From 3780a99b79fb10ff419c8082657337a918b1d13d Mon Sep 17 00:00:00 2001 From: alejandroEsc Date: Thu, 24 Aug 2023 15:05:08 -0400 Subject: [PATCH 1/7] feat: allow extra init containers --- charts/console/templates/deployment.yaml | 4 + charts/console/values.schema.json | 526 ++++++++++++----------- charts/console/values.yaml | 12 + 3 files changed, 283 insertions(+), 259 deletions(-) diff --git a/charts/console/templates/deployment.yaml b/charts/console/templates/deployment.yaml index 3ab031571e..8c77178da5 100644 --- a/charts/console/templates/deployment.yaml +++ b/charts/console/templates/deployment.yaml @@ -70,6 +70,10 @@ spec: {{- with .Values.extraVolumes }} {{- toYaml . | nindent 8 }} {{- end }} +{{- if dig "extraInitContainers" false .Values.initContainers }} + initContainers: +{{- tpl .Values.initContainers.extraInitContainers . | nindent 8 }} +{{- end }} containers: - name: {{ .Chart.Name }} {{- with .Values.deployment.command }} diff --git a/charts/console/values.schema.json b/charts/console/values.schema.json index 1d5b845248..dcab4b69e6 100644 --- a/charts/console/values.schema.json +++ b/charts/console/values.schema.json 
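Review bot: The guard `{{- if dig "extraInitContainers" false .Values.initContainers }}` cannot tell real content from the shipped default, because the default `extraInitContainers` block scalar is a non-empty string made only of commented-out lines; it is truthy, so every default render emits an `initContainers:` key whose value is null (the `tpl` output is comments only). Kubernetes very likely tolerates a null list here, but the key appears or disappears depending on whether the user left the default or set `""`, which is noise for manifest diffs and admission policies. Either ship the default as `extraInitContainers: ""` with the example kept in a normal `#` comment above the key, or model this like the sibling `extraContainers: []` list and render it with `toYaml`. If the string form stays, document next to the key that the value is passed through `tpl`, so it is evaluated as a Go template against the full release context (`.Values`, `.Release`, `lookup`) and literal `{{` in container args must be escaped.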
@@ -1,295 +1,303 @@ { - "$schema": "http://json-schema.org/schema#", - "type": "object", - "required": [ - "image" - ], - "properties": { - "affinity": { - "type": "object" + "$schema": "http://json-schema.org/schema#", + "type": "object", + "required": [ + "image" + ], + "properties": { + "affinity": { + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "configmap": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - } - } + "maxReplicas": { + "type": "integer" }, - "console": { - "type": "object" + "minReplicas": { + "type": "integer" }, - "deployment": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - } - } - }, - "extraContainers": { - "type": "array" - }, - "extraEnv": { - "type": "array" - }, - "extraEnvFrom": { - "type": "array" + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "configmap": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "console": { + "type": "object" + }, + "deployment": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "extraContainers": { + "type": "array" + }, + "extraEnv": { + "type": "array" + }, + "extraEnvFrom": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "type": "object", + "required": [ + "repository" + ], + "properties": { + "pullPolicy": { + "type": "string" }, - "extraVolumeMounts": { - "type": "array" + "registry": { + "type": "string" }, - "extraVolumes": { - "type": "array" + "repository": { + "type": "string", + 
"minLength": 1 }, - "fullnameOverride": { - "type": "string" + "tag": { + "type": "string" + } + } + }, + "imagePullSecrets": { + "type": "array" + }, + "ingress": { + "type": "object", + "properties": { + "annotations": { + "type": "object" }, - "image": { - "type": "object", - "required": [ - "repository" - ], - "properties": { - "pullPolicy": { - "type": "string" - }, - "registry": { - "type": "string" - }, - "repository": { - "type": "string", - "minLength": 1 - }, - "tag": { - "type": "string" - } - } + "className": { + "type": "string" }, - "imagePullSecrets": { - "type": "array" + "enabled": { + "type": "boolean" }, - "ingress": { + "hosts": { + "type": "array", + "items": { "type": "object", "properties": { - "annotations": { - "type": "object" - }, - "className": { - "type": "string" - }, - "enabled": { - "type": "boolean" - }, - "hosts": { - "type": "array", - "items": { - "type": "object", - "properties": { - "host": { - "type": "string" - }, - "paths": { - "type": "array", - "items": { - "type": "object", - "properties": { - "path": { - "type": "string" - }, - "pathType": { - "type": "string" - } - } - } - } - } + "host": { + "type": "string" + }, + "paths": { + "type": "array", + "items": { + "type": "object", + "properties": { + "path": { + "type": "string" + }, + "pathType": { + "type": "string" } - }, - "tls": { - "type": "array" + } } + } } + } }, - "livenessProbe": { - "type": "object", - "properties": { - "failureThreshold": { - "type": "integer" - }, - "initialDelaySeconds": { - "type": "integer" - }, - "periodSeconds": { - "type": "integer" - }, - "successThreshold": { - "type": "integer" - }, - "timeoutSeconds": { - "type": "integer" - } - } + "tls": { + "type": "array" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" }, - "nameOverride": { - "type": "string" + "initialDelaySeconds": { + "type": "integer" }, - "nodeSelector": { - "type": "object" + "periodSeconds": { + "type": 
"integer" }, - "annotations": { - "type": "object" + "successThreshold": { + "type": "integer" }, - "podAnnotations": { - "type": "object" + "timeoutSeconds": { + "type": "integer" + } + } + }, + "nameOverride": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "annotations": { + "type": "object" + }, + "podAnnotations": { + "type": "object" + }, + "podSecurityContext": { + "type": "object", + "properties": { + "fsGroup": { + "type": "integer" }, - "podSecurityContext": { - "type": "object", - "properties": { - "fsGroup": { - "type": "integer" - }, - "runAsUser": { - "type": "integer" - } - } + "runAsUser": { + "type": "integer" + } + } + }, + "readinessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" }, - "readinessProbe": { - "type": "object", - "properties": { - "failureThreshold": { - "type": "integer" - }, - "initialDelaySeconds": { - "type": "integer" - }, - "periodSeconds": { - "type": "integer" - }, - "successThreshold": { - "type": "integer" - }, - "timeoutSeconds": { - "type": "integer" - } - } + "initialDelaySeconds": { + "type": "integer" }, - "replicaCount": { - "type": "integer" + "periodSeconds": { + "type": "integer" }, - "resources": { - "type": "object" + "successThreshold": { + "type": "integer" }, - "secret": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "enterprise": { - "type": "object" - }, - "kafka": { - "type": "object" - }, - "login": { - "type": "object", - "properties": { - "jwtSecret": { - "type": "string" - }, - "github": { - "type": "object" - }, - "google": { - "type": "object" - }, - "oidc": { - "type": "object" - }, - "okta": { - "type": "object" - } - } - }, - "redpanda": { - "type": "object", - "properties": { - "adminApi": { - "type": "object" - } - } - } - } + "timeoutSeconds": { + "type": "integer" + } + } + }, + "replicaCount": { + "type": "integer" + }, + "resources": { + "type": "object" + }, + "secret": { + "type": "object", 
+ "properties": { + "create": { + "type": "boolean" }, - "secretMounts": { - "type": "array" + "enterprise": { + "type": "object" }, - "securityContext": { - "type": "object", - "properties": { - "runAsNonRoot": { - "type": "boolean" - } + "kafka": { + "type": "object" + }, + "login": { + "type": "object", + "properties": { + "jwtSecret": { + "type": "string" + }, + "github": { + "type": "object" + }, + "google": { + "type": "object" + }, + "oidc": { + "type": "object" + }, + "okta": { + "type": "object" } + } }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "port": { - "type": "integer" - }, - "targetPort": { - "anyOf": [ - { - "type": "integer" - }, - { - "type": "null" - } - ] - }, - "type": { - "type": "string" - } + "redpanda": { + "type": "object", + "properties": { + "adminApi": { + "type": "object" } + } + } + } + }, + "secretMounts": { + "type": "array" + }, + "securityContext": { + "type": "object", + "properties": { + "runAsNonRoot": { + "type": "boolean" + } + } + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "create": { - "type": "boolean" - }, - "name": { - "type": "string" - } + "port": { + "type": "integer" + }, + "targetPort": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "null" } + ] + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" }, - "tolerations": { - "type": "array" + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "tolerations": { + "type": "array" + }, + "initContainers": { + "type": "object", + "properties": { + "extraInitContainers": { + "type": "string" } + } } + } } diff --git a/charts/console/values.yaml b/charts/console/values.yaml index 6986a066b4..fc53893ecd 100644 
--- a/charts/console/values.yaml +++ b/charts/console/values.yaml @@ -163,6 +163,18 @@ extraVolumeMounts: [] # -- Add additional containers, such as for oauth2-proxy. extraContainers: [] +# -- Any initContainers defined should be written here +initContainers: + # -- Additional set of init containers + extraInitContainers: |- +# - name: "test-init-container" +# image: "mintel/docker-alpine-bash-curl-jq:latest" +# command: [ "/bin/bash", "-c" ] +# args: +# - | +# set -xe +# echo "Hello World!" + # -- SecretMounts is an abstraction to make a Secret available in the container's filesystem. # Under the hood it creates a volume and a volume mount for the Redpanda Console container. secretMounts: [] From 67dca9d99d7384be4636f9d7d0e406df62c8bbc3 Mon Sep 17 00:00:00 2001 From: alejandroEsc Date: Thu, 24 Aug 2023 15:05:38 -0400 Subject: [PATCH 2/7] chore: bump chart version --- charts/console/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/console/Chart.yaml b/charts/console/Chart.yaml index ae6d8fd404..305f1f3de9 100644 --- a/charts/console/Chart.yaml +++ b/charts/console/Chart.yaml @@ -27,7 +27,7 @@ type: application # Versions are expected to follow Semantic Versioning (https://semver.org/) # Chart versions do not track appVersion -version: 0.6.9 +version: 0.7.0 # The app version is the version of the Chart application appVersion: v2.2.5 From d4d9a4d57b3756607c012fcff1620aac7ebcb3ef Mon Sep 17 00:00:00 2001 From: joejulian Date: Mon, 28 Aug 2023 01:25:49 +0000 Subject: [PATCH 3/7] update redpanda appVersion from v23.2.6 to v23.2.7 --- charts/redpanda/Chart.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/redpanda/Chart.yaml b/charts/redpanda/Chart.yaml index 32e125ac44..4eedb74b27 100644 --- a/charts/redpanda/Chart.yaml +++ b/charts/redpanda/Chart.yaml 
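Review bot: The example under `extraInitContainers: |-` references `mintel/docker-alpine-bash-curl-jq:latest`, a mutable tag in a third-party Docker Hub namespace; sample values get copied into real deployments, so the example should pin a fixed tag or `@sha256:` digest and say that the image is not maintained by this project. The example also lives inside the block scalar rather than as a comment above the key, which makes the default value a non-empty string of comment lines instead of an empty string; moving it above the key as `# extraInitContainers: |-` lines and defaulting to `extraInitContainers: ""` keeps the rendered Deployment free of an `initContainers:` key when nothing is configured. The `# -- ` doc comment could also state that the content is rendered through `tpl` so users know `{{` must be escaped.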
@@ -23,11 +23,11 @@ type: application # The chart version and the app version are not the same and will not track # together. The chart version is a semver representation of changes to this # chart. -version: 5.1.6 +version: 5.1.7 # The app version is the default version of Redpanda to install. # ** NOTE for maintainers: please ensure the artifacthub image annotation is updated before merging -appVersion: v23.2.6 +appVersion: v23.2.7 # kubeVersion must be suffixed with "-0" to be able to match cloud providers # kubernetes versions like "v1.23.8-gke.1900". Their suffix is interpreted as a @@ -56,7 +56,7 @@ annotations: url: https://helm.sh/docs/intro/install/ artifacthub.io/images: | - name: redpanda - image: docker.redpanda.com/redpandadata/redpanda:v23.2.6 + image: docker.redpanda.com/redpandadata/redpanda:v23.2.7 - name: busybox image: busybox:latest - name: mintel/docker-alpine-bash-curl-jq From 7672966c3c13a764a9463607748ca4eea8d814a2 Mon Sep 17 00:00:00 2001 From: Nicolas Truyens Date: Mon, 28 Aug 2023 15:33:23 +0200 Subject: [PATCH 4/7] Support custom domains when using connectors and console. Replace hard-coded "cluster.local" by clusterDomain value --- charts/redpanda/Chart.yaml | 2 +- .../redpanda/templates/console/configmap-and-deployment.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/redpanda/Chart.yaml b/charts/redpanda/Chart.yaml index 4eedb74b27..c0b4fab08a 100644 --- a/charts/redpanda/Chart.yaml +++ b/charts/redpanda/Chart.yaml @@ -23,7 +23,7 @@ type: application # The chart version and the app version are not the same and will not track # together. The chart version is a semver representation of changes to this # chart. -version: 5.1.7 +version: 5.1.8 # The app version is the default version of Redpanda to install. # ** NOTE for maintainers: please ensure the artifacthub image annotation is updated before merging 
diff --git a/charts/redpanda/templates/console/configmap-and-deployment.yaml b/charts/redpanda/templates/console/configmap-and-deployment.yaml index 265b22be6e..e2d9486dcb 100644 --- a/charts/redpanda/templates/console/configmap-and-deployment.yaml +++ b/charts/redpanda/templates/console/configmap-and-deployment.yaml @@ -61,7 +61,7 @@ limitations under the License. "enabled" $values.connectors.enabled "clusters" (list (dict - "url" (printf "http://%s.%s.svc.cluster.local:%s" (include "connectors.serviceName" $connectorsValues) .Release.Namespace ($values.connectors.connectors.restPort | toString )) + "url" (printf "http://%s.%s.svc.%s:%s" (include "connectors.serviceName" $connectorsValues) .Release.Namespace ($values.clusterDomain | trimSuffix ".") ($values.connectors.connectors.restPort | toString )) "name" "connectors" "tls" (dict "enabled" "false" @@ -248,4 +248,4 @@ limitations under the License. {{ $helmVars := merge $consoleValues $helmVars }} --- {{ include (print .Subcharts.console.Template.BasePath "/deployment.yaml") $helmVars }} -{{ end }} \ No newline at end of file +{{ end }} From 9c554e37801aaa9e6d00346ba792c37a8ff18f5b Mon Sep 17 00:00:00 2001 From: alejandroesc Date: Mon, 28 Aug 2023 21:24:33 -0400 Subject: [PATCH 5/7] chore: calculate sha256 without rolling --- charts/redpanda/Chart.yaml | 2 +- charts/redpanda/templates/_configmap.tpl | 463 +++++++++++++++++++++ charts/redpanda/templates/configmap.yaml | 427 +------------------ charts/redpanda/templates/statefulset.yaml | 2 +- 4 files changed, 466 insertions(+), 428 deletions(-) create mode 100644 charts/redpanda/templates/_configmap.tpl diff --git a/charts/redpanda/Chart.yaml b/charts/redpanda/Chart.yaml index c0b4fab08a..c098f55655 100644 --- a/charts/redpanda/Chart.yaml +++ b/charts/redpanda/Chart.yaml 
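Review bot: The new connectors URL has no fallback when `clusterDomain` is unset or empty: `($values.clusterDomain | trimSuffix ".")` yields `""` and the rendered address becomes `http://<svc>.<ns>.svc.:<port>`, which fails DNS resolution with an error far from its cause. Unless the chart schema makes `clusterDomain` required and non-empty (not visible in this hunk), use `($values.clusterDomain | default "cluster.local" | trimSuffix ".")` so the prior behaviour is preserved for values files that never set it. Separately, and visible just below the changed line, the console's connectors entry is plain `http://` with `"tls" (dict "enabled" "false"` where `"false"` is a string rather than a boolean; that predates this commit but is worth a follow-up if the console config expects a bool.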
@@ -23,7 +23,7 @@ type: application # The chart version and the app version are not the same and will not track # together. The chart version is a semver representation of changes to this # chart. -version: 5.1.8 +version: 5.2.0 # The app version is the default version of Redpanda to install. # ** NOTE for maintainers: please ensure the artifacthub image annotation is updated before merging diff --git a/charts/redpanda/templates/_configmap.tpl b/charts/redpanda/templates/_configmap.tpl new file mode 100644 index 0000000000..237203ba14 --- /dev/null +++ b/charts/redpanda/templates/_configmap.tpl 
@@ -0,0 +1,463 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "configmap-content-no-seed" -}} +{{- /* + configmap content without seed list. +*/ -}} +{{- $root := . }} +{{- $values := .Values }} + +{{- /* + It's impossible to do a rolling upgrade from not-tls-enabled rpc to tls-enabled rpc. +*/ -}} +{{- $check := list + (include "redpanda-atleast-23-1-2" .|fromJson).bool + (include "redpanda-22-3-atleast-22-3-13" .|fromJson).bool + (include "redpanda-22-2-atleast-22-2-10" .|fromJson).bool +-}} +{{- $wantedRPCTLS := (include "rpc-tls-enabled" . | fromJson).bool -}} +{{- if and (not (mustHas true $check)) $wantedRPCTLS -}} + {{- fail (printf "Redpanda version v%s does not support TLS on the RPC port. Please upgrade. See technical service bulletin 2023-01." (include "redpanda.semver" .)) -}} +{{- end -}} +{{- $cm := lookup "v1" "ConfigMap" .Release.Namespace (include "redpanda.fullname" .) -}} +{{- $redpandaYAML := dig "data" "redpanda.yaml" "" $cm | fromYaml -}} +{{- $currentRPCTLS := dig "redpanda" "rpc_server_tls" "enabled" false $redpandaYAML -}} +{{- /* Lookup will return an empty map when running `helm template` or when `--dry-run` is passed. 
*/ -}} +{{- if (and .Release.IsUpgrade $cm) -}} + {{- if ne $currentRPCTLS $wantedRPCTLS -}} + {{- if eq (get .Values "force" | default false) false -}} + {{- fail (join "\n" (list + (printf "\n\nError: Cannot do a rolling restart to enable or disable tls at the RPC layer: changing listeners.rpc.tls.enabled (redpanda.yaml:repdanda.rpc_server_tls.enabled) from %v to %v" $currentRPCTLS $wantedRPCTLS) + "***WARNING The following instructions will result in a short period of downtime." + "To accept this risk, run the upgrade again adding `--force=true` and do the following:\n" + "While helm is upgrading the release, manually delete ALL the pods:" + (printf " kubectl -n %s delete pod -l app.kubernetes.io/component=redpanda-statefulset" .Release.Namespace) + "\nIf you got here thinking rpc tls was already enabled, see technical service bulletin 2023-01." + )) + -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- $users := list -}} +{{- if (include "sasl-enabled" . | fromJson).bool -}} + {{- range $user := .Values.auth.sasl.users -}} + {{- $users = append $users $user.name -}} + {{- end -}} +{{- end -}} + + bootstrap.yaml: | + kafka_enable_authorization: {{ (include "sasl-enabled" . | fromJson).bool }} + enable_sasl: {{ (include "sasl-enabled" . | fromJson).bool }} + enable_rack_awareness: {{ .Values.rackAwareness.enabled }} + {{- if $users }} + superusers: {{ toJson $users }} + {{- end }} + {{- with (dig "cluster" dict .Values.config) }} + {{- range $key, $element := .}} + {{- if or (eq (typeOf $element) "bool") $element }} + {{ $key }}: {{ $element | toYaml }} + {{- end }} + {{- end }} + {{- end }} + {{- include "tunable" . }} + {{- if and (not (hasKey .Values.config.cluster "storage_min_free_bytes")) ((include "redpanda-atleast-22-2-0" . | fromJson).bool) }} + storage_min_free_bytes: {{ include "storage-min-free-bytes" . }} + {{- end }} +{{- if and (include "is-licensed" . 
| fromJson).bool .Values.storage.tieredConfig.cloud_storage_enabled }} + {{- $tieredStorageConfig := deepCopy .Values.storage.tieredConfig }} + {{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_cache_directory" }} + {{- if not (include "redpanda-atleast-22-3-0" . | fromJson).bool }} + {{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_credentials_source"}} + {{- end }} + {{- range $key, $element := $tieredStorageConfig}} + {{- if or (eq (typeOf $element) "bool") $element }} + {{ $key }}: {{ $element | toYaml }} + {{- end }} + {{- end }} +{{- end }} + redpanda.yaml: | + config_file: /etc/redpanda/redpanda.yaml +{{- if .Values.logging.usageStats.enabled }} + {{- with (dig "usageStats" "organization" "" .Values.logging) }} + organization: {{ . }} + {{- end }} + {{- with (dig "usageStats" "clusterId" "" .Values.logging) }} + cluster_id: {{ . }} + {{- end }} +{{- end }} + redpanda: +{{- if (include "redpanda-atleast-22-3-0" . | fromJson).bool }} + empty_seed_starts_cluster: false +{{- end }} + kafka_enable_authorization: {{ (include "sasl-enabled" . | fromJson).bool }} + enable_sasl: {{ (include "sasl-enabled" . | fromJson).bool }} + {{- if $users }} + superusers: {{ toJson $users }} + {{- end }} + {{- with (dig "cluster" dict .Values.config) }} + {{- range $key, $element := . }} + {{- if or (eq (typeOf $element) "bool") $element }} + {{ $key }}: {{ $element | toYaml }} + {{- end }} + {{- end }} + {{- end }} + {{- with (dig "tunable" dict .Values.config) }} + {{- range $key, $element := .}} + {{- if or (eq (typeOf $element) "bool") $element }} + {{ $key }}: {{ $element | toYaml }} + {{- end }} + {{- end }} + {{- end }} + {{- if not (hasKey .Values.config.cluster "storage_min_free_bytes") }} + storage_min_free_bytes: {{ include "storage-min-free-bytes" . 
}} + {{- end }} + {{- with dig "node" dict .Values.config }} + {{- range $key, $element := .}} + {{- if or (eq (typeOf $element) "bool") $element }} + {{ $key }}: {{ $element | toYaml }} + {{- end }} + {{- end }} + {{- end }} +{{- /* LISTENERS */}} +{{- /* Admin API */}} +{{- $service := .Values.listeners.admin }} + admin: + - name: internal + address: 0.0.0.0 + port: {{ $service.port }} +{{- range $name, $listener := $service.external }} +{{- if and $listener.port $name }} + - name: {{ $name }} + address: 0.0.0.0 + port: {{ $listener.port }} +{{- end }} +{{- end }} + admin_api_tls: +{{- if (include "admin-internal-tls-enabled" . | fromJson).bool }} + - name: internal + enabled: true + cert_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.crt + key_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.key + require_client_auth: {{ $service.tls.requireClientAuth }} + {{- $cert := get .Values.tls.certs $service.tls.cert }} + {{- if empty $cert }} + {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- end }} + {{- if $cert.caEnabled }} + truststore_file: /etc/tls/certs/{{ $service.tls.cert }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + truststore_file: /etc/ssl/certs/ca-certificates.crt + {{- end }} +{{- end }} +{{- range $name, $listener := $service.external }} + {{- $k := dict "Values" $values "listener" $listener }} + {{- if (include "admin-external-tls-enabled" $k | fromJson).bool }} + {{- $mtls := dig "tls" "requireClientAuth" false $listener }} + {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} + {{- $certName := include "admin-external-tls-cert" $k }} + {{- $certPath := printf "/etc/tls/certs/%s" $certName }} + {{- $cert := get $values.tls.certs $certName }} + {{- if empty $cert }} + {{- fail (printf "Certificate, '%s', used but not defined" $certName)}} + {{- end }} + - name: {{ $name }} + enabled: true + cert_file: {{ $certPath }}/tls.crt + key_file: {{ $certPath 
}}/tls.key + require_client_auth: {{ $mtls }} + {{- if $cert.caEnabled }} + truststore_file: {{ $certPath }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + truststore_file: /etc/ssl/certs/ca-certificates.crt + {{- end }} + {{- end }} +{{- end }} +{{- /* Kafka API */}} +{{- $kafkaService := .Values.listeners.kafka }} + kafka_api: + - name: internal + address: 0.0.0.0 + port: {{ $kafkaService.port }} + {{- if or (include "sasl-enabled" $root | fromJson).bool $kafkaService.authenticationMethod }} + authentication_method: {{ default "sasl" $kafkaService.authenticationMethod }} + {{- end }} +{{- range $name, $listener := $kafkaService.external }} + - name: {{ $name }} + address: 0.0.0.0 + port: {{ $listener.port }} + {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} + authentication_method: {{ default "sasl" $listener.authenticationMethod }} + {{- end }} +{{- end }} + kafka_api_tls: +{{- if (include "kafka-internal-tls-enabled" . 
| fromJson).bool }} + - name: internal + enabled: true + cert_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.crt + key_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.key + require_client_auth: {{ $kafkaService.tls.requireClientAuth }} + {{- $cert := get .Values.tls.certs $kafkaService.tls.cert }} + {{- if empty $cert }} + {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- end }} + {{- if $cert.caEnabled }} + truststore_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + truststore_file: /etc/ssl/certs/ca-certificates.crt + {{- end }} +{{- end }} +{{- range $name, $listener := $kafkaService.external }} + {{- $k := dict "Values" $values "listener" $listener }} + {{- if (include "kafka-external-tls-enabled" $k | fromJson).bool }} + {{- $mtls := dig "tls" "requireClientAuth" false $listener }} + {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} + {{- $certName := include "kafka-external-tls-cert" $k }} + {{- $certPath := printf "/etc/tls/certs/%s" $certName }} + {{- $cert := get $values.tls.certs $certName }} + {{- if empty $cert }} + {{- fail (printf "Certificate, '%s', used but not defined" $certName)}} + {{- end }} + - name: {{ $name }} + enabled: true + cert_file: {{ $certPath }}/tls.crt + key_file: {{ $certPath }}/tls.key + require_client_auth: {{ $mtls }} + {{- if $cert.caEnabled }} + truststore_file: {{ $certPath }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + truststore_file: /etc/ssl/certs/ca-certificates.crt + {{- end }} + {{- end }} +{{- end }} +{{- /* RPC Server */}} +{{- $service = .Values.listeners.rpc }} + rpc_server: + address: 0.0.0.0 + port: {{ $service.port }} +{{- if (include "rpc-tls-enabled" . 
| fromJson).bool }} + rpc_server_tls: + enabled: true + cert_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.crt + key_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.key + require_client_auth: {{ $service.tls.requireClientAuth }} + {{- $cert := get .Values.tls.certs $service.tls.cert }} + {{- if empty $cert }} + {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- end }} + {{- if $cert.caEnabled }} + truststore_file: /etc/tls/certs/{{ $service.tls.cert }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + truststore_file: /etc/ssl/certs/ca-certificates.crt + {{- end }} +{{- end }} + seed_servers: +{{- with $root.tempConfigMapServerList -}} + {{- . | trim | nindent 8 }} +{{- end -}} +{{- if and (include "is-licensed" . | fromJson).bool .Values.storage.tieredConfig.cloud_storage_enabled }} + {{- $tieredStorageConfig := deepCopy .Values.storage.tieredConfig }} + {{- if not (include "redpanda-atleast-22-3-0" . 
| fromJson).bool }} + {{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_credentials_source"}} + {{- end }} + {{- range $key, $element := $tieredStorageConfig}} + {{- if or (eq (typeOf $element) "bool") $element }} + {{ $key }}: {{ $element | toYaml }} + {{- end }} + {{- end }} +{{- end }} +{{- /* Schema Registry API */}} +{{- if and .Values.listeners.schemaRegistry.enabled (include "redpanda-22-2-x-without-sasl" $root | fromJson).bool }} + {{- $schemaRegistryService := .Values.listeners.schemaRegistry }} + schema_registry: + schema_registry_api: + - name: internal + address: 0.0.0.0 + port: {{ $schemaRegistryService.port }} + {{- if or (include "sasl-enabled" $root | fromJson).bool $schemaRegistryService.authenticationMethod }} + authentication_method: {{ default "http_basic" $schemaRegistryService.authenticationMethod }} + {{- end }} + {{- range $name, $listener := $schemaRegistryService.external }} + - name: {{ $name }} + address: 0.0.0.0 + {{- /* + when upgrading from an older version that had a missing port, fail if we cannot guess a default + this should work in all cases as the older versions would have failed with multiple listeners anyway + */}} + {{- if and (empty $listener.port) (ne (len $schemaRegistryService.external) 1) }} + {{- fail "missing required port for schemaRegistry listener $listener.name" }} + {{- end }} + port: {{ $listener.port | default 8084 }} + {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} + authentication_method: {{ default "http_basic" $listener.authenticationMethod }} + {{- end }} + {{- end }} + schema_registry_api_tls: + {{- if (include "schemaRegistry-internal-tls-enabled" . 
| fromJson).bool }} + - name: internal + enabled: true + cert_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/tls.crt + key_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/tls.key + require_client_auth: {{ $schemaRegistryService.tls.requireClientAuth }} + {{- $cert := get .Values.tls.certs $schemaRegistryService.tls.cert }} + {{- if empty $cert }} + {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- end }} + {{- if $cert.caEnabled }} + truststore_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + truststore_file: /etc/ssl/certs/ca-certificates.crt + {{- end }} + {{- end }} + {{- range $name, $listener := $schemaRegistryService.external }} + {{- $k := dict "Values" $values "listener" $listener }} + {{- if (include "schemaRegistry-external-tls-enabled" $k | fromJson).bool }} + {{- $mtls := dig "tls" "requireClientAuth" false $listener }} + {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} + {{- $certName := include "schemaRegistry-external-tls-cert" $k }} + {{- $certPath := printf "/etc/tls/certs/%s" $certName }} + {{- $cert := get $values.tls.certs $certName }} + {{- if empty $cert }} + {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- end }} + - name: {{ $name }} + enabled: true + cert_file: {{ $certPath }}/tls.crt + key_file: {{ $certPath }}/tls.key + require_client_auth: {{ $mtls }} + {{- if $cert.caEnabled }} + truststore_file: {{ $certPath }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + truststore_file: /etc/ssl/certs/ca-certificates.crt + {{- end }} + {{- end }} + {{- end }} +{{- end }} +{{- /* HTTP Proxy */}} +{{- if and .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" $root | fromJson).bool }} + {{- $HTTPService := .Values.listeners.http }} + pandaproxy: + pandaproxy_api: + - name: 
internal + address: 0.0.0.0 + port: {{ $HTTPService.port }} + {{- if or (include "sasl-enabled" $root | fromJson).bool $HTTPService.authenticationMethod }} + authentication_method: {{ default "http_basic" $HTTPService.authenticationMethod }} + {{- end }} + {{- range $name, $listener := $HTTPService.external }} + - name: {{ $name }} + address: 0.0.0.0 + port: {{ $listener.port }} + {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} + authentication_method: {{ default "http_basic" $listener.authenticationMethod }} + {{- end }} + {{- end }} + pandaproxy_api_tls: + {{- if (include "http-internal-tls-enabled" . | fromJson).bool }} + - name: internal + enabled: true + cert_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/tls.crt + key_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/tls.key + require_client_auth: {{ $HTTPService.tls.requireClientAuth }} + {{- $cert := get .Values.tls.certs $HTTPService.tls.cert }} + {{- if empty $cert }} + {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- end }} + {{- if $cert.caEnabled }} + truststore_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + truststore_file: /etc/ssl/certs/ca-certificates.crt + {{- end }} + {{- end }} + {{- range $name, $listener := $HTTPService.external }} + {{- $k := dict "Values" $values "listener" $listener }} + {{- if (include "http-external-tls-enabled" $k | fromJson).bool }} + {{- $mtls := dig "tls" "requireClientAuth" false $listener }} + {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} + {{- $certName := include "http-external-tls-cert" $k }} + {{- $certPath := printf "/etc/tls/certs/%s" $certName }} + {{- $cert := get $values.tls.certs $certName }} + {{- if empty $cert }} + {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- end }} + - name: {{ $name }} + enabled: true + cert_file: {{ $certPath }}/tls.crt + 
key_file: {{ $certPath }}/tls.key + require_client_auth: {{ $mtls }} + {{- if $cert.caEnabled }} + truststore_file: {{ $certPath }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + truststore_file: /etc/ssl/certs/ca-certificates.crt + {{- end }} + {{- end }} + {{- end }} +{{- end }} +{{- /* END LISTENERS */}} + + rpk: +{{- with (dig "rpk" dict .Values.config) }} + {{- . | toYaml | nindent 6}} +{{- end }} + enable_usage_stats: {{ .Values.logging.usageStats.enabled }} + overprovisioned: {{ dig "cpu" "overprovisioned" false .Values.resources }} + enable_memory_locking: {{ dig "memory" "enable_memory_locking" false .Values.resources }} +{{- if hasKey .Values.tuning "tune_aio_events" }} + tune_aio_events: {{ .Values.tuning.tune_aio_events }} +{{- end }} +{{- if hasKey .Values.tuning "tune_clocksource" }} + tune_clocksource: {{ .Values.tuning.tune_clocksource }} +{{- end }} +{{- if hasKey .Values.tuning "tune_ballast_file" }} + tune_ballast_file: {{ .Values.tuning.tune_ballast_file }} +{{- end }} +{{- if hasKey .Values.tuning "ballast_file_path" }} + ballast_file_path: {{ .Values.tuning.ballast_file_path }} +{{- end }} +{{- if hasKey .Values.tuning "ballast_file_size" }} + ballast_file_size: {{ .Values.tuning.ballast_file_size }} +{{- end }} +{{- if hasKey .Values.tuning "well_known_io" }} + well_known_io: {{ .Values.tuning.well_known_io }} +{{- end }} +{{- end -}} + +{{- define "configmap-server-list" -}} +{{- $root := . }} +{{- range (include "seed-server-list" $root | mustFromJson) }} +- host: + address: {{ . }} + port: {{ $root.Values.listeners.rpc.port }} +{{- end }} +{{- end -}} + +{{- define "configmap-with-server-list" -}} +{{- $root := . }} +{{- $serverList := (include "configmap-server-list" $root ) -}} +{{- $r := set $root "tempConfigMapServerList" ( $serverList ) }} +{{ include "configmap-content-no-seed" $r }} +{{- end -}} \ No newline at end of file 
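Review bot: Several `fail` calls in the internal-listener TLS blocks (admin, kafka, rpc, schema registry, http) and in the schemaRegistry/http external loops call `printf "Certificate, '%s', used but not defined"` with no argument for `%s`, so the operator sees `Certificate, '%!s(MISSING)', used but not defined` and cannot tell which `tls.cert` reference is wrong; pass the name as the admin/kafka external branches already do, e.g. `{{- fail (printf "Certificate, '%s', used but not defined" $service.tls.cert) }}` and `$certName` in the external loops. A second point that deserves a guard: whenever a cert has `caEnabled: false`, every branch falls back to `truststore_file: /etc/ssl/certs/ca-certificates.crt`, and if that listener also has `require_client_auth: true` then — assuming Redpanda validates client certificates against `truststore_file`, as the field name suggests — any certificate chaining to a public CA would satisfy mTLS; consider `{{- if and $mtls (not $cert.caEnabled) }}{{- fail "requireClientAuth requires a cert with caEnabled: true" }}{{- end }}` or at least a comment at each fallback naming this consequence. The RPC TLS rolling-restart error still spells the key as `repdanda.rpc_server_tls.enabled`. Finally, `configmap-with-server-list` calls `set $root "tempConfigMapServerList"`, and since `$root := .` this appears to mutate the shared root context in place for anything rendered later in the same pass; a one-line comment stating that this is intentional (or using `deepCopy .` before `set`) would avoid surprises for the statefulset checksum that this commit introduces.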
diff --git a/charts/redpanda/templates/configmap.yaml b/charts/redpanda/templates/configmap.yaml index 6e92b99f20..e87531719a 100644 --- a/charts/redpanda/templates/configmap.yaml +++ b/charts/redpanda/templates/configmap.yaml 
@@ -14,47 +14,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} -{{- $root := . }} -{{- $values := .Values }} - -{{- /* - It's impossible to do a rolling upgrade from not-tls-enabled rpc to tls-enabled rpc. -*/ -}} -{{- $check := list - (include "redpanda-atleast-23-1-2" .|fromJson).bool - (include "redpanda-22-3-atleast-22-3-13" .|fromJson).bool - (include "redpanda-22-2-atleast-22-2-10" .|fromJson).bool --}} -{{- $wantedRPCTLS := (include "rpc-tls-enabled" . | fromJson).bool -}} -{{- if and (not (mustHas true $check)) $wantedRPCTLS -}} - {{- fail (printf "Redpanda version v%s does not support TLS on the RPC port. Please upgrade. See technical service bulletin 2023-01." (include "redpanda.semver" .)) -}} -{{- end -}} -{{- $cm := lookup "v1" "ConfigMap" .Release.Namespace (include "redpanda.fullname" .) -}} -{{- $redpandaYAML := dig "data" "redpanda.yaml" "" $cm | fromYaml -}} -{{- $currentRPCTLS := dig "redpanda" "rpc_server_tls" "enabled" false $redpandaYAML -}} -{{- /* Lookup will return an empty map when running `helm template` or when `--dry-run` is passed. */ -}} -{{- if (and .Release.IsUpgrade $cm) -}} - {{- if ne $currentRPCTLS $wantedRPCTLS -}} - {{- if eq (get .Values "force" | default false) false -}} - {{- fail (join "\n" (list - (printf "\n\nError: Cannot do a rolling restart to enable or disable tls at the RPC layer: changing listeners.rpc.tls.enabled (redpanda.yaml:repdanda.rpc_server_tls.enabled) from %v to %v" $currentRPCTLS $wantedRPCTLS) - "***WARNING The following instructions will result in a short period of downtime." 
- "To accept this risk, run the upgrade again adding `--force=true` and do the following:\n" - "While helm is upgrading the release, manually delete ALL the pods:" - (printf " kubectl -n %s delete pod -l app.kubernetes.io/component=redpanda-statefulset" .Release.Namespace) - "\nIf you got here thinking rpc tls was already enabled, see technical service bulletin 2023-01." - )) - -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- $users := list -}} -{{- if (include "sasl-enabled" . | fromJson).bool -}} - {{- range $user := .Values.auth.sasl.users -}} - {{- $users = append $users $user.name -}} - {{- end -}} -{{- end -}} --- apiVersion: v1 kind: ConfigMap 
@@ -66,388 +25,4 @@ metadata: {{- . | nindent 4 }} {{- end }} data: - bootstrap.yaml: | - kafka_enable_authorization: {{ (include "sasl-enabled" . | fromJson).bool }} - enable_sasl: {{ (include "sasl-enabled" . | fromJson).bool }} - enable_rack_awareness: {{ .Values.rackAwareness.enabled }} - {{- if $users }} - superusers: {{ toJson $users }} - {{- end }} - {{- with (dig "cluster" dict .Values.config) }} - {{- range $key, $element := .}} - {{- if or (eq (typeOf $element) "bool") $element }} - {{ $key }}: {{ $element | toYaml }} - {{- end }} - {{- end }} - {{- end }} - {{- include "tunable" . }} - {{- if and (not (hasKey .Values.config.cluster "storage_min_free_bytes")) ((include "redpanda-atleast-22-2-0" . | fromJson).bool) }} - storage_min_free_bytes: {{ include "storage-min-free-bytes" . }} - {{- end }} -{{- if and (include "is-licensed" . | fromJson).bool .Values.storage.tieredConfig.cloud_storage_enabled }} - {{- $tieredStorageConfig := deepCopy .Values.storage.tieredConfig }} - {{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_cache_directory" }} - {{- if not (include "redpanda-atleast-22-3-0" . | fromJson).bool }} - {{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_credentials_source"}} - {{- end }} - {{- range $key, $element := $tieredStorageConfig}} - {{- if or (eq (typeOf $element) "bool") $element }} - {{ $key }}: {{ $element | toYaml }} - {{- end }} - {{- end }} -{{- end }} - redpanda.yaml: | - config_file: /etc/redpanda/redpanda.yaml -{{- if .Values.logging.usageStats.enabled }} - {{- with (dig "usageStats" "organization" "" .Values.logging) }} - organization: {{ . }} - {{- end }} - {{- with (dig "usageStats" "clusterId" "" .Values.logging) }} - cluster_id: {{ . }} - {{- end }} -{{- end }} - redpanda: -{{- if (include "redpanda-atleast-22-3-0" . | fromJson).bool }} - empty_seed_starts_cluster: false -{{- end }} - kafka_enable_authorization: {{ (include "sasl-enabled" . 
| fromJson).bool }} - enable_sasl: {{ (include "sasl-enabled" . | fromJson).bool }} - {{- if $users }} - superusers: {{ toJson $users }} - {{- end }} - {{- with (dig "cluster" dict .Values.config) }} - {{- range $key, $element := . }} - {{- if or (eq (typeOf $element) "bool") $element }} - {{ $key }}: {{ $element | toYaml }} - {{- end }} - {{- end }} - {{- end }} - {{- with (dig "tunable" dict .Values.config) }} - {{- range $key, $element := .}} - {{- if or (eq (typeOf $element) "bool") $element }} - {{ $key }}: {{ $element | toYaml }} - {{- end }} - {{- end }} - {{- end }} - {{- if not (hasKey .Values.config.cluster "storage_min_free_bytes") }} - storage_min_free_bytes: {{ include "storage-min-free-bytes" . }} - {{- end }} - {{- with dig "node" dict .Values.config }} - {{- range $key, $element := .}} - {{- if or (eq (typeOf $element) "bool") $element }} - {{ $key }}: {{ $element | toYaml }} - {{- end }} - {{- end }} - {{- end }} -{{- /* LISTENERS */}} -{{- /* Admin API */}} -{{- $service := .Values.listeners.admin }} - admin: - - name: internal - address: 0.0.0.0 - port: {{ $service.port }} -{{- range $name, $listener := $service.external }} -{{- if and $listener.port $name }} - - name: {{ $name }} - address: 0.0.0.0 - port: {{ $listener.port }} -{{- end }} -{{- end }} - admin_api_tls: -{{- if (include "admin-internal-tls-enabled" . 
| fromJson).bool }} - - name: internal - enabled: true - cert_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.crt - key_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.key - require_client_auth: {{ $service.tls.requireClientAuth }} - {{- $cert := get .Values.tls.certs $service.tls.cert }} - {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} - {{- end }} - {{- if $cert.caEnabled }} - truststore_file: /etc/tls/certs/{{ $service.tls.cert }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} -{{- end }} -{{- range $name, $listener := $service.external }} - {{- $k := dict "Values" $values "listener" $listener }} - {{- if (include "admin-external-tls-enabled" $k | fromJson).bool }} - {{- $mtls := dig "tls" "requireClientAuth" false $listener }} - {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} - {{- $certName := include "admin-external-tls-cert" $k }} - {{- $certPath := printf "/etc/tls/certs/%s" $certName }} - {{- $cert := get $values.tls.certs $certName }} - {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined" $certName)}} - {{- end }} - - name: {{ $name }} - enabled: true - cert_file: {{ $certPath }}/tls.crt - key_file: {{ $certPath }}/tls.key - require_client_auth: {{ $mtls }} - {{- if $cert.caEnabled }} - truststore_file: {{ $certPath }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- end }} -{{- end }} -{{- /* Kafka API */}} -{{- $kafkaService := .Values.listeners.kafka }} - kafka_api: - - name: internal - address: 0.0.0.0 - port: {{ $kafkaService.port }} - {{- if or (include "sasl-enabled" $root | fromJson).bool $kafkaService.authenticationMethod }} - authentication_method: {{ default "sasl" $kafkaService.authenticationMethod 
}} - {{- end }} -{{- range $name, $listener := $kafkaService.external }} - - name: {{ $name }} - address: 0.0.0.0 - port: {{ $listener.port }} - {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} - authentication_method: {{ default "sasl" $listener.authenticationMethod }} - {{- end }} -{{- end }} - kafka_api_tls: -{{- if (include "kafka-internal-tls-enabled" . | fromJson).bool }} - - name: internal - enabled: true - cert_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.crt - key_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.key - require_client_auth: {{ $kafkaService.tls.requireClientAuth }} - {{- $cert := get .Values.tls.certs $kafkaService.tls.cert }} - {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} - {{- end }} - {{- if $cert.caEnabled }} - truststore_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} -{{- end }} -{{- range $name, $listener := $kafkaService.external }} - {{- $k := dict "Values" $values "listener" $listener }} - {{- if (include "kafka-external-tls-enabled" $k | fromJson).bool }} - {{- $mtls := dig "tls" "requireClientAuth" false $listener }} - {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} - {{- $certName := include "kafka-external-tls-cert" $k }} - {{- $certPath := printf "/etc/tls/certs/%s" $certName }} - {{- $cert := get $values.tls.certs $certName }} - {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined" $certName)}} - {{- end }} - - name: {{ $name }} - enabled: true - cert_file: {{ $certPath }}/tls.crt - key_file: {{ $certPath }}/tls.key - require_client_auth: {{ $mtls }} - {{- if $cert.caEnabled }} - truststore_file: {{ $certPath }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian 
container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- end }} -{{- end }} -{{- /* RPC Server */}} -{{- $service = .Values.listeners.rpc }} - rpc_server: - address: 0.0.0.0 - port: {{ $service.port }} -{{- if (include "rpc-tls-enabled" . | fromJson).bool }} - rpc_server_tls: - enabled: true - cert_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.crt - key_file: /etc/tls/certs/{{ $service.tls.cert }}/tls.key - require_client_auth: {{ $service.tls.requireClientAuth }} - {{- $cert := get .Values.tls.certs $service.tls.cert }} - {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} - {{- end }} - {{- if $cert.caEnabled }} - truststore_file: /etc/tls/certs/{{ $service.tls.cert }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} -{{- end }} - seed_servers: -{{- range (include "seed-server-list" . | mustFromJson) }} - - host: - address: {{ . }} - port: {{ $values.listeners.rpc.port }} -{{- end }} -{{- if and (include "is-licensed" . | fromJson).bool .Values.storage.tieredConfig.cloud_storage_enabled }} - {{- $tieredStorageConfig := deepCopy .Values.storage.tieredConfig }} - {{- if not (include "redpanda-atleast-22-3-0" . 
| fromJson).bool }} - {{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_credentials_source"}} - {{- end }} - {{- range $key, $element := $tieredStorageConfig}} - {{- if or (eq (typeOf $element) "bool") $element }} - {{ $key }}: {{ $element | toYaml }} - {{- end }} - {{- end }} -{{- end }} -{{- /* Schema Registry API */}} -{{- if and .Values.listeners.schemaRegistry.enabled (include "redpanda-22-2-x-without-sasl" $root | fromJson).bool }} - {{- $schemaRegistryService := .Values.listeners.schemaRegistry }} - schema_registry: - schema_registry_api: - - name: internal - address: 0.0.0.0 - port: {{ $schemaRegistryService.port }} - {{- if or (include "sasl-enabled" $root | fromJson).bool $schemaRegistryService.authenticationMethod }} - authentication_method: {{ default "http_basic" $schemaRegistryService.authenticationMethod }} - {{- end }} - {{- range $name, $listener := $schemaRegistryService.external }} - - name: {{ $name }} - address: 0.0.0.0 - {{- /* - when upgrading from an older version that had a missing port, fail if we cannot guess a default - this should work in all cases as the older versions would have failed with multiple listeners anyway - */}} - {{- if and (empty $listener.port) (ne (len $schemaRegistryService.external) 1) }} - {{- fail "missing required port for schemaRegistry listener $listener.name" }} - {{- end }} - port: {{ $listener.port | default 8084 }} - {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} - authentication_method: {{ default "http_basic" $listener.authenticationMethod }} - {{- end }} - {{- end }} - schema_registry_api_tls: - {{- if (include "schemaRegistry-internal-tls-enabled" . 
| fromJson).bool }} - - name: internal - enabled: true - cert_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/tls.crt - key_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/tls.key - require_client_auth: {{ $schemaRegistryService.tls.requireClientAuth }} - {{- $cert := get .Values.tls.certs $schemaRegistryService.tls.cert }} - {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} - {{- end }} - {{- if $cert.caEnabled }} - truststore_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- end }} - {{- range $name, $listener := $schemaRegistryService.external }} - {{- $k := dict "Values" $values "listener" $listener }} - {{- if (include "schemaRegistry-external-tls-enabled" $k | fromJson).bool }} - {{- $mtls := dig "tls" "requireClientAuth" false $listener }} - {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} - {{- $certName := include "schemaRegistry-external-tls-cert" $k }} - {{- $certPath := printf "/etc/tls/certs/%s" $certName }} - {{- $cert := get $values.tls.certs $certName }} - {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} - {{- end }} - - name: {{ $name }} - enabled: true - cert_file: {{ $certPath }}/tls.crt - key_file: {{ $certPath }}/tls.key - require_client_auth: {{ $mtls }} - {{- if $cert.caEnabled }} - truststore_file: {{ $certPath }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- end }} - {{- end }} -{{- end }} -{{- /* HTTP Proxy */}} -{{- if and .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" $root | fromJson).bool }} - {{- $HTTPService := .Values.listeners.http }} - pandaproxy: - pandaproxy_api: - - name: 
internal - address: 0.0.0.0 - port: {{ $HTTPService.port }} - {{- if or (include "sasl-enabled" $root | fromJson).bool $HTTPService.authenticationMethod }} - authentication_method: {{ default "http_basic" $HTTPService.authenticationMethod }} - {{- end }} - {{- range $name, $listener := $HTTPService.external }} - - name: {{ $name }} - address: 0.0.0.0 - port: {{ $listener.port }} - {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} - authentication_method: {{ default "http_basic" $listener.authenticationMethod }} - {{- end }} - {{- end }} - pandaproxy_api_tls: - {{- if (include "http-internal-tls-enabled" . | fromJson).bool }} - - name: internal - enabled: true - cert_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/tls.crt - key_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/tls.key - require_client_auth: {{ $HTTPService.tls.requireClientAuth }} - {{- $cert := get .Values.tls.certs $HTTPService.tls.cert }} - {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} - {{- end }} - {{- if $cert.caEnabled }} - truststore_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- end }} - {{- range $name, $listener := $HTTPService.external }} - {{- $k := dict "Values" $values "listener" $listener }} - {{- if (include "http-external-tls-enabled" $k | fromJson).bool }} - {{- $mtls := dig "tls" "requireClientAuth" false $listener }} - {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} - {{- $certName := include "http-external-tls-cert" $k }} - {{- $certPath := printf "/etc/tls/certs/%s" $certName }} - {{- $cert := get $values.tls.certs $certName }} - {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} - {{- end }} - - name: {{ $name }} - enabled: true - cert_file: {{ $certPath }}/tls.crt - 
key_file: {{ $certPath }}/tls.key - require_client_auth: {{ $mtls }} - {{- if $cert.caEnabled }} - truststore_file: {{ $certPath }}/ca.crt - {{- else }} - {{- /* This is a required field so we use the default in the redpanda debian container */}} - truststore_file: /etc/ssl/certs/ca-certificates.crt - {{- end }} - {{- end }} - {{- end }} -{{- end }} -{{- /* END LISTENERS */}} - - rpk: -{{- with (dig "rpk" dict .Values.config) }} - {{- . | toYaml | nindent 6}} -{{- end }} - enable_usage_stats: {{ .Values.logging.usageStats.enabled }} - overprovisioned: {{ dig "cpu" "overprovisioned" false .Values.resources }} - enable_memory_locking: {{ dig "memory" "enable_memory_locking" false .Values.resources }} -{{- if hasKey .Values.tuning "tune_aio_events" }} - tune_aio_events: {{ .Values.tuning.tune_aio_events }} -{{- end }} -{{- if hasKey .Values.tuning "tune_clocksource" }} - tune_clocksource: {{ .Values.tuning.tune_clocksource }} -{{- end }} -{{- if hasKey .Values.tuning "tune_ballast_file" }} - tune_ballast_file: {{ .Values.tuning.tune_ballast_file }} -{{- end }} -{{- if hasKey .Values.tuning "ballast_file_path" }} - ballast_file_path: {{ .Values.tuning.ballast_file_path }} -{{- end }} -{{- if hasKey .Values.tuning "ballast_file_size" }} - ballast_file_size: {{ .Values.tuning.ballast_file_size }} -{{- end }} -{{- if hasKey .Values.tuning "well_known_io" }} - well_known_io: {{ .Values.tuning.well_known_io }} -{{- end }} + {{ include "configmap-with-server-list" . | trim }} diff --git a/charts/redpanda/templates/statefulset.yaml b/charts/redpanda/templates/statefulset.yaml index 0c08bb5fa1..8918658fb3 100644 --- a/charts/redpanda/templates/statefulset.yaml +++ b/charts/redpanda/templates/statefulset.yaml 
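Review bot: The new `{{ include "configmap-with-server-list" . | trim }}` line routes through `configmap-with-server-list`, which (as shown earlier in this patch) does `set $root "tempConfigMapServerList"` on the root context itself rather than on a copy, so the key remains on `.` for every template rendered after this one. If `configmap-content-no-seed` branches on that key, the `checksum/config` annotation in the statefulset.yaml hunk of this same patch — which includes the same helper — becomes dependent on template render order, and a later rename of the key would silently change the hash. Scoping the seed list to this include by building a fresh top-level map, e.g. `{{- $r := merge (dict "tempConfigMapServerList" $serverList) $root }}`, avoids the shared mutation. The hunk that defines the helper begins before this chunk, so its full context is not visible here.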
@@ -57,7 +57,7 @@ spec: labels: {{ (include "statefulset-pod-labels" .) | nindent 8 }} redpanda.com/poddisruptionbudget: {{ template "redpanda.name" . }} annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/config: {{ include "configmap-content-no-seed" . | sha256sum }} {{- with $.Values.statefulset.annotations }} {{- toYaml . | nindent 8 }} {{- end }} From 373151f38c035c874e8d6d594d2936501fd2ca0f Mon Sep 17 00:00:00 2001 From: Joe Julian Date: Tue, 29 Aug 2023 11:21:20 -0700 Subject: [PATCH 6/7] feat(redpanda): add the ability to add annotations to the internal service --- charts/redpanda/Chart.yaml | 2 +- charts/redpanda/templates/service.internal.yaml | 3 +++ charts/redpanda/values.schema.json | 8 ++++++++ charts/redpanda/values.yaml | 9 +++++++++ 4 files changed, 21 insertions(+), 1 deletion(-) diff --git a/charts/redpanda/Chart.yaml b/charts/redpanda/Chart.yaml index c0b4fab08a..c098f55655 100644 --- a/charts/redpanda/Chart.yaml +++ b/charts/redpanda/Chart.yaml @@ -23,7 +23,7 @@ type: application # The chart version and the app version are not the same and will not track # together. The chart version is a semver representation of changes to this # chart. -version: 5.1.8 +version: 5.2.0 # The app version is the default version of Redpanda to install. # ** NOTE for maintainers: please ensure the artifacthub image annotation is updated before merging diff --git a/charts/redpanda/templates/service.internal.yaml b/charts/redpanda/templates/service.internal.yaml index 0f1cb94e1a..1dcd041a81 100644 --- a/charts/redpanda/templates/service.internal.yaml +++ b/charts/redpanda/templates/service.internal.yaml @@ -28,6 +28,9 @@ metadata: {{- with include "full.labels" . }} {{- . | nindent 4 }} {{- end }} +{{- with dig "service" "internal" "annotations" dict .Values.AsMap }} + annotations: {{ toYaml . | nindent 4 }} +{{- end }} spec: type: ClusterIP publishNotReadyAddresses: true 
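Review bot: `checksum/config` now hashes only what `configmap-content-no-seed` emits instead of the whole rendered configmap.yaml, so any ConfigMap data that helper leaves out (the seed server list, judging by its name, plus anything else it omits) will no longer trigger a pod rollout when it changes. If excluding the seed list from the rollout trigger is intentional, that decision should be recorded next to the annotation, e.g. `{{- /* hashed without the seed server list so that seed changes alone do not force a rollout */}}`; otherwise the annotation should hash the full ConfigMap content as before. The enclosing pod template spec continues outside this hunk.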
diff --git a/charts/redpanda/values.schema.json b/charts/redpanda/values.schema.json index a3bb2e3e88..14f43484b8 100644 --- a/charts/redpanda/values.schema.json +++ b/charts/redpanda/values.schema.json @@ -55,6 +55,14 @@ "properties": { "name": { "type": "string" + }, + "internal": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + } + } } } }, diff --git a/charts/redpanda/values.yaml b/charts/redpanda/values.yaml index 19cd9ebdf1..93e78328b4 100644 --- a/charts/redpanda/values.yaml +++ b/charts/redpanda/values.yaml @@ -60,6 +60,15 @@ image: # service: # -- set service.name to override the default service name # name: redpanda +# -- internal Service +# internal: +# -- add annotations to the internal Service +# annotations: {} +# +# -- eg. for a bare metal install using external-dns +# annotations: +# "external-dns.alpha.kubernetes.io/hostname": redpanda.domain.dom +# "external-dns.alpha.kubernetes.io/endpoints-type": HostIP # -- Pull secrets may be used to provide credentials to image repositories # See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ From 9944cf8c2da36f761790b02d9aeaa11d92ae411a Mon Sep 17 00:00:00 2001 From: alejandroEsc Date: Wed, 30 Aug 2023 14:34:26 -0400 Subject: [PATCH 7/7] chore: bump version --- charts/redpanda/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/redpanda/Chart.yaml b/charts/redpanda/Chart.yaml index c098f55655..f8089506f3 100644 --- a/charts/redpanda/Chart.yaml +++ b/charts/redpanda/Chart.yaml @@ -23,7 +23,7 @@ type: application # The chart version and the app version are not the same and will not track # together. The chart version is a semver representation of changes to this # chart. -version: 5.2.0 +version: 5.3.0 # The app version is the default version of Redpanda to install. # ** NOTE for maintainers: please ensure the artifacthub image annotation is updated before merging
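Review bot: `service.internal.annotations` is typed only as `object`, yet `service.internal.yaml` passes it straight through `toYaml`, and Kubernetes rejects annotation values that are not strings, so a bare `true` or `8080` in values would render unquoted and only fail at apply time. Constraining the value type in the schema surfaces the mistake at lint/install instead: `"annotations": { "type": "object", "additionalProperties": { "type": "string" } }`.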