Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-02-27 15:37:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/wildfly] feat: 🔒 Add resource preset support (#23531)

Browse Source 
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-02-15 15:59:19 +01:00
committed by GitHub
parent c163985d52
commit 16facca73a
6 changed files with 125 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
bitnami/wildfly/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.14.1
digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3
generated: "2024-01-17T20:02:04.375177785Z"
version: 2.15.3
digest: sha256:d80293db4b59902571fcfcbeabb6b81aebb1c05e8a6d25510053e7c329d73002
generated: "2024-02-14T16:16:53.924456594+01:00"

2
bitnami/wildfly/Chart.yaml
View File

@@ -33,4 +33,4 @@ maintainers:
name: wildfly
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/wildfly
version: 18.1.0
version: 18.2.0

170
bitnami/wildfly/README.md
View File

@@ -107,70 +107,70 @@ The command removes all the Kubernetes components associated with the chart and
### WildFly deployment parameters
| Name | Description | Value |
| --------------------------------------------------- | ----------------------------------------------------------------------------------------- | ---------------- |
| `replicaCount` | Number of Wildfly replicas to deploy | `1` |
| `updateStrategy.type` | WildFly deployment strategy type | `RollingUpdate` |
| `automountServiceAccountToken` | Mount Service Account token in pod | `true` |
| `hostAliases` | WildFly pod host aliases | `[]` |
| `extraVolumes` | Optionally specify extra list of additional volumes for WildFly pods | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for WildFly container(s) | `[]` |
| `serviceAccountName` | Name of existing ServiceAccount to be connected | `""` |
| `sidecars` | Add additional sidecar containers to the WildFly pod | `[]` |
| `initContainers` | Add additional init containers to the WildFly pods | `[]` |
| `podLabels` | Extra labels for WildFly pods | `{}` |
| `podAnnotations` | Annotations for WildFly pods | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
| `affinity` | Affinity for pod assignment | `{}` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `{}` |
| `priorityClassName` | Pod priorityClassName | `""` |
| `schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `resources.limits` | The resources limits for the WildFly container | `{}` |
| `resources.requests` | The requested resources for the WildFly container | `{}` |
| `containerPorts.http` | WildFly HTTP container port | `8080` |
| `containerPorts.mgmt` | WildFly HTTPS container port | `9990` |
| `extraContainerPorts` | Array with extra container ports to add to the WildFly container | `[]` |
| `podSecurityContext.enabled` | Enabled WildFly pods' Security Context | `true` |
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | Set WildFly pod's Security Context fsGroup | `1001` |
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `startupProbe.enabled` | Enable startupProbe | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| Name | Description | Value |
| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
| `replicaCount` | Number of Wildfly replicas to deploy | `1` |
| `updateStrategy.type` | WildFly deployment strategy type | `RollingUpdate` |
| `automountServiceAccountToken` | Mount Service Account token in pod | `true` |
| `hostAliases` | WildFly pod host aliases | `[]` |
| `extraVolumes` | Optionally specify extra list of additional volumes for WildFly pods | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for WildFly container(s) | `[]` |
| `serviceAccountName` | Name of existing ServiceAccount to be connected | `""` |
| `sidecars` | Add additional sidecar containers to the WildFly pod | `[]` |
| `initContainers` | Add additional init containers to the WildFly pods | `[]` |
| `podLabels` | Extra labels for WildFly pods | `{}` |
| `podAnnotations` | Annotations for WildFly pods | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
| `affinity` | Affinity for pod assignment | `{}` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `{}` |
| `priorityClassName` | Pod priorityClassName | `""` |
| `schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` |
| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `containerPorts.http` | WildFly HTTP container port | `8080` |
| `containerPorts.mgmt` | WildFly HTTPS container port | `9990` |
| `extraContainerPorts` | Array with extra container ports to add to the WildFly container | `[]` |
| `podSecurityContext.enabled` | Enabled WildFly pods' Security Context | `true` |
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | Set WildFly pod's Security Context fsGroup | `1001` |
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `startupProbe.enabled` | Enable startupProbe | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
### Traffic Exposure Parameters
@@ -222,24 +222,24 @@ The command removes all the Kubernetes components associated with the chart and
### Persistence Parameters
| Name | Description | Value |
| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------------------- |
| `persistence.enabled` | Enable persistence using Persistent Volume Claims | `true` |
| `persistence.storageClass` | Persistent Volume storage class | `""` |
| `persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` |
| `persistence.accessModes` | Persistent Volume access modes | `[]` |
| `persistence.size` | Persistent Volume size | `8Gi` |
| `persistence.annotations` | Persistent Volume Claim annotations | `{}` |
| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` |
| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` |
| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `volumePermissions.securityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
| Name | Description | Value |
| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `persistence.enabled` | Enable persistence using Persistent Volume Claims | `true` |
| `persistence.storageClass` | Persistent Volume storage class | `""` |
| `persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` |
| `persistence.accessModes` | Persistent Volume access modes | `[]` |
| `persistence.size` | Persistent Volume size | `8Gi` |
| `persistence.annotations` | Persistent Volume Claim annotations | `{}` |
| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `volumePermissions.securityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
The above parameters map to the env variables defined in [bitnami/wildfly](https://github.com/bitnami/containers/tree/main/bitnami/wildfly). For more information please refer to the [bitnami/wildfly](https://github.com/bitnami/containers/tree/main/bitnami/wildfly) image documentation.
@@ -268,6 +268,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/wildf
## Configuration and installation details
### Resource requests and limits
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.

1
bitnami/wildfly/templates/NOTES.txt
View File

@@ -79,3 +79,4 @@ APP VERSION: {{ .Chart.AppVersion }}
{{- $requiredWildflyPasswordError := include "common.validations.values.single.empty" $requiredWildflyPassword -}}
{{- $passwordValidationErrors = append $passwordValidationErrors $requiredWildflyPasswordError -}}
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $) -}}
{{- include "common.warnings.resources" (dict "sections" (list "" "volumePermissions") "context" $) }}

4
bitnami/wildfly/templates/deployment.yaml
View File

@@ -72,6 +72,8 @@ spec:
{{- end }}
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: data
@@ -159,6 +161,8 @@ spec:
{{- end }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: data

52
bitnami/wildfly/values.yaml
View File

@@ -18,7 +18,6 @@ global:
##
imagePullSecrets: []
storageClass: ""
## @section Common parameters
## @param kubeVersion Override Kubernetes version
@@ -56,7 +55,6 @@ diagnosticMode:
##
args:
- infinity
## @section WildFly Image parameters
## Bitnami WildFly image
@@ -90,7 +88,6 @@ image:
## Enable debug mode
##
debug: false
## @section WildFly Configuration parameters
## WildFly settings based on environment variables
## ref: https://github.com/bitnami/containers/tree/main/bitnami/wildfly#configuration
@@ -127,7 +124,6 @@ extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of existing Secret containing extra env vars
##
extraEnvVarsSecret: ""
## @section WildFly deployment parameters
## @param replicaCount Number of Wildfly replicas to deploy
@@ -243,14 +239,21 @@ schedulerName: ""
topologySpreadConstraints: []
## WildFly containers' resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param resources.limits [object] The resources limits for the WildFly container
## @param resources.requests [object] The requested resources for the WildFly container
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resources:
limits: {}
requests:
memory: 512Mi
cpu: 300m
resourcesPreset: "none"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## Container ports
## @param containerPorts.http WildFly HTTP container port
## @param containerPorts.mgmt WildFly HTTPS container port
@@ -258,7 +261,6 @@ resources:
containerPorts:
http: 8080
mgmt: 9990
## @param extraContainerPorts [array] Array with extra container ports to add to the WildFly container
## e.g:
## extraContainerPorts:
@@ -266,7 +268,6 @@ containerPorts:
## value: 8888
##
extraContainerPorts: []
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enabled WildFly pods' Security Context
@@ -369,7 +370,6 @@ customLivenessProbe: {}
## @param customReadinessProbe [object] Custom readinessProbe that overrides the default one
##
customReadinessProbe: {}
## @section Traffic Exposure Parameters
## WildFly service parameters
@@ -430,7 +430,6 @@ service:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
## Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
@@ -486,7 +485,6 @@ networkPolicy:
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## Configure the ingress resource that allows you to access the WildFly installation
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
@@ -595,7 +593,6 @@ ingress:
## name: http
##
extraRules: []
## Management Console Ingress parameters
##
mgmtIngress:
@@ -677,8 +674,6 @@ mgmtIngress:
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
##
ingressClassName: ""
## @section Persistence Parameters
## Persistence Parameters
@@ -740,12 +735,21 @@ volumePermissions:
pullSecrets: []
## Init container's resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param volumePermissions.resources.limits [object] The resources limits for the init container
## @param volumePermissions.resources.requests [object] The requested resources for the init container
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resources:
limits: {}
requests: {}
resourcesPreset: "none"
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## Init container Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param volumePermissions.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container