type: string + volumeName: + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + stopSignal: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + restartPolicy: + type: string + restartPolicyRules: + items: + properties: + action: + type: string + exitCodes: + properties: + operator: + type: string + values: + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + type: string + required: + - name + type: object + type: array + size: + format: int32 + type: integer + terminationGracePeriodSeconds: + format: int64 + type: integer + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + volumeSpec: + properties: + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + persistentVolumeClaim: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + annotations: + additionalProperties: + type: string + type: object + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + labels: + additionalProperties: + type: string + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + type: object + required: + - enabled + - size + type: object + hostAliases: + items: + properties: + hostnames: + items: + type: string + type: array + x-kubernetes-list-type: atomic + ip: + type: string + required: + - ip + type: object + type: array + labels: + additionalProperties: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + startupDelaySeconds: + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + nonvoting: + properties: + affinity: + properties: + advanced: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + antiAffinityTopologyKey: + type: string + type: object + annotations: + additionalProperties: + type: string + type: object + configuration: + type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + enabled: + type: boolean + labels: + additionalProperties: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + startupDelaySeconds: + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + type: object + podDisruptionBudget: + properties: + maxUnavailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + minAvailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + podSecurityContext: + properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxChangePolicy: + type: string + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + type: string + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + priorityClassName: + type: string + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + runtimeClassName: + type: string + serviceAccountName: + type: string + sidecarPVCs: + items: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + status: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + conditions: + items: + properties: + lastProbeTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: + type: string + type: object + type: object + type: array + sidecarVolumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + default: ext4 + type: string + kind: + type: string + readOnly: + default: false + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + default: default + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + properties: + certificateChainPath: + type: string + credentialBundlePath: + type: string + keyPath: + type: string + keyType: + type: string + maxExpirationSeconds: + format: int32 + type: integer + signerName: + type: string + required: + - keyType + - signerName + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + default: /etc/ceph/keyring + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + default: xfs + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + default: ThinProvisioned + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + sidecars: + items: + properties: + args: + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + properties: + key: + type: string + optional: + default: false + type: boolean + path: + type: string + volumeName: + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + stopSignal: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + restartPolicy: + type: string + restartPolicyRules: + items: + properties: + action: + type: string + exitCodes: + properties: + operator: + type: string + values: + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + type: string + required: + - name + type: object + type: array + size: + format: int32 + type: integer + terminationGracePeriodSeconds: + format: int64 + type: integer + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + volumeSpec: + properties: + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + persistentVolumeClaim: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + annotations: + additionalProperties: + type: string + type: object + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + labels: + additionalProperties: + type: string + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + type: object + required: + - enabled + - size + type: object + podDisruptionBudget: + properties: + maxUnavailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + minAvailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + podSecurityContext: + properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxChangePolicy: + type: string + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + type: string + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + primaryPreferTagSelector: + additionalProperties: + type: string + type: object + priorityClassName: + type: string + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + replsetOverrides: + additionalProperties: + properties: + horizons: + additionalProperties: + type: string + type: object + host: + type: string + priority: + type: integer + tags: + additionalProperties: + type: string + type: object + type: object + type: object + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + runtimeClassName: + type: string + serviceAccountName: + type: string + sidecarPVCs: + items: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + status: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + conditions: + items: + properties: + lastProbeTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: + type: string + type: object + type: object + type: array + sidecarVolumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + default: ext4 + type: string + kind: + type: string + readOnly: + default: false + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + default: default + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + properties: + certificateChainPath: + type: string + credentialBundlePath: + type: string + keyPath: + type: string + keyType: + type: string + maxExpirationSeconds: + format: int32 + type: integer + signerName: + type: string + required: + - keyType + - signerName + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + default: /etc/ceph/keyring + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + default: xfs + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + default: ThinProvisioned + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + sidecars: + items: + properties: + args: + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + properties: + key: + type: string + optional: + default: false + type: boolean + path: + type: string + volumeName: + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + stopSignal: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + restartPolicy: + type: string + restartPolicyRules: + items: + properties: + action: + type: string + exitCodes: + properties: + operator: + type: string + values: + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + type: string + required: + - name + type: object + type: array + size: + format: int32 + type: integer + splitHorizons: + additionalProperties: + additionalProperties: + type: string + type: object + type: object + storage: + properties: + directoryPerDB: + type: boolean + engine: + type: string + inMemory: + properties: + engineConfig: + properties: + inMemorySizeRatio: + type: number + type: object + type: object + mmapv1: + properties: + nsSize: + type: integer + smallfiles: + type: boolean + type: object + syncPeriodSecs: + type: integer + wiredTiger: + properties: + collectionConfig: + properties: + blockCompressor: + type: string + type: object + engineConfig: + properties: + cacheSizeRatio: + type: number + directoryForIndexes: + type: boolean + journalCompressor: + type: string + type: object + indexConfig: + properties: + prefixCompression: + type: boolean + type: object + type: object + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + volumeSpec: + properties: + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + persistentVolumeClaim: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + annotations: + additionalProperties: + type: string + type: object + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + labels: + additionalProperties: + type: string + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + type: object + required: + - size + type: object + enabled: + type: boolean + mongos: + properties: + affinity: + properties: + advanced: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + antiAffinityTopologyKey: + type: string + type: object + annotations: + additionalProperties: + type: string + type: object + configuration: + type: string + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + expose: + properties: + annotations: + additionalProperties: + type: string + type: object + exposeType: + type: string + externalTrafficPolicy: + type: string + internalTrafficPolicy: + type: string + labels: + additionalProperties: + type: string + type: object + loadBalancerClass: + type: string + loadBalancerSourceRanges: + items: + type: string + type: array + nodePort: + format: int32 + type: integer + serviceAnnotations: + additionalProperties: + type: string + type: object + serviceLabels: + additionalProperties: + type: string + type: object + servicePerPod: + type: boolean + type: + type: string + type: object + hostAliases: + items: + properties: + hostnames: + items: + type: string + type: array + x-kubernetes-list-type: atomic + ip: + type: string + required: + - ip + type: object + type: array + hostPort: + format: int32 + type: integer + labels: + additionalProperties: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + startupDelaySeconds: + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + type: object + podDisruptionBudget: + properties: + maxUnavailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + minAvailable: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + podSecurityContext: + properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxChangePolicy: + type: string + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + type: string + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + port: + format: int32 + type: integer + priorityClassName: + type: string + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + runtimeClassName: + type: string + serviceAccountName: + type: string + setParameter: + properties: + cursorTimeoutMillis: + type: integer + type: object + sidecarPVCs: + items: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + status: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + conditions: + items: + properties: + lastProbeTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: + type: string + type: object + type: object + type: array + sidecarVolumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + default: ext4 + type: string + kind: + type: string + readOnly: + default: false + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + default: default + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + properties: + certificateChainPath: + type: string + credentialBundlePath: + type: string + keyPath: + type: string + keyType: + type: string + maxExpirationSeconds: + format: int32 + type: integer + signerName: + type: string + required: + - keyType + - signerName + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + default: /etc/ceph/keyring + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + default: xfs + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + default: ThinProvisioned + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + sidecars: + items: + properties: + args: + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + properties: + key: + type: string + optional: + default: false + type: boolean + path: + type: string + volumeName: + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + stopSignal: + type: string + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + restartPolicy: + type: string + restartPolicyRules: + items: + properties: + action: + type: string + exitCodes: + properties: + operator: + type: string + values: + items: + format: int32 + type: integer + type: array + x-kubernetes-list-type: set + required: + - operator + type: object + required: + - action + type: object + type: array + x-kubernetes-list-type: atomic + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + type: string + required: + - name + type: object + type: array + size: + format: int32 + type: integer + terminationGracePeriodSeconds: + format: int64 + type: integer + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + required: + - enabled + type: object + tls: + properties: + allowInvalidCertificates: + type: boolean + certValidityDuration: + type: string + issuerConf: + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + mode: + type: string + type: object + unmanaged: + type: boolean + unsafeFlags: + properties: + backupIfUnhealthy: + type: boolean + mongosSize: + type: boolean + replsetSize: + type: boolean + terminationGracePeriod: + type: boolean + tls: + type: boolean + type: object + updateStrategy: + type: string + upgradeOptions: + properties: + apply: + type: string + schedule: + type: string + setFCV: + type: boolean + versionServiceEndpoint: + type: string + type: object + users: + items: + properties: + db: + type: string + name: + type: string + passwordSecretRef: + properties: + key: + type: string + name: + type: string + required: + - name + type: object + roles: + items: + properties: + db: + type: string + name: + type: string + required: + - db + - name + type: object + type: array + required: + - name + - roles + type: object + type: array + required: + - image + type: object + status: + properties: + backupConfigHash: + type: string + backupImage: + type: string + backupVersion: + type: string + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + host: + type: string + message: + type: string + mongoImage: + type: string + mongoVersion: + type: string + mongos: + properties: + message: + type: string + ready: + type: integer + size: + type: integer + status: + type: string + required: + - ready + - size + type: object + observedGeneration: + format: int64 + type: integer + pmmStatus: + type: string + pmmVersion: + type: string + ready: + format: int32 + type: integer + replsets: + additionalProperties: + properties: + added_as_shard: + type: boolean + clusterRole: + type: string + initialized: + type: boolean + members: + additionalProperties: + properties: + name: + type: string + state: + type: integer + stateStr: + type: string + type: object + type: object + message: + type: string + ready: + format: int32 + type: integer + size: + format: int32 + type: integer + status: + type: string + required: + - ready + - size + type: object + type: object + size: + format: int32 + type: integer + state: + type: string + required: + - ready + - size + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/NOTES.txt b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/NOTES.txt new file mode 100644 index 00000000..9276ae03 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/NOTES.txt @@ -0,0 +1,40 @@ +1. Percona Operator for MongoDB is deployed. + See if the operator Pod is running: + + kubectl get pods -l app.kubernetes.io/name=psmdb-operator --namespace {{ .Release.Namespace }} + + Check the operator logs if the Pod is not starting: + + export POD=$(kubectl get pods -l app.kubernetes.io/name=psmdb-operator --namespace {{ .Release.Namespace }} --output name) + kubectl logs $POD --namespace={{ .Release.Namespace }} + +2. Deploy the database cluster from psmdb-db chart: + + helm install my-db percona/psmdb-db --namespace={{ .Release.Namespace }} + +{{- if .Release.IsUpgrade }} + {{- $ctx := dict "upgradeCrd" false }} + {{- $crdNames := list "perconaservermongodbbackups.psmdb.percona.com" "perconaservermongodbrestores.psmdb.percona.com " "perconaservermongodbs.psmdb.percona.com" }} + {{- range $name := $crdNames }} + {{- $crd := lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $name }} + {{- if $crd }} + {{- $crdLabels := (($crd).metadata).labels | default dict }} + {{- $crdVersion := index $crdLabels "app.kubernetes.io/version" }} + {{- if or (not $crdVersion) (semverCompare (printf "< %s" $.Chart.AppVersion) (trimPrefix "v" $crdVersion)) }} + {{- $_ := set $ctx "upgradeCrd" true }} + {{- end }} + {{- end }} + {{- end }} + {{- if $ctx.upgradeCrd }} + +** WARNING ** During Helm upgrade CRDs are not automatically upgraded. + +Consider upgrading to the latest version of the CRDs using the command below: + + kubectl apply --server-side --force-conflicts -f https://raw.githubusercontent.com/percona/percona-server-mongodb-operator/v{{ .Chart.AppVersion }}/deploy/crd.yaml + +Ensure all deprecated fields are reviewed as part of the upgrade process, especially when running multiple PSMDB Operator versions in the same cluster. Deprecated fields may be removed or unsupported in newer CRD versions. + {{- end }} +{{- end }} + +Read more in our documentation: https://docs.percona.com/percona-operator-for-mongodb/ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/_helpers.tpl new file mode 100644 index 00000000..1bf81ed1 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/_helpers.tpl @@ -0,0 +1,45 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "psmdb-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "psmdb-operator.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "psmdb-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "psmdb-operator.labels" -}} +app.kubernetes.io/name: {{ include "psmdb-operator.name" . }} +helm.sh/chart: {{ include "psmdb-operator.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/deployment.yaml new file mode 100644 index 00000000..14e2eb89 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/deployment.yaml @@ -0,0 +1,112 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "psmdb-operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "psmdb-operator.labels" . | nindent 4 }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "psmdb-operator.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "psmdb-operator.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "psmdb-operator.fullname" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - containerPort: 8080 + protocol: TCP + name: metrics + - containerPort: 8081 + protocol: TCP + name: health + command: + - percona-server-mongodb-operator + {{- if .Values.securityContext.readOnlyRootFilesystem }} + volumeMounts: + - name: tmpdir + mountPath: /tmp + {{- end }} + env: + - name: LOG_STRUCTURED + value: "{{ .Values.logStructured }}" + - name: LOG_LEVEL + value: "{{ .Values.logLevel }}" + - name: WATCH_NAMESPACE + {{- if .Values.watchAllNamespaces }} + value: "" + {{- else }} + value: "{{ default .Release.Namespace .Values.watchNamespace }}" + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: {{ default "percona-server-mongodb-operator" .Values.operatorName }} + - name: RESYNC_PERIOD + value: "{{ .Values.env.resyncPeriod }}" + - name: DISABLE_TELEMETRY + value: "{{ .Values.disableTelemetry }}" + {{- if .Values.maxConcurrentReconciles }} + - name: MAX_CONCURRENT_RECONCILES + value: "{{ .Values.maxConcurrentReconciles }}" + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: health + readinessProbe: + httpGet: + path: /healthz + port: health + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.securityContext.readOnlyRootFilesystem }} + volumes: + - name: tmpdir + emptyDir: {} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/namespace.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/namespace.yaml new file mode 100644 index 00000000..cfc96d4d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/namespace.yaml @@ -0,0 +1,11 @@ +{{ if and .Values.watchNamespace .Values.createNamespace }} +{{ range ( split "," .Values.watchNamespace ) }} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ trim . }} + annotations: + helm.sh/resource-policy: keep +--- +{{ end }} +{{ end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/role-binding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/role-binding.yaml new file mode 100644 index 00000000..a815869d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/role-binding.yaml @@ -0,0 +1,41 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "psmdb-operator.fullname" . }} + namespace: {{ .Release.Namespace }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- if .Values.rbac.create }} +{{- if or .Values.watchNamespace .Values.watchAllNamespaces }} +kind: ClusterRoleBinding +{{- else }} +kind: RoleBinding +{{- end }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: service-account-{{ include "psmdb-operator.fullname" . }} +{{- if not (or .Values.watchNamespace .Values.watchAllNamespaces) }} + namespace: {{ .Release.Namespace }} +{{- end }} + labels: +{{ include "psmdb-operator.labels" . | indent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "psmdb-operator.fullname" . }} + {{- if or .Values.watchNamespace .Values.watchAllNamespaces }} + namespace: {{ .Release.Namespace }} + {{- end }} +roleRef: + {{- if or .Values.watchNamespace .Values.watchAllNamespaces }} + kind: ClusterRole + {{- else }} + kind: Role + {{- end }} + name: {{ include "psmdb-operator.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/role.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/role.yaml new file mode 100644 index 00000000..4d65e6a7 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/templates/role.yaml @@ -0,0 +1,167 @@ +{{- if .Values.rbac.create }} +{{- if or .Values.watchNamespace .Values.watchAllNamespaces }} +kind: ClusterRole +{{- else }} +kind: Role +{{- end }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "psmdb-operator.fullname" . }} +{{- if not (or .Values.watchNamespace .Values.watchAllNamespaces) }} + namespace: {{ .Release.Namespace }} +{{- end }} + labels: +{{ include "psmdb-operator.labels" . | indent 4 }} +rules: + - apiGroups: + - psmdb.percona.com + resources: + - perconaservermongodbs + - perconaservermongodbs/status + - perconaservermongodbs/finalizers + - perconaservermongodbbackups + - perconaservermongodbbackups/status + - perconaservermongodbbackups/finalizers + - perconaservermongodbrestores + - perconaservermongodbrestores/status + - perconaservermongodbrestores/finalizers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if or .Values.watchNamespace .Values.watchAllNamespaces }} + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +{{- end }} + - apiGroups: + - "" + resources: + - pods + - pods/exec + - services + - persistentvolumeclaims + - secrets + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - apps + resources: + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - batch + resources: + - cronjobs + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - events.k8s.io + - "" + resources: + - events + verbs: + - get + - list + - watch + - create + - patch + - apiGroups: + - certmanager.k8s.io + - cert-manager.io + resources: + - issuers + - certificates + - certificaterequests + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - deletecollection + - apiGroups: + - net.gke.io + - multicluster.x-k8s.io + resources: + - serviceexports + - serviceimports + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - deletecollection +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/values.yaml new file mode 100644 index 00000000..efe85940 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/charts/psmdb-operator/values.yaml @@ -0,0 +1,103 @@ +# Default values for psmdb-operator. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: percona/percona-server-mongodb-operator + tag: 1.21.0 + pullPolicy: IfNotPresent + +# disableTelemetry: according to +# https://docs.percona.com/percona-operator-for-mongodb/telemetry.html +# this is how you can disable telemetry collection +# default is false which means telemetry will be collected +disableTelemetry: false + +# set if you want to specify a namespace to watch +# defaults to `.Release.namespace` if left blank +# multiple namespaces can be specified and separated by comma +# watchNamespace: +# set if you want that watched namespaces are created by helm +# createNamespace: false + +# set if operator should be deployed in cluster wide mode. defaults to false +watchAllNamespaces: false + +# rbac: settings for deployer RBAC creation +rbac: + # rbac.create: if false RBAC resources should be in place + create: true + +# serviceAccount: settings for Service Accounts used by the deployer +serviceAccount: + # serviceAccount.create: Whether to create the Service Accounts or not + create: true + # annotations to add to the service account + annotations: {} + +# annotations to add to the operator deployment +annotations: {} + +# labels to add to the operator deployment +labels: {} + +# annotations to add to the operator pod +podAnnotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: "8080" + +# labels to the operator pod +podLabels: {} + +podSecurityContext: {} + # runAsNonRoot: true + # runAsUser: 2 + # runAsGroup: 2 + # fsGroup: 2 + # fsGroupChangePolicy: "OnRootMismatch" + +securityContext: {} + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - ALL + # seccompProfile: + # type: RuntimeDefault + +# set if you want to use a different operator name +# defaults to `percona-server-mongodb-operator` +# operatorName: + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +env: + resyncPeriod: 5s + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +logStructured: false +logLevel: "INFO" + +# maxConcurrentReconciles controls the number of concurrent workers +# that can reconcile resources in Percona Server for MongoDB clusters in parallel. +maxConcurrentReconciles: "1" diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/_helpers.tpl new file mode 100644 index 00000000..189c2f91 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "nvsentinel.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nvsentinel.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nvsentinel.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "nvsentinel.labels" -}} +helm.sh/chart: {{ include "nvsentinel.chart" . }} +{{ include "nvsentinel.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nvsentinel.selectorLabels" -}} +app.kubernetes.io/name: {{ include "nvsentinel.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "nvsentinel.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "nvsentinel.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/certmanager.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/certmanager.yaml new file mode 100644 index 00000000..87a201c6 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/certmanager.yaml @@ -0,0 +1,126 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.mongodb.tls.enabled }} +{{- if .Values.usePerconaOperator }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: mongo-app-client-cert + namespace: {{ $.Release.Namespace }} +spec: + secretName: {{ include "nvsentinel.certificates.secretName" . }} + duration: 8760h + renewBefore: 360h + commonName: mongo-user-client + subject: + organizations: + - Nvidia + organizationalUnits: + - DGXC + localities: + - SantaClara + provinces: + - California + countries: + - US + issuerRef: + name: mongodb-psmdb-issuer + kind: Issuer + group: cert-manager.io +{{- else }} + +{{- $replicaCount := int .Values.mongodb.replicaCount }} +{{- range $i := until $replicaCount }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: mongo-server-cert-{{ $i }} + namespace: {{ $.Release.Namespace }} +spec: + secretName: mongo-server-cert-{{ $i }} + duration: 8760h # 1 year + renewBefore: 360h # 15 days before expiration + commonName: {{ printf "%s-mongo-%d" $.Release.Namespace $i }} + dnsNames: + - {{ printf "mongodb-%d.mongodb-headless.%s.svc.cluster.local" $i $.Release.Namespace }} + - {{ printf "mongodb-headless.%s.svc.cluster.local" $.Release.Namespace }} + issuerRef: + name: mongo-ca-issuer + kind: Issuer +--- +{{- end }} + +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: mongo-app-client-cert + namespace: {{ $.Release.Namespace }} +spec: + secretName: {{ include "nvsentinel.certificates.secretName" . }} + duration: 8760h + renewBefore: 360h + commonName: mongo-user-client + subject: + organizations: + - Nvidia + organizationalUnits: + - DGXC + localities: + - SantaClara + provinces: + - California + countries: + - US + issuerRef: + name: mongo-ca-issuer + kind: Issuer +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: mongo-ca-issuer + namespace: {{ $.Release.Namespace }} +spec: + ca: + secretName: mongo-root-ca-secret +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-ca-issuer + namespace: {{ $.Release.Namespace }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: mongo-root-ca + namespace: {{ $.Release.Namespace }} +spec: + isCA: true + commonName: mongo-root-ca + secretName: mongo-root-ca-secret + duration: 87600h # 10 years + renewBefore: 720h # 30 days before expiration + privateKey: + algorithm: RSA + size: 4096 + issuerRef: + name: selfsigned-ca-issuer + kind: Issuer +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/configmap.yaml new file mode 100644 index 00000000..dbb5bf84 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/configmap.yaml @@ -0,0 +1,51 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: mongodb-config +data: + # Datastore provider configuration for new abstraction layer + DATASTORE_PROVIDER: "mongodb" + # Legacy MongoDB configuration (maintained for backward compatibility) + # When TLS is disabled and SCRAM auth is needed, override MONGODB_URI in your + # Helm values to include credentials: mongodb://user:pass@host:port/?replicaSet=rs0 + # ConfigMaps cannot reference Secret values, so credentials must be provided + # via values override or a separate Secret-backed env var. +{{- if .Values.usePerconaOperator }} + {{- if .Values.mongodb.tls.enabled }} + MONGODB_URI: {{ printf "mongodb://mongodb-rs0.%s.svc.cluster.local:27017/?replicaSet=rs0&tls=true" .Release.Namespace }} + {{- else }} + MONGODB_URI: {{ printf "mongodb://mongodb-rs0.%s.svc.cluster.local:27017/?replicaSet=rs0" .Release.Namespace }} + {{- end }} +{{- else }} + {{- if .Values.mongodb.tls.enabled }} + MONGODB_URI: {{ printf "mongodb://mongodb-headless.%s.svc.cluster.local:27017/?replicaSet=rs0&tls=true" .Release.Namespace }} + {{- else }} + MONGODB_URI: {{ printf "mongodb://mongodb-headless.%s.svc.cluster.local:27017/?replicaSet=rs0" .Release.Namespace }} + {{- end }} +{{- end }} + MONGODB_DATABASE_NAME: "HealthEventsDatabase" + MONGODB_COLLECTION_NAME: "HealthEvents" + MONGODB_MAINTENANCE_EVENT_COLLECTION_NAME: "MaintenanceEvents" + MONGODB_TOKEN_COLLECTION_NAME: "ResumeTokens" + MONGODB_PING_TIMEOUT_TOTAL_SECONDS: "30" + MONGODB_PING_INTERVAL_SECONDS: "5" + CA_CERT_MOUNT_TIMEOUT_TOTAL_SECONDS: "360" + CA_CERT_READ_INTERVAL_SECONDS: "5" + MONGODB_CHANGE_STREAM_RETRY_DEADLINE_SECONDS: "300" + MONGODB_CHANGE_STREAM_RETRY_INTERVAL_SECONDS: "5" + UNPROCESSED_EVENTS_METRIC_UPDATE_INTERVAL_SECONDS: "25" + MONGODB_COLLECTION_EXPIRY_SECONDS: "2592000" diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/jobs.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/jobs.yaml new file mode 100644 index 00000000..bb20328e --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/jobs.yaml @@ -0,0 +1,424 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: mongodb-job-sa +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mongodb-job-role +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "create", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mongodb-job-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: mongodb-job-role +subjects: +- kind: ServiceAccount + name: mongodb-job-sa + namespace: {{ .Release.Namespace }} +--- +{{- $helperImages := .Values.mongodb.helperImages }} +{{- $rootUsername := "root" }} +{{- $issuerSecret := "mongo-root-ca-secret" }} +{{- $passwordSecretName := "mongodb" }} +{{- $passwordSecretKey := "mongodb-root-password" }} +{{- if .Values.usePerconaOperator }} + {{- $helperImages = .Values.psmdb.helperImages }} + {{- $rootUsername = "$MONGODB_ROOT_USER" }} + {{- $issuerSecret = "mongodb-ca-cert" }} + {{- $passwordSecretName = "internal-mongodb-users" }} + {{- $passwordSecretKey = "MONGODB_DATABASE_ADMIN_PASSWORD" }} +{{- end }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: create-mongodb-database + annotations: + argocd.argoproj.io/sync-options: Force=true,Replace=true +spec: + activeDeadlineSeconds: 600 + template: + spec: + serviceAccountName: mongodb-job-sa + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + initContainers: +{{- if .Values.usePerconaOperator }} + # Percona-specific init containers + # Create MongoDB keyfile and encryption key secrets if they don't exist + - name: create-mongodb-secrets + image: "{{ $helperImages.kubectl.repository }}:{{ $helperImages.kubectl.tag }}" + imagePullPolicy: {{ $helperImages.kubectl.pullPolicy }} + command: + - sh + - -c + - | + set -e + + NAMESPACE="{{ .Release.Namespace }}" + + echo "Initializing MongoDB secrets..." + + # Create MongoDB keyfile secret + SECRET_NAME="mongodb-keyfile" + if kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" >/dev/null 2>&1; then + echo "[INFO] Keyfile secret already exists. Reusing." + else + KEYFILE=$(head -c 768 /dev/urandom | base64 | tr -d '\n' | head -c 1024) + if [ -z "$KEYFILE" ]; then + echo "[ERROR] Failed to generate keyfile" + exit 1 + fi + + if kubectl create secret generic "$SECRET_NAME" \ + -n "$NAMESPACE" \ + --from-literal=mongodb-key="$KEYFILE" \ + --dry-run=client -o yaml | \ + sed '/^metadata:/a\ annotations:\n helm.sh/resource-policy: keep' | \ + kubectl apply -f -; then + echo "[SUCCESS] Keyfile secret created." + else + echo "[ERROR] Failed to create keyfile secret" + exit 1 + fi + fi + + # Create MongoDB encryption key secret + SECRET_NAME="mongodb-encryption-key" + if kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" >/dev/null 2>&1; then + echo "[INFO] Encryption key secret already exists. Reusing." + else + # Generate 32 bytes and base64 encode (MongoDB accepts base64-encoded 32-byte keys) + ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64 | tr -d '\n') + if [ -z "$ENCRYPTION_KEY" ]; then + echo "[ERROR] Failed to generate encryption key" + exit 1 + fi + + if kubectl create secret generic "$SECRET_NAME" \ + -n "$NAMESPACE" \ + --from-literal=encryption-key="$ENCRYPTION_KEY" \ + --dry-run=client -o yaml | \ + sed '/^metadata:/a\ annotations:\n helm.sh/resource-policy: keep' | \ + kubectl apply -f -; then + echo "[SUCCESS] Encryption key secret created." + else + echo "[ERROR] Failed to create encryption key secret" + exit 1 + fi + fi + + echo "MongoDB secrets initialization completed." + + # Check if client cert CA matches current issuer CA, delete secret if mismatched + - name: validate-client-cert-ca + image: "{{ $helperImages.kubectl.repository }}:{{ $helperImages.kubectl.tag }}" + imagePullPolicy: {{ $helperImages.kubectl.pullPolicy }} + command: + - sh + - -c + - | + set -e + + NAMESPACE="{{ .Release.Namespace }}" + CLIENT_CERT_SECRET="{{ include "nvsentinel.certificates.secretName" . }}" + ISSUER_SECRET="{{ $issuerSecret }}" + + echo "Validating client certificate CA..." + + if ! kubectl get secret "$CLIENT_CERT_SECRET" -n "$NAMESPACE" >/dev/null 2>&1; then + echo "[INFO] Client cert secret does not exist yet. Skipping validation." + exit 0 + fi + + WAIT_COUNT=0 + MAX_WAIT=60 # Wait up to 5 minutes + while ! kubectl get secret "$ISSUER_SECRET" -n "$NAMESPACE" >/dev/null 2>&1; do + WAIT_COUNT=$((WAIT_COUNT + 1)) + if [ $WAIT_COUNT -ge $MAX_WAIT ]; then + echo "[ERROR] Timeout waiting for issuer CA secret '$ISSUER_SECRET'" + exit 1 + fi + [ $((WAIT_COUNT % 12)) -eq 0 ] && echo "[INFO] Waiting for issuer CA secret..." + sleep 5 + done + + # Extract and compare CAs + CLIENT_CA=$(kubectl get secret "$CLIENT_CERT_SECRET" -n "$NAMESPACE" -o jsonpath='{.data.ca\.crt}' | base64 -d | head -n 20) + ISSUER_CA=$(kubectl get secret "$ISSUER_SECRET" -n "$NAMESPACE" -o jsonpath='{.data.tls\.crt}' | base64 -d | head -n 20) + + if [ -z "$CLIENT_CA" ] || [ -z "$ISSUER_CA" ]; then + echo "[ERROR] Failed to extract CA certificates" + exit 1 + fi + + if [ "$CLIENT_CA" = "$ISSUER_CA" ]; then + echo "[INFO] Client cert CA matches issuer CA. No action needed." + else + echo "[WARN] Client cert CA mismatch detected!" + echo "[INFO] Deleting old client cert secret..." + + if kubectl delete secret "$CLIENT_CERT_SECRET" -n "$NAMESPACE" --ignore-not-found=true; then + echo "[SUCCESS] Secret deleted. Cert-manager will reissue with current CA." + else + echo "[ERROR] Failed to delete secret" + exit 1 + fi + fi + + echo "Client cert CA validation completed." + + - name: wait-for-mongodb-users + image: "{{ $helperImages.kubectl.repository }}:{{ $helperImages.kubectl.tag }}" + imagePullPolicy: {{ $helperImages.kubectl.pullPolicy }} + command: + - sh + - -c + - | + echo "Waiting for MongoDB operator-generated users secret..." + while ! kubectl get secret internal-mongodb-users -n {{ .Release.Namespace }} >/dev/null 2>&1; do + echo "Secret internal-mongodb-users not found yet, waiting..." + sleep 5 + done + echo "MongoDB users secret is available, proceeding..." +{{- else }} + - name: wait-for-mongodb-secret + image: "{{ $helperImages.kubectl.repository }}:{{ $helperImages.kubectl.tag }}" + imagePullPolicy: {{ $helperImages.kubectl.pullPolicy }} + command: + - sh + - -c + - | + echo "Waiting for MongoDB secret to be available..." + while ! kubectl get secret mongodb -n {{ .Release.Namespace }} >/dev/null 2>&1; do + echo "Secret mongodb not found yet, waiting..." + sleep 5 + done + echo "Secret mongodb is available, proceeding..." +{{- end }} + containers: + - name: mongo-client + image: "{{ $helperImages.mongosh.repository }}:{{ $helperImages.mongosh.tag }}" + imagePullPolicy: {{ $helperImages.mongosh.pullPolicy }} + command: + - sh + - -c + - | + set -e + + echo "==============================" + echo "Starting mongodb client job..." + echo "==============================" + + echo "MONGODB_URI: $MONGODB_URI" + echo "MONGODB_APPLICATION_USER_DN: $MONGODB_APPLICATION_USER_DN" + echo "MONGODB_DATABASE_NAME: $MONGODB_DATABASE_NAME" + echo "MONGODB_COLLECTION_NAME: $MONGODB_COLLECTION_NAME" + echo "MONGODB_TOKEN_COLLECTION_NAME: $MONGODB_TOKEN_COLLECTION_NAME" + + {{- if .Values.mongodb.tls.enabled }} + cat /certs/tls.crt /certs/tls.key > /tmp/tls.pem + {{- end }} + + echo "==============================" + echo "Connecting to mongodb..." + echo "==============================" + + until mongosh "$MONGODB_URI" \ + {{- if .Values.mongodb.auth.enabled }} + --authenticationMechanism SCRAM-SHA-256 \ + --username {{ $rootUsername }} --password "$MONGODB_ROOT_PASSWORD" --authenticationDatabase admin \ + {{- end }} + {{- if .Values.mongodb.tls.enabled }} + --tls \ + --tlsCAFile /certs/ca.crt \ + --tlsCertificateKeyFile /tmp/tls.pem \ + {{- end }} + --eval " + db = db.getSiblingDB('$MONGODB_DATABASE_NAME'); + + // Create collections if they don't exist + if (!db.getCollectionNames().includes('$MONGODB_COLLECTION_NAME')) { + db.createCollection('$MONGODB_COLLECTION_NAME'); + print('Created collection: $MONGODB_COLLECTION_NAME'); + } else { + print('Collection already exists: $MONGODB_COLLECTION_NAME'); + } + + if (!db.getCollectionNames().includes('$MONGODB_TOKEN_COLLECTION_NAME')) { + db.createCollection('$MONGODB_TOKEN_COLLECTION_NAME'); + print('Created collection: $MONGODB_TOKEN_COLLECTION_NAME'); + } else { + print('Collection already exists: $MONGODB_TOKEN_COLLECTION_NAME'); + } + + if (!db.getCollectionNames().includes('$MONGODB_MAINTENANCE_EVENT_COLLECTION_NAME')) { + db.createCollection('$MONGODB_MAINTENANCE_EVENT_COLLECTION_NAME'); + print('Created collection: $MONGODB_MAINTENANCE_EVENT_COLLECTION_NAME'); + } else { + print('Collection already exists: $MONGODB_MAINTENANCE_EVENT_COLLECTION_NAME'); + } + + // Create indexes (MongoDB handles duplicates gracefully) + db.$MONGODB_COLLECTION_NAME.createIndex( + { 'createdAt': 1 }, + { expireAfterSeconds: $MONGODB_COLLECTION_EXPIRY_SECONDS } + ); + db.$MONGODB_MAINTENANCE_EVENT_COLLECTION_NAME.createIndex( + { 'actualEndTime': 1 }, + { expireAfterSeconds: $MONGODB_COLLECTION_EXPIRY_SECONDS } + ); + db.$MONGODB_MAINTENANCE_EVENT_COLLECTION_NAME.createIndex( + { 'scheduledStartTime': 1 }, + ); + db.$MONGODB_MAINTENANCE_EVENT_COLLECTION_NAME.createIndex( + { 'cspStatus': 1 }, + ); + db.$MONGODB_COLLECTION_NAME.createIndex({ + 'healthevent.nodename': 1, + 'healthevent.entitiesimpacted.entitytype': 1, + 'healthevent.entitiesimpacted.entityvalue': 1, + 'healthevent.generatedtimestamp.seconds': 1 + }); + {{- if .Values.mongodb.tls.enabled }} + // Create X.509 users (TLS only) + var userExists = db.getSiblingDB('\$external').getUser('$MONGODB_APPLICATION_USER_DN'); + if (userExists) { + print('User already exists, skipping creation.'); + } else { + print('Creating new X.509 user...'); + db.getSiblingDB('\$external').runCommand({ + createUser: '$MONGODB_APPLICATION_USER_DN', + roles: [{ role: 'readWrite', db: '$MONGODB_DATABASE_NAME' }] + }); + print('X.509 user created successfully.'); + } + var dgxcopsUserExists = db.getSiblingDB('\$external').getUser('$MONGODB_DGXCOPS_USER_DN'); + if (dgxcopsUserExists) { + print('Dgxcops user already exists, skipping creation.'); + } else { + print('Creating new dgxcops X.509 user...'); + db.getSiblingDB('\$external').runCommand({ + createUser: '$MONGODB_DGXCOPS_USER_DN', + roles: [{ role: 'read', db: '$MONGODB_DATABASE_NAME' }] + }); + print('Dgxcops X.509 user created successfully.'); + } + {{- else }} + // Create SCRAM application user (non-TLS mode) + var scramUser = db.getUser('$MONGODB_SCRAM_APP_USERNAME'); + if (scramUser) { + print('SCRAM application user already exists, updating password...'); + db.changeUserPassword('$MONGODB_SCRAM_APP_USERNAME', '$MONGODB_SCRAM_APP_PASSWORD'); + print('SCRAM application user password updated.'); + } else { + print('Creating SCRAM application user...'); + db.createUser({ + user: '$MONGODB_SCRAM_APP_USERNAME', + pwd: '$MONGODB_SCRAM_APP_PASSWORD', + roles: [{ role: 'readWrite', db: '$MONGODB_DATABASE_NAME' }] + }); + print('SCRAM application user created successfully.'); + } + {{- end }}" + do + echo "Waiting for mongodb to be ready..."; + sleep 5; + done + + echo "==============================" + echo "mongodb user creation completed." + echo "==============================" + env: +{{- if .Values.usePerconaOperator }} + - name: MONGODB_CLUSTER_MONITOR_USER + valueFrom: + secretKeyRef: + name: internal-mongodb-users + key: MONGODB_CLUSTER_MONITOR_USER + - name: MONGODB_ROOT_USER + valueFrom: + secretKeyRef: + name: internal-mongodb-users + key: MONGODB_DATABASE_ADMIN_USER +{{- end }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $passwordSecretName }} + key: {{ $passwordSecretKey }} + - name: MONGODB_APPLICATION_USER_DN + value: "CN=mongo-user-client,OU=DGXC,O=Nvidia,L=SantaClara,ST=California,C=US" + - name: MONGODB_DGXCOPS_USER_DN + value: "CN=mongo-dgxcops-client,OU=DGXC,O=Nvidia,L=SantaClara,ST=California,C=US" + {{- if not .Values.mongodb.tls.enabled }} + - name: MONGODB_SCRAM_APP_USERNAME + value: {{ .Values.scramAppUser.username | default "nvsentinel" | quote }} + - name: MONGODB_SCRAM_APP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.scramAppUser.existingSecret | default $passwordSecretName }} + key: {{ .Values.scramAppUser.passwordKey | default "mongodb-app-password" }} + optional: true + {{- end }} + envFrom: + - configMapRef: + name: mongodb-config + {{- if .Values.mongodb.tls.enabled }} + volumeMounts: + - name: mongo-certificates + mountPath: /certs + readOnly: true + {{- end }} + {{- if .Values.mongodb.tls.enabled }} + volumes: + - name: mongo-certificates + secret: + secretName: {{ include "nvsentinel.certificates.secretName" . }} + {{- include "nvsentinel.certificates.volumeItems" . | nindent 12 }} + {{- end }} + # Job scheduling configuration with backward-compatible fallback + # Prefers: job.nodeSelector -> Falls back to: mongodb.nodeSelector + {{- $jobNodeSelector := .Values.mongodb.nodeSelector }} + {{- if .Values.job }} + {{- $jobNodeSelector = .Values.job.nodeSelector | default .Values.mongodb.nodeSelector }} + {{- end }} + {{- with $jobNodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + # Prefers: job.tolerations -> Falls back to: mongodb.jobTolerations + {{- $jobTolerations := .Values.mongodb.jobTolerations }} + {{- if .Values.job }} + {{- $jobTolerations = .Values.job.tolerations | default .Values.mongodb.jobTolerations }} + {{- end }} + {{- with $jobTolerations }} + tolerations: + {{- toYaml . | nindent 8 }} +{{- end }} + restartPolicy: OnFailure diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/metrics-service.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/metrics-service.yaml new file mode 100644 index 00000000..2de10926 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/metrics-service.yaml @@ -0,0 +1,21 @@ +{{- if .Values.usePerconaOperator }} +apiVersion: v1 +kind: Service +metadata: + name: mongodb-metrics + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: percona-server-mongodb + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9216" + prometheus.io/path: "/metrics" +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: percona-server-mongodb + ports: + - name: metrics + port: 9216 + targetPort: metrics +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/networkpolicy.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/networkpolicy.yaml new file mode 100644 index 00000000..f570e6a6 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/networkpolicy.yaml @@ -0,0 +1,43 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: mongodb-networkpolicy +spec: + podSelector: +{{- if .Values.usePerconaOperator }} + matchLabels: + app.kubernetes.io/name: percona-server-mongodb +{{- else }} + matchLabels: + app.kubernetes.io/component: mongodb + app.kubernetes.io/instance: {{ .Release.Namespace }} + app.kubernetes.io/name: mongodb +{{- end }} + policyTypes: + - Ingress + ingress: + - ports: + - port: 27017 + protocol: TCP +{{- if .Values.usePerconaOperator }} + - port: 9216 + protocol: TCP +{{- end }} + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .Release.Namespace }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/pv.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/pv.yaml new file mode 100644 index 00000000..2f837abe --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/pv.yaml @@ -0,0 +1,62 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ if (eq .Values.mode "manual") }} +{{- if .Values.usePerconaOperator }} +{{- /* Percona PVs - one per replica */ -}} +{{- $replicaCount := index .Values "psmdb-db" "replsets" "rs0" "size" | default 3 | int }} +{{- range $i := until $replicaCount }} +--- +# PV for Percona MongoDB replica {{ $i }} +apiVersion: v1 +kind: PersistentVolume +metadata: + name: mongodb-rs0-pv-{{ $i }} + labels: + type: local +spec: + capacity: + storage: "8Gi" + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + storageClassName: manual-mongodb + hostPath: + path: /data/mongodb-rs0-{{ $i }} + type: DirectoryOrCreate +{{- end }} +{{- else }} +{{- range $i := until (.Values.mongodb.replicaCount | default 3 | int) }} +--- +# PV for Bitnami MongoDB replica {{ $i }} +apiVersion: v1 +kind: PersistentVolume +metadata: + name: mongodb-pv-{{ $i }} + labels: + type: local +spec: + capacity: + storage: "8Gi" + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + storageClassName: manual-mongodb + hostPath: + path: /data/mongodb-{{ $i }} + type: DirectoryOrCreate +{{- end }} +{{- end }} +{{ end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/role.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/role.yaml new file mode 100644 index 00000000..0268734c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/role.yaml @@ -0,0 +1,29 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if not .Values.usePerconaOperator }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: "{{ .Release.Namespace }}-mongodb-role" + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "list", "get", "patch", "update"] +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/rolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/rolebinding.yaml new file mode 100644 index 00000000..c2eba928 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/templates/rolebinding.yaml @@ -0,0 +1,30 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if not .Values.usePerconaOperator }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "{{ .Release.Namespace }}-mongodb-rolebinding" + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: "{{ .Values.mongodb.serviceAccount.name }}" + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: "{{ .Release.Namespace }}-mongodb-role" + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/values.yaml new file mode 100644 index 00000000..096926cf --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/mongodb-store/values.yaml @@ -0,0 +1,367 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Feature flags to switch between Bitnami MongoDB and Percona MongoDB Operator +# Due to Helm limitations, both flags must be explicitly set when switching modes +# +# Default (Bitnami MongoDB - backward compatible): +# global.mongodbStore.enabled: true +# mongodb-store.useBitnami: true # Default +# mongodb-store.usePerconaOperator: false # Default +# +# Percona MongoDB Operator: +# global.mongodbStore.enabled: true +# mongodb-store.useBitnami: false # Must explicitly disable +# mongodb-store.usePerconaOperator: true # Must explicitly enable +# +# IMPORTANT: These flags control which chart dependencies are loaded. +# Both must be set correctly to avoid loading unnecessary charts. + +useBitnami: true +usePerconaOperator: false + +# SCRAM application user (created when mongodb.tls.enabled is false). +# Instead of X.509 cert-based users, the Job creates a SCRAM-SHA-256 user +# with readWrite access to the NVSentinel database. +# NOTE: This only provisions the user in MongoDB. To use it, configure +# MONGODB_URI with the SCRAM credentials (e.g. mongodb://nvsentinel:pass@host/db). +scramAppUser: + username: nvsentinel + # Secret and key containing the application user password. + # Defaults to the MongoDB root password for out-of-the-box functionality. + # For production, set a dedicated secret with a separate password. + existingSecret: "" + passwordKey: "mongodb-root-password" + +# Common Job configuration (applies to both Bitnami and Percona) +# If not set, falls back to mongodb.jobTolerations and mongodb.nodeSelector for backward compatibility +job: + nodeSelector: {} + tolerations: [] + +# ============================================================================= +# Bitnami MongoDB Configuration (used when usePerconaOperator=false) +# ============================================================================= +mongodb: + # Helper images for MongoDB operations + helperImages: + # kubectl image for Kubernetes operations in init containers + kubectl: + repository: docker.io/bitnamilegacy/kubectl + tag: "1.30.6" + pullPolicy: IfNotPresent + # mongosh image for MongoDB shell operations + mongosh: + repository: ghcr.io/rtsp/docker-mongosh + tag: "2.5.2" + pullPolicy: IfNotPresent + + global: + imagePullSecrets: [] + image: + registry: docker.io + repository: bitnamilegacy/mongodb + tag: 8.0.3-debian-12-r0 + pullPolicy: IfNotPresent + + commonAnnotations: + dgxc.nvidia.com/resource-category: management + + architecture: replicaset + replicaCount: 3 + + readinessProbe: + timeoutSeconds: 10 + initialDelaySeconds: 60 + + replicaSetName: rs0 + + resources: + requests: + cpu: 1 + memory: 1.5Gi + limits: + cpu: 1.5 + memory: 2Gi + + serviceAccount: + name: "mongodb-sa" + + networkPolicy: + enabled: false + + persistentVolumeClaimRetentionPolicy: + enabled: true + whenDeleted: Retain + whenScaled: Retain + + persistence: + resourcePolicy: "keep" + + automountServiceAccountToken: true + + pdb: + minAvailable: 2 # At least 2 replicas must be available (ensures quorum) + + initContainers: + - name: create-mongodb-credentials + image: "{{ .Values.helperImages.kubectl.repository }}:{{ .Values.helperImages.kubectl.tag }}" + imagePullPolicy: "{{ .Values.helperImages.kubectl.pullPolicy }}" + command: + - sh + - -c + - | + set -e + + # Check if MongoDB credentials secret exists + secret=$(kubectl get secret mongodb -n {{ .Release.Namespace }} --ignore-not-found) + if [ -z "$secret" ]; then + echo "Secret mongodb does not exist, creating it with random values..." + + # Generate random passwords (32 chars, alphanumeric) + ROOT_PASSWORD=$(head -c 24 /dev/urandom | base64 | tr -d '+/=' | cut -c1-32) + REPLICA_SET_KEY=$(head -c 24 /dev/urandom | base64 | tr -d '+/=' | cut -c1-32) + + # Create the secret with annotation in a single command + kubectl create secret generic mongodb \ + -n {{ .Release.Namespace }} \ + --from-literal=mongodb-root-password="$ROOT_PASSWORD" \ + --from-literal=mongodb-replica-set-key="$REPLICA_SET_KEY" \ + --from-literal=mongodb-passwords="" \ + --from-literal=mongodb-metrics-password="" \ + --dry-run=client -o yaml | \ + sed '/^metadata:/a\ annotations:\n helm.sh/resource-policy: keep' | \ + kubectl apply -f - + + echo "Secret mongodb created with random credentials." + echo "NOTE: These credentials will be preserved for data retention." + else + echo "Secret mongodb already exists, will reuse existing credentials..." + echo "This ensures data retention across reinstalls." + fi + + echo "MongoDB credentials initialization completed." + echo "==============================" + + - name: create-certmanager-resources + image: "{{ .Values.helperImages.kubectl.repository }}:{{ .Values.helperImages.kubectl.tag }}" + imagePullPolicy: "{{ .Values.helperImages.kubectl.pullPolicy }}" + command: + - sh + - -c + - | + set -e + {{- if not .Values.tls.enabled }} + echo "TLS is disabled, skipping cert-manager resource creation." + exit 0 + {{- end }} + secret=$(kubectl get secret mongo-ca-secret -n {{ .Release.Namespace }} --ignore-not-found) + if [ -z "$secret" ]; then + echo "Secret mongo-ca-secret does not exist, creating it..." + SKIP_SECRET_CREATION=false + else + echo "Secret mongo-ca-secret already exists, skipping creation..." + SKIP_SECRET_CREATION=true + fi + + if [ "$SKIP_SECRET_CREATION" = "false" ]; then + echo "Waiting for CA certificate to be ready..." + kubectl wait --for=condition=Ready certificate/mongo-root-ca -n {{ .Release.Namespace }} --timeout=300s + + echo "Extracting CA certificate and key..." + kubectl get secret mongo-root-ca-secret -n {{ .Release.Namespace }} \ + -o jsonpath="{.data.tls\.crt}" | base64 -d > /tmp/mongodb-ca-cert + kubectl get secret mongo-root-ca-secret -n {{ .Release.Namespace }} \ + -o jsonpath="{.data.tls\.key}" | base64 -d > /tmp/mongodb-ca-key + + echo "Creating mongo-ca-secret..." + kubectl create secret generic mongo-ca-secret -n {{ .Release.Namespace }} \ + --from-file=mongodb-ca-cert=/tmp/mongodb-ca-cert \ + --from-file=mongodb-ca-key=/tmp/mongodb-ca-key \ + --dry-run=client -o yaml | kubectl apply -f - + echo "Secret mongo-ca-secret created." + fi + + echo "Waiting for mongo client cert to be ready..." + kubectl wait --for=condition=Ready certificate/mongo-app-client-cert -n {{ .Release.Namespace }} --timeout=300s + + echo "==============================" + echo "cert-manager resources creation completed." + echo "==============================" + + auth: + enabled: true + rootUser: root + # The initContainer will create this secret if it doesn't exist with + # random credentials, or reuse it if it exists (for data retention) + existingSecret: "mongodb" + + tls: + enabled: true + mTLS: + enabled: true + mode: requireTLS + autoGenerated: false + existingSecret: "mongo-ca-secret" + replicaset: + existingSecrets: + - "mongo-server-cert-0" + - "mongo-server-cert-1" + - "mongo-server-cert-2" + + image: + registry: docker.io + repository: bitnamilegacy/nginx + tag: 1.27.2-debian-12-r2 + pullPolicy: IfNotPresent + + replicaSetHostnames: true + + extraFlags: + - "--setParameter" + - "authenticationMechanisms=MONGODB-X509,SCRAM-SHA-256" + + tolerations: [] + + nodeSelector: {} + + jobTolerations: [] + + arbiter: + enabled: false + + metrics: + enabled: true + image: + registry: docker.io + repository: bitnamilegacy/mongodb-exporter + tag: 0.41.2-debian-12-r1 + pullSecrets: [] + command: + - /bin/bash + - -ec + args: + - | + export HOSTNAME=$(hostname) + {{- if .Values.tls.enabled }} + /bin/mongodb_exporter --collector.diagnosticdata --collector.replicasetstatus --compatible-mode --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":9216" --mongodb.uri "mongodb://$MONGODB_ROOT_USER:$(echo $MONGODB_ROOT_PASSWORD | sed -r "s/@/%40/g;s/:/%3A/g")@${HOSTNAME}.mongodb-headless.nvsentinel.svc.cluster.local:27017/admin?tls=true&tlsCertificateKeyFile=/certs/mongodb.pem&tlsCAFile=/certs/mongodb-ca-cert&authMechanism=SCRAM-SHA-256&connectTimeoutMS=30000&serverSelectionTimeoutMS=30000" + {{- else }} + /bin/mongodb_exporter --collector.diagnosticdata --collector.replicasetstatus --compatible-mode --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":9216" --mongodb.uri "mongodb://$MONGODB_ROOT_USER:$(echo $MONGODB_ROOT_PASSWORD | sed -r "s/@/%40/g;s/:/%3A/g")@${HOSTNAME}.mongodb-headless.nvsentinel.svc.cluster.local:27017/admin?authMechanism=SCRAM-SHA-256&connectTimeoutMS=30000&serverSelectionTimeoutMS=30000" + {{- end }} + +# ============================================================================= +# Percona MongoDB Operator Configuration (used when usePerconaOperator=true) +# ============================================================================= +psmdb-operator: + nodeSelector: {} + tolerations: [] + +psmdb-db: + nameOverride: mongodb + fullnameOverride: mongodb + replsets: + rs0: + name: rs0 + size: 3 + configuration: | + setParameter: + authenticationMechanisms: "MONGODB-X509,SCRAM-SHA-256,SCRAM-SHA-1" + replsetOverrides: + mongodb-rs0-0: + priority: 3 # Preferred primary + mongodb-rs0-1: + priority: 1 + mongodb-rs0-2: + priority: 1 + resources: + requests: + cpu: "1" + memory: "1.5Gi" + limits: + cpu: "1.5" + memory: "2Gi" + volumeSpec: + pvc: + resources: + requests: + storage: "8Gi" + nodeSelector: {} + tolerations: [] + podDisruptionBudget: + maxUnavailable: 1 + sidecars: + - name: mongodb-exporter + image: percona/mongodb_exporter:0.40.0 + imagePullPolicy: IfNotPresent + args: + - --discovering-mode + - --compatible-mode + - --collect-all + - --web.listen-address=:9216 + - --mongodb.direct-connect + - --collector.replicasetstatus + - --collector.dbstats + - --collector.dbstatsfreestorage + - --collector.collstats + - --collector.topmetrics + - --collector.indexstats + env: + - name: MONGODB_USER + valueFrom: + secretKeyRef: + name: internal-mongodb-users + key: MONGODB_CLUSTER_MONITOR_USER + - name: MONGODB_PASSWORD + valueFrom: + secretKeyRef: + name: internal-mongodb-users + key: MONGODB_CLUSTER_MONITOR_PASSWORD + - name: MONGODB_URI + value: "mongodb://localhost:27017/admin?directConnection=true&tls=true&tlsInsecure=true&authMechanism=SCRAM-SHA-256" + ports: + - name: metrics + containerPort: 9216 + protocol: TCP + + sharding: + enabled: false + + logcollector: + enabled: false + + tls: + mode: requireTLS + + secrets: + keyFile: mongodb-keyfile + encryptionKey: mongodb-encryption-key + + backup: + enabled: false + storages: {} + tasks: [] + volumeMounts: [] + + finalizers: [] + +psmdb: + helperImages: + kubectl: + repository: docker.io/lachlanevenson/k8s-kubectl + tag: "v1.25.4" + pullPolicy: IfNotPresent + mongosh: + repository: ghcr.io/rtsp/docker-mongosh + tag: "2.5.2" + pullPolicy: IfNotPresent diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/Chart.yaml new file mode 100644 index 00000000..2340268c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: A Helm chart for Kubernetes +name: node-drainer +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/_helpers.tpl new file mode 100644 index 00000000..7032c4a5 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "node-drainer.name" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "node-drainer.fullname" -}} +{{- "node-drainer" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "node-drainer.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "node-drainer.labels" -}} +helm.sh/chart: {{ include "node-drainer.chart" . }} +{{ include "node-drainer.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "node-drainer.selectorLabels" -}} +app.kubernetes.io/name: {{ include "node-drainer.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/clusterrole.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/clusterrole.yaml new file mode 100644 index 00000000..cc2d887b --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/clusterrole.yaml @@ -0,0 +1,74 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "node-drainer.fullname" . }} + labels: + {{- include "node-drainer.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - delete + - watch +- apiGroups: + - "" + resources: + - pods/eviction + verbs: + - create +- apiGroups: + - "" + resources: + - namespaces + verbs: + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - list + - create + - update + - watch +{{- if .Values.customDrain.enabled }} +- apiGroups: + - {{ .Values.customDrain.apiGroup | quote }} + resources: + - {{ .Values.customDrain.resource | quote }} + - {{ printf "%s/status" .Values.customDrain.resource | quote }} + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/clusterrolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..9196a80f --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/clusterrolebinding.yaml @@ -0,0 +1,27 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "node-drainer.fullname" . }} + labels: + {{- include "node-drainer.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "node-drainer.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "node-drainer.fullname" . }} + namespace: {{ .Release.Namespace }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/configmap.yaml new file mode 100644 index 00000000..447699f8 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/configmap.yaml @@ -0,0 +1,48 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "node-drainer.fullname" . }} + labels: + {{- include "node-drainer.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + config.toml: | + evictionTimeoutInSeconds = {{ .Values.evictionTimeoutInSeconds | quote }} + systemNamespaces = {{ .Values.systemNamespaces | quote }} + deleteAfterTimeoutMinutes = {{ .Values.deleteAfterTimeoutMinutes }} + notReadyTimeoutMinutes = {{ .Values.notReadyTimeoutMinutes }} + partialDrainEnabled = {{ .Values.partialDrainEnabled }} + + {{- range .Values.userNamespaces }} + [[userNamespaces]] + name = {{ .name | quote }} + mode = {{ .mode | quote }} + {{- end }} + + {{- if .Values.customDrain.enabled }} + [customDrain] + enabled = true + templateMountPath = {{ .Values.customDrain.templateMountPath | quote }} + templateFileName = {{ .Values.customDrain.templateFileName | quote }} + namespace = {{ .Values.customDrain.namespace | quote }} + apiGroup = {{ .Values.customDrain.apiGroup | quote }} + version = {{ .Values.customDrain.version | quote }} + kind = {{ .Values.customDrain.kind | quote }} + statusConditionType = {{ .Values.customDrain.statusConditionType | quote }} + statusConditionStatus = {{ .Values.customDrain.statusConditionStatus | quote }} + timeout = {{ .Values.customDrain.timeout | quote }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/deployment.yaml new file mode 100644 index 00000000..9abf4887 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/deployment.yaml @@ -0,0 +1,211 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "node-drainer.fullname" . }} + labels: + {{- include "node-drainer.labels" . | nindent 4}} + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "node-drainer.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + # Force pod restart when configmap changes + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "node-drainer.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "node-drainer.fullname" . }} + {{- if .Values.global.auditLogging.enabled }} + securityContext: + fsGroup: 65532 + {{- end }} + {{- if or .Values.global.auditLogging.enabled (and .Values.clientCertMountPath .Values.global.datastore (eq .Values.global.datastore.provider "postgresql")) }} + initContainers: + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.initContainer" . | nindent 8 }} + {{- end }} + {{- if and .Values.clientCertMountPath .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: fix-cert-permissions + image: "{{ .Values.global.initContainerImage.repository }}:{{ .Values.global.initContainerImage.tag }}" + imagePullPolicy: {{ .Values.global.initContainerImage.pullPolicy }} + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + command: + - sh + - -c + - | + echo "Copying PostgreSQL client certificates with correct permissions..." + cp /etc/ssl/client-certs-original/tls.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/ca.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/tls.key /etc/ssl/client-certs-fixed/ + chmod 644 /etc/ssl/client-certs-fixed/tls.crt + chmod 644 /etc/ssl/client-certs-fixed/ca.crt + chmod 600 /etc/ssl/client-certs-fixed/tls.key + echo "Certificate permissions fixed:" + ls -la /etc/ssl/client-certs-fixed/ + volumeMounts: + - name: postgresql-client-cert-original + mountPath: /etc/ssl/client-certs-original + readOnly: true + - name: client-certs-fixed + mountPath: /etc/ssl/client-certs-fixed + {{- end }} + {{- end }} + containers: + - name: node-drainer + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + ports: + - name: metrics + containerPort: {{ .Values.global.metricsPort }} + livenessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: metrics + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + args: + - "--metrics-port={{ .Values.global.metricsPort }}" + - "--config-path=/etc/config/config.toml" + - "--dry-run={{ .Values.global.dryRun }}" + {{- if .Values.clientCertMountPath }} + - "--database-client-cert-mount-path={{ .Values.clientCertMountPath }}" + {{- else }} + - "--tls-enabled=false" + {{- end }} + volumeMounts: + - name: config-volume + mountPath: /etc/config/config.toml + subPath: config.toml + {{- if .Values.clientCertMountPath }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: client-certs-fixed + mountPath: {{ .Values.clientCertMountPath }} + readOnly: true + {{- else }} + - name: mongo-app-client-cert + mountPath: {{ .Values.clientCertMountPath }} + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.customDrain.enabled }} + - name: drain-template + mountPath: {{ .Values.customDrain.templateMountPath }} + readOnly: true + {{- end }} + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.volumeMount" . | nindent 10 }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: LOG_LEVEL + value: "{{ .Values.logLevel }}" + # App name for connection identification in logs and currentOp + - name: APP_NAME + value: {{ .Chart.Name | quote }} + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.envVars" . | nindent 12 }} + {{- end }} + {{- if .Values.clientCertMountPath }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: POSTGRESQL_CLIENT_CERT_MOUNT_PATH + value: {{ .Values.clientCertMountPath }} + {{- else }} + - name: MONGODB_CLIENT_CERT_MOUNT_PATH + value: {{ .Values.clientCertMountPath }} + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ if .Values.global.datastore }}{{ .Release.Name }}-datastore-config{{ else }}mongodb-config{{ end }} + optional: true + volumes: + - name: config-volume + configMap: + name: {{ include "node-drainer.fullname" . }} + items: + - key: config.toml + path: config.toml + {{- if .Values.clientCertMountPath }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: postgresql-client-cert-original + secret: + secretName: postgresql-client-cert + optional: false + - name: client-certs-fixed + emptyDir: {} + {{- else }} + - name: mongo-app-client-cert + secret: + secretName: {{ include "nvsentinel.certificates.secretName" . }} + {{- include "nvsentinel.certificates.volumeItems" . | nindent 10 }} + optional: true + {{- end }} + {{- end }} + {{- if .Values.customDrain.enabled }} + - name: drain-template + configMap: + name: {{ .Values.customDrain.templateConfigMapName | default "drain-template" }} + {{- end }} + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.volume" . | nindent 6 }} + {{- end }} + restartPolicy: Always + {{- with (.Values.global.systemNodeSelector | default .Values.nodeSelector) }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.affinity | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (.Values.global.systemNodeTolerations | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/serviceaccount.yaml new file mode 100644 index 00000000..3a336704 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/templates/serviceaccount.yaml @@ -0,0 +1,19 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "node-drainer.fullname" . }} + labels: + {{- include "node-drainer.labels" . | nindent 4 }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/values.yaml new file mode 100644 index 00000000..7217e562 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/node-drainer/values.yaml @@ -0,0 +1,122 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +replicaCount: 1 + +logLevel: info + +# Client certificate mount path for database connections +clientCertMountPath: /etc/ssl/client-certs + +image: + repository: ghcr.io/nvidia/nvsentinel/node-drainer + pullPolicy: IfNotPresent + tag: "" + +podAnnotations: {} + +resources: + limits: + cpu: "200m" + memory: "300Mi" + requests: + cpu: "200m" + memory: "300Mi" + +# Eviction timeout in seconds for pod eviction operations +# Maximum time to wait for a pod to gracefully terminate before force deletion +# Must be a positive integer, converted to time.Duration in the code +evictionTimeoutInSeconds: "60" + +# Regular expression pattern matching system namespaces +# Pods in these namespaces are skipped during the drain process +systemNamespaces: "^(nvsentinel|kube-system|gpu-operator|gmp-system|network-operator|skyhook)$" + +# Time in minutes after which pods in DeleteAfterTimeout mode will be force deleted +# This timeout is calculated from the health event's createdAt timestamp +# When the timeout is reached, remaining pods are force deleted regardless of their state +# Default: 60 minutes if not specified (validated in config.go) +deleteAfterTimeoutMinutes: 60 + +# Time in minutes after which a pod in NotReady state is considered stuck +# Used to detect pods that are unhealthy and unlikely to complete gracefully +# Stuck pods may be force deleted to unblock the node drain process +# Default: 5 minutes if not specified (validated in config.go) +notReadyTimeoutMinutes: 5 + +# User namespace configuration with eviction modes +# Defines how pods in different namespaces should be evicted during node drain +# Each entry specifies a namespace pattern and its corresponding eviction mode +userNamespaces: + # Namespace name or pattern (* matches all user namespaces) + - name: "*" + # Eviction mode determines how pods are evicted: + # - "Immediate": Pod is evicted immediately without waiting for graceful termination + # - "AllowCompletion": Wait for pod to complete gracefully (respects terminationGracePeriodSeconds) + # - "DeleteAfterTimeout": Wait for deleteAfterTimeoutMinutes, then force delete if still running + mode: "AllowCompletion" + +# If enabled, the node-drainer will only drain pods which are leveraging the GPU_UUID impacted entity in +# COMPONENT_RESET HealthEvents. If disabled, the node-drainer will drain all eligible pods +# on the impacted node for the configured namespaces regardless of the remediation action. +# HealthEvents with the COMPONENT_RESET remediation action must include an impacted entity for the +# unhealthy GPU_UUID or else the drain will fail. IMPORTANT: If this setting is enabled, the COMPONENT_RESET +# action in fault-remediation must map to a custom resource which takes action only against the GPU_UUID. +# If partial drain was enabled in node-drainer but fault-remediation mapped COMPONENT_RESET to a reboot +# action, pods which weren't drained would be restarted as part of the reboot. +partialDrainEnabled: false + +# Custom drain configuration for extensible drain handling +# When enabled, node-drainer creates a customer-defined CR from a template instead of evicting pods directly +# The customer controller is responsible for draining pods and updating the CR status +# Mutually exclusive with userNamespaces (only one can be enabled) +customDrain: + # Enable custom drain mechanism + enabled: false + + # Name of the ConfigMap containing the drain template + # Customer must create this ConfigMap with the drain template file + templateConfigMapName: "drain-template" + + # Path where the drain template ConfigMap is mounted + templateMountPath: "/etc/drain-template" + + # Name of the template file to use for rendering custom drain CRs + templateFileName: "drain-template.yaml" + + # Namespace where custom drain CRs will be created + namespace: "nvsentinel" + + # API group of the custom drain CRD (e.g., "drain.example.com") + apiGroup: "" + + # API version of the custom drain CRD (e.g., "v1alpha1") + version: "" + + # Kind of the custom drain CRD (e.g., "DrainRequest") + kind: "" + + # Plural resource name for the custom drain CRD (e.g., "drainrequests") + # Must match the CRD's spec.names.plural field exactly + resource: "" + + # Condition type to check in CR status.conditions for completion (e.g., "Complete") + statusConditionType: "" + + # Expected condition status value indicating completion (e.g., "True") + statusConditionStatus: "" + + # Timeout duration for waiting for CR completion (e.g., "30m") + # After this timeout, the drain is considered failed + timeout: "30m" diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/.helmignore new file mode 100644 index 00000000..207983f3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/.helmignore @@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/Chart.lock b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/Chart.lock new file mode 100644 index 00000000..79e21f43 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + version: 2.23.0 +digest: sha256:fbd6439f12ded949c04553b9c52a4c8153a8f2790147d972b314ddcd46921a14 +generated: "2024-09-13T19:13:44.505302736Z" diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/Chart.yaml new file mode 100644 index 00000000..3d305e09 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + category: Database + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r30 + - name: postgres-exporter + image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r43 + - name: postgresql + image: docker.io/bitnami/postgresql:16.4.0-debian-12-r14 + licenses: Apache-2.0 +apiVersion: v2 +appVersion: 16.4.0 +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x +description: PostgreSQL (Postgres) is an open source object-relational database known + for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, + views, triggers and stored procedures. +home: https://bitnami.com +icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png +keywords: +- postgresql +- postgres +- database +- sql +- replication +- cluster +maintainers: +- name: Broadcom, Inc. All Rights Reserved. + url: https://github.com/bitnami/charts +name: postgresql +sources: +- https://github.com/bitnami/charts/tree/main/bitnami/postgresql +version: 15.5.38 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/README.md b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/README.md new file mode 100644 index 00000000..56352af4 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/README.md @@ -0,0 +1,1021 @@ + + +# Bitnami package for PostgreSQL + +PostgreSQL (Postgres) is an open source object-relational database known for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, views, triggers and stored procedures. + +[Overview of PostgreSQL](http://www.postgresql.org) + +Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. + +## TL;DR + +```console +helm install my-release oci://registry-1.docker.io/bitnamicharts/postgresql +``` + +Looking to use PostgreSQL in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + +## Introduction + +This chart bootstraps a [PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +For HA, please see [this repo](https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha) + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/postgresql +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling VS Immutable tags](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customizing primary and read replica services in a replicated configuration + +At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. + +### Use a different PostgreSQL version + +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. + +### LDAP + +LDAP support can be enabled in the chart by specifying the `ldap.` parameters while creating a release. The following parameters should be configured to properly enable the LDAP support in the chart. + +- **ldap.enabled**: Enable LDAP support. Defaults to `false`. +- **ldap.uri**: LDAP URL beginning in the form `ldap[s]://:`. No defaults. +- **ldap.base**: LDAP base DN. No defaults. +- **ldap.binddn**: LDAP bind DN. No defaults. +- **ldap.bindpw**: LDAP bind password. No defaults. +- **ldap.bslookup**: LDAP base lookup. No defaults. +- **ldap.nss_initgroups_ignoreusers**: LDAP ignored users. `root,nslcd`. +- **ldap.scope**: LDAP search scope. No defaults. +- **ldap.tls_reqcert**: LDAP TLS check on server certificates. No defaults. + +For example: + +```text +ldap.enabled="true" +ldap.uri="ldap://my_ldap_server" +ldap.base="dc=example\,dc=org" +ldap.binddn="cn=admin\,dc=example\,dc=org" +ldap.bindpw="admin" +ldap.bslookup="ou=group-ok\,dc=example\,dc=org" +ldap.nss_initgroups_ignoreusers="root\,nslcd" +ldap.scope="sub" +ldap.tls_reqcert="demand" +``` + +Next, login to the PostgreSQL server using the `psql` client and add the PAM authenticated LDAP users. + +> Note: Parameters including commas must be escaped as shown in the above example. + +### postgresql.conf / pg_hba.conf files as configMap + +This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`. + +You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter. + +In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options. + +### Initialize a fresh instance + +The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string. + +In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. Defaults to `false` +- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. + +For example: + +- First, create the secret with the cetificates files: + + ```console + kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt + ``` + +- Then, use the following parameters: + + ```console + volumePermissions.enabled=true + tls.enabled=true + tls.certificatesSecret="certificates-tls-secret" + tls.certFilename="cert.crt" + tls.certKeyFilename="cert.key" + ``` + + > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. + +### Sidecars + +If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. + +```yaml +# For the PostgreSQL primary +primary: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +# For the PostgreSQL replicas +readReplicas: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). + +The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. + +### Use of global variables + +In more complex scenarios, we may have the following tree of dependencies + +```text + +--------------+ + | | + +------------+ Chart 1 +-----------+ + | | | | + | --------+------+ | + | | | + | | | + | | | + | | | + v v v ++-------+------+ +--------+------+ +--------+------+ +| | | | | | +| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | +| | | | | | ++--------------+ +---------------+ +---------------+ +``` + +The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: + +```text +postgresql.auth.username=testuser +subchart1.postgresql.auth.username=testuser +subchart2.postgresql.auth.username=testuser +postgresql.auth.password=testpass +subchart1.postgresql.auth.password=testpass +subchart2.postgresql.auth.password=testpass +postgresql.auth.database=testdb +subchart1.postgresql.auth.database=testdb +subchart2.postgresql.auth.database=testdb +``` + +If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: + +```text +global.postgresql.auth.username=testuser +global.postgresql.auth.password=testpass +global.postgresql.auth.database=testdb +``` + +This way, the credentials will be available in all of the subcharts. + +### Backup and restore PostgreSQL deployments + +To back up and restore Bitnami PostgreSQL Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool. + +These are the steps you will usually follow to back up and restore your PostgreSQL cluster data: + +- Install Velero on the source and destination clusters. +- Use Velero to back up the PersistentVolumes (PVs) used by the deployment on the source cluster. +- Use Velero to restore the backed-up PVs on the destination cluster. +- Create a new deployment on the destination cluster with the same chart, deployment name, credentials and other parameters as the original. This new deployment will use the restored PVs and hence the original data. + +Refer to our detailed [tutorial on backing up and restoring PostgreSQL deployments on Kubernetes](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-migrate-data-tac-velero-index.html) for more information. + +### NetworkPolicy + +To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: + +```console +kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +With NetworkPolicy enabled, traffic will be limited to just port 5432. + +For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. +This label will be displayed in the output of a successful install. + +### Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image + +- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. +- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. +- For OpenShift up to 4.10, let set the volume permissions, security context, runAsUser and fsGroup automatically by OpenShift and disable the predefined settings of the helm chart: primary.securityContext.enabled=false,primary.containerSecurityContext.enabled=false,volumePermissions.enabled=false,shmVolume.enabled=false +- For OpenShift 4.11 and higher, let set OpenShift the runAsUser and fsGroup automatically. Configure the pod and container security context to restrictive defaults and disable the volume permissions setup: primary. + podSecurityContext.fsGroup=null,primary.podSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.runAsUser=null,primary.containerSecurityContext.allowPrivilegeEscalation=false,primary.containerSecurityContext.runAsNonRoot=true,primary.containerSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.capabilities.drop=['ALL'],volumePermissions.enabled=false,shmVolume.enabled=false + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Persistence + +The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished. + +## Parameters + +### Global parameters + +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | +| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` | +| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` | +| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` | +| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` | +| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` | +| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | + +### Common parameters + +| Name | Description | Value | +| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- | +| `kubeVersion` | Override Kubernetes version | `""` | +| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override common.names.fullname template | `""` | +| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` | +| `commonLabels` | Add labels to all the deployed resources | `{}` | +| `commonAnnotations` | Add annotations to all the deployed resources | `{}` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the statefulset | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the statefulset | `["infinity"]` | + +### PostgreSQL common parameters + +| Name | Description | Value | +| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | +| `image.registry` | PostgreSQL image registry | `REGISTRY_NAME` | +| `image.repository` | PostgreSQL image repository | `REPOSITORY_NAME/postgresql` | +| `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify image pull secrets | `[]` | +| `image.debug` | Specify if debug values should be set | `false` | +| `auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `true` | +| `auth.postgresPassword` | Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided | `""` | +| `auth.username` | Name for a custom user to create | `""` | +| `auth.password` | Password for the custom user to create. Ignored if `auth.existingSecret` is provided | `""` | +| `auth.database` | Name for a custom database to create | `""` | +| `auth.replicationUsername` | Name of the replication user | `repl_user` | +| `auth.replicationPassword` | Password for the replication user. Ignored if `auth.existingSecret` is provided | `""` | +| `auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. | `""` | +| `auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `postgres-password` | +| `auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `password` | +| `auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `replication-password` | +| `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `false` | +| `architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` | +| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | +| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. | `0` | +| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | +| `containerPorts.postgresql` | PostgreSQL container port | `5432` | +| `audit.logHostname` | Log client hostnames | `false` | +| `audit.logConnections` | Add client log-in operations to the log file | `false` | +| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` | +| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `""` | +| `audit.pgAuditLogCatalog` | Log catalog using pgAudit | `off` | +| `audit.clientMinMessages` | Message log level to share with the user | `error` | +| `audit.logLinePrefix` | Template for log line prefix (default if not set) | `""` | +| `audit.logTimezone` | Timezone for the log timestamps | `""` | +| `ldap.enabled` | Enable LDAP support | `false` | +| `ldap.server` | IP address or name of the LDAP server. | `""` | +| `ldap.port` | Port number on the LDAP server to connect to | `""` | +| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `""` | +| `ldap.suffix` | String to append to the user name when forming the DN to bind | `""` | +| `ldap.basedn` | Root DN to begin the search for the user in | `""` | +| `ldap.binddn` | DN of user to bind to LDAP | `""` | +| `ldap.bindpw` | Password for the user to bind to LDAP | `""` | +| `ldap.searchAttribute` | Attribute to match against the user name in the search | `""` | +| `ldap.searchFilter` | The search filter to use when doing search+bind authentication | `""` | +| `ldap.scheme` | Set to `ldaps` to use LDAPS | `""` | +| `ldap.tls.enabled` | Se to true to enable TLS encryption | `false` | +| `ldap.uri` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. | `""` | +| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql/data` | +| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` | +| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) | `true` | +| `shmVolume.sizeLimit` | Set this to enable a size limit on the shm tmpfs | `""` | +| `tls.enabled` | Enable TLS traffic support | `false` | +| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` | +| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` | +| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `""` | +| `tls.certFilename` | Certificate filename | `""` | +| `tls.certKeyFilename` | Certificate key filename | `""` | +| `tls.certCAFilename` | CA Certificate filename | `""` | +| `tls.crlFilename` | File containing a Certificate Revocation List | `""` | + +### PostgreSQL Primary parameters + +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | +| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` | +| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` | +| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` | +| `primary.existingConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary configuration | `""` | +| `primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `""` | +| `primary.existingExtendedConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary extended configuration | `""` | +| `primary.initdb.args` | PostgreSQL initdb extra arguments | `""` | +| `primary.initdb.postgresqlWalDir` | Specify a custom location for the PostgreSQL transaction log | `""` | +| `primary.initdb.scripts` | Dictionary of initdb scripts | `{}` | +| `primary.initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot | `""` | +| `primary.initdb.scriptsSecret` | Secret with scripts to be run at first boot (in case it contains sensitive information) | `""` | +| `primary.initdb.user` | Specify the PostgreSQL username to execute the initdb scripts | `""` | +| `primary.initdb.password` | Specify the PostgreSQL password to execute the initdb scripts | `""` | +| `primary.preInitDb.scripts` | Dictionary of pre-init scripts | `{}` | +| `primary.preInitDb.scriptsConfigMap` | ConfigMap with pre-init scripts to be run | `""` | +| `primary.preInitDb.scriptsSecret` | Secret with pre-init scripts to be run | `""` | +| `primary.standby.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not | `false` | +| `primary.standby.primaryHost` | The Host of replication primary in the other cluster | `""` | +| `primary.standby.primaryPort` | The Port of replication primary in the other cluster | `""` | +| `primary.extraEnvVars` | Array with extra environment variables to add to PostgreSQL Primary nodes | `[]` | +| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes | `""` | +| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL Primary nodes | `""` | +| `primary.command` | Override default container command (useful when using custom images) | `[]` | +| `primary.args` | Override default container args (useful when using custom images) | `[]` | +| `primary.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Primary containers | `true` | +| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `primary.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Primary containers | `true` | +| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `primary.startupProbe.enabled` | Enable startupProbe on PostgreSQL Primary containers | `false` | +| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `primary.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` | +| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `nano` | +| `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `primary.podSecurityContext.enabled` | Enable security context | `true` | +| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | +| `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `primary.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` | +| `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) | `false` | +| `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | +| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` | +| `primary.annotations` | Annotations for PostgreSQL primary pods | `{}` | +| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` | +| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` | +| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` | +| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` | +| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` | +| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `""` | +| `primary.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | +| `primary.terminationGracePeriodSeconds` | Seconds PostgreSQL primary pod needs to terminate gracefully | `""` | +| `primary.updateStrategy.type` | PostgreSQL Primary statefulset strategy type | `RollingUpdate` | +| `primary.updateStrategy.rollingUpdate` | PostgreSQL Primary statefulset rolling update configuration parameters | `{}` | +| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) | `[]` | +| `primary.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) | `[]` | +| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` | +| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` | +| `primary.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | +| `primary.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | +| `primary.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `primary.pdb.minAvailable` and `primary.pdb.maxUnavailable` are empty. | `""` | +| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` | +| `primary.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `primary.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `primary.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `primary.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `primary.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `primary.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `primary.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `primary.service.type` | Kubernetes Service type | `ClusterIP` | +| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` | +| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | +| `primary.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `primary.service.annotations` | Annotations for PostgreSQL primary service | `{}` | +| `primary.service.loadBalancerClass` | Load balancer class if service type is `LoadBalancer` | `""` | +| `primary.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | +| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | +| `primary.service.extraPorts` | Extra ports to expose in the PostgreSQL primary service | `[]` | +| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `primary.service.headless.annotations` | Additional custom annotations for headless PostgreSQL primary service | `{}` | +| `primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` | +| `primary.persistence.volumeName` | Name to assign the volume | `data` | +| `primary.persistence.existingClaim` | Name of an existing PVC to use | `""` | +| `primary.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` | +| `primary.persistence.subPath` | The subdirectory of the volume to mount to | `""` | +| `primary.persistence.storageClass` | PVC Storage Class for PostgreSQL Primary data volume | `""` | +| `primary.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | +| `primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `primary.persistence.annotations` | Annotations for the PVC | `{}` | +| `primary.persistence.labels` | Labels for the PVC | `{}` | +| `primary.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | +| `primary.persistence.dataSource` | Custom PVC data source | `{}` | +| `primary.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for Primary Statefulset | `false` | +| `primary.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `primary.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | + +### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) + +| Name | Description | Value | +| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | +| `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...) | `read` | +| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` | +| `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` | +| `readReplicas.extraEnvVars` | Array with extra environment variables to add to PostgreSQL read only nodes | `[]` | +| `readReplicas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes | `""` | +| `readReplicas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL read only nodes | `""` | +| `readReplicas.command` | Override default container command (useful when using custom images) | `[]` | +| `readReplicas.args` | Override default container args (useful when using custom images) | `[]` | +| `readReplicas.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL read only containers | `true` | +| `readReplicas.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `readReplicas.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `readReplicas.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `readReplicas.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `readReplicas.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readReplicas.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL read only containers | `true` | +| `readReplicas.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readReplicas.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readReplicas.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readReplicas.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readReplicas.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `readReplicas.startupProbe.enabled` | Enable startupProbe on PostgreSQL read only containers | `false` | +| `readReplicas.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `readReplicas.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `readReplicas.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `readReplicas.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `readReplicas.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `readReplicas.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` | +| `readReplicas.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production). | `nano` | +| `readReplicas.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` | +| `readReplicas.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `readReplicas.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `readReplicas.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | +| `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `readReplicas.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `readReplicas.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `readReplicas.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `readReplicas.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `readReplicas.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `readReplicas.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` | +| `readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` | +| `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | +| `readReplicas.labels` | Map of labels to add to the statefulset (PostgreSQL read only) | `{}` | +| `readReplicas.annotations` | Annotations for PostgreSQL read only pods | `{}` | +| `readReplicas.podLabels` | Map of labels to add to the pods (PostgreSQL read only) | `{}` | +| `readReplicas.podAnnotations` | Map of annotations to add to the pods (PostgreSQL read only) | `{}` | +| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` | +| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` | +| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` | +| `readReplicas.tolerations` | Tolerations for PostgreSQL read only pods assignment | `[]` | +| `readReplicas.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `readReplicas.priorityClassName` | Priority Class to use for each pod (PostgreSQL read only) | `""` | +| `readReplicas.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | +| `readReplicas.terminationGracePeriodSeconds` | Seconds PostgreSQL read only pod needs to terminate gracefully | `""` | +| `readReplicas.updateStrategy.type` | PostgreSQL read only statefulset strategy type | `RollingUpdate` | +| `readReplicas.updateStrategy.rollingUpdate` | PostgreSQL read only statefulset rolling update configuration parameters | `{}` | +| `readReplicas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) | `[]` | +| `readReplicas.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) | `[]` | +| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` | +| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` | +| `readReplicas.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | +| `readReplicas.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | +| `readReplicas.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `readReplicas.pdb.minAvailable` and `readReplicas.pdb.maxUnavailable` are empty. | `""` | +| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` | +| `readReplicas.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `readReplicas.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `readReplicas.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `readReplicas.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `readReplicas.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `readReplicas.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `readReplicas.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` | +| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` | +| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | +| `readReplicas.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `readReplicas.service.annotations` | Annotations for PostgreSQL read only service | `{}` | +| `readReplicas.service.loadBalancerClass` | Load balancer class if service type is `LoadBalancer` | `""` | +| `readReplicas.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | +| `readReplicas.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `readReplicas.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | +| `readReplicas.service.extraPorts` | Extra ports to expose in the PostgreSQL read only service | `[]` | +| `readReplicas.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `readReplicas.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `readReplicas.service.headless.annotations` | Additional custom annotations for headless PostgreSQL read only service | `{}` | +| `readReplicas.persistence.enabled` | Enable PostgreSQL read only data persistence using PVC | `true` | +| `readReplicas.persistence.existingClaim` | Name of an existing PVC to use | `""` | +| `readReplicas.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` | +| `readReplicas.persistence.subPath` | The subdirectory of the volume to mount to | `""` | +| `readReplicas.persistence.storageClass` | PVC Storage Class for PostgreSQL read only data volume | `""` | +| `readReplicas.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | +| `readReplicas.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `readReplicas.persistence.annotations` | Annotations for the PVC | `{}` | +| `readReplicas.persistence.labels` | Labels for the PVC | `{}` | +| `readReplicas.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | +| `readReplicas.persistence.dataSource` | Custom PVC data source | `{}` | +| `readReplicas.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for read only Statefulset | `false` | +| `readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | + +### Backup parameters + +| Name | Description | Value | +| ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` | +| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` | +| `backup.cronjob.timeZone` | Set the cronjob parameter timeZone | `""` | +| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` | +| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` | +| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` | +| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` | +| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` | +| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | +| `backup.cronjob.podSecurityContext.enabled` | Enable PodSecurityContext for CronJob/Backup | `true` | +| `backup.cronjob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `backup.cronjob.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` | +| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `backup.cronjob.command` | Set backup container's command to run | `["/bin/sh","-c","pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"]` | +| `backup.cronjob.labels` | Set the cronjob labels | `{}` | +| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` | +| `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` | +| `backup.cronjob.tolerations` | Tolerations for PostgreSQL backup CronJob pods assignment | `[]` | +| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). | `nano` | +| `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory | `{}` | +| `backup.cronjob.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `backup.cronjob.storage.enabled` | Enable using a `PersistentVolumeClaim` as backup data volume | `true` | +| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | +| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | +| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` | +| `backup.cronjob.storage.annotations` | PVC annotations | `{}` | +| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/pgdump` | +| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | +| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | +| `backup.cronjob.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the backup container | `[]` | +| `backup.cronjob.extraVolumes` | Optionally specify extra list of additional volumes for the backup container | `[]` | + +### Volume Permissions parameters + +| Name | Description | Value | +| ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | +| `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` | +| `volumePermissions.containerSecurityContext.runAsNonRoot` | runAsNonRoot for the init container | `false` | +| `volumePermissions.containerSecurityContext.seccompProfile.type` | seccompProfile.type for the init container | `RuntimeDefault` | + +### Other Parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | +| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | +| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | +| `rbac.rules` | Custom RBAC rules to set | `[]` | +| `psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | + +### Metrics Parameters + +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `metrics.enabled` | Start a prometheus exporter | `false` | +| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `REPOSITORY_NAME/postgres-exporter` | +| `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify image pull secrets | `[]` | +| `metrics.collectors` | Control enabled collectors | `{}` | +| `metrics.customMetrics` | Define additional custom metrics | `{}` | +| `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` | +| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Prometheus exporter containers | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Prometheus exporter containers | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe on PostgreSQL Prometheus exporter containers | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` | +| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `metrics.service.annotations` | Annotations for Prometheus to auto-discover the metrics endpoint | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.prometheusRule.enabled` | Create a PrometheusRule for Prometheus Operator | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | PrometheusRule definitions | `[]` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm install my-release \ + --set auth.postgresPassword=secretpassword + oci://REGISTRY_NAME/REPOSITORY_NAME/postgresql +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The above command sets the PostgreSQL `postgres` account password to `secretpassword`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. +> **Warning** Setting a password will be ignored on new installation in case when previous PostgreSQL release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. Refer to [issue 2061](https://github.com/bitnami/charts/issues/2061) for more details + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/postgresql +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/postgresql/values.yaml) + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +### To 15.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + +### To 14.0.0 + +This major version adapts the NetworkPolicy objects to the most recent Bitnami standards. Now there is a separate object for `primary` and for `readReplicas`, being located in their corresponding sections. It is also enabled by default in other to comply with the best security standards. + +Check the parameter section for the new value structure. + +### To 13.0.0 + +This major version changes the default PostgreSQL image from 15.x to 16.x. Follow the [official instructions](https://www.postgresql.org/docs/16/upgrading.html) to upgrade to 16.x. + +### To 12.0.0 + +This major version changes the default PostgreSQL image from 14.x to 15.x. Follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html) to upgrade to 15.x. + +### To 11.0.0 + +In this version the application version was bumped to _14.x_ series. Also, this major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. + +- _replication.enabled_ parameter is deprecated in favor of _architecture_ parameter that accepts two values: _standalone_ and _replication_. +- _replication.singleService_ and _replication.uniqueServices_ parameters are deprecated. When using replication, each statefulset (primary and read-only) has its own headless service & service allowing to connect to read-only replicas through the service (round-robin) or individually. +- _postgresqlPostgresPassword_, _postgresqlUsername_, _postgresqlPassword_, _postgresqlDatabase_, _replication.user_, _replication.password_, and _existingSecret_ parameters have been regrouped under the _auth_ map. The _auth_ map uses a new perspective to configure authentication, so please read carefully each sub-parameter description. +- _extraEnv_ has been deprecated in favor of _primary.extraEnvVars_ and _readReplicas.extraEnvVars_. +- _postgresqlConfiguration_, _pgHbaConfiguration_, _configurationConfigMap_, _postgresqlExtendedConf_, and _extendedConfConfigMap_ have been deprecated in favor of _primary.configuration_, _primary.pgHbaConfiguration_, _primary.existingConfigmap_, _primary.extendedConfiguration_, and _primary.existingExtendedConfigmap_. +- _postgresqlInitdbArgs_, _postgresqlInitdbWalDir_, _initdbScripts_, _initdbScriptsConfigMap_, _initdbScriptsSecret_, _initdbUser_ and _initdbPassword_ have been regrouped under the _primary.initdb_ map. +- _postgresqlMaxConnections_, _postgresqlPostgresConnectionLimit_, _postgresqlDbUserConnectionLimit_, _postgresqlTcpKeepalivesInterval_, _postgresqlTcpKeepalivesIdle_, _postgresqlTcpKeepalivesCount_, _postgresqlStatementTimeout_ and _postgresqlPghbaRemoveFilters_ parameters are deprecated. Use _XXX.extraEnvVars_ instead. +- _primaryAsStandBy_ has been deprecated in favor of _primary.standby_. +- _securityContext_ and _containerSecurityContext_ have been deprecated in favor of _primary.podSecurityContext_, _primary.containerSecurityContext_, _readReplicas.podSecurityContext_, and _readReplicas.containerSecurityContext_. +- _livenessProbe_ and _readinessProbe_ maps have been deprecated in favor of _primary.livenessProbe_, _primary.readinessProbe_, _readReplicas.livenessProbe_ and _readReplicas.readinessProbe_ maps. +- _persistence_ map has been deprecated in favor of _primary.persistence_ and _readReplicas.persistence_ maps. +- _networkPolicy_ map has been completely refactored. +- _service_ map has been deprecated in favor of _primary.service_ and _readReplicas.service_ maps. +- _metrics.service.port_ has been regrouped under the _metrics.service.ports_ map. +- _serviceAccount.enabled_ and _serviceAccount.autoMount_ have been deprecated in favor of _serviceAccount.create_ and _serviceAccount.automountServiceAccountToken_. + +#### How to upgrade to version 11.0.0 + +To upgrade to _11.0.0_ from _10.x_, it should be done reusing the PVC(s) used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is _postgresql_): + +> NOTE: Please, create a backup of your database before running any of these actions. + +1. Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: + +```console +export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +``` + +1. Delete the PostgreSQL statefulset (notice the option _--cascade=false_) and secret: + +```console +kubectl delete statefulsets.apps postgresql-postgresql --namespace default --cascade=false +kubectl delete secret postgresql --namespace default +``` + +1. Upgrade your release using the same PostgreSQL version: + +```console +CURRENT_VERSION=$(kubectl exec postgresql-postgresql-0 -- bash -c 'echo $BITNAMI_IMAGE_VERSION') +helm upgrade postgresql bitnami/postgresql \ + --set auth.postgresPassword=$POSTGRESQL_PASSWORD \ + --set primary.persistence.existingClaim=$POSTGRESQL_PVC \ + --set image.tag=$CURRENT_VERSION +``` + +1. You will have to delete the existing PostgreSQL pod and the new statefulset is going to create a new one + +```console +kubectl delete pod postgresql-postgresql-0 +``` + +1. Finally, you should see the lines below in PostgreSQL container logs: + +```text +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}") +... +postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... +... +``` + +> NOTE: the instructions above reuse the same PostgreSQL version you were using in your chart release. Otherwise, you will find an error such as the one below when upgrading since the new chart major version also bumps the application version. To workaround this issue you need to upgrade database, please refer to the [official PostgreSQL documentation](https://www.postgresql.org/docs/current/upgrading.html) for more information about this. + +```console +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}") + ... +postgresql 08:10:14.72 INFO ==> ** Starting PostgreSQL ** +2022-02-01 08:10:14.734 GMT [1] FATAL: database files are incompatible with server +2022-02-01 08:10:14.734 GMT [1] DETAIL: The data directory was initialized by PostgreSQL version 11, which is not compatible with this version 14.1. +``` + +### To 10.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Move dependency information from the _requirements.yaml_ to the _Chart.yaml_ +- After running _helm dependency update_, a _Chart.lock_ file is generated containing the same structure used in the previous _requirements.lock_ +- The different fields present in the _Chart.yaml_ file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Chart. +- The term _master_ has been replaced with _primary_ and _slave_ with _readReplicas_ throughout the chart. Role names have changed from _master_ and _slave_ to _primary_ and _read_. + +#### Considerations when upgrading to this version + +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version does not support Helm v2 anymore. +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3. + +#### Useful links + +- [Bitnami Tutorial](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-resolve-helm2-helm3-post-migration-issues-index.html) +- [Helm docs](https://helm.sh/docs/topics/v2_v3_migration) +- [Helm Blog](https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3) + +#### How to upgrade to version 10.0.0 + +To upgrade to _10.0.0_ from _9.x_, it should be done reusing the PVC(s) used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is _postgresql_): + +> NOTE: Please, create a backup of your database before running any of those actions. + +1. Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: + +```console +export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +``` + +1. Delete the PostgreSQL statefulset (notice the option _--cascade=false_): + +```console +kubectl delete statefulsets.apps postgresql-postgresql --namespace default --cascade=false +``` + +1. Upgrade your release using the same PostgreSQL version: + +```console +helm upgrade postgresql bitnami/postgresql \ + --set postgresqlPassword=$POSTGRESQL_PASSWORD \ + --set persistence.existingClaim=$POSTGRESQL_PVC +``` + +1. Delete the existing PostgreSQL pod and the new statefulset will create a new one: + +```console +kubectl delete pod postgresql-postgresql-0 +``` + +1. Finally, you should see the lines below in PostgreSQL container logs: + +```text +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +... +postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... +... +``` + +### To 9.0.0 + +In this version the chart was adapted to follow the [Helm standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels). + +- Some inmutable objects were modified to adopt Helm standard labels introducing backward incompatibilities. + +#### How to upgrade to version 9.0.0 + +To upgrade to _9.0.0_ from _8.x_, it should be done reusing the PVC(s) used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is _postgresql_): + +> NOTE: Please, create a backup of your database before running any of those actions. + +1. Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: + +```console +export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +export POSTGRESQL_PVC=$(kubectl get pvc -l app=postgresql,role=master -o jsonpath="{.items[0].metadata.name}") +``` + +1. Delete the PostgreSQL statefulset (notice the option _--cascade=false_): + +```console +kubectl delete statefulsets.apps postgresql-postgresql --namespace default --cascade=false +``` + +1. Upgrade your release using the same PostgreSQL version: + +```console +helm upgrade postgresql bitnami/postgresql \ + --set postgresqlPassword=$POSTGRESQL_PASSWORD \ + --set persistence.existingClaim=$POSTGRESQL_PVC +``` + +1. Delete the existing PostgreSQL pod and the new statefulset will create a new one: + +```console +kubectl delete pod postgresql-postgresql-0 +``` + +1. Finally, you should see the lines below in PostgreSQL container logs: + +```text +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=master -o jsonpath="{.items[0].metadata.name}") +... +postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... +... +``` + +## License + +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/.helmignore new file mode 100644 index 00000000..d0e10845 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/.helmignore @@ -0,0 +1,26 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/Chart.yaml new file mode 100644 index 00000000..8cc0aaa0 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + category: Infrastructure + licenses: Apache-2.0 +apiVersion: v2 +appVersion: 2.23.0 +description: A Library Helm Chart for grouping common logic between bitnami charts. + This chart is not deployable by itself. +home: https://bitnami.com +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- name: Broadcom, Inc. All Rights Reserved. + url: https://github.com/bitnami/charts +name: common +sources: +- https://github.com/bitnami/charts/tree/main/bitnami/common +type: library +version: 2.23.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/README.md b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/README.md new file mode 100644 index 00000000..fee26c99 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/README.md @@ -0,0 +1,235 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 2.x.x + repository: oci://registry-1.docker.io/bitnamicharts +``` + +```console +helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ + +## Parameters + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +#### What changes were introduced in this major version? + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +#### Considerations when upgrading to this version + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +#### Useful links + +- +- +- + +## License + +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_affinities.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_affinities.tpl new file mode 100644 index 00000000..c2d29079 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_affinities.tpl @@ -0,0 +1,139 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a topologyKey definition +{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}} +*/}} +{{- define "common.affinities.topologyKey" -}} +{{ .topologyKey | default "kubernetes.io/hostname" -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: 1 + {{- range $extraPodAffinityTerms }} + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: {{ .weight | default 1 -}} + {{- end -}} +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- range $extraPodAffinityTerms }} + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- end -}} +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_capabilities.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_capabilities.tpl new file mode 100644 index 00000000..2fe81d32 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_capabilities.tpl @@ -0,0 +1,229 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.7-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for daemonset. +*/}} +{{- define "common.capabilities.daemonset.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if (.Values.ingress).apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.17-0" $kubeVersion) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.10-0" $kubeVersion) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "common.capabilities.hpa.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Vertical Pod Autoscaler. +*/}} +{{- define "common.capabilities.vpa.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if PodSecurityPolicy is supported +*/}} +{{- define "common.capabilities.psp.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if or (empty $kubeVersion) (semverCompare "<1.25-0" $kubeVersion) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if AdmissionConfiguration is supported +*/}} +{{- define "common.capabilities.admissionConfiguration.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if or (empty $kubeVersion) (not (semverCompare "<1.23-0" $kubeVersion)) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for AdmissionConfiguration. +*/}} +{{- define "common.capabilities.admissionConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- print "apiserver.config.k8s.io/v1alpha1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "apiserver.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiserver.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for PodSecurityConfiguration. +*/}} +{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "pod-security.admission.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "pod-security.admission.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_compatibility.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_compatibility.tpl new file mode 100644 index 00000000..a61588d6 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_compatibility.tpl @@ -0,0 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return true if the detected platform is Openshift +Usage: +{{- include "common.compatibility.isOpenshift" . -}} +*/}} +{{- define "common.compatibility.isOpenshift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC +Usage: +{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} +*/}} +{{- define "common.compatibility.renderSecurityContext" -}} +{{- $adaptedContext := .secContext -}} + +{{- if (((.context.Values.global).compatibility).openshift) -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} + {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- if not .secContext.seLinuxOptions -}} + {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{/* Remove empty seLinuxOptions object if global.compatibility.omitEmptySeLinuxOptions is set to true */}} +{{- if and (((.context.Values.global).compatibility).omitEmptySeLinuxOptions) (not .secContext.seLinuxOptions) -}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} +{{- end -}} +{{/* Remove fields that are disregarded when running the container in privileged mode */}} +{{- if $adaptedContext.privileged -}} + {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_errors.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_errors.tpl new file mode 100644 index 00000000..e9653651 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_errors.tpl @@ -0,0 +1,28 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_images.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_images.tpl new file mode 100644 index 00000000..76bb7ce4 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_images.tpl @@ -0,0 +1,115 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name. +If image tag and digest are not defined, termination fallbacks to chart appVersion. +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "chart" .Chart ) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $separator := ":" -}} +{{- $termination := .imageRoot.tag | toString -}} + +{{- if not .imageRoot.tag }} + {{- if .chart }} + {{- $termination = .chart.AppVersion | toString -}} + {{- end -}} +{{- end -}} +{{- if .imageRoot.digest }} + {{- $separator = "@" -}} + {{- $termination = .imageRoot.digest | toString -}} +{{- end -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- range ((.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end }} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) -}} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- range (($context.Values.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) -}} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion) +{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }} +*/}} +{{- define "common.images.version" -}} +{{- $imageTag := .imageRoot.tag | toString -}} +{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}} +{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}} + {{- $version := semver $imageTag -}} + {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}} +{{- else -}} + {{- print .chart.AppVersion -}} +{{- end -}} +{{- end -}} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_ingress.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_ingress.tpl new file mode 100644 index 00000000..7d2b8798 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_ingress.tpl @@ -0,0 +1,73 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_labels.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_labels.tpl new file mode 100644 index 00000000..0a0cc548 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_labels.tpl @@ -0,0 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Kubernetes standard labels +{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}} +*/}} +{{- define "common.labels.standard" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}} +{{- with .context.Chart.AppVersion -}} +{{- $_ := set $default "app.kubernetes.io/version" . -}} +{{- end -}} +{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }} +{{- else -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Chart.AppVersion }} +app.kubernetes.io/version: {{ . | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector +{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}} + +We don't want to loop over custom labels appending them to the selector +since it's very likely that it will break deployments, services, etc. +However, it's important to overwrite the standard labels if the user +overwrote them on metadata.labels fields. +*/}} +{{- define "common.labels.matchLabels" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }} +{{- else -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_names.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_names.tpl new file mode 100644 index 00000000..ba839568 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_names.tpl @@ -0,0 +1,71 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a fully qualified app name adding the installation's namespace. +*/}} +{{- define "common.names.fullname.namespace" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_resources.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_resources.tpl new file mode 100644 index 00000000..d8a43e1c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_resources.tpl @@ -0,0 +1,50 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "common.resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "common.resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi") + ) + "xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_secrets.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_secrets.tpl new file mode 100644 index 00000000..801918ce --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_secrets.tpl @@ -0,0 +1,185 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. +The order in which this function returns a secret password: + 1. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 2. Password provided via the values.yaml + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 3. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- end }} + +{{- if not $password }} + {{- if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} + {{- else }} + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- if not (eq .failOnNew false) }} + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + {{- end }} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} + {{- else }} + {{- $password = randAlphaNum $passwordLength }} + {{- end }} + {{- end -}} +{{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} +{{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Reuses the value from an existing secret, otherwise sets its value to a default value. + +Usage: +{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - context - Context - Required - Parent context. + +*/}} +{{- define "common.secrets.lookup" -}} +{{- $value := "" -}} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}} +{{- if and $secretData (hasKey $secretData .key) -}} + {{- $value = index $secretData .key -}} +{{- else if .defaultValue -}} + {{- $value = .defaultValue | toString | b64enc -}} +{{- end -}} +{{- if $value -}} +{{- printf "%s" $value -}} +{{- end -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_storage.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_storage.tpl new file mode 100644 index 00000000..aa75856c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_storage.tpl @@ -0,0 +1,21 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} +{{- $storageClass := (.global).storageClass | default .persistence.storageClass | default (.global).defaultStorageClass | default "" -}} +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else -}} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_tplvalues.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_tplvalues.tpl new file mode 100644 index 00000000..c84d72c8 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,38 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template perhaps with scope if the scope is present. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} +*/}} +{{- define "common.tplvalues.render" -}} +{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} +{{- if contains "{{" (toJson .value) }} + {{- if .scope }} + {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} + {{- else }} + {{- tpl $value .context }} + {{- end }} +{{- else }} + {{- $value }} +{{- end }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge +Usage: +{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_utils.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_utils.tpl new file mode 100644 index 00000000..d53c74aa --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_utils.tpl @@ -0,0 +1,77 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376). +Usage: +{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }} +*/}} +{{- define "common.utils.checksumTemplate" -}} +{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}} +{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_warnings.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_warnings.tpl new file mode 100644 index 00000000..e4dbecde --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/_warnings.tpl @@ -0,0 +1,109 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html +{{- end }} +{{- end -}} + +{{/* +Warning about replaced images from the original. +Usage: +{{ include "common.warnings.modifiedImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} +*/}} +{{- define "common.warnings.modifiedImages" -}} +{{- $affectedImages := list -}} +{{- $printMessage := false -}} +{{- $originalImages := .context.Chart.Annotations.images -}} +{{- range .images -}} + {{- $fullImageName := printf (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- if not (contains $fullImageName $originalImages) }} + {{- $affectedImages = append $affectedImages (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- $printMessage = true -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +⚠ SECURITY WARNING: Original containers have been substituted. This Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables. + +Substituted images detected: +{{- range $affectedImages }} + - {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . -}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_cassandra.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 00000000..3f41ff8f --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,77 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_mariadb.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 00000000..6ea8c0f4 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,108 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_mongodb.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 00000000..d4cd38cb --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,113 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB® required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_mysql.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_mysql.tpl new file mode 100644 index 00000000..924812a9 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_mysql.tpl @@ -0,0 +1,108 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MySQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mysql.passwords" -}} + {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mysql.values.enabled" . -}} + {{- $architecture := include "common.mysql.values.architecture" . -}} + {{- $authPrefix := include "common.mysql.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mysql. + +Usage: +{{ include "common.mysql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mysql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mysql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.key.auth" -}} + {{- if .subchart -}} + mysql.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_postgresql.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 00000000..0fa0b146 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,134 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_redis.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_redis.tpl new file mode 100644 index 00000000..f4778256 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,81 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis® required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} + + {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} + {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} + + {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} + {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} + {{- if eq $useAuth "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_validations.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_validations.tpl new file mode 100644 index 00000000..7cdee617 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,51 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/values.yaml new file mode 100644 index 00000000..de2cac57 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/charts/common/values.yaml @@ -0,0 +1,8 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/NOTES.txt b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/NOTES.txt new file mode 100644 index 00000000..fd7a751f --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/NOTES.txt @@ -0,0 +1,117 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +** Please be patient while the chart is being deployed ** + +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ .Release.Namespace }} -ti -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash + +In order to replicate the container startup scripts execute this command: + + /opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh + +{{- else }} + +{{- $customUser := include "postgresql.v1.username" . }} +{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary .Values.auth.postgresPassword .Values.auth.password (eq $customUser "postgres")) "context" $) -}} +{{- $authEnabled := and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres"))) }} +{{- if not $authEnabled }} + +WARNING: PostgreSQL has been configured without authentication, this is not recommended for production environments. +{{- end }} + +PostgreSQL can be accessed via port {{ include "postgresql.v1.service.port" . }} on the following DNS names from within your cluster: + + {{ include "postgresql.v1.primary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection + +{{- if eq .Values.architecture "replication" }} + + {{ include "postgresql.v1.readReplica.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read only connection + +{{- end }} + +{{- if and (not (empty $customUser)) (ne $customUser "postgres") }} +{{- if .Values.auth.enablePostgresUser }} + +To get the password for "postgres" run: + + export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{include "postgresql.v1.adminPasswordKey" .}}}" | base64 -d) +{{- end }} + +To get the password for "{{ $customUser }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{include "postgresql.v1.userPasswordKey" .}}}" | base64 -d) +{{- else }} +{{- if .Values.auth.enablePostgresUser }} + +To get the password for "{{ default "postgres" $customUser }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{ ternary "password" (include "postgresql.v1.adminPasswordKey" .) (and (not (empty $customUser)) (ne $customUser "postgres")) }}}" | base64 -d) +{{- end }} +{{- end }} + +To connect to your database run the following command: + {{- if $authEnabled }} + + kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.v1.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" \ + --command -- psql --host {{ include "postgresql.v1.primary.fullname" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }} + {{- else }} + + kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.v1.image" . }} \ + --command -- psql --host {{ include "postgresql.v1.primary.fullname" . }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }} + {{- end }} + + > NOTE: If you access the container using bash, make sure that you execute "/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash" in order to avoid the error "psql: local user with ID {{ .Values.primary.containerSecurityContext.runAsUser }}} does not exist" + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.primary.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.v1.primary.fullname" . }}) + {{- if $authEnabled }} + PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} + {{- else }} + psql --host $NODE_IP --port $NODE_PORT -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} + {{- end }} +{{- else if contains "LoadBalancer" .Values.primary.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "postgresql.v1.primary.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.primary.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + {{- if $authEnabled }} + PGPASSWORD="$POSTGRES_PASSWORD" psql --host $SERVICE_IP --port {{ include "postgresql.v1.service.port" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} + {{- else }} + psql --host $SERVICE_IP --port {{ include "postgresql.v1.service.port" . }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} + {{- end }} +{{- else if contains "ClusterIP" .Values.primary.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "postgresql.v1.primary.fullname" . }} {{ include "postgresql.v1.service.port" . }}:{{ include "postgresql.v1.service.port" . }} & + {{- if $authEnabled }} + PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }} + {{- else }} + psql --host 127.0.0.1 -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }} + {{- end }} +{{- end }} +{{- end }} + +WARNING: The configured password will be ignored on new installation in case when previous PostgreSQL release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. + +{{- include "postgresql.v1.validateValues" . -}} +{{- include "common.warnings.rollingTag" .Values.image -}} +{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} +{{- include "common.warnings.resources" (dict "sections" (list "metrics" "primary" "readReplicas" "volumePermissions") "context" $) }} +{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/_helpers.tpl new file mode 100644 index 00000000..7c00c477 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/_helpers.tpl @@ -0,0 +1,417 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Create a default fully qualified app name for PostgreSQL Primary objects +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.v1.primary.fullname" -}} +{{- if eq .Values.architecture "replication" -}} + {{- printf "%s-%s" (include "common.names.fullname" .) .Values.primary.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "common.names.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name for PostgreSQL read-only replicas objects +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.v1.readReplica.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) .Values.readReplicas.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the default FQDN for PostgreSQL primary headless service +We truncate at 63 chars because of the DNS naming spec. +*/}} +{{- define "postgresql.v1.primary.svc.headless" -}} +{{- printf "%s-hl" (include "postgresql.v1.primary.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the default FQDN for PostgreSQL read-only replicas headless service +We truncate at 63 chars because of the DNS naming spec. +*/}} +{{- define "postgresql.v1.readReplica.svc.headless" -}} +{{- printf "%s-hl" (include "postgresql.v1.readReplica.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the proper PostgreSQL image name +*/}} +{{- define "postgresql.v1.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper PostgreSQL metrics image name +*/}} +{{- define "postgresql.v1.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "postgresql.v1.volumePermissions.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "postgresql.v1.imagePullSecrets" -}} +{{ include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "context" $) }} +{{- end -}} + +{{/* +Return the name for a custom user to create +*/}} +{{- define "postgresql.v1.username" -}} +{{- if .Values.global.postgresql.auth.username -}} + {{- .Values.global.postgresql.auth.username -}} +{{- else -}} + {{- .Values.auth.username -}} +{{- end -}} +{{- end -}} + +{{/* +Return the name for a custom database to create +*/}} +{{- define "postgresql.v1.database" -}} +{{- if .Values.global.postgresql.auth.database -}} + {{- printf "%s" (tpl .Values.global.postgresql.auth.database $) -}} +{{- else if .Values.auth.database -}} + {{- printf "%s" (tpl .Values.auth.database $) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "postgresql.v1.secretName" -}} +{{- if .Values.global.postgresql.auth.existingSecret -}} + {{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}} +{{- else if .Values.auth.existingSecret -}} + {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} +{{- else -}} + {{- printf "%s" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the replication-password key. +*/}} +{{- define "postgresql.v1.replicationPasswordKey" -}} +{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}} + {{- if .Values.global.postgresql.auth.secretKeys.replicationPasswordKey -}} + {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.replicationPasswordKey $) -}} + {{- else if .Values.auth.secretKeys.replicationPasswordKey -}} + {{- printf "%s" (tpl .Values.auth.secretKeys.replicationPasswordKey $) -}} + {{- else -}} + {{- "replication-password" -}} + {{- end -}} +{{- else -}} + {{- "replication-password" -}} +{{- end -}} +{{- end -}} + +{{/* +Get the admin-password key. +*/}} +{{- define "postgresql.v1.adminPasswordKey" -}} +{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}} + {{- if .Values.global.postgresql.auth.secretKeys.adminPasswordKey -}} + {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.adminPasswordKey $) -}} + {{- else if .Values.auth.secretKeys.adminPasswordKey -}} + {{- printf "%s" (tpl .Values.auth.secretKeys.adminPasswordKey $) -}} + {{- end -}} +{{- else -}} + {{- "postgres-password" -}} +{{- end -}} +{{- end -}} + +{{/* +Get the user-password key. +*/}} +{{- define "postgresql.v1.userPasswordKey" -}} +{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}} + {{- if or (empty (include "postgresql.v1.username" .)) (eq (include "postgresql.v1.username" .) "postgres") -}} + {{- printf "%s" (include "postgresql.v1.adminPasswordKey" .) -}} + {{- else -}} + {{- if .Values.global.postgresql.auth.secretKeys.userPasswordKey -}} + {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.userPasswordKey $) -}} + {{- else if .Values.auth.secretKeys.userPasswordKey -}} + {{- printf "%s" (tpl .Values.auth.secretKeys.userPasswordKey $) -}} + {{- end -}} + {{- end -}} +{{- else -}} + {{- "password" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "postgresql.v1.createSecret" -}} +{{- $customUser := include "postgresql.v1.username" . -}} +{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword .Values.global.postgresql.auth.password .Values.auth.password) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) -}} +{{- if and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres")) (eq .Values.architecture "replication") (and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw))) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL service port +*/}} +{{- define "postgresql.v1.service.port" -}} +{{- if .Values.global.postgresql.service.ports.postgresql -}} + {{- .Values.global.postgresql.service.ports.postgresql -}} +{{- else -}} + {{- .Values.primary.service.ports.postgresql -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL service port +*/}} +{{- define "postgresql.v1.readReplica.service.port" -}} +{{- if .Values.global.postgresql.service.ports.postgresql -}} + {{- .Values.global.postgresql.service.ports.postgresql -}} +{{- else -}} + {{- .Values.readReplicas.service.ports.postgresql -}} +{{- end -}} +{{- end -}} + +{{/* +Get the PostgreSQL primary configuration ConfigMap name. +*/}} +{{- define "postgresql.v1.primary.configmapName" -}} +{{- if .Values.primary.existingConfigmap -}} + {{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-configuration" (include "postgresql.v1.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for PostgreSQL primary with the configuration +*/}} +{{- define "postgresql.v1.primary.createConfigmap" -}} +{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) -}} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Get the PostgreSQL primary extended configuration ConfigMap name. +*/}} +{{- define "postgresql.v1.primary.extendedConfigmapName" -}} +{{- if .Values.primary.existingExtendedConfigmap -}} + {{- printf "%s" (tpl .Values.primary.existingExtendedConfigmap $) -}} +{{- else -}} + {{- printf "%s-extended-configuration" (include "postgresql.v1.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the PostgreSQL read replica extended configuration ConfigMap name. +*/}} +{{- define "postgresql.v1.readReplicas.extendedConfigmapName" -}} + {{- printf "%s-extended-configuration" (include "postgresql.v1.readReplica.fullname" .) -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for PostgreSQL primary with the extended configuration +*/}} +{{- define "postgresql.v1.primary.createExtendedConfigmap" -}} +{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) -}} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for PostgreSQL read replica with the extended configuration +*/}} +{{- define "postgresql.v1.readReplicas.createExtendedConfigmap" -}} +{{- if .Values.readReplicas.extendedConfiguration -}} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* + Create the name of the service account to use + */}} +{{- define "postgresql.v1.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap should be mounted with PostgreSQL configuration +*/}} +{{- define "postgresql.v1.mountConfigurationCM" -}} +{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the pre-initialization scripts ConfigMap name. +*/}} +{{- define "postgresql.v1.preInitDb.scriptsCM" -}} +{{- if .Values.primary.preInitDb.scriptsConfigMap -}} + {{- printf "%s" (tpl .Values.primary.preInitDb.scriptsConfigMap $) -}} +{{- else -}} + {{- printf "%s-preinit-scripts" (include "postgresql.v1.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "postgresql.v1.initdb.scriptsCM" -}} +{{- if .Values.primary.initdb.scriptsConfigMap -}} + {{- printf "%s" (tpl .Values.primary.initdb.scriptsConfigMap $) -}} +{{- else -}} + {{- printf "%s-init-scripts" (include "postgresql.v1.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if TLS is enabled for LDAP connection +*/}} +{{- define "postgresql.v1.ldap.tls.enabled" -}} +{{- if and (kindIs "string" .Values.ldap.tls) (not (empty .Values.ldap.tls)) -}} + {{- true -}} +{{- else if and (kindIs "map" .Values.ldap.tls) .Values.ldap.tls.enabled -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the readiness probe command +*/}} +{{- define "postgresql.v1.readinessProbeCommand" -}} +{{- $customUser := include "postgresql.v1.username" . -}} +- | +{{- if (include "postgresql.v1.database" .) }} + exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} +{{- else }} + exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if .Values.tls.enabled }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} +{{- end }} +{{- if contains "bitnami/" .Values.image.repository }} + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] +{{- end }} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "postgresql.v1.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "postgresql.v1.validateValues.ldapConfigurationMethod" .) -}} +{{- $messages := append $messages (include "postgresql.v1.validateValues.psp" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap +*/}} +{{- define "postgresql.v1.validateValues.ldapConfigurationMethod" -}} +{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) -}} +postgresql: ldap.url, ldap.server + You cannot set both `ldap.url` and `ldap.server` at the same time. + Please provide a unique way to configure LDAP. + More info at https://www.postgresql.org/docs/current/auth-ldap.html +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If PSP is enabled RBAC should be enabled too +*/}} +{{- define "postgresql.v1.validateValues.psp" -}} +{{- if and .Values.psp.create (not .Values.rbac.create) -}} +postgresql: psp.create, rbac.create + RBAC should be enabled if PSP is enabled in order for PSP to work. + More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert file. +*/}} +{{- define "postgresql.v1.tlsCert" -}} +{{- if .Values.tls.autoGenerated -}} + {{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}} +{{- else -}} + {{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert key file. +*/}} +{{- define "postgresql.v1.tlsCertKey" -}} +{{- if .Values.tls.autoGenerated -}} + {{- printf "/opt/bitnami/postgresql/certs/tls.key" -}} +{{- else -}} +{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "postgresql.v1.tlsCACert" -}} +{{- if .Values.tls.autoGenerated -}} + {{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}} +{{- else -}} + {{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CRL file. +*/}} +{{- define "postgresql.v1.tlsCRL" -}} +{{- if .Values.tls.crlFilename -}} +{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS credentials secret object should be created +*/}} +{{- define "postgresql.v1.createTlsSecret" -}} +{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "postgresql.v1.tlsSecretName" -}} +{{- if .Values.tls.autoGenerated -}} + {{- printf "%s-crt" (include "common.names.fullname" .) -}} +{{- else -}} + {{ tpl (required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret) . }} +{{- end -}} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/backup/cronjob.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/backup/cronjob.yaml new file mode 100644 index 00000000..9689ac0d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/backup/cronjob.yaml @@ -0,0 +1,138 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.backup.enabled }} +{{- $customUser := include "postgresql.v1.username" . }} +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall + namespace: {{ .Release.Namespace | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: pg_dumpall + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.annotations .Values.commonAnnotations ) "context" . ) }} + {{- if $annotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + schedule: {{ quote .Values.backup.cronjob.schedule }} + {{- if .Values.backup.cronjob.timezone }} + timeZone: {{ .Values.backup.cronjob.timezone | quote }} + {{- end }} + concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }} + failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }} + successfulJobsHistoryLimit: {{ .Values.backup.cronjob.successfulJobsHistoryLimit }} + {{- if .Values.backup.cronjob.startingDeadlineSeconds }} + startingDeadlineSeconds: {{ .Values.backup.cronjob.startingDeadlineSeconds }} + {{- end }} + jobTemplate: + spec: + {{- if .Values.backup.cronjob.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ .Values.backup.cronjob.ttlSecondsAfterFinished }} + {{- end }} + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 12 }} + app.kubernetes.io/component: pg_dumpall + {{- if $annotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 12 }} + {{- end }} + spec: + {{- include "postgresql.v1.imagePullSecrets" . | nindent 10 }} + {{- if .Values.backup.cronjob.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.nodeSelector "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.backup.cronjob.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.tolerations "context" $) | nindent 12 }} + {{- end }} + containers: + - name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall + image: {{ include "postgresql.v1.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + env: + - name: PGUSER + {{- if .Values.auth.enablePostgresUser }} + value: postgres + {{- else }} + value: {{ $customUser | quote }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: PGPASSFILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }} + {{- else }} + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.v1.secretName" . }} + key: {{ include "postgresql.v1.adminPasswordKey" . }} + {{- end }} + - name: PGHOST + value: {{ include "postgresql.v1.primary.fullname" . }} + - name: PGPORT + value: {{ include "postgresql.v1.service.port" . | quote }} + - name: PGDUMP_DIR + value: {{ .Values.backup.cronjob.storage.mountPath }} + {{- if .Values.tls.enabled }} + - name: PGSSLROOTCERT + {{- if .Values.tls.autoGenerated }} + value: /tmp/certs/ca.crt + {{- else }} + value: {{ printf "/tmp/certs/%s" .Values.tls.certCAFilename }} + {{- end }} + {{- end }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + {{- end }} + {{- if .Values.backup.cronjob.storage.enabled }} + - name: datadir + mountPath: {{ .Values.backup.cronjob.storage.mountPath }} + subPath: {{ .Values.backup.cronjob.storage.subPath }} + {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.backup.cronjob.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.extraVolumeMounts "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.backup.cronjob.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.backup.cronjob.containerSecurityContext "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.backup.cronjob.resources }} + resources: {{- toYaml .Values.backup.cronjob.resources | nindent 14 }} + {{- else if ne .Values.backup.cronjob.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.backup.cronjob.resourcesPreset) | nindent 14 }} + {{- end }} + restartPolicy: {{ .Values.backup.cronjob.restartPolicy }} + {{- if .Values.backup.cronjob.podSecurityContext.enabled }} + securityContext: + fsGroup: {{ .Values.backup.cronjob.podSecurityContext.fsGroup }} + {{- end }} + volumes: + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ include "postgresql.v1.tlsSecretName" . }} + {{- end }} + {{- if .Values.backup.cronjob.storage.enabled }} + {{- if .Values.backup.cronjob.storage.existingClaim }} + - name: datadir + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.backup.cronjob.storage.existingClaim .) }} + {{- else }} + - name: datadir + persistentVolumeClaim: + claimName: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall + {{- end }} + {{- end }} + - name: empty-dir + emptyDir: {} + {{- if .Values.backup.cronjob.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.extraVolumes "context" $ ) | nindent 12 }} + {{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/backup/networkpolicy.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/backup/networkpolicy.yaml new file mode 100644 index 00000000..21e1add8 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/backup/networkpolicy.yaml @@ -0,0 +1,32 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.backup.enabled .Values.backup.cronjob.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: pg_dumpall + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: pg_dumpall + policyTypes: + - Egress + egress: + - ports: + - port: 5432 + protocol: TCP + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/backup/pvc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/backup/pvc.yaml new file mode 100644 index 00000000..84a7c600 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/backup/pvc.yaml @@ -0,0 +1,34 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.backup.enabled .Values.backup.cronjob.storage.enabled (not .Values.backup.cronjob.storage.existingClaim) -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall + namespace: {{ .Release.Namespace | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: pg_dumpall + {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations .Values.backup.cronjob.storage.resourcePolicy }} + annotations: + {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.annotations .Values.commonAnnotations ) "context" . ) }} + {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.backup.cronjob.storage.resourcePolicy }} + helm.sh/resource-policy: {{ .Values.backup.cronjob.storage.resourcePolicy | quote }} + {{- end }} + {{- end }} +spec: + accessModes: + {{- range .Values.backup.cronjob.storage.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.backup.cronjob.storage.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.backup.cronjob.storage "global" .Values.global) }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/extra-list.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/extra-list.yaml new file mode 100644 index 00000000..329f5c65 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/extra-list.yaml @@ -0,0 +1,9 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/configmap.yaml new file mode 100644 index 00000000..48376a10 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/configmap.yaml @@ -0,0 +1,26 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "postgresql.v1.primary.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-configuration" (include "postgresql.v1.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- if .Values.primary.configuration }} + postgresql.conf: | + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.pgHbaConfiguration }} + pg_hba.conf: | + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.pgHbaConfiguration "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/extended-configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/extended-configmap.yaml new file mode 100644 index 00000000..d9644fcd --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/extended-configmap.yaml @@ -0,0 +1,20 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "postgresql.v1.primary.createExtendedConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-extended-configuration" (include "postgresql.v1.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + override.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extendedConfiguration "context" $ ) | nindent 4 }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/initialization-configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/initialization-configmap.yaml new file mode 100644 index 00000000..739fe473 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/initialization-configmap.yaml @@ -0,0 +1,17 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.primary.initdb.scripts (not .Values.primary.initdb.scriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-init-scripts" (include "postgresql.v1.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.initdb.scripts "context" .) | nindent 2 }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/metrics-configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/metrics-configmap.yaml new file mode 100644 index 00000000..9e9e644e --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/metrics-configmap.yaml @@ -0,0 +1,18 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/metrics-svc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/metrics-svc.yaml new file mode 100644 index 00000000..581d5fe6 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/metrics-svc.yaml @@ -0,0 +1,31 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if or .Values.commonAnnotations .Values.metrics.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + sessionAffinity: {{ .Values.metrics.service.sessionAffinity }} + {{- if .Values.metrics.service.clusterIP }} + clusterIP: {{ .Values.metrics.service.clusterIP }} + {{- end }} + ports: + - name: http-metrics + port: {{ .Values.metrics.service.ports.metrics }} + targetPort: http-metrics + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: primary +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/networkpolicy.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/networkpolicy.yaml new file mode 100644 index 00000000..6e5e28f9 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/networkpolicy.yaml @@ -0,0 +1,78 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.primary.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "postgresql.v1.primary.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: primary + policyTypes: + - Ingress + - Egress + {{- if .Values.primary.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to read-replicas + - ports: + - port: {{ .Values.containerPorts.postgresql }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: read + {{- if .Values.primary.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if not .Values.primary.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "postgresql.v1.primary.fullname" . }}-client: "true" + {{- if .Values.primary.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.primary.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.primary.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.primary.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.primary.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/pdb.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/pdb.yaml new file mode 100644 index 00000000..ca6cacaa --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/pdb.yaml @@ -0,0 +1,29 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.primary.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "postgresql.v1.primary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.primary.pdb.minAvailable }} + minAvailable: {{ .Values.primary.pdb.minAvailable }} + {{- end }} + {{- if or .Values.primary.pdb.maxUnavailable ( not .Values.primary.pdb.minAvailable ) }} + maxUnavailable: {{ .Values.primary.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: primary +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/preinitialization-configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/preinitialization-configmap.yaml new file mode 100644 index 00000000..65606a4e --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/preinitialization-configmap.yaml @@ -0,0 +1,17 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.primary.preInitDb.scripts (not .Values.primary.preInitDb.scriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-preinit-scripts" (include "postgresql.v1.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.preInitDb.scripts "context" .) | nindent 2 }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/servicemonitor.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/servicemonitor.yaml new file mode 100644 index 00000000..22a0ce7a --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/servicemonitor.yaml @@ -0,0 +1,46 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "postgresql.v1.primary.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + selector: + {{- $svcLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.selector .Values.commonLabels ) "context" . ) }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $svcLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: metrics + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace | quote }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/statefulset.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/statefulset.yaml new file mode 100644 index 00000000..c03c0cc7 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/statefulset.yaml @@ -0,0 +1,702 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $customUser := include "postgresql.v1.username" . }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "postgresql.v1.primary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: primary + {{- if or .Values.commonAnnotations .Values.primary.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + replicas: 1 + serviceName: {{ include "postgresql.v1.primary.svc.headless" . }} + {{- if .Values.primary.updateStrategy }} + updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: primary + template: + metadata: + name: {{ include "postgresql.v1.primary.fullname" . }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: primary + {{- if or (include "postgresql.v1.primary.createConfigmap" .) (include "postgresql.v1.primary.createExtendedConfigmap" .) .Values.primary.podAnnotations }} + annotations: + {{- if (include "postgresql.v1.primary.createConfigmap" .) }} + checksum/configuration: {{ pick (include (print $.Template.BasePath "/primary/configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }} + {{- end }} + {{- if (include "postgresql.v1.primary.createExtendedConfigmap" .) }} + checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }} + {{- end }} + {{- if .Values.primary.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.primary.extraPodSpec }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }} + {{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.primary.automountServiceAccountToken }} + {{- if .Values.primary.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.primary.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.primary.priorityClassName }} + priorityClassName: {{ .Values.primary.priorityClassName }} + {{- end }} + {{- if .Values.primary.schedulerName }} + schedulerName: {{ .Values.primary.schedulerName | quote }} + {{- end }} + {{- if .Values.primary.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.primary.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + hostNetwork: {{ .Values.primary.hostNetwork }} + hostIPC: {{ .Values.primary.hostIPC }} + {{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled)) .Values.primary.initContainers }} + initContainers: + {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} + - name: copy-certs + image: {{ include "postgresql.v1.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.primary.resources }} + resources: {{- toYaml .Values.primary.resources | nindent 12 }} + {{- else if ne .Values.primary.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }} + {{- end }} + # We don't require a privileged container in this case + {{- if .Values.primary.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + chmod 600 {{ include "postgresql.v1.tlsCertKey" . }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- else if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled) }} + - name: init-chmod-data + image: {{ include "postgresql.v1.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + {{- if .Values.primary.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.primary.persistence.mountPath }} + {{- else }} + chown {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} {{ .Values.primary.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }} + find {{ .Values.primary.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.v1.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + xargs -r chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs -r chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ include "postgresql.v1.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: {{ .Values.primary.persistence.volumeName }} + mountPath: {{ .Values.primary.persistence.mountPath }} + {{- if .Values.primary.persistence.subPath }} + subPath: {{ .Values.primary.persistence.subPath }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.primary.initContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.initContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + containers: + - name: postgresql + image: {{ include "postgresql.v1.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.primary.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.primary.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.primary.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: {{ .Values.containerPorts.postgresql | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: {{ .Values.primary.persistence.mountPath | quote }} + {{- if .Values.primary.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + # Authentication + {{- if or (eq $customUser "postgres") (empty $customUser) }} + {{- if .Values.auth.enablePostgresUser }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }} + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.v1.secretName" . }} + key: {{ include "postgresql.v1.adminPasswordKey" . }} + {{- end }} + {{- else }} + - name: ALLOW_EMPTY_PASSWORD + value: "true" + {{- end }} + {{- else }} + - name: POSTGRES_USER + value: {{ $customUser | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }} + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.v1.secretName" . }} + key: {{ include "postgresql.v1.userPasswordKey" . }} + {{- end }} + {{- if .Values.auth.enablePostgresUser }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }} + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.v1.secretName" . }} + key: {{ include "postgresql.v1.adminPasswordKey" . }} + {{- end }} + {{- end }} + {{- end }} + {{- if (include "postgresql.v1.database" .) }} + - name: POSTGRES_DATABASE + value: {{ (include "postgresql.v1.database" .) | quote }} + {{- end }} + {{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }} + # Replication + - name: POSTGRES_REPLICATION_MODE + value: {{ ternary "slave" "master" .Values.primary.standby.enabled | quote }} + - name: POSTGRES_REPLICATION_USER + value: {{ .Values.auth.replicationUsername | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.replicationPasswordKey" .) }} + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.v1.secretName" . }} + key: {{ include "postgresql.v1.replicationPasswordKey" . }} + {{- end }} + {{- if ne .Values.replication.synchronousCommit "off" }} + - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE + value: {{ .Values.replication.synchronousCommit | quote }} + - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS + value: {{ .Values.replication.numSynchronousReplicas | quote }} + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + {{- end }} + {{- if .Values.primary.initdb.args }} + # Initdb + - name: POSTGRES_INITDB_ARGS + value: {{ .Values.primary.initdb.args | quote }} + {{- end }} + {{- if .Values.primary.initdb.postgresqlWalDir }} + - name: POSTGRES_INITDB_WALDIR + value: {{ .Values.primary.initdb.postgresqlWalDir | quote }} + {{- end }} + {{- if .Values.primary.initdb.user }} + - name: POSTGRES_INITSCRIPTS_USERNAME + value: {{ .Values.primary.initdb.user }} + {{- end }} + {{- if .Values.primary.initdb.password }} + - name: POSTGRES_INITSCRIPTS_PASSWORD + value: {{ .Values.primary.initdb.password | quote }} + {{- end }} + {{- if .Values.primary.standby.enabled }} + # Standby + - name: POSTGRES_MASTER_HOST + value: {{ .Values.primary.standby.primaryHost }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ .Values.primary.standby.primaryPort | quote }} + {{- end }} + # LDAP + - name: POSTGRESQL_ENABLE_LDAP + value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }} + {{- if .Values.ldap.enabled }} + {{- if or .Values.ldap.url .Values.ldap.uri }} + - name: POSTGRESQL_LDAP_URL + value: {{ coalesce .Values.ldap.url .Values.ldap.uri }} + {{- else }} + - name: POSTGRESQL_LDAP_SERVER + value: {{ .Values.ldap.server }} + - name: POSTGRESQL_LDAP_PORT + value: {{ .Values.ldap.port | quote }} + - name: POSTGRESQL_LDAP_SCHEME + value: {{ .Values.ldap.scheme }} + {{- if (include "postgresql.v1.ldap.tls.enabled" .) }} + - name: POSTGRESQL_LDAP_TLS + value: "1" + {{- end }} + - name: POSTGRESQL_LDAP_PREFIX + value: {{ .Values.ldap.prefix | quote }} + - name: POSTGRESQL_LDAP_SUFFIX + value: {{ .Values.ldap.suffix | quote }} + - name: POSTGRESQL_LDAP_BASE_DN + value: {{ coalesce .Values.ldap.baseDN .Values.ldap.basedn }} + - name: POSTGRESQL_LDAP_BIND_DN + value: {{ coalesce .Values.ldap.bindDN .Values.ldap.binddn}} + {{- if or (not (empty .Values.ldap.bind_password)) (not (empty .Values.ldap.bindpw)) }} + - name: POSTGRESQL_LDAP_BIND_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.v1.secretName" . }} + key: ldap-password + {{- end }} + - name: POSTGRESQL_LDAP_SEARCH_ATTR + value: {{ coalesce .Values.ldap.search_attr .Values.ldap.searchAttribute }} + - name: POSTGRESQL_LDAP_SEARCH_FILTER + value: {{ coalesce .Values.ldap.search_filter .Values.ldap.searchFilter }} + {{- end }} + {{- end }} + # TLS + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ include "postgresql.v1.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ include "postgresql.v1.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ include "postgresql.v1.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ include "postgresql.v1.tlsCRL" . }} + {{- end }} + {{- end }} + # Audit + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + # Others + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.primary.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }} + envFrom: + {{- if .Values.primary.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.primary.extraEnvVarsCM }} + {{- end }} + {{- if .Values.primary.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.primary.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ .Values.containerPorts.postgresql }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.primary.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.primary.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.v1.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- end }} + {{- if .Values.primary.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.primary.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.v1.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- end }} + {{- if .Values.primary.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.primary.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.v1.readinessProbeCommand" . | nindent 16 }} + {{- end }} + {{- end }} + {{- if .Values.primary.resources }} + resources: {{- toYaml .Values.primary.resources | nindent 12 }} + {{- else if ne .Values.primary.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.primary.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/tmp + subPath: app-tmp-dir + {{- if or .Values.primary.preInitDb.scriptsConfigMap .Values.primary.preInitDb.scripts }} + - name: custom-preinit-scripts + mountPath: /docker-entrypoint-preinitdb.d/ + {{- end }} + {{- if .Values.primary.preInitDb.scriptsSecret }} + - name: custom-preinit-scripts-secret + mountPath: /docker-entrypoint-preinitdb.d/secret + {{- end }} + {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d/ + {{- end }} + {{- if .Values.primary.initdb.scriptsSecret }} + - name: custom-init-scripts-secret + mountPath: /docker-entrypoint-initdb.d/secret + {{- end }} + {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }} + - name: postgresql-extended-config + mountPath: {{ .Values.primary.persistence.mountPath }}/conf/conf.d/ + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + - name: {{ .Values.primary.persistence.volumeName }} + mountPath: {{ .Values.primary.persistence.mountPath }} + {{- if .Values.primary.persistence.subPath }} + subPath: {{ .Values.primary.persistence.subPath }} + {{- end }} + {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} + - name: postgresql-config + mountPath: {{ .Values.primary.persistence.mountPath }}/conf + {{- end }} + {{- if .Values.primary.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "postgresql.v1.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if or .Values.metrics.customMetrics .Values.metrics.collectors }} + args: + {{- if .Values.metrics.customMetrics }} + - --extend.query-path + - /conf/custom-metrics.yaml + {{- end }} + {{- range $name, $enabled := .Values.metrics.collectors }} + - --{{ if not $enabled }}no-{{ end }}collector.{{ $name }} + {{- end }} + {{- end }} + env: + - name: DATA_SOURCE_URI + value: {{ printf "127.0.0.1:%d/postgres?sslmode=disable" (int (include "postgresql.v1.service.port" .)) }} + {{- if .Values.auth.usePasswordFiles }} + - name: DATA_SOURCE_PASS_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }} + {{- else }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: {{ include "postgresql.v1.secretName" . }} + key: {{ include "postgresql.v1.adminPasswordKey" . }} + {{- end }} + - name: DATA_SOURCE_USER + value: "postgres" + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + ports: + - name: http-metrics + containerPort: {{ .Values.metrics.containerPorts.metrics }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: http-metrics + {{- end }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.metrics.customMetrics }} + - name: custom-metrics + mountPath: /conf + readOnly: true + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.primary.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} + - name: postgresql-config + configMap: + name: {{ include "postgresql.v1.primary.configmapName" . }} + {{- end }} + {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }} + - name: postgresql-extended-config + configMap: + name: {{ include "postgresql.v1.primary.extendedConfigmapName" . }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + secret: + secretName: {{ include "postgresql.v1.secretName" . }} + {{- end }} + {{- if or .Values.primary.preInitDb.scriptsConfigMap .Values.primary.preInitDb.scripts }} + - name: custom-preinit-scripts + configMap: + name: {{ include "postgresql.v1.preInitDb.scriptsCM" . }} + {{- end }} + {{- if .Values.primary.preInitDb.scriptsSecret }} + - name: custom-preinit-scripts-secret + secret: + secretName: {{ tpl .Values.primary.preInitDb.scriptsSecret $ }} + {{- end }} + {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} + - name: custom-init-scripts + configMap: + name: {{ include "postgresql.v1.initdb.scriptsCM" . }} + {{- end }} + {{- if .Values.primary.initdb.scriptsSecret }} + - name: custom-init-scripts-secret + secret: + secretName: {{ tpl .Values.primary.initdb.scriptsSecret $ }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ include "postgresql.v1.tlsSecretName" . }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if .Values.primary.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} + - name: custom-metrics + configMap: + name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + {{- if .Values.shmVolume.sizeLimit }} + sizeLimit: {{ .Values.shmVolume.sizeLimit }} + {{- end }} + {{- end }} + {{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }} + - name: {{ .Values.primary.persistence.volumeName }} + persistentVolumeClaim: + claimName: {{ tpl .Values.primary.persistence.existingClaim $ }} + {{- else if not .Values.primary.persistence.enabled }} + - name: {{ .Values.primary.persistence.volumeName }} + emptyDir: {} + {{- else }} + {{- if .Values.primary.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: {{ .Values.primary.persistence.volumeName }} + {{- if .Values.primary.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.primary.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.labels "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.primary.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- if .Values.primary.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + resources: + requests: + storage: {{ .Values.primary.persistence.size | quote }} + {{- if .Values.primary.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/svc-headless.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/svc-headless.yaml new file mode 100644 index 00000000..ba918f4f --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/svc-headless.yaml @@ -0,0 +1,31 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.v1.primary.svc.headless" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: primary + annotations: + {{- if or .Values.primary.service.headless.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} + {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + - name: tcp-postgresql + port: {{ template "postgresql.v1.service.port" . }} + targetPort: tcp-postgresql + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: primary diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/svc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/svc.yaml new file mode 100644 index 00000000..62fe7d40 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/primary/svc.yaml @@ -0,0 +1,54 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.v1.primary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: primary + {{- if or .Values.commonAnnotations .Values.primary.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.primary.service.type }} + {{- if or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges | toJson}} + {{- end }} + {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerClass)) }} + loadBalancerClass: {{ .Values.primary.service.loadBalancerClass }} + {{- end }} + {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }} + {{- end }} + {{- if and .Values.primary.service.clusterIP (eq .Values.primary.service.type "ClusterIP") }} + clusterIP: {{ .Values.primary.service.clusterIP }} + {{- end }} + {{- if .Values.primary.service.sessionAffinity }} + sessionAffinity: {{ .Values.primary.service.sessionAffinity }} + {{- end }} + {{- if .Values.primary.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ template "postgresql.v1.service.port" . }} + targetPort: tcp-postgresql + {{- if and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (not (empty .Values.primary.service.nodePorts.postgresql)) }} + nodePort: {{ .Values.primary.service.nodePorts.postgresql }} + {{- else if eq .Values.primary.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.primary.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: primary diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/prometheusrule.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/prometheusrule.yaml new file mode 100644 index 00000000..b6d17bad --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/prometheusrule.yaml @@ -0,0 +1,22 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.prometheusRule.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + groups: + - name: {{ include "common.names.fullname" . }} + rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/psp.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/psp.yaml new file mode 100644 index 00000000..b5220026 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/psp.yaml @@ -0,0 +1,42 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "common.capabilities.psp.supported" .) .Values.psp.create }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + privileged: false + volumes: + - 'configMap' + - 'secret' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'projected' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/extended-configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/extended-configmap.yaml new file mode 100644 index 00000000..d4db2ae2 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/extended-configmap.yaml @@ -0,0 +1,20 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-extended-configuration" (include "postgresql.v1.readReplica.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: read + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + override.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extendedConfiguration "context" $ ) | nindent 4 }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/metrics-configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/metrics-configmap.yaml new file mode 100644 index 00000000..ca019c91 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/metrics-configmap.yaml @@ -0,0 +1,18 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.customMetrics (eq .Values.architecture "replication") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/metrics-svc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/metrics-svc.yaml new file mode 100644 index 00000000..cdb2647b --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/metrics-svc.yaml @@ -0,0 +1,31 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled (eq .Values.architecture "replication") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics-read + {{- if or .Values.commonAnnotations .Values.metrics.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + sessionAffinity: {{ .Values.metrics.service.sessionAffinity }} + {{- if .Values.metrics.service.clusterIP }} + clusterIP: {{ .Values.metrics.service.clusterIP }} + {{- end }} + ports: + - name: http-metrics + port: {{ .Values.metrics.service.ports.metrics }} + targetPort: http-metrics + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: read +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/networkpolicy.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/networkpolicy.yaml new file mode 100644 index 00000000..9c730d83 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/networkpolicy.yaml @@ -0,0 +1,80 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replication" }} +{{- if .Values.readReplicas.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "postgresql.v1.readReplica.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: read + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: read + policyTypes: + - Ingress + - Egress + {{- if .Values.readReplicas.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to primary + - ports: + - port: {{ .Values.containerPorts.postgresql }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: primary + {{- if .Values.readReplicas.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if not .Values.readReplicas.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "postgresql.v1.readReplica.fullname" . }}-client: "true" + {{- if .Values.readReplicas.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/pdb.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/pdb.yaml new file mode 100644 index 00000000..1d25b68b --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/pdb.yaml @@ -0,0 +1,29 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and ( eq .Values.architecture "replication" ) .Values.readReplicas.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "postgresql.v1.readReplica.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: read + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.readReplicas.pdb.minAvailable }} + minAvailable: {{ .Values.readReplicas.pdb.minAvailable }} + {{- end }} + {{- if or .Values.readReplicas.pdb.maxUnavailable ( not .Values.readReplicas.pdb.minAvailable ) }} + maxUnavailable: {{ .Values.readReplicas.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: read +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/servicemonitor.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/servicemonitor.yaml new file mode 100644 index 00000000..2b635592 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/servicemonitor.yaml @@ -0,0 +1,46 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled (eq .Values.architecture "replication") }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "postgresql.v1.readReplica.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics-read + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + selector: + {{- $svcLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.selector .Values.commonLabels ) "context" . ) }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $svcLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: metrics-read + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace | quote }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/statefulset.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/statefulset.yaml new file mode 100644 index 00000000..4f537e60 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/statefulset.yaml @@ -0,0 +1,578 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replication" }} +{{- $customUser := include "postgresql.v1.username" . }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "postgresql.v1.readReplica.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: read + {{- if or .Values.commonAnnotations .Values.readReplicas.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.readReplicas.replicaCount }} + serviceName: {{ include "postgresql.v1.readReplica.svc.headless" . }} + {{- if .Values.readReplicas.updateStrategy }} + updateStrategy: {{- toYaml .Values.readReplicas.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: read + template: + metadata: + name: {{ include "postgresql.v1.readReplica.fullname" . }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: read + {{- if or (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) .Values.readReplicas.podAnnotations }} + annotations: + {{- if (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) }} + checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }} + {{- end }} + {{- if .Values.readReplicas.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.readReplicas.extraPodSpec }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }} + {{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.readReplicas.automountServiceAccountToken }} + {{- if .Values.readReplicas.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.readReplicas.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.priorityClassName }} + priorityClassName: {{ .Values.readReplicas.priorityClassName }} + {{- end }} + {{- if .Values.readReplicas.schedulerName }} + schedulerName: {{ .Values.readReplicas.schedulerName | quote }} + {{- end }} + {{- if .Values.readReplicas.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.readReplicas.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + hostNetwork: {{ .Values.readReplicas.hostNetwork }} + hostIPC: {{ .Values.readReplicas.hostIPC }} + {{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled)) .Values.readReplicas.initContainers }} + initContainers: + {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} + - name: copy-certs + image: {{ include "postgresql.v1.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.readReplicas.resources }} + resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- else if ne .Values.readReplicas.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }} + {{- end }} + # We don't require a privileged container in this case + {{- if .Values.readReplicas.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + chmod 600 {{ include "postgresql.v1.tlsCertKey" . }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- else if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled) }} + - name: init-chmod-data + image: {{ include "postgresql.v1.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.readReplicas.resources }} + resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- else if ne .Values.readReplicas.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + {{- if .Values.readReplicas.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.readReplicas.persistence.mountPath }} + {{- else }} + chown {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} {{ .Values.readReplicas.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }} + find {{ .Values.readReplicas.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.v1.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + xargs -r chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs -r chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ include "postgresql.v1.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: data + mountPath: {{ .Values.readReplicas.persistence.mountPath }} + {{- if .Values.readReplicas.persistence.subPath }} + subPath: {{ .Values.readReplicas.persistence.subPath }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.readReplicas.initContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.initContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + containers: + - name: postgresql + image: {{ include "postgresql.v1.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.readReplicas.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: {{ .Values.containerPorts.postgresql | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: {{ .Values.readReplicas.persistence.mountPath | quote }} + {{- if .Values.readReplicas.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + # Authentication + {{- if or (eq $customUser "postgres") (empty $customUser) }} + {{- if .Values.auth.enablePostgresUser }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }} + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.v1.secretName" . }} + key: {{ include "postgresql.v1.adminPasswordKey" . }} + {{- end }} + {{- else }} + - name: ALLOW_EMPTY_PASSWORD + value: "true" + {{- end }} + {{- else }} + - name: POSTGRES_USER + value: {{ $customUser | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }} + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.v1.secretName" . }} + key: {{ include "postgresql.v1.userPasswordKey" . }} + {{- end }} + {{- if .Values.auth.enablePostgresUser }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }} + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.v1.secretName" . }} + key: {{ include "postgresql.v1.adminPasswordKey" . }} + {{- end }} + {{- end }} + {{- end }} + # Replication + - name: POSTGRES_REPLICATION_MODE + value: "slave" + - name: POSTGRES_REPLICATION_USER + value: {{ .Values.auth.replicationUsername | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.replicationPasswordKey" .) }} + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.v1.secretName" . }} + key: {{ include "postgresql.v1.replicationPasswordKey" . }} + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + - name: POSTGRES_MASTER_HOST + value: {{ include "postgresql.v1.primary.fullname" . }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ include "postgresql.v1.service.port" . | quote }} + # TLS + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ include "postgresql.v1.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ include "postgresql.v1.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ include "postgresql.v1.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ include "postgresql.v1.tlsCRL" . }} + {{- end }} + {{- end }} + # Audit + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + # Others + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.readReplicas.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.readReplicas.extraEnvVarsCM .Values.readReplicas.extraEnvVarsSecret }} + envFrom: + {{- if .Values.readReplicas.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.readReplicas.extraEnvVarsCM }} + {{- end }} + {{- if .Values.readReplicas.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.readReplicas.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ .Values.containerPorts.postgresql }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.readReplicas.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.v1.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser| quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.v1.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.v1.readinessProbeCommand" . | nindent 16 }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.resources }} + resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- else if ne .Values.readReplicas.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.readReplicas.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/postgresql/tmp + subPath: app-tmp-dir + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.readReplicas.extendedConfiguration }} + - name: postgresql-extended-config + mountPath: {{ .Values.readReplicas.persistence.mountPath }}/conf/conf.d/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + - name: data + mountPath: {{ .Values.readReplicas.persistence.mountPath }} + {{- if .Values.readReplicas.persistence.subPath }} + subPath: {{ .Values.readReplicas.persistence.subPath }} + {{- end }} + {{- if .Values.readReplicas.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "postgresql.v1.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.customMetrics }} + args: [ "--extend.query-path", "/conf/custom-metrics.yaml" ] + {{- end }} + env: + - name: DATA_SOURCE_URI + value: {{ printf "127.0.0.1:%d/postgres?sslmode=disable" (int (include "postgresql.v1.service.port" .)) }} + {{- if .Values.auth.usePasswordFiles }} + - name: DATA_SOURCE_PASS_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }} + {{- else }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: {{ include "postgresql.v1.secretName" . }} + key: {{ include "postgresql.v1.userPasswordKey" . }} + {{- end }} + - name: DATA_SOURCE_USER + value: {{ default "postgres" $customUser | quote }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + ports: + - name: http-metrics + containerPort: {{ .Values.metrics.containerPorts.metrics }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: http-metrics + {{- end }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.metrics.customMetrics }} + - name: custom-metrics + mountPath: /conf + readOnly: true + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }} + {{- end }} + volumes: + {{- if .Values.readReplicas.extendedConfiguration }} + - name: postgresql-extended-config + configMap: + name: {{ include "postgresql.v1.readReplicas.extendedConfigmapName" . }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + secret: + secretName: {{ include "postgresql.v1.secretName" . }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ include "postgresql.v1.tlsSecretName" . }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} + - name: custom-metrics + configMap: + name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + {{- if .Values.shmVolume.sizeLimit }} + sizeLimit: {{ .Values.shmVolume.sizeLimit }} + {{- end }} + {{- end }} + - name: empty-dir + emptyDir: {} + {{- if .Values.readReplicas.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.readReplicas.persistence.enabled .Values.readReplicas.persistence.existingClaim }} + - name: data + persistentVolumeClaim: + claimName: {{ tpl .Values.readReplicas.persistence.existingClaim $ }} + {{- else if not .Values.readReplicas.persistence.enabled }} + - name: data + emptyDir: {} + {{- else }} + {{- if .Values.readReplicas.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: data + {{- if .Values.readReplicas.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.readReplicas.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.labels "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.readReplicas.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- if .Values.readReplicas.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + resources: + requests: + storage: {{ .Values.readReplicas.persistence.size | quote }} + {{- if .Values.readReplicas.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.selector "context" $) | nindent 10 }} + {{- end -}} + {{- include "common.storage.class" (dict "persistence" .Values.readReplicas.persistence "global" .Values.global) | nindent 8 }} + {{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/svc-headless.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/svc-headless.yaml new file mode 100644 index 00000000..ef44601e --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/svc-headless.yaml @@ -0,0 +1,33 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replication" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.v1.readReplica.svc.headless" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: read + annotations: + {{- if or .Values.readReplicas.service.headless.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} + {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + - name: tcp-postgresql + port: {{ include "postgresql.v1.readReplica.service.port" . }} + targetPort: tcp-postgresql + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: read +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/svc.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/svc.yaml new file mode 100644 index 00000000..d230acb6 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/read/svc.yaml @@ -0,0 +1,56 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replication" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.v1.readReplica.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: read + {{- if or .Values.commonAnnotations .Values.readReplicas.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.readReplicas.service.type }} + {{- if or (eq .Values.readReplicas.service.type "LoadBalancer") (eq .Values.readReplicas.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.readReplicas.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.readReplicas.service.loadBalancerSourceRanges }} + {{- end }} + {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerClass)) }} + loadBalancerClass: {{ .Values.readReplicas.service.loadBalancerClass }} + {{- end }} + {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.readReplicas.service.loadBalancerIP }} + {{- end }} + {{- if and .Values.readReplicas.service.clusterIP (eq .Values.readReplicas.service.type "ClusterIP") }} + clusterIP: {{ .Values.readReplicas.service.clusterIP }} + {{- end }} + {{- if .Values.readReplicas.service.sessionAffinity }} + sessionAffinity: {{ .Values.readReplicas.service.sessionAffinity }} + {{- end }} + {{- if .Values.readReplicas.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ include "postgresql.v1.readReplica.service.port" . }} + targetPort: tcp-postgresql + {{- if and (or (eq .Values.readReplicas.service.type "NodePort") (eq .Values.readReplicas.service.type "LoadBalancer")) (not (empty .Values.readReplicas.service.nodePorts.postgresql)) }} + nodePort: {{ .Values.readReplicas.service.nodePorts.postgresql }} + {{- else if eq .Values.readReplicas.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.readReplicas.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: read +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/role.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/role.yaml new file mode 100644 index 00000000..12cd2120 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/role.yaml @@ -0,0 +1,32 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.rbac.create }} +kind: Role +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +# yamllint disable rule:indentation +rules: + {{- if and (include "common.capabilities.psp.supported" .) .Values.psp.create }} + - apiGroups: + - 'policy' + resources: + - 'podsecuritypolicies' + verbs: + - 'use' + resourceNames: + - {{ include "common.names.fullname" . }} + {{- end }} + {{- if .Values.rbac.rules }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} + {{- end }} +# yamllint enable rule:indentation +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/rolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/rolebinding.yaml new file mode 100644 index 00000000..2ee30a44 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/rolebinding.yaml @@ -0,0 +1,24 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + kind: Role + name: {{ include "common.names.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ include "postgresql.v1.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/secrets.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/secrets.yaml new file mode 100644 index 00000000..2fcf64c8 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/secrets.yaml @@ -0,0 +1,99 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- $host := include "postgresql.v1.primary.fullname" . }} +{{- $port := include "postgresql.v1.service.port" . }} +{{- $customUser := include "postgresql.v1.username" . }} +{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.adminPasswordKey .Values.auth.secretKeys.adminPasswordKey) "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.password .Values.auth.password .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) | trimAll "\"" | b64dec }} +{{- if and (not $postgresPassword) .Values.auth.enablePostgresUser }} +{{- $postgresPassword = randAlphaNum 10 }} +{{- end }} +{{- $replicationPassword := "" }} +{{- if eq .Values.architecture "replication" }} +{{- $replicationPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.replicationPasswordKey .Values.auth.secretKeys.replicationPasswordKey) "providedValues" (list "auth.replicationPassword") "context" $) | trimAll "\"" | b64dec }} +{{- end }} +{{- $ldapPassword := "" }} +{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }} +{{- $ldapPassword = coalesce .Values.ldap.bind_password .Values.ldap.bindpw }} +{{- end }} +{{- $password := "" }} +{{- if and (not (empty $customUser)) (ne $customUser "postgres") }} +{{- $password = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.userPasswordKey .Values.auth.secretKeys.userPasswordKey) "providedValues" (list "global.postgresql.auth.password" "auth.password") "context" $) | trimAll "\"" | b64dec }} +{{- end }} +{{- $database := include "postgresql.v1.database" . }} +{{- if (include "postgresql.v1.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if $postgresPassword }} + postgres-password: {{ $postgresPassword | b64enc | quote }} + {{- end }} + {{- if $password }} + password: {{ $password | b64enc | quote }} + {{- end }} + {{- if $replicationPassword }} + replication-password: {{ $replicationPassword | b64enc | quote }} + {{- end }} + # We don't auto-generate LDAP password when it's not provided as we do for other passwords + {{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }} + ldap-password: {{ $ldapPassword | b64enc | quote }} + {{- end }} +{{- end }} +{{- if .Values.serviceBindings.enabled }} +{{- if $postgresPassword }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-svcbind-postgres + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: servicebinding.io/postgresql +data: + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "postgresql" | b64enc | quote }} + host: {{ $host | b64enc | quote }} + port: {{ $port | b64enc | quote }} + username: {{ print "postgres" | b64enc | quote }} + database: {{ print "postgres" | b64enc | quote }} + password: {{ $postgresPassword | b64enc | quote }} + uri: {{ printf "postgresql://postgres:%s@%s:%s/postgres" $postgresPassword $host $port | b64enc | quote }} +{{- end }} +{{- if $password }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-svcbind-custom-user + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: servicebinding.io/postgresql +data: + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "postgresql" | b64enc | quote }} + host: {{ $host | b64enc | quote }} + port: {{ $port | b64enc | quote }} + username: {{ $customUser | b64enc | quote }} + password: {{ $password | b64enc | quote }} + {{- if $database }} + database: {{ $database | b64enc | quote }} + {{- end }} + uri: {{ printf "postgresql://%s:%s@%s:%s/%s" $customUser $password $host $port $database | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/serviceaccount.yaml new file mode 100644 index 00000000..93efa64c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "postgresql.v1.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/tls-secrets.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/tls-secrets.yaml new file mode 100644 index 00000000..2e992d6e --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/templates/tls-secrets.yaml @@ -0,0 +1,30 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "postgresql.v1.createTlsSecret" . ) }} +{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }} +{{- $ca := genCA "postgresql-ca" 365 }} +{{- $fullname := include "common.names.fullname" . }} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $primaryHeadlessServiceName := include "postgresql.v1.primary.svc.headless" . }} +{{- $readHeadlessServiceName := include "postgresql.v1.readReplica.svc.headless" . }} +{{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) $fullname }} +{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} + tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} + ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/values.schema.json b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/values.schema.json new file mode 100644 index 00000000..fc41483c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/values.schema.json @@ -0,0 +1,156 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "architecture": { + "type": "string", + "title": "PostgreSQL architecture", + "form": true, + "description": "Allowed values: `standalone` or `replication`" + }, + "auth": { + "type": "object", + "title": "Authentication configuration", + "form": true, + "properties": { + "enablePostgresUser": { + "type": "boolean", + "title": "Enable \"postgres\" admin user", + "description": "Assign a password to the \"postgres\" admin user. Otherwise, remote access will be blocked for this user", + "form": true + }, + "postgresPassword": { + "type": "string", + "title": "Password for the \"postgres\" admin user", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true + }, + "database": { + "type": "string", + "title": "PostgreSQL custom database", + "description": "Name of the custom database to be created during the 1st initialization of PostgreSQL", + "form": true + }, + "username": { + "type": "string", + "title": "PostgreSQL custom user", + "description": "Name of the custom user to be created during the 1st initialization of PostgreSQL. This user only has permissions on the PostgreSQL custom database", + "form": true + }, + "password": { + "type": "string", + "title": "Password for the custom user to create", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true + }, + "replicationUsername": { + "type": "string", + "title": "PostgreSQL replication user", + "description": "Name of user used to manage replication.", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + }, + "replicationPassword": { + "type": "string", + "title": "Password for PostgreSQL replication user", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "persistence": { + "type": "object", + "properties": { + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi" + } + } + }, + "resources": { + "type": "object", + "title": "Required Resources", + "description": "Configure resource requests", + "form": true, + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string", + "form": true, + "render": "slider", + "title": "Memory Request", + "sliderMin": 10, + "sliderMax": 2048, + "sliderUnit": "Mi" + }, + "cpu": { + "type": "string", + "form": true, + "render": "slider", + "title": "CPU Request", + "sliderMin": 10, + "sliderMax": 2000, + "sliderUnit": "m" + } + } + } + } + }, + "replication": { + "type": "object", + "form": true, + "title": "Replication Details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Replication", + "form": true + }, + "readReplicas": { + "type": "integer", + "title": "read Replicas", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" + } + } + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Configure metrics exporter", + "form": true + } + } + } + } +} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/values.yaml new file mode 100644 index 00000000..417d0d39 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/postgresql/values.yaml @@ -0,0 +1,1780 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Please, note that this will override the parameters, including dependencies, configured to use the global value +## +global: + ## @param global.imageRegistry Global Docker image registry + ## + imageRegistry: "" + ## @param global.imagePullSecrets Global Docker registry secret names as an array + ## e.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + ## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) +## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead + ## + defaultStorageClass: "" + storageClass: "" + postgresql: + ## @param global.postgresql.auth.postgresPassword Password for the "postgres" admin user (overrides `auth.postgresPassword`) + ## @param global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`) + ## @param global.postgresql.auth.password Password for the custom user to create (overrides `auth.password`) + ## @param global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`) + ## @param global.postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). + ## @param global.postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. + ## @param global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. + ## @param global.postgresql.auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. + ## + auth: + postgresPassword: "" + username: "" + password: "" + database: "" + existingSecret: "" + secretKeys: + adminPasswordKey: "" + userPasswordKey: "" + replicationPasswordKey: "" + ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) + ## + service: + ports: + postgresql: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto +## @section Common parameters +## + +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname template +## +fullnameOverride: "" +## @param clusterDomain Kubernetes Cluster Domain +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) +## +extraDeploy: [] +## @param commonLabels Add labels to all the deployed resources +## +commonLabels: {} +## @param commonAnnotations Add annotations to all the deployed resources +## +commonAnnotations: {} +## Enable diagnostic mode in the statefulset +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the statefulset + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the statefulset + ## + args: + - infinity +## @section PostgreSQL common parameters +## + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## @param image.registry [default: REGISTRY_NAME] PostgreSQL image registry +## @param image.repository [default: REPOSITORY_NAME/postgresql] PostgreSQL image repository +## @skip image.tag PostgreSQL image tag (immutable tags are recommended) +## @param image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy PostgreSQL image pull policy +## @param image.pullSecrets Specify image pull secrets +## @param image.debug Specify if debug values should be set +## +image: + registry: docker.io + repository: bitnamilegacy/postgresql + tag: 16.4.0-debian-12-r14 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## Authentication parameters +## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#setting-the-root-password-on-first-run +## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-on-first-run +## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-user-on-first-run +## +auth: + ## @param auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user + ## + enablePostgresUser: true + ## @param auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided + ## + postgresPassword: "" + ## @param auth.username Name for a custom user to create + ## + username: "" + ## @param auth.password Password for the custom user to create. Ignored if `auth.existingSecret` is provided + ## + password: "" + ## @param auth.database Name for a custom database to create + ## + database: "" + ## @param auth.replicationUsername Name of the replication user + ## + replicationUsername: repl_user + ## @param auth.replicationPassword Password for the replication user. Ignored if `auth.existingSecret` is provided + ## + replicationPassword: "" + ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. + ## + existingSecret: "" + ## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. + ## @param auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. + ## @param auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. + ## + secretKeys: + adminPasswordKey: postgres-password + userPasswordKey: password + replicationPasswordKey: replication-password + ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable + ## + usePasswordFiles: false +## @param architecture PostgreSQL architecture (`standalone` or `replication`) +## +architecture: standalone +## Replication configuration +## Ignored if `architecture` is `standalone` +## +replication: + ## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` + ## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. + ## ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT + ## + synchronousCommit: "off" + numSynchronousReplicas: 0 + ## @param replication.applicationName Cluster application name. Useful for advanced replication settings + ## + applicationName: my_application +## @param containerPorts.postgresql PostgreSQL container port +## +containerPorts: + postgresql: 5432 +## Audit settings +## https://github.com/bitnami/containers/tree/main/bitnami/postgresql#auditing +## @param audit.logHostname Log client hostnames +## @param audit.logConnections Add client log-in operations to the log file +## @param audit.logDisconnections Add client log-outs operations to the log file +## @param audit.pgAuditLog Add operations to log using the pgAudit extension +## @param audit.pgAuditLogCatalog Log catalog using pgAudit +## @param audit.clientMinMessages Message log level to share with the user +## @param audit.logLinePrefix Template for log line prefix (default if not set) +## @param audit.logTimezone Timezone for the log timestamps +## +audit: + logHostname: false + logConnections: false + logDisconnections: false + pgAuditLog: "" + pgAuditLogCatalog: "off" + clientMinMessages: error + logLinePrefix: "" + logTimezone: "" +## LDAP configuration +## @param ldap.enabled Enable LDAP support +## DEPRECATED ldap.url It will removed in a future, please use 'ldap.uri' instead +## @param ldap.server IP address or name of the LDAP server. +## @param ldap.port Port number on the LDAP server to connect to +## @param ldap.prefix String to prepend to the user name when forming the DN to bind +## @param ldap.suffix String to append to the user name when forming the DN to bind +## DEPRECATED ldap.baseDN It will removed in a future, please use 'ldap.basedn' instead +## DEPRECATED ldap.bindDN It will removed in a future, please use 'ldap.binddn' instead +## DEPRECATED ldap.bind_password It will removed in a future, please use 'ldap.bindpw' instead +## @param ldap.basedn Root DN to begin the search for the user in +## @param ldap.binddn DN of user to bind to LDAP +## @param ldap.bindpw Password for the user to bind to LDAP +## DEPRECATED ldap.search_attr It will removed in a future, please use 'ldap.searchAttribute' instead +## DEPRECATED ldap.search_filter It will removed in a future, please use 'ldap.searchFilter' instead +## @param ldap.searchAttribute Attribute to match against the user name in the search +## @param ldap.searchFilter The search filter to use when doing search+bind authentication +## @param ldap.scheme Set to `ldaps` to use LDAPS +## DEPRECATED ldap.tls as string is deprecated, please use 'ldap.tls.enabled' instead +## @param ldap.tls.enabled Se to true to enable TLS encryption +## +ldap: + enabled: false + server: "" + port: "" + prefix: "" + suffix: "" + basedn: "" + binddn: "" + bindpw: "" + searchAttribute: "" + searchFilter: "" + scheme: "" + tls: + enabled: false + ## @param ldap.uri LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. + ## Ref: https://www.postgresql.org/docs/current/auth-ldap.html + ## + uri: "" +## @param postgresqlDataDir PostgreSQL data dir folder +## +postgresqlDataDir: /bitnami/postgresql/data +## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list) +## +postgresqlSharedPreloadLibraries: "pgaudit" +## Start PostgreSQL pod(s) without limitations on shm memory. +## By default docker and containerd (and possibly other container runtimes) limit `/dev/shm` to `64M` +## ref: https://github.com/docker-library/postgres/issues/416 +## ref: https://github.com/containerd/containerd/issues/3654 +## +shmVolume: + ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) + ## + enabled: true + ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs + ## Note: the size of the tmpfs counts against container's memory limit + ## e.g: + ## sizeLimit: 1Gi + ## + sizeLimit: "" +## TLS configuration +## +tls: + ## @param tls.enabled Enable TLS traffic support + ## + enabled: false + ## @param tls.autoGenerated Generate automatically self-signed TLS certificates + ## + autoGenerated: false + ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's + ## + preferServerCiphers: true + ## @param tls.certificatesSecret Name of an existing secret that contains the certificates + ## + certificatesSecret: "" + ## @param tls.certFilename Certificate filename + ## + certFilename: "" + ## @param tls.certKeyFilename Certificate key filename + ## + certKeyFilename: "" + ## @param tls.certCAFilename CA Certificate filename + ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate + ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html + ## + certCAFilename: "" + ## @param tls.crlFilename File containing a Certificate Revocation List + ## + crlFilename: "" +## @section PostgreSQL Primary parameters +## +primary: + ## @param primary.name Name of the primary database (eg primary, master, leader, ...) + ## + name: primary + ## @param primary.configuration PostgreSQL Primary main configuration to be injected as ConfigMap + ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html + ## + configuration: "" + ## @param primary.pgHbaConfiguration PostgreSQL Primary client authentication configuration + ## ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html + ## e.g:# + ## pgHbaConfiguration: |- + ## local all all trust + ## host all all localhost trust + ## host mydatabase mysuser 192.168.0.0/24 md5 + ## + pgHbaConfiguration: "" + ## @param primary.existingConfigmap Name of an existing ConfigMap with PostgreSQL Primary configuration + ## NOTE: `primary.configuration` and `primary.pgHbaConfiguration` will be ignored + ## + existingConfigmap: "" + ## @param primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration) + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf + ## + extendedConfiguration: "" + ## @param primary.existingExtendedConfigmap Name of an existing ConfigMap with PostgreSQL Primary extended configuration + ## NOTE: `primary.extendedConfiguration` will be ignored + ## + existingExtendedConfigmap: "" + ## Initdb configuration + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#specifying-initdb-arguments + ## + initdb: + ## @param primary.initdb.args PostgreSQL initdb extra arguments + ## + args: "" + ## @param primary.initdb.postgresqlWalDir Specify a custom location for the PostgreSQL transaction log + ## + postgresqlWalDir: "" + ## @param primary.initdb.scripts Dictionary of initdb scripts + ## Specify dictionary of scripts to be run at first boot + ## e.g: + ## scripts: + ## my_init_script.sh: | + ## #!/bin/sh + ## echo "Do something." + ## + scripts: {} + ## @param primary.initdb.scriptsConfigMap ConfigMap with scripts to be run at first boot + ## NOTE: This will override `primary.initdb.scripts` + ## + scriptsConfigMap: "" + ## @param primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information) + ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap` + ## + scriptsSecret: "" + ## @param primary.initdb.user Specify the PostgreSQL username to execute the initdb scripts + ## + user: "" + ## @param primary.initdb.password Specify the PostgreSQL password to execute the initdb scripts + ## + password: "" + ## Pre-init configuration + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql/#on-container-start + preInitDb: + ## @param primary.preInitDb.scripts Dictionary of pre-init scripts + ## Specify dictionary of shell scripts to be run before db boot + ## e.g: + ## scripts: + ## my_pre_init_script.sh: | + ## #!/bin/sh + ## echo "Do something." + scripts: {} + ## @param primary.preInitDb.scriptsConfigMap ConfigMap with pre-init scripts to be run + ## NOTE: This will override `primary.preInitDb.scripts` + scriptsConfigMap: "" + ## @param primary.preInitDb.scriptsSecret Secret with pre-init scripts to be run + ## NOTE: This can work along `primary.preInitDb.scripts` or `primary.preInitDb.scriptsConfigMap` + scriptsSecret: "" + ## Configure current cluster's primary server to be the standby server in other cluster. + ## This will allow cross cluster replication and provide cross cluster high availability. + ## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. + ## @param primary.standby.enabled Whether to enable current cluster's primary as standby server of another cluster or not + ## @param primary.standby.primaryHost The Host of replication primary in the other cluster + ## @param primary.standby.primaryPort The Port of replication primary in the other cluster + ## + standby: + enabled: false + primaryHost: "" + primaryPort: "" + ## @param primary.extraEnvVars Array with extra environment variables to add to PostgreSQL Primary nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes + ## + extraEnvVarsCM: "" + ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL Primary nodes + ## + extraEnvVarsSecret: "" + ## @param primary.command Override default container command (useful when using custom images) + ## + command: [] + ## @param primary.args Override default container args (useful when using custom images) + ## + args: [] + ## Configure extra options for PostgreSQL Primary containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param primary.livenessProbe.enabled Enable livenessProbe on PostgreSQL Primary containers + ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param primary.readinessProbe.enabled Enable readinessProbe on PostgreSQL Primary containers + ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param primary.startupProbe.enabled Enable startupProbe on PostgreSQL Primary containers + ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param primary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param primary.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param primary.lifecycleHooks for the PostgreSQL Primary container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## PostgreSQL Primary resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param primary.podSecurityContext.enabled Enable security context + ## @param primary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param primary.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param primary.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param primary.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param primary.containerSecurityContext.enabled Enabled containers' Security Context + ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param primary.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param primary.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param primary.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param primary.containerSecurityContext.privileged Set container's Security Context privileged + ## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param primary.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param primary.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param primary.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## @param primary.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## @param primary.hostAliases PostgreSQL primary pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param primary.hostNetwork Specify if host network should be enabled for PostgreSQL pod (postgresql primary) + ## + hostNetwork: false + ## @param primary.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) + ## + hostIPC: false + ## @param primary.labels Map of labels to add to the statefulset (postgresql primary) + ## + labels: {} + ## @param primary.annotations Annotations for PostgreSQL primary pods + ## + annotations: {} + ## @param primary.podLabels Map of labels to add to the pods (postgresql primary) + ## + podLabels: {} + ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary) + ## + podAnnotations: {} + ## @param primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL Primary node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param primary.affinity Affinity for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary) + ## + priorityClassName: "" + ## @param primary.schedulerName Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param primary.terminationGracePeriodSeconds Seconds PostgreSQL primary pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param primary.updateStrategy.type PostgreSQL Primary statefulset strategy type + ## @param primary.updateStrategy.rollingUpdate PostgreSQL Primary statefulset rolling update configuration parameters + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + rollingUpdate: {} + ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) + ## + extraVolumeMounts: [] + ## @param primary.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) + ## + extraVolumes: [] + ## @param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s) + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param primary.initContainers Add additional init containers to the PostgreSQL Primary pod(s) + ## Example + ## + ## initContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param primary.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param primary.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param primary.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `primary.pdb.minAvailable` and `primary.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" + ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) + ## + extraPodSpec: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param primary.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param primary.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param primary.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param primary.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param primary.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param primary.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param primary.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## PostgreSQL Primary service configuration + ## + service: + ## @param primary.service.type Kubernetes Service type + ## + type: ClusterIP + ## @param primary.service.ports.postgresql PostgreSQL service port + ## + ports: + postgresql: 5432 + ## Node ports to expose + ## NOTE: choose port between <30000-32767> + ## @param primary.service.nodePorts.postgresql Node port for PostgreSQL + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + postgresql: "" + ## @param primary.service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param primary.service.annotations Annotations for PostgreSQL primary service + ## + annotations: {} + ## @param primary.service.loadBalancerClass Load balancer class if service type is `LoadBalancer` + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + ## + loadBalancerClass: "" + ## @param primary.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param primary.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service + ## + extraPorts: [] + ## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param primary.service.headless.annotations Additional custom annotations for headless PostgreSQL primary service + ## + annotations: {} + ## PostgreSQL Primary persistence configuration + ## + persistence: + ## @param primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC + ## + enabled: true + ## @param primary.persistence.volumeName Name to assign the volume + ## + volumeName: "data" + ## @param primary.persistence.existingClaim Name of an existing PVC to use + ## + existingClaim: "" + ## @param primary.persistence.mountPath The path the volume will be mounted at + ## Note: useful when using custom PostgreSQL images + ## + mountPath: /bitnami/postgresql + ## @param primary.persistence.subPath The subdirectory of the volume to mount to + ## Useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param primary.persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param primary.persistence.size PVC Storage Request for PostgreSQL volume + ## + size: 8Gi + ## @param primary.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param primary.persistence.labels Labels for the PVC + ## + labels: {} + ## @param primary.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param primary.persistence.dataSource Custom PVC data source + ## + dataSource: {} + ## PostgreSQL Primary Persistent Volume Claim Retention Policy + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + ## + persistentVolumeClaimRetentionPolicy: + ## @param primary.persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for Primary Statefulset + ## + enabled: false + ## @param primary.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced + ## + whenScaled: Retain + ## @param primary.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted + ## + whenDeleted: Retain +## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) +## +readReplicas: + ## @param readReplicas.name Name of the read replicas database (eg secondary, slave, ...) + ## + name: read + ## @param readReplicas.replicaCount Number of PostgreSQL read only replicas + ## + replicaCount: 1 + ## @param readReplicas.extendedConfiguration Extended PostgreSQL read only replicas configuration (appended to main or default configuration) + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf + ## + extendedConfiguration: "" + ## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes + ## + extraEnvVarsCM: "" + ## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes + ## + extraEnvVarsSecret: "" + ## @param readReplicas.command Override default container command (useful when using custom images) + ## + command: [] + ## @param readReplicas.args Override default container args (useful when using custom images) + ## + args: [] + ## Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers + ## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers + ## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers + ## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe + ## @param readReplicas.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param readReplicas.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## PostgreSQL read only resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param readReplicas.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param readReplicas.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param readReplicas.podSecurityContext.enabled Enable security context + ## @param readReplicas.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param readReplicas.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param readReplicas.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param readReplicas.containerSecurityContext.enabled Enabled containers' Security Context + ## @param readReplicas.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param readReplicas.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param readReplicas.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param readReplicas.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param readReplicas.containerSecurityContext.privileged Set container's Security Context privileged + ## @param readReplicas.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param readReplicas.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param readReplicas.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param readReplicas.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## @param readReplicas.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param readReplicas.hostNetwork Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) + ## + hostNetwork: false + ## @param readReplicas.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) + ## + hostIPC: false + ## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only) + ## + labels: {} + ## @param readReplicas.annotations Annotations for PostgreSQL read only pods + ## + annotations: {} + ## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only) + ## + podLabels: {} + ## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only) + ## + podAnnotations: {} + ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL read only node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only) + ## + priorityClassName: "" + ## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type + ## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + rollingUpdate: {} + ## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) + ## + extraVolumeMounts: [] + ## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) + ## + extraVolumes: [] + ## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s) + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s) + ## Example + ## + ## initContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + initContainers: [] + ## Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb + ## @param readReplicas.pdb.create Enable/disable a Pod Disruption Budget creation + ## @param readReplicas.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled + ## @param readReplicas.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `readReplicas.pdb.minAvailable` and `readReplicas.pdb.maxUnavailable` are empty. + ## + pdb: + create: true + minAvailable: "" + maxUnavailable: "" + ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s) + ## + extraPodSpec: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param readReplicas.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param readReplicas.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param readReplicas.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param readReplicas.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param readReplicas.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param readReplicas.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param readReplicas.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## PostgreSQL read only service configuration + ## + service: + ## @param readReplicas.service.type Kubernetes Service type + ## + type: ClusterIP + ## @param readReplicas.service.ports.postgresql PostgreSQL service port + ## + ports: + postgresql: 5432 + ## Node ports to expose + ## NOTE: choose port between <30000-32767> + ## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + postgresql: "" + ## @param readReplicas.service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param readReplicas.service.annotations Annotations for PostgreSQL read only service + ## + annotations: {} + ## @param readReplicas.service.loadBalancerClass Load balancer class if service type is `LoadBalancer` + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + ## + loadBalancerClass: "" + ## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service + ## + extraPorts: [] + ## @param readReplicas.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param readReplicas.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param readReplicas.service.headless.annotations Additional custom annotations for headless PostgreSQL read only service + ## + annotations: {} + ## PostgreSQL read only persistence configuration + ## + persistence: + ## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC + ## + enabled: true + ## @param readReplicas.persistence.existingClaim Name of an existing PVC to use + ## + existingClaim: "" + ## @param readReplicas.persistence.mountPath The path the volume will be mounted at + ## Note: useful when using custom PostgreSQL images + ## + mountPath: /bitnami/postgresql + ## @param readReplicas.persistence.subPath The subdirectory of the volume to mount to + ## Useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume + ## + size: 8Gi + ## @param readReplicas.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param readReplicas.persistence.labels Labels for the PVC + ## + labels: {} + ## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param readReplicas.persistence.dataSource Custom PVC data source + ## + dataSource: {} + ## PostgreSQL Read only Persistent Volume Claim Retention Policy + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + ## + persistentVolumeClaimRetentionPolicy: + ## @param readReplicas.persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for read only Statefulset + ## + enabled: false + ## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced + ## + whenScaled: Retain + ## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted + ## + whenDeleted: Retain +## @section Backup parameters +## This section implements a trivial logical dump cronjob of the database. +## This only comes with the consistency guarantees of the dump program. +## This is not a snapshot based roll forward/backward recovery backup. +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ +backup: + ## @param backup.enabled Enable the logical dump of the database "regularly" + enabled: false + cronjob: + ## @param backup.cronjob.schedule Set the cronjob parameter schedule + schedule: "@daily" + ## @param backup.cronjob.timeZone Set the cronjob parameter timeZone + timeZone: "" + ## @param backup.cronjob.concurrencyPolicy Set the cronjob parameter concurrencyPolicy + concurrencyPolicy: Allow + ## @param backup.cronjob.failedJobsHistoryLimit Set the cronjob parameter failedJobsHistoryLimit + failedJobsHistoryLimit: 1 + ## @param backup.cronjob.successfulJobsHistoryLimit Set the cronjob parameter successfulJobsHistoryLimit + successfulJobsHistoryLimit: 3 + ## @param backup.cronjob.startingDeadlineSeconds Set the cronjob parameter startingDeadlineSeconds + startingDeadlineSeconds: "" + ## @param backup.cronjob.ttlSecondsAfterFinished Set the cronjob parameter ttlSecondsAfterFinished + ttlSecondsAfterFinished: "" + ## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy + restartPolicy: OnFailure + ## @param backup.cronjob.podSecurityContext.enabled Enable PodSecurityContext for CronJob/Backup + ## @param backup.cronjob.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param backup.cronjob.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param backup.cronjob.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param backup.cronjob.podSecurityContext.fsGroup Group ID for the CronJob + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## backup container's Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context + ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged + ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param backup.cronjob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param backup.cronjob.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## @param backup.cronjob.command Set backup container's command to run + command: + - /bin/sh + - -c + - "pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump" + ## @param backup.cronjob.labels Set the cronjob labels + labels: {} + ## @param backup.cronjob.annotations Set the cronjob annotations + annotations: {} + ## @param backup.cronjob.nodeSelector Node labels for PostgreSQL backup CronJob pod assignment + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/ + ## + nodeSelector: {} + ## @param backup.cronjob.tolerations Tolerations for PostgreSQL backup CronJob pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## backup cronjob container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param backup.cronjob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param backup.cronjob.resources Set container requests and limits for different resources like CPU or memory + ## Example: + resources: {} + ## resources: + ## requests: + ## cpu: 1 + ## memory: 512Mi + ## limits: + ## cpu: 2 + ## memory: 1024Mi + networkPolicy: + ## @param backup.cronjob.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + storage: + ## @param backup.cronjob.storage.enabled Enable using a `PersistentVolumeClaim` as backup data volume + ## + enabled: true + ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) + ## If defined, PVC must be created manually before volume will be bound + ## + existingClaim: "" + ## @param backup.cronjob.storage.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted + ## + resourcePolicy: "" + ## @param backup.cronjob.storage.storageClass PVC Storage Class for the backup data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param backup.cronjob.storage.accessModes PV Access Mode + ## + accessModes: + - ReadWriteOnce + ## @param backup.cronjob.storage.size PVC Storage Request for the backup data volume + ## + size: 8Gi + ## @param backup.cronjob.storage.annotations PVC annotations + ## + annotations: {} + ## @param backup.cronjob.storage.mountPath Path to mount the volume at + ## + mountPath: /backup/pgdump + ## @param backup.cronjob.storage.subPath Subdirectory of the volume to mount at + ## and one PV for multiple services. + ## + subPath: "" + ## Fine tuning for volumeClaimTemplates + ## + volumeClaimTemplates: + ## @param backup.cronjob.storage.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) + ## A label query over volumes to consider for binding (e.g. when using local volumes) + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details + ## + selector: {} + ## @param backup.cronjob.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the backup container + ## + extraVolumeMounts: [] + ## @param backup.cronjob.extraVolumes Optionally specify extra list of additional volumes for the backup container + ## + extraVolumes: [] +## @section Volume Permissions parameters +## + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume + ## + enabled: false + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository + ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets + ## + image: + registry: docker.io + repository: bitnamilegacy/os-shell + tag: 12-debian-12-r30 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init container' Security Context + ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser + ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container + ## @param volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container + ## @param volumePermissions.containerSecurityContext.runAsNonRoot runAsNonRoot for the init container + ## @param volumePermissions.containerSecurityContext.seccompProfile.type seccompProfile.type for the init container + ## + containerSecurityContext: + seLinuxOptions: {} + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault +## @section Other Parameters +## + +## @param serviceBindings.enabled Create secret for service binding (Experimental) +## Ref: https://servicebinding.io/service-provider/ +## +serviceBindings: + enabled: false +## Service account for PostgreSQL to use. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod + ## + create: true + ## @param serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## Can be set to false if pods using this serviceAccount do not need to use K8s API + ## + automountServiceAccountToken: false + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} +## Creates role for ServiceAccount +## @param rbac.create Create Role and RoleBinding (required for PSP to work) +## +rbac: + create: false + ## @param rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] +## Pod Security Policy +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later +## +psp: + create: false +## @section Metrics Parameters +## +metrics: + ## @param metrics.enabled Start a prometheus exporter + ## + enabled: false + ## @param metrics.image.registry [default: REGISTRY_NAME] PostgreSQL Prometheus Exporter image registry + ## @param metrics.image.repository [default: REPOSITORY_NAME/postgres-exporter] PostgreSQL Prometheus Exporter image repository + ## @skip metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) + ## @param metrics.image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy + ## @param metrics.image.pullSecrets Specify image pull secrets + ## + image: + registry: docker.io + repository: bitnamilegacy/postgres-exporter + tag: 0.15.0-debian-12-r43 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.collectors Control enabled collectors + ## ref: https://github.com/prometheus-community/postgres_exporter#flags + ## Example: + ## collectors: + ## wal: false + collectors: {} + ## @param metrics.customMetrics Define additional custom metrics + ## ref: https://github.com/prometheus-community/postgres_exporter#adding-new-metrics-via-a-config-file-deprecated + ## customMetrics: + ## pg_database: + ## query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + ## metrics: + ## - name: + ## usage: "LABEL" + ## description: "Name of the database" + ## - size_bytes: + ## usage: "GAUGE" + ## description: "Size of the database in bytes" + ## + customMetrics: {} + ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter + ## see: https://github.com/prometheus-community/postgres_exporter#environment-variables + ## For example: + ## extraEnvVars: + ## - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS + ## value: "true" + ## + extraEnvVars: [] + ## PostgreSQL Prometheus exporter containers' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged + ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe + ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port + ## + containerPorts: + metrics: 9187 + ## PostgreSQL Prometheus exporter resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Service configuration + ## + service: + ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port + ## + ports: + metrics: 9187 + ## @param metrics.service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## + clusterIP: "" + ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus + ## + labels: {} + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + selector: {} + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator + ## + enabled: false + ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus + ## + labels: {} + ## @param metrics.prometheusRule.rules PrometheusRule definitions + ## Make sure to constraint the rules to the current postgresql service. + ## rules: + ## - alert: HugeReplicationLag + ## expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). + ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). + ## + rules: [] diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/Chart.yaml new file mode 100644 index 00000000..5becfd58 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.0.0 +description: Preflight webhook for injecting GPU health check init containers +name: preflight +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/files/ndv4-topo.xml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/files/ndv4-topo.xml new file mode 100644 index 00000000..1b379112 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/files/ndv4-topo.xml @@ -0,0 +1,35 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/files/ndv5-topo.xml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/files/ndv5-topo.xml new file mode 100644 index 00000000..02fa383a --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/files/ndv5-topo.xml @@ -0,0 +1,39 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/_helpers.tpl new file mode 100644 index 00000000..9ca1a24a --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/_helpers.tpl @@ -0,0 +1,156 @@ +{{/* +Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "preflight.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "preflight.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "preflight.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "preflight.labels" -}} +helm.sh/chart: {{ include "preflight.chart" . }} +{{ include "preflight.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "preflight.selectorLabels" -}} +app.kubernetes.io/name: {{ include "preflight.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "preflight.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "preflight.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Webhook name for MutatingWebhookConfiguration +*/}} +{{- define "preflight.webhookName" -}} +{{ include "preflight.name" . }}.nvsentinel.nvidia.com +{{- end }} + +{{/* +Certificate secret name +*/}} +{{- define "preflight.certSecretName" -}} +{{ include "preflight.fullname" . }}-webhook-tls +{{- end }} + +{{/* +Certificate DNS names +*/}} +{{- define "preflight.certDnsNames" -}} +- {{ include "preflight.fullname" . }} +- {{ include "preflight.fullname" . }}.{{ .Release.Namespace }} +- {{ include "preflight.fullname" . }}.{{ .Release.Namespace }}.svc +- {{ include "preflight.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local +{{- end }} + +{{/* +DCGM service endpoint - uses global.dcgm.service.endpoint with fallback to local +*/}} +{{- define "preflight.dcgmEndpoint" -}} +{{- if and .Values.global .Values.global.dcgm .Values.global.dcgm.service }} +{{- .Values.global.dcgm.service.endpoint | default .Values.dcgm.service.endpoint }} +{{- else }} +{{- .Values.dcgm.service.endpoint }} +{{- end }} +{{- end }} + +{{/* +DCGM service port - uses global.dcgm.service.port with fallback to local +*/}} +{{- define "preflight.dcgmPort" -}} +{{- if and .Values.global .Values.global.dcgm .Values.global.dcgm.service }} +{{- .Values.global.dcgm.service.port | default .Values.dcgm.service.port }} +{{- else }} +{{- .Values.dcgm.service.port }} +{{- end }} +{{- end }} + +{{/* +DCGM hostengine address - combines endpoint and port +*/}} +{{- define "preflight.dcgmHostengineAddr" -}} +{{- printf "%s:%v" (include "preflight.dcgmEndpoint" .) (include "preflight.dcgmPort" .) }} +{{- end }} + +{{/* +DCGM diagnostic level +*/}} +{{- define "preflight.dcgmDiagLevel" -}} +{{- .Values.dcgm.diagLevel | default 1 }} +{{- end }} + +{{/* +Event processing strategy +*/}} +{{- define "preflight.processingStrategy" -}} +{{- .Values.dcgm.processingStrategy | default "EXECUTE_REMEDIATION" }} +{{- end }} + +{{/* +Platform connector socket path for health event reporting +Uses global.socketPath with unix:// prefix +*/}} +{{- define "preflight.connectorSocket" -}} +{{- if and .Values.global .Values.global.socketPath }} +{{- printf "unix://%s" .Values.global.socketPath }} +{{- else }} +{{- "unix:///var/run/nvsentinel.sock" }} +{{- end }} +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/ca-certificate.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/ca-certificate.yaml new file mode 100644 index 00000000..d89c5b9c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/ca-certificate.yaml @@ -0,0 +1,39 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# CA Certificate - long-lived, used to sign webhook certificates +# This is what inject-ca-from should reference for stable CA rotation +{{- if .Values.webhook.createIssuer }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "preflight.fullname" . }}-ca + namespace: {{ .Release.Namespace }} + labels: + {{- include "preflight.labels" . | nindent 4 }} +spec: + isCA: true + secretName: {{ include "preflight.fullname" . }}-ca-secret + duration: 87600h # 10 years + renewBefore: 8760h # 1 year before expiry + commonName: {{ include "preflight.fullname" . }}-ca + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: {{ include "preflight.fullname" . }}-selfsigned + kind: Issuer + group: cert-manager.io +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/ca-issuer.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/ca-issuer.yaml new file mode 100644 index 00000000..fee10458 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/ca-issuer.yaml @@ -0,0 +1,28 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# CA Issuer - issues webhook certificates using the CA certificate +{{- if .Values.webhook.createIssuer }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "preflight.fullname" . }}-ca-issuer + namespace: {{ .Release.Namespace }} + labels: + {{- include "preflight.labels" . | nindent 4 }} +spec: + ca: + secretName: {{ include "preflight.fullname" . }}-ca-secret +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/certificate.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/certificate.yaml new file mode 100644 index 00000000..9341a95c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/certificate.yaml @@ -0,0 +1,40 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# TLS Certificate for webhook, issued by CA Issuer for proper rotation support +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "preflight.fullname" . }}-webhook-cert + namespace: {{ .Release.Namespace }} + labels: + {{- include "preflight.labels" . | nindent 4 }} +spec: + secretName: {{ include "preflight.certSecretName" . }} + duration: 2160h # 90 days + renewBefore: 360h # 15 days before expiration + commonName: {{ include "preflight.fullname" . }}.{{ .Release.Namespace }}.svc + dnsNames: + {{- include "preflight.certDnsNames" . | nindent 4 }} + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + {{- if .Values.webhook.createIssuer }} + name: {{ include "preflight.fullname" . }}-ca-issuer + {{- else }} + name: {{ .Values.webhook.certIssuer }} + {{- end }} + kind: Issuer + group: cert-manager.io diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/clusterrole.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/clusterrole.yaml new file mode 100644 index 00000000..aa6c0809 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/clusterrole.yaml @@ -0,0 +1,45 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.gangCoordination.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "preflight.fullname" . }} + labels: + {{- include "preflight.labels" . | nindent 4 }} +rules: + # Core resources for gang discovery + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + + # ConfigMaps for gang coordination + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + + # Gang discovery API - dynamically generated based on gangDiscovery config + {{- if .Values.gangDiscovery.podGroupGVR }} + # PodGroup-based scheduler ({{ .Values.gangDiscovery.name | default "custom" }}) + - apiGroups: [{{ .Values.gangDiscovery.podGroupGVR.group | quote }}] + resources: [{{ .Values.gangDiscovery.podGroupGVR.resource | quote }}] + {{- else }} + # K8s 1.35+ Workload API for native gang scheduling (default) + - apiGroups: ["scheduling.k8s.io"] + resources: ["workloads"] + {{- end }} + verbs: ["get", "list", "watch"] + +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/clusterrolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..ea5de4c4 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/clusterrolebinding.yaml @@ -0,0 +1,31 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.gangCoordination.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "preflight.fullname" . }} + labels: + {{- include "preflight.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "preflight.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "preflight.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/configmap.yaml new file mode 100644 index 00000000..f8987ead --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/configmap.yaml @@ -0,0 +1,88 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "preflight.fullname" . }}-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "preflight.labels" . | nindent 4 }} +data: + config.yaml: | + gpuResourceNames: + {{- toYaml .Values.gpuResourceNames | nindent 6 }} + networkResourceNames: + {{- toYaml .Values.networkResourceNames | nindent 6 }} + {{- if .Values.ncclEnvPatterns }} + ncclEnvPatterns: + {{- toYaml .Values.ncclEnvPatterns | nindent 6 }} + {{- end }} + {{- if .Values.volumeMountPatterns }} + volumeMountPatterns: + {{- toYaml .Values.volumeMountPatterns | nindent 6 }} + {{- end }} + dcgm: + hostengineAddr: {{ include "preflight.dcgmHostengineAddr" . | quote }} + diagLevel: {{ include "preflight.dcgmDiagLevel" . }} + connectorSocket: {{ include "preflight.connectorSocket" . | quote }} + processingStrategy: {{ include "preflight.processingStrategy" . | quote }} + gangDiscovery: + {{- toYaml .Values.gangDiscovery | nindent 6 }} + gangCoordination: + enabled: {{ .Values.gangCoordination.enabled }} + timeout: {{ .Values.gangCoordination.timeout | quote }} + masterPort: {{ .Values.gangCoordination.masterPort }} + configMapMountPath: {{ .Values.gangCoordination.configMapMountPath | quote }} + {{- /* Resolve ncclTopoConfigMap: explicit or auto-generated from shape */}} + {{- $topoConfigMap := .Values.gangCoordination.ncclTopoConfigMap | default "" }} + {{- if and (not $topoConfigMap) .Values.gangCoordination.ncclTopoShape }} + {{- $topoConfigMap = printf "%s-nccl-topo" (include "preflight.fullname" .) }} + {{- end }} + {{- if $topoConfigMap }} + ncclTopoConfigMap: {{ $topoConfigMap | quote }} + {{- end }} + {{- if .Values.gangCoordination.ncclTopoShape }} + {{- $topoFile := printf "files/%s-topo.xml" .Values.gangCoordination.ncclTopoShape }} + {{- $topoContent := .Files.Get $topoFile }} + {{- if not $topoContent }} + {{- fail (printf "ncclTopoShape '%s' not found: %s does not exist in chart files/" .Values.gangCoordination.ncclTopoShape $topoFile) }} + {{- end }} + ncclTopoData: | +{{ $topoContent | indent 8 }} + {{- end }} + {{- if .Values.gangCoordination.extraHostPathMounts }} + extraHostPathMounts: + {{- toYaml .Values.gangCoordination.extraHostPathMounts | nindent 8 }} + {{- end }} + {{- if .Values.gangCoordination.extraVolumeMounts }} + extraVolumeMounts: + {{- toYaml .Values.gangCoordination.extraVolumeMounts | nindent 8 }} + {{- end }} + {{- if not (kindIs "invalid" .Values.gangCoordination.mirrorResourceClaims) }} + mirrorResourceClaims: {{ .Values.gangCoordination.mirrorResourceClaims }} + {{- end }} + initContainers: + {{- $extraEnv := .Values.ncclAllreduceExtraEnv | default list }} + {{- $result := list }} + {{- range .Values.initContainers }} + {{- if and (eq .name "preflight-nccl-allreduce") $extraEnv }} + {{- $container := deepCopy . }} + {{- $_ := set $container "env" (concat (.env | default list) $extraEnv) }} + {{- $result = append $result $container }} + {{- else }} + {{- $result = append $result . }} + {{- end }} + {{- end }} + {{- toYaml $result | nindent 6 }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/deployment.yaml new file mode 100644 index 00000000..80873147 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/deployment.yaml @@ -0,0 +1,83 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "preflight.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "preflight.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "preflight.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "preflight.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "preflight.serviceAccountName" . }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - --port={{ .Values.webhook.port }} + - --cert-dir=/certs + - --config=/etc/preflight/config.yaml + ports: + - name: https + containerPort: {{ .Values.webhook.port }} + protocol: TCP + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + livenessProbe: + {{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .Values.readinessProbe | nindent 12 }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: tls-certs + mountPath: /certs + readOnly: true + - name: config + mountPath: /etc/preflight + readOnly: true + volumes: + - name: tls-certs + secret: + secretName: {{ include "preflight.certSecretName" . }} + - name: config + configMap: + name: {{ include "preflight.fullname" . }}-config + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/mutatingwebhook.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/mutatingwebhook.yaml new file mode 100644 index 00000000..2e387404 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/mutatingwebhook.yaml @@ -0,0 +1,53 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ include "preflight.fullname" . }} + labels: + {{- include "preflight.labels" . | nindent 4 }} + annotations: + # cert-manager injects the CA bundle from the CA certificate (not the leaf cert) + # This ensures stable CA across leaf certificate rotations + {{- if .Values.webhook.createIssuer }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "preflight.fullname" . }}-ca + {{- else }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.webhook.caCertificateName }} + {{- end }} +webhooks: + - name: {{ include "preflight.webhookName" . }} + clientConfig: + service: + name: {{ include "preflight.fullname" . }} + namespace: {{ .Release.Namespace }} + path: /mutate + port: {{ .Values.service.port }} + admissionReviewVersions: ["v1"] + sideEffects: None + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: Equivalent + timeoutSeconds: {{ .Values.webhook.timeoutSeconds }} + rules: + - apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + operations: ["CREATE"] + scope: Namespaced + namespaceSelector: + matchLabels: + {{- toYaml .Values.namespaceSelector.matchLabels | nindent 8 }} + {{- with .Values.namespaceSelector.matchExpressions }} + matchExpressions: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/networkpolicy.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/networkpolicy.yaml new file mode 100644 index 00000000..8b78ddcc --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/networkpolicy.yaml @@ -0,0 +1,34 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "preflight.fullname" . }}-allow-webhook + namespace: {{ .Release.Namespace }} + labels: + {{- include "preflight.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "preflight.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + - ports: + - protocol: TCP + port: {{ .Values.webhook.port }} +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/selfsigned-issuer.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/selfsigned-issuer.yaml new file mode 100644 index 00000000..86760b6c --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/selfsigned-issuer.yaml @@ -0,0 +1,27 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Bootstrap self-signed issuer - only used to create the CA certificate +{{- if .Values.webhook.createIssuer }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "preflight.fullname" . }}-selfsigned + namespace: {{ .Release.Namespace }} + labels: + {{- include "preflight.labels" . | nindent 4 }} +spec: + selfSigned: {} +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/service.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/service.yaml new file mode 100644 index 00000000..b5b08970 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/service.yaml @@ -0,0 +1,31 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "preflight.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "preflight.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + protocol: TCP + name: https + selector: + {{- include "preflight.selectorLabels" . | nindent 4 }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/serviceaccount.yaml new file mode 100644 index 00000000..be4bd436 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/templates/serviceaccount.yaml @@ -0,0 +1,28 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "preflight.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "preflight.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/values.yaml new file mode 100644 index 00000000..bb2cd5de --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/preflight/values.yaml @@ -0,0 +1,295 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +replicaCount: 1 + +image: + repository: ghcr.io/nvidia/nvsentinel/preflight + pullPolicy: IfNotPresent + tag: "latest" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + create: true + annotations: {} + name: "" + +securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + capabilities: + drop: ["ALL"] + +service: + type: ClusterIP + port: 443 + targetPort: 8443 + +resources: + requests: + cpu: 250m + memory: 512Mi + limits: + cpu: 500m + memory: 1024Mi + +livenessProbe: + httpGet: + scheme: HTTPS + path: /healthz + port: 8443 + initialDelaySeconds: 5 + periodSeconds: 10 + +readinessProbe: + httpGet: + scheme: HTTPS + path: /healthz + port: 8443 + initialDelaySeconds: 2 + periodSeconds: 5 + +nodeSelector: {} +tolerations: [] +affinity: {} + +webhook: + port: 8443 + failurePolicy: Fail + timeoutSeconds: 10 + # Set to true to create the two-tier CA + # Set to false to use an existing CA issuer + createIssuer: true + # Only used when createIssuer=false + certIssuer: "" + caCertificateName: "" + +# Local fallback values - global.dcgm takes precedence when set +dcgm: + service: + # DCGM hostengine service endpoint (fallback when global.dcgm.service not set) + endpoint: "nvidia-dcgm.gpu-operator.svc" + port: 5555 + # Diagnostic level: + # 1 = Quick (~30 seconds) - basic health check + # 2 = Medium (~2 minutes) - more thorough + # 3 = Long (~15 minutes) - comprehensive + diagLevel: 2 + # Event processing strategy: EXECUTE_REMEDIATION or STORE_ONLY + processingStrategy: "EXECUTE_REMEDIATION" + +initContainers: + - name: preflight-dcgm-diag + image: ghcr.io/nvidia/nvsentinel/preflight-dcgm-diag:latest + volumeMounts: + - name: nvsentinel-socket + mountPath: /var/run + # Full corev1.Container fields supported: + # resources: + # limits: + # memory: 512Mi + + # # NCCL loopback test - validates intra-node GPU-to-GPU communication (NVLink/PCIe) + - name: preflight-nccl-loopback + image: ghcr.io/nvidia/nvsentinel/preflight-nccl-loopback:latest + env: + - name: BW_THRESHOLD_GBPS + # Minimum acceptable bus bandwidth + # Valid for NVLink GPU-to-GPU interconnect + # If using PCIe GPU-interconnect, this threshold should be set to ~15 GB/s + value: "150" # Minimum acceptable bus bandwidth in GB/s + - name: TEST_SIZE_MB + value: "256" # Message size for all-reduce test + # To skip the bandwidth check, set SKIP_BANDWIDTH_CHECK to true + # By default, the bandwidth check is enabled + # Checks if the loopback test passes without checking the bandwidth + # - name: SKIP_BANDWIDTH_CHECK + # value: "true" + volumeMounts: + - name: nvsentinel-socket + mountPath: /var/run + + # NCCL all-reduce test - validates multi-node GPU communication + # Requires gangCoordination.enabled=true and gang-aware scheduler (Volcano, Kueue, etc.) + - name: preflight-nccl-allreduce + image: ghcr.io/nvidia/nvsentinel/preflight-nccl-allreduce:latest + securityContext: + capabilities: + add: ["IPC_LOCK"] # Required for RDMA memory registration + env: + # Benchmark configuration (fabric-agnostic defaults) + - name: BW_THRESHOLD_GBPS + value: "100" # Minimum acceptable bus bandwidth in GB/s + - name: MESSAGE_SIZES + value: "4G" # Message size for bandwidth test + - name: NCCL_DEBUG + value: "INFO" # Set to WARN after transport selection is validated + - name: NCCL_DEBUG_SUBSYS + value: "INIT,NET" + volumeMounts: + - name: nvsentinel-socket + mountPath: /var/run + +# Fabric-specific NCCL configuration. +# +# In production, the webhook automatically copies NCCL env vars and volume +# mounts from the user's main container to preflight init containers using +# ncclEnvPatterns and volumeMountPatterns. No manual fabric config needed. +# +# For standalone testing (busybox main container), use ncclAllreduceExtraEnv +# and gangCoordination.extraHostPathMounts to provide fabric config explicitly. +# +# Tested fabric configurations (for reference): +# +# InfiniBand (Azure NDv4/v5, 166 GB/s): +# Env: NCCL_TOPO_FILE=/etc/nccl/topo.xml, NCCL_IB_PCI_RELAXED_ORDERING=1, +# NCCL_SOCKET_IFNAME=eth0 +# Mounts: ncclTopoShape=ndv4 (auto-creates topo ConfigMap) +# +# EFA (AWS H100, 346 GB/s): +# Env: FI_EFA_USE_DEVICE_RDMA=1, FI_PROVIDER=efa, NCCL_SOCKET_IFNAME=eth0, +# LD_LIBRARY_PATH=/opt/amazon/ofi-nccl/lib:/opt/amazon/efa/lib:... +# Mounts: /opt/amazon from host; libefa.so.1 + libibverbs.so.1 bind-mounts +# Note: Dockerfile removes /opt/amazon to avoid ABI mismatch with host EFA +# +# MNNVL + EFA (AWS GB200, 689 GB/s): +# Env: FI_EFA_USE_DEVICE_RDMA=1, NCCL_MNNVL_ENABLE=1, NCCL_NVLS_ENABLE=0, +# NCCL_NET_GDR_LEVEL=PHB, NCCL_P2P_NET_CHUNKSIZE=2097152 +# Mounts: /opt/amazon-efa-ofi from host +# Requires: ComputeDomain DRA claim, Volcano DRA feature gate +# +# TCPXO (GCP H100 A3+, 331 GB/s): +# Env: NCCL_SOCKET_IFNAME=eth1-8, NCCL_FASTRAK_*, NCCL_BUFFSIZE=8388608, +# NCCL_SHIMNET_GUEST_CONFIG_CHECKER_CONFIG_FILE, NCCL_TUNER_PLUGIN, etc. +# Mounts: nvtcpxo-libraries → /usr/local/nvidia, +# nvtcpxo-aperture-devices → /dev/aperture_devices (from GKE webhook) + +# Glob patterns for environment variable names to copy from the user's main +# containers to preflight init containers. Allows automatic inheritance of +# fabric-specific NCCL config without manual configuration. +ncclEnvPatterns: + - "NCCL_*" + - "FI_*" + - "LD_LIBRARY_PATH" + - "UCX_*" + - "TORCH_NCCL_*" + - "CUDA_DEVICE_ORDER" + +# Glob patterns for volume mount names to copy from the user's main +# containers to preflight init containers. Allows automatic inheritance of +# fabric-specific host mounts (EFA libs, TCPXO plugins, etc.). +volumeMountPatterns: + - "host-opt-amazon*" + - "host-libefa*" + - "host-libibverbs*" + - "amazon-efa*" + - "nvtcpxo-*" + - "nccl-*" + - "dev-shm" + +# Additional env vars appended to the preflight-nccl-allreduce init container +# AFTER user-container env vars are copied. Use for standalone testing or +# to override specific values. +ncclAllreduceExtraEnv: [] + +gpuResourceNames: + - "nvidia.com/gpu" + +# Network resource names to copy to init containers (RDMA, InfiniBand, etc.) +networkResourceNames: + - "nvidia.com/mlnxnics" + - "vpc.amazonaws.com/efa" + # GCP multi-network resources (TCPXO) + - "networking.gke.io.networks/gpu-nic0" + - "networking.gke.io.networks/gpu-nic0.IP" + - "networking.gke.io.networks/gpu-nic1" + - "networking.gke.io.networks/gpu-nic1.IP" + - "networking.gke.io.networks/gpu-nic2" + - "networking.gke.io.networks/gpu-nic2.IP" + - "networking.gke.io.networks/gpu-nic3" + - "networking.gke.io.networks/gpu-nic3.IP" + - "networking.gke.io.networks/gpu-nic4" + - "networking.gke.io.networks/gpu-nic4.IP" + - "networking.gke.io.networks/gpu-nic5" + - "networking.gke.io.networks/gpu-nic5.IP" + - "networking.gke.io.networks/gpu-nic6" + - "networking.gke.io.networks/gpu-nic6.IP" + - "networking.gke.io.networks/gpu-nic7" + - "networking.gke.io.networks/gpu-nic7.IP" + +# Gang discovery configuration for multi-node preflight checks. +# Default (empty): K8s 1.35+ native WorkloadRef API +# For PodGroup-based schedulers, set name and other fields: +gangDiscovery: {} + # name: "volcano" + # annotationKeys: ["scheduling.k8s.io/group-name"] + # labelKeys: [] # optional fallback + # podGroupGVR: + # group: "scheduling.volcano.sh" + # version: "v1beta1" + # resource: "podgroups" + # minCountExpr: "podGroup.spec.minMember" # CEL expression + +# Gang coordination configuration for multi-node checks (e.g., nccl-allreduce) +gangCoordination: + # Enable gang coordination (required for gang-wide checks) + enabled: true + # Maximum time to wait for all gang members to register + timeout: "10m" + # Port for PyTorch distributed TCP bootstrap (torchrun) + masterPort: 29500 + # Path where gang ConfigMap is mounted in init containers + configMapMountPath: "/etc/preflight" + # NCCL topology ConfigMap name — required for Azure InfiniBand. + # Without this, NCCL cannot map GPUs to IB HCAs and falls back to TCP. + # Set explicitly to use a pre-existing ConfigMap, or use ncclTopoShape + # to auto-create one from the chart's bundled topology files. + ncclTopoConfigMap: "" + # VM shape for auto-creating the NCCL topology ConfigMap (IB only). + # Supported: "ndv4", "ndv5" (files shipped in charts/preflight/files/). + # When set, a ConfigMap is created from files/-topo.xml and + # ncclTopoConfigMap is auto-resolved to its name. + ncclTopoShape: "" + + # Optional hostPath mounts injected into gang-aware preflight init containers. + # Fabric-specific; set via overlay files (e.g. values-mnnvl-efa.yaml). + extraHostPathMounts: [] + + # Mount pre-existing pod volumes into preflight init containers. + # Does NOT create new volumes — only adds volumeMounts for volumes already + # present in the pod (e.g. injected by a platform webhook). + # Fabric-specific; set via overlay files (e.g. values-tcpxo.yaml). + extraVolumeMounts: [] + + # Automatically mirror pod-level DRA resource claims (spec.resourceClaims) + # to preflight init containers' resources.claims. This ensures init + # containers get the same device access as main containers: GPUs, RDMA + # NICs, IMEX channels (GB200 MNNVL), etc. See ADR-026 §DRA Integration. + # Defaults to true when omitted. + # mirrorResourceClaims: true + +# Label-based namespace selection +# Enable preflight in a namespace: kubectl label namespace nvsentinel.nvidia.com/preflight=enabled +namespaceSelector: + matchLabels: + nvsentinel.nvidia.com/preflight: "enabled" + +networkPolicy: + enabled: true diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/Chart.yaml new file mode 100644 index 00000000..54c9d869 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: Monitors Slurm NodeSet pods for external drain conditions and publishes + health events +name: slurm-drain-monitor +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/_helpers.tpl new file mode 100644 index 00000000..55c900c8 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "slurm-drain-monitor.name" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "slurm-drain-monitor.fullname" -}} +{{- "slurm-drain-monitor" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "slurm-drain-monitor.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "slurm-drain-monitor.labels" -}} +helm.sh/chart: {{ include "slurm-drain-monitor.chart" . }} +{{ include "slurm-drain-monitor.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "slurm-drain-monitor.selectorLabels" -}} +app.kubernetes.io/name: {{ include "slurm-drain-monitor.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/clusterrole.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/clusterrole.yaml new file mode 100644 index 00000000..4cf64620 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/clusterrole.yaml @@ -0,0 +1,29 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "slurm-drain-monitor.fullname" . }} + labels: + {{- include "slurm-drain-monitor.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/clusterrolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..fc5b2b87 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/clusterrolebinding.yaml @@ -0,0 +1,28 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "slurm-drain-monitor.fullname" . }} + labels: + {{- include "slurm-drain-monitor.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "slurm-drain-monitor.fullname" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "slurm-drain-monitor.fullname" . }} + apiGroup: rbac.authorization.k8s.io diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/configmap.yaml new file mode 100644 index 00000000..4a547294 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/configmap.yaml @@ -0,0 +1,40 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "slurm-drain-monitor.fullname" . }} + labels: + {{- include "slurm-drain-monitor.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "-1" +data: + slurm-drain-monitor.toml: | + namespace = {{ .Values.namespace | quote }} + labelSelector = {{ .Values.labelSelector | quote }} + reasonDelimiter = {{ .Values.reasonDelimiter | quote }} + {{- range .Values.patterns }} + + [[patterns]] + name = {{ .name | quote }} + regex = {{ .regex | quote }} + checkName = {{ .checkName | quote }} + componentClass = {{ .componentClass | quote }} + isFatal = {{ .isFatal }} + {{- if .message }} + message = {{ .message | quote }} + {{- end }} + recommendedAction = {{ .recommendedAction | quote }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/deployment.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/deployment.yaml new file mode 100644 index 00000000..f0aa48e8 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/deployment.yaml @@ -0,0 +1,107 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "slurm-drain-monitor.fullname" . }} + labels: + {{- include "slurm-drain-monitor.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "slurm-drain-monitor.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "slurm-drain-monitor.labels" . | nindent 8 }} + spec: + {{- if .Values.global }} + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + serviceAccountName: {{ include "slurm-drain-monitor.fullname" . }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default ((.Values.global).image).tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - "--config-path=/config/slurm-drain-monitor.toml" + - "--platform-connector-socket=unix://{{ ((.Values.global).socketPath) | default "/var/run/nvsentinel.sock" }}" + - "--metrics-bind-address=:{{ ((.Values.global).metricsPort) | default 2112 }}" + - "--health-probe-bind-address=:8081" + - "--max-concurrent-reconciles={{ .Values.maxConcurrentReconciles }}" + - "--resync-period={{ .Values.resyncPeriod }}" + - "--processing-strategy={{ .Values.processingStrategy }}" + resources: + {{- toYaml .Values.resources | nindent 12 }} + ports: + - name: metrics + containerPort: {{ ((.Values.global).metricsPort) | default 2112 }} + - name: health + containerPort: 8081 + livenessProbe: + httpGet: + path: /healthz + port: health + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /readyz + port: health + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + env: + - name: LOG_LEVEL + value: "{{ .Values.logLevel }}" + volumeMounts: + - name: config + mountPath: /config + readOnly: true + - name: socket + mountPath: /var/run + volumes: + - name: config + configMap: + name: {{ include "slurm-drain-monitor.fullname" . }} + {{- range .Values.volumes }} + - {{- toYaml . | nindent 10 }} + {{- end }} + {{- with ((.Values.global).systemNodeSelector | default .Values.nodeSelector) }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with ((.Values.global).affinity | default .Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with ((.Values.global).systemNodeTolerations | default .Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/serviceaccount.yaml new file mode 100644 index 00000000..22921883 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/templates/serviceaccount.yaml @@ -0,0 +1,20 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "slurm-drain-monitor.fullname" . }} + labels: + {{- include "slurm-drain-monitor.labels" . | nindent 4 }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/values.yaml new file mode 100644 index 00000000..6539c400 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/slurm-drain-monitor/values.yaml @@ -0,0 +1,68 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for slurm-drain-monitor. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +logLevel: info + +image: + repository: ghcr.io/nvidia/nvsentinel/slurm-drain-monitor + pullPolicy: IfNotPresent + tag: "" + +podAnnotations: {} + +maxConcurrentReconciles: 1 +resyncPeriod: 5m + +# Top-level config fields for the TOML configuration +namespace: slurm +labelSelector: "app.kubernetes.io/name=slurmd,app.kubernetes.io/component=worker" +reasonDelimiter: "; " + +# Patterns to match against Slurm drain reasons. +# Each pattern is rendered as a [[patterns]] TOML table. +patterns: + - name: slurm-healthcheck + regex: '^\[HC\]' + checkName: SlurmHealthCheck + componentClass: NODE + isFatal: false + message: "" + recommendedAction: CONTACT_SUPPORT + +resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + memory: 256Mi + +volumes: + - name: socket + hostPath: + path: /var/run/nvsentinel + type: DirectoryOrCreate + +# Processing strategy for health events +# valid values: EXECUTE_REMEDIATION, STORE_ONLY +# default: EXECUTE_REMEDIATION +# EXECUTE_REMEDIATION: normal behavior; downstream modules may update cluster state. +# STORE_ONLY: observability-only behavior; event should be persisted/exported but should not modify cluster resources (i.e., no node conditions, no quarantine, no drain, no remediation). +processingStrategy: EXECUTE_REMEDIATION diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/.helmignore b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/Chart.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/Chart.yaml new file mode 100644 index 00000000..387270d6 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 1.16.0 +description: A Helm chart for the Syslog Health Monitor +name: syslog-health-monitor +type: application +version: 0.1.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/templates/_helpers.tpl new file mode 100644 index 00000000..f39a2cf5 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/templates/_helpers.tpl @@ -0,0 +1,240 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "syslog-health-monitor.name" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "syslog-health-monitor.fullname" -}} +{{- "syslog-health-monitor" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "syslog-health-monitor.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "syslog-health-monitor.labels" -}} +helm.sh/chart: {{ include "syslog-health-monitor.chart" . }} +{{ include "syslog-health-monitor.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "syslog-health-monitor.selectorLabels" -}} +app.kubernetes.io/name: {{ include "syslog-health-monitor.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +DaemonSet template that can be customized for kata or regular mode. +Usage: include "syslog-health-monitor.daemonset" (dict "root" . "kataMode" true) +*/}} +{{- define "syslog-health-monitor.daemonset" }} +{{- $root := .root -}} +{{- $kataMode := .kataMode -}} +{{- $suffix := ternary "kata" "regular" $kataMode -}} +{{- $kataLabel := ternary "true" "false" $kataMode -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "syslog-health-monitor.fullname" $root }}-{{ $suffix }} + labels: + {{- include "syslog-health-monitor.labels" $root | nindent 4 }} +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 5% + selector: + matchLabels: + {{- include "syslog-health-monitor.selectorLabels" $root | nindent 6 }} + nvsentinel.dgxc.nvidia.com/kata: {{ $kataLabel | quote }} + template: + metadata: + {{- with $root.Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "syslog-health-monitor.selectorLabels" $root | nindent 8 }} + nvsentinel.dgxc.nvidia.com/kata: {{ $kataLabel | quote }} + spec: + {{- with $root.Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: syslog-health-monitor + securityContext: + runAsUser: 0 + capabilities: + add: ["SYSLOG", "SYS_ADMIN"] + image: "{{ $root.Values.image.repository }}:{{ $root.Values.image.tag | default (($root.Values.global).image).tag | default $root.Chart.AppVersion }}" + imagePullPolicy: {{ $root.Values.image.pullPolicy }} + args: + - "--polling-interval" + - "15s" + - "--metrics-port" + - "{{ $root.Values.global.metricsPort }}" + - "--kata-enabled" + - {{ $kataLabel | quote }} + {{- if $root.Values.xidSideCar.enabled }} + - "--xid-analyser-endpoint" + - "http://localhost:8080" + {{- end }} + - "--checks" + - "{{ join "," $root.Values.enabledChecks }}" + - "--metadata-path" + - "{{ $root.Values.global.metadataPath }}" + - "--processing-strategy" + - "{{ $root.Values.processingStrategy }}" + resources: + {{- toYaml $root.Values.resources | nindent 12 }} + ports: + - name: metrics + containerPort: {{ $root.Values.global.metricsPort }} + livenessProbe: + httpGet: + path: /metrics + port: {{ $root.Values.global.metricsPort }} + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 3 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /metrics + port: {{ $root.Values.global.metricsPort }} + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: LOG_LEVEL + value: "{{ $root.Values.logLevel }}" + volumeMounts: + - name: var-run-vol + mountPath: /var/run/ + - name: syslog-state-vol + mountPath: /var/run/syslog_health_monitor + - name: metadata-vol + mountPath: /var/lib/nvsentinel + readOnly: true + {{- if $kataMode }} + # Kata mode: Mount systemd journal for accessing host logs + - name: host-journal + mountPath: /nvsentinel/var/log/journal + readOnly: true + - name: host-systemd + mountPath: /run/systemd/journal + readOnly: true + - name: host-machine-id + mountPath: /etc/machine-id + readOnly: true + {{- else }} + # Regular mode: Mount journal from user-defined host path + - name: var-log-vol + mountPath: /nvsentinel/var/log + readOnly: true + {{- end }} + - name: proc-vol + mountPath: /nvsentinel/proc + readOnly: true + - name: sys-vol + mountPath: /nvsentinel/sys + readOnly: true + {{- if $root.Values.xidSideCar.enabled }} + - name: xid-analyzer-sidecar + image: {{ $root.Values.xidSideCar.image.repository }}:{{ $root.Values.xidSideCar.image.tag }} + imagePullPolicy: {{ $root.Values.xidSideCar.image.pullPolicy }} + ports: + - name: http-api + containerPort: 8080 + protocol: TCP + resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "500m" + env: + - name: PORT + value: "8080" + {{- end }} + volumes: + - name: var-run-vol + hostPath: + path: /var/run/nvsentinel + type: DirectoryOrCreate + - name: syslog-state-vol + hostPath: + path: /var/run/syslog_health_monitor + type: DirectoryOrCreate + - name: metadata-vol + hostPath: + path: /var/lib/nvsentinel + type: DirectoryOrCreate + {{- if $kataMode }} + # Kata mode: Systemd journal volumes for host log access + - name: host-journal + hostPath: + path: /var/log/journal + type: Directory + - name: host-systemd + hostPath: + path: /run/systemd/journal + type: Directory + - name: host-machine-id + hostPath: + path: /etc/machine-id + type: File + {{- else }} + # Regular mode: Mount journal from user-defined host path + - name: var-log-vol + hostPath: + path: {{ $root.Values.journalHostPath }} + type: Directory + {{- end }} + - name: sys-vol + hostPath: + path: /sys + type: Directory + - name: proc-vol + hostPath: + path: /proc + type: Directory + nodeSelector: + nvsentinel.dgxc.nvidia.com/driver.installed: "true" + nvsentinel.dgxc.nvidia.com/kata.enabled: {{ $kataLabel | quote }} + {{- with ($root.Values.global.nodeSelector | default $root.Values.nodeSelector) }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with ($root.Values.global.affinity | default $root.Values.affinity) }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with ($root.Values.global.tolerations | default $root.Values.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/templates/daemonset-kata.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/templates/daemonset-kata.yaml new file mode 100644 index 00000000..20f9d068 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/templates/daemonset-kata.yaml @@ -0,0 +1,16 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "syslog-health-monitor.daemonset" (dict "root" . "kataMode" true) }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/templates/daemonset-regular.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/templates/daemonset-regular.yaml new file mode 100644 index 00000000..f7e22289 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/templates/daemonset-regular.yaml @@ -0,0 +1,16 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "syslog-health-monitor.daemonset" (dict "root" . "kataMode" false) }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/values.yaml new file mode 100644 index 00000000..8624bc13 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/charts/syslog-health-monitor/values.yaml @@ -0,0 +1,59 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +image: + repository: ghcr.io/nvidia/nvsentinel/syslog-health-monitor + pullPolicy: IfNotPresent + tag: "" + +podAnnotations: {} + +resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 128Mi + +enabledChecks: + - SysLogsXIDError + - SysLogsSXIDError + - SysLogsGPUFallenOff + +# XID (GPU error) analyzer sidecar configuration +xidSideCar: + # Enable XID analyzer sidecar for enhanced GPU error analysis + enabled: false + image: + repository: "" + tag: "" + pullPolicy: IfNotPresent + +# Scheduling configuration +nodeSelector: {} +affinity: {} +tolerations: [] + +# Customize this if your journal is stored in a non-standard location +journalHostPath: /var/log + +logLevel: info + +# Processing strategy for health events +# valid values: EXECUTE_REMEDIATION, STORE_ONLY +# default: EXECUTE_REMEDIATION +# EXECUTE_REMEDIATION: normal behavior; downstream modules may update cluster state. +# STORE_ONLY: observability-only behavior; event should be persisted/exported but should not modify cluster resources (i.e., no node conditions, no quarantine, no drain, no remediation). +processingStrategy: EXECUTE_REMEDIATION \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/files/node-condition-cleanup.sh b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/files/node-condition-cleanup.sh new file mode 100644 index 00000000..f5aae471 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/files/node-condition-cleanup.sh @@ -0,0 +1,113 @@ +#!/bin/bash +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e + +if [ -z "$DEPRECATED_CONDITIONS" ]; then + echo "No deprecated conditions configured" + exit 0 +fi + +IFS=',' read -ra conditions <<< "$DEPRECATED_CONDITIONS" +echo "Node Condition Cleanup: Removing ${conditions[*]}" + +nodes=$(kubectl get nodes -o jsonpath='{.items[*].metadata.name}') +node_count=$(echo "$nodes" | wc -w | tr -d ' ') +echo "Processing $node_count nodes (up to 5 in parallel)..." + +process_node() { + local node=$1 + local -r MAX_RETRIES=3 + local -r BASE_DELAY=0.1 + local retry=0 + + while true; do + # Fetch current conditions (refetch on each retry to resolve conflicts) + local current_conditions + current_conditions=$(kubectl get node "$node" -o json 2>/dev/null | jq -c '.status.conditions // []' 2>/dev/null || echo "[]") + + if [ "$current_conditions" = "[]" ]; then + if [ $retry -eq 0 ]; then + echo "- $node: no conditions found" + fi + return 0 + fi + + # Check if any deprecated conditions exist and filter them out + local filtered_conditions="$current_conditions" + local found_conditions=() + + for condition in "${conditions[@]}"; do + # Check if this condition exists using jq -e (exit code based) + if echo "$current_conditions" | jq -e --arg type "$condition" 'any(.[]; .type == $type)' >/dev/null 2>&1; then + found_conditions+=("$condition") + filtered_conditions=$(echo "$filtered_conditions" | jq --arg type "$condition" '[.[] | select(.type != $type)]' 2>/dev/null || echo "$filtered_conditions") + fi + done + + if [ ${#found_conditions[@]} -eq 0 ]; then + return 0 + fi + + # Attempt to patch the node with the freshly computed filtered conditions + local patch_output + if patch_output=$(kubectl patch node "$node" --type=json \ + -p="[{\"op\":\"replace\",\"path\":\"/status/conditions\",\"value\":$filtered_conditions}]" \ + --subresource=status 2>&1); then + echo "✓ $node: removed ${#found_conditions[@]} condition(s): ${found_conditions[*]}" + return 0 + fi + + # Check if this is a conflict error that warrants retry + if echo "$patch_output" | grep -qi "conflict"; then + retry=$((retry + 1)) + + if [ $retry -lt $MAX_RETRIES ]; then + local delay=$(awk "BEGIN {print $BASE_DELAY * (2 ^ ($retry - 1))}") + sleep "$delay" + continue + fi + + echo "⚠ $node: conflict persists after $MAX_RETRIES attempts - $patch_output" + return 1 + fi + + # Non-retriable error + echo "⚠ $node: patch failed - $patch_output" + return 1 + done +} + +active_jobs=0 +max_parallel=5 +processed=0 + +for node in $nodes; do + process_node "$node" & + active_jobs=$((active_jobs + 1)) + processed=$((processed + 1)) + + if [ $active_jobs -ge $max_parallel ]; then + wait -n 2>/dev/null || true + active_jobs=$((active_jobs - 1)) + fi + + if [ $((processed % 10)) -eq 0 ]; then + echo "[$processed/$node_count nodes started]" + fi +done + +wait +echo "Cleanup completed for $node_count nodes" diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/policies/README.md b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/policies/README.md new file mode 100644 index 00000000..e5eaf4dd --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/policies/README.md @@ -0,0 +1,278 @@ +# NVSentinel Image Admission Policies + +This directory contains Kubernetes admission policies for enforcing supply chain security of NVSentinel container images in your cluster. These policies ensure that only verified NVSentinel images with valid SLSA Build Provenance attestations can be deployed. + +## Current Status: Warn Mode Only + +**⚠️ Important:** The image admission policy is currently configured in **warn mode** due to a known compatibility issue: + +- **Issue**: NVSentinel attestations are created by GitHub Actions `actions/attest-build-provenance@v3`, which generates Sigstore bundle format v0.3 +- **Limitation**: Sigstore Policy Controller 0.10.5 (current latest version) cannot read bundle format v0.3 - it only supports v0.1 and v0.2 +- **Impact**: While attestations exist and are valid (verifiable manually with `cosign` CLI), the Policy Controller cannot validate them in-cluster +- **Current Configuration**: Policy runs in `mode: warn` - logs validation warnings but allows all images to deploy +- **Future Plan**: Policy will be switched to `mode: enforce` once Policy Controller adds support for bundle format v0.3 + +To track Policy Controller v0.3 support, see: [sigstore/policy-controller](https://github.com/sigstore/policy-controller/issues/1895) + +## Scope + +**Important:** These policies are designed to be used **only in the `nvsentinel` namespace** and **only apply to official NVSentinel images** from `ghcr.io/nvidia/nvsentinel/**`. + +- ✅ **Verified**: Images matching `ghcr.io/nvidia/nvsentinel/**` with valid attestations +- ✅ **Allowed**: All other images (third-party dependencies, sidecar containers, etc.) +- ✅ **Allowed**: Development images (e.g., `localhost:5001/*`) +- ❌ **Blocked**: NVSentinel images without valid SLSA attestations + +This ensures the policy doesn't interfere with other workloads in the namespace while still protecting NVSentinel deployments. + +## Prerequisites + +These policies require [Sigstore Policy Controller](https://docs.sigstore.dev/policy-controller/overview/) to be installed in your cluster. The Policy Controller version is managed centrally in `.versions.yaml` at the repository root. + +```bash +# Install Policy Controller using the latest release +kubectl apply -f https://github.com/sigstore/policy-controller/releases/latest/download/policy-controller.yaml + +# Verify installation +kubectl -n cosign-system get pods +``` + +Alternatively, you can install using Helm (recommended for production): + +```bash +helm repo add sigstore https://sigstore.github.io/helm-charts +helm repo update + +# Get the version from .versions.yaml +POLICY_CONTROLLER_VERSION=$(yq eval '.cluster.policy_controller' .versions.yaml) + +# Install specific version +helm install policy-controller sigstore/policy-controller \ + -n cosign-system \ + --create-namespace \ + --version "${POLICY_CONTROLLER_VERSION}" +``` + +## Namespace Configuration + +By default, Policy Controller operates in **opt-in** mode. Label the `nvsentinel` namespace to enforce policies: + +```bash +# Enable policy enforcement for the nvsentinel namespace +kubectl label namespace nvsentinel policy.sigstore.dev/include=true +``` + +**Important Configuration:** + +To ensure only NVSentinel images are subject to verification (allowing third-party images like databases, monitoring tools, etc.), configure the `no-match-policy`: + +```bash +kubectl create configmap config-policy-controller \ + -n cosign-system \ + --from-literal=no-match-policy=allow \ + --dry-run=client -o yaml | kubectl apply -f - +``` + +This allows images that don't match any `ClusterImagePolicy` pattern to run without verification. + +## Policies + +Two `ClusterImagePolicy` policies are provided to enforce different levels of image verification: + +### 1. SLSA Build Provenance Policy + +The [must-have-slsa.yaml](must-have-slsa.yaml) file verifies that NVSentinel container images have valid SLSA Build Provenance attestations: + +- **Scope**: All pods using `ghcr.io/nvidia/nvsentinel/**` images +- **Verification**: + - Checks for SLSA v1 provenance attestations + - Validates attestations are signed by the official GitHub Actions workflow + - Ensures images are built from the official NVIDIA/NVSentinel repository + - Uses keyless signing with Sigstore (GitHub Actions OIDC tokens via Fulcio) + - Verifies signatures in Rekor transparency log +- **Policy Language**: Uses CUE for attestation validation +- **Current Mode**: Running in `mode: warn` (see "Current Status" section above) + +**Key Features:** +- **Keyless Verification**: Uses GitHub Actions OIDC identity without managing keys +- **Transparency**: All signatures recorded in Rekor public transparency log +- **SLSA Provenance**: Validates build metadata including repository, workflow, and build parameters +- **Bundle Format**: Attestations stored in Sigstore bundle format v0.3 with push-to-registry +- **Regex Matching**: Supports both branch refs (`refs/heads/*`) and tag refs (`refs/tags/*`) + +### 2. SBOM Attestation Policy + +The [must-have-sbom.yaml](must-have-sbom.yaml) file verifies that NVSentinel container images have both: +- **SLSA Build Provenance attestations** (as above) +- **SBOM (Software Bill of Materials) attestations** in CycloneDX format + +This policy provides additional supply chain security by ensuring all image components are documented. + +**Multi-platform Support:** +- Both policies support multi-platform images (linux/amd64, linux/arm64) +- Each platform has its own attestations +- Policy Controller automatically verifies the platform-specific digest matching the node architecture + +## Installation + +Apply one of the policies to your cluster: + +```bash +# Apply SLSA-only policy +kubectl apply -f must-have-slsa.yaml + +# OR apply SLSA + SBOM policy (more restrictive) +kubectl apply -f must-have-sbom.yaml +``` + +Verify the policy is active: + +```bash +kubectl get clusterimagepolicy +kubectl describe clusterimagepolicy verify-nvsentinel-image-attestation +``` + +## Manual Image Verification + +To verify any NVSentinel image manually using Cosign CLI: + +### Cosign CLI + +```shell +export IMAGE="ghcr.io/nvidia/nvsentinel/fault-quarantine" +export DIGEST="sha256:850e8fd35bc6b9436fc9441c055ba0f7e656fb438320e933b086a34d35d09fd6" + +cosign verify-attestation "${IMAGE}@${DIGEST}" \ + --type https://slsa.dev/provenance/v1 \ + --certificate-identity-regexp '^https://github\.com/NVIDIA/NVSentinel/\.github/workflows/publish\.yml@refs/(heads|tags)/' \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + | jq -r '.payload' | base64 -d | jq . +``` + +### What's being verified + +SLSA attestations generated by GitHub Actions `actions/attest-build-provenance@v3` are stored with the image in the OCI registry as Sigstore bundle format v0.3. The above command will verify: + +* ✅ **Issuer**: https://token.actions.githubusercontent.com +* ✅ **Subject**: The GitHub Actions workflow identity (NVIDIA/NVSentinel/.github/workflows/publish.yml) +* ✅ **Transparency log**: Uses Rekor for verification +* ✅ **SLSA predicate**: Validates the attestation content matches SLSA Provenance v1 format +* ✅ **Build metadata**: Verifies the build came from NVIDIA/NVSentinel repository +* ✅ **Bundle format**: Attestations stored in Sigstore bundle format v0.3 (readable by cosign CLI) + +## Testing the Policy + +### Test with a valid NVSentinel image: + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: test-nvsentinel-valid + namespace: nvsentinel # Must be labeled with policy.sigstore.dev/include=true +spec: + containers: + - name: fault-quarantine + image: ghcr.io/nvidia/nvsentinel/fault-quarantine@sha256:850e8fd35bc6b9436fc9441c055ba0f7e656fb438320e933b086a34d35d09fd6 +``` + +This should be **allowed** if the image has valid attestations signed by the official workflow. + +### Test with an unsigned or unverified image: + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: test-nvsentinel-invalid + namespace: nvsentinel-system +spec: + containers: + - name: fault-quarantine + image: ghcr.io/nvidia/nvsentinel/fault-quarantine:latest +``` + +This should be **blocked** with an error message about missing or invalid attestations. + +## Policy Modes + +### Warn Mode (Current Default) + +The policy currently runs in warn mode due to bundle format v0.3 incompatibility (see "Current Status" section above). Images that fail verification are still deployed, but warnings are logged: + +```yaml +spec: + mode: warn # Current configuration + images: + - glob: "ghcr.io/nvidia/nvsentinel/**" +``` + +In warn mode: +- Images that fail verification are still deployed +- Warning events are logged and visible in pod events +- Provides visibility into which images would be validated once v0.3 support is added +- Useful for monitoring without blocking deployments + +### Enforce Mode (Future) + +Once Policy Controller adds support for bundle format v0.3, the policy will be switched to enforce mode to block any images that fail verification: + +```yaml +spec: + # mode: enforce # Will be enabled when v0.3 support is added + images: + - glob: "ghcr.io/nvidia/nvsentinel/**" + # ... rest of the policy +``` + +In enforce mode: +- Images without valid attestations are blocked +- Deployment attempts fail with detailed error messages +- Recommended for production environments once compatibility is resolved + +## Configuring No-Match Behavior + +Configure what happens when an image doesn't match any policy using the `config-policy-controller` ConfigMap: + +```bash +kubectl create configmap config-policy-controller -n cosign-system \ + --from-literal=no-match-policy=deny +``` + +Options: +- `deny` (recommended): Block images that don't match any policy +- `warn`: Allow but log warnings for unmatched images +- `allow`: Allow all unmatched images (not recommended for production) + +## Advanced Configuration + +### Debug Mode + +Enable verbose logging in Policy Controller: + +```bash +kubectl set env deployment/policy-controller -n cosign-system POLICY_CONTROLLER_LOG_LEVEL=debug +``` + +View detailed logs: +```bash +kubectl logs -n cosign-system deployment/policy-controller -f +``` + +### Testing Without Enforcement + +When you need to test without blocking images: + +1. **Switch policy to warn mode temporarily** - Edit the ClusterImagePolicy and add `mode: warn` +2. **Remove namespace label to disable enforcement** - `kubectl label namespace nvsentinel policy.sigstore.dev/include-` +3. **Use a separate test namespace** - Create a namespace without the enforcement label + +## Additional Resources + +- [NVSentinel Security Documentation](../../../SECURITY.md) +- [NVSentinel Attestations](https://github.com/NVIDIA/NVSentinel/attestations) +- [Sigstore Policy Controller Documentation](https://docs.sigstore.dev/policy-controller/overview/) +- [ClusterImagePolicy API Reference](https://github.com/sigstore/policy-controller/blob/main/docs/api-types/index-v1beta1.md) +- [SLSA Build Provenance](https://slsa.dev/provenance/) +- [Sigstore](https://www.sigstore.dev/) +- [Cosign](https://docs.sigstore.dev/cosign/overview/) diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/policies/must-have-sbom.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/policies/must-have-sbom.yaml new file mode 100644 index 00000000..fa3817b6 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/policies/must-have-sbom.yaml @@ -0,0 +1,91 @@ +--- +# ClusterImagePolicy for verifying NVSentinel container images +# +# SCOPE: This policy ONLY applies to images matching ghcr.io/nvidia/nvsentinel/** +# - Other images in the namespace are NOT verified or blocked +# - Development images (localhost:*) are NOT subject to this policy +# - Third-party images (databases, sidecars, etc.) are NOT affected +# +# This policy uses Sigstore Policy Controller to verify that NVSentinel images +# have valid SBOM (CycloneDX) attestations signed by the official GitHub Actions +# workflow using keyless signing. +# +# Note: SLSA Build Provenance verification is handled separately by +# must-have-slsa.yaml policy. +# +# Multi-platform support: +# - Images are built for linux/amd64 and linux/arm64 +# - Each platform has its own attestations +# - Policy Controller automatically verifies the platform-specific digest +# that matches the node architecture +# +# Configuration required: +# 1. Label namespace: kubectl label namespace nvsentinel policy.sigstore.dev/include=true +# 2. Configure no-match-policy to allow non-matching images: +# kubectl create configmap config-policy-controller -n cosign-system \ +# --from-literal=no-match-policy=allow --dry-run=client -o yaml | kubectl apply -f - +apiVersion: policy.sigstore.dev/v1beta1 +kind: ClusterImagePolicy +metadata: + name: verify-nvsentinel-sbom + annotations: + description: >- + Verifies that NVSentinel container images have valid SBOM attestations + signed by the official GitHub Actions workflow. Ensures images have proper + Software Bill of Materials documentation before allowing them to run in the + cluster. Only applies to ghcr.io/nvidia/nvsentinel/** images. + category: Supply Chain Security + severity: high +spec: + # WARN MODE: Currently in warn mode due to bundle format v0.3 incompatibility + # Policy Controller 0.10.5 cannot read Sigstore bundle format v0.3 + # Both SLSA and SBOM attestations have the same issue + # Will be changed to enforce mode when Policy Controller adds v0.3 support + mode: warn + + # Match ONLY official NVSentinel images from GHCR + # This glob pattern ensures only NVSentinel images are verified + # All other images (third-party, development, etc.) are not affected + images: + - glob: "ghcr.io/nvidia/nvsentinel/**" + + # Define the authorities that can sign the images + authorities: + - name: github-actions-keyless + keyless: + # Use public Sigstore Fulcio instance + url: https://fulcio.sigstore.dev + # Match the GitHub Actions OIDC identity + # Matches both branch refs (refs/heads/*) and tag refs (refs/tags/*) + identities: + - issuer: https://token.actions.githubusercontent.com + subjectRegExp: ^https://github\.com/NVIDIA/NVSentinel/\.github/workflows/publish\.yml@refs/(heads|tags)/ + # Use public Sigstore Rekor instance for transparency log + ctlog: + url: https://rekor.sigstore.dev + # Validate SBOM attestation only + attestations: + # SBOM (Software Bill of Materials) - verifies components are documented + - name: sbom-cyclonedx + # Cosign uses this predicate type for CycloneDX SBOMs + predicateType: https://cyclonedx.org/bom + policy: + type: cue + data: | + // Validate this is a CycloneDX SBOM + predicateType: "https://cyclonedx.org/bom" + + // Validate SBOM has required fields + predicate: { + // Must have bomFormat and specVersion + bomFormat: "CycloneDX" + specVersion: =~"^1\\." + + // Must have at least one component listed + components: [...{ + // Each component should have a name + name: string + // Components should have types (library, application, etc.) + type: string + }] + } diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/policies/must-have-slsa.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/policies/must-have-slsa.yaml new file mode 100644 index 00000000..17c81296 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/policies/must-have-slsa.yaml @@ -0,0 +1,86 @@ +--- +# ClusterImagePolicy for verifying NVSentinel container images +# +# SCOPE: This policy ONLY applies to images matching ghcr.io/nvidia/nvsentinel/** +# - Other images in the namespace are NOT verified or blocked +# - Development images (localhost:*) are NOT subject to this policy +# - Third-party images (databases, sidecars, etc.) are NOT affected +# +# This policy uses Sigstore Policy Controller to verify that NVSentinel images +# have valid SLSA Build Provenance attestations signed by the official +# GitHub Actions workflow using keyless signing with Fulcio/Rekor. +# +# Configuration required: +# 1. Label namespace: kubectl label namespace nvsentinel policy.sigstore.dev/include=true +# 2. Configure no-match-policy to allow non-matching images: +# kubectl create configmap config-policy-controller -n cosign-system \ +# --from-literal=no-match-policy=allow --dry-run=client -o yaml | kubectl apply -f - +apiVersion: policy.sigstore.dev/v1beta1 +kind: ClusterImagePolicy +metadata: + name: verify-nvsentinel-slsa + annotations: + description: >- + Verifies that NVSentinel container images have valid SLSA Build + Provenance attestations signed by the official GitHub Actions workflow. + Ensures images were built from the official NVIDIA/NVSentinel repository + with proper attestations before allowing them to run in the cluster. + Only applies to ghcr.io/nvidia/nvsentinel/** images. + category: Supply Chain Security + severity: high +spec: + # WARN MODE: Currently in warn mode due to bundle format v0.3 incompatibility + # Policy Controller 0.10.5 cannot read Sigstore bundle format v0.3 + # Will be changed to enforce mode when Policy Controller adds v0.3 support + mode: warn + + # Match ONLY official NVSentinel images from GHCR + # This glob pattern ensures only NVSentinel images are verified + # All other images (third-party, development, etc.) are not affected + images: + - glob: "ghcr.io/nvidia/nvsentinel/**" + + # Define the authorities that can sign the images + authorities: + - name: github-actions-keyless + keyless: + # Use public Sigstore Fulcio instance + url: https://fulcio.sigstore.dev + # Match the GitHub Actions OIDC identity + # Matches both branch refs (refs/heads/*) and tag refs (refs/tags/*) + identities: + - issuer: https://token.actions.githubusercontent.com + subjectRegExp: ^https://github\.com/NVIDIA/NVSentinel/\.github/workflows/publish\.yml@refs/(heads|tags)/ + # Use public Sigstore Rekor instance for transparency log + ctlog: + url: https://rekor.sigstore.dev + # Validate SLSA Build Provenance attestations + attestations: + - name: slsa-provenance + predicateType: https://slsa.dev/provenance/v1 + policy: + type: cue + data: | + // Validate the builder is the official GitHub Actions workflow + predicateType: "https://slsa.dev/provenance/v1" + predicate: buildDefinition: { + buildType: "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1" + externalParameters: { + workflow: { + ref: =~"^refs/(heads|tags)/" + repository: "https://github.com/NVIDIA/NVSentinel" + } + } + internalParameters: { + github: { + event_name: "push" | "workflow_dispatch" | "release" + } + } + } + + // Validate the source repository + predicate: runDetails: { + builder: { + id: =~"^https://github.com/NVIDIA/NVSentinel/" + } + } diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/NOTES.txt b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/NOTES.txt new file mode 100644 index 00000000..4d5df51a --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/NOTES.txt @@ -0,0 +1 @@ +NVSentinel has been successfully deployed diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/_helpers.tpl b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/_helpers.tpl new file mode 100644 index 00000000..9bde522d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/_helpers.tpl @@ -0,0 +1,138 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "nvsentinel.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nvsentinel.fullname" -}} +{{- "platform-connectors" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nvsentinel.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "nvsentinel.labels" -}} +helm.sh/chart: {{ include "nvsentinel.chart" . }} +{{ include "nvsentinel.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nvsentinel.selectorLabels" -}} +app.kubernetes.io/name: {{ include "nvsentinel.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "nvsentinel.serviceAccountName" -}} +{{- include "nvsentinel.fullname" . }} +{{- end }} + +{{/* +Audit logging init container +*/}} +{{- define "nvsentinel.auditLogging.initContainer" -}} +- name: fix-audit-log-permissions + image: "{{ .Values.global.initContainerImage.repository }}:{{ .Values.global.initContainerImage.tag }}" + imagePullPolicy: {{ .Values.global.initContainerImage.pullPolicy }} + securityContext: + runAsUser: 0 + command: + - sh + - -c + - | + chown 65532:65532 /var/log/nvsentinel + chmod 770 /var/log/nvsentinel + volumeMounts: + - name: audit-logs + mountPath: /var/log/nvsentinel +{{- end }} + +{{/* +Audit logging volume mount for container +*/}} +{{- define "nvsentinel.auditLogging.volumeMount" -}} +- name: audit-logs + mountPath: /var/log/nvsentinel +{{- end }} + +{{/* +Audit logging volume definition +*/}} +{{- define "nvsentinel.auditLogging.volume" -}} +- name: audit-logs + hostPath: + path: /var/log/nvsentinel + type: DirectoryOrCreate +{{- end }} + +{{/* +Audit logging environment variables +*/}} +{{- define "nvsentinel.auditLogging.envVars" -}} +- name: AUDIT_ENABLED + value: "{{ .Values.global.auditLogging.enabled }}" +- name: AUDIT_LOG_REQUEST_BODY + value: "{{ .Values.global.auditLogging.logRequestBody }}" +- name: AUDIT_LOG_MAX_SIZE_MB + value: "{{ .Values.global.auditLogging.maxSizeMB }}" +- name: AUDIT_LOG_MAX_BACKUPS + value: "{{ .Values.global.auditLogging.maxBackups }}" +- name: AUDIT_LOG_MAX_AGE_DAYS + value: "{{ .Values.global.auditLogging.maxAgeDays }}" +- name: AUDIT_LOG_COMPRESS + value: "{{ .Values.global.auditLogging.compress }}" +{{- end }} + +{{/* +MongoDB client certificate secret name +*/}} +{{- define "nvsentinel.certificates.secretName" -}} +{{- if and .Values.global.datastore .Values.global.datastore.certificates .Values.global.datastore.certificates.secretName -}} +{{ .Values.global.datastore.certificates.secretName }} +{{- else -}} +mongo-app-client-cert-secret +{{- end -}} +{{- end -}} + +{{/* +MongoDB client certificate volume items +Maps configurable source keys to standard destination paths +*/}} +{{- define "nvsentinel.certificates.volumeItems" -}} +{{- $certKey := "tls.crt" -}} +{{- $keyKey := "tls.key" -}} +{{- $caKey := "ca.crt" -}} +{{- if and .Values.global.datastore .Values.global.datastore.certificates -}} + {{- $certKey = .Values.global.datastore.certificates.certKey | default "tls.crt" -}} + {{- $keyKey = .Values.global.datastore.certificates.keyKey | default "tls.key" -}} + {{- $caKey = .Values.global.datastore.certificates.caKey | default "ca.crt" -}} +{{- end -}} +items: + - key: {{ $certKey }} + path: tls.crt + - key: {{ $keyKey }} + path: tls.key + - key: {{ $caKey }} + path: ca.crt +{{- end -}} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/certmanager-postgresql.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/certmanager-postgresql.yaml new file mode 100644 index 00000000..a41d9699 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/certmanager-postgresql.yaml @@ -0,0 +1,89 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if or (eq .Values.global.clusterType "standalone") (eq .Values.global.clusterType "mgmt") }} +{{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: postgresql-ca-issuer + namespace: {{ .Release.Namespace }} +spec: + ca: + secretName: postgresql-root-ca-secret +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-ca-issuer + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: postgresql-root-ca + namespace: {{ .Release.Namespace }} +spec: + isCA: true + commonName: postgresql-root-ca + secretName: postgresql-root-ca-secret + duration: 87600h # 10 years + renewBefore: 720h # 30 days before expiration + privateKey: + algorithm: RSA + size: 4096 + issuerRef: + name: selfsigned-ca-issuer + kind: Issuer +--- +# PostgreSQL Server Certificate +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: postgresql-server-cert + namespace: {{ .Release.Namespace }} +spec: + secretName: postgresql-server-cert + duration: 8760h # 1 year + renewBefore: 360h # 15 days before expiration + commonName: postgresql + dnsNames: + - postgresql + - {{ printf "%s-postgresql.%s.svc.cluster.local" .Release.Name .Release.Namespace }} + - {{ printf "%s-postgresql.%s.svc" .Release.Name .Release.Namespace }} + - {{ printf "postgresql.%s.svc.cluster.local" .Release.Namespace }} + - {{ printf "postgresql.%s.svc" .Release.Namespace }} + issuerRef: + name: postgresql-ca-issuer + kind: Issuer +--- +# PostgreSQL Client Certificate +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: postgresql-client-cert + namespace: {{ .Release.Namespace }} +spec: + secretName: postgresql-client-cert + duration: 8760h # 1 year + renewBefore: 360h # 15 days before expiration + commonName: postgresql + issuerRef: + name: postgresql-ca-issuer + kind: Issuer +{{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/clusterrole.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/clusterrole.yaml new file mode 100644 index 00000000..a47651cc --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/clusterrole.yaml @@ -0,0 +1,58 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "nvsentinel.fullname" . }} + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - get + - patch + - update + - list +- apiGroups: + - "" + resources: + - events + verbs: + - create + - update + - list +- apiGroups: + - "" + resources: + - pods/eviction + verbs: + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/clusterrolebinding.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..90d62529 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/clusterrolebinding.yaml @@ -0,0 +1,28 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "nvsentinel.fullname" . }} + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "nvsentinel.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "nvsentinel.fullname" . }} + namespace: {{ .Release.Namespace }} + diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/configmap-datastore.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/configmap-datastore.yaml new file mode 100644 index 00000000..42d2dea7 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/configmap-datastore.yaml @@ -0,0 +1,108 @@ +{{/* +Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.global.datastore }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-datastore-config + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} +data: + datastore.yaml: | + provider: {{ .Values.global.datastore.provider | quote }} + connection: + host: {{ .Values.global.datastore.connection.host | quote }} + port: {{ .Values.global.datastore.connection.port | default 5432 }} + database: {{ .Values.global.datastore.connection.database | quote }} + {{- if .Values.global.datastore.connection.username }} + username: {{ .Values.global.datastore.connection.username | quote }} + {{- end }} + {{- if .Values.global.datastore.connection.sslmode }} + sslmode: {{ .Values.global.datastore.connection.sslmode | quote }} + {{- end }} + {{- if .Values.global.datastore.connection.sslcert }} + sslcert: {{ .Values.global.datastore.connection.sslcert | quote }} + {{- end }} + {{- if .Values.global.datastore.connection.sslkey }} + sslkey: {{ .Values.global.datastore.connection.sslkey | quote }} + {{- end }} + {{- if .Values.global.datastore.connection.sslrootcert }} + sslrootcert: {{ .Values.global.datastore.connection.sslrootcert | quote }} + {{- end }} + {{- if .Values.global.datastore.connection.extraParams }} + extraParams: + {{- toYaml .Values.global.datastore.connection.extraParams | nindent 8 }} + {{- end }} + {{- if .Values.global.datastore.options }} + options: + {{- toYaml .Values.global.datastore.options | nindent 6 }} + {{- end }} + + # Environment variables for components + DATASTORE_PROVIDER: {{ .Values.global.datastore.provider | quote }} + DATASTORE_HOST: {{ .Values.global.datastore.connection.host | quote }} + DATASTORE_PORT: {{ .Values.global.datastore.connection.port | default 5432 | quote }} + DATASTORE_DATABASE: {{ .Values.global.datastore.connection.database | quote }} + {{- if .Values.global.datastore.connection.username }} + DATASTORE_USERNAME: {{ .Values.global.datastore.connection.username | quote }} + {{- end }} + {{- if .Values.global.datastore.connection.sslmode }} + DATASTORE_SSLMODE: {{ .Values.global.datastore.connection.sslmode | quote }} + {{- end }} + {{- if .Values.global.datastore.connection.sslcert }} + DATASTORE_SSLCERT: {{ .Values.global.datastore.connection.sslcert | quote }} + {{- end }} + {{- if .Values.global.datastore.connection.sslkey }} + DATASTORE_SSLKEY: {{ .Values.global.datastore.connection.sslkey | quote }} + {{- end }} + {{- if .Values.global.datastore.connection.sslrootcert }} + DATASTORE_SSLROOTCERT: {{ .Values.global.datastore.connection.sslrootcert | quote }} + {{- end }} + + # Certificate rotation configuration (MongoDB only) + # When enabled, client certificates can be rotated without restarting pods + {{- if eq .Values.global.datastore.provider "mongodb" }} + MONGODB_ENABLE_CERT_ROTATION: {{ .Values.global.certificateRotationEnabled | default false | quote }} + {{- end }} + + # Legacy MongoDB environment variables for backward compatibility + # These are set for all providers to support legacy code paths that still use the old config system + {{- if eq .Values.global.datastore.provider "mongodb" }} + {{- $mongodbURI := printf "mongodb://%s:%d/" .Values.global.datastore.connection.host (int (.Values.global.datastore.connection.port | default 27017)) }} + {{- if .Values.global.datastore.connection.extraParams }} + {{- $params := list }} + {{- range $key, $value := .Values.global.datastore.connection.extraParams }} + {{- $params = append $params (printf "%s=%s" $key $value) }} + {{- end }} + {{- $mongodbURI = printf "%s?%s" $mongodbURI (join "&" $params) }} + {{- end }} + MONGODB_URI: {{ $mongodbURI | quote }} + {{- else }} + # For non-MongoDB datastores, set empty MongoDB URI + MONGODB_URI: "" + {{- end }} + MONGODB_DATABASE_NAME: {{ .Values.global.datastore.connection.database | quote }} + {{- if .Values.global.datastore.connection.collection }} + MONGODB_COLLECTION_NAME: {{ .Values.global.datastore.connection.collection | quote }} + {{- else }} + MONGODB_COLLECTION_NAME: "health_events" + {{- end }} + {{- if .Values.global.datastore.connection.tokenCollection }} + MONGODB_TOKEN_COLLECTION_NAME: {{ .Values.global.datastore.connection.tokenCollection | quote }} + {{- else }} + MONGODB_TOKEN_COLLECTION_NAME: "ResumeTokens" + {{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/configmap.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/configmap.yaml new file mode 100644 index 00000000..b115fe46 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/configmap.yaml @@ -0,0 +1,71 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nvsentinel.fullname" . }} + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} +data: + config.json: | + { + "enableK8sPlatformConnector": "{{ .Values.platformConnector.k8sConnector.enabled }}", + "K8sConnectorQps": {{ printf "%.2f" .Values.platformConnector.k8sConnector.qps }}, + "K8sConnectorBurst": {{ .Values.platformConnector.k8sConnector.burst }}, + "MaxNodeConditionMessageLength": {{ .Values.platformConnector.k8sConnector.maxNodeConditionMessageLength }}, + "CompactedHealthEventMsgLen": {{ .Values.platformConnector.k8sConnector.compactedHealthEventMsgLen }}, + "StoreConnectorMaxRetries": {{ .Values.platformConnector.mongodbStore.maxRetries }}, + "enableMongoDBStorePlatformConnector": "{{ .Values.global.mongodbStore.enabled }}", + "enablePostgresDBStorePlatformConnector": {{ if and .Values.global.datastore .Values.global.datastore.provider }}{{ eq .Values.global.datastore.provider "postgresql" | quote }}{{ else }}"false"{{ end }} + {{- with .Values.platformConnector.pipeline }} + ,"pipeline": {{ . | toJson }} + {{- end }} + } + {{- if .Values.platformConnector.transformers.MetadataAugmentor }} + metadata.toml: | + cacheSize = {{ .Values.platformConnector.transformers.MetadataAugmentor.cacheSize }} + cacheTTL = "{{ .Values.platformConnector.transformers.MetadataAugmentor.cacheTTLSeconds }}s" + {{- with .Values.platformConnector.transformers.MetadataAugmentor.allowedLabels }} + allowedLabels = {{ . | toJson }} + {{- end }} + {{- end }} + {{- if .Values.platformConnector.transformers.OverrideTransformer }} + overrides.toml: | + {{- $overrideEnabled := false }} + {{- range .Values.platformConnector.pipeline }} + {{- if eq .name "OverrideTransformer" }} + {{- $overrideEnabled = .enabled }} + {{- end }} + {{- end }} + enabled = {{ $overrideEnabled }} + {{- range .Values.platformConnector.transformers.OverrideTransformer.rules }} + + [[rules]] + name = {{ .name | quote }} + when = {{ .when | quote }} + override = { {{- $pairs := list -}} + {{- if hasKey .override "isFatal" -}} + {{- $pairs = append $pairs (printf "isFatal = %v" .override.isFatal) -}} + {{- end -}} + {{- if hasKey .override "isHealthy" -}} + {{- $pairs = append $pairs (printf "isHealthy = %v" .override.isHealthy) -}} + {{- end -}} + {{- if .override.recommendedAction -}} + {{- $pairs = append $pairs (printf "recommendedAction = %q" .override.recommendedAction) -}} + {{- end -}} + {{- $pairs | join ", " -}} + } + {{- end }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/daemonset.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/daemonset.yaml new file mode 100644 index 00000000..f9691141 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/daemonset.yaml @@ -0,0 +1,219 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "nvsentinel.fullname" . }} + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 5% + selector: + matchLabels: + {{- include "nvsentinel.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + {{- with .Values.platformConnector.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + labels: + {{- include "nvsentinel.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "nvsentinel.serviceAccountName" . }} + {{- if .Values.global.auditLogging.enabled }} + securityContext: + fsGroup: 65532 + {{- end }} + {{- if or .Values.global.auditLogging.enabled (and .Values.platformConnector.postgresqlStore.clientCertMountPath .Values.global.datastore (eq .Values.global.datastore.provider "postgresql")) }} + initContainers: + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.initContainer" . | nindent 8 }} + {{- end }} + {{- if and .Values.platformConnector.postgresqlStore.clientCertMountPath .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + - name: fix-cert-permissions + image: "{{ .Values.global.initContainerImage.repository }}:{{ .Values.global.initContainerImage.tag }}" + imagePullPolicy: {{ .Values.global.initContainerImage.pullPolicy }} + securityContext: + runAsUser: 0 + command: + - sh + - -c + - | + echo "Copying PostgreSQL client certificates with correct permissions..." + cp /etc/ssl/client-certs-original/tls.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/ca.crt /etc/ssl/client-certs-fixed/ + cp /etc/ssl/client-certs-original/tls.key /etc/ssl/client-certs-fixed/ + chmod 644 /etc/ssl/client-certs-fixed/tls.crt + chmod 644 /etc/ssl/client-certs-fixed/ca.crt + chmod 600 /etc/ssl/client-certs-fixed/tls.key + echo "Certificate permissions fixed:" + ls -la /etc/ssl/client-certs-fixed/ + volumeMounts: + - name: postgresql-client-cert-original + mountPath: /etc/ssl/client-certs-original + readOnly: true + - name: client-certs-fixed + mountPath: /etc/ssl/client-certs-fixed + {{- end }} + {{- end }} + containers: + - name: platform-connector + image: "{{ .Values.platformConnector.image.repository }}:{{ .Values.platformConnector.image.tag | default .Values.global.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.platformConnector.image.pullPolicy }} + securityContext: + runAsUser: 0 + capabilities: + drop: + - ALL + ports: + - name: metrics + containerPort: {{ .Values.global.metricsPort }} + startupProbe: + httpGet: + path: /healthz + port: metrics + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 30 + livenessProbe: + httpGet: + path: /healthz + port: metrics + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: metrics + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + args: + - "--config=/etc/config/config.json" + - "--metrics-port={{ .Values.global.metricsPort }}" + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + {{- if .Values.platformConnector.postgresqlStore.clientCertMountPath }} + - "--database-client-cert-mount-path={{ .Values.platformConnector.postgresqlStore.clientCertMountPath }}" + {{- else }} + - "--tls-enabled=false" + {{- end }} + {{- else }} + {{- if .Values.platformConnector.mongodbStore.clientCertMountPath }} + - "--mongo-client-cert-mount-path={{ .Values.platformConnector.mongodbStore.clientCertMountPath }}" + {{- else }} + - "--tls-enabled=false" + {{- end }} + {{- end }} + - "--socket={{ .Values.socketPath }}" + resources: + {{- toYaml .Values.platformConnector.resources | nindent 12 }} + volumeMounts: + - name: var-run-vol + mountPath: /var/run + - name: platform-connector-configmap + mountPath: /etc/config/ + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + {{- if .Values.platformConnector.postgresqlStore.clientCertMountPath }} + - name: client-certs-fixed + mountPath: {{ .Values.platformConnector.postgresqlStore.clientCertMountPath }} + readOnly: true + {{- end }} + {{- else }} + {{- if .Values.platformConnector.mongodbStore.clientCertMountPath }} + - name: mongo-app-client-cert + mountPath: {{ .Values.platformConnector.mongodbStore.clientCertMountPath }} + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.volumeMount" . | nindent 12 }} + {{- end }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: LOG_LEVEL + value: "{{ .Values.platformConnector.logLevel }}" + # App name for connection identification in logs and currentOp + - name: APP_NAME + value: "platform-connector" + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.envVars" . | nindent 12 }} + {{- end }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + {{- if .Values.platformConnector.postgresqlStore.clientCertMountPath }} + - name: POSTGRESQL_CLIENT_CERT_MOUNT_PATH + value: {{ .Values.platformConnector.postgresqlStore.clientCertMountPath }} + {{- end }} + {{- else }} + {{- if .Values.platformConnector.mongodbStore.clientCertMountPath }} + - name: MONGODB_CLIENT_CERT_MOUNT_PATH + value: {{ .Values.platformConnector.mongodbStore.clientCertMountPath }} + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ if .Values.global.datastore }}{{ .Release.Name }}-datastore-config{{ else }}mongodb-config{{ end }} + optional: true + volumes: + - name: var-run-vol + hostPath: + path: /var/run/nvsentinel + type: DirectoryOrCreate + - name: platform-connector-configmap + configMap: + name: {{ include "nvsentinel.fullname" . }} + {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }} + {{- if .Values.platformConnector.postgresqlStore.clientCertMountPath }} + - name: postgresql-client-cert-original + secret: + secretName: postgresql-client-cert + optional: false + - name: client-certs-fixed + emptyDir: {} + {{- end }} + {{- else }} + {{- if .Values.platformConnector.mongodbStore.clientCertMountPath }} + - name: mongo-app-client-cert + secret: + secretName: {{ include "nvsentinel.certificates.secretName" . }} + {{- include "nvsentinel.certificates.volumeItems" . | nindent 12 }} + optional: true + {{- end }} + {{- end }} + {{- if .Values.global.auditLogging.enabled }} + {{- include "nvsentinel.auditLogging.volume" . | nindent 8 }} + {{- end }} + {{- with (.Values.global.tolerations | default .Values.platformConnector.tolerations) }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/networkpolicy.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/networkpolicy.yaml new file mode 100644 index 00000000..fe1ef645 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/networkpolicy.yaml @@ -0,0 +1,43 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: metrics-access + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} +spec: + podSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - incluster-file-server + policyTypes: + - Ingress + ingress: + - ports: + - protocol: TCP + port: {{ .Values.global.metricsPort }} + - protocol: TCP + port: 9216 # MongoDB metrics port + {{- if .Values.global.inclusterFileServer.enabled }} + - protocol: TCP + port: {{ .Values.global.inclusterFileServer.metricsPort }} + - protocol: TCP + port: {{ .Values.global.inclusterFileServer.cleanupMetricsPort }} + {{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/node-condition-cleanup-hook.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/node-condition-cleanup-hook.yaml new file mode 100644 index 00000000..f805ce92 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/node-condition-cleanup-hook.yaml @@ -0,0 +1,142 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ if .Values.nodeConditionCleanup.enabled }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup + namespace: {{ .Release.Namespace }} + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-weight: "-5" + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + argocd.argoproj.io/hook: PostSync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-weight: "-5" + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + argocd.argoproj.io/hook: PostSync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - patch + - apiGroups: + - "" + resources: + - nodes/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-weight: "-5" + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + argocd.argoproj.io/hook: PostSync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup +subjects: + - kind: ServiceAccount + name: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup + namespace: {{ .Release.Namespace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup + namespace: {{ .Release.Namespace }} + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-weight: "-5" + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + argocd.argoproj.io/hook: PostSync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +spec: + backoffLimit: 3 + activeDeadlineSeconds: 300 + template: + metadata: + labels: + {{- include "nvsentinel.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: node-condition-cleanup + spec: + serviceAccountName: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup + restartPolicy: OnFailure + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeConditionCleanup.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeConditionCleanup.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: cleanup + image: {{ .Values.nodeConditionCleanup.image.repository }}:{{ .Values.nodeConditionCleanup.image.tag }} + imagePullPolicy: {{ .Values.nodeConditionCleanup.image.pullPolicy }} + env: + - name: DEPRECATED_CONDITIONS + value: {{ .Values.nodeConditionCleanup.deprecatedConditions | join "," | quote }} + command: + - /bin/bash + - -c + - | +{{ .Files.Get "files/node-condition-cleanup.sh" | indent 10 }} + resources: + {{- toYaml .Values.nodeConditionCleanup.resources | nindent 10 }} + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 65534 + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault +{{- end }} \ No newline at end of file diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/podMonitor.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/podMonitor.yaml new file mode 100644 index 00000000..7c21d65d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/podMonitor.yaml @@ -0,0 +1,48 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +{{- if .Values.podMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: nvsentinel + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} + {{- with .Values.podMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchExpressions: + - { key: "app.kubernetes.io/instance", operator: In, values: [{{ .Release.Name | quote }}] } + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + podMetricsEndpoints: + - port: metrics + path: {{ .Values.podMonitor.metricsPath | default "/metrics" }} + {{- if .Values.podMonitor.interval }} + interval: {{ .Values.podMonitor.interval }} + {{- end }} + {{- if .Values.podMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.podMonitor.scrapeTimeout }} + {{- end }} + - port: cleanup-metrics + path: {{ .Values.podMonitor.metricsPath | default "/metrics" }} + {{- if .Values.podMonitor.interval }} + interval: {{ .Values.podMonitor.interval }} + {{- end }} + {{- if .Values.podMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.podMonitor.scrapeTimeout }} + {{- end }} +{{- end }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/serviceaccount.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/serviceaccount.yaml new file mode 100644 index 00000000..e7c598d1 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/templates/serviceaccount.yaml @@ -0,0 +1,19 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nvsentinel.fullname" . }} + labels: + {{- include "nvsentinel.labels" . | nindent 4 }} diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/values-full.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/values-full.yaml new file mode 100644 index 00000000..3a4efa03 --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/values-full.yaml @@ -0,0 +1,1466 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################ +# NVSentinel Complete Configuration Reference +# +# This file documents every possible configuration option for NVSentinel. +# All options are set to their default values unless otherwise noted. +# +# NVSentinel is a Kubernetes-native system for detecting, quarantining, +# and remediating node failures in GPU clusters. It consists of: +# +# - Health Monitors: Detect hardware and software failures +# - Fault Quarantine: Cordon and taint nodes with detected faults +# - Node Drainer: Gracefully evict workloads from failing nodes +# - Fault Remediation: Create maintenance resources to trigger node recovery +# - Janitor: Execute node reboots and terminations via cloud provider APIs +# +# For production use, enable the core modules and configure them for your +# specific environment. +################################################################################ + +################################################################################ +# GLOBAL CONFIGURATION +# +# Settings that apply to all NVSentinel components. +# These can be overridden per-module in their individual sections. +################################################################################ +global: + # Docker image configuration + image: + # Image tag to use for all NVSentinel containers + # Examples: "main" (latest development), "v1.0.0" (specific release) + # Leave empty to use the appVersion from Chart.yaml + tag: "main" + + # Metrics port for Prometheus scraping + # All components expose health and metrics endpoints on this port unless using ctrl-runtime mgmt + # Prometheus should scrape these endpoints to monitor NVSentinel + metricsPort: 2112 + + # Health Check port for healthz and readyz scraping + # This port is only used when using ctrl-runtime + # components expose health and metrics endpoints on this port + # Prometheus should scrape these endpoints to monitor NVSentinel + healthPort: 9440 + + # Dry-run mode - when enabled, all actions are logged but not executed + # Useful for: + # - Testing configuration changes safely + # - Validating rule behavior before production use + # - Debugging without affecting the cluster + # Components will log what they WOULD do but won't actually: + # - Cordon or taint nodes (fault-quarantine) + # - Evict or delete pods (node-drainer) + # - Create maintenance resources (fault-remediation) + # - Reboot or terminate nodes (janitor) + dryRun: false + + # Image pull secrets for private container registries + # Create these secrets in Kubernetes before installing NVSentinel: + # kubectl create secret docker-registry my-registry-secret \ + # --docker-server=myregistry.com \ + # --docker-username=myuser \ + # --docker-password=mypassword + # Then reference them here: + # imagePullSecrets: + # - name: my-registry-secret + imagePullSecrets: [] + + # Node selector for all NVSentinel workloads + # Used to constrain pods to nodes with specific labels + # Example - run only on nodes with label "nvsentinel=enabled": + # nodeSelector: + # nvsentinel: "enabled" + # Leave empty to allow scheduling on any node + nodeSelector: {} + + # Tolerations for all NVSentinel workloads + # Allows pods to schedule on nodes with matching taints + # Example - tolerate GPU nodes: + # tolerations: + # - key: "nvidia.com/gpu" + # operator: "Exists" + # effect: "NoSchedule" + # Leave empty for no tolerations + tolerations: [] + + # Affinity rules for all NVSentinel workloads + # Controls pod placement based on node properties or other pods + # Example - spread pods across availability zones: + # affinity: + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 100 + # podAffinityTerm: + # topologyKey: topology.kubernetes.io/zone + # Leave empty for no affinity rules + affinity: {} + + # Node selector for system components + # System components include: platform-connectors, fault-quarantine, + # node-drainer, fault-remediation (control plane workloads) + # Example - run system components on control plane nodes: + # systemNodeSelector: + # node-role.kubernetes.io/control-plane: "" + # Leave empty to use same as global nodeSelector + systemNodeSelector: {} + + # Tolerations for system components + # Allows system pods to run on tainted nodes (like control plane) + # Example - tolerate control plane taint: + # systemNodeTolerations: + # - key: "node-role.kubernetes.io/control-plane" + # operator: "Exists" + # effect: "NoSchedule" + # Leave empty to use same as global tolerations + systemNodeTolerations: [] + + ################################################################################ + # MODULE ENABLE/DISABLE FLAGS + # + # Control which NVSentinel components are deployed. + # For production, typically enable all modules except healthEventsAnalyzer. + ################################################################################ + + # GPU Health Monitor - monitors GPU hardware health via DCGM + # Detects: XID errors, thermal issues, ECC errors, memory errors, NVLink failures + # Requires: NVIDIA GPU Operator with DCGM installed + gpuHealthMonitor: + enabled: true + + # Health Events Analyzer - analyzes patterns in health events + # Provides insights and recommendations based on historical data + # Requires: MongoDB store enabled + healthEventsAnalyzer: + enabled: false + + # Fault Quarantine Module - cordons/taints nodes with detected faults + # Prevents new workloads from scheduling on failing nodes + # Uses rule-based evaluation to determine when to quarantine + # Requires: MongoDB store enabled + faultQuarantine: + enabled: false + + # Node Drainer Module - evicts workloads from quarantined nodes + # Gracefully terminates pods before node maintenance + # Supports multiple eviction strategies per namespace + # Requires: MongoDB store enabled, fault-quarantine enabled + nodeDrainer: + enabled: false + + # Fault Remediation Module - creates maintenance resources for node recovery + # Triggers janitor to reboot or terminate failing nodes + # Uses configurable templates for different remediation actions + # Requires: MongoDB store enabled, janitor enabled + faultRemediation: + enabled: false + + # Janitor Module - executes node reboots and terminations + # Integrates with cloud provider APIs to perform actual maintenance + # Supports: AWS, GCP, Azure, OCI, kind (for testing) + # Requires: Cloud provider credentials configured + janitor: + enabled: false + + # CSP Health Monitor - monitors cloud provider maintenance events + # Detects scheduled maintenance windows from cloud provider APIs + # Supports: GCP (Compute Engine), AWS (EC2) + # Requires: Cloud provider credentials configured + cspHealthMonitor: + enabled: false + + # Syslog Health Monitor - analyzes system logs for fault patterns + # Reads journalctl logs to detect kernel errors, driver issues + # Runs as DaemonSet on all nodes + # Requires: Access to host journalctl + syslogHealthMonitor: + enabled: true + # XID sidecar - parses NVIDIA XID errors from dmesg + # Extracts detailed XID error information + xidSideCar: + enabled: false + + # Labeler Module - applies labels to nodes based on capabilities + # Detects: Kata Containers support, node features + # Runs as Deployment to label all nodes in the cluster + labeler: + enabled: true + + # In-cluster File Server - HTTP server for log uploads + # Used by log-collector jobs to upload diagnostic bundles + # Only needed if fault-remediation log collection is enabled + inclusterFileServer: + enabled: false + # Metrics port for file server + metricsPort: 9001 + # Metrics port for cleanup job + cleanupMetricsPort: 9002 + + # MongoDB Store - database for health events + # Stores all health events from monitors + # Required by: fault-quarantine, node-drainer, fault-remediation + # Uses Bitnami MongoDB chart with TLS enabled + mongodbStore: + enabled: false + + # Event Exporter - exports health events to a remote endpoint + # Requires: MongoDB store enabled + eventExporter: + enabled: false + +################################################################################ +# PLATFORM CONNECTOR CONFIGURATION +# +# Central communication hub that receives health events from all monitors. +# Persists events to MongoDB and updates Kubernetes node status. +# This is the core component that connects health monitors to the remediation +# pipeline. +################################################################################ +platformConnector: + # Container image configuration + image: + repository: ghcr.io/nvidia/nvsentinel/platform-connectors + # Image pull policy - when to pull the image + # IfNotPresent: Only pull if not already present (recommended) + # Always: Always pull the latest image + # Never: Never pull, use local image only + pullPolicy: IfNotPresent + # Image tag override - leave empty to use global.image.tag + tag: "" + + # Resource limits and requests + # Limits: Maximum resources the pod can use + # Requests: Resources guaranteed to be available + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 200m + memory: 512Mi + + # Additional pod annotations + # Example - for Istio service mesh: + # podAnnotations: + # sidecar.istio.io/inject: "false" + podAnnotations: {} + + # Tolerations for platform-connector pods + # Used when global.tolerations is not specified + tolerations: [] + + # Kubernetes connector configuration + # Handles updating Kubernetes node status and conditions + k8sConnector: + # Maximum length of the node condition message + # This is the maximum length of the node condition message that will be stored in the Kubernetes node status + # If the node condition message is longer than this value, it will be truncated + # This is to prevent the node condition message from being too long and causing the Kubernetes node status to be too large + maxNodeConditionMessageLength: 1024 + # Maximum length of the compacted message prefix (before Recommended Action) per health event. + # Controls how much of the ErrorCode and entity identifiers (GPU, PCI, etc.) are preserved + # when messages are compacted to fit within maxNodeConditionMessageLength. + compactedHealthEventMsgLen: 72 + # Enable Kubernetes status updates + enabled: true + # Rate limiting for Kubernetes API calls + # QPS: Maximum queries per second to API server + qps: 5.0 + # Burst: Maximum burst size above QPS + burst: 10 + + # Health event transformers pipeline + # Transformers process health events before storage and propagation + # They execute in the order specified in the pipeline + pipeline: + # Metadata augmentor - enriches events with node labels and provider info + - name: MetadataAugmentor + enabled: false # Disabled by default + config: /etc/config/metadata.toml + + # Property overrides - uses CEL expressions to override event properties + - name: OverrideTransformer + enabled: false # Disabled by default + config: /etc/config/overrides.toml + + # Transformer-specific configurations + transformers: + # Metadata augmentor configuration + # Adds node labels and provider information to health events + MetadataAugmentor: + # LRU cache size for node metadata + # Higher values use more memory but reduce API calls + cacheSize: 50 + # Cache TTL in seconds (supports duration strings like "1h", "30m") + # How long to cache node metadata before refreshing + cacheTTLSeconds: 3600 + # Node labels to include in health event metadata + # Only these labels will be copied from nodes to events + # This allows CEL rules to match on topology, instance type, etc. + allowedLabels: + - "topology.kubernetes.io/zone" + - "topology.kubernetes.io/region" + - "node.kubernetes.io/instance-type" + - "nvidia.com/cuda.driver-version.major" + - "nvidia.com/cuda.driver-version.minor" + - "nvidia.com/cuda.driver-version.revision" + - "nvidia.com/cuda.driver-version.full" + - "nvidia.com/cuda.runtime-version.major" + - "nvidia.com/cuda.runtime-version.minor" + - "nvidia.com/cuda.runtime-version.full" + - "topology.k8s.aws/capacity-block-id" + - "topology.k8s.aws/network-node-layer-1" + - "topology.k8s.aws/network-node-layer-2" + - "topology.k8s.aws/network-node-layer-3" + - "oci.oraclecloud.com/host.id" + - "oci.oraclecloud.com/host.network_block_id" + - "oci.oraclecloud.com/host.rack_id" + - "oci.oraclecloud.com/host.serial_number" + - "cloud.google.com/gce-topology-block" + - "cloud.google.com/gce-topology-host" + - "cloud.google.com/gce-topology-subblock" + + # Property overrides configuration + # Uses CEL expressions to modify health event properties + # Allows operators to suppress errors or change recommended actions + OverrideTransformer: + # List of override rules (evaluated in order, first match wins) + rules: [] + # Example rule - suppress XID 109 errors: + # - name: "suppress-xid-109" + # when: 'event.agent == "syslog-health-monitor" && "109" in event.errorCode' + # override: + # isFatal: false + # recommendedAction: "NONE" + # + # Example rule - zone-specific override: + # - name: "zone-specific-override" + # when: 'event.metadata["topology.kubernetes.io/zone"] == "us-west1-a" && event.componentClass == "GPU"' + # override: + # isFatal: false + # recommendedAction: "CONTACT_SUPPORT" + +# Unix socket path for inter-process communication +# Health monitors connect to platform-connectors via this socket +# Must be accessible by both monitors and platform-connectors +socketPath: "/var/run/nvsentinel.sock" + +################################################################################ +# FAULT-QUARANTINE MODULE CONFIGURATION +# +# Watches MongoDB for health events and applies quarantine actions to nodes. +# Quarantine actions include: cordoning (preventing new pods) and tainting +# (repelling pods without tolerations). Also adds labels and annotations +# for tracking quarantine state. +################################################################################ +fault-quarantine: + # Number of pod replicas (recommend 1 for consistency) + replicaCount: 1 + + # Log level - controls verbosity of logging + # Options: debug, info, warn, error + # debug: Very verbose, includes all details + # info: Normal operations and important events + # warn: Warning conditions + # error: Error conditions only + logLevel: info + + # Container image configuration + image: + repository: ghcr.io/nvidia/nvsentinel/fault-quarantine + pullPolicy: IfNotPresent + tag: "" + + # Pod resource limits and requests + resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + + # Scheduling configuration + # These override global values if set + nodeSelector: {} + affinity: {} + tolerations: [] + podAnnotations: {} + + # Label prefix for node labels and annotations + # Used to create labels like: cordon-by, cordon-reason + # These labels track when and why nodes were quarantined + # Also used for uncordon tracking + labelPrefix: "k8saas.nvidia.com/" + + # Circuit breaker prevents quarantining too many nodes at once + # If the threshold is exceeded, new quarantines are blocked + # This prevents cascading failures from taking down the entire cluster + # State is persisted in a ConfigMap and survives restarts + circuitBreaker: + # Enable circuit breaker protection + enabled: true + # Maximum percentage of cluster nodes that can be cordoned + # Example: 50 means if 50% or more nodes are already cordoned, + # no new quarantines will be allowed + # Range: 1-100 + percentage: 50 + # Cooldown period after circuit breaker trips + # Circuit breaker waits this long before attempting to close again + # Even if node count drops below threshold during cooldown, it stays open + # Examples: "5m", "10m", "1h" + duration: "5m" + + # Quarantine rules define when and how to quarantine nodes + # Each rule has: + # - Match conditions: When the rule should trigger + # - Actions: What to do when conditions match (cordon, taint, label) + # Rules are evaluated in order for each health event + ruleSets: + # Example rule 1: Quarantine nodes with fatal GPU errors + - version: "1" + name: "GPU fatal error ruleset" + + # Match conditions - all must be true + match: + # Use 'all' for AND logic (all conditions must match) + # Use 'any' for OR logic (at least one condition must match) + all: + # Check health event properties + - kind: "HealthEvent" + # CEL expression with access to 'event' object + # Available fields: agent, componentClass, isFatal, nodeName, severity, etc. + expression: "event.agent == 'gpu-health-monitor' && event.componentClass == 'GPU' && event.isFatal == true" + + # Check node properties + - kind: "Node" + # CEL expression with access to 'node' object + # Available fields: node.metadata.labels, node.metadata.annotations, node.spec, etc. + # This checks if node is explicitly excluded from management + expression: | + !('k8saas.nvidia.com/ManagedByNVSentinel' in node.metadata.labels && node.metadata.labels['k8saas.nvidia.com/ManagedByNVSentinel'] == "false") + + # Actions to take when rule matches + # Cordon action - mark node as unschedulable + cordon: + # When true, sets node.spec.unschedulable=true + # Prevents new pods from being scheduled on the node + # Existing pods continue running + shouldCordon: true + + # Optional: Taint action - repel pods without matching tolerations + # Uncomment to enable tainting + # taint: + # # Taint key identifier + # key: "nvidia.com/gpu-error" + # # Taint value (additional context) + # value: "fatal" + # # Effect determines pod behavior: + # # NoSchedule: New pods without toleration won't schedule + # # PreferNoSchedule: Scheduler tries to avoid (soft version) + # # NoExecute: Existing pods without toleration are evicted + # effect: "NoSchedule" + + # Example rule 2: Quarantine nodes with CSP maintenance events + - version: "1" + name: "CSP health monitor fatal error ruleset" + match: + all: + - kind: "HealthEvent" + expression: "event.agent == 'csp-health-monitor' && event.checkName == 'CSPMaintenance' && event.isFatal == true" + - kind: "Node" + expression: | + !('k8saas.nvidia.com/ManagedByNVSentinel' in node.metadata.labels && node.metadata.labels['k8saas.nvidia.com/ManagedByNVSentinel'] == "false") + cordon: + shouldCordon: true + + # Example rule 3: Quarantine nodes with syslog errors + - version: "1" + name: "Syslog fatal error ruleset" + match: + all: + - kind: "HealthEvent" + expression: "event.agent == 'syslog-health-monitor' && event.componentClass == 'GPU' && event.isFatal == true" + - kind: "Node" + expression: | + !('k8saas.nvidia.com/ManagedByNVSentinel' in node.metadata.labels && node.metadata.labels['k8saas.nvidia.com/ManagedByNVSentinel'] == "false") + cordon: + shouldCordon: true + +################################################################################ +# NODE-DRAINER MODULE CONFIGURATION +# +# Evicts workloads from quarantined nodes to prepare for maintenance. +# Supports different eviction strategies per namespace: +# - Immediate: Evict right away +# - AllowCompletion: Wait for graceful termination +# - DeleteAfterTimeout: Wait for timeout, then force delete +################################################################################ +node-drainer: + # Number of pod replicas (recommend 1 for consistency) + replicaCount: 1 + + # Log level for debugging and monitoring + logLevel: info + + # Container image configuration + image: + repository: ghcr.io/nvidia/nvsentinel/node-drainer + pullPolicy: IfNotPresent + tag: "" + + # Pod resource limits and requests + resources: + limits: + cpu: "200m" + memory: "300Mi" + requests: + cpu: "200m" + memory: "300Mi" + + podAnnotations: {} + + # Eviction timeout in seconds + # Maximum time to wait for a pod to terminate gracefully + # After this timeout, pod may be force deleted (depends on eviction mode) + # Must be a positive integer + evictionTimeoutInSeconds: "60" + + # System namespaces regex pattern + # Pods in these namespaces are skipped during drain + # This protects critical infrastructure pods from eviction + # The pattern matches namespace names + systemNamespaces: "^(nvsentinel|kube-system|gpu-operator|gmp-system|network-operator|skyhook)$" + + # Delete timeout in minutes for DeleteAfterTimeout mode + # Calculated from health event creation time + # When timeout is reached, remaining pods are force deleted + # Used to prevent drains from waiting indefinitely + # Default: 60 minutes + deleteAfterTimeoutMinutes: 60 + + # NotReady timeout in minutes + # Time after which a pod in NotReady state is considered stuck + # Stuck pods are candidates for force deletion + # Helps identify and handle unhealthy pods that won't complete gracefully + # Default: 5 minutes + notReadyTimeoutMinutes: 5 + + # Namespace-specific eviction strategies + # Define how pods in different namespaces should be evicted + # Multiple rules can be defined with namespace patterns + userNamespaces: + # Match all user namespaces (not matched by systemNamespaces) + - name: "*" + # Eviction mode options: + # "Immediate": Evict pod immediately, don't wait for graceful termination + # Use for: Stateless apps, batch jobs + # "AllowCompletion": Wait for pod to complete gracefully + # Respects pod's terminationGracePeriodSeconds + # Use for: Long-running jobs, stateful apps + # "DeleteAfterTimeout": Wait for deleteAfterTimeoutMinutes + # Then force delete if still running + # Use for: Jobs that should complete but might hang + mode: "AllowCompletion" + + # Example: Immediate eviction for a specific namespace + # - name: "batch-jobs" + # mode: "Immediate" + + # Example: Delete after timeout for another namespace + # - name: "training-jobs" + # mode: "DeleteAfterTimeout" + + # If enabled, the node-drainer will only drain pods which are leveraging the GPU_UUID impacted entity in + # COMPONENT_RESET HealthEvents. If disabled, the node-drainer will drain all eligible pods + # on the impacted node for the configured namespaces regardless of the remediation action. + # HealthEvents with the COMPONENT_RESET remediation action must include an impacted entity for the + # unhealthy GPU_UUID or else the drain will fail. IMPORTANT: If this setting is enabled, the COMPONENT_RESET + # action in fault-remediation must map to a custom resource which takes action only against the GPU_UUID. + # If partial drain was enabled in node-drainer but fault-remediation mapped COMPONENT_RESET to a reboot + # action, pods which weren't drained would be restarted as part of the reboot. + partialDrainEnabled: false + +################################################################################ +# FAULT-REMEDIATION MODULE CONFIGURATION +# +# Creates maintenance CRDs (Custom Resource Definitions) to trigger node recovery. +# The janitor module watches these CRDs and performs actual cloud provider API +# calls to reboot or terminate nodes. +################################################################################ +fault-remediation: + # Number of pod replicas (recommend 1 for consistency) + replicaCount: 1 + + # Log level for debugging and monitoring + logLevel: info + + # Container image configuration + image: + repository: ghcr.io/nvidia/nvsentinel/fault-remediation + pullPolicy: IfNotPresent + tag: "" + + # Pod resource limits and requests + resources: + limits: + cpu: "200m" + memory: "300Mi" + requests: + cpu: "200m" + memory: "300Mi" + + # Scheduling configuration + nodeSelector: {} + affinity: {} + # Special tolerations - allow running on all nodes for log collection + tolerations: + - operator: "Exists" + podAnnotations: {} + + # Multi-template remediation configuration + # Allows different remediation actions to use different CRDs and operators + maintenance: + # Per-action remediation definitions + # Key is the RecommendedAction string (e.g., "COMPONENT_RESET", "RESTART_BM") + actions: + COMPONENT_RESET: + apiGroup: "janitor.dgxc.nvidia.com" + version: "v1alpha1" + kind: "RebootNode" + scope: "Cluster" + completeConditionType: "NodeReady" + templateFileName: "nvidia-reboot.yaml" + equivalenceGroup: "restart" + + # RESTART_VM is used as a fallback when GPU UUID is not available from metadata-collector. + RESTART_VM: + apiGroup: "janitor.dgxc.nvidia.com" + version: "v1alpha1" + kind: "RebootNode" + scope: "Cluster" + completeConditionType: "NodeReady" + templateFileName: "nvidia-reboot.yaml" + equivalenceGroup: "restart" + + # RESTART_BM is used for bare-metal node restarts. + RESTART_BM: + apiGroup: "janitor.dgxc.nvidia.com" + version: "v1alpha1" + kind: "RebootNode" + scope: "Cluster" + completeConditionType: "NodeReady" + templateFileName: "nvidia-reboot.yaml" + equivalenceGroup: "restart" + + # REPLACE_VM is used when the VM needs to be terminated and replaced. + REPLACE_VM: + apiGroup: "janitor.dgxc.nvidia.com" + version: "v1alpha1" + kind: "TerminateNode" + scope: "Cluster" + completeConditionType: "NodeTerminated" + templateFileName: "terminate-node.yaml" + equivalenceGroup: "terminate" + + # NOTE: Resource names for RBAC are generated by appending 's' to lowercase kind. + # This works for regular nouns but may fail for irregular plurals: + # RebootNode → rebootnodes (✓ correct) + # Policy → policys (✗ should be policies) + # Use CRD kinds that follow regular pluralization rules. + + # Template content for each remediation action + # Key matches the templateFileName name from actions above + templates: + "nvidia-reboot.yaml": | + apiVersion: janitor.dgxc.nvidia.com/v1alpha1 + kind: RebootNode + metadata: + name: maintenance-{{ .HealthEvent.NodeName }}-{{ .HealthEventID }} + labels: + app.kubernetes.io/managed-by: nvsentinel + spec: + nodeName: {{ .HealthEvent.NodeName }} + force: false + "terminate-node.yaml": | + apiVersion: janitor.dgxc.nvidia.com/v1alpha1 + kind: TerminateNode + metadata: + name: maintenance-{{ .HealthEvent.NodeName }}-{{ .HealthEventID }} + labels: + app.kubernetes.io/managed-by: nvsentinel + spec: + nodeName: {{ .HealthEvent.NodeName }} + force: false + # Additional template examples: + # "namespaced-restart.yaml": | + # apiVersion: remediation.example.com/v1alpha1 + # kind: RestartNode + # metadata: + # name: maintenance-{{ .NodeName }}-{{ .HealthEventID }} + # namespace: remediation + # labels: + # app.kubernetes.io/managed-by: nvsentinel + # spec: + # nodeName: {{ .NodeName }} + # ttlSecondsAfterFinished: 60 + + # Retry configuration for node annotation updates + # After creating maintenance resource, module updates node annotations + # These settings control retry behavior on failures (conflicts, network issues) + updateRetry: + # Maximum retry attempts + # After this many failures, the update is abandoned + maxRetries: 5 + + # Delay between retries in seconds + # Uses exponential backoff (delay increases each retry) + # First retry: retryDelaySeconds + # Second retry: retryDelaySeconds * 2 + # Third retry: retryDelaySeconds * 4, etc. + retryDelaySeconds: 10 + + # Log collector configuration + # When enabled, creates Kubernetes Jobs to collect diagnostic logs + # from failing nodes before they are rebooted or terminated + logCollector: + # Enable log collection feature + # When true, a log collector job is created for each node failure + # Logs are uploaded to the configured upload URL + enabled: false + + # Container image for log collector + image: + repository: ghcr.io/nvidia/nvsentinel/log-collector + pullPolicy: IfNotPresent + + # HTTP endpoint where logs will be uploaded + # Should be the incluster-file-server or external storage + # Logs are uploaded as tar.gz files + uploadURL: "http://nvsentinel-incluster-file-server.nvsentinel.svc.cluster.local/upload" + + # Namespaces where GPU operator components run + # Log collector will gather logs from these namespaces + # Can be multiple namespaces separated by commas + gpuOperatorNamespaces: "gpu-operator" + + # Enable GPU Operator must-gather collection (disabled by default) + # WARNING: must-gather collects logs from ALL nodes in the cluster, which can be very + # time-consuming for large clusters + # If enabling this, you MUST increase the timeout accordingly. + # Recommended timeout: ~2-3 minutes per node + enableGpuOperatorMustGather: false + + # Timeout for log collection job (default: 10m) + # If enableGpuOperatorMustGather is true, increase to: ~2-3 min per node in cluster + timeout: "10m" + + # Enable GCP-specific SOS report collection + # Requires running on GCP and appropriate permissions + enableGcpSosCollection: false + + # Enable AWS-specific SOS report collection + # Requires running on AWS and appropriate permissions + enableAwsSosCollection: false + +################################################################################ +# GPU-HEALTH-MONITOR CONFIGURATION +# +# Monitors GPU hardware health using NVIDIA DCGM (Data Center GPU Manager). +# Detects: XID errors, thermal throttling, ECC errors, memory errors, NVLink +# failures, and other GPU hardware faults. +# +# Requires: NVIDIA GPU Operator with DCGM deployed in the cluster +################################################################################ +gpu-health-monitor: + # Container image configuration + image: + repository: ghcr.io/nvidia/nvsentinel/gpu-health-monitor + pullPolicy: IfNotPresent + tag: "" + + # DCGM integration configuration + # DCGM must be running in the cluster (typically via GPU Operator) + dcgm: + # Enable DCGM Kubernetes service discovery + # When true, monitor connects to DCGM via Kubernetes service + # When false, must use host networking to connect to local DCGM + dcgmK8sServiceEnabled: true + + # DCGM service endpoint + service: + # Service endpoint in format: servicename.namespace.svc + # Default GPU Operator deployment uses: nvidia-dcgm.gpu-operator.svc + endpoint: "nvidia-dcgm.gpu-operator.svc" + + # DCGM service port + # Default DCGM port is 5555 + port: 5555 + + # Use host networking for GPU health monitor pods + # Required when: + # - DCGM is running as hostProcess (not as service) + # - Need direct access to host-level GPU metrics + # - dcgmK8sServiceEnabled is false + # Most deployments should use service-based access (false) + useHostNetworking: false + + # Additional volume mounts for GPU health monitor + # Use when monitor needs access to host files + # Example: + # additionalVolumeMounts: + # - name: custom-config + # mountPath: /etc/custom + # readOnly: true + additionalVolumeMounts: [] + + # Additional host volumes for GPU health monitor + # Use with additionalVolumeMounts to mount host paths + # Example: + # additionalHostVolumes: + # - name: custom-config + # hostPath: + # path: /etc/custom + # type: Directory + additionalHostVolumes: [] + + # Pod resource limits and requests + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 128Mi + + # Scheduling configuration + nodeSelector: {} + affinity: {} + tolerations: [] + podAnnotations: {} + +################################################################################ +# LABELER CONFIGURATION +# +# Labels nodes based on their capabilities and features. +# Currently detects: Kata Containers support +# Runs as Deployment to label all nodes in the cluster. +################################################################################ +labeler: + # Number of replicas for the labeler deployment + replicaCount: 1 + + # Log level for debugging + logLevel: info + + # Container image configuration + image: + repository: ghcr.io/nvidia/nvsentinel/labeler + pullPolicy: IfNotPresent + tag: "" + + podAnnotations: {} + + # Kata Containers detection configuration + # Labeler checks node labels to determine Kata support + # Sets output label: nvsentinel.dgxc.nvidia.com/kata.enabled + # + # Detection logic: + # 1. Check default label: katacontainers.io/kata-runtime + # 2. If kataLabelOverride is set, also check that label + # 3. Label value must be truthy: "true", "enabled", "1", or "yes" (case-insensitive) + # 4. Set output label to "true" if detected, "false" otherwise + # + # Use kataLabelOverride when: + # - Your cluster uses custom labels for Kata detection + # - You have additional Kata runtime indicators + # + # Example: 'io.katacontainers.config.runtime.oci_runtime' + # Leave empty to only check default label + kataLabelOverride: "" + + # Pod resource limits and requests + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + memory: 256Mi + +################################################################################ +# JANITOR CONFIGURATION +# +# Executes node reboots and terminations by calling cloud provider APIs. +# Watches maintenance CRDs created by fault-remediation and performs the +# actual infrastructure operations. +# +# Supports: AWS, GCP, Azure, OCI, kind (for testing), kwok (for testing) +################################################################################ +janitor: + # Number of pod replicas (recommend 1 for consistency) + replicaCount: 1 + + # Container image configuration + image: + repository: ghcr.io/nvidia/nvsentinel/janitor + pullPolicy: IfNotPresent + tag: "" + + # Kubernetes service account configuration + serviceAccount: + # Create service account + # Set to false if using an existing service account + create: true + + # Automatically mount service account token + automount: true + + # Annotations for service account + # Used for cloud provider identity (IRSA, Workload Identity, etc.) + # Examples: + # AWS IRSA: + # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/nvsentinel-janitor + # GCP Workload Identity: + # iam.gke.io/gcp-service-account: nvsentinel-janitor@PROJECT_ID.iam.gserviceaccount.com + # Azure Workload Identity: + # azure.workload.identity/client-id: "12345678-1234-1234-1234-123456789012" + annotations: {} + + # Service account name + # Leave empty to use generated name from chart + name: "" + + podAnnotations: {} + podLabels: {} + podSecurityContext: {} + securityContext: {} + + # Pod resource limits + # Default is no limits - set based on cluster size + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # Scheduling configuration + nodeSelector: {} + tolerations: [] + affinity: {} + + # Autoscaling configuration + # Not typically needed for janitor (low request rate) + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + + # Janitor controller configuration + config: + # Global timeout for all operations + # Used as default for controllers that don't specify their own + # Should account for cloud provider API call time + node boot time + # Format: duration string like "25m", "1h", "30s" + timeout: "25m" + + # Manual mode - when true, controllers don't send actual reboot/terminate signals + # Useful for testing without affecting infrastructure + # Controllers will create/update resources but won't call cloud provider APIs + manualMode: false + + # HTTP port for runtime configuration endpoint + # Exposes configuration and status information + httpPort: 8082 + + # Node exclusions - nodes matching these selectors are never rebooted/terminated + # Use to protect critical nodes from automated maintenance + # Supports both matchLabels and matchExpressions + nodes: + exclusions: [] + # Examples: + # Exclude control plane nodes: + # - matchLabels: + # node-role.kubernetes.io/control-plane: "" + # Exclude nodes with specific labels: + # - matchExpressions: + # - key: critical-workload + # operator: In + # values: + # - "true" + # - key: app + # operator: In + # values: + # - database + # - cache + + # Controller-specific configuration + controllers: + # Reboot node controller - handles RebootNode CRDs + rebootNode: + # Enable reboot node controller + enabled: true + + # Timeout for reboot operations + # Should account for: + # 1. Cloud provider API call time + # 2. Node shutdown time + # 3. Node boot time + # 4. Kubernetes node ready time + # Leave empty to use config.timeout + # + # Recommended values by platform: + # - AWS/Azure/OCI: "25m" (includes 5min API cooldown) + # - GCP: "20m" (faster API, tracks operation status) + # - kind/kwok: "5m" (for testing) + timeout: "25m" + + # Terminate node controller - handles TerminateNode CRDs + terminateNode: + # Enable terminate node controller + enabled: true + + # Timeout for terminate operations + # Should account for cloud provider API call time + # Termination is typically faster than reboot + # Leave empty to use config.timeout + timeout: "25m" + + # Cloud Service Provider (CSP) configuration + # Configure the provider that matches your Kubernetes cluster + csp: + # Provider type - select one: + # - kind: Local development with kind clusters (simulated operations) + # - kwok: Testing with kwok (simulated nodes) + # - aws: Amazon Web Services EKS clusters + # - gcp: Google Cloud Platform GKE clusters + # - azure: Microsoft Azure AKS clusters + # - oci: Oracle Cloud Infrastructure OKE clusters + provider: "kind" + + # AWS-specific configuration (only needed when provider=aws) + aws: + # AWS region where EKS cluster is running + # Required for EC2 API calls + # Examples: us-east-1, us-west-2, eu-west-1, ap-southeast-1 + region: "" + + # AWS Account ID (12-digit number) + # Required for IRSA (IAM Roles for Service Accounts) + # Example: "123456789012" + # Find with: aws sts get-caller-identity --query Account --output text + accountId: "" + + # IAM Role name for janitor service account + # Role must have ec2:RebootInstances and ec2:TerminateInstances permissions + # Example: "nvsentinel-janitor-role" + # Create with: aws iam create-role --role-name nvsentinel-janitor-role + # Attach policy: AmazonEC2FullAccess (or custom policy with reboot/terminate) + iamRoleName: "" + + # Setup steps for AWS: + # 1. Create IAM role with trust relationship to OIDC provider + # 2. Attach policy with ec2:RebootInstances permission + # 3. Annotate service account with role ARN + # 4. Janitor pods will use IRSA to assume the role + + # GCP-specific configuration (only needed when provider=gcp) + gcp: + # GCP project ID where GKE cluster is running + # Required for Compute Engine API calls + # Example: "my-gcp-project" + # Find with: gcloud config get-value project + project: "" + + # GCP zone where cluster nodes are located + # Required for instance operations + # Examples: us-central1-a, us-west1-b, europe-west1-c + # Find with: gcloud container clusters describe CLUSTER_NAME --region REGION + zone: "" + + # GCP Service Account email for Workload Identity + # Provide just the name (without @project.iam.gserviceaccount.com) + # Example: "nvsentinel-janitor" + # Full email will be: nvsentinel-janitor@PROJECT_ID.iam.gserviceaccount.com + # Service account must have compute.instances.reset permission + serviceAccount: "" + + # Setup steps for GCP: + # 1. Create GCP service account: gcloud iam service-accounts create nvsentinel-janitor + # 2. Grant role: gcloud projects add-iam-policy-binding PROJECT_ID \ + # --member serviceAccount:nvsentinel-janitor@PROJECT_ID.iam.gserviceaccount.com \ + # --role roles/compute.instanceAdmin.v1 + # 3. Bind Kubernetes SA to GCP SA: + # gcloud iam service-accounts add-iam-policy-binding \ + # nvsentinel-janitor@PROJECT_ID.iam.gserviceaccount.com \ + # --member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/janitor]" \ + # --role roles/iam.workloadIdentityUser + # 4. Annotate Kubernetes service account with GCP SA email + + # Azure-specific configuration (only needed when provider=azure) + azure: + # Azure subscription ID + # Required for Azure Resource Manager API calls + # Format: 8-4-4-4-12 UUID + # Find with: az account show --query id --output tsv + subscriptionId: "" + + # Azure resource group containing the AKS cluster + # Often auto-detected from node provider IDs + # If not auto-detected, specify manually + # Find with: az aks show --name CLUSTER_NAME --resource-group RG_NAME --query nodeResourceGroup + resourceGroup: "" + + # Azure region where AKS cluster is deployed + # Examples: eastus, westus2, westeurope, southeastasia + # Find with: az aks show --name CLUSTER_NAME --resource-group RG_NAME --query location + location: "" + + # Managed Identity Client ID for Workload Identity + # Format: 8-4-4-4-12 UUID + # Managed identity must have Virtual Machine Contributor role + # Find with: az identity show --name IDENTITY_NAME --resource-group RG_NAME --query clientId + clientId: "" + + # Setup steps for Azure: + # 1. Create managed identity: az identity create --name nvsentinel-janitor + # 2. Grant role: az role assignment create \ + # --assignee CLIENT_ID \ + # --role "Virtual Machine Contributor" \ + # --scope /subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP + # 3. Create federated identity credential: + # az identity federated-credential create \ + # --name nvsentinel-janitor-credential \ + # --identity-name nvsentinel-janitor \ + # --resource-group RG_NAME \ + # --issuer "https://oidc.prod-aks.azure.com/TENANT_ID/" \ + # --subject "system:serviceaccount:NAMESPACE:janitor" + # 4. Annotate service account with client ID + + # OCI-specific configuration (only needed when provider=oci) + oci: + # OCI region where OKE cluster is running + # Examples: us-ashburn-1, us-phoenix-1, uk-london-1, ap-mumbai-1 + # Find with: oci iam region list + region: "" + + # OCI compartment OCID containing cluster resources + # Format: ocid1.compartment.oc1..aaa... + # Find with: oci iam compartment list + compartment: "" + + # Path to OCI credentials file (optional) + # Only needed if not using workload identity + # Default location: ~/.oci/config + # Leave empty to use workload identity + credentialsFile: "" + + # OCI profile name in credentials file + # Default profile name in config file + profile: "DEFAULT" + + # OCI Principal OCID for Workload Identity + # Format: ocid1.principal.oc1..aaa... + # This is the OCID of the dynamic group or service principal + # Required for OKE Workload Identity + principalId: "" + + # Setup steps for OCI: + # 1. Create dynamic group with matching rule for the pod + # 2. Create policy granting dynamic group manage instance-family permission + # 3. Configure workload identity for the service account + # 4. Janitor pods will use workload identity to call OCI APIs + + # Webhook configuration + # Janitor uses admission webhooks to validate CRDs + webhook: + # Port for webhook server + port: 9443 + + # Directory containing webhook TLS certificates + # Certificates should be mounted via cert-manager + certDir: "/tmp/k8s-webhook-server/serving-certs" + + # Cert-manager issuer for webhook certificate + # This issuer must exist in the same namespace + # Create with: kubectl apply -f - < 0 + healthEvent: + componentClass: Node + isFatal: false + message: "Node test condition is not ready" + recommendedAction: CONTACT_SUPPORT + errorCode: + - NODE_TEST_CONDITION_NOT_READY + + # This policy monitors DaemonSet pods in the gpu-operator namespace and publishes + # fatal health events when pods are unhealthy. It detects: + # 1. Pods not in Running/Succeeded phase (e.g., Pending, Failed) + # 2. Pods in CrashLoopBackOff (phase=Running but container is crashing) + # + - name: gpu-operator-pod-health + enabled: true + resource: + group: "" + version: v1 + kind: Pod + predicate: + # Trigger event if: + # 1. Pod is in gpu-operator namespace + # 2. Pod is owned by a DaemonSet (filters to only monitor DaemonSet pods) + # 3. Pod has been assigned to a node (nodeName is set) + # 4. Pod is unhealthy: either NOT in Running/Succeeded state OR in CrashLoopBackOff + # 5. Pod has been running for at least 30 seconds (grace period) + # + # Note: CrashLoopBackOff pods have phase=Running but container is in Waiting state + # with reason=CrashLoopBackOff, so we must check containerStatuses explicitly. + expression: | + resource.metadata.namespace == 'gpu-operator' && + has(resource.metadata.ownerReferences) && + resource.metadata.ownerReferences.exists(r, r.kind == 'DaemonSet') && + has(resource.spec.nodeName) && resource.spec.nodeName != "" && + has(resource.status.startTime) && + now - timestamp(resource.status.startTime) > duration('30s') && + ( + (resource.status.phase != 'Running' && resource.status.phase != 'Succeeded') || + ( + has(resource.status.containerStatuses) && + resource.status.containerStatuses.exists(cs, + has(cs.state.waiting) && + has(cs.state.waiting.reason) && + cs.state.waiting.reason == 'CrashLoopBackOff' + ) + ) + ) + nodeAssociation: + expression: resource.spec.nodeName + healthEvent: + componentClass: Software + isFatal: true + message: "GPU Operator DaemonSet pod is unhealthy (not Running or in CrashLoopBackOff)" + recommendedAction: CONTACT_SUPPORT + errorCode: + - GPU_OPERATOR_POD_UNHEALTHY + + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: kwok + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + topologyKey: kubernetes.io/hostname + +event-exporter: + replicaCount: 1 + + image: + repository: ghcr.io/nvidia/nvsentinel/event-exporter + pullPolicy: IfNotPresent + + podAnnotations: {} + + resources: + limits: + cpu: "500m" + memory: "512Mi" + requests: + cpu: "100m" + memory: "128Mi" + + oidcSecretName: "event-exporter-oidc-secret" + + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: kwok + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + topologyKey: kubernetes.io/hostname + + exporter: + metadata: + cluster: "tilt-test-cluster" + environment: "development" + tilt_test: "true" + + sink: + endpoint: "http://event-exporter-mock.nvsentinel.svc.cluster.local:8443/events" + timeout: "30s" + insecureSkipVerify: true + + oidc: + tokenUrl: "http://event-exporter-mock.nvsentinel.svc.cluster.local:8443/token" + clientId: "tilt-test-client" + scope: "test-scope" + insecureSkipVerify: true + + backfill: + enabled: true + maxAge: "1h" + maxEvents: 10000 + batchSize: 100 + rateLimit: 100 + + resumeToken: + database: "nvsentinel" + collection: "resumetokens" + + failureHandling: + maxRetries: 3 + initialBackoff: "1s" + maxBackoff: "10s" + backoffMultiplier: 2.0 diff --git a/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/values.yaml new file mode 100644 index 00000000..2a992c8d --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/charts/nvsentinel/values.yaml @@ -0,0 +1,243 @@ +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global: + dryRun: false + image: + tag: "v1.1.0" + initContainerImage: + repository: docker.io/bitnamilegacy/os-shell + tag: "12-debian-12-r30" + pullPolicy: IfNotPresent + metricsPort: 2112 + + # Datastore configuration + # By default, datastore is not configured (use mongodb-config ConfigMap directly) + # To use the centralized datastore configuration, uncomment and configure below + # datastore: + # provider: "mongodb" # or "postgresql" + # connection: + # host: "mongodb" + # port: 27017 + # database: "nvsentinel" + # certificates: + # secretName: "mongo-app-client-cert-secret" # Secret containing client certificates + # certKey: "tls.crt" # Key for client certificate (default: tls.crt) + # keyKey: "tls.key" # Key for client private key (default: tls.key) + # caKey: "ca.crt" # Key for CA certificate (default: ca.crt) + + # Certificate rotation (MongoDB only) + # When enabled, client certificates can be rotated without restarting pods. + # Uses controller-runtime's certwatcher to detect file changes and automatically + # provide updated certificates to new MongoDB connections. + certificateRotationEnabled: false + + # Shared metadata path used by metadata-collector and syslog-health-monitor + metadataPath: /var/lib/nvsentinel/gpu_metadata.json + + # DCGM (Data Center GPU Manager) configuration + # Shared by gpu-health-monitor and preflight dcgm-diag + dcgm: + # Enable DCGM Kubernetes service integration + enabled: true + service: + # DCGM hostengine service endpoint + endpoint: "nvidia-dcgm.gpu-operator.svc" + # DCGM hostengine service port + port: 5555 + + # Audit logging configuration + auditLogging: + enabled: false # Enable/disable audit logging for all components + logRequestBody: false # Log request body in audit logs (may contain sensitive data) + maxSizeMB: 100 # Maximum size of each audit log file in MB + maxBackups: 7 # Maximum number of rotated log files to keep + maxAgeDays: 30 # Maximum age of rotated log files in days + compress: true # Compress rotated log files + + nodeSelector: {} + tolerations: + - operator: Exists + affinity: {} + systemNodeSelector: {} + systemNodeTolerations: [] + imagePullSecrets: [] + + gpuHealthMonitor: + enabled: true + healthEventsAnalyzer: + enabled: false + faultQuarantine: + enabled: false + nodeDrainer: + enabled: false + faultRemediation: + enabled: false + janitor: + enabled: false + janitorProvider: + enabled: false + cspHealthMonitor: + enabled: false + syslogHealthMonitor: + enabled: true + labeler: + enabled: true + metadataCollector: + enabled: true + inclusterFileServer: + enabled: false + metricsPort: 9001 + cleanupMetricsPort: 9002 + mongodbStore: + enabled: false + kubernetesObjectMonitor: + enabled: false + eventExporter: + enabled: false + preflight: + enabled: false + k8sdatastoreCrds: + enabled: false + slurmDrainMonitor: + enabled: false + +# Network policy configuration +# The metrics-access network policy restricts ingress to metrics ports only. +# This can block other services (e.g., cert-manager webhook) when deployed +# in the same namespace. Set enabled=false to disable the network policy. +networkPolicy: + enabled: true + +platformConnector: + image: + repository: ghcr.io/nvidia/nvsentinel/platform-connectors + pullPolicy: IfNotPresent + tag: "" + + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 200m + memory: 512Mi + + podAnnotations: {} + + tolerations: [] + + logLevel: info + + mongodbStore: + enabled: false + clientCertMountPath: "/etc/ssl/mongo-client" + maxRetries: 3 + + postgresqlStore: + clientCertMountPath: "/etc/ssl/client-certs" + + k8sConnector: + enabled: true + maxNodeConditionMessageLength: 1024 + # Max length of the compacted message prefix (before Recommended Action) per health event + compactedHealthEventMsgLen: 72 + qps: 5.0 + burst: 10 + + # Node metadata enrichment configuration + # Health event transformers pipeline + pipeline: + # List of transformers to execute (in order) + - name: MetadataAugmentor + enabled: false + config: /etc/config/metadata.toml + + - name: OverrideTransformer + enabled: false + config: /etc/config/overrides.toml + + # Transformer-specific configurations + transformers: + # Metadata augmentor - enriches events with node labels and provider info + MetadataAugmentor: + cacheSize: 50 + cacheTTLSeconds: 3600 + allowedLabels: + - "topology.kubernetes.io/zone" + - "topology.kubernetes.io/region" + - "node.kubernetes.io/instance-type" + - "nvidia.com/cuda.driver-version.major" + - "nvidia.com/cuda.driver-version.minor" + - "nvidia.com/cuda.driver-version.revision" + - "nvidia.com/cuda.driver-version.full" + - "nvidia.com/cuda.runtime-version.major" + - "nvidia.com/cuda.runtime-version.minor" + - "nvidia.com/cuda.runtime-version.full" + - "topology.k8s.aws/capacity-block-id" + - "topology.k8s.aws/network-node-layer-1" + - "topology.k8s.aws/network-node-layer-2" + - "topology.k8s.aws/network-node-layer-3" + - "oci.oraclecloud.com/host.id" + - "oci.oraclecloud.com/host.network_block_id" + - "oci.oraclecloud.com/host.rack_id" + - "oci.oraclecloud.com/host.serial_number" + - "cloud.google.com/gce-topology-block" + - "cloud.google.com/gce-topology-host" + - "cloud.google.com/gce-topology-subblock" + + # Property overrides - uses CEL expressions to override event properties + OverrideTransformer: + rules: [] + # Example: + # - name: "suppress-xid-109" + # when: 'event.agent == "syslog-health-monitor" && "109" in event.errorCode' + # override: + # isFatal: false + # recommendedAction: "NONE" + +socketPath: "/var/run/nvsentinel.sock" + +# Node condition cleanup hook configuration +nodeConditionCleanup: + enabled: false + deprecatedConditions: [] + # - "OldConditionType1" + # - "OldConditionType2" + image: + repository: docker.io/bitnamilegacy/kubectl + tag: "1.30.6" + pullPolicy: IfNotPresent + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 50m + memory: 64Mi + +# PostgreSQL subchart configuration +# Only enabled when using PostgreSQL as the datastore +# See values-postgresql.yaml for a complete PostgreSQL configuration example +postgresql: + enabled: false + +# PodMonitor configuration for Prometheus Operator +# Disable this if using standard Prometheus with annotations instead +podMonitor: + enabled: true + interval: 30s # Scrape interval (defaults to 30s to maintain backward compatibility) + # scrapeTimeout: "" # Scrape timeout (defaults to Prometheus default if not specified) + # metricsPath: "/metrics" # Metrics path (defaults to /metrics) + # labels: {} # Additional labels for the PodMonitor resource diff --git a/packs/nvidia-nvsentinel-v1.1.0/logo.png b/packs/nvidia-nvsentinel-v1.1.0/logo.png new file mode 100644 index 00000000..a98c7869 Binary files /dev/null and b/packs/nvidia-nvsentinel-v1.1.0/logo.png differ diff --git a/packs/nvidia-nvsentinel-v1.1.0/pack.json b/packs/nvidia-nvsentinel-v1.1.0/pack.json new file mode 100644 index 00000000..4c2551cd --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/pack.json @@ -0,0 +1,17 @@ +{ + "addonType": "ai", + "annotations": { + "source": "community", + "contributor" : "spectrocloud" + }, + "cloudTypes": [ + "all" + ], + "displayName": "Nvidia NVSentinel", + "charts": [ + "charts/nvsentinel-v1.1.0.tgz" + ], + "layer":"addon", + "name": "nvidia-nvsentinel", + "version": "v1.1.0" + } diff --git a/packs/nvidia-nvsentinel-v1.1.0/values.yaml b/packs/nvidia-nvsentinel-v1.1.0/values.yaml new file mode 100644 index 00000000..49b7b08a --- /dev/null +++ b/packs/nvidia-nvsentinel-v1.1.0/values.yaml @@ -0,0 +1,268 @@ +pack: + releaseNameOverride: + gpu-health-monitor: gpu-health-monitor + mongodb-store: mongodb-store + postgresql: postgresql + fault-quarantine: fault-quarantine + node-drainer: node-drainer + fault-remediation: fault-remediation + health-events-analyzer: health-events-analyzer + csp-health-monitor: csp-health-monitor + syslog-health-monitor: syslog-health-monitor + incluster-file-server: incluster-file-server + labeler: labeler + janitor: janitor + metadata-collector: metadata-collector + kubernetes-object-monitor: kubernetes-object-monitor + preflight: preflight + namespace: nvsentinel + namespaceLabels: + "nvsentinel": "pod-security.kubernetes.io/enforce=privileged,pod-security.kubernetes.io/enforce-version=latest" + content: + images: [] + +charts: + nvsentinel: + # Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + + global: + dryRun: false + image: + tag: "v1.1.0" + initContainerImage: + repository: docker.io/bitnamilegacy/os-shell + tag: "12-debian-12-r30" + pullPolicy: IfNotPresent + metricsPort: 2112 + + # Datastore configuration + # By default, datastore is not configured (use mongodb-config ConfigMap directly) + # To use the centralized datastore configuration, uncomment and configure below + # datastore: + # provider: "mongodb" # or "postgresql" + # connection: + # host: "mongodb" + # port: 27017 + # database: "nvsentinel" + # certificates: + # secretName: "mongo-app-client-cert-secret" # Secret containing client certificates + # certKey: "tls.crt" # Key for client certificate (default: tls.crt) + # keyKey: "tls.key" # Key for client private key (default: tls.key) + # caKey: "ca.crt" # Key for CA certificate (default: ca.crt) + + # Certificate rotation (MongoDB only) + # When enabled, client certificates can be rotated without restarting pods. + # Uses controller-runtime's certwatcher to detect file changes and automatically + # provide updated certificates to new MongoDB connections. + certificateRotationEnabled: false + + # Shared metadata path used by metadata-collector and syslog-health-monitor + metadataPath: /var/lib/nvsentinel/gpu_metadata.json + + # DCGM (Data Center GPU Manager) configuration + # Shared by gpu-health-monitor and preflight dcgm-diag + dcgm: + # Enable DCGM Kubernetes service integration + enabled: true + service: + # DCGM hostengine service endpoint + endpoint: "nvidia-dcgm.gpu-operator.svc" + # DCGM hostengine service port + port: 5555 + + # Audit logging configuration + auditLogging: + enabled: false # Enable/disable audit logging for all components + logRequestBody: false # Log request body in audit logs (may contain sensitive data) + maxSizeMB: 100 # Maximum size of each audit log file in MB + maxBackups: 7 # Maximum number of rotated log files to keep + maxAgeDays: 30 # Maximum age of rotated log files in days + compress: true # Compress rotated log files + + nodeSelector: {} + tolerations: + - operator: Exists + affinity: {} + systemNodeSelector: {} + systemNodeTolerations: [] + imagePullSecrets: [] + + gpuHealthMonitor: + enabled: true + healthEventsAnalyzer: + enabled: false + faultQuarantine: + enabled: false + nodeDrainer: + enabled: false + faultRemediation: + enabled: false + janitor: + enabled: false + janitorProvider: + enabled: false + cspHealthMonitor: + enabled: false + syslogHealthMonitor: + enabled: true + labeler: + enabled: true + metadataCollector: + enabled: true + inclusterFileServer: + enabled: false + metricsPort: 9001 + cleanupMetricsPort: 9002 + mongodbStore: + enabled: false + kubernetesObjectMonitor: + enabled: false + eventExporter: + enabled: false + preflight: + enabled: false + k8sdatastoreCrds: + enabled: false + slurmDrainMonitor: + enabled: false + + # Network policy configuration + # The metrics-access network policy restricts ingress to metrics ports only. + # This can block other services (e.g., cert-manager webhook) when deployed + # in the same namespace. Set enabled=false to disable the network policy. + networkPolicy: + enabled: true + + platformConnector: + image: + repository: ghcr.io/nvidia/nvsentinel/platform-connectors + pullPolicy: IfNotPresent + tag: "" + + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 200m + memory: 512Mi + + podAnnotations: {} + + tolerations: [] + + logLevel: info + + mongodbStore: + enabled: false + clientCertMountPath: "/etc/ssl/mongo-client" + maxRetries: 3 + + postgresqlStore: + clientCertMountPath: "/etc/ssl/client-certs" + + k8sConnector: + enabled: true + maxNodeConditionMessageLength: 1024 + # Max length of the compacted message prefix (before Recommended Action) per health event + compactedHealthEventMsgLen: 72 + qps: 5.0 + burst: 10 + + # Node metadata enrichment configuration + # Health event transformers pipeline + pipeline: + # List of transformers to execute (in order) + - name: MetadataAugmentor + enabled: false + config: /etc/config/metadata.toml + + - name: OverrideTransformer + enabled: false + config: /etc/config/overrides.toml + + # Transformer-specific configurations + transformers: + # Metadata augmentor - enriches events with node labels and provider info + MetadataAugmentor: + cacheSize: 50 + cacheTTLSeconds: 3600 + allowedLabels: + - "topology.kubernetes.io/zone" + - "topology.kubernetes.io/region" + - "node.kubernetes.io/instance-type" + - "nvidia.com/cuda.driver-version.major" + - "nvidia.com/cuda.driver-version.minor" + - "nvidia.com/cuda.driver-version.revision" + - "nvidia.com/cuda.driver-version.full" + - "nvidia.com/cuda.runtime-version.major" + - "nvidia.com/cuda.runtime-version.minor" + - "nvidia.com/cuda.runtime-version.full" + - "topology.k8s.aws/capacity-block-id" + - "topology.k8s.aws/network-node-layer-1" + - "topology.k8s.aws/network-node-layer-2" + - "topology.k8s.aws/network-node-layer-3" + - "oci.oraclecloud.com/host.id" + - "oci.oraclecloud.com/host.network_block_id" + - "oci.oraclecloud.com/host.rack_id" + - "oci.oraclecloud.com/host.serial_number" + - "cloud.google.com/gce-topology-block" + - "cloud.google.com/gce-topology-host" + - "cloud.google.com/gce-topology-subblock" + + # Property overrides - uses CEL expressions to override event properties + OverrideTransformer: + rules: [] + # Example: + # - name: "suppress-xid-109" + # when: 'event.agent == "syslog-health-monitor" && "109" in event.errorCode' + # override: + # isFatal: false + # recommendedAction: "NONE" + + socketPath: "/var/run/nvsentinel.sock" + + # Node condition cleanup hook configuration + nodeConditionCleanup: + enabled: false + deprecatedConditions: [] + # - "OldConditionType1" + # - "OldConditionType2" + image: + repository: docker.io/bitnamilegacy/kubectl + tag: "1.30.6" + pullPolicy: IfNotPresent + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 50m + memory: 64Mi + + # PostgreSQL subchart configuration + # Only enabled when using PostgreSQL as the datastore + # See values-postgresql.yaml for a complete PostgreSQL configuration example + postgresql: + enabled: false + + # PodMonitor configuration for Prometheus Operator + # Disable this if using standard Prometheus with annotations instead + podMonitor: + enabled: true + interval: 30s # Scrape interval (defaults to 30s to maintain backward compatibility) + # scrapeTimeout: "" # Scrape timeout (defaults to Prometheus default if not specified) + # metricsPath: "/metrics" # Metrics path (defaults to /metrics) + # labels: {} # Additional labels for the PodMonitor resource \ No newline at end of file