diff --git a/getting-started/templates/GCP/gcp-supplemental-values.yaml b/getting-started/templates/GCP/gcp-supplemental-values.yaml
new file mode 100644
index 00000000..4ff4de6f
--- /dev/null
+++ b/getting-started/templates/GCP/gcp-supplemental-values.yaml
@@ -0,0 +1,382 @@
+global:
+ ingress:
+ api:
+ annotations:
+ kubernetes.io/ingress.class: # - Enter the ingress class used
+ ui:
+ annotations:
+ kubernetes.io/ingress.class: # - Enter the ingress class used
+
+testmonitorservice:
+ ## Cloud SQL auth proxy sidecar container to authenticate to Cloud SQL Postgres database
+ ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern
+ sidecars:
+ - name: cloud-sql-auth-proxy
+ image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0
+ volumeMounts:
+ # This volume mount is required for the proxy to authenticate with cloudSQL using Workload Identity Federation config file.
+ - name: # - Enter the volume name where the token is available
+ mountPath: # - Enter the path where the token should be mounted
+ readOnly: true
+ # This volume mount is required for the proxy to authenticate with cloudSQL using service account key file or Workload Identity Federation.
+ - name: # - Enter the volume name where config.json is available
+ mountPath: /secrets/
+ readOnly: true
+ env:
+ # This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
+ - name: "GOOGLE_APPLICATION_CREDENTIALS"
+ value: /secrets/ # - Enter the file name which was used as the key while creating the secret
+ args:
+ # If connecting from a VPC-native GKE cluster, you can use the
+ # following flag to have the proxy connect over private IP
+ - "--private-ip"
+
+ # If you are not connecting with Automatic IAM, you can delete the following flag.
+ - "--auto-iam-authn"
+
+ # Enable structured logging with LogEntry format:
+ - "--structured-logs"
+
+ # Ensures the proxy exits gracefully with a 0 exit code when it receives a SIGTERM signal
+ - "--exit-zero-on-sigterm"
+
+ - "--port=5432"
+ - "" # - Enter the connection name from the CloudSQL instance
+
+ # The credentials file is required for the proxy to authenticate using a service account key file.
+ # Not required if Workload Identity federation is used for authentication.
+ - "--credentials-file=/secrets/" # - Enter the file name which was used as the key while creating the secret
+ securityContext:
+ # The default Cloud SQL Auth Proxy image runs as the
+ # "nonroot" user and group (uid: 65532) by default.
+ runAsNonRoot: true
+ restartPolicy: Always
+ # You should use resource requests/limits as a best practice to prevent
+ # pods from consuming too many resources and affecting the execution of
+ # other pods. You should adjust the following values based on what your
+ # application needs. For details, see
+ # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources:
+ requests:
+ # The proxy's memory use scales linearly with the number of active
+ # connections. Fewer open connections will use less memory. Adjust
+ # this value based on your application's requirements.
+ memory: "1Gi"
+ # The proxy's CPU use scales linearly with the amount of IO between
+ # the database and the application. Adjust this value based on your
+ # application's requirements.
+ cpu: "1"
+
+ ## Extra volumes that can be used in sidecars
+ extraVolumes:
+ # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
+ - name: # - Enter the volume name
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: # - Enter the audience name for the projected service account token
+ expirationSeconds: 3600
+ path: token
+ # This volume is required for the proxy to authenticate with cloudSQL using a service account key file.
+ - name: # - Enter the volume name where config.json is to be mounted
+ secret:
+ secretName: # - Enter the secret name where config.json is added.
+
+ connectionInfo:
+ ## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost.
+ ##
+ host: "localhost"
+ ## @param database.connectionInfo.port PostgreSQL port
+ ##
+ port: "5432"
+ ## @param database.connectionInfo.dbName PostgreSQL database name
+ ##
+ dbName: # - Enter the PostgreSQL database name for testmonitor service
+ ## @param database.connectionInfo.user PostgreSQL username used by the service
+ ##
+ user: # - Enter the PostgreSQL username for the testmonitor service
+ ## @param database.connectionInfo.secretName The name of an existing secret with PostgreSQL connection credentials
+ ##
+ secretName: # - Enter the secret name that contains the testmonitor service's Postgres SQL database connection credentials
+ ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret
+ ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set.
+ ##
+ # passwordKey: "passkey"
+ ## @param database.connectionInfo.migrationPasswordKey Password key for database.connectionInfo.migrationUser to be retrieved from existing secret
+ ## If unset database.connectionInfo.passwordKey is used instead.
+ ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set.
+ ##
+ # migrationPasswordKey: null
+
+ serviceAccount:
+ ## @param serviceAccount.annotations Annotations to add to the service account
+ ##
+ annotations:
+ {
+ iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project Id
+ }
+ ## @param serviceAccount.name The name of the service account to use.
+ ## If not set, a name is generated based on the service name
+ ##
+ name: ""
+
+dashboardhost:
+ grafana:
+ ## Configuring Cloud SQL auth proxy extra container to authenticate to Cloud SQL Postgres database
+ ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern
+ ## A reverse proxy server should be added to the extraContainers for grafana to authenticate users.
+ extraContainers: |
+ - name: cloud-sql-auth-proxy
+ image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0
+ volumeMounts:
+ # This volume mount is required for the proxy to authenticate with cloudSQL using Workload Identity Federation config file.
+ - name: # - Enter the volume name where the token is available
+ mountPath: # - Enter the path where the token should be mounted
+ readOnly: true
+ # This volume mount is required for the proxy to authenticate with cloudSQL using service account key file or Workload Identity Federation.
+ - name: # - Enter the volume name where config.json is available
+ mountPath: /secrets/
+ readOnly: true
+ env:
+ # This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
+ - name: "GOOGLE_APPLICATION_CREDENTIALS"
+ value: /secrets/ # - Enter the file name which was used as the key while creating the secret
+ args:
+ # If connecting from a VPC-native GKE cluster, you can use the
+ # following flag to have the proxy connect over private IP
+ - "--private-ip"
+
+ # If you are not connecting with Automatic IAM, you can delete the following flag.
+ - "--auto-iam-authn"
+
+ # Enable structured logging with LogEntry format:
+ - "--structured-logs"
+
+ # Ensures the proxy exits gracefully with a 0 exit code when it receives a SIGTERM signal
+ - "--exit-zero-on-sigterm"
+
+ - "--port=5432"
+ - "" # - Enter the connection name from the CloudSQL instance
+
+ # The credentials file is required for the proxy to authenticate using a service account key file.
+ # Not required if Workload Identity federation is used for authentication.
+ - "--credentials-file=/secrets/" # - Enter the file name which was used as the key while creating the secret
+ securityContext:
+ # The default Cloud SQL Auth Proxy image runs as the
+ # "nonroot" user and group (uid: 65532) by default.
+ runAsNonRoot: true
+ restartPolicy: Always
+ # You should use resource requests/limits as a best practice to prevent
+ # pods from consuming too many resources and affecting the execution of
+ # other pods. You should adjust the following values based on what your
+ # application needs. For details, see
+ # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources:
+ requests:
+ # The proxy's memory use scales linearly with the number of active
+ # connections. Fewer open connections will use less memory. Adjust
+ # this value based on your application's requirements.
+ memory: "1Gi"
+ # The proxy's CPU use scales linearly with the amount of IO between
+ # the database and the application. Adjust this value based on your
+ # application's requirements.
+ cpu: "1"
+
+ ## Extra volumes that can be used in extrContainers
+ extraContainerVolumes:
+ # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
+ - name: # - Enter the volume name
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: # - Enter the audience name for the projected service account token
+ expirationSeconds: 3600
+ path: token
+ # This volume is required for the proxy to authenticate with cloudSQL using a service account key file.
+ - name: # - Enter the volume name where config.json is to be mounted
+ secret:
+ secretName: # - Enter the secret name where config.json is added.
+
+ grafana.ini:
+ ## Database configuration. See here for more documentation: https://grafana.com/docs/grafana/latest/administration/configuration/#database
+ # - This configures a connection to an external PostgresSQL. Remove this section if not using an external database.
+ ##
+ database:
+ ## Either mysql, postgres or sqlite3.
+ ##
+ type: "postgres"
+ ## The database user (not applicable for sqlite3).
+ ##
+ user: # - Enter the PostgreSQL username for the dashboardhost database
+ ## The database user’s password (not applicable for sqlite3). If the password contains # or ; you have to wrap it with triple quotes. For example """#password;""".
+ ##
+ password: # - Enter the PostgreSQL password for the dashboardhost database
+ ## Only applicable to MySQL or Postgres. Includes IP or host name and port or in case of Unix sockets the path to it.
+ ## For example, for MySQL running on the same host as Grafana: host = 127.0.0.1:3306 or with Unix sockets: host = /var/run/mysqld/mysqld.sock.
+ ##
+ host: "localhost:5432"
+ ## The name of the Grafana database. Leave it set to grafana (default) or some other name.
+ ## - You must create the database manually before deploying. If you are using the default database
+ ## name, you must create a database named "grafana". The database user, if not a superuser, will require USAGE
+ ## and CREATE privileges on the "public" schema and SELECT, INSERT, UPDATE, and DELETE privileges on all tables
+ ## in the "public" schema.
+ # name: "database-name"
+ ## Use either URL or the other fields above to configure the database.
+ ## url: postgres://dashboardhost:abc123@dashboardhostpostgrescluster-primary.systemlink-nic2.svc:5432/grafana
+ ## For PostgresSQL, use either disable, require or verify-full. For MySQL, use either true, false, or skip-verify.
+ ##
+ ssl_mode: "disable"
+
+ serviceAccount:
+ ## @param serviceAccount.annotations Annotations to add to the service account
+ ##
+ annotations:
+ {
+ iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project Id
+ }
+ ## @param serviceAccount.name The name of the service account to use.
+ ## If not set, a name is generated based on the service name
+ ##
+ name: ""
+
+dynamicformfields:
+ ## Configuring Cloud SQL auth proxy sidecar container to authenticate to Cloud SQL Postgres database
+ ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern
+ sidecars:
+ - name: cloud-sql-auth-proxy
+ image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0
+ volumeMounts:
+ # This volume mount is required for the proxy to authenticate with cloudSQL using Workload Identity Federation config file.
+ - name: # - Enter the volume name where the token is available
+ mountPath: # - Enter the path where the token should be mounted
+ readOnly: true
+ # This volume mount is required for the proxy to authenticate with cloudSQL using service account key file or Workload Identity Federation.
+ - name: # - Enter the volume name where config.json is available
+ mountPath: /secrets/
+ readOnly: true
+ env:
+ # This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
+ - name: "GOOGLE_APPLICATION_CREDENTIALS"
+ value: /secrets/ # - Enter the file name which was used as the key while creating the secret
+ args:
+ # If connecting from a VPC-native GKE cluster, you can use the
+ # following flag to have the proxy connect over private IP
+ - "--private-ip"
+
+ # If you are not connecting with Automatic IAM, you can delete the following flag.
+ - "--auto-iam-authn"
+
+ # Enable structured logging with LogEntry format:
+ - "--structured-logs"
+
+ # Ensures the proxy exits gracefully with a 0 exit code when it receives a SIGTERM signal
+ - "--exit-zero-on-sigterm"
+
+ - "--port=5432"
+ - "" # - Enter the connection name from the CloudSQL instance
+
+ # The credentials file is required for the proxy to authenticate using a service account key file.
+ # Not required if Workload Identity federation is used for authentication.
+ - "--credentials-file=/secrets/" # - Enter the file name which was used as the key while creating the secret
+ securityContext:
+ # The default Cloud SQL Auth Proxy image runs as the
+ # "nonroot" user and group (uid: 65532) by default.
+ runAsNonRoot: true
+ restartPolicy: Always
+ # You should use resource requests/limits as a best practice to prevent
+ # pods from consuming too many resources and affecting the execution of
+ # other pods. You should adjust the following values based on what your
+ # application needs. For details, see
+ # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources:
+ requests:
+ # The proxy's memory use scales linearly with the number of active
+ # connections. Fewer open connections will use less memory. Adjust
+ # this value based on your application's requirements.
+ memory: "1Gi"
+ # The proxy's CPU use scales linearly with the amount of IO between
+ # the database and the application. Adjust this value based on your
+ # application's requirements.
+ cpu: "1"
+
+ ## Extra volumes that can be used in sidecars
+ extraVolumes:
+ # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
+ - name: # - Enter the volume name
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: # - Enter the audience name for the projected service account token
+ expirationSeconds: 3600
+ path: token
+ # This volume is required for the proxy to authenticate with cloudSQL using a service account key file.
+ - name: # - Enter the volume name where config.json is to be mounted
+ secret:
+ secretName: # - Enter the secret name where config.json is added.
+
+ connectionInfo:
+ ## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost.
+ ##
+ host: "localhost"
+ ## @param database.connectionInfo.port PostgreSQL port
+ ##
+ port: "5432"
+ ## @param database.connectionInfo.dbName PostgreSQL database name
+ ##
+ dbName: # - Enter the PostgreSQL database name for testmonitor service
+ ## @param database.connectionInfo.user PostgreSQL username used by the service
+ ##
+ user: # - Enter the PostgreSQL username for the testmonitor service
+ ## @param database.connectionInfo.secretName The name of an existing secret with
+ ## PostgreSQL connection credentials
+ ##
+ secretName: # - Enter the secret name that contains the testmonitor service's Postgres SQL database connection credentials
+ ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret
+ ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set.
+ ##
+ # passwordKey: "passkey"
+ ## @param database.connectionInfo.migrationPasswordKey Password key for database.connectionInfo.migrationUser to be retrieved from existing secret
+ ## If unset database.connectionInfo.passwordKey is used instead.
+ ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set.
+ ##
+ # migrationPasswordKey: null
+
+ serviceAccount:
+ ## @param serviceAccount.annotations Annotations to add to the service account
+ ##
+ annotations:
+ {
+ iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project Id
+ }
+ ## @param serviceAccount.name The name of the service account to use.
+ ## If not set, a name is generated based on the service name
+ ##
+ name: ""
+
+fileingestion:
+ s3:
+ port: 443
+ bucket: # - Enter the name of the GCS bucket for fileingestion service
+ scheme: "https://"
+ host: "storage.googleapis.com"
+ region: # - Enter the region where the GCS bucket is located
+
+feedservice:
+ s3:
+ port: 443
+ bucket: # - Enter the name of the GCS bucket for feedservice service
+ scheme: "https://"
+ host: "storage.googleapis.com"
+ region: # - Enter the region where the GCS bucket is located
+
+saltmaster:
+ serviceTCP:
+ type: LoadBalancer
+
+nbexecservice:
+ s3:
+ port: 443
+ bucket: # - Enter the name of the GCS bucket for nbexecservice service
+ scheme: "https://"
+ host: "storage.googleapis.com"
+ region: # - Enter the region where the GCS bucket is located
diff --git a/getting-started/templates/OpenShift/openshift_supplemental_values.yaml b/getting-started/templates/OpenShift/openshift_supplemental_values.yaml
new file mode 100644
index 00000000..80aa17dd
--- /dev/null
+++ b/getting-started/templates/OpenShift/openshift_supplemental_values.yaml
@@ -0,0 +1,16 @@
+## Openshift prohibits running the pods as a root user. The redis and rabbitmq pods should be run as non-root users.
+## Disabling 'adaptSecurityContext' will restrict openshift from adapting security context values for the mentioned pods.
+## ref: https://github.com/bitnami/charts/issues/24251#:~:text=Perform%20automatic%20adaptation%20of%20securityContext%20sections%20in%20Openshift
+
+rabbitmq:
+ global:
+ compatibility:
+ openshift:
+ adaptSecurityContext: disabled
+
+webserver:
+ redis-cluster:
+ global:
+ compatibility:
+ openshift:
+ adaptSecurityContext: disabled
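Review bot: The `serviceAccount.annotations` flow mapping under `testmonitorservice` joins the annotation key and value with `=` instead of `: `, so YAML parses `iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com` as one key with a null value; Kubernetes requires annotation values to be strings, so the rendered ServiceAccount will most likely be rejected, and even if it is accepted the Workload Identity binding the annotation is meant to declare is never applied. The same mapping is repeated under `dashboardhost.grafana.serviceAccount` and `dynamicformfields.serviceAccount`. A block mapping with a quoted placeholder avoids both the separator and the null-value problem: `annotations:` followed by `  iam.gke.io/gcp-service-account: "<GSA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com"`. Separately, `grafana.ini.database.password` asks for the database password in plain text in this values file while the other services reference a `secretName`, and the commented `## url: postgres://dashboardhost:abc123@...` example carries a sample credential and an internal cluster hostname. A placeholder such as `<password>` in both places keeps realistic secrets out of a committed template and makes it obvious that the value should come from a Secret or an external store.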
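Review bot: The second header comment attributes the securityContext adaptation to OpenShift, but as I read the referenced Bitnami issue it is the chart's own `compatibility.openshift.adaptSecurityContext` logic: `auto` makes the chart drop its fixed `runAsUser`/`fsGroup` values so the OpenShift SCC can assign IDs, while `disabled` keeps the chart's hardcoded IDs, which then need an SCC that permits them. As written the comment reads as if `disabled` is what makes the pods non-root, which appears to be the opposite of the setting's effect. I would reword it to `## 'disabled' keeps the chart's own non-root securityContext values instead of letting the chart strip them for OpenShift's SCC; the target namespace must allow those UIDs.` and name the SCC this configuration was verified against, since a reader copying the template cannot otherwise tell why `disabled` rather than `auto` is the right choice here.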