[bitnami/opensearch] Enable automated setup of snapshot policies (#29796)

* [bitnami/opensearch] Conditionally create PVC for snapshots

I've borrowed most of the config from the dashboards PVC.

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* [bitnami/opensearch] Create volumes for snapshots

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* [bitnami/opensearch] Create snapshots post-install hook

This change creates a new job to be run as an optional post-install
hook for creating initial snapshot policies in OpenSearch, along with
relevant ConfigMaps and NetworkPolicies.

I have tried to follow most of Bitnami's conventions for the templates,
but it's hard to tell if everything is 100% aligned with best practices.

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* [bitnami/opensearch] Bump chart version

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* [bitnami/opensearch] Remove redundant comment in values

Co-authored-by: Juan José Martos <jotamartos@gmail.com>
Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* [bitnami/opensearch] Remove another redundant comment

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Add defaults for documented image values

Co-authored-by: Juan José Martos <jotamartos@gmail.com>
Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* [bitnami/opensearch] Fix typo in nindent

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* [bitnami/opensearch] Add `--show-error` to curl

This drastically improves debugging things when `curl` returns errors.

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* [bitnami/opensearch] Allow UDP/53 in NetworkPolicy

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Add snapshots.image to warnings list

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Move `snapshots.enabled` to the top

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Move `snapshots.persistence.enabled` to the top

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

---------

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>
Signed-off-by: Carlos Rodríguez Hernández <carlosrh@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Carlos Rodríguez Hernández <carlosrh@vmware.com>
Co-authored-by: Juan José Martos <jotamartos@gmail.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
Andreas Lindhé
2024-11-18 13:50:09 +01:00
committed by GitHub
parent c9c33f849a
commit 39322b9054
15 changed files with 546 additions and 13 deletions

View File

@@ -1,8 +1,12 @@
# Changelog
## 1.3.14 (2024-11-08)
## 1.4.0 (2024-11-15)
* [bitnami/opensearch] Unify seLinuxOptions default value ([#30336](https://github.com/bitnami/charts/pull/30336))
* [bitnami/opensearch] Enable automated setup of snapshot policies ([#29796](https://github.com/bitnami/charts/pull/29796))
## <small>1.3.14 (2024-11-08)</small>
* [bitnami/opensearch] Unify seLinuxOptions default value (#30336) ([2b670fc](https://github.com/bitnami/charts/commit/2b670fc5c17e0dd5ddafef2c062c1a474d07eb21)), closes [#30336](https://github.com/bitnami/charts/issues/30336)
## <small>1.3.13 (2024-11-06)</small>

View File

@@ -30,4 +30,4 @@ maintainers:
name: opensearch
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/opensearch
version: 1.3.14
version: 1.4.0

View File

@@ -94,20 +94,19 @@ initScriptsSecret=special-scripts-sensitive
As it's described in the [official documentation](https://opensearch.org/docs/latest/tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore/#register-repository), it's necessary to register a snapshot repository before you can perform snapshot and restore operations.
This chart allows you to configure OpenSearch to use a shared file system to store snapshots. To do so, you need to mount a RWX volume on every OpenSearch node, and set the parameter `snapshotRepoPath` with the path where the volume is mounted. In the example below, you can find the values to set when using a NFS Persistent Volume:
This chart allows you to configure snapshot repositories and snapshot policies in OpenSearch.
A minimal configuration example looks like this:
```yaml
extraVolumes:
- name: snapshot-repository
nfs:
server: nfs.example.com # Please change this to your NFS server
path: /share1
extraVolumeMounts:
- name: snapshot-repository
mountPath: /snapshots
snapshots:
enabled: true
persistence:
enabled: true
snapshotRepoPath: "/snapshots"
```
For details, please refer to the `snapshots.*` documentation below.
### Sidecars and Init Containers
If you have a need for additional containers to run within the same pod as OpenSearch components (e.g. an additional metrics or logging exporter), you can do so via the `XXX.sidecars` parameter(s), where XXX is placeholder you need to replace with the actual component(s). Simply define your container according to the Kubernetes container spec.
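Review bot: the new "minimal configuration" text does not say when the repositories and policies are actually registered. The Job added in this commit is annotated `helm.sh/hook: post-install` only, so setting `snapshots.enabled: true` on an existing release through `helm upgrade` will not run it, and later edits to `snapshots.policies` are not pushed to OpenSearch either. Please state that here, or add `post-upgrade` to the hook. The removed NFS `extraVolumes` example was also the only documentation for bringing your own RWX volume; a sentence pointing at `snapshots.persistence.existingClaim` would cover that case.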
@@ -982,6 +981,50 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
| `dashboards.persistence.selector` | Selector to match an existing Persistent Volume for OpenSearch data PVC | `{}` |
| `dashboards.persistence.dataSource` | Custom PVC data source | `{}` |
### OpenSearch Snapshots Parameters
| Name | Description | Value |
| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `snapshots.enabled` | Enable automatic setup of repositories and snapshot policies | `false` |
| `snapshots.command` | Override default container command (useful when using custom images) | `["/usr/bin/curl"]` |
| `snapshots.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `snapshots.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `snapshots.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `snapshots.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `snapshots.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `snapshots.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `snapshots.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `snapshots.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `snapshots.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `snapshots.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `snapshots.fullnameOverride` | String to fully override opensearch.snapshots.fullname | `""` |
| `snapshots.image.registry` | OpenSearch Snapshots image registry | `REGISTRY_NAME` |
| `snapshots.image.repository` | OpenSearch Snapshots image repository | `REPOSITORY_NAME/os-shell` |
| `snapshots.image.digest` | OpenSearch Snapshots image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `snapshots.image.pullPolicy` | OpenSearch Snapshots image pull policy | `IfNotPresent` |
| `snapshots.image.pullSecrets` | OpenSearch Snapshots image pull secrets | `[]` |
| `snapshots.image.debug` | Enable OpenSearch Snapshots image debug mode | `false` |
| `snapshots.nameOverride` | String to partially override common.names.fullname | `""` |
| `snapshots.persistence.enabled` | Enable persistence using Persistent Volume Claims | `false` |
| `snapshots.persistence.accessModes` | Persistent Volume Access Modes | `["ReadWriteMany"]` |
| `snapshots.persistence.annotations` | Persistent Volume Claim annotations | `{}` |
| `snapshots.persistence.dataSource` | Custom PVC data source | `{}` |
| `snapshots.persistence.existingClaim` | The name of an existing PVC to use for persistence | `""` |
| `snapshots.persistence.labels` | Extra labels for the Persistent Volume Claim | `{}` |
| `snapshots.persistence.selector` | Selector to match an existing Persistent Volume for OpenSearch data PVC | `{}` |
| `snapshots.persistence.size` | Size of data volume | `8Gi` |
| `snapshots.persistence.storageClass` | Storage class of backing PVC | `""` |
| `snapshots.persistence.subPath` | The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services | `""` |
| `snapshots.podSecurityContext.enabled` | Enabled data pods' Security Context | `true` |
| `snapshots.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `snapshots.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `snapshots.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `snapshots.podSecurityContext.fsGroup` | Set snapshots pod's Security Context fsGroup | `1001` |
| `snapshots.policies` | Each object represents a snapshot policy in YAML form, which will be converted to JSON and then passed as the HTTP body data to the OpenSearch REST API. | `SNAPSHOT_POLICY_API_BODY` |
| `snapshots.repositories` | Each object represents a snapshot repository in YAML form, which will be converted to JSON and then passed as the HTTP body data to the OpenSearch REST API. | `SNAPSHOT_REPO_API_BODY` |
| `snapshots.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if snapshots.resources is set (snapshots.resources is recommended for production). | `nano` |
| `snapshots.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console

View File

@@ -120,4 +120,4 @@ In order to replicate the container startup scripts execute this command:
{{- end }}
{{ include "opensearch.validateValues" . }}
{{- include "common.warnings.resources" (dict "sections" (list "coordinating" "dashboards" "data" "ingest" "master" "sysctlImage" "volumePermissions") "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.sysctlImage .Values.dashboards.image) "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.sysctlImage .Values.dashboards.image .Values.snapshots.image) "context" $) }}

View File

@@ -822,3 +822,44 @@ Return true if a TLS credentials secret object should be created
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified snapshots name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "opensearch.snapshots.fullname" -}}
{{- $name := default "snapshots" .Values.snapshots.nameOverride -}}
{{- if .Values.snapshots.fullnameOverride -}}
{{- .Values.snapshots.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" (include "common.names.fullname" .) $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create a global mount path for snapshots volume based on repo path
*/}}
{{- define "opensearch.snapshots.mountPath" -}}
{{- required "Value snapshotRepoPath must be set!" $.Values.snapshotRepoPath -}}
{{- end -}}
{{/*
Create name for snapshot API repo data ConfigMap
*/}}
{{- define "opensearch.snapshots.repoDataConfigMap" -}}
{{- printf "%s-repo-data" (include "opensearch.snapshots.fullname" $) -}}
{{- end -}}
{{/*
Create name for snapshot API policy data ConfigMap
*/}}
{{- define "opensearch.snapshots.policyDataConfigMap" -}}
{{- printf "%s-policy-data" (include "opensearch.snapshots.fullname" $) -}}
{{- end -}}
{{/*
Return the proper Opensearch Snapshots image name
*/}}
{{- define "opensearch.snapshots.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.snapshots.image "global" .Values.global) }}
{{- end -}}
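Review bot: in `opensearch.snapshots.mountPath`, the `required` message "Value snapshotRepoPath must be set!" does not say which setting triggered it. The helper is only reached when `snapshots.persistence.enabled` is true, so a user who flips that flag gets an error about an apparently unrelated top-level value. Suggest wording such as "snapshotRepoPath must be set when snapshots.persistence.enabled is true".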

View File

@@ -258,6 +258,10 @@ spec:
- name: custom-init-scripts-secret
mountPath: /docker-entrypoint-initdb.d/init-scripts-secret
{{- end }}
{{- if .Values.snapshots.persistence.enabled }}
- name: snapshots
mountPath: {{ include "opensearch.snapshots.mountPath" . }}
{{- end }}
{{- if .Values.coordinating.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.coordinating.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
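Review bot: the `snapshots` volumeMount sets only `name` and `mountPath`, but values.yaml and the README in this commit document `snapshots.persistence.subPath`. As written that value has no effect. Either add a conditional `subPath: {{ .Values.snapshots.persistence.subPath }}` here or drop the parameter. The same applies to the identical mount hunks for the data, ingest and master statefulsets.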
@@ -308,6 +312,11 @@ spec:
secretName: {{ template "opensearch.initScriptsSecret" . }}
defaultMode: 0755
{{- end }}
{{- if .Values.snapshots.persistence.enabled }}
- name: snapshots
persistentVolumeClaim:
claimName: {{ include "opensearch.snapshots.fullname" . }}
{{- end }}
{{- if .Values.coordinating.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.coordinating.extraVolumes "context" $) | nindent 8 }}
{{- end }}
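Review bot: `claimName` is always `{{ include "opensearch.snapshots.fullname" . }}`, yet the PVC template in this commit skips creating that claim when `snapshots.persistence.existingClaim` is set. With an existing claim configured, the pods reference a PVC that the chart never creates and the user's claim is never mounted. Use something like `{{ default (include "opensearch.snapshots.fullname" .) .Values.snapshots.persistence.existingClaim }}` here and in the matching volumes hunks for data, ingest and master.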

View File

@@ -284,6 +284,10 @@ spec:
- name: custom-init-scripts-secret
mountPath: /docker-entrypoint-initdb.d/init-scripts-secret
{{- end }}
{{- if .Values.snapshots.persistence.enabled }}
- name: snapshots
mountPath: {{ include "opensearch.snapshots.mountPath" . }}
{{- end }}
{{- if .Values.data.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.data.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
@@ -332,6 +336,11 @@ spec:
secretName: {{ template "opensearch.initScriptsSecret" . }}
defaultMode: 0755
{{- end }}
{{- if .Values.snapshots.persistence.enabled }}
- name: snapshots
persistentVolumeClaim:
claimName: {{ include "opensearch.snapshots.fullname" . }}
{{- end }}
{{- if .Values.data.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.data.extraVolumes "context" $) | nindent 8 }}
{{- end }}

View File

@@ -258,6 +258,10 @@ spec:
- name: custom-init-scripts-secret
mountPath: /docker-entrypoint-initdb.d/init-scripts-secret
{{- end }}
{{- if .Values.snapshots.persistence.enabled }}
- name: snapshots
mountPath: {{ include "opensearch.snapshots.mountPath" . }}
{{- end }}
{{- if .Values.ingest.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingest.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
@@ -308,6 +312,11 @@ spec:
secretName: {{ template "opensearch.initScriptsSecret" . }}
defaultMode: 0755
{{- end }}
{{- if .Values.snapshots.persistence.enabled }}
- name: snapshots
persistentVolumeClaim:
claimName: {{ include "opensearch.snapshots.fullname" . }}
{{- end }}
{{- if .Values.ingest.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingest.extraVolumes "context" $) | nindent 8 }}
{{- end }}

View File

@@ -296,6 +296,10 @@ spec:
- name: custom-init-scripts-secret
mountPath: /docker-entrypoint-initdb.d/init-scripts-secret
{{- end }}
{{- if .Values.snapshots.persistence.enabled }}
- name: snapshots
mountPath: {{ include "opensearch.snapshots.mountPath" . }}
{{- end }}
{{- if .Values.master.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.master.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
@@ -344,6 +348,11 @@ spec:
secretName: {{ template "opensearch.initScriptsSecret" . }}
defaultMode: 0755
{{- end }}
{{- if .Values.snapshots.persistence.enabled }}
- name: snapshots
persistentVolumeClaim:
claimName: {{ include "opensearch.snapshots.fullname" . }}
{{- end }}
{{- if .Values.master.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.master.extraVolumes "context" $) | nindent 8 }}
{{- end }}

View File

@@ -0,0 +1,90 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if $.Values.snapshots.enabled -}}
{{- $host := (include "opensearch.service.name" $) -}}
{{- $port := (include "opensearch.service.ports.restAPI" $) -}}
apiVersion: batch/v1
kind: Job
metadata:
annotations:
helm.sh/hook: post-install
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: snapshots
name: {{ include "opensearch.snapshots.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
spec:
template:
spec:
automountServiceAccountToken: false
containers:
- args:
- --silent
- --show-error
- "file:///dev/null" # Starting with curl 8, a URL is required before the first `--next`
{{- range $name, $_ := $.Values.snapshots.repositories }}
# Register snapshot repository:
- --next
- -w
- '\n'
- -XPUT
- -H
- "Content-Type: application/json"
- -d
- "@/run/repo-data/{{ $name }}"
- http://{{ $host }}:{{ $port }}/_snapshot/{{ $name }}
{{- end }}
{{- range $name, $_ := $.Values.snapshots.policies }}
# Register snapshot policy:
- --next
- -w
- '\n'
- -H
- "Content-Type: application/json"
- -d
- "@/run/policy-data/{{ $name }}"
- http://{{ $host }}:{{ $port }}/_plugins/_sm/policies/{{ $name }}
{{- end }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.snapshots.command "context" $) | nindent 12 }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" (or .Values.snapshots.image.debug .Values.diagnosticMode.enabled) | quote }}
image: {{ template "opensearch.snapshots.image" . }}
imagePullPolicy: {{ .Values.snapshots.image.pullPolicy }}
name: {{ include "opensearch.snapshots.fullname" . }}
{{- if .Values.snapshots.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.snapshots.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.snapshots.resources }}
resources: {{- toYaml .Values.snapshots.resources | nindent 12 }}
{{- else if ne .Values.snapshots.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.snapshots.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: repo-data
mountPath: /run/repo-data/
- name: policy-data
mountPath: /run/policy-data/
{{- with .Values.snapshots.image.pullSecrets }}
imagePullPolicy:
{{- range . }}
- name: {{ . }}
{{- end }}
{{- end }}
restartPolicy: Never
{{- if .Values.dashboards.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dashboards.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: policy-data
configMap:
name: {{ include "opensearch.snapshots.policyDataConfigMap" . }}
- name: repo-data
configMap:
name: {{ include "opensearch.snapshots.repoDataConfigMap" . }}
{{- end -}}
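Review bot: the `{{- with .Values.snapshots.image.pullSecrets }}` block near the end of the pod spec renders the secret list under `imagePullPolicy:`, which is a string field on containers; the key should be `imagePullSecrets:` so that setting `snapshots.image.pullSecrets` yields a valid manifest. Just below it, the pod `securityContext` is gated on and rendered from `.Values.dashboards.podSecurityContext`, so the `snapshots.podSecurityContext.*` values added in this commit are never applied; both references should be `.Values.snapshots.podSecurityContext`. The curl args carry `--silent --show-error` but no `--fail`, so an HTTP 4xx/5xx from `/_snapshot/{{ $name }}` or `/_plugins/_sm/policies/{{ $name }}` still exits 0 and the Job reports success without anything being registered; since `--next` resets per-URL options, `--fail` needs to be added to each `--next` group. The URLs are hard-coded to `http://` with no credentials, which should be documented as a requirement or tied to the chart's TLS settings.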

View File

@@ -0,0 +1,50 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.snapshots.enabled }}
---
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
metadata:
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: opensearch
app.kubernetes.io/component: snapshots
name: {{ template "opensearch.snapshots.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
spec:
podSelector:
matchLabels:
batch.kubernetes.io/job-name: {{ template "opensearch.snapshots.fullname" . }}
policyTypes:
- Ingress
- Egress
ingress: []
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: TCP
- port: 53
protocol: UDP
- to:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if (include "opensearch.coordinating.enabled" .) }}
app.kubernetes.io/component: coordinating-only
{{- else }}
app.kubernetes.io/component: master
{{- end }}
ports:
- port: {{ include "opensearch.service.ports.restAPI" $ }}
{{- end }}
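Review bot: the `podSelector` matches on `batch.kubernetes.io/job-name`, a label the Job controller only sets from Kubernetes 1.27 onward; on older clusters the selector matches no pod and the policy silently does not cover the hook pod. The Job template in this commit sets no labels on its pod template, so adding one there (for example `app.kubernetes.io/component: snapshots`) and selecting on it would make this independent of cluster version. The DNS egress rule is also pinned to namespace `kube-system` and `k8s-app: kube-dns`; clusters that run DNS under a different namespace or label will block resolution of the service name the Job curls, so these selectors are worth exposing as values.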

View File

@@ -0,0 +1,27 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if $.Values.snapshots.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: snapshots
name: {{ include "opensearch.snapshots.policyDataConfigMap" . }}
namespace: {{ include "common.names.namespace" . | quote }}
data:
{{- range $name, $policy := $.Values.snapshots.policies }}
{{- $repo := $policy.snapshot_config.repository -}}
{{- if (hasKey $.Values.snapshots.repositories $repo) -}}
{{- $name | nindent 2 }}: |
{{- $policy | mustToPrettyJson | nindent 4 }}
{{- else -}}
{{- fail (printf "Repository `%s` is not defined in .snapshots.repositories" $repo) -}}
{{- end -}}
{{- end -}}
{{- end -}}
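Review bot: `$policy.snapshot_config.repository` is dereferenced without checking that `snapshot_config` exists, so a policy that omits it aborts rendering with a nil-pointer template error instead of the explicit `fail` message further down. Wrapping the lookup in `required`, or testing `hasKey $policy "snapshot_config"` first, would give the user an actionable error. `$name` is also used verbatim as both the ConfigMap key here and a URL path segment in the Job, so it is worth validating that it contains only characters that are safe in both places.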

View File

@@ -0,0 +1,36 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.snapshots.persistence.enabled (not .Values.snapshots.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ include "opensearch.snapshots.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels .Values.snapshots.persistence.labels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: snapshots
annotations:
helm.sh/resource-policy: keep
{{- if or .Values.snapshots.persistence.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.snapshots.persistence.annotations .Values.commonAnnotations ) "context" . ) }}
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
accessModes:
{{- range .Values.snapshots.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.snapshots.persistence.size | quote }}
{{- if .Values.snapshots.persistence.selector }}
selector: {{- include "common.tplvalues.render" (dict "value" .Values.snapshots.persistence.selector "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.snapshots.persistence.dataSource }}
dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.snapshots.persistence.dataSource "context" $) | nindent 4 }}
{{- end }}
{{- include "common.storage.class" (dict "persistence" .Values.snapshots.persistence "global" .Values.global) | nindent 2 }}
{{- end -}}
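Review bot: `helm.sh/resource-policy: keep` is set unconditionally under `annotations:`, so `helm uninstall` leaves the snapshots PVC and its data behind, and a later reinstall under the same release name will find a claim it does not own. That is a reasonable default for backups, but nothing in the README parameter table added in this commit mentions it; please document it next to `snapshots.persistence.enabled`.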

View File

@@ -0,0 +1,28 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if $.Values.snapshots.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: snapshots
name: {{ include "opensearch.snapshots.repoDataConfigMap" . }}
namespace: {{ include "common.names.namespace" . | quote }}
data:
{{- range $name, $repo := $.Values.snapshots.repositories }}
{{- if (eq $repo.type "fs") -}}
{{- $location := $repo.settings.location -}}
{{- if not (eq $location $.Values.snapshotRepoPath) -}}
{{- fail (printf "Location `%s` for repo `%s` must be allowed via .snapshotRepoPath" $location $name) -}}
{{- end -}}
{{- end -}}
{{ $name | nindent 2 }}: |
{{- $repo | mustToPrettyJson | nindent 4 }}
{{- end -}}
{{- end -}}
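Review bot: the `fs` check uses `not (eq $location $.Values.snapshotRepoPath)`, which requires an exact string match, so every `fs` repository must use the identical location and a value like `/snapshots/` with a trailing slash is rejected. If more than one `fs` repository is meant to be supported, a `hasPrefix` test against `snapshotRepoPath` would allow subdirectories while keeping the restriction. `$repo.settings.location` is also read without checking that `settings` is present, so an `fs` repository missing that block fails with a nil-pointer template error rather than the `fail` message.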

View File

@@ -3405,3 +3405,181 @@ dashboards:
## @param dashboards.persistence.dataSource Custom PVC data source
##
dataSource: {}
## @section OpenSearch Snapshots Parameters
snapshots:
## @param snapshots.enabled Enable automatic setup of repositories and snapshot policies
##
enabled: false
## @param snapshots.command Override default container command (useful when using custom images)
##
command:
- /usr/bin/curl
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param snapshots.containerSecurityContext.enabled Enabled containers' Security Context
## @param snapshots.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param snapshots.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param snapshots.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param snapshots.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param snapshots.containerSecurityContext.privileged Set container's Security Context privileged
## @param snapshots.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param snapshots.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param snapshots.containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param snapshots.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## @param snapshots.fullnameOverride String to fully override opensearch.snapshots.fullname
##
fullnameOverride: ""
## Bitnami OpenSearch Snapshots image
## @param snapshots.image.registry [default: REGISTRY_NAME] OpenSearch Snapshots image registry
## @param snapshots.image.repository [default: REPOSITORY_NAME/os-shell] OpenSearch Snapshots image repository
## @skip snapshots.image.tag OpenSearch Snapshots image tag (immutable tags are recommended)
## @param snapshots.image.digest OpenSearch Snapshots image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param snapshots.image.pullPolicy OpenSearch Snapshots image pull policy
## @param snapshots.image.pullSecrets OpenSearch Snapshots image pull secrets
## @param snapshots.image.debug Enable OpenSearch Snapshots image debug mode
##
image:
registry: docker.io
repository: bitnami/os-shell
tag: 12-debian-12-r30
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## e.g:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Enable debug mode
##
debug: false
## @param snapshots.nameOverride String to partially override common.names.fullname
##
nameOverride: ""
## Enable persistence using Persistent Volume Claims
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
##
persistence:
## @param snapshots.persistence.enabled Enable persistence using Persistent Volume Claims
##
enabled: false
## @param snapshots.persistence.accessModes Persistent Volume Access Modes
##
accessModes:
- ReadWriteMany
## @param snapshots.persistence.annotations Persistent Volume Claim annotations
##
annotations: {}
## @param snapshots.persistence.dataSource Custom PVC data source
##
dataSource: {}
## @param snapshots.persistence.existingClaim The name of an existing PVC to use for persistence
##
existingClaim: ""
## @param snapshots.persistence.labels Extra labels for the Persistent Volume Claim
##
labels: {}
## @param snapshots.persistence.selector Selector to match an existing Persistent Volume for OpenSearch data PVC
## If set, the PVC can't have a PV dynamically provisioned for it
## E.g.
## selector:
## matchLabels:
## app: my-app
##
selector: {}
## @param snapshots.persistence.size Size of data volume
##
size: 8Gi
## @param snapshots.persistence.storageClass Storage class of backing PVC
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
storageClass: ""
## @param snapshots.persistence.subPath The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services
##
subPath: ""
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param snapshots.podSecurityContext.enabled Enabled data pods' Security Context
## @param snapshots.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param snapshots.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param snapshots.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param snapshots.podSecurityContext.fsGroup Set snapshots pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## @param snapshots.policies [default: SNAPSHOT_POLICY_API_BODY] Each object represents a snapshot policy in YAML form, which will be converted to JSON and then passed as the HTTP body data to the OpenSearch REST API.
## NOTE: The field `snapshot_config.repository` in each policy must match a repo name in `snapshots.repositories`.
##
policies:
default:
creation:
schedule:
cron:
expression: "0 20 * * *"
timezone: UTC
deletion:
condition:
max_age: 7d
min_count: 1
schedule:
cron:
expression: 0 20 * * *
timezone: UTC
description: Default snapshot policy
enabled: true
snapshot_config:
repository: default
## @param snapshots.repositories [default: SNAPSHOT_REPO_API_BODY] Each object represents a snapshot repository in YAML form, which will be converted to JSON and then passed as the HTTP body data to the OpenSearch REST API.
## NOTE: The field `settings.location` in each repo must match the snapshot repo path configured in `snapshotRepoPath`, if its `type` is `fs`.
##
repositories:
default:
settings:
location: /snapshots
type: fs
## OpenSearch resource requests and limits
## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param snapshots.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if snapshots.resources is set (snapshots.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "nano"
## @param snapshots.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 100m
## memory: 10Mi
## limits:
## cpu: 200m
## memory: 20Mi
##
resources: {}
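Review bot: `snapshots.policies` and `snapshots.repositories` ship with a populated `default` entry, and Helm deep-merges map values, so a user who adds their own policy gets it in addition to `default` rather than instead of it. The comments should say how to drop the default (setting `policies.default: null`), or the defaults should be empty with the example moved into the comment. Smaller points in the same block: the creation cron expression is quoted (`"0 20 * * *"`) while the deletion one is not, and both run at the same minute; `image.tag: 12-debian-12-r30` is used with an empty `digest`, so pinning by digest is left to the user.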