diff --git a/charts/console/Chart.yaml b/charts/console/Chart.yaml
index 00514ce..02606d8 100644
--- a/charts/console/Chart.yaml
+++ b/charts/console/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: console
 appVersion: 1.17.3
-version: 1.0.2
+version: 1.0.3
 description: Helm chart to deploy Conduktor Platform on Kubernetes
 icon: https://www.conduktor.io/svgs/logo/symbol.svg
 home: https://www.conduktor.io
diff --git a/charts/console/README.md b/charts/console/README.md
index ec9209d..02f8ce0 100644
--- a/charts/console/README.md
+++ b/charts/console/README.md
@@ -75,75 +75,71 @@ Helm Chart to deploy Conduktor Platform on Kubernetes. ### Platform Deployment Parameters -| Name | Description | Value | -| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | -| `platform.image.registry` | Conduktor Platform image registry | `docker.io` | -| `platform.image.repository` | Conduktor Platform image repository | `conduktor/conduktor-platform` | -| `platform.image.tag` | Conduktor Platform image tag (immutable tags are recommended) | `1.17.3` | -| `platform.image.digest` | Conduktor Platform image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended) | `""` | -| `platform.image.pullPolicy` | Conduktor Platform image pull policy | `IfNotPresent` | -| `platform.image.pullSecrets` | Conduktor Platform image pull secrets | `[]` | -| `platform.image.debug` | Enable Conduktor Platform image debug mode | `false` | -| `platform.replicaCount` | Number of Conduktor Platform replicas to deploy | `1` | -| `platform.containerPorts.http` | Conduktor Platform HTTP (or HTTPS if configured) container port | `8080` | -| `platform.livenessProbe.enabled` | Enable livenessProbe on Conduktor Platform containers | `true` | -| `platform.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` | -| `platform.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `platform.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `platform.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `platform.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `platform.readinessProbe.enabled` | Enable readinessProbe on Conduktor Platform containers | `true` | -| 
`platform.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `60` | -| `platform.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `platform.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `platform.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `platform.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `platform.startupProbe.enabled` | Enable startupProbe on Conduktor Platform containers | `true` | -| `platform.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `platform.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `platform.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `platform.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | -| `platform.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `platform.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `platform.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `platform.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `platform.resources.limits.cpu` | CPU limit for the platform container | `4000m` | -| `platform.resources.limits.memory` | Memory limit for the container | `8Gi` | -| `platform.resources.requests.cpu` | CPU resource requests | `2000m` | -| `platform.resources.requests.memory` | Memory resource requests | `4Gi` | -| `platform.podSecurityContext.enabled` | Enabled Conduktor Platform pods' Security Context | `true` | -| `platform.podSecurityContext.fsGroup` | Set Conduktor Platform pod's Security Context fsGroup | `1001` | -| `platform.containerSecurityContext.enabled` | Enabled Conduktor Platform containers' Security Context | `true` | -| `platform.containerSecurityContext.runAsUser` | Set 
Conduktor Platform containers' Security Context runAsUser | `1001` | -| `platform.containerSecurityContext.runAsNonRoot` | Set Conduktor Platform containers' Security Context runAsNonRoot | `true` | -| `platform.containerSecurityContext.readOnlyRootFilesystem` | Set Conduktor Platform containers' Security Context runAsNonRoot | `false` | -| `platform.existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Conduktor Platform | `""` | -| `platform.command` | Override default container command (useful when using custom images) | `[]` | -| `platform.args` | Override default container args (useful when using custom images) | `[]` | -| `platform.hostAliases` | Conduktor Platform pods host aliases | `[]` | -| `platform.podLabels` | Extra labels for Conduktor Platform pods | `{}` | -| `platform.podAnnotations` | Annotations for Conduktor Platform pods | `{}` | -| `platform.podAffinityPreset` | Pod affinity preset. Ignored if `platform.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `platform.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `platform.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `platform.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `platform.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `platform.nodeAffinityPreset.key` | Node label key to match. Ignored if `platform.affinity` is set | `""` | -| `platform.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `platform.affinity` is set | `[]` | -| `platform.affinity` | Affinity for Conduktor Platform pods assignment | `{}` | -| `platform.nodeSelector` | Node labels for Conduktor Platform pods assignment | `{}` | -| `platform.tolerations` | Tolerations for Conduktor Platform pods assignment | `[]` | -| `platform.updateStrategy.type` | Conduktor Platform statefulset strategy type | `RollingUpdate` | -| `platform.priorityClassName` | Conduktor Platform pods' priorityClassName | `""` | -| `platform.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | -| `platform.schedulerName` | Name of the k8s scheduler (other than default) for Conduktor Platform pods | `""` | -| `platform.terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` | -| `platform.lifecycleHooks` | for the Conduktor Platform container(s) to automate configuration before or after startup | `{}` | -| `platform.extraEnvVars` | Array with extra environment variables to add to Conduktor Platform nodes | `[]` | -| `platform.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Conduktor Platform nodes | `""` | -| `platform.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Conduktor Platform nodes | `""` | -| `platform.extraVolumes` | Optionally specify extra list of additional volumes for the Conduktor Platform pod(s) | `[]` | -| `platform.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Conduktor Platform container(s) | `[]` | -| `platform.sidecars` | Add additional sidecar containers to the Conduktor Platform pod(s) | `[]` | -| `platform.initContainers` | Add additional init containers to the Conduktor Platform pod(s) | `[]` | +| Name | Description | Value | +| --------------------------------------------- | 
------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `platform.image.registry` | Conduktor Platform image registry | `docker.io` | +| `platform.image.repository` | Conduktor Platform image repository | `conduktor/conduktor-platform` | +| `platform.image.tag` | Conduktor Platform image tag (immutable tags are recommended) | `1.17.3` | +| `platform.image.digest` | Conduktor Platform image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended) | `""` | +| `platform.image.pullPolicy` | Conduktor Platform image pull policy | `IfNotPresent` | +| `platform.image.pullSecrets` | Conduktor Platform image pull secrets | `[]` | +| `platform.image.debug` | Enable Conduktor Platform image debug mode | `false` | +| `platform.replicaCount` | Number of Conduktor Platform replicas to deploy | `1` | +| `platform.containerPorts.http` | Conduktor Platform HTTP (or HTTPS if configured) container port | `8080` | +| `platform.livenessProbe.enabled` | Enable livenessProbe on Conduktor Platform containers | `true` | +| `platform.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` | +| `platform.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `platform.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `platform.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `platform.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `platform.readinessProbe.enabled` | Enable readinessProbe on Conduktor Platform containers | `true` | +| `platform.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `60` | +| `platform.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| 
`platform.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `platform.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `platform.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `platform.startupProbe.enabled` | Enable startupProbe on Conduktor Platform containers | `true` | +| `platform.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `platform.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `platform.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `platform.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` | +| `platform.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `platform.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `platform.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `platform.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `platform.resources.limits.cpu` | CPU limit for the platform container | `4000m` | +| `platform.resources.limits.memory` | Memory limit for the container | `8Gi` | +| `platform.resources.requests.cpu` | CPU resource requests | `2000m` | +| `platform.resources.requests.memory` | Memory resource requests | `4Gi` | +| `platform.podSecurityContext` | Conduktor Platform Pod Security Context | `{}` | +| `platform.containerSecurityContext` | Conduktor Platform containers' Security Context | `{}` | +| `platform.existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Conduktor Platform | `""` | +| `platform.command` | Override default container command (useful when using custom images) | `[]` | +| `platform.args` | Override default container args (useful when using custom images) | `[]` | +| `platform.hostAliases` | Conduktor Platform pods host 
aliases | `[]` | +| `platform.podLabels` | Extra labels for Conduktor Platform pods | `{}` | +| `platform.podAnnotations` | Annotations for Conduktor Platform pods | `{}` | +| `platform.podAffinityPreset` | Pod affinity preset. Ignored if `platform.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `platform.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `platform.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `platform.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `platform.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `platform.nodeAffinityPreset.key` | Node label key to match. Ignored if `platform.affinity` is set | `""` | +| `platform.nodeAffinityPreset.values` | Node label values to match. Ignored if `platform.affinity` is set | `[]` | +| `platform.affinity` | Affinity for Conduktor Platform pods assignment | `{}` | +| `platform.nodeSelector` | Node labels for Conduktor Platform pods assignment | `{}` | +| `platform.tolerations` | Tolerations for Conduktor Platform pods assignment | `[]` | +| `platform.updateStrategy.type` | Conduktor Platform statefulset strategy type | `RollingUpdate` | +| `platform.priorityClassName` | Conduktor Platform pods' priorityClassName | `""` | +| `platform.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. 
Evaluated as a template | `[]` | +| `platform.schedulerName` | Name of the k8s scheduler (other than default) for Conduktor Platform pods | `""` | +| `platform.terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` | +| `platform.lifecycleHooks` | for the Conduktor Platform container(s) to automate configuration before or after startup | `{}` | +| `platform.extraEnvVars` | Array with extra environment variables to add to Conduktor Platform nodes | `[]` | +| `platform.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Conduktor Platform nodes | `""` | +| `platform.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Conduktor Platform nodes | `""` | +| `platform.extraVolumes` | Optionally specify extra list of additional volumes for the Conduktor Platform pod(s) | `[]` | +| `platform.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Conduktor Platform container(s) | `[]` | +| `platform.sidecars` | Add additional sidecar containers to the Conduktor Platform pod(s) | `[]` | +| `platform.initContainers` | Add additional init containers to the Conduktor Platform pod(s) | `[]` | ### Traffic Exposure Parameters 
@@ -176,15 +172,38 @@ Helm Chart to deploy Conduktor Platform on Kubernetes. ### Other Parameters -| Name | Description | Value | -| --------------------------------------------- | ---------------------------------------------------------------- | ------ | -| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | -| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` | -| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | +| Name | Description | Value | +| --------------------------------------------- | ---------------------------------------------------------------- | ------- | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` | +| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | +| `test` | Enable additional manifests for testing purposes | `false` | ## Snippets +### Console configuration + +If you are looking for additional snippets related to the configuration of +console, we recommend you to look at our +[documentation](https://docs.conduktor.io/platform/configuration/configuration-snippets/). 
+ +- [Install with a basic SSO configuration](#install-with-a-basic-sso-configuration) +- [Install with a registered kafka cluster](#install-with-a-kafka-cluster) +- [Install with an enterprise license](#install-with-an-enterprise-license) + +### Kubernetes configuration + +- [Install with a PodAffinity](#install-with-a-podaffinity) +- [Install with a PodAntiAffinity](#install-with-a-podantiaffinity) +- [Install with a Toleration](#install-with-a-toleration) +- [Install with a Self-Signed Certificate](#install-with-self-signed-tls-certificate) +- [Install with a custom service account](#install-with-a-custom-service-account) +- [Install with a AWS EKS IAM Role](#install-with-a-aws-eks-iam-role) + +- [Provide the license as a Kubernetes Secret](#provide-the-license-as-a-kubernetes-secret) +- [Provide the license as a Kubernetes ConfigMap](#provide-the-platform-config-as-a-kubernetes-configmap) + ### Install with an enterprise license ```yaml 
@@ -206,6 +225,88 @@ config: license: "${ENTERPRISE_LICENSE}" ``` +### Install with a basic SSO configuration + +```yaml +config: + organization: + name: "my-org" + + admin: + email: "admin@my-org.com" + password: "admin" + + database: + host: '' + port: 5432 + name: 'postgres' + username: '' + password: '' + sso: + oauth2: + - name: 'auth0' + default: true + client-id: + client-secret: + callback-uri: http://localhost/auth/oauth/callback/auth0 + openid: + issuer: https://conduktor-staging.eu.auth0.com/ + + license: '' +``` + +### Install with a kafka cluster + +```yaml +config: + organization: + name: "my-org" + + admin: + email: "admin@my-org.com" + password: "admin" + + database: + host: '' + port: 5432 + name: 'postgres' + username: '' + password: '' + clusters: + - id: my-local-kafka-cluster + name: My Local Kafka Cluster + color: '#0013E7' + bootstrapServers: 'my-bootstrap-server:9092' + schemaRegistry: + id: my-schema-registry + url: 'http://my-schema-registry:8081' +``` + +### Provide the license as a Kubernetes Secret + +We expect the secret to contain a key named `license` which contains your +license key. + +```shell +# values.yaml +config: + organization: + name: "" + + admin: + email: "" + password: "" + + database: + host: '' + port: 5432 + name: '' + username: '' + password: '' + + existingLicenseSecret: "" +``` + ### Install with a PodAffinity ```yaml diff --git a/charts/console/ci/01-basic-values.yaml b/charts/console/ci/01-basic-values.yaml index 7e878fb..de06449 100644 --- a/charts/console/ci/01-basic-values.yaml +++ b/charts/console/ci/01-basic-values.yaml @@ -20,3 +20,4 @@ platform: requests: cpu: 1500m memory: 4Gi +test: true diff --git a/charts/console/ci/02-pod-tls-existingSecret-values.yaml b/charts/console/ci/02-pod-tls-existingSecret-values.yaml index 88f7d8a..da06357 100644 --- a/charts/console/ci/02-pod-tls-existingSecret-values.yaml +++ b/charts/console/ci/02-pod-tls-existingSecret-values.yaml 
@@ -26,3 +26,4 @@ platform:
 requests:
 cpu: 1500m
 memory: 4Gi
+test: true
\ No newline at end of file
diff --git a/charts/console/ci/03-pod-tls-selfsigned-values.yaml b/charts/console/ci/03-pod-tls-selfsigned-values.yaml
index 7e0c4f2..b4f0cc8 100644
--- a/charts/console/ci/03-pod-tls-selfsigned-values.yaml
+++ b/charts/console/ci/03-pod-tls-selfsigned-values.yaml
@@ -81,3 +81,4 @@ platform:
 requests:
 cpu: 1500m
 memory: 4Gi
+test: true
\ No newline at end of file
diff --git a/charts/console/templates/platform/deployment.yaml b/charts/console/templates/platform/deployment.yaml
index 82f80e8..3f1dd4e 100644
--- a/charts/console/templates/platform/deployment.yaml
+++ b/charts/console/templates/platform/deployment.yaml
@@ -65,8 +65,12 @@ spec:
 {{- if .Values.platform.topologySpreadConstraints }}
 topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.platform.topologySpreadConstraints "context" .) | nindent 8 }}
 {{- end }}
- {{- if .Values.platform.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.platform.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- if .Values.platform.podSecurityContext }}
+ securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.platform.containerSecurityContext "context" $) | nindent 10 }}
+ {{- else }}
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 {{- end }}
 {{- if .Values.platform.terminationGracePeriodSeconds }}
 terminationGracePeriodSeconds: {{ .Values.platform.terminationGracePeriodSeconds }}
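Review bot: The pod-level `securityContext` in the new `if` branch of `deployment.yaml` renders `.Values.platform.containerSecurityContext` rather than `.Values.platform.podSecurityContext`, so whatever the user puts in `podSecurityContext` (for example `fsGroup`) never reaches the pod and the container settings are emitted at pod level instead. The line should read `securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.platform.podSecurityContext "context" $) | nindent 8 }}`. The `else` default also places `readOnlyRootFilesystem: true` at pod level, but that field belongs only to the container SecurityContext, so depending on field validation the API server will reject or drop it; keep `runAsNonRoot: true` there and leave `readOnlyRootFilesystem` to the container block. The same pod-level default is repeated in the `values.yaml` comment for `platform.podSecurityContext`. The enclosing pod spec starts and ends outside the hunk.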
@@ -79,8 +83,12 @@ spec: - name: conduktor-platform image: {{ template "conduktor.image" . }} imagePullPolicy: {{ .Values.platform.image.pullPolicy }} - {{- if .Values.platform.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.platform.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- if .Values.platform.containerSecurityContext }} + securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.platform.containerSecurityContext "context" $) | nindent 12 }} + {{- else }} + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true {{- end }} {{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} diff --git a/charts/console/templates/tests/01-setup-postgresql.yaml b/charts/console/templates/tests/01-setup-postgresql.yaml index 94b1e8b..5df26ee 100644 --- a/charts/console/templates/tests/01-setup-postgresql.yaml +++ b/charts/console/templates/tests/01-setup-postgresql.yaml @@ -1,7 +1,7 @@ {{/** This is hack so that we install a fresh postgresql (without volume) for each test. **/}} -{{- if regexMatch "^cdkt-test-.*$" .Values.nameOverride }} +{{- if eq .Values.test true }} {{- $postgres_password := "conduktor123" }} {{- $postgres_db := "platform" }} apiVersion: apps/v1 diff --git a/charts/console/values.yaml b/charts/console/values.yaml index 74ba526..40b021b 100644 --- a/charts/console/values.yaml +++ b/charts/console/values.yaml 
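Review bot: The hardened defaults in the container `else` branch apply only while `platform.containerSecurityContext` is empty, so setting any single key there silently drops both `runAsNonRoot: true` and `readOnlyRootFilesystem: true`. If that all-or-nothing behaviour is intended, say so next to the value, e.g. `## NOTE: any non-empty value replaces the defaults entirely; re-state runAsNonRoot/readOnlyRootFilesystem if you still want them`. The default also changes from `readOnlyRootFilesystem: false` with `runAsUser: 1001` to a read-only root with no explicit UID; whether the image declares a numeric non-root user and tolerates a read-only root is not visible here, and `runAsNonRoot` will block container start if it does not. The container spec continues outside the hunk.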
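Review bot: With the gate in `01-setup-postgresql.yaml` now a plain `test` boolean, any release whose values carry `test: true` (for instance a file copied from `ci/`) deploys this PostgreSQL with the fixed password `conduktor123` seen in the context lines, and neither the template comment nor the `test` description added to `values.yaml` and the README says so. I would extend the header comment here and change the values line to something like `## @param test Deploy CI-only manifests (throwaway PostgreSQL with a fixed password); never enable outside CI`. The strict `eq .Values.test true` is worth keeping, since it does not treat a non-boolean value as enabled. The template body continues outside the hunk.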
@@ -220,26 +220,22 @@ platform: cpu: 2000m ## @param platform.resources.requests.memory Memory resource requests memory: 4Gi - ## Configure Pods Security Context + ## @param platform.podSecurityContext Conduktor Platform Pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param platform.podSecurityContext.enabled Enabled Conduktor Platform pods' Security Context - ## @param platform.podSecurityContext.fsGroup Set Conduktor Platform pod's Security Context fsGroup + ## default: + ## securityContext: + ## readOnlyRootFilesystem: true + ## runAsNonRoot: true ## - podSecurityContext: - enabled: true - fsGroup: 1001 - ## Configure Container Security Context + podSecurityContext: {} + ## @param platform.containerSecurityContext Conduktor Platform containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param platform.containerSecurityContext.enabled Enabled Conduktor Platform containers' Security Context - ## @param platform.containerSecurityContext.runAsUser Set Conduktor Platform containers' Security Context runAsUser - ## @param platform.containerSecurityContext.runAsNonRoot Set Conduktor Platform containers' Security Context runAsNonRoot - ## @param platform.containerSecurityContext.readOnlyRootFilesystem Set Conduktor Platform containers' Security Context runAsNonRoot + ## default: + ## securityContext: + ## readOnlyRootFilesystem: true + ## runAsNonRoot: true ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsNonRoot: true - readOnlyRootFilesystem: false + containerSecurityContext: {} ## @param platform.existingConfigmap The name of an existing ConfigMap with your custom configuration for Conduktor Platform ## 
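Review bot: The `default:` comment blocks show the defaults nested under a `securityContext:` key, while the deployment template renders the value directly beneath `securityContext:`, so a user who copies the comment into `podSecurityContext` or `containerSecurityContext` would produce a nested `securityContext.securityContext`. I would list the keys without the wrapper, e.g. `##   runAsNonRoot: true`, and add a line such as `## NOTE: fsGroup/runAsUser 1001 are no longer set by default; set them here if your volumes or image rely on them`. The `platform:` map starts and ends outside the hunk.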
@@ -544,3 +540,6 @@ serviceAccount:
 ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
 ##
 automountServiceAccountToken: true
+
+## @param test Enable additional manifests for testing purposes
+test: false
\ No newline at end of file