mirror of
https://github.com/bitnami/charts.git
synced 2026-03-05 14:57:31 +08:00
[bitnami/supabase] feat!: 🔒 💥 Improve security defaults (#24721)
* [bitnami/supabase] feat!: 🔒 💥 Improve security defaults Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * chore: 🔧 👷 Bump cluster size Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * configure verification as serial Signed-off-by: Alejandro Moreno <amorenoc@vmware.com> * reduce test cluster size Signed-off-by: Alejandro Moreno <amorenoc@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * fix: 🐛 Add missing part-of labels Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 Add missing part-of in the rest of netpols Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> --------- Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> Signed-off-by: Alejandro Moreno <amorenoc@vmware.com> Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com> Co-authored-by: Alejandro Moreno <amorenoc@vmware.com> Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
committed by
GitHub
GitHub
parent
a755ec9c3a
commit
2a3c151225
2
.vib/supabase/vib-action.config
Normal file
2
.vib/supabase/vib-action.config
Normal file
@@ -0,0 +1,2 @@
|
||||
verification-mode=SERIAL
|
||||
|
||||
@@ -1,12 +1,12 @@
|
||||
dependencies:
|
||||
- name: postgresql
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 13.4.6
|
||||
version: 15.2.2
|
||||
- name: kong
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 10.4.2
|
||||
version: 12.0.2
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.18.0
|
||||
digest: sha256:747b3c54d49dfaf7a5f9081b54738ff9ed8341ebcdd359d14a3ace239bf1a9ab
|
||||
generated: "2024-03-05T15:47:53.964731081+01:00"
|
||||
version: 2.19.1
|
||||
digest: sha256:272888d054b6ad496c1a9440f05b69480f8fc82153b24d6884dc95bb6d95e96d
|
||||
generated: "2024-04-05T18:14:38.274154431+02:00"
|
||||
|
||||
@@ -31,11 +31,11 @@ dependencies:
|
||||
- condition: postgresql.enabled
|
||||
name: postgresql
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 13.x.x
|
||||
version: 15.x.x
|
||||
- condition: kong.enabled
|
||||
name: kong
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 10.x.x
|
||||
version: 12.x.x
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
tags:
|
||||
@@ -53,4 +53,4 @@ maintainers:
|
||||
name: supabase
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/supabase
|
||||
version: 2.11.0
|
||||
version: 3.0.0
|
||||
|
||||
@@ -201,7 +201,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `global.jwt.existingSecretKey` | The key in the existing secret containing the JWT secret | `secret` |
|
||||
| `global.jwt.existingSecretAnonKey` | The key in the existing secret containing the JWT anon key | `anon-key` |
|
||||
| `global.jwt.existingSecretServiceKey` | The key in the existing secret containing the JWT service key | `service-key` |
|
||||
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
|
||||
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
|
||||
|
||||
### Common parameters
|
||||
|
||||
@@ -239,17 +239,46 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `jwt.autoGenerate.kubectlImage.pullSecrets` | Kubectl image pull secrets | `[]` |
|
||||
| `jwt.autoGenerate.backoffLimit` | set backoff limit of the job | `10` |
|
||||
| `jwt.autoGenerate.extraVolumes` | Optionally specify extra list of additional volumes for the jwt init job | `[]` |
|
||||
| `jwt.autoGenerate.livenessProbe.enabled` | Enable livenessProbe on Supabase auth containers | `true` |
|
||||
| `jwt.autoGenerate.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
|
||||
| `jwt.autoGenerate.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
|
||||
| `jwt.autoGenerate.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
|
||||
| `jwt.autoGenerate.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
|
||||
| `jwt.autoGenerate.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
|
||||
| `jwt.autoGenerate.readinessProbe.enabled` | Enable readinessProbe on Supabase auth containers | `true` |
|
||||
| `jwt.autoGenerate.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
|
||||
| `jwt.autoGenerate.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
|
||||
| `jwt.autoGenerate.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
|
||||
| `jwt.autoGenerate.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
|
||||
| `jwt.autoGenerate.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
|
||||
| `jwt.autoGenerate.startupProbe.enabled` | Enable startupProbe on Supabase auth containers | `false` |
|
||||
| `jwt.autoGenerate.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
|
||||
| `jwt.autoGenerate.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
|
||||
| `jwt.autoGenerate.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
|
||||
| `jwt.autoGenerate.startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
|
||||
| `jwt.autoGenerate.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
|
||||
| `jwt.autoGenerate.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `jwt.autoGenerate.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `jwt.autoGenerate.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `jwt.autoGenerate.networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
|
||||
| `jwt.autoGenerate.networkPolicy.allowExternal` | The Policy model to apply | `true` |
|
||||
| `jwt.autoGenerate.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
|
||||
| `jwt.autoGenerate.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
|
||||
| `jwt.autoGenerate.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
|
||||
| `jwt.autoGenerate.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
|
||||
| `jwt.autoGenerate.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `jwt.autoGenerate.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `jwt.autoGenerate.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
|
||||
| `jwt.autoGenerate.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
|
||||
| `jwt.autoGenerate.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` |
|
||||
| `jwt.autoGenerate.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
|
||||
| `jwt.autoGenerate.containerSecurityContext.enabled` | Enabled jwt init job containers' Security Context | `true` |
|
||||
| `jwt.autoGenerate.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `jwt.autoGenerate.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `jwt.autoGenerate.containerSecurityContext.runAsUser` | Set jwt init job containers' Security Context runAsUser | `1001` |
|
||||
| `jwt.autoGenerate.containerSecurityContext.runAsGroup` | Set jwt init job containers' Security Context runAsUser | `0` |
|
||||
| `jwt.autoGenerate.containerSecurityContext.runAsGroup` | Set jwt init job containers' Security Context runAsUser | `1001` |
|
||||
| `jwt.autoGenerate.containerSecurityContext.runAsNonRoot` | Set jwt init job container's Security Context runAsNonRoot | `true` |
|
||||
| `jwt.autoGenerate.containerSecurityContext.privileged` | Set jwt init job container's Security Context privileged | `false` |
|
||||
| `jwt.autoGenerate.containerSecurityContext.readOnlyRootFilesystem` | Set jwt init job container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `jwt.autoGenerate.containerSecurityContext.readOnlyRootFilesystem` | Set jwt init job container's Security Context readOnlyRootFilesystem | `true` |
|
||||
| `jwt.autoGenerate.containerSecurityContext.allowPrivilegeEscalation` | Set jwt init job container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `jwt.autoGenerate.containerSecurityContext.capabilities.drop` | List of jwt init job capabilities to be dropped | `["ALL"]` |
|
||||
| `jwt.autoGenerate.containerSecurityContext.seccompProfile.type` | Set jwt init job container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
@@ -262,7 +291,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `jwt.autoGenerate.extraEnvVarsCM` | ConfigMap containing extra env vars to configure the jwt init job | `""` |
|
||||
| `jwt.autoGenerate.extraEnvVarsSecret` | Secret containing extra env vars to configure the jwt init job (in case of sensitive data) | `""` |
|
||||
| `jwt.autoGenerate.extraVolumeMounts` | Array of extra volume mounts to be added to the jwt Container (evaluated as template). Normally used with `extraVolumes`. | `[]` |
|
||||
| `jwt.autoGenerate.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if jwt.autoGenerate.resources is set (jwt.autoGenerate.resources is recommended for production). | `none` |
|
||||
| `jwt.autoGenerate.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if jwt.autoGenerate.resources is set (jwt.autoGenerate.resources is recommended for production). | `nano` |
|
||||
| `jwt.autoGenerate.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `jwt.autoGenerate.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
|
||||
| `jwt.autoGenerate.hostAliases` | Add deployment host aliases | `[]` |
|
||||
@@ -309,7 +338,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `auth.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `auth.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `auth.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `auth.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if auth.resources is set (auth.resources is recommended for production). | `none` |
|
||||
| `auth.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if auth.resources is set (auth.resources is recommended for production). | `micro` |
|
||||
| `auth.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `auth.podSecurityContext.enabled` | Enabled Supabase auth pods' Security Context | `true` |
|
||||
| `auth.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
@@ -317,12 +346,12 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `auth.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `auth.podSecurityContext.fsGroup` | Set Supabase auth pod's Security Context fsGroup | `1001` |
|
||||
| `auth.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `auth.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `auth.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `auth.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `auth.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `auth.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
|
||||
| `auth.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `auth.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `auth.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `auth.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
|
||||
| `auth.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `auth.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `auth.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
@@ -414,7 +443,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `meta.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `meta.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `meta.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `meta.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if meta.resources is set (meta.resources is recommended for production). | `none` |
|
||||
| `meta.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if meta.resources is set (meta.resources is recommended for production). | `micro` |
|
||||
| `meta.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `meta.podSecurityContext.enabled` | Enabled Supabase Postgres Meta pods' Security Context | `true` |
|
||||
| `meta.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
@@ -422,12 +451,12 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `meta.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `meta.podSecurityContext.fsGroup` | Set Supabase Postgres Meta pod's Security Context fsGroup | `1001` |
|
||||
| `meta.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `meta.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `meta.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `meta.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `meta.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `meta.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
|
||||
| `meta.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `meta.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `meta.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `meta.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
|
||||
| `meta.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `meta.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `meta.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
@@ -502,7 +531,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `realtime.image.pullSecrets` | Realtime image pull secrets | `[]` |
|
||||
| `realtime.containerPorts.http` | Supabase realtime HTTP container port | `9999` |
|
||||
| `realtime.livenessProbe.enabled` | Enable livenessProbe on Supabase realtime containers | `true` |
|
||||
| `realtime.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
|
||||
| `realtime.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
|
||||
| `realtime.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
|
||||
| `realtime.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
|
||||
| `realtime.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
|
||||
@@ -522,7 +551,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `realtime.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `realtime.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `realtime.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `realtime.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if realtime.resources is set (realtime.resources is recommended for production). | `none` |
|
||||
| `realtime.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if realtime.resources is set (realtime.resources is recommended for production). | `medium` |
|
||||
| `realtime.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `realtime.podSecurityContext.enabled` | Enabled Supabase realtime pods' Security Context | `true` |
|
||||
| `realtime.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
@@ -530,12 +559,12 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `realtime.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `realtime.podSecurityContext.fsGroup` | Set Supabase realtime pod's Security Context fsGroup | `1001` |
|
||||
| `realtime.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `realtime.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `realtime.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `realtime.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `realtime.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `realtime.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
|
||||
| `realtime.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `realtime.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `realtime.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `realtime.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
|
||||
| `realtime.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `realtime.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `realtime.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
@@ -627,7 +656,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `rest.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `rest.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `rest.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `rest.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if rest.resources is set (rest.resources is recommended for production). | `none` |
|
||||
| `rest.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if rest.resources is set (rest.resources is recommended for production). | `micro` |
|
||||
| `rest.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `rest.podSecurityContext.enabled` | Enabled Supabase rest pods' Security Context | `true` |
|
||||
| `rest.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
@@ -635,12 +664,12 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `rest.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `rest.podSecurityContext.fsGroup` | Set Supabase rest pod's Security Context fsGroup | `1001` |
|
||||
| `rest.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `rest.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `rest.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `rest.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `rest.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `rest.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
|
||||
| `rest.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `rest.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `rest.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `rest.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
|
||||
| `rest.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `rest.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `rest.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
@@ -712,7 +741,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `storage.image.pullSecrets` | Storage image pull secrets | `[]` |
|
||||
| `storage.containerPorts.http` | Supabase storage HTTP container port | `5000` |
|
||||
| `storage.livenessProbe.enabled` | Enable livenessProbe on Supabase storage containers | `true` |
|
||||
| `storage.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
|
||||
| `storage.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
|
||||
| `storage.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
|
||||
| `storage.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
|
||||
| `storage.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
|
||||
@@ -732,7 +761,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `storage.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `storage.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `storage.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `storage.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if storage.resources is set (storage.resources is recommended for production). | `none` |
|
||||
| `storage.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if storage.resources is set (storage.resources is recommended for production). | `medium` |
|
||||
| `storage.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `storage.podSecurityContext.enabled` | Enabled Supabase storage pods' Security Context | `true` |
|
||||
| `storage.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
@@ -740,12 +769,12 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `storage.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `storage.podSecurityContext.fsGroup` | Set Supabase storage pod's Security Context fsGroup | `1001` |
|
||||
| `storage.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `storage.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `storage.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `storage.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `storage.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `storage.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
|
||||
| `storage.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `storage.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `storage.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `storage.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
|
||||
| `storage.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `storage.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `storage.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
@@ -853,7 +882,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `studio.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `studio.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `studio.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `studio.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if studio.resources is set (studio.resources is recommended for production). | `none` |
|
||||
| `studio.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if studio.resources is set (studio.resources is recommended for production). | `micro` |
|
||||
| `studio.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `studio.podSecurityContext.enabled` | Enabled Supabase studio pods' Security Context | `true` |
|
||||
| `studio.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
@@ -861,12 +890,12 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `studio.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `studio.podSecurityContext.fsGroup` | Set Supabase studio pod's Security Context fsGroup | `1001` |
|
||||
| `studio.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `studio.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `studio.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `studio.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `studio.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
|
||||
| `studio.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
|
||||
| `studio.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `studio.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `studio.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `studio.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
|
||||
| `studio.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `studio.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `studio.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
@@ -943,9 +972,9 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
|
||||
| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
|
||||
| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
|
||||
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
|
||||
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `micro` |
|
||||
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
|
||||
| `psqlImage.registry` | PostgreSQL client image registry | `REGISTRY_NAME` |
|
||||
| `psqlImage.repository` | PostgreSQL client image repository | `REPOSITORY_NAME/supabase-postgres` |
|
||||
@@ -966,49 +995,53 @@ If you encounter errors when working with persistent volumes, refer to our [trou
|
||||
|
||||
### Kong sub-chart parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| -------------------------------- | ------------------------------------------------------------------------------ | ---------------- |
|
||||
| `kong.enabled` | Enable Kong | `true` |
|
||||
| `kong.database` | Database to use | `off` |
|
||||
| `kong.initContainers` | Add additional init containers to the Kong pods | `""` |
|
||||
| `kong.ingressController.enabled` | Enable Kong Ingress Controller | `false` |
|
||||
| `kong.kong.extraVolumeMounts` | Additional volumeMounts to the Kong container | `[]` |
|
||||
| `kong.kong.extraEnvVars` | Additional environment variables to set | `[]` |
|
||||
| `kong.extraVolumes` | Additional volumes to the Kong pods | `[]` |
|
||||
| `kong.ingress.enabled` | Enable Ingress rule | `false` |
|
||||
| `kong.ingress.hostname` | Kong Ingress hostname | `supabase.local` |
|
||||
| `kong.ingress.tls` | Enable TLS for Kong Ingress | `false` |
|
||||
| `kong.service.loadBalancerIP` | Kubernetes service LoadBalancer IP | `""` |
|
||||
| `kong.service.type` | Kubernetes service type | `LoadBalancer` |
|
||||
| `kong.service.ports.proxyHttp` | Kong service port | `80` |
|
||||
| `kong.postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart inside the Kong subchart | `false` |
|
||||
| Name | Description | Value |
|
||||
| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
|
||||
| `kong.enabled` | Enable Kong | `true` |
|
||||
| `kong.database` | Database to use | `off` |
|
||||
| `kong.initContainers` | Add additional init containers to the Kong pods | `""` |
|
||||
| `kong.ingressController.enabled` | Enable Kong Ingress Controller | `false` |
|
||||
| `kong.kong.extraVolumeMounts` | Additional volumeMounts to the Kong container | `[]` |
|
||||
| `kong.kong.extraEnvVars` | Additional environment variables to set | `[]` |
|
||||
| `kong.kong.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if kong.resources is set (kong.resources is recommended for production). | `medium` |
|
||||
| `kong.kong.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `kong.extraVolumes` | Additional volumes to the Kong pods | `[]` |
|
||||
| `kong.ingress.enabled` | Enable Ingress rule | `false` |
|
||||
| `kong.ingress.hostname` | Kong Ingress hostname | `supabase.local` |
|
||||
| `kong.ingress.tls` | Enable TLS for Kong Ingress | `false` |
|
||||
| `kong.service.loadBalancerIP` | Kubernetes service LoadBalancer IP | `""` |
|
||||
| `kong.service.type` | Kubernetes service type | `LoadBalancer` |
|
||||
| `kong.service.ports.proxyHttp` | Kong service port | `80` |
|
||||
| `kong.postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart inside the Kong subchart | `false` |
|
||||
|
||||
### PostgreSQL sub-chart parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` |
|
||||
| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
|
||||
| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
|
||||
| `postgresql.service.ports.postgresql` | PostgreSQL service port | `5432` |
|
||||
| `postgresql.image.registry` | PostgreSQL image registry | `REGISTRY_NAME` |
|
||||
| `postgresql.image.repository` | PostgreSQL image repository | `REPOSITORY_NAME/supabase-postgres` |
|
||||
| `postgresql.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `postgresql.image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` |
|
||||
| `postgresql.image.pullSecrets` | Specify image pull secrets | `[]` |
|
||||
| `postgresql.image.debug` | Specify if debug values should be set | `false` |
|
||||
| `postgresql.postgresqlSharedPreloadLibraries` | Set the shared_preload_libraries parameter in postgresql.conf | `pg_stat_statements, pg_stat_monitor, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain` |
|
||||
| `postgresql.auth.postgresPassword` | PostgreSQL admin password | `""` |
|
||||
| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
|
||||
| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
|
||||
| `postgresql.service.ports.postgresql` | PostgreSQL service port | `5432` |
|
||||
| `externalDatabase.host` | Database host | `""` |
|
||||
| `externalDatabase.port` | Database port number | `5432` |
|
||||
| `externalDatabase.user` | Non-root username for PostgreSQL | `supabase_admin` |
|
||||
| `externalDatabase.password` | Password for the non-root username for PostgreSQL | `""` |
|
||||
| `externalDatabase.database` | PostgreSQL database name | `postgres` |
|
||||
| `externalDatabase.existingSecret` | Name of an existing secret resource containing the database credentials | `""` |
|
||||
| `externalDatabase.existingSecretPasswordKey` | Name of an existing secret key containing the database credentials | `""` |
|
||||
| Name | Description | Value |
|
||||
| --------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` |
|
||||
| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
|
||||
| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
|
||||
| `postgresql.service.ports.postgresql` | PostgreSQL service port | `5432` |
|
||||
| `postgresql.image.registry` | PostgreSQL image registry | `REGISTRY_NAME` |
|
||||
| `postgresql.image.repository` | PostgreSQL image repository | `REPOSITORY_NAME/supabase-postgres` |
|
||||
| `postgresql.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `postgresql.image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` |
|
||||
| `postgresql.image.pullSecrets` | Specify image pull secrets | `[]` |
|
||||
| `postgresql.image.debug` | Specify if debug values should be set | `false` |
|
||||
| `postgresql.postgresqlSharedPreloadLibraries` | Set the shared_preload_libraries parameter in postgresql.conf | `pg_stat_statements, pg_stat_monitor, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain` |
|
||||
| `postgresql.auth.postgresPassword` | PostgreSQL admin password | `""` |
|
||||
| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
|
||||
| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
|
||||
| `postgresql.service.ports.postgresql` | PostgreSQL service port | `5432` |
|
||||
| `postgresql.primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `nano` |
|
||||
| `postgresql.primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `externalDatabase.host` | Database host | `""` |
|
||||
| `externalDatabase.port` | Database port number | `5432` |
|
||||
| `externalDatabase.user` | Non-root username for PostgreSQL | `supabase_admin` |
|
||||
| `externalDatabase.password` | Password for the non-root username for PostgreSQL | `""` |
|
||||
| `externalDatabase.database` | PostgreSQL database name | `postgres` |
|
||||
| `externalDatabase.existingSecret` | Name of an existing secret resource containing the database credentials | `""` |
|
||||
| `externalDatabase.existingSecretPasswordKey` | Name of an existing secret key containing the database credentials | `""` |
|
||||
|
||||
The above parameters map to the env variables defined in [bitnami/supabase-studio](https://github.com/bitnami/containers/tree/main/bitnami/supabase-studio). For more information please refer to the [bitnami/supabase-studio](https://github.com/bitnami/containers/tree/main/bitnami/supabase-studio) image documentation.
|
||||
|
||||
@@ -1041,6 +1074,17 @@ Find more information about how to deal with common errors related to Bitnami's
|
||||
|
||||
## Upgrading
|
||||
|
||||
### To 3.0.0
|
||||
|
||||
This major bump changes the following security defaults:
|
||||
|
||||
- `runAsGroup` is changed from `0` to `1001`
|
||||
- `readOnlyRootFilesystem` is set to `true`
|
||||
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
|
||||
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
|
||||
|
||||
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
|
||||
|
||||
### To 2.0.0
|
||||
|
||||
This major updates the Kong subchart to its newest major, 10.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/kong#to-1000) you can find more information about the changes introduced in that version.
|
||||
|
||||
@@ -38,6 +38,7 @@ spec:
|
||||
{{- end }}
|
||||
checksum/jwt-secret: {{ include (print $.Template.BasePath "/jwt-secret.yaml") . | sha256sum }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: auth
|
||||
spec:
|
||||
serviceAccountName: {{ template "supabase.serviceAccountName" . }}
|
||||
|
||||
@@ -19,6 +19,7 @@ spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.auth.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: auth
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
@@ -11,6 +11,7 @@ metadata:
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: init
|
||||
{{- if or .Values.jwt.autoGenerate.annotations .Values.commonAnnotations }}
|
||||
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.jwt.autoGenerate.annotations .Values.commonAnnotations ) "context" . ) }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
|
||||
@@ -21,6 +22,7 @@ spec:
|
||||
metadata:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.jwt.autoGenerate.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: init
|
||||
{{- if .Values.jwt.autoGenerate.podAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.jwt.autoGenerate.podAnnotations "context" $) | nindent 8 }}
|
||||
@@ -149,6 +151,35 @@ spec:
|
||||
{{- else if ne .Values.jwt.autoGenerate.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.jwt.autoGenerate.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if not .Values.diagnosticMode.enabled }}
|
||||
{{- if .Values.jwt.autoGenerate.customLivenessProbe }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.jwt.autoGenerate.customLivenessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.jwt.autoGenerate.livenessProbe.enabled }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.jwt.autoGenerate.livenessProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- pgrep
|
||||
- kubectl
|
||||
{{- end }}
|
||||
{{- if .Values.jwt.autoGenerate.customReadinessProbe }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.jwt.autoGenerate.customReadinessProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.jwt.autoGenerate.readinessProbe.enabled }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.jwt.autoGenerate.readinessProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- pgrep
|
||||
- kubectl
|
||||
{{- end }}
|
||||
{{- if .Values.jwt.autoGenerate.customStartupProbe }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.jwt.autoGenerate.customStartupProbe "context" $) | nindent 12 }}
|
||||
{{- else if .Values.jwt.autoGenerate.startupProbe.enabled }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.jwt.autoGenerate.startupProbe "enabled") "context" $) | nindent 12 }}
|
||||
exec:
|
||||
command:
|
||||
- pgrep
|
||||
- kubectl
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
|
||||
49
bitnami/supabase/templates/jwt-job-networkpolicy.yaml
Normal file
49
bitnami/supabase/templates/jwt-job-networkpolicy.yaml
Normal file
@@ -0,0 +1,49 @@
|
||||
{{- /*
|
||||
Copyright VMware, Inc.
|
||||
SPDX-License-Identifier: APACHE-2.0
|
||||
*/}}
|
||||
|
||||
{{- if and (include "supabase.createInitJob" .) (not .Values.global.jwt.existingSecret) .Values.jwt.autoGenerate.networkPolicy.enabled }}
|
||||
kind: NetworkPolicy
|
||||
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ include "common.names.fullname" . }}-jwt-init
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.jwt.autoGenerate.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: init
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
{{- if .Values.jwt.autoGenerate.networkPolicy.allowExternalEgress }}
|
||||
egress:
|
||||
- {}
|
||||
{{- else }}
|
||||
egress:
|
||||
- ports:
|
||||
# Allow dns resolution
|
||||
- port: 53
|
||||
protocol: UDP
|
||||
- port: 53
|
||||
protocol: TCP
|
||||
# Allow access to kube-apiserver
|
||||
{{- range $port := .Values.jwt.autoGenerate.networkPolicy.kubeAPIServerPorts }}
|
||||
- port: {{ $port }}
|
||||
{{- end }}
|
||||
{{- if .Values.jwt.autoGenerate.networkPolicy.extraEgress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.jwt.autoGenerate.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ingress:
|
||||
{{- if .Values.jwt.autoGenerate.networkPolicy.extraIngress }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.jwt.autoGenerate.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -38,6 +38,7 @@ spec:
|
||||
{{- end }}
|
||||
checksum/jwt-secret: {{ include (print $.Template.BasePath "/jwt-secret.yaml") . | sha256sum }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: meta
|
||||
spec:
|
||||
serviceAccountName: {{ template "supabase.serviceAccountName" . }}
|
||||
|
||||
@@ -19,6 +19,7 @@ spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.meta.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: meta
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
@@ -39,6 +39,7 @@ spec:
|
||||
checksum/jwt-secret: {{ include (print $.Template.BasePath "/jwt-secret.yaml") . | sha256sum }}
|
||||
checksum/secret: {{ include (print $.Template.BasePath "/realtime/secret.yaml") . | sha256sum }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: realtime
|
||||
spec:
|
||||
serviceAccountName: {{ template "supabase.serviceAccountName" . }}
|
||||
|
||||
@@ -19,6 +19,7 @@ spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.realtime.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: realtime
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
@@ -38,6 +38,7 @@ spec:
|
||||
{{- end }}
|
||||
checksum/jwt-secret: {{ include (print $.Template.BasePath "/jwt-secret.yaml") . | sha256sum }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: rest
|
||||
spec:
|
||||
serviceAccountName: {{ template "supabase.serviceAccountName" . }}
|
||||
|
||||
@@ -19,6 +19,7 @@ spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.rest.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: rest
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
@@ -38,6 +38,7 @@ spec:
|
||||
{{- end }}
|
||||
checksum/jwt-secret: {{ include (print $.Template.BasePath "/jwt-secret.yaml") . | sha256sum }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: storage
|
||||
spec:
|
||||
serviceAccountName: {{ template "supabase.serviceAccountName" . }}
|
||||
@@ -88,9 +89,11 @@ spec:
|
||||
mkdir -p {{ .Values.storage.persistence.mountPath }}
|
||||
find {{ .Values.storage.persistence.mountPath }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs chown -R {{ .Values.storage.containerSecurityContext.runAsUser }}:{{ .Values.storage.podSecurityContext.fsGroup }}
|
||||
securityContext: {{- include "common.tplvalues.render" (dict "value" .Values.volumePermissions.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- if .Values.volumePermissions.resources }}
|
||||
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
|
||||
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: {{ .Values.storage.persistence.mountPath }}
|
||||
|
||||
@@ -19,6 +19,7 @@ spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.storage.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: storage
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
@@ -36,6 +36,7 @@ spec:
|
||||
{{- end }}
|
||||
checksum/jwt-secret: {{ include (print $.Template.BasePath "/jwt-secret.yaml") . | sha256sum }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: studio
|
||||
spec:
|
||||
serviceAccountName: {{ template "supabase.serviceAccountName" . }}
|
||||
|
||||
@@ -19,6 +19,7 @@ spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.studio.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/part-of: supabase
|
||||
app.kubernetes.io/component: studio
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
@@ -42,7 +42,7 @@ global:
|
||||
openshift:
|
||||
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
|
||||
##
|
||||
adaptSecurityContext: disabled
|
||||
adaptSecurityContext: auto
|
||||
## @section Common parameters
|
||||
##
|
||||
|
||||
@@ -159,6 +159,116 @@ jwt:
|
||||
## @param jwt.autoGenerate.extraVolumes Optionally specify extra list of additional volumes for the jwt init job
|
||||
##
|
||||
extraVolumes: []
|
||||
## Configure extra options for Supabase auth containers' liveness and readiness probes
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
|
||||
## @param jwt.autoGenerate.livenessProbe.enabled Enable livenessProbe on Supabase auth containers
|
||||
## @param jwt.autoGenerate.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
|
||||
## @param jwt.autoGenerate.livenessProbe.periodSeconds Period seconds for livenessProbe
|
||||
## @param jwt.autoGenerate.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
|
||||
## @param jwt.autoGenerate.livenessProbe.failureThreshold Failure threshold for livenessProbe
|
||||
## @param jwt.autoGenerate.livenessProbe.successThreshold Success threshold for livenessProbe
|
||||
##
|
||||
livenessProbe:
|
||||
enabled: true
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 6
|
||||
successThreshold: 1
|
||||
## @param jwt.autoGenerate.readinessProbe.enabled Enable readinessProbe on Supabase auth containers
|
||||
## @param jwt.autoGenerate.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
|
||||
## @param jwt.autoGenerate.readinessProbe.periodSeconds Period seconds for readinessProbe
|
||||
## @param jwt.autoGenerate.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
|
||||
## @param jwt.autoGenerate.readinessProbe.failureThreshold Failure threshold for readinessProbe
|
||||
## @param jwt.autoGenerate.readinessProbe.successThreshold Success threshold for readinessProbe
|
||||
##
|
||||
readinessProbe:
|
||||
enabled: true
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 6
|
||||
successThreshold: 1
|
||||
## @param jwt.autoGenerate.startupProbe.enabled Enable startupProbe on Supabase auth containers
|
||||
## @param jwt.autoGenerate.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
|
||||
## @param jwt.autoGenerate.startupProbe.periodSeconds Period seconds for startupProbe
|
||||
## @param jwt.autoGenerate.startupProbe.timeoutSeconds Timeout seconds for startupProbe
|
||||
## @param jwt.autoGenerate.startupProbe.failureThreshold Failure threshold for startupProbe
|
||||
## @param jwt.autoGenerate.startupProbe.successThreshold Success threshold for startupProbe
|
||||
##
|
||||
startupProbe:
|
||||
enabled: false
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 6
|
||||
successThreshold: 1
|
||||
## @param jwt.autoGenerate.customLivenessProbe Custom livenessProbe that overrides the default one
|
||||
##
|
||||
customLivenessProbe: {}
|
||||
## @param jwt.autoGenerate.customReadinessProbe Custom readinessProbe that overrides the default one
|
||||
##
|
||||
customReadinessProbe: {}
|
||||
## @param jwt.autoGenerate.customStartupProbe Custom startupProbe that overrides the default one
|
||||
##
|
||||
customStartupProbe: {}
|
||||
## Network Policy configuration
|
||||
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
|
||||
##
|
||||
networkPolicy:
|
||||
## @param jwt.autoGenerate.networkPolicy.enabled Enable creation of NetworkPolicy resources
|
||||
##
|
||||
enabled: true
|
||||
## @param jwt.autoGenerate.networkPolicy.allowExternal The Policy model to apply
|
||||
## When set to false, only pods with the correct client label will have network access to the ports Mastodon is
|
||||
## listening on. When true, Mastodon will accept connections from any source (with the correct destination port).
|
||||
##
|
||||
allowExternal: true
|
||||
## @param jwt.autoGenerate.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
|
||||
##
|
||||
allowExternalEgress: true
|
||||
## @param jwt.autoGenerate.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
|
||||
##
|
||||
kubeAPIServerPorts: [443, 6443, 8443]
|
||||
## @param jwt.autoGenerate.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
|
||||
## e.g:
|
||||
## extraIngress:
|
||||
## - ports:
|
||||
## - port: 1234
|
||||
## from:
|
||||
## - podSelector:
|
||||
## - matchLabels:
|
||||
## - role: frontend
|
||||
## - podSelector:
|
||||
## - matchExpressions:
|
||||
## - key: role
|
||||
## operator: In
|
||||
## values:
|
||||
## - frontend
|
||||
##
|
||||
extraIngress: []
|
||||
## @param jwt.autoGenerate.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
|
||||
## e.g:
|
||||
## extraEgress:
|
||||
## - ports:
|
||||
## - port: 1234
|
||||
## to:
|
||||
## - podSelector:
|
||||
## - matchLabels:
|
||||
## - role: frontend
|
||||
## - podSelector:
|
||||
## - matchExpressions:
|
||||
## - key: role
|
||||
## operator: In
|
||||
## values:
|
||||
## - frontend
|
||||
##
|
||||
extraEgress: []
|
||||
## @param jwt.autoGenerate.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
|
||||
## @param jwt.autoGenerate.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
|
||||
##
|
||||
ingressNSMatchLabels: {}
|
||||
ingressNSPodMatchLabels: {}
|
||||
## ServiceAccount configuration
|
||||
##
|
||||
serviceAccount:
|
||||
@@ -189,12 +299,12 @@ jwt:
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsGroup: 1001
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
@@ -235,7 +345,7 @@ jwt:
|
||||
## @param jwt.autoGenerate.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if jwt.autoGenerate.resources is set (jwt.autoGenerate.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "nano"
|
||||
## @param jwt.autoGenerate.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
@@ -409,7 +519,7 @@ auth:
|
||||
## @param auth.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if auth.resources is set (auth.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "micro"
|
||||
## @param auth.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
@@ -450,12 +560,12 @@ auth:
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsGroup: 1001
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
@@ -811,7 +921,7 @@ meta:
|
||||
## @param meta.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if meta.resources is set (meta.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "micro"
|
||||
## @param meta.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
@@ -852,12 +962,12 @@ meta:
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsGroup: 1001
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
@@ -1182,7 +1292,7 @@ realtime:
|
||||
##
|
||||
livenessProbe:
|
||||
enabled: true
|
||||
initialDelaySeconds: 5
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 6
|
||||
@@ -1229,7 +1339,7 @@ realtime:
|
||||
## @param realtime.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if realtime.resources is set (realtime.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "medium"
|
||||
## @param realtime.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
@@ -1270,12 +1380,12 @@ realtime:
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsGroup: 1001
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
@@ -1629,7 +1739,7 @@ rest:
|
||||
## @param rest.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if rest.resources is set (rest.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "micro"
|
||||
## @param rest.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
@@ -1670,12 +1780,12 @@ rest:
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsGroup: 1001
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
@@ -1988,7 +2098,7 @@ storage:
|
||||
##
|
||||
livenessProbe:
|
||||
enabled: true
|
||||
initialDelaySeconds: 5
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 6
|
||||
@@ -2035,7 +2145,7 @@ storage:
|
||||
## @param storage.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if storage.resources is set (storage.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "medium"
|
||||
## @param storage.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
@@ -2076,12 +2186,12 @@ storage:
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsGroup: 1001
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
@@ -2486,7 +2596,7 @@ studio:
|
||||
## @param studio.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if studio.resources is set (studio.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "micro"
|
||||
## @param studio.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
@@ -2527,12 +2637,12 @@ studio:
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsGroup: 1001
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: false
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
@@ -2908,7 +3018,7 @@ volumePermissions:
|
||||
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "micro"
|
||||
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
@@ -2929,7 +3039,7 @@ volumePermissions:
|
||||
## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
|
||||
##
|
||||
containerSecurityContext:
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 0
|
||||
## Bitnami PostgreSQL image
|
||||
## ref: https://hub.docker.com/r/bitnami/supabase-postgres/tags/
|
||||
@@ -3048,6 +3158,23 @@ kong:
|
||||
value: LAST,A,CNAME
|
||||
- name: KONG_PLUGINS
|
||||
value: request-transformer,cors,key-auth,acl
|
||||
## Container resource requests and limits
|
||||
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
|
||||
## @param kong.kong.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if kong.resources is set (kong.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "medium"
|
||||
## @param kong.kong.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
## requests:
|
||||
## cpu: 2
|
||||
## memory: 512Mi
|
||||
## limits:
|
||||
## cpu: 3
|
||||
## memory: 1024Mi
|
||||
##
|
||||
resources: {}
|
||||
## @param kong.extraVolumes [array] Additional volumes to the Kong pods
|
||||
##
|
||||
extraVolumes:
|
||||
@@ -3139,6 +3266,25 @@ postgresql:
|
||||
service:
|
||||
ports:
|
||||
postgresql: 5432
|
||||
primary:
|
||||
## PostgreSQL Primary resource requests and limits
|
||||
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
|
||||
## @param postgresql.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "nano"
|
||||
## @param postgresql.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
## requests:
|
||||
## cpu: 2
|
||||
## memory: 512Mi
|
||||
## limits:
|
||||
## cpu: 3
|
||||
## memory: 1024Mi
|
||||
##
|
||||
resources: {}
|
||||
|
||||
## External PostgreSQL configuration
|
||||
## All of these values are only used when postgresql.enabled is set to false
|
||||
## @param externalDatabase.host Database host
|
||||
|
||||
Reference in New Issue
Block a user