diff --git a/services/canal/rabbitmq/deepin-values.yml b/services/canal/rabbitmq/deepin-values.yml index cf15b4c..9004377 100644 --- a/services/canal/rabbitmq/deepin-values.yml +++ b/services/canal/rabbitmq/deepin-values.yml @@ -1,4 +1,4 @@ -# Copyright VMware, Inc. +# Copyright Broadcom, Inc. All Rights Reserved. # SPDX-License-Identifier: APACHE-2.0 ## @section Global parameters @@ -9,7 +9,8 @@ ## @param global.imageRegistry Global Docker image registry ## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.storageClass Global StorageClass for Persistent Volume(s) +## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) +## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead ## global: imageRegistry: "hub.cicd.getdeepin.org" 
@@ -18,14 +19,28 @@ global: ## - myRegistryKeySecretName ## imagePullSecrets: [] + defaultStorageClass: "canal" storageClass: "canal" - + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: true + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto ## @section RabbitMQ Image parameters ## Bitnami RabbitMQ image version ## ref: https://hub.docker.com/r/bitnami/rabbitmq/tags/ -## @param image.registry RabbitMQ image registry -## @param image.repository RabbitMQ image repository -## @param image.tag RabbitMQ image tag (immutable tags are recommended) +## @param image.registry [default: REGISTRY_NAME] RabbitMQ image registry +## @param image.repository [default: REPOSITORY_NAME/rabbitmq] RabbitMQ image repository +## @skip image.tag RabbitMQ image tag (immutable tags are recommended) ## @param image.digest RabbitMQ image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param image.pullPolicy RabbitMQ image pull policy ## @param image.pullSecrets Specify docker-registry secret names as an array @@ -33,7 +48,7 @@ global: ## image: registry: docker.io - repository: bitnami/rabbitmq + repository: bitnamilegacy/rabbitmq tag: 3.12.7-debian-11-r0 digest: "" ## set to true if you would like to see extra information on logs 
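Review bot: `allowInsecureImages: true` under `global.security` disables the chart's check that images come from the expected registry/repository, and in the `image:` hunk on the same line the repository moves to `bitnamilegacy/rabbitmq` while `digest: ""` stays empty, so the deployment is pinned only by the mutable tag `3.12.7-debian-11-r0` with no chart-side verification left. Pinning the content is the compensating control: `digest: "sha256:<DIGEST_OF_PINNED_IMAGE>"` (the digest parameter overrides the tag per the `@param image.digest` line), together with a comment such as `## allowInsecureImages is required because the image is not the official Bitnami one; the digest pin below is what guarantees its contents`. The kept `storageClass: "canal"` next to the new `defaultStorageClass: "canal"` is now marked DEPRECATED by the comment above it and can probably be dropped once the chart no longer reads it.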
@@ -41,8 +56,7 @@ image: ## debug: false ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -53,7 +67,6 @@ image: ## - myRegistryKeySecretName ## pullSecrets: [] - ## @section Common parameters ## @@ -84,19 +97,19 @@ servicenameOverride: "" ## @param commonLabels Labels to add to all deployed objects ## commonLabels: {} - ## @param serviceBindings.enabled Create secret for service binding (Experimental) ## Ref: https://servicebinding.io/service-provider/ ## serviceBindings: enabled: false - ## @param enableServiceLinks Whether information about services should be injected into pod's environment variable ## The environment variables injected by service links are not used, but can lead to slow boot times or slow running of the scripts when there are many services in the current namespace. ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. ## enableServiceLinks: true - +## @param usePasswordFiles Mount credentials as files instead of using environment variables +## +usePasswordFiles: true ## Enable diagnostic mode in the deployment ## diagnosticMode: @@ -111,7 +124,9 @@ diagnosticMode: ## args: - infinity - +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: true ## @param hostAliases Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## 
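Review bot: The new top-level `automountServiceAccountToken: true` keeps the service-account token mounted in the broker pod, while the hunk at `@@ -887,11 +940,10 @@` flips `serviceAccount.automountServiceAccountToken` to `false`; the two are easy to read as contradictory. As far as this file shows, the pod-level mount is what `rabbit_peer_discovery_k8s` (see `cluster_formation.peer_discovery_backend` in the `configuration` block) needs to query `kubernetes.default`, with `rbac.create: true` granting the pod-scoped permissions. A comment next to the pod-level key would keep the next maintainer from "hardening" it off: `## Kept true: the k8s peer-discovery backend needs the token to query the API; the ServiceAccount-level default is false`. `usePasswordFiles: true` is a good change for the same reason the comment gives: credentials leave the environment block.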
@@ -146,11 +161,19 @@ auth: ## ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables ## securePassword: true - ## @param auth.existingPasswordSecret Existing secret with RabbitMQ credentials (must contain a value for `rabbitmq-password` key) + ## @param auth.updatePassword Update RabbitMQ password on secret change + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables + ## + updatePassword: false + ## @param auth.existingPasswordSecret Existing secret with RabbitMQ credentials (existing secret must contain a value for `rabbitmq-password` key or override with setting auth.existingSecretPasswordKey) ## e.g: ## existingPasswordSecret: name-of-existing-secret ## existingPasswordSecret: "" + ## @param auth.existingSecretPasswordKey [default: rabbitmq-password] Password key to be retrieved from existing secret + ## NOTE: ignored unless `auth.existingSecret` parameter is set + ## + existingSecretPasswordKey: "" ## @param auth.enableLoopbackUser If enabled, the user `auth.username` can only connect from localhost ## enableLoopbackUser: false 
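Review bot: The NOTE under `auth.existingSecretPasswordKey` refers to a parameter that does not exist in this section: it says `ignored unless \`auth.existingSecret\` parameter is set`, but the secret reference defined a few lines above is `auth.existingPasswordSecret`. The line should read `## NOTE: ignored unless \`auth.existingPasswordSecret\` parameter is set`, matching the equivalent note for `auth.existingSecretErlangKey` in the next hunk, which correctly names `auth.existingErlangSecret`. `updatePassword: false` is the conservative default, but it also means a rotation of the referenced secret is silently not applied to the broker; a one-line comment stating that would help whoever rotates credentials.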
@@ -158,12 +181,15 @@ auth: ## ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables ## erlangCookie: "" - ## @param auth.existingErlangSecret Existing secret with RabbitMQ Erlang cookie (must contain a value for `rabbitmq-erlang-cookie` key) + ## @param auth.existingErlangSecret Existing secret with RabbitMQ Erlang cookie (must contain a value for `rabbitmq-erlang-cookie` key or override with auth.existingSecretErlangKey) ## e.g: ## existingErlangSecret: name-of-existing-secret ## existingErlangSecret: "" - + ## @param auth.existingSecretErlangKey [default: rabbitmq-erlang-cookie] Erlang cookie key to be retrieved from existing secret + ## NOTE: ignored unless `auth.existingErlangSecret` parameter is set + ## + existingSecretErlangKey: "" ## Enable encryption to rabbitmq ## ref: https://www.rabbitmq.com/ssl.html ## @param auth.tls.enabled Enable TLS support on RabbitMQ @@ -197,7 +223,6 @@ auth: existingSecret: "" existingSecretFullChain: false overrideCaCertificate: "" - ## @param logs Path of the RabbitMQ server's Erlang log file. Value for the `RABBITMQ_LOGS` environment variable ## ref: https://www.rabbitmq.com/logging.html#log-file-location ## @@ -206,7 +231,7 @@ logs: "-" ## ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables ## ref: https://www.rabbitmq.com/install-debian.html#kernel-resource-limits ## -ulimitNofiles: "65536" +ulimitNofiles: "65535" ## RabbitMQ maximum available scheduler threads and online scheduler threads. By default it will create a thread per CPU detected, with the following parameters you can tune it manually. ## ref: https://hamidreza-s.github.io/erlang/scheduling/real-time/preemptive/migration/2016/02/09/erlang-scheduler-details.html#scheduler-threads ## ref: https://github.com/bitnami/charts/issues/2189 
@@ -215,7 +240,6 @@ ulimitNofiles: "65536" ## maxAvailableSchedulers: "" onlineSchedulers: "" - ## The memory threshold under which RabbitMQ will stop reading from client network sockets, in order to avoid being killed by the OS ## ref: https://www.rabbitmq.com/alarms.html ## ref: https://www.rabbitmq.com/memory.html#threshold @@ -230,14 +254,21 @@ memoryHighWatermark: ## Memory high watermark value. ## @param memoryHighWatermark.value Memory high watermark value ## The default value of 0.4 stands for 40% of available RAM - ## Note: the memory relative limit is applied to the resource.limits.memory to calculate the memory threshold - ## You can also use an absolute value, e.g.: 256MB + ## Note: the memory relative limit is applied to the resourcesPreset memory limit or the resource.limits.memory to calculate the memory threshold + ## You can also use an absolute value, e.g.: 256Mi ## value: 0.4 - ## @param plugins List of default plugins to enable (should only be altered to remove defaults; for additional plugins use `extraPlugins`) ## plugins: "rabbitmq_management rabbitmq_peer_discovery_k8s" + +## @param queue_leader_locator Changes the queue_leader_locator setting in the rabbitmq config file +## +queue_leader_locator: balanced +## @param queue_master_locator DEPRECATED. Use queue_leader_locator instead +## +queue_master_locator: "" + ## @param communityPlugins List of Community plugins (URLs) to be downloaded during container initialization ## Combine it with extraPlugins to also enable them. ## 
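Review bot: The rewritten note under `memoryHighWatermark.value` says the relative limit is applied to "the resourcesPreset memory limit or the resource.limits.memory", but the template in the `configuration` hunk at `@@ -470,16 +518,22 @@` only emits `total_memory_available_override_value` when `dig "limits" "memory" "" .Values.resources` is non-empty, and this file sets `resources: {}`. As far as this values file shows, with the preset alone no override is written and RabbitMQ falls back to its own memory detection, so the `0.4` applies to whatever the node or cgroup reports, not to the micro preset. Either the comment should say so, e.g. `## Note: the override is only written when resources.limits.memory is set; with resourcesPreset alone RabbitMQ detects memory itself`, or an explicit `resources.limits.memory` should be set. The `queue_master_locator: ""` key is kept only for the DEPRECATED path its comment describes and is unused when `queue_leader_locator` is set.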
@@ -246,13 +277,16 @@ communityPlugins: "" ## Use this instead of `plugins` to add new plugins ## extraPlugins: "rabbitmq_auth_backend_ldap" - ## Clustering settings ## clustering: ## @param clustering.enabled Enable RabbitMQ clustering ## enabled: true + ## @param clustering.name RabbitMQ cluster name + ## If not set, a name is generated using the common.names.fullname template + ## + name: "" ## @param clustering.addressType Switch clustering mode. Either `ip` or `hostname` ## addressType: hostname @@ -264,12 +298,11 @@ clustering: ## forceBoot executes 'rabbitmqctl force_boot' to force boot cluster shut down unexpectedly in an unknown order ## ref: https://www.rabbitmq.com/rabbitmqctl.8.html#force_boot ## - forceBoot: true + forceBoot: false ## @param clustering.partitionHandling Switch Partition Handling Strategy. Either `autoheal` or `pause_minority` or `pause_if_all_down` or `ignore` ## ref: https://www.rabbitmq.com/partitions.html#automatic-handling ## partitionHandling: autoheal - ## Loading a RabbitMQ definitions file to configure RabbitMQ ## loadDefinition: @@ -284,7 +317,6 @@ loadDefinition: ## existingSecret: "{{ .Release.Name }}-load-definition" ## existingSecret: "" - ## @param command Override default container command (useful when using custom images) ## command: [] @@ -311,7 +343,6 @@ extraEnvVarsCM: "" ## @param extraEnvVarsSecret Name of existing Secret containing extra environment variables (in case of sensitive data) ## extraEnvVarsSecret: "" - ## Container Ports ## @param containerPorts.amqp ## @param containerPorts.amqpTls @@ -327,6 +358,17 @@ containerPorts: manager: 15672 epmd: 4369 metrics: 9419 +## Host Ports +## @param hostPorts.amqp +## @param hostPorts.amqpTls +## @param hostPorts.manager +## @param hostPorts.metrics +## +hostPorts: + amqp: "" + amqpTls: "" + manager: "" + metrics: "" ## @param initScripts Dictionary of init scripts. Evaluated as a template. ## Specify dictionary of scripts to be run at first boot 
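Review bot: `forceBoot` flips from `true` to `false` in the `@@ -264,12 +298,11 @@` hunk, and unlike the other kept local values in this file (`imageRegistry`, `hostname`, `existingSecret`, `extraPlugins`) this looks like an upstream default overwriting a deliberate local override rather than a decision, so it is worth confirming. With `forceBoot: false` and `partitionHandling: autoheal`, a cluster that was stopped in an unknown order waits for the last node to come back before booting, which is the situation `forceBoot` was presumably enabled for. If the flip is intended, a comment such as `## forceBoot disabled on purpose: prefer a manual force_boot after an unclean shutdown over risking data divergence` records the trade-off. The new `hostPorts` block with empty strings is fine as long as the chart treats `""` as "unset" rather than as a port value.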
@@ -361,6 +403,9 @@ extraContainerPorts: [] ## See : https://www.rabbitmq.com/networking.html for additional information ## tcpListenOptions: + ## @param tcpListenOptions.enabled Enable TCP listen options of RabbitMQ + ## + enabled: true ## @param tcpListenOptions.backlog Maximum size of the unaccepted TCP connections queue ## backlog: 128 @@ -379,10 +424,8 @@ tcpListenOptions: ## @param tcpListenOptions.keepalive When set to true, enables TCP keepalives ## keepalive: false - configuration: |- ## Username and password - ## default_user = {{ .Values.auth.username }} {{- if and (not .Values.auth.securePassword) .Values.auth.password }} default_pass = {{ .Values.auth.password }} @@ -390,8 +433,13 @@ configuration: |- {{- if .Values.clustering.enabled }} ## Clustering ## + cluster_name = {{ default (include "common.names.fullname" .) .Values.clustering.name }} cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s cluster_formation.k8s.host = kubernetes.default + cluster_formation.k8s.address_type = {{ .Values.clustering.addressType }} + {{- $svcName := printf "%s-%s" (include "common.names.fullname" .) (default "headless" .Values.servicenameOverride) }} + cluster_formation.k8s.service_name = {{ $svcName }} + cluster_formation.k8s.hostname_suffix = .{{ $svcName }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} cluster_formation.node_cleanup.interval = 10 cluster_formation.node_cleanup.only_log_warning = true cluster_partition_handling = {{ .Values.clustering.partitionHandling }} @@ -402,8 +450,8 @@ configuration: |- {{- if .Values.loadDefinition.enabled }} load_definitions = {{ .Values.loadDefinition.file }} {{- end }} - # queue master locator - queue_master_locator = min-masters + # queue leader locator + queue_leader_locator = {{ include "rabbitmq.queueLocator" . }} # enable loopback user {{- if not (empty .Values.auth.username) }} loopback_users.{{ .Values.auth.username }} = {{ .Values.auth.enableLoopbackUser }} 
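Review bot: `queue_leader_locator = {{ include "rabbitmq.queueLocator" . }}` in the `configuration` block depends on a named template that only exists in the chart version this values file was synced against; rendering the same file with an older pinned chart fails on the missing template rather than degrading. Since this is a values file rather than the chart, a comment at the top of `configuration` naming the minimum chart version keeps the two in step: `## Requires chart >= <CHART_VERSION_PLACEHOLDER> (rabbitmq.queueLocator helper, clustering.name)`. The new `cluster_formation.k8s.hostname_suffix` line derives the suffix from `servicenameOverride`, `common.names.namespace` and `clusterDomain`, so a non-default `servicenameOverride` must match the headless service the chart actually creates; that is inferred from the template, not verifiable here.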
@@ -419,7 +467,7 @@ configuration: |- ssl_options.certfile = /opt/bitnami/rabbitmq/certs/server_certificate.pem ssl_options.keyfile = /opt/bitnami/rabbitmq/certs/server_key.pem {{- if .Values.auth.tls.sslOptionsPassword.enabled }} - ssl_options.password = {{ template "rabbitmq.tlsSslOptionsPassword" . }} + ssl_options.password = {{ include "common.secrets.passwords.manage" (dict "secret" .Values.auth.tls.sslOptionsPassword.existingSecret "key" .Values.auth.tls.sslOptionsPassword.key "providedValues" (list "auth.tls.sslOptionsPassword.password") "skipB64enc" true "failOnNew" false "context" $) }} {{- end }} {{- end }} {{- if .Values.ldap.enabled }} @@ -470,16 +518,22 @@ configuration: |- {{- end }} {{- end }} {{- end }} - {{- if .Values.metrics.enabled }} ## Prometheus metrics ## prometheus.tcp.port = {{ .Values.containerPorts.metrics }} - {{- end }} {{- if .Values.memoryHighWatermark.enabled }} ## Memory Threshold ## - total_memory_available_override_value = {{ include "rabbitmq.toBytes" .Values.resources.limits.memory }} + {{- if (dig "limits" "memory" "" .Values.resources) }} + total_memory_available_override_value = {{ include "rabbitmq.toBytes" (dig "limits" "memory" "" .Values.resources) }} + {{- end }} + {{- if (eq .Values.memoryHighWatermark.type "absolute") }} + vm_memory_high_watermark.{{ .Values.memoryHighWatermark.type }} = {{ include "rabbitmq.toBytes" .Values.memoryHighWatermark.value }} + {{- else if (eq .Values.memoryHighWatermark.type "relative") }} vm_memory_high_watermark.{{ .Values.memoryHighWatermark.type }} = {{ .Values.memoryHighWatermark.value }} + {{- end }} + {{- end }} + {{- if .Values.tcpListenOptions.enabled }} ## TCP Listen Options ## tcp_listen_options.backlog = {{ .Values.tcpListenOptions.backlog }} 
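Review bot: The new `ssl_options.password` line calls `common.secrets.passwords.manage` with `"failOnNew" false`, which, as far as that helper's usual behaviour goes, generates a random value when neither `auth.tls.sslOptionsPassword.existingSecret` nor `auth.tls.sslOptionsPassword.password` is supplied instead of failing. A generated passphrase cannot match the one protecting an existing server key, so the broker would fail at TLS startup with a less obvious error than a missing-value failure. A comment on the `{{- if .Values.auth.tls.sslOptionsPassword.enabled }}` line would make the contract explicit: `## When enabled, password or existingSecret MUST be provided; the helper does not fail on a missing value`. The `auth.tls` block where `sslOptionsPassword` is defined is outside this hunk.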
@@ -488,14 +542,12 @@ configuration: |- tcp_listen_options.linger.timeout = {{ .Values.tcpListenOptions.linger.timeout }} tcp_listen_options.keepalive = {{ .Values.tcpListenOptions.keepalive }} {{- end }} - ## @param configurationExistingSecret Existing secret with the configuration to use as rabbitmq.conf. ## Must contain the key "rabbitmq.conf" ## Takes precedence over `configuration`, so do not use both simultaneously ## With providing an existingSecret, extraConfiguration and extraConfigurationExistingSecret do not take any effect ## configurationExistingSecret: "" - ## @param extraConfiguration [string] Configuration file content: extra configuration to be appended to RabbitMQ configuration ## Use this instead of `configuration` to add more configuration ## Do not use simultaneously with `extraConfigurationExistingSecret` @@ -503,13 +555,11 @@ configurationExistingSecret: "" extraConfiguration: |- #default_vhost = {{ .Release.Namespace }}-vhost #disk_free_limit.absolute = 50MB - ## @param extraConfigurationExistingSecret Existing secret with the extra configuration to append to `configuration`. ## Must contain the key "extraConfiguration" ## Takes precedence over `extraConfiguration`, so do not use both simultaneously ## extraConfigurationExistingSecret: "" - ## @param advancedConfiguration Configuration file content: advanced configuration ## Use this as additional configuration in classic config format (Erlang term configuration format) ## 
@@ -523,21 +573,18 @@ extraConfigurationExistingSecret: "" ## If both, advancedConfiguration and advancedConfigurationExistingSecret are set, then advancedConfiguration ## will be used instead of the secret. # -advancedConfiguration: |- - +advancedConfiguration: "" ## @param advancedConfigurationExistingSecret Existing secret with the advanced configuration file (must contain a key `advanced.config`). ## Use this as additional configuration in classic config format (Erlang term configuration format) as in advancedConfiguration ## Do not use in combination with advancedConfiguration, will be ignored ## advancedConfigurationExistingSecret: "" - ## This subsystem was introduced in RabbitMQ 3.8.0 to allow rolling upgrades of cluster members without shutting down the entire cluster. ## Feature flags are a mechanism that controls what features are considered to be enabled or available on all cluster nodes. If a feature flag is enabled, so is its associated feature (or behavior). If not then all nodes in the cluster will disable the feature (behavior). ## e.g, drop_unroutable_metric,empty_basic_get_metric,implicit_default_bindings,maintenance_mode_status,quorum_queue,virtual_host_metadata ## @param featureFlags that controls what features are considered to be enabled or available on all cluster nodes. ## featureFlags: "" - ## LDAP configuration ## ldap: @@ -553,7 +600,6 @@ ldap: ## @param ldap.port LDAP servers port. This is valid only if ldap.uri is not set ## port: "" - ## DEPRECATED ldap.user_dn_pattern it will removed in a future, please use userDnPattern instead ## Pattern used to translate the provided username into a value to be used for the LDAP bind ## @param ldap.userDnPattern Pattern used to translate the provided username into a value to be used for the LDAP bind. 
@@ -570,7 +616,7 @@ ldap: ## basedn: "" ## @param ldap.uidField Field used to match with the user name (uid, samAccountName, cn, etc). It matches with 'dn_lookup_attribute' in RabbitMQ configuration - ##��ref: https://www.rabbitmq.com/ldap.html#usernames-and-dns + ## ref: https://www.rabbitmq.com/ldap.html#usernames-and-dns ## ## @param ldap.uidField Field used to match with the user name (uid, samAccountName, cn, etc). It matches with 'dn_lookup_attribute' in RabbitMQ configuration ## @@ -599,7 +645,6 @@ ldap: CAFilename: "" certFilename: "" certKeyFilename: "" - ## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts ## Examples: ## extraVolumeMounts: @@ -629,7 +674,6 @@ extraSecrets: {} ## @param extraSecretsPrependReleaseName Set this flag to true if extraSecrets should be created with prepended. ## extraSecretsPrependReleaseName: false - ## @section Statefulset parameters ## @@ -688,7 +732,6 @@ podAffinityPreset: "" ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## podAntiAffinityPreset: soft - ## Node affinity preset ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity ## @@ -708,14 +751,13 @@ nodeAffinityPreset: ## - e2e-az2 ## values: [] - ## @param affinity Affinity for pod assignment. Evaluated as a template ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set ## affinity: {} ## @param nodeSelector Node labels for pod assignment. Evaluated as a template -## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param tolerations Tolerations for pod assignment. Evaluated as a template 
@@ -726,19 +768,29 @@ tolerations: [] ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods ## topologySpreadConstraints: [] - ## RabbitMQ pods' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param podSecurityContext.enabled Enable RabbitMQ pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups ## @param podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 - ## @param containerSecurityContext.enabled Enabled RabbitMQ containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup ## @param containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot +## @param containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## Example: ## containerSecurityContext: 
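Review bot: The new `@param` line for `containerSecurityContext.capabilities.drop` carries a copy-paste description: it reads `Set container's Security Context runAsNonRoot`, which already belongs to the `runAsNonRoot` line above it. It should read `## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped from the container`. The added `fsGroupChangePolicy: Always`, `sysctls: []` and `supplementalGroups: []` keys are documented consistently; the `containerSecurityContext:` mapping they describe continues in the next hunk.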
@@ -748,32 +800,37 @@ podSecurityContext: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true - + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## RabbitMQ containers' resource requests and limits -## ref: https://kubernetes.io/docs/user-guide/compute-resources/ +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. -## @param resources.limits The resources limits for RabbitMQ containers -## @param resources.requests The requested resources for RabbitMQ containers +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). 
+## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## -resources: - ## Example: - ## limits: - ## cpu: 1000m - ## memory: 2Gi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 1000m - ## memory: 2Gi - ## - requests: {} - +resourcesPreset: "micro" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} ## Configure RabbitMQ containers' extra options for liveness probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @param livenessProbe.enabled Enable livenessProbe @@ -806,7 +863,6 @@ readinessProbe: periodSeconds: 30 failureThreshold: 3 successThreshold: 1 - ## Configure RabbitMQ containers' extra options for startup probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @param startupProbe.enabled Enable startupProbe @@ -823,7 +879,6 @@ startupProbe: periodSeconds: 30 failureThreshold: 3 successThreshold: 1 - ## @param customLivenessProbe Override default liveness probe ## customLivenessProbe: {} 
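Review bot: `resourcesPreset: "micro"` replaces the previous empty `limits: {}` / `requests: {}`, so this deployment goes from no resource limits at all to the smallest non-trivial preset; for a broker that also enables clustering and the LDAP auth backend that is likely to be memory-tight, and the comment on the `resourcesPreset` line itself says `resources is recommended for production`. The preset's actual numbers live in the common chart's `_resources.tpl` referenced above and are not visible here, so confirm them against the expected queue sizes or set `resources:` explicitly. A short comment would record the decision either way: `## micro preset chosen deliberately for <ENVIRONMENT_PLACEHOLDER>; set resources explicitly before production use`. The hardening keys added earlier in this hunk (`readOnlyRootFilesystem: true`, `capabilities.drop: ["ALL"]`, `seccompProfile.type: "RuntimeDefault"`) are the right defaults; whether `rabbitmq_auth_backend_ldap` and any `communityPlugins` download still work with a read-only root filesystem depends on the chart's writable volumes and should be checked on first rollout.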
@@ -856,21 +911,19 @@ initContainers: [] ## containerPort: 1234 ## sidecars: [] - ## Pod Disruption Budget configuration ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ ## pdb: ## @param pdb.create Enable/disable a Pod Disruption Budget creation ## - create: false + create: true ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled ## - minAvailable: 1 - ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable + minAvailable: "" + ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. ## maxUnavailable: "" - ## @section RBAC parameters ## @@ -887,11 +940,10 @@ serviceAccount: name: "" ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. ## annotations: {} - ## Role Based Access ## ref: https://kubernetes.io/docs/admin/authorization/rbac/ ## @@ -901,10 +953,20 @@ rbac: ## that allows RabbitMQ pods querying the K8s API ## create: true - + ## @param rbac.rules Custom RBAC rules + ## Example: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] ## @section Persistence parameters ## - persistence: ## @param persistence.enabled Enable RabbitMQ data persistence using PVC ## 
@@ -935,7 +997,7 @@ persistence: ## @param persistence.mountPath The path the volume will be mounted at ## Note: useful when using custom RabbitMQ images ## - mountPath: /bitnami/rabbitmq/mnesia + mountPath: /opt/bitnami/rabbitmq/.rabbitmq/mnesia ## @param persistence.subPath The subdirectory of the volume to mount to ## Useful in dev environments and one PV for multiple services ## @@ -955,7 +1017,19 @@ persistence: ## labels: ## app: my-app labels: {} - +## Persistent Volume Claim Retention Policy +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention +## +persistentVolumeClaimRetentionPolicy: + ## @param persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for rabbitmq Statefulset + ## + enabled: false + ## @param persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced + ## + whenScaled: Retain + ## @param persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted + ## + whenDeleted: Retain ## @section Exposure parameters ## @@ -965,7 +1039,6 @@ service: ## @param service.type Kubernetes Service type ## type: NodePort - ## @param service.portEnabled Amqp port. Cannot be disabled when `auth.tls.enabled` is `false`. Listener can be disabled with `listeners.tcp = none`. ## portEnabled: true @@ -1009,7 +1082,6 @@ service: manager: "http-stats" metrics: "metrics" epmd: "epmd" - ## Node ports to expose ## @param service.nodePorts.amqp Node port for Ampq ## @param service.nodePorts.amqpTls Node port for Ampq TLS 
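Review bot: `persistence.mountPath` moves from `/bitnami/rabbitmq/mnesia` to `/opt/bitnami/rabbitmq/.rabbitmq/mnesia` while `image.tag` stays pinned at `3.12.7-debian-11-r0` in the hunk at `@@ -33,7 +48,7 @@`. If that image still writes its mnesia directory to the old path, the existing PVC is mounted where the broker does not look and the node starts with an empty database (users, vhosts, definitions and durable queues appear gone, and writes land on the ephemeral container filesystem). This cannot be settled from the values file alone; verify the path the pinned image uses, or bump the image and mount path together, and leave a comment such as `## mountPath must match the RABBITMQ mnesia base dir of the pinned image; changed alongside the image, not independently`. The new `persistentVolumeClaimRetentionPolicy` block defaults to `Retain` and is disabled, which is the safe combination.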
@@ -1033,6 +1105,14 @@ service: ## targetPort: 1234 ## extraPorts: [] + ## @param service.extraPortsHeadless Extra ports to expose in the headless service + ## E.g.: + ## extraPortsHeadless: + ## - name: new_svc_name + ## port: 1234 + ## targetPort: 1234 + ## + extraPortsHeadless: [] ## @param service.loadBalancerSourceRanges Address(es) that are allowed when service is `LoadBalancer` ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## e.g: @@ -1040,6 +1120,10 @@ service: ## - 10.10.10.0/24 ## loadBalancerSourceRanges: [] + ## @param service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: true ## @param service.externalIPs Set the ExternalIPs ## externalIPs: [] @@ -1047,6 +1131,9 @@ service: ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip ## externalTrafficPolicy: Cluster + ## @param service.loadBalancerClass Set the LoadBalancerClass + ## + loadBalancerClass: "" ## @param service.loadBalancerIP Set the LoadBalancerIP ## loadBalancerIP: "" 
@@ -1088,20 +1175,21 @@ service: ## timeoutSeconds: 300 ## sessionAffinityConfig: {} - + ## @param service.trafficDistribution Traffic Distribution provides another + ## way to influence traffic routing within a Kubernetes Service. + ## + trafficDistribution: "PreferClose" ## Configure the ingress resource that allows you to access the ## RabbitMQ installation. Set up the URL -## ref: https://kubernetes.io/docs/user-guide/ingress/ +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ ## ingress: ## @param ingress.enabled Enable ingress resource for Management console ## enabled: true - ## @param ingress.path Path for the default host. You may need to set this to '/*' in order to use this with ALB ingress controllers. ## path: / - ## @param ingress.pathType Ingress path type ## pathType: ImplementationSpecific @@ -1110,7 +1198,7 @@ ingress: hostname: rabbitmq.cicd.getdeepin.org ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md ## Use this parameter to set the required annotations for cert-manager, see ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations ## 
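Review bot: `service.trafficDistribution: "PreferClose"` sets a Service field that exists only on recent Kubernetes releases, and the `@param` comment does not say which; on a cluster whose API server does not know the field the outcome ranges from a warning to a rejected object depending on the server's field validation. Either pin the expectation in the comment, e.g. `## Requires a Kubernetes release that supports spec.trafficDistribution; leave empty on older clusters`, or set it to `""` until the target cluster version is confirmed. The updated ingress and nodeSelector reference URLs in the surrounding hunks are documentation-only.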
@@ -1190,34 +1278,73 @@ ingress: ## @param ingress.existingSecret It is you own the certificate as secret. ## existingSecret: "cicd.getdeepin.org" - -## Network Policy configuration -## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## Network Policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## networkPolicy: - ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created ## enabled: false - ## @param networkPolicy.allowExternal Don't require client label for connections + ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param networkPolicy.allowExternal Don't require server label for connections ## The Policy model to apply. When set to false, only pods with the correct - ## client label will have network access to the ports RabbitMQ is listening - ## on. When true, RabbitMQ will accept connections from any source + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source ## (with the correct destination port). ## allowExternal: true - ## @param networkPolicy.additionalRules Additional NetworkPolicy Ingress "from" rules to set. Note that all rules are OR-ed. + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. 
+ ## + addExternalClientAccess: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy ## e.g: - ## additionalRules: - ## - matchLabels: - ## - role: frontend - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - ## - additionalRules: [] - + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. + ## e.g: + ## ingressPodMatchLabels: + ## my-client: "true" + # + ingressPodMatchLabels: {} + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Metrics Parameters ## 
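Review bot: The description on `## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy` is a copy of the extraIngress line and should read `Add extra egress rules to the NetworkPolicy`. Separately, `networkPolicy.enabled` stays `false`, so none of the new knobs take effect in this deployment; if it is ever enabled, `allowExternal: true` together with `allowExternalEgress: true` yields a policy that admits any source and any destination, and `kubeAPIServerPorts: [443, 6443, 8443]` should be narrowed to the port the cluster's API server actually uses, as the parameter's own comment advises. The lone `#` line before `ingressPodMatchLabels: {}` also breaks the `##` comment convention used everywhere else in the file.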
@@ -1241,32 +1368,12 @@ metrics: ## ref: https://github.com/coreos/prometheus-operator ## serviceMonitor: - ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator - ## - enabled: false ## @param metrics.serviceMonitor.namespace Specify the namespace in which the serviceMonitor resource will be created ## namespace: "" - ## @param metrics.serviceMonitor.interval Specify the interval at which metrics should be scraped - ## - interval: 30s - ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended - ## e.g: - ## scrapeTimeout: 30s - ## - scrapeTimeout: "" ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. ## jobLabel: "" - ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. - ## - relabelings: [] - ## @param metrics.serviceMonitor.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion. - ## - metricRelabelings: [] - ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels - ## - honorLabels: false ## @param metrics.serviceMonitor.targetLabels Used to keep given service's labels in target ## e.g: ## - app.kubernetes.io/name @@ -1277,13 +1384,6 @@ metrics: ## - app.kubernetes.io/name ## podTargetLabels: {} - ## @param metrics.serviceMonitor.path Define the path used by ServiceMonitor to scrap metrics - ## Could be /metrics for aggregated metrics or /metrics/per-object for more details - ## - path: "" - ## @param metrics.serviceMonitor.params Define the HTTP URL parameters used by ServiceMonitor - ## - params: {} ## @param metrics.serviceMonitor.selector ServiceMonitor selector labels ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration ## 
@@ -1297,6 +1397,111 @@ metrics: ## @param metrics.serviceMonitor.annotations Extra annotations for the ServiceMonitor ## annotations: {} + ## Scrape metrics from the `/metrics` endpoint + ## ref: https://www.rabbitmq.com/docs/prometheus#default-endpoint + ## + default: + ## @param metrics.serviceMonitor.default.enabled Enable default metrics endpoint (`GET /metrics`) to be scraped by the ServiceMonitor + ## + enabled: false + ## @param metrics.serviceMonitor.default.interval Specify the interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.default.scrapeTimeout Specify the timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 30s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.default.relabelings RelabelConfigs to apply to samples before scraping. + ## + relabelings: [ ] + ## @param metrics.serviceMonitor.default.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion. + ## + metricRelabelings: [ ] + ## @param metrics.serviceMonitor.default.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## Scrape metrics from the `/metrics/per-object` endpoint + ## ref: https://www.rabbitmq.com/docs/prometheus#per-object-endpoint + ## + perObject: + ## @param metrics.serviceMonitor.perObject.enabled Enable per-object metrics endpoint (`GET /metrics/per-object`) to be scraped by the ServiceMonitor + ## + enabled: false + ## @param metrics.serviceMonitor.perObject.interval Specify the interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.perObject.scrapeTimeout Specify the timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 30s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.perObject.relabelings RelabelConfigs to apply to samples before scraping. 
+ ## + relabelings: [ ] + ## @param metrics.serviceMonitor.perObject.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion. + ## + metricRelabelings: [ ] + ## @param metrics.serviceMonitor.perObject.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## Scrape metrics from the `/metrics/detailed` endpoint + ## ref: https://www.rabbitmq.com/docs/prometheus#detailed-endpoint + ## + detailed: + ## @param metrics.serviceMonitor.detailed.enabled Enable detailed metrics endpoint (`GET /metrics/detailed`) to be scraped by the ServiceMonitor + ## + enabled: false + ## @param metrics.serviceMonitor.detailed.family List of metric families to get + ## e.g. + ## family: ["queue_coarse_metrics", "queue_consumer_count"] + ## + family: [] + ## @param metrics.serviceMonitor.detailed.vhost Filter metrics to only show for the specified vhosts + ## + vhost: [] + ## @param metrics.serviceMonitor.detailed.interval Specify the interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.detailed.scrapeTimeout Specify the timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 30s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.detailed.relabelings RelabelConfigs to apply to samples before scraping. + ## + relabelings: [ ] + ## @param metrics.serviceMonitor.detailed.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion. + ## + metricRelabelings: [ ] + ## @param metrics.serviceMonitor.detailed.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + + ## @param metrics.serviceMonitor.enabled Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead. + ## + enabled: false + ## @param metrics.serviceMonitor.interval Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead. 
+ ## + interval: 30s + ## @param metrics.serviceMonitor.scrapeTimeout Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead. + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.relabelings Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead. + ## + relabelings: [ ] + ## @param metrics.serviceMonitor.metricRelabelings Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead. + ## + metricRelabelings: [ ] + ## @param metrics.serviceMonitor.honorLabels Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead. + ## + honorLabels: false + ## @param metrics.serviceMonitor.path Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead. + ## + path: "" + ## @param metrics.serviceMonitor.params Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead. + ## + params: { } ## Custom PrometheusRule to be defined ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart @@ -1371,7 +1576,6 @@ metrics: ## VALUE = {{ "{{ $value }}" }}\n LABELS: {{ "{{ $labels }}" }} ## rules: [] - ## @section Init Container Parameters ## 
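Review bot: The new `relabelings: [ ]`, `metricRelabelings: [ ]` and `params: { }` values use spaced flow collections while every other empty collection in the file, including `family: []` and `vhost: []` in this same hunk, is written `[]`/`{}`; normalise them to `[]` and `{}`. The deprecated `metrics.serviceMonitor.{enabled,interval,scrapeTimeout,…}` keys are re-added with the same defaults as the new `default:` block, so a reader cannot tell from the values alone which set the template honours when both are populated; a one-line comment above the deprecated `enabled: false`, e.g. `## Presumably ignored once default/perObject/detailed is enabled — confirm against the template`, would settle it.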
@@ -1383,9 +1587,9 @@ volumePermissions: ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` ## enabled: false - ## @param volumePermissions.image.registry Init container volume-permissions image registry - ## @param volumePermissions.image.repository Init container volume-permissions image repository - ## @param volumePermissions.image.tag Init container volume-permissions image tag + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository + ## @skip volumePermissions.image.tag Init container volume-permissions image tag ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array @@ -1393,11 +1597,10 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r90 + tag: 12-debian-12-r50 digest: "" ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) 
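Review bot: The init-container image moves to `tag: 12-debian-12-r50` while `digest: ""` keeps the pull keyed on a mutable tag; this container runs as `runAsUser: 0` (set further down in this file) to chown the data volume, so it is the image where a digest pin is most worth having. Whether that tag still resolves for the unchanged `repository: bitnami/os-shell` in the configured registry should be verified before merging. I would either set `digest` to the image's sha256 (value taken from the registry at pin time) or record the decision, e.g. `## NOTE: tag is mutable; pin digest for reproducible pulls`.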
@@ -1408,31 +1611,33 @@ volumePermissions: ## pullSecrets: [] ## Init Container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param volumePermissions.resources.limits Init container volume-permissions resource limits - ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 128Mi - ## - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 128Mi - ## - requests: {} + resourcesPreset: "nano" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Init container' Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## containerSecurityContext: + seLinuxOptions: {} runAsUser: 0 +
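Review bot: The explanatory block above `resourcesPreset: "nano"` still tells the reader to "uncomment the following lines … and remove the curly braces after 'resources:'", which no longer matches the structure now that a preset is set and `resources: {}` is the explicit override; trim it to the sentence explaining that a non-empty `resources` takes precedence over the preset. `nano` is the smallest non-`none` preset listed, and the init container's job is a recursive chown of the persistent volume, so on a large existing volume it may be throttled or OOM-killed — speculative from here, but worth a comment or a larger preset if the volume is big. The trailing `+` adds a blank line at end of file, which yamllint's `new-lines`/`empty-lines` checks flag.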