From 062274b3f5dcca20dba0800ae2a792705548beee Mon Sep 17 00:00:00 2001
From: Priyadarshini Piramanayagam
Date: Wed, 11 Dec 2024 17:30:26 +0530
Subject: [PATCH 01/10] add gcp supplemental values
---
 .../os_gcp_supplemental_values.yaml | 286 ++++++++++++++++++
 1 file changed, 286 insertions(+)
 create mode 100644 getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml
diff --git a/getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml b/getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml
new file mode 100644
index 00000000..fe3799d8
--- /dev/null
+++ b/getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml
@@ -0,0 +1,286 @@ +global: + ingress: + api: + annotations: + kubernetes.io/ingress.class: # Enter the volume name where the token is mounted + ui: + annotations: + kubernetes.io/ingress.class: # Enter the volume name where the token is mounted + +rabbitmq: + global: + compatibility: + openshift: + adaptSecurityContext: disabled + +webserver: + redis-cluster: + global: + compatibility: + openshift: + adaptSecurityContext: disabled + +testmonitorservice: + ## Configuring sidecars for the Test Monitor Service + sidecars: + - name: cloud-sql-auth-proxy + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 + volumeMounts: + - name: # Enter the volume name where the token is mounted + readOnly: true + mountPath: /var/run/secrets/openshift/serviceaccount/ + - name: # Enter the volume name where config.json is mounted + mountPath: /secrets/ + readOnly: true + env: + - name: "GOOGLE_APPLICATION_CREDENTIALS" + value: /secrets/service_account.json + args: + # If connecting from a VPC-native GKE cluster, you can use the + # following flag to have the proxy connect over private IP + - "--private-ip" + # - "--auto-iam-authn" + + # Enable structured logging with LogEntry format: + - "--structured-logs" + - "--exit-zero-on-sigterm" + + # Replace DB_PORT with the port the proxy should listen on + - "--port=5432" + - "" # Enter the connection name from the CloudSQL instance + # - "--credentials-file=/var/run/secrets/openshift/serviceaccount/token" + securityContext: + # The default Cloud SQL Auth Proxy image runs as the + # "nonroot" user and group (uid: 65532) by default. + runAsNonRoot: true + # restartPolicy: Always + # You should use resource requests/limits as a best practice to prevent + # pods from consuming too many resources and affecting the execution of + # other pods. You should adjust the following values based on what your + # application needs. 
For details, see + # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + # The proxy's memory use scales linearly with the number of active + # connections. Fewer open connections will use less memory. Adjust + # this value based on your application's requirements. + memory: "1Gi" + # The proxy's CPU use scales linearly with the amount of IO between + # the database and the application. Adjust this value based on your + # application's requirements. + cpu: "1" + + ## Volumes that can be used in extra containers + extraVolumes: + - name: # Enter the volume name where the token is to be mounted + projected: + sources: + - serviceAccountToken: + audience: openshift + expirationSeconds: 3600 + path: token + - name: # Enter the volume name where config.json is to be mounted + secret: + secretName: # Enter the secret name where config.json going to be added. + + serviceAccount: + ## @param serviceAccount.annotations Annotations to add to the service account + ## + annotations: + { + iam.gke.io/gcp-service-account=YOUR-GSA-NAME@YOUR-GOOGLE-CLOUD-PROJECT.iam.gserviceaccount.com, + } + ## @param serviceAccount.name The name of the service account to use. 
+ ## If not set and create is true, a name is generated using the fullname template + ## + name: "" + +dashboardhost: + grafana: + ## Configuring extraContainers for the Dashboardhost service + extraContainers: | + - name: cloud-sql-auth-proxy + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 + volumeMounts: + - name: #ATTENTION Enter the volume name where the token is mounted + mountPath: /var/run/secrets/openshift/serviceaccount/ + readOnly: true + - name: #ATTENTION Enter the volume name where config.json is mounted + mountPath: /secrets/ + readOnly: true + env: + - name: "GOOGLE_APPLICATION_CREDENTIALS" + value: /secrets/service_account.json + # - name: DB_HOST + # valueFrom: + # secretKeyRef: + # name: "cloud-sql-ip" + # key: db_host + args: + # Add the below two args if using kubernetes version lesser than 1.29 + # Enable the admin api server on port 9091 + - "--admin-port=9091" + # Enable the /quitquitquit admin api endpoint + - "--quitquitquit" + # If connecting from a VPC-native GKE cluster, you can use the + # following flag to have the proxy connect over private IP + - "--private-ip" + + # Enable structured logging with LogEntry format: + - "--structured-logs" + - "--exit-zero-on-sigterm" + + # Replace DB_PORT with the port the proxy should listen on + - "--port=5432" + - "" # Enter the connection name from the CloudSQL instance + securityContext: + # The default Cloud SQL Auth Proxy image runs as the + # "nonroot" user and group (uid: 65532) by default. + runAsNonRoot: true + # You should use resource requests/limits as a best practice to prevent + # pods from consuming too many resources and affecting the execution of + # other pods. You should adjust the following values based on what your + # application needs. 
For details, see + # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + # restartPolicy: Always + resources: + requests: + # The proxy's memory use scales linearly with the number of active + # connections. Fewer open connections will use less memory. Adjust + # this value based on your application's requirements. + memory: "1Gi" + # The proxy's CPU use scales linearly with the amount of IO between + # the database and the application. Adjust this value based on your + # application's requirements. + cpu: "0.5" + + ## Volumes that can be used in extra containers + extraContainerVolumes: + - name: # Enter the volume name where the token is to be mounted + projected: + sources: + - serviceAccountToken: + audience: openshift + expirationSeconds: 3600 + path: token + - name: # Enter the volume name where config.json is to be mounted + secret: + secretName: # Enter the secret name where config.json going to be added. + + serviceAccount: + ## @param serviceAccount.annotations Annotations to add to the service account + ## + annotations: + { + iam.gke.io/gcp-service-account=YOUR-GSA-NAME@YOUR-GOOGLE-CLOUD-PROJECT.iam.gserviceaccount.com, + } + ## @param serviceAccount.name The name of the service account to use. 
+ ## If not set and create is true, a name is generated using the fullname template + ## + name: "" + +dynamicformfields: + ## Configuring sidecars for the Dynamic Form Fields Service + sidecars: + - name: cloud-sql-auth-proxy + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 + volumeMounts: + - name: # Enter the volume name where the token is mounted + readOnly: true + mountPath: /var/run/secrets/openshift/serviceaccount/ + - name: # Enter the volume name where config.json is mounted + mountPath: /secrets/ + readOnly: true + env: + - name: "GOOGLE_APPLICATION_CREDENTIALS" + value: /secrets/service_account.json + args: + # If connecting from a VPC-native GKE cluster, you can use the + # following flag to have the proxy connect over private IP + - "--private-ip" + # - "--auto-iam-authn" + + # Enable structured logging with LogEntry format: + - "--structured-logs" + - "--exit-zero-on-sigterm" + + # Replace DB_PORT with the port the proxy should listen on + - "--port=5432" + - "" # Enter the connection name from the CloudSQL instance + # - "--credentials-file=/var/run/secrets/openshift/serviceaccount/token" + securityContext: + # The default Cloud SQL Auth Proxy image runs as the + # "nonroot" user and group (uid: 65532) by default. + runAsNonRoot: true + # restartPolicy: Always + # You should use resource requests/limits as a best practice to prevent + # pods from consuming too many resources and affecting the execution of + # other pods. You should adjust the following values based on what your + # application needs. For details, see + # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + # The proxy's memory use scales linearly with the number of active + # connections. Fewer open connections will use less memory. Adjust + # this value based on your application's requirements. + memory: "1Gi" + # The proxy's CPU use scales linearly with the amount of IO between + # the database and the application. 
Adjust this value based on your + # application's requirements. + cpu: "1" + + ## Volumes that can be used in extra containers + extraVolumes: + - name: # Enter the volume name where the token is to be mounted + projected: + sources: + - serviceAccountToken: + audience: openshift + expirationSeconds: 3600 + path: token + - name: # Enter the volume name where config.json is to be mounted + secret: + secretName: # Enter the secret name where config.json going to be added. + + serviceAccount: + ## @param serviceAccount.annotations Annotations to add to the service account + ## + annotations: + { + iam.gke.io/gcp-service-account=YOUR-GSA-NAME@YOUR-GOOGLE-CLOUD-PROJECT.iam.gserviceaccount.com, + } + ## @param serviceAccount.name The name of the service account to use. + ## If not set and create is true, a name is generated using the fullname template + ## + name: "" + +fileingestion: + s3: + port: 443 + bucket: # Enter the name of the GCS bucket for fileingestion service + scheme: "https://" + host: "storage.googleapis.com" + +feedservice: + s3: + port: 443 + bucket: # Enter the name of the GCS bucket for feedservice service + scheme: "https://" + host: "storage.googleapis.com" + +saltmaster: + serviceTCP: + type: LoadBalancer + +nbexecservice: + argo: + ## Configure S3/MinIO access. + ## + artifactRepository: + s3: + bucket: # Enter the name of the GCS bucket for nbexecservice service + port: 443 + region: "us-east1" + insecure: false + scheme: "https://" + host: "storage.googleapis.com" From 518e5758ff283df5663eeb2cc3ee563ffc00a2f6 Mon Sep 17 00:00:00 2001 From: Priyadarshini Piramanayagam Date: Wed, 11 Dec 2024 21:04:19 +0530 Subject: [PATCH 02/10] add gcp supplemental values --- .../GCP/gcp-supplemental-values.yaml | 233 +++++++++++++++++ .../os_gcp_supplemental_values.yaml | 234 ------------------ 2 files changed, 233 insertions(+), 234 deletions(-) create mode 100644 getting-started/templates/GCP/gcp-supplemental-values.yaml 
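Review bot: The `serviceAccount.annotations` flow mapping under testmonitorservice, dashboardhost and dynamicformfields uses `=` where YAML needs `: `, so `{ iam.gke.io/gcp-service-account=YOUR-GSA-NAME@..., }` parses as one key with a null value and the Workload Identity binding is never applied; write it in block style as `annotations:` followed by `  iam.gke.io/gcp-service-account: "YOUR-GSA-NAME@YOUR-GOOGLE-CLOUD-PROJECT.iam.gserviceaccount.com"`. The same three mappings are carried unchanged into getting-started/templates/GCP/gcp-supplemental-values.yaml in the next patch. Separately, `saltmaster.serviceTCP.type: LoadBalancer` provisions an externally reachable address by default; unless the salt master is meant to be public, add a comment plus the GKE annotation `networking.gke.io/load-balancer-type: "Internal"` (or a `loadBalancerSourceRanges` restriction), assuming the chart exposes those fields. Finally, the comments describe the mounted secret as config.json while `GOOGLE_APPLICATION_CREDENTIALS` points at `/secrets/service_account.json`; if that file is a long-lived service-account key the projected token volume is redundant, and if it is the Workload Identity Federation credential configuration the names should agree, so a one-line comment stating which it is would remove the ambiguity.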
diff --git a/getting-started/templates/GCP/gcp-supplemental-values.yaml b/getting-started/templates/GCP/gcp-supplemental-values.yaml
new file mode 100644
index 00000000..e64bc724
--- /dev/null
+++ b/getting-started/templates/GCP/gcp-supplemental-values.yaml
@@ -0,0 +1,233 @@ +testmonitorservice: + ## Configuring sidecars for the Test Monitor Service + sidecars: + - name: cloud-sql-auth-proxy + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 + volumeMounts: + - name: # Enter the volume name where the token is mounted + readOnly: true + mountPath: # Enter the path where the token is mounted + - name: # Enter the volume name where config.json is mounted + mountPath: /secrets/ + readOnly: true + env: + - name: "GOOGLE_APPLICATION_CREDENTIALS" + value: /secrets/service_account.json + args: + # If connecting from a VPC-native GKE cluster, you can use the + # following flag to have the proxy connect over private IP + - "--private-ip" + # - "--auto-iam-authn" + + # Enable structured logging with LogEntry format: + - "--structured-logs" + - "--exit-zero-on-sigterm" + + # Replace DB_PORT with the port the proxy should listen on + - "--port=5432" + - "" # Enter the connection name from the CloudSQL instance + # - "--credentials-file=/token" + securityContext: + # The default Cloud SQL Auth Proxy image runs as the + # "nonroot" user and group (uid: 65532) by default. + runAsNonRoot: true + restartPolicy: Always + # You should use resource requests/limits as a best practice to prevent + # pods from consuming too many resources and affecting the execution of + # other pods. You should adjust the following values based on what your + # application needs. For details, see + # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + # The proxy's memory use scales linearly with the number of active + # connections. Fewer open connections will use less memory. Adjust + # this value based on your application's requirements. + memory: "1Gi" + # The proxy's CPU use scales linearly with the amount of IO between + # the database and the application. Adjust this value based on your + # application's requirements. 
+ cpu: "1" + + ## Volumes that can be used in extra containers + extraVolumes: + - name: # Enter the volume name where the token is to be mounted + projected: + sources: + - serviceAccountToken: + audience: # Enter the audience name for the projected service account token + expirationSeconds: 3600 + path: token + - name: # Enter the volume name where config.json is to be mounted + secret: + secretName: # Enter the secret name where config.json going to be added. + + serviceAccount: + ## @param serviceAccount.annotations Annotations to add to the service account + ## + annotations: + { + iam.gke.io/gcp-service-account=YOUR-GSA-NAME@YOUR-GOOGLE-CLOUD-PROJECT.iam.gserviceaccount.com, + } + ## @param serviceAccount.name The name of the service account to use. + ## If not set and create is true, a name is generated using the fullname template + ## + name: "" + +dashboardhost: + grafana: + ## Configuring extraContainers for the Dashboardhost service + extraContainers: | + - name: cloud-sql-auth-proxy + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 + volumeMounts: + - name: #ATTENTION Enter the volume name where the token is mounted + mountPath: # Enter the path where the token is mounted + readOnly: true + - name: #ATTENTION Enter the volume name where config.json is mounted + mountPath: /secrets/ + readOnly: true + env: + - name: "GOOGLE_APPLICATION_CREDENTIALS" + value: /secrets/service_account.json + # - name: DB_HOST + # valueFrom: + # secretKeyRef: + # name: "cloud-sql-ip" + # key: db_host + args: + # Add the below two args if using kubernetes version lesser than 1.29 + # Enable the admin api server on port 9091 + - "--admin-port=9091" + # Enable the /quitquitquit admin api endpoint + - "--quitquitquit" + # If connecting from a VPC-native GKE cluster, you can use the + # following flag to have the proxy connect over private IP + - "--private-ip" + + # Enable structured logging with LogEntry format: + - "--structured-logs" + - "--exit-zero-on-sigterm" + + 
# Replace DB_PORT with the port the proxy should listen on + - "--port=5432" + - "" # Enter the connection name from the CloudSQL instance + securityContext: + # The default Cloud SQL Auth Proxy image runs as the + # "nonroot" user and group (uid: 65532) by default. + runAsNonRoot: true + # You should use resource requests/limits as a best practice to prevent + # pods from consuming too many resources and affecting the execution of + # other pods. You should adjust the following values based on what your + # application needs. For details, see + # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + restartPolicy: Always + resources: + requests: + # The proxy's memory use scales linearly with the number of active + # connections. Fewer open connections will use less memory. Adjust + # this value based on your application's requirements. + memory: "1Gi" + # The proxy's CPU use scales linearly with the amount of IO between + # the database and the application. Adjust this value based on your + # application's requirements. + cpu: "0.5" + + ## Volumes that can be used in extra containers + extraContainerVolumes: + - name: # Enter the volume name where the token is to be mounted + projected: + sources: + - serviceAccountToken: + audience: # Enter the audience for the projected service account token + expirationSeconds: 3600 + path: token + - name: # Enter the volume name where config.json is to be mounted + secret: + secretName: # Enter the secret name where config.json going to be added. + + serviceAccount: + ## @param serviceAccount.annotations Annotations to add to the service account + ## + annotations: + { + iam.gke.io/gcp-service-account=YOUR-GSA-NAME@YOUR-GOOGLE-CLOUD-PROJECT.iam.gserviceaccount.com, + } + ## @param serviceAccount.name The name of the service account to use. 
+ ## If not set and create is true, a name is generated using the fullname template + ## + name: "" + +dynamicformfields: + ## Configuring sidecars for the Dynamic Form Fields Service + sidecars: + - name: cloud-sql-auth-proxy + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 + volumeMounts: + - name: # Enter the volume name where the token is mounted + readOnly: true + mountPath: # Enter the path where the token is mounted + - name: # Enter the volume name where config.json is mounted + mountPath: /secrets/ + readOnly: true + env: + - name: "GOOGLE_APPLICATION_CREDENTIALS" + value: /secrets/service_account.json + args: + # If connecting from a VPC-native GKE cluster, you can use the + # following flag to have the proxy connect over private IP + - "--private-ip" + # - "--auto-iam-authn" + + # Enable structured logging with LogEntry format: + - "--structured-logs" + - "--exit-zero-on-sigterm" + + # Replace DB_PORT with the port the proxy should listen on + - "--port=5432" + - "" # Enter the connection name from the CloudSQL instance + # - "--credentials-file=/token" + securityContext: + # The default Cloud SQL Auth Proxy image runs as the + # "nonroot" user and group (uid: 65532) by default. + runAsNonRoot: true + restartPolicy: Always + # You should use resource requests/limits as a best practice to prevent + # pods from consuming too many resources and affecting the execution of + # other pods. You should adjust the following values based on what your + # application needs. For details, see + # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + # The proxy's memory use scales linearly with the number of active + # connections. Fewer open connections will use less memory. Adjust + # this value based on your application's requirements. + memory: "1Gi" + # The proxy's CPU use scales linearly with the amount of IO between + # the database and the application. 
Adjust this value based on your + # application's requirements. + cpu: "1" + + ## Volumes that can be used in extra containers + extraVolumes: + - name: # Enter the volume name where the token is to be mounted + projected: + sources: + - serviceAccountToken: + audience: # Enter the audience for the projected service account token + expirationSeconds: 3600 + path: token + - name: # Enter the volume name where config.json is to be mounted + secret: + secretName: # Enter the secret name where config.json going to be added. + + serviceAccount: + ## @param serviceAccount.annotations Annotations to add to the service account + ## + annotations: + { + iam.gke.io/gcp-service-account=YOUR-GSA-NAME@YOUR-GOOGLE-CLOUD-PROJECT.iam.gserviceaccount.com, + } + ## @param serviceAccount.name The name of the service account to use. + ## If not set and create is true, a name is generated using the fullname template + ## + name: "" diff --git a/getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml b/getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml index fe3799d8..e901b43e 100644 --- a/getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml +++ b/getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml 
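Review bot: `restartPolicy: Always` is now uncommented on the cloud-sql-auth-proxy entries in `sidecars` and in Grafana's `extraContainers`, while the Grafana args still carry `--admin-port=9091`/`--quitquitquit` "if using kubernetes version lesser than 1.29"; the two target different sidecar models, and as far as I recall a container-level `restartPolicy` is only accepted on an init container with the SidecarContainers feature and is rejected on a regular `containers` entry, so whether this renders depends on where each chart places the sidecar. Either pin the supported Kubernetes version in a comment and keep one mechanism, or document which one applies to which chart. The token `mountPath` and `audience` placeholders are now null, but the commented hint `# - "--credentials-file=/token"` still assumes the token is mounted at `/`; change it to `# - "--credentials-file=<token mountPath>/token"` so a reader fills both consistently.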
@@ -20,240 +20,6 @@ webserver: openshift: adaptSecurityContext: disabled -testmonitorservice: - ## Configuring sidecars for the Test Monitor Service - sidecars: - - name: cloud-sql-auth-proxy - image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 - volumeMounts: - - name: # Enter the volume name where the token is mounted - readOnly: true - mountPath: /var/run/secrets/openshift/serviceaccount/ - - name: # Enter the volume name where config.json is mounted - mountPath: /secrets/ - readOnly: true - env: - - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: /secrets/service_account.json - args: - # If connecting from a VPC-native GKE cluster, you can use the - # following flag to have the proxy connect over private IP - - "--private-ip" - # - "--auto-iam-authn" - - # Enable structured logging with LogEntry format: - - "--structured-logs" - - "--exit-zero-on-sigterm" - - # Replace DB_PORT with the port the proxy should listen on - - "--port=5432" - - "" # Enter the connection name from the CloudSQL instance - # - "--credentials-file=/var/run/secrets/openshift/serviceaccount/token" - securityContext: - # The default Cloud SQL Auth Proxy image runs as the - # "nonroot" user and group (uid: 65532) by default. - runAsNonRoot: true - # restartPolicy: Always - # You should use resource requests/limits as a best practice to prevent - # pods from consuming too many resources and affecting the execution of - # other pods. You should adjust the following values based on what your - # application needs. For details, see - # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: - requests: - # The proxy's memory use scales linearly with the number of active - # connections. Fewer open connections will use less memory. Adjust - # this value based on your application's requirements. - memory: "1Gi" - # The proxy's CPU use scales linearly with the amount of IO between - # the database and the application. 
Adjust this value based on your - # application's requirements. - cpu: "1" - - ## Volumes that can be used in extra containers - extraVolumes: - - name: # Enter the volume name where the token is to be mounted - projected: - sources: - - serviceAccountToken: - audience: openshift - expirationSeconds: 3600 - path: token - - name: # Enter the volume name where config.json is to be mounted - secret: - secretName: # Enter the secret name where config.json going to be added. - - serviceAccount: - ## @param serviceAccount.annotations Annotations to add to the service account - ## - annotations: - { - iam.gke.io/gcp-service-account=YOUR-GSA-NAME@YOUR-GOOGLE-CLOUD-PROJECT.iam.gserviceaccount.com, - } - ## @param serviceAccount.name The name of the service account to use. - ## If not set and create is true, a name is generated using the fullname template - ## - name: "" - -dashboardhost: - grafana: - ## Configuring extraContainers for the Dashboardhost service - extraContainers: | - - name: cloud-sql-auth-proxy - image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 - volumeMounts: - - name: #ATTENTION Enter the volume name where the token is mounted - mountPath: /var/run/secrets/openshift/serviceaccount/ - readOnly: true - - name: #ATTENTION Enter the volume name where config.json is mounted - mountPath: /secrets/ - readOnly: true - env: - - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: /secrets/service_account.json - # - name: DB_HOST - # valueFrom: - # secretKeyRef: - # name: "cloud-sql-ip" - # key: db_host - args: - # Add the below two args if using kubernetes version lesser than 1.29 - # Enable the admin api server on port 9091 - - "--admin-port=9091" - # Enable the /quitquitquit admin api endpoint - - "--quitquitquit" - # If connecting from a VPC-native GKE cluster, you can use the - # following flag to have the proxy connect over private IP - - "--private-ip" - - # Enable structured logging with LogEntry format: - - "--structured-logs" - - 
"--exit-zero-on-sigterm" - - # Replace DB_PORT with the port the proxy should listen on - - "--port=5432" - - "" # Enter the connection name from the CloudSQL instance - securityContext: - # The default Cloud SQL Auth Proxy image runs as the - # "nonroot" user and group (uid: 65532) by default. - runAsNonRoot: true - # You should use resource requests/limits as a best practice to prevent - # pods from consuming too many resources and affecting the execution of - # other pods. You should adjust the following values based on what your - # application needs. For details, see - # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - # restartPolicy: Always - resources: - requests: - # The proxy's memory use scales linearly with the number of active - # connections. Fewer open connections will use less memory. Adjust - # this value based on your application's requirements. - memory: "1Gi" - # The proxy's CPU use scales linearly with the amount of IO between - # the database and the application. Adjust this value based on your - # application's requirements. - cpu: "0.5" - - ## Volumes that can be used in extra containers - extraContainerVolumes: - - name: # Enter the volume name where the token is to be mounted - projected: - sources: - - serviceAccountToken: - audience: openshift - expirationSeconds: 3600 - path: token - - name: # Enter the volume name where config.json is to be mounted - secret: - secretName: # Enter the secret name where config.json going to be added. - - serviceAccount: - ## @param serviceAccount.annotations Annotations to add to the service account - ## - annotations: - { - iam.gke.io/gcp-service-account=YOUR-GSA-NAME@YOUR-GOOGLE-CLOUD-PROJECT.iam.gserviceaccount.com, - } - ## @param serviceAccount.name The name of the service account to use. 
- ## If not set and create is true, a name is generated using the fullname template - ## - name: "" - -dynamicformfields: - ## Configuring sidecars for the Dynamic Form Fields Service - sidecars: - - name: cloud-sql-auth-proxy - image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 - volumeMounts: - - name: # Enter the volume name where the token is mounted - readOnly: true - mountPath: /var/run/secrets/openshift/serviceaccount/ - - name: # Enter the volume name where config.json is mounted - mountPath: /secrets/ - readOnly: true - env: - - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: /secrets/service_account.json - args: - # If connecting from a VPC-native GKE cluster, you can use the - # following flag to have the proxy connect over private IP - - "--private-ip" - # - "--auto-iam-authn" - - # Enable structured logging with LogEntry format: - - "--structured-logs" - - "--exit-zero-on-sigterm" - - # Replace DB_PORT with the port the proxy should listen on - - "--port=5432" - - "" # Enter the connection name from the CloudSQL instance - # - "--credentials-file=/var/run/secrets/openshift/serviceaccount/token" - securityContext: - # The default Cloud SQL Auth Proxy image runs as the - # "nonroot" user and group (uid: 65532) by default. - runAsNonRoot: true - # restartPolicy: Always - # You should use resource requests/limits as a best practice to prevent - # pods from consuming too many resources and affecting the execution of - # other pods. You should adjust the following values based on what your - # application needs. For details, see - # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: - requests: - # The proxy's memory use scales linearly with the number of active - # connections. Fewer open connections will use less memory. Adjust - # this value based on your application's requirements. - memory: "1Gi" - # The proxy's CPU use scales linearly with the amount of IO between - # the database and the application. 
Adjust this value based on your - # application's requirements. - cpu: "1" - - ## Volumes that can be used in extra containers - extraVolumes: - - name: # Enter the volume name where the token is to be mounted - projected: - sources: - - serviceAccountToken: - audience: openshift - expirationSeconds: 3600 - path: token - - name: # Enter the volume name where config.json is to be mounted - secret: - secretName: # Enter the secret name where config.json going to be added. - - serviceAccount: - ## @param serviceAccount.annotations Annotations to add to the service account - ## - annotations: - { - iam.gke.io/gcp-service-account=YOUR-GSA-NAME@YOUR-GOOGLE-CLOUD-PROJECT.iam.gserviceaccount.com, - } - ## @param serviceAccount.name The name of the service account to use. - ## If not set and create is true, a name is generated using the fullname template - ## - name: "" - fileingestion: s3: port: 443 From c9c151e502e7c72f6c6fdfe34b7be10bed437b4e Mon Sep 17 00:00:00 2001 From: Priyadarshini Piramanayagam Date: Thu, 12 Dec 2024 13:03:37 +0530 Subject: [PATCH 03/10] fix: split the docs into gcp and os --- .../openshift_supplemental_values.yaml | 12 ++ .../GCP/gcp-supplemental-values.yaml | 159 +++++++++++++++--- .../os_gcp_supplemental_values.yaml | 52 ------ 3 files changed, 152 insertions(+), 71 deletions(-) create mode 100644 getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml delete mode 100644 getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml diff --git a/getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml b/getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml new file mode 100644 index 00000000..51ca73e2 --- /dev/null +++ b/getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml 
@@ -0,0 +1,12 @@ +rabbitmq: + global: + compatibility: + openshift: + adaptSecurityContext: disabled + +webserver: + redis-cluster: + global: + compatibility: + openshift: + adaptSecurityContext: disabled diff --git a/getting-started/templates/GCP/gcp-supplemental-values.yaml b/getting-started/templates/GCP/gcp-supplemental-values.yaml index e64bc724..e0a63c54 100644 --- a/getting-started/templates/GCP/gcp-supplemental-values.yaml +++ b/getting-started/templates/GCP/gcp-supplemental-values.yaml @@ -1,5 +1,15 @@ +global: + ingress: + api: + annotations: + kubernetes.io/ingress.class: # Enter the ingress class used + ui: + annotations: + kubernetes.io/ingress.class: # Enter the ingress class used + testmonitorservice: ## Configuring sidecars for the Test Monitor Service + ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern sidecars: - name: cloud-sql-auth-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 @@ -17,7 +27,7 @@ testmonitorservice: # If connecting from a VPC-native GKE cluster, you can use the # following flag to have the proxy connect over private IP - "--private-ip" - # - "--auto-iam-authn" + - "--auto-iam-authn" # Enable structured logging with LogEntry format: - "--structured-logs" @@ -26,7 +36,7 @@ testmonitorservice: # Replace DB_PORT with the port the proxy should listen on - "--port=5432" - "" # Enter the connection name from the CloudSQL instance - # - "--credentials-file=/token" + # - "--credentials-file=/token" securityContext: # The default Cloud SQL Auth Proxy image runs as the # "nonroot" user and group (uid: 65532) by default. @@ -48,7 +58,7 @@ testmonitorservice: # application's requirements. cpu: "1" - ## Volumes that can be used in extra containers + ## Volumes that can be used in sidecars extraVolumes: - name: # Enter the volume name where the token is to be mounted projected: 
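Review bot: `adaptSecurityContext: disabled` is set for rabbitmq and the webserver's redis-cluster with no comment saying why. If this is the Bitnami `global.compatibility.openshift` switch, `disabled` means the charts' own fixed-UID/fsGroup security contexts are rendered unchanged, which the default restricted SCC rejects unless those pods' service accounts are bound to a more permissive SCC — a privilege decision that should be stated next to the setting. Suggest `# Keep chart-defined securityContexts; the pods' service accounts must be bound to an SCC that allows the fixed UIDs` above each occurrence, or `auto` if the charts' own adaptation works for this deployment.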
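Review bot: `kubernetes.io/ingress.class:` is left as a bare empty value under both `global.ingress.api` and `global.ingress.ui`, and the comment does not say that this choice decides whether the API and UI are published on an external or an internal GKE load balancer (`gce` versus `gce-internal`). Since these are the deployment's entry points, make the exposure decision explicit in the placeholder comment: `kubernetes.io/ingress.class: # Enter the ingress class: "gce-internal" for a VPC-only load balancer, "gce" for a public one`. Note also that this annotation has been deprecated in favour of `spec.ingressClassName` since Kubernetes 1.18; whether the chart exposes that field is not visible here.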
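Review bot: `--auto-iam-authn` flips from commented-out to enabled with no note about what it changes: the proxy now authenticates to Cloud SQL with the workload's IAM identity, the password held in the connection secret no longer authenticates the session, and the PostgreSQL user must be the IAM principal (for a service account, its email without the `.gserviceaccount.com` suffix) granted the Cloud SQL Instance User role. The same flip is made for dashboardhost's Grafana `extraContainers` and for dynamicformfields later in this patch. Suggest a comment above the flag, `# IAM database authentication: the DB user must be the IAM principal; the secret password is not used`, and mirroring it on the `connectionInfo.user` placeholder so the two are filled consistently.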
@@ -61,6 +71,33 @@ testmonitorservice: secret: secretName: # Enter the secret name where config.json going to be added. + connectionInfo: + ## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost. + ## + host: "localhost" + ## @param database.connectionInfo.port PostgreSQL port + ## + port: + ## @param database.connectionInfo.dbName PostgreSQL database name + ## + dbName: + ## @param database.connectionInfo.user PostgreSQL username used by the service + ## + user: + ## @param database.connectionInfo.secretName The name of an existing secret with + ## PostgreSQL connection credentials + ## + secretName: + ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret + ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. + ## + # passwordKey: "passkey" + ## @param database.connectionInfo.migrationPasswordKey Password key for database.connectionInfo.migrationUser to be retrieved from existing secret + ## If unset database.connectionInfo.passwordKey is used instead. + ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. + ## + migrationPasswordKey: null + serviceAccount: ## @param serviceAccount.annotations Annotations to add to the service account ## @@ -76,6 +113,7 @@ testmonitorservice: dashboardhost: grafana: ## Configuring extraContainers for the Dashboardhost service + ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern extraContainers: | - name: cloud-sql-auth-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 
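Review bot: `port:`, `dbName:`, `user:` and `secretName:` are bare empty values, which parse as null rather than as unset-string placeholders, and `port` has a known answer here: the sidecar listens on `--port=5432`, so `port: 5432` should be set so the two cannot drift (the same applies to the dashboardhost `connectionInfo` block later in this patch). The `## @param database.connectionInfo.*` labels name a `database.` path that does not exist under `testmonitorservice`, so they look copied from a chart README; rename them to the real path or drop the prefix. With `passwordKey` commented out and `migrationPasswordKey: null`, neither key is supplied and the key the chart actually reads from the secret is its own default, not visible here; spelling out `passwordKey` (at minimum as a placeholder) keeps the expected secret layout in the template where an operator will look for it.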
@@ -95,22 +133,19 @@ dashboardhost: # name: "cloud-sql-ip" # key: db_host args: - # Add the below two args if using kubernetes version lesser than 1.29 - # Enable the admin api server on port 9091 - - "--admin-port=9091" - # Enable the /quitquitquit admin api endpoint - - "--quitquitquit" - # If connecting from a VPC-native GKE cluster, you can use the - # following flag to have the proxy connect over private IP - - "--private-ip" + # If connecting from a VPC-native GKE cluster, you can use the + # following flag to have the proxy connect over private IP + - "--private-ip" + - "--auto-iam-authn" - # Enable structured logging with LogEntry format: - - "--structured-logs" - - "--exit-zero-on-sigterm" + # Enable structured logging with LogEntry format: + - "--structured-logs" + - "--exit-zero-on-sigterm" - # Replace DB_PORT with the port the proxy should listen on - - "--port=5432" - - "" # Enter the connection name from the CloudSQL instance + # Replace DB_PORT with the port the proxy should listen on + - "--port=5432" + - "" # Enter the connection name from the CloudSQL instance + # - "--credentials-file=/token" securityContext: # The default Cloud SQL Auth Proxy image runs as the # "nonroot" user and group (uid: 65532) by default. 
@@ -145,6 +180,33 @@ dashboardhost: secret: secretName: # Enter the secret name where config.json going to be added. + connectionInfo: + ## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost. + ## + host: "localhost" + ## @param database.connectionInfo.port PostgreSQL port + ## + port: + ## @param database.connectionInfo.dbName PostgreSQL database name + ## + dbName: + ## @param database.connectionInfo.user PostgreSQL username used by the service + ## + user: + ## @param database.connectionInfo.secretName The name of an existing secret with + ## PostgreSQL connection credentials + ## + secretName: + ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret + ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. + ## + # passwordKey: "passkey" + ## @param database.connectionInfo.migrationPasswordKey Password key for database.connectionInfo.migrationUser to be retrieved from existing secret + ## If unset database.connectionInfo.passwordKey is used instead. + ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. + ## + migrationPasswordKey: null + serviceAccount: ## @param serviceAccount.annotations Annotations to add to the service account ## @@ -159,6 +221,7 @@ dashboardhost: dynamicformfields: ## Configuring sidecars for the Dynamic Form Fields Service + ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern sidecars: - name: cloud-sql-auth-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 @@ -176,7 +239,7 @@ dynamicformfields: # If connecting from a VPC-native GKE cluster, you can use the # following flag to have the proxy connect over private IP - "--private-ip" - # - "--auto-iam-authn" + - "--auto-iam-authn" # Enable structured logging with LogEntry format: - "--structured-logs" 
@@ -185,7 +248,7 @@ dynamicformfields: # Replace DB_PORT with the port the proxy should listen on - "--port=5432" - "" # Enter the connection name from the CloudSQL instance - # - "--credentials-file=/token" + # - "--credentials-file=/token" securityContext: # The default Cloud SQL Auth Proxy image runs as the # "nonroot" user and group (uid: 65532) by default. @@ -220,6 +283,33 @@ dynamicformfields: secret: secretName: # Enter the secret name where config.json going to be added. + connectionInfo: + ## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost + ## + host: "localhost" + ## @param database.connectionInfo.port PostgreSQL port + ## + port: + ## @param database.connectionInfo.dbName PostgreSQL database name + ## + dbName: + ## @param database.connectionInfo.user PostgreSQL username used by the service + ## + user: + ## @param database.connectionInfo.secretName The name of an existing secret with + ## PostgreSQL connection credentials + ## + secretName: + ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret + ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. + ## + # passwordKey: "passkey" + ## @param database.connectionInfo.migrationPasswordKey Password key for database.connectionInfo.migrationUser to be retrieved from existing secret + ## If unset database.connectionInfo.passwordKey is used instead. + ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. + ## + migrationPasswordKey: null + serviceAccount: ## @param serviceAccount.annotations Annotations to add to the service account ## 
@@ -231,3 +321,34 @@ dynamicformfields: ## If not set and create is true, a name is generated using the fullname template ## name: "" + +fileingestion: + s3: + port: 443 + bucket: # Enter the name of the GCS bucket for fileingestion service + scheme: "https://" + host: "storage.googleapis.com" + +feedservice: + s3: + port: 443 + bucket: # Enter the name of the GCS bucket for feedservice service + scheme: "https://" + host: "storage.googleapis.com" + +saltmaster: + serviceTCP: + type: LoadBalancer + +nbexecservice: + argo: + ## Configure S3/MinIO access. + ## + artifactRepository: + s3: + bucket: # Enter the name of the GCS bucket for nbexecservice service + port: 443 + region: "us-east1" + insecure: false + scheme: "https://" + host: "storage.googleapis.com" diff --git a/getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml b/getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml deleted file mode 100644 index e901b43e..00000000 --- a/getting-started/templates/Openshift-GCP/os_gcp_supplemental_values.yaml +++ /dev/null 
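Review bot: `saltmaster.serviceTCP.type: LoadBalancer` in `@@ -231,3 +321,34 @@` provisions an externally reachable load balancer on GCP with no source restriction, which is a wider exposure than the other additions in this hunk, whose only external traffic is outbound to `storage.googleapis.com`. If the chart passes Service fields through, add `loadBalancerSourceRanges` listing the minion CIDRs, or the GKE internal-LB annotation `networking.gke.io/load-balancer-type: "Internal"` when the minions are on the same VPC. If it does not, a comment stating that this exposes the salt master publicly and must be restricted by VPC firewall rules would at least make the decision visible to whoever applies this file.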
@@ -1,52 +0,0 @@ -global: - ingress: - api: - annotations: - kubernetes.io/ingress.class: # Enter the volume name where the token is mounted - ui: - annotations: - kubernetes.io/ingress.class: # Enter the volume name where the token is mounted - -rabbitmq: - global: - compatibility: - openshift: - adaptSecurityContext: disabled - -webserver: - redis-cluster: - global: - compatibility: - openshift: - adaptSecurityContext: disabled - -fileingestion: - s3: - port: 443 - bucket: # Enter the name of the GCS bucket for fileingestion service - scheme: "https://" - host: "storage.googleapis.com" - -feedservice: - s3: - port: 443 - bucket: # Enter the name of the GCS bucket for feedservice service - scheme: "https://" - host: "storage.googleapis.com" - -saltmaster: - serviceTCP: - type: LoadBalancer - -nbexecservice: - argo: - ## Configure S3/MinIO access. - ## - artifactRepository: - s3: - bucket: # Enter the name of the GCS bucket for nbexecservice service - port: 443 - region: "us-east1" - insecure: false - scheme: "https://" - host: "storage.googleapis.com" From ddbe56bb1382b273a10a46ceb9a23137432899c3 Mon Sep 17 00:00:00 2001 From: Priyadarshini Piramanayagam Date: Fri, 13 Dec 2024 19:50:26 +0530 Subject: [PATCH 04/10] add comments --- .../openshift_supplemental_values.yaml | 2 + .../GCP/gcp-supplemental-values.yaml | 88 ++++++++++++------- 2 files changed, 57 insertions(+), 33 deletions(-) diff --git a/getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml b/getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml index 51ca73e2..50182f2a 100644 --- a/getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml +++ b/getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml 
@@ -1,3 +1,5 @@ +## Openshift prohibits running the pods as a root user. The redis and rabbitmq pods should be run as non-root users. +## Disabling 'adaptSecurityContext' will restrict openshift from adapting security context values for the mentioned pods. rabbitmq: global: compatibility: diff --git a/getting-started/templates/GCP/gcp-supplemental-values.yaml b/getting-started/templates/GCP/gcp-supplemental-values.yaml index e0a63c54..72833ab8 100644 --- a/getting-started/templates/GCP/gcp-supplemental-values.yaml +++ b/getting-started/templates/GCP/gcp-supplemental-values.yaml 
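Review bot: The second comment line added in `@@ -1,3 +1,5 @@` attributes the adaptation to OpenShift, but `global.compatibility.openshift.adaptSecurityContext` is a Bitnami chart knob: assuming the upstream semantics, `auto`/`force` make the chart strip `runAsUser`/`runAsGroup`/`fsGroup` so the OpenShift SCC can assign IDs, and `disabled` makes the chart keep its own explicit non-root IDs. A more accurate second line would be `## Setting adaptSecurityContext to 'disabled' stops the Bitnami chart from stripping its securityContext for OpenShift, so the pods keep the chart's explicit non-root UID/GID.` It would also help to state which SCC or namespace UID range those pods are expected to run under, because with the adaptation disabled the hard-coded IDs must be permitted by the cluster; the rename hunk in the later patch adds the issue link but not that detail.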
@@ -14,29 +14,36 @@ testmonitorservice: - name: cloud-sql-auth-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 volumeMounts: + # This volume mount is required for the proxy to authenticate with cloudSQL using a service account key file. - name: # Enter the volume name where the token is mounted - readOnly: true mountPath: # Enter the path where the token is mounted + readOnly: true + # This volume mount is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: # Enter the volume name where config.json is mounted mountPath: /secrets/ readOnly: true env: - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: /secrets/service_account.json + value: /secrets/ # Enter the key which was used while creating the secret args: # If connecting from a VPC-native GKE cluster, you can use the # following flag to have the proxy connect over private IP - "--private-ip" + + # If you are not connecting with Automatic IAM, you can delete the following flag. - "--auto-iam-authn" # Enable structured logging with LogEntry format: - "--structured-logs" + + # Ensures the proxy exits gracefully with a 0 exit code when it receives a SIGTERM signal - "--exit-zero-on-sigterm" - # Replace DB_PORT with the port the proxy should listen on - "--port=5432" - "" # Enter the connection name from the CloudSQL instance - # - "--credentials-file=/token" + + # The credentials file is required for the proxy to authenticate using a service account key file. + - "--credentials-file=/secrets/" # Enter the key which was used while creating the secret securityContext: # The default Cloud SQL Auth Proxy image runs as the # "nonroot" user and group (uid: 65532) by default. 
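Review bot: In `@@ -14,29 +14,36 @@`, the comment on the first volume mount says it is for authenticating "using a service account key file", but the mounted object is the token volume (`mountPath: # Enter the path where the token is mounted`), which the next hunk defines as a projected `serviceAccountToken` with an audience — that is the Workload Identity Federation token, not a key file. The two labels appear swapped or conflated: WIF needs both the projected token and the config.json that references it, whereas a key file needs neither. The new `--credentials-file=/secrets/` line carries the same "service account key file" wording while pointing at the config.json mount; if a real JSON key is intended, the file should say so explicitly, since that means a long-lived credential stored in a Secret where the keyless projected-token path is already wired up. Suggested rewording for the first mount: `# Projected service account token used for Workload Identity Federation; not needed when authenticating with a service account key file.` The same comment pairs recur in the `@@ -58,8 +65,9 @@`, `@@ -118,44 +127,46 @@`, `@@ -165,20 +176,22 @@`, `@@ -226,29 +239,36 @@` and `@@ -270,15 +290,17 @@` hunks.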
@@ -58,8 +65,9 @@ testmonitorservice: # application's requirements. cpu: "1" - ## Volumes that can be used in sidecars + ## Extra volumes that can be used in sidecars extraVolumes: + # This volume is required for the proxy to authenticate with cloudSQL using a service account key file. - name: # Enter the volume name where the token is to be mounted projected: sources: @@ -67,6 +75,7 @@ testmonitorservice: audience: # Enter the audience name for the projected service account token expirationSeconds: 3600 path: token + # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: # Enter the volume name where config.json is to be mounted secret: secretName: # Enter the secret name where config.json going to be added. @@ -77,7 +86,7 @@ testmonitorservice: host: "localhost" ## @param database.connectionInfo.port PostgreSQL port ## - port: + port: "5432" ## @param database.connectionInfo.dbName PostgreSQL database name ## dbName: 
@@ -118,44 +127,46 @@ dashboardhost: - name: cloud-sql-auth-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 volumeMounts: - - name: #ATTENTION Enter the volume name where the token is mounted - mountPath: # Enter the path where the token is mounted - readOnly: true - - name: #ATTENTION Enter the volume name where config.json is mounted - mountPath: /secrets/ - readOnly: true + # This volume mount is required for the proxy to authenticate with cloudSQL using a service account key file. + - name: # Enter the volume name where the token is mounted + mountPath: # Enter the path where the token is mounted + readOnly: true + # This volume mount is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. + - name: # Enter the volume name where config.json is mounted + mountPath: /secrets/ + readOnly: true env: - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: /secrets/service_account.json - # - name: DB_HOST - # valueFrom: - # secretKeyRef: - # name: "cloud-sql-ip" - # key: db_host + value: /secrets/ # Enter the key which was used while creating the secret args: # If connecting from a VPC-native GKE cluster, you can use the # following flag to have the proxy connect over private IP - "--private-ip" + + # If you are not connecting with Automatic IAM, you can delete the following flag. - "--auto-iam-authn" # Enable structured logging with LogEntry format: - "--structured-logs" + + # Ensures the proxy exits gracefully with a 0 exit code when it receives a SIGTERM signal - "--exit-zero-on-sigterm" - # Replace DB_PORT with the port the proxy should listen on - "--port=5432" - "" # Enter the connection name from the CloudSQL instance - # - "--credentials-file=/token" + + # The credentials file is required for the proxy to authenticate using a service account key file. 
+ - "--credentials-file=/secrets/" # Enter the key which was used while creating the secret securityContext: # The default Cloud SQL Auth Proxy image runs as the # "nonroot" user and group (uid: 65532) by default. runAsNonRoot: true + restartPolicy: Always # You should use resource requests/limits as a best practice to prevent # pods from consuming too many resources and affecting the execution of # other pods. You should adjust the following values based on what your # application needs. For details, see # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - restartPolicy: Always resources: requests: # The proxy's memory use scales linearly with the number of active @@ -165,20 +176,22 @@ dashboardhost: # The proxy's CPU use scales linearly with the amount of IO between # the database and the application. Adjust this value based on your # application's requirements. - cpu: "0.5" + cpu: "1" - ## Volumes that can be used in extra containers + ## Extra volumes that can be used in extrContainers extraContainerVolumes: + # This volume is required for the proxy to authenticate with cloudSQL using a service account key file. - name: # Enter the volume name where the token is to be mounted projected: sources: - serviceAccountToken: - audience: # Enter the audience for the projected service account token + audience: # Enter the audience name for the projected service account token expirationSeconds: 3600 path: token + # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: # Enter the volume name where config.json is to be mounted secret: - secretName: # Enter the secret name where config.json going to be added. + secretName: # Enter the secret name where config.json going to be added. connectionInfo: ## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost. 
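Review bot: In the `@@ -118,44 +127,46 @@` hunk (which begins on the previous line), `restartPolicy: Always` is moved to sit immediately after `runAsNonRoot: true`; with the whitespace collapsed it cannot be confirmed here that it lands at container level rather than inside `securityContext:`, so please check the indentation of the rendered `extraContainers` string. Independently, a container-level `restartPolicy` is only accepted on init containers (the native-sidecar feature), and as far as this file shows Grafana's `extraContainers` are regular containers, in which case the API server rejects the pod; the earlier hunk already dropped the `--admin-port`/`--quitquitquit` pair on the assumption of a 1.29+ native sidecar, so the two assumptions should be reconciled and the outcome stated in a comment next to `restartPolicy`.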
@@ -186,7 +199,7 @@ dashboardhost: host: "localhost" ## @param database.connectionInfo.port PostgreSQL port ## - port: + port: "5432" ## @param database.connectionInfo.dbName PostgreSQL database name ## dbName: @@ -226,29 +239,36 @@ dynamicformfields: - name: cloud-sql-auth-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 volumeMounts: + # This volume mount is required for the proxy to authenticate with cloudSQL using a service account key file. - name: # Enter the volume name where the token is mounted - readOnly: true mountPath: # Enter the path where the token is mounted + readOnly: true + # This volume mount is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: # Enter the volume name where config.json is mounted mountPath: /secrets/ readOnly: true env: - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: /secrets/service_account.json + value: /secrets/ # Enter the key which was used while creating the secret args: # If connecting from a VPC-native GKE cluster, you can use the # following flag to have the proxy connect over private IP - "--private-ip" + + # If you are not connecting with Automatic IAM, you can delete the following flag. - "--auto-iam-authn" # Enable structured logging with LogEntry format: - "--structured-logs" + + # Ensures the proxy exits gracefully with a 0 exit code when it receives a SIGTERM signal - "--exit-zero-on-sigterm" - # Replace DB_PORT with the port the proxy should listen on - "--port=5432" - "" # Enter the connection name from the CloudSQL instance - # - "--credentials-file=/token" + + # The credentials file is required for the proxy to authenticate using a service account key file. + - "--credentials-file=/secrets/" # Enter the key which was used while creating the secret securityContext: # The default Cloud SQL Auth Proxy image runs as the # "nonroot" user and group (uid: 65532) by default. 
@@ -270,15 +290,17 @@ dynamicformfields: # application's requirements. cpu: "1" - ## Volumes that can be used in extra containers + ## Extra volumes that can be used in sidecars extraVolumes: + # This volume is required for the proxy to authenticate with cloudSQL using a service account key file. - name: # Enter the volume name where the token is to be mounted projected: sources: - serviceAccountToken: - audience: # Enter the audience for the projected service account token + audience: # Enter the audience name for the projected service account token expirationSeconds: 3600 path: token + # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: # Enter the volume name where config.json is to be mounted secret: secretName: # Enter the secret name where config.json going to be added. @@ -289,7 +311,7 @@ dynamicformfields: host: "localhost" ## @param database.connectionInfo.port PostgreSQL port ## - port: + port: "5432" ## @param database.connectionInfo.dbName PostgreSQL database name ## dbName: From fe4c31f768e41d1a6fbed1158b0c81c7065453cf Mon Sep 17 00:00:00 2001 From: Priyadarshini Piramanayagam Date: Mon, 16 Dec 2024 18:51:53 +0530 Subject: [PATCH 05/10] resolve comments --- .../GCP/gcp-supplemental-values.yaml | 127 ++++++++++-------- .../openshift_supplemental_values.yaml | 2 + 2 files changed, 70 insertions(+), 59 deletions(-) rename getting-started/templates/{GCP/Openshift => OpenShift}/openshift_supplemental_values.yaml (87%) diff --git a/getting-started/templates/GCP/gcp-supplemental-values.yaml b/getting-started/templates/GCP/gcp-supplemental-values.yaml index 72833ab8..3c2bd0bc 100644 --- a/getting-started/templates/GCP/gcp-supplemental-values.yaml +++ b/getting-started/templates/GCP/gcp-supplemental-values.yaml 
@@ -2,29 +2,29 @@ global: ingress: api: annotations: - kubernetes.io/ingress.class: # Enter the ingress class used + kubernetes.io/ingress.class: # - Enter the ingress class used ui: annotations: - kubernetes.io/ingress.class: # Enter the ingress class used + kubernetes.io/ingress.class: # - Enter the ingress class used testmonitorservice: - ## Configuring sidecars for the Test Monitor Service + ## Cloud SQL auth proxy sidecar container to authenticate to Cloud SQL Postgres database ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern sidecars: - name: cloud-sql-auth-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 volumeMounts: # This volume mount is required for the proxy to authenticate with cloudSQL using a service account key file. - - name: # Enter the volume name where the token is mounted - mountPath: # Enter the path where the token is mounted + - name: # - Enter the volume name where the token is mounted + mountPath: # - Enter the path where the token is mounted readOnly: true # This volume mount is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - - name: # Enter the volume name where config.json is mounted + - name: # - Enter the volume name where config.json is mounted mountPath: /secrets/ readOnly: true env: - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: /secrets/ # Enter the key which was used while creating the secret + value: /secrets/ # - - Enter the key which was used while creating the secret args: # If connecting from a VPC-native GKE cluster, you can use the # following flag to have the proxy connect over private IP 
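Review bot: The `GOOGLE_APPLICATION_CREDENTIALS` value line in `@@ -2,29 +2,29 @@` gets a doubled marker, `# - - Enter the key which was used while creating the secret`, while every other placeholder in the hunk uses a single `# - `; the stray marker is still present in the later patch's `@@ -23,6 +23,7 @@` context. Change it to `value: /secrets/ # - Enter the key which was used while creating the secret`. Since `# -` is now the file's convention for operator-supplied values, a one-line legend at the top of the file, `## Lines marked '# -' must be filled in before installing`, would make the convention discoverable.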
@@ -40,10 +40,10 @@ testmonitorservice: - "--exit-zero-on-sigterm" - "--port=5432" - - "" # Enter the connection name from the CloudSQL instance + - "" # - Enter the connection name from the CloudSQL instance # The credentials file is required for the proxy to authenticate using a service account key file. - - "--credentials-file=/secrets/" # Enter the key which was used while creating the secret + - "--credentials-file=/secrets/" # - Enter the key which was used while creating the secret securityContext: # The default Cloud SQL Auth Proxy image runs as the # "nonroot" user and group (uid: 65532) by default. @@ -68,17 +68,17 @@ testmonitorservice: ## Extra volumes that can be used in sidecars extraVolumes: # This volume is required for the proxy to authenticate with cloudSQL using a service account key file. - - name: # Enter the volume name where the token is to be mounted + - name: # - Enter the volume name where the token is to be mounted projected: sources: - serviceAccountToken: - audience: # Enter the audience name for the projected service account token + audience: # - Enter the audience name for the projected service account token expirationSeconds: 3600 path: token # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - - name: # Enter the volume name where config.json is to be mounted + - name: # - Enter the volume name where config.json is to be mounted secret: - secretName: # Enter the secret name where config.json going to be added. + secretName: # - Enter the secret name where config.json is added. connectionInfo: ## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost. 
@@ -89,14 +89,13 @@ testmonitorservice: port: "5432" ## @param database.connectionInfo.dbName PostgreSQL database name ## - dbName: + dbName: # - Enter the PostgreSQL database name for testmonitor service ## @param database.connectionInfo.user PostgreSQL username used by the service ## - user: - ## @param database.connectionInfo.secretName The name of an existing secret with - ## PostgreSQL connection credentials + user: # - Enter the PostgreSQL username for the testmonitor service + ## @param database.connectionInfo.secretName The name of an existing secret with PostgreSQL connection credentials ## - secretName: + secretName: # - Enter the secret name for the testmonitor service with PostgreSQL connection credentials ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. ## @@ -105,14 +104,14 @@ testmonitorservice: ## If unset database.connectionInfo.passwordKey is used instead. ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. ## - migrationPasswordKey: null + # migrationPasswordKey: null serviceAccount: ## @param serviceAccount.annotations Annotations to add to the service account ## annotations: { - iam.gke.io/gcp-service-account=YOUR-GSA-NAME@YOUR-GOOGLE-CLOUD-PROJECT.iam.gserviceaccount.com, + iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the CloudSQL service account name and the Google Cloud Project name } ## @param serviceAccount.name The name of the service account to use. ## If not set and create is true, a name is generated using the fullname template 
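Review bot: In `@@ -105,14 +104,14 @@`, the service-account annotation is written as a bare flow-mapping entry, `iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com,`, which YAML parses as a key with a `null` value (there is no `: `), so the Workload Identity binding between the KSA and the GSA would not be applied; the resulting key also contains `=` and `@`, which are not valid annotation-key characters. Unless the chart post-processes this string, it should be a proper key/value pair in block style, e.g. `annotations:` followed by `  iam.gke.io/gcp-service-account: "<GSA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com" # - Enter the Cloud SQL service account and project`. The `=` form pre-dates this commit, but the line is rewritten here and repeated for dashboardhost in `@@ -218,14 +217,14 @@` and dynamicformfields in `@@ -330,33 +329,43 @@`.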
@@ -121,23 +120,23 @@ testmonitorservice: dashboardhost: grafana: - ## Configuring extraContainers for the Dashboardhost service + ## Configuring Cloud SQL auth proxy extra container to authenticate to Cloud SQL Postgres database ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern extraContainers: | - name: cloud-sql-auth-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 volumeMounts: # This volume mount is required for the proxy to authenticate with cloudSQL using a service account key file. - - name: # Enter the volume name where the token is mounted - mountPath: # Enter the path where the token is mounted + - name: # - Enter the volume name where the token is mounted + mountPath: # - Enter the path where the token is mounted readOnly: true # This volume mount is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - - name: # Enter the volume name where config.json is mounted + - name: # - Enter the volume name where config.json is mounted mountPath: /secrets/ readOnly: true env: - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: /secrets/ # Enter the key which was used while creating the secret + value: /secrets/ # - Enter the key which was used while creating the secret args: # If connecting from a VPC-native GKE cluster, you can use the # following flag to have the proxy connect over private IP 
@@ -153,10 +152,10 @@ dashboardhost: - "--exit-zero-on-sigterm" - "--port=5432" - - "" # Enter the connection name from the CloudSQL instance + - "" # - Enter the connection name from the CloudSQL instance # The credentials file is required for the proxy to authenticate using a service account key file. - - "--credentials-file=/secrets/" # Enter the key which was used while creating the secret + - "--credentials-file=/secrets/" # - Enter the key which was used while creating the secret securityContext: # The default Cloud SQL Auth Proxy image runs as the # "nonroot" user and group (uid: 65532) by default. @@ -181,17 +180,17 @@ dashboardhost: ## Extra volumes that can be used in extrContainers extraContainerVolumes: # This volume is required for the proxy to authenticate with cloudSQL using a service account key file. - - name: # Enter the volume name where the token is to be mounted + - name: # - Enter the volume name where the token is to be mounted projected: sources: - serviceAccountToken: - audience: # Enter the audience name for the projected service account token + audience: # - Enter the audience name for the projected service account token expirationSeconds: 3600 path: token # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - - name: # Enter the volume name where config.json is to be mounted + - name: # - Enter the volume name where config.json is to be mounted secret: - secretName: # Enter the secret name where config.json going to be added. + secretName: # - Enter the secret name where config.json is added. connectionInfo: ## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost. 
@@ -202,14 +201,14 @@ dashboardhost: port: "5432" ## @param database.connectionInfo.dbName PostgreSQL database name ## - dbName: + dbName: # - Enter the PostgreSQL database name for testmonitor service ## @param database.connectionInfo.user PostgreSQL username used by the service ## - user: + user: # - Enter the PostgreSQL username for the testmonitor service ## @param database.connectionInfo.secretName The name of an existing secret with ## PostgreSQL connection credentials ## - secretName: + secretName: # - Enter the secret name for the testmonitor service with PostgreSQL connection credentials ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. ## @@ -218,14 +217,14 @@ dashboardhost: ## If unset database.connectionInfo.passwordKey is used instead. ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. ## - migrationPasswordKey: null + # migrationPasswordKey: null serviceAccount: ## @param serviceAccount.annotations Annotations to add to the service account ## annotations: { - iam.gke.io/gcp-service-account=YOUR-GSA-NAME@YOUR-GOOGLE-CLOUD-PROJECT.iam.gserviceaccount.com, + iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the CloudSQL service account name and the Google Cloud Project name } ## @param serviceAccount.name The name of the service account to use. ## If not set and create is true, a name is generated using the fullname template 
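Review bot: The placeholder comments added in `@@ -202,14 +201,14 @@` under `dashboardhost` still read "for testmonitor service" on `dbName`, `user` and `secretName`, a copy-paste from the testmonitorservice block; an operator following them could point Grafana at another service's database or credentials secret. Change them to name this service, e.g. `dbName: # - Enter the PostgreSQL database name for the dashboardhost service`, and likewise for `user` and `secretName`. The dynamicformfields block in `@@ -314,14 +313,14 @@` carries the same three comments.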
@@ -233,23 +232,23 @@ dashboardhost: name: "" dynamicformfields: - ## Configuring sidecars for the Dynamic Form Fields Service + ## Configuring Cloud SQL auth proxy sidecar container to authenticate to Cloud SQL Postgres database ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern sidecars: - name: cloud-sql-auth-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 volumeMounts: # This volume mount is required for the proxy to authenticate with cloudSQL using a service account key file. - - name: # Enter the volume name where the token is mounted - mountPath: # Enter the path where the token is mounted + - name: # - Enter the volume name where the token is mounted + mountPath: # - Enter the path where the token is mounted readOnly: true # This volume mount is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - - name: # Enter the volume name where config.json is mounted + - name: # - Enter the volume name where config.json is mounted mountPath: /secrets/ readOnly: true env: - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: /secrets/ # Enter the key which was used while creating the secret + value: /secrets/ # - Enter the key which was used while creating the secret args: # If connecting from a VPC-native GKE cluster, you can use the # following flag to have the proxy connect over private IP 
@@ -265,10 +264,10 @@ dynamicformfields: - "--exit-zero-on-sigterm" - "--port=5432" - - "" # Enter the connection name from the CloudSQL instance + - "" # - Enter the connection name from the CloudSQL instance # The credentials file is required for the proxy to authenticate using a service account key file. - - "--credentials-file=/secrets/" # Enter the key which was used while creating the secret + - "--credentials-file=/secrets/" # - Enter the key which was used while creating the secret securityContext: # The default Cloud SQL Auth Proxy image runs as the # "nonroot" user and group (uid: 65532) by default. @@ -293,20 +292,20 @@ dynamicformfields: ## Extra volumes that can be used in sidecars extraVolumes: # This volume is required for the proxy to authenticate with cloudSQL using a service account key file. - - name: # Enter the volume name where the token is to be mounted + - name: # - Enter the volume name where the token is to be mounted projected: sources: - serviceAccountToken: - audience: # Enter the audience name for the projected service account token + audience: # - Enter the audience name for the projected service account token expirationSeconds: 3600 path: token # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - - name: # Enter the volume name where config.json is to be mounted + - name: # - Enter the volume name where config.json is to be mounted secret: - secretName: # Enter the secret name where config.json going to be added. + secretName: # - Enter the secret name where config.json is added. connectionInfo: - ## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost + ## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost. ## host: "localhost" ## @param database.connectionInfo.port PostgreSQL port 
@@ -314,14 +313,14 @@ dynamicformfields: port: "5432" ## @param database.connectionInfo.dbName PostgreSQL database name ## - dbName: + dbName: # - Enter the PostgreSQL database name for testmonitor service ## @param database.connectionInfo.user PostgreSQL username used by the service ## - user: + user: # - Enter the PostgreSQL username for the testmonitor service ## @param database.connectionInfo.secretName The name of an existing secret with ## PostgreSQL connection credentials ## - secretName: + secretName: # - Enter the secret name for the testmonitor service with PostgreSQL connection credentials ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. ## 
@@ -330,33 +329,43 @@ dynamicformfields: ## If unset database.connectionInfo.passwordKey is used instead. ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. ## - migrationPasswordKey: null + # migrationPasswordKey: null serviceAccount: ## @param serviceAccount.annotations Annotations to add to the service account ## annotations: { - iam.gke.io/gcp-service-account=YOUR-GSA-NAME@YOUR-GOOGLE-CLOUD-PROJECT.iam.gserviceaccount.com, + iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the CloudSQL service account name and the Google Cloud Project name } ## @param serviceAccount.name The name of the service account to use. ## If not set and create is true, a name is generated using the fullname template ## name: "" +dataframeservice: + s3: + port: 443 + bucket: # - Enter the name of the GCS bucket for dataframe service + scheme: "https://" + host: "storage.googleapis.com" + region: "us-east1" + fileingestion: s3: port: 443 - bucket: # Enter the name of the GCS bucket for fileingestion service + bucket: # - Enter the name of the GCS bucket for fileingestion service scheme: "https://" host: "storage.googleapis.com" + region: "us-east1" feedservice: s3: port: 443 - bucket: # Enter the name of the GCS bucket for feedservice service + bucket: # - Enter the name of the GCS bucket for feedservice service scheme: "https://" host: "storage.googleapis.com" + region: "us-east1" saltmaster: serviceTCP: @@ -364,13 +373,13 @@ saltmaster: nbexecservice: argo: - ## Configure S3/MinIO access. + ## Configure GCS access. ## artifactRepository: s3: - bucket: # Enter the name of the GCS bucket for nbexecservice service port: 443 - region: "us-east1" - insecure: false + bucket: # - Enter the name of the GCS bucket for nbexecservice service scheme: "https://" host: "storage.googleapis.com" + region: "us-east1" + insecure: false 
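Review bot: The service-account annotation on the new side is still written with `=` inside the flow mapping, `iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com,`, so a YAML parser reads it as one key with a null value rather than the key/value pair the GKE Workload Identity webhook looks for, and the Google service-account binding silently does not take effect. The entry should use a colon and a quoted value, e.g. `iam.gke.io/gcp-service-account: "GSA-NAME@PROJECT-ID.iam.gserviceaccount.com"`, and the placeholder comment should say the value is the full e-mail of the GSA. The same `=` form is repeated in the dashboardhost and dynamicformfields serviceAccount blocks of this file, so the fix applies in all three places.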
diff --git a/getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml b/getting-started/templates/OpenShift/openshift_supplemental_values.yaml similarity index 87% rename from getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml rename to getting-started/templates/OpenShift/openshift_supplemental_values.yaml index 50182f2a..4cb81d8c 100644 --- a/getting-started/templates/GCP/Openshift/openshift_supplemental_values.yaml +++ b/getting-started/templates/OpenShift/openshift_supplemental_values.yaml @@ -1,5 +1,7 @@ ## Openshift prohibits running the pods as a root user. The redis and rabbitmq pods should be run as non-root users. ## Disabling 'adaptSecurityContext' will restrict openshift from adapting security context values for the mentioned pods. +## Github issue - https://github.com/bitnami/charts/issues/24251 + rabbitmq: global: compatibility: From c72245757b475c39d2f56e76356431082ae3fd6f Mon Sep 17 00:00:00 2001 From: Priyadarshini Piramanayagam Date: Tue, 17 Dec 2024 13:59:34 +0530 Subject: [PATCH 06/10] add comments --- .../templates/GCP/gcp-supplemental-values.yaml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/getting-started/templates/GCP/gcp-supplemental-values.yaml b/getting-started/templates/GCP/gcp-supplemental-values.yaml index 3c2bd0bc..4ac1aaae 100644 --- a/getting-started/templates/GCP/gcp-supplemental-values.yaml +++ b/getting-started/templates/GCP/gcp-supplemental-values.yaml @@ -23,6 +23,7 @@ testmonitorservice: mountPath: /secrets/ readOnly: true env: + # This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: "GOOGLE_APPLICATION_CREDENTIALS" value: /secrets/ # - - Enter the key which was used while creating the secret args: 
@@ -67,7 +68,7 @@ testmonitorservice: ## Extra volumes that can be used in sidecars extraVolumes: - # This volume is required for the proxy to authenticate with cloudSQL using a service account key file. + # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: # - Enter the volume name where the token is to be mounted projected: sources: @@ -75,7 +76,7 @@ testmonitorservice: audience: # - Enter the audience name for the projected service account token expirationSeconds: 3600 path: token - # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. + # This volume is required for the proxy to authenticate with cloudSQL using a service account key file. - name: # - Enter the volume name where config.json is to be mounted secret: secretName: # - Enter the secret name where config.json is added. @@ -122,6 +123,7 @@ dashboardhost: grafana: ## Configuring Cloud SQL auth proxy extra container to authenticate to Cloud SQL Postgres database ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern + ## A reverse proxy server should be added to the extraContainers for grafana to authenticate users. extraContainers: | - name: cloud-sql-auth-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 @@ -135,6 +137,7 @@ dashboardhost: mountPath: /secrets/ readOnly: true env: + # This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: "GOOGLE_APPLICATION_CREDENTIALS" value: /secrets/ # - Enter the key which was used while creating the secret args: 
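Review bot: The new comment `## A reverse proxy server should be added to the extraContainers for grafana to authenticate users.` reads as an unfinished TODO rather than guidance: it does not say which mechanism is meant (presumably Grafana's auth.proxy header-based mode, but that is an inference) nor what the operator must actually configure. Either state the concrete requirement, for example `## If users are authenticated by an auth proxy, add that proxy as a further container here and enable grafana.ini [auth.proxy]; see https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/`, or drop the line until the design is settled. Note that `extraContainers: |` is a block scalar, so anything added there is rendered as text by the chart and not validated by the YAML parser at values time.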
@@ -179,7 +182,7 @@ dashboardhost: ## Extra volumes that can be used in extrContainers extraContainerVolumes: - # This volume is required for the proxy to authenticate with cloudSQL using a service account key file. + # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: # - Enter the volume name where the token is to be mounted projected: sources: @@ -187,7 +190,7 @@ dashboardhost: audience: # - Enter the audience name for the projected service account token expirationSeconds: 3600 path: token - # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. + # This volume is required for the proxy to authenticate with cloudSQL using a service account key file. - name: # - Enter the volume name where config.json is to be mounted secret: secretName: # - Enter the secret name where config.json is added. @@ -247,6 +250,7 @@ dynamicformfields: mountPath: /secrets/ readOnly: true env: + # This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: "GOOGLE_APPLICATION_CREDENTIALS" value: /secrets/ # - Enter the key which was used while creating the secret args: @@ -291,7 +295,7 @@ dynamicformfields: ## Extra volumes that can be used in sidecars extraVolumes: - # This volume is required for the proxy to authenticate with cloudSQL using a service account key file. + # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: # - Enter the volume name where the token is to be mounted projected: sources: 
@@ -299,7 +303,7 @@ dynamicformfields: audience: # - Enter the audience name for the projected service account token expirationSeconds: 3600 path: token - # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. + # This volume is required for the proxy to authenticate with cloudSQL using a service account key file. - name: # - Enter the volume name where config.json is to be mounted secret: secretName: # - Enter the secret name where config.json is added. From 0b9df67781457d4bab8651571bcd80052ad5a1d2 Mon Sep 17 00:00:00 2001 From: Priyadarshini Piramanayagam Date: Tue, 17 Dec 2024 15:27:04 +0530 Subject: [PATCH 07/10] fix comments and remove dfs --- .../GCP/gcp-supplemental-values.yaml | 20 ++++++------------- .../openshift_supplemental_values.yaml | 2 +- 2 files changed, 7 insertions(+), 15 deletions(-) diff --git a/getting-started/templates/GCP/gcp-supplemental-values.yaml b/getting-started/templates/GCP/gcp-supplemental-values.yaml index 4ac1aaae..03bc7aa5 100644 --- a/getting-started/templates/GCP/gcp-supplemental-values.yaml +++ b/getting-started/templates/GCP/gcp-supplemental-values.yaml @@ -96,7 +96,7 @@ testmonitorservice: user: # - Enter the PostgreSQL username for the testmonitor service ## @param database.connectionInfo.secretName The name of an existing secret with PostgreSQL connection credentials ## - secretName: # - Enter the secret name for the testmonitor service with PostgreSQL connection credentials + secretName: # - Enter the secret name that contains the testmonitor service's Postgres SQL database connection credentials ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. ## 
@@ -112,7 +112,7 @@ testmonitorservice: ## annotations: { - iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the CloudSQL service account name and the Google Cloud Project name + iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project name } ## @param serviceAccount.name The name of the service account to use. ## If not set and create is true, a name is generated using the fullname template @@ -211,7 +211,7 @@ dashboardhost: ## @param database.connectionInfo.secretName The name of an existing secret with ## PostgreSQL connection credentials ## - secretName: # - Enter the secret name for the testmonitor service with PostgreSQL connection credentials + secretName: # - Enter the secret name that contains the testmonitor service's Postgres SQL database connection credentials ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. ## @@ -227,7 +227,7 @@ dashboardhost: ## annotations: { - iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the CloudSQL service account name and the Google Cloud Project name + iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project name } ## @param serviceAccount.name The name of the service account to use. ## If not set and create is true, a name is generated using the fullname template 
@@ -324,7 +324,7 @@ dynamicformfields: ## @param database.connectionInfo.secretName The name of an existing secret with ## PostgreSQL connection credentials ## - secretName: # - Enter the secret name for the testmonitor service with PostgreSQL connection credentials + secretName: # - Enter the secret name that contains the testmonitor service's Postgres SQL database connection credentials ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. ## @@ -340,21 +340,13 @@ dynamicformfields: ## annotations: { - iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the CloudSQL service account name and the Google Cloud Project name + iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project name } ## @param serviceAccount.name The name of the service account to use. ## If not set and create is true, a name is generated using the fullname template ## name: "" -dataframeservice: - s3: - port: 443 - bucket: # - Enter the name of the GCS bucket for dataframe service - scheme: "https://" - host: "storage.googleapis.com" - region: "us-east1" - fileingestion: s3: port: 443 diff --git a/getting-started/templates/OpenShift/openshift_supplemental_values.yaml b/getting-started/templates/OpenShift/openshift_supplemental_values.yaml index 4cb81d8c..80aa17dd 100644 --- a/getting-started/templates/OpenShift/openshift_supplemental_values.yaml +++ b/getting-started/templates/OpenShift/openshift_supplemental_values.yaml 
@@ -1,6 +1,6 @@ ## Openshift prohibits running the pods as a root user. The redis and rabbitmq pods should be run as non-root users. ## Disabling 'adaptSecurityContext' will restrict openshift from adapting security context values for the mentioned pods. -## Github issue - https://github.com/bitnami/charts/issues/24251 +## ref: https://github.com/bitnami/charts/issues/24251#:~:text=Perform%20automatic%20adaptation%20of%20securityContext%20sections%20in%20Openshift rabbitmq: global: From 228753ea280f959021f73f0b2a89efdcfac81374 Mon Sep 17 00:00:00 2001 From: Priyadarshini Piramanayagam Date: Wed, 18 Dec 2024 19:36:29 +0530 Subject: [PATCH 08/10] fix comments --- .../GCP/gcp-supplemental-values.yaml | 79 ++++++++++--------- 1 file changed, 43 insertions(+), 36 deletions(-) diff --git a/getting-started/templates/GCP/gcp-supplemental-values.yaml b/getting-started/templates/GCP/gcp-supplemental-values.yaml index 03bc7aa5..6d583506 100644 --- a/getting-started/templates/GCP/gcp-supplemental-values.yaml +++ b/getting-started/templates/GCP/gcp-supplemental-values.yaml 
@@ -14,18 +14,18 @@ testmonitorservice: - name: cloud-sql-auth-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 volumeMounts: - # This volume mount is required for the proxy to authenticate with cloudSQL using a service account key file. - - name: # - Enter the volume name where the token is mounted - mountPath: # - Enter the path where the token is mounted + # This volume mount is required for the proxy to authenticate with cloudSQL using Workload Identity Federation config file. + - name: # - Enter the volume name where the token is available + mountPath: # - Enter the path where the token should be mounted readOnly: true - # This volume mount is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - - name: # - Enter the volume name where config.json is mounted + # This volume mount is required for the proxy to authenticate with cloudSQL using service account key file or Workload Identity Federation. + - name: # - Enter the volume name where config.json is available mountPath: /secrets/ readOnly: true env: # This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: /secrets/ # - - Enter the key which was used while creating the secret + value: /secrets/ # - Enter the file name which was used as the key while creating the secret args: # If connecting from a VPC-native GKE cluster, you can use the # following flag to have the proxy connect over private IP 
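Review bot: The token mount placeholder `mountPath: # - Enter the path where the token should be mounted` is presented as a free choice, but for Workload Identity Federation the external-account config.json mounted under `/secrets/` must reference that exact path in its `credential_source.file`; if the two disagree the proxy fails to exchange the projected token at runtime, with no error at template time. I would extend the comment on that line: `# - Must match credential_source.file in config.json`. The env comment says `GOOGLE_APPLICATION_CREDENTIALS` is required for WIF while the args below still carry `--credentials-file`; it is worth stating that only one of the two should be set so the two credential sources cannot drift apart. The same volumeMounts/env block is duplicated for dashboardhost and dynamicformfields later in this patch, so the clarification applies there too.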
@@ -44,7 +44,8 @@ testmonitorservice: - "" # - Enter the connection name from the CloudSQL instance # The credentials file is required for the proxy to authenticate using a service account key file. - - "--credentials-file=/secrets/" # - Enter the key which was used while creating the secret + # Not required if Workload Identity federation is used for authentication. + - "--credentials-file=/secrets/" # - Enter the file name which was used as the key while creating the secret securityContext: # The default Cloud SQL Auth Proxy image runs as the # "nonroot" user and group (uid: 65532) by default. @@ -69,7 +70,7 @@ testmonitorservice: ## Extra volumes that can be used in sidecars extraVolumes: # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - - name: # - Enter the volume name where the token is to be mounted + - name: # - Enter the volume name projected: sources: - serviceAccountToken: @@ -112,10 +113,10 @@ testmonitorservice: ## annotations: { - iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project name + iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project Id } ## @param serviceAccount.name The name of the service account to use. - ## If not set and create is true, a name is generated using the fullname template + ## If not set, a name is generated based on the service name ## name: "" 
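Review bot: The new comment `# Not required if Workload Identity federation is used for authentication.` is placed above `--credentials-file=/secrets/`, but the argument itself remains active, so an operator on the WIF path who leaves the placeholder blank still passes `--credentials-file=/secrets/` (a directory, not a file) to the proxy and it fails at startup. Comment the argument out by default and make the key-file path opt in: `# - "--credentials-file=/secrets/" # - Uncomment and enter the secret key (file name) only when using a service account key file`. The same active argument appears in the dashboardhost and dynamicformfields sidecars touched by this patch.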
@@ -128,18 +129,18 @@ dashboardhost: - name: cloud-sql-auth-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 volumeMounts: - # This volume mount is required for the proxy to authenticate with cloudSQL using a service account key file. - - name: # - Enter the volume name where the token is mounted - mountPath: # - Enter the path where the token is mounted + # This volume mount is required for the proxy to authenticate with cloudSQL using Workload Identity Federation config file. + - name: # - Enter the volume name where the token is available + mountPath: # - Enter the path where the token should be mounted readOnly: true - # This volume mount is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - - name: # - Enter the volume name where config.json is mounted + # This volume mount is required for the proxy to authenticate with cloudSQL using service account key file or Workload Identity Federation. + - name: # - Enter the volume name where config.json is available mountPath: /secrets/ readOnly: true env: # This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: /secrets/ # - Enter the key which was used while creating the secret + value: /secrets/ # - Enter the file name which was used as the key while creating the secret args: # If connecting from a VPC-native GKE cluster, you can use the # following flag to have the proxy connect over private IP 
@@ -158,7 +159,8 @@ dashboardhost: - "" # - Enter the connection name from the CloudSQL instance # The credentials file is required for the proxy to authenticate using a service account key file. - - "--credentials-file=/secrets/" # - Enter the key which was used while creating the secret + # Not required if Workload Identity federation is used for authentication. + - "--credentials-file=/secrets/" # - Enter the file name which was used as the key while creating the secret securityContext: # The default Cloud SQL Auth Proxy image runs as the # "nonroot" user and group (uid: 65532) by default. @@ -183,7 +185,7 @@ dashboardhost: ## Extra volumes that can be used in extrContainers extraContainerVolumes: # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - - name: # - Enter the volume name where the token is to be mounted + - name: # - Enter the volume name projected: sources: - serviceAccountToken: @@ -227,10 +229,10 @@ dashboardhost: ## annotations: { - iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project name + iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project Id } ## @param serviceAccount.name The name of the service account to use. - ## If not set and create is true, a name is generated using the fullname template + ## If not set, a name is generated based on the service name ## name: "" 
@@ -241,18 +243,18 @@ dynamicformfields: - name: cloud-sql-auth-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0 volumeMounts: - # This volume mount is required for the proxy to authenticate with cloudSQL using a service account key file. - - name: # - Enter the volume name where the token is mounted - mountPath: # - Enter the path where the token is mounted + # This volume mount is required for the proxy to authenticate with cloudSQL using Workload Identity Federation config file. + - name: # - Enter the volume name where the token is available + mountPath: # - Enter the path where the token should be mounted readOnly: true - # This volume mount is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - - name: # - Enter the volume name where config.json is mounted + # This volume mount is required for the proxy to authenticate with cloudSQL using service account key file or Workload Identity Federation. + - name: # - Enter the volume name where config.json is available mountPath: /secrets/ readOnly: true env: # This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - name: "GOOGLE_APPLICATION_CREDENTIALS" - value: /secrets/ # - Enter the key which was used while creating the secret + value: /secrets/ # - Enter the file name which was used as the key while creating the secret args: # If connecting from a VPC-native GKE cluster, you can use the # following flag to have the proxy connect over private IP 
@@ -271,7 +273,8 @@ dynamicformfields: - "" # - Enter the connection name from the CloudSQL instance # The credentials file is required for the proxy to authenticate using a service account key file. - - "--credentials-file=/secrets/" # - Enter the key which was used while creating the secret + # Not required if Workload Identity federation is used for authentication. + - "--credentials-file=/secrets/" # - Enter the file name which was used as the key while creating the secret securityContext: # The default Cloud SQL Auth Proxy image runs as the # "nonroot" user and group (uid: 65532) by default. @@ -296,7 +299,7 @@ dynamicformfields: ## Extra volumes that can be used in sidecars extraVolumes: # This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation. - - name: # - Enter the volume name where the token is to be mounted + - name: # - Enter the volume name projected: sources: - serviceAccountToken: @@ -340,10 +343,10 @@ dynamicformfields: ## annotations: { - iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project name + iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project Id } ## @param serviceAccount.name The name of the service account to use. - ## If not set and create is true, a name is generated using the fullname template + ## If not set, a name is generated based on the service name ## name: "" @@ -353,7 +356,7 @@ fileingestion: bucket: # - Enter the name of the GCS bucket for fileingestion service scheme: "https://" host: "storage.googleapis.com" - region: "us-east1" + region: # - Enter the region where the GCS bucket is located feedservice: s3: 
@@ -361,21 +364,25 @@ feedservice: bucket: # - Enter the name of the GCS bucket for feedservice service scheme: "https://" host: "storage.googleapis.com" - region: "us-east1" + region: # - Enter the region where the GCS bucket is located saltmaster: serviceTCP: type: LoadBalancer nbexecservice: + s3: + port: 443 + bucket: # - Enter the name of the GCS bucket for nbexecservice service + scheme: "https://" + host: "storage.googleapis.com" + region: # - Enter the region where the GCS bucket is located argo: - ## Configure GCS access. - ## artifactRepository: s3: port: 443 - bucket: # - Enter the name of the GCS bucket for nbexecservice service + bucket: # - Enter the name of the GCS bucket for artifact repository scheme: "https://" host: "storage.googleapis.com" - region: "us-east1" + region: # - Enter the region where the GCS bucket is located insecure: false From bdb62adabec8e84d49d64e1a26bea04cd8579b52 Mon Sep 17 00:00:00 2001 From: Priyadarshini Piramanayagam Date: Wed, 18 Dec 2024 20:32:44 +0530 Subject: [PATCH 09/10] change database config for grafana --- .../GCP/gcp-supplemental-values.yaml | 55 ++++++++----------- 1 file changed, 24 insertions(+), 31 deletions(-) diff --git a/getting-started/templates/GCP/gcp-supplemental-values.yaml b/getting-started/templates/GCP/gcp-supplemental-values.yaml index 6d583506..a5691bac 100644 --- a/getting-started/templates/GCP/gcp-supplemental-values.yaml +++ b/getting-started/templates/GCP/gcp-supplemental-values.yaml 
@@ -197,33 +197,35 @@ dashboardhost: secret: secretName: # - Enter the secret name where config.json is added. - connectionInfo: - ## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost. - ## - host: "localhost" - ## @param database.connectionInfo.port PostgreSQL port - ## - port: "5432" - ## @param database.connectionInfo.dbName PostgreSQL database name + ## Database configuration. See here for more documentation: https://grafana.com/docs/grafana/latest/administration/configuration/#database + # - This configures a connection to an external PostgresSQL. Remove this section if not using an external database. + ## + database: + ## Either mysql, postgres or sqlite3. ## - dbName: # - Enter the PostgreSQL database name for testmonitor service - ## @param database.connectionInfo.user PostgreSQL username used by the service + type: "postgres" + ## The database user (not applicable for sqlite3). ## - user: # - Enter the PostgreSQL username for the testmonitor service - ## @param database.connectionInfo.secretName The name of an existing secret with - ## PostgreSQL connection credentials + user: # - Enter the PostgreSQL username for the dashboardhost database + ## The database user’s password (not applicable for sqlite3). If the password contains # or ; you have to wrap it with triple quotes. For example """#password;""". ## - secretName: # - Enter the secret name that contains the testmonitor service's Postgres SQL database connection credentials - ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret - ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. + password: # - Enter the PostgreSQL password for the dashboardhost database + ## Only applicable to MySQL or Postgres. Includes IP or host name and port or in case of Unix sockets the path to it. 
+ ## For example, for MySQL running on the same host as Grafana: host = 127.0.0.1:3306 or with Unix sockets: host = /var/run/mysqld/mysqld.sock. ## - # passwordKey: "passkey" - ## @param database.connectionInfo.migrationPasswordKey Password key for database.connectionInfo.migrationUser to be retrieved from existing secret - ## If unset database.connectionInfo.passwordKey is used instead. - ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. + host: "localhost:5432" + ## The name of the Grafana database. Leave it set to grafana (default) or some other name. + ## - You must create the database manually before deploying. If you are using the default database + ## name, you must create a database named "grafana". The database user, if not a superuser, will require USAGE + ## and CREATE privileges on the "public" schema and SELECT, INSERT, UPDATE, and DELETE privileges on all tables + ## in the "public" schema. + # name: "database-name" + ## Use either URL or the other fields above to configure the database. + ## url: postgres://dashboardhost:abc123@dashboardhostpostgrescluster-primary.systemlink-nic2.svc:5432/grafana + ## For PostgresSQL, use either disable, require or verify-full. For MySQL, use either true, false, or skip-verify. ## - # migrationPasswordKey: null - + ssl_mode: "disable" + serviceAccount: ## @param serviceAccount.annotations Annotations to add to the service account ## @@ -377,12 +379,3 @@ nbexecservice: scheme: "https://" host: "storage.googleapis.com" region: # - Enter the region where the GCS bucket is located - argo: - artifactRepository: - s3: - port: 443 - bucket: # - Enter the name of the GCS bucket for artifact repository - scheme: "https://" - host: "storage.googleapis.com" - region: # - Enter the region where the GCS bucket is located - insecure: false From 4c0d10bdf9940d93daec78c3e2a46bae0b8c9edb Mon Sep 17 00:00:00 2001 
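Review bot: The new grafana `database:` block takes the PostgreSQL password as a plain value (`password: # - Enter the PostgreSQL password for the dashboardhost database`) in a supplemental values file, which puts the credential into Helm release history and, in practice, into version control, while the other services in this file already reference an existing Secret through `secretName`. Grafana's configuration supports value providers, so `password: $__file{/etc/secrets/grafana-db/password}` with the Secret mounted, or `$__env{GF_DATABASE_PASSWORD}` if the chart can inject a Secret as environment, keeps the value out of the values file. `ssl_mode: "disable"` is only acceptable because `host: "localhost:5432"` targets the Cloud SQL Auth Proxy sidecar, which carries TLS to the instance; that reasoning should be on the line, e.g. `# TLS is provided by the cloud-sql-auth-proxy sidecar on localhost; never use "disable" for a direct connection`, so the setting is not copied into a direct-connection deployment. The following patch moves this block under `grafana.ini:`; both points apply unchanged there.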
From: Priyadarshini Piramanayagam Date: Wed, 18 Dec 2024 20:37:07 +0530 Subject: [PATCH 10/10] fix: grafana database --- .../GCP/gcp-supplemental-values.yaml | 55 ++++++++++--------- 1 file changed, 28 insertions(+), 27 deletions(-) diff --git a/getting-started/templates/GCP/gcp-supplemental-values.yaml b/getting-started/templates/GCP/gcp-supplemental-values.yaml index a5691bac..4ff4de6f 100644 --- a/getting-started/templates/GCP/gcp-supplemental-values.yaml +++ b/getting-started/templates/GCP/gcp-supplemental-values.yaml 
@@ -197,34 +197,35 @@ dashboardhost: secret: secretName: # - Enter the secret name where config.json is added. - ## Database configuration. See here for more documentation: https://grafana.com/docs/grafana/latest/administration/configuration/#database - # - This configures a connection to an external PostgresSQL. Remove this section if not using an external database. - ## - database: - ## Either mysql, postgres or sqlite3. - ## - type: "postgres" - ## The database user (not applicable for sqlite3). - ## - user: # - Enter the PostgreSQL username for the dashboardhost database - ## The database user’s password (not applicable for sqlite3). If the password contains # or ; you have to wrap it with triple quotes. For example """#password;""". - ## - password: # - Enter the PostgreSQL password for the dashboardhost database - ## Only applicable to MySQL or Postgres. Includes IP or host name and port or in case of Unix sockets the path to it. - ## For example, for MySQL running on the same host as Grafana: host = 127.0.0.1:3306 or with Unix sockets: host = /var/run/mysqld/mysqld.sock. - ## - host: "localhost:5432" - ## The name of the Grafana database. Leave it set to grafana (default) or some other name. - ## - You must create the database manually before deploying. If you are using the default database - ## name, you must create a database named "grafana". The database user, if not a superuser, will require USAGE - ## and CREATE privileges on the "public" schema and SELECT, INSERT, UPDATE, and DELETE privileges on all tables - ## in the "public" schema. - # name: "database-name" - ## Use either URL or the other fields above to configure the database. - ## url: postgres://dashboardhost:abc123@dashboardhostpostgrescluster-primary.systemlink-nic2.svc:5432/grafana - ## For PostgresSQL, use either disable, require or verify-full. For MySQL, use either true, false, or skip-verify. + grafana.ini: + ## Database configuration. 
See here for more documentation: https://grafana.com/docs/grafana/latest/administration/configuration/#database + # - This configures a connection to an external PostgresSQL. Remove this section if not using an external database. ## - ssl_mode: "disable" + database: + ## Either mysql, postgres or sqlite3. + ## + type: "postgres" + ## The database user (not applicable for sqlite3). + ## + user: # - Enter the PostgreSQL username for the dashboardhost database + ## The database user’s password (not applicable for sqlite3). If the password contains # or ; you have to wrap it with triple quotes. For example """#password;""". + ## + password: # - Enter the PostgreSQL password for the dashboardhost database + ## Only applicable to MySQL or Postgres. Includes IP or host name and port or in case of Unix sockets the path to it. + ## For example, for MySQL running on the same host as Grafana: host = 127.0.0.1:3306 or with Unix sockets: host = /var/run/mysqld/mysqld.sock. + ## + host: "localhost:5432" + ## The name of the Grafana database. Leave it set to grafana (default) or some other name. + ## - You must create the database manually before deploying. If you are using the default database + ## name, you must create a database named "grafana". The database user, if not a superuser, will require USAGE + ## and CREATE privileges on the "public" schema and SELECT, INSERT, UPDATE, and DELETE privileges on all tables + ## in the "public" schema. + # name: "database-name" + ## Use either URL or the other fields above to configure the database. + ## url: postgres://dashboardhost:abc123@dashboardhostpostgrescluster-primary.systemlink-nic2.svc:5432/grafana + ## For PostgresSQL, use either disable, require or verify-full. For MySQL, use either true, false, or skip-verify. + ## + ssl_mode: "disable" serviceAccount: ## @param serviceAccount.annotations Annotations to add to the service account