mirror of
https://github.com/bitnami/charts.git
synced 2026-03-15 14:57:16 +08:00
[bitnami/influxdb] Set some additional pod security restrictions (#17291)
* [bitnami/influxdb] Seed influxdb with pss-restricted

  Signed-off-by: Pat Riehecky <riehecky@fnal.gov>

* Update README.md with readme-generator-for-helm

  Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

---------

Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
@@ -26,4 +26,4 @@ maintainers:
|
||||
name: influxdb
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/influxdb
|
||||
version: 5.7.3
|
||||
version: 5.8.0
|
||||
|
||||
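Review bot: an upgrade note is missing for the `version: 5.8.0` bump. The README rows added in this commit default `capabilities.drop` to `["ALL"]`, `seccompProfile.type` to `RuntimeDefault` and `allowPrivilegeEscalation` to `false`, so existing releases get a tighter pod spec on upgrade without touching their values. A minor bump is reasonable for that, but a short README entry naming the values to override for custom images that need a capability or privilege escalation would spare users a failed rollout.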
@@ -78,106 +78,110 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
|
||||
### InfluxDB™ parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
|
||||
| `image.registry` | InfluxDB™ image registry | `docker.io` |
|
||||
| `image.repository` | InfluxDB™ image repository | `bitnami/influxdb` |
|
||||
| `image.tag` | InfluxDB™ image tag (immutable tags are recommended) | `2.7.1-debian-11-r83` |
|
||||
| `image.digest` | InfluxDB™ image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `image.pullPolicy` | InfluxDB™ image pull policy | `IfNotPresent` |
|
||||
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
| `image.debug` | Specify if debug logs should be enabled | `false` |
|
||||
| `auth.enabled` | Enable/disable authentication (Variable to keep compatibility with InfluxDB™ v1, in v2 it will be ignored) | `true` |
|
||||
| `auth.usePasswordFiles` | Whether to use files to provide secrets instead of env vars. | `false` |
|
||||
| `auth.admin.username` | InfluxDB™ admin user name | `admin` |
|
||||
| `auth.admin.password` | InfluxDB™ admin user's password | `""` |
|
||||
| `auth.admin.token` | InfluxDB™ admin user's token. Only valid with InfluxDB™ v2 | `""` |
|
||||
| `auth.admin.org` | InfluxDB™ admin user's org. Only valid with InfluxDB™ v2 | `primary` |
|
||||
| `auth.admin.bucket` | InfluxDB™ admin user's bucket. Only valid with InfluxDB™ v2 | `primary` |
|
||||
| `auth.admin.retention` | InfluxDB™ admin user's bucket retention. Only valid with InfluxDB™ v2 | `""` |
|
||||
| `auth.createUserToken` | Whether to create tokens for the different users. Take into account these tokens are going to be created by CLI randomly and they will not be accessible from a secret. See more influxdb 2.0 [auth ref](https://docs.influxdata.com/influxdb/v2.0/security/tokens/) | `false` |
|
||||
| `auth.user.username` | Name for InfluxDB™ user with 'admin' privileges on the bucket specified at `auth.user.bucket` and `auth.user.org` or `auth.admin.org` | `""` |
|
||||
| `auth.user.password` | InfluxDB™ password for `user.name` user | `""` |
|
||||
| `auth.user.org` | Org to be created on first run | `""` |
|
||||
| `auth.user.bucket` | Bucket to be created on first run | `""` |
|
||||
| `auth.readUser.username` | Name for InfluxDB™ user with 'read' privileges on the bucket specified at `auth.user.bucket` | `""` |
|
||||
| `auth.readUser.password` | InfluxDB™ password for `auth.readUser.username` user | `""` |
|
||||
| `auth.writeUser.username` | Name for InfluxDB™ user with 'read' privileges on the bucket specified at `auth.user.bucket` | `""` |
|
||||
| `auth.writeUser.password` | InfluxDB™ password for `auth.writeUser.username` user | `""` |
|
||||
| `auth.existingSecret` | Name of existing Secret object with InfluxDB™ credentials (`auth.admin.password`, `auth.user.password`, `auth.readUser.password`, and `auth.writeUser.password` will be ignored and picked up from this secret) | `""` |
|
||||
| `influxdb.configuration` | Specify content for influxdb.conf | `""` |
|
||||
| `influxdb.existingConfiguration` | Name of existing ConfigMap object with the InfluxDB™ configuration (`influxdb.configuration` will be ignored). | `""` |
|
||||
| `influxdb.initdbScripts` | Dictionary of initdb scripts | `{}` |
|
||||
| `influxdb.initdbScriptsCM` | Name of existing ConfigMap object with the initdb scripts (`influxdb.initdbScripts` will be ignored). | `""` |
|
||||
| `influxdb.initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`) | `""` |
|
||||
| `influxdb.podAffinityPreset` | InfluxDB™ Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `influxdb.podAntiAffinityPreset` | InfluxDB™ Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
|
||||
| `influxdb.nodeAffinityPreset.type` | InfluxDB™ Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `influxdb.nodeAffinityPreset.key` | InfluxDB™ Node label key to match Ignored if `affinity` is set. | `""` |
|
||||
| `influxdb.nodeAffinityPreset.values` | InfluxDB™ Node label values to match. Ignored if `affinity` is set. | `[]` |
|
||||
| `influxdb.affinity` | InfluxDB™ Affinity for pod assignment | `{}` |
|
||||
| `influxdb.nodeSelector` | InfluxDB™ Node labels for pod assignment | `{}` |
|
||||
| `influxdb.tolerations` | InfluxDB™ Tolerations for pod assignment | `[]` |
|
||||
| `influxdb.podAnnotations` | Annotations for InfluxDB™ pods | `{}` |
|
||||
| `influxdb.podLabels` | Extra labels for InfluxDB™ pods | `{}` |
|
||||
| `influxdb.hostAliases` | InfluxDB™ pods host aliases | `[]` |
|
||||
| `influxdb.updateStrategy.type` | InfluxDB™ statefulset/deployment strategy type | `RollingUpdate` |
|
||||
| `influxdb.priorityClassName` | InfluxDB™ pods' priorityClassName | `""` |
|
||||
| `influxdb.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
|
||||
| `influxdb.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
|
||||
| `influxdb.podManagementPolicy` | podManagementPolicy to manage scaling operation of InfluxDB™ pods | `OrderedReady` |
|
||||
| `influxdb.podSecurityContext.enabled` | Enabled InfluxDB™ pods' Security Context | `true` |
|
||||
| `influxdb.podSecurityContext.fsGroup` | Set InfluxDB™ pod's Security Context fsGroup | `1001` |
|
||||
| `influxdb.containerSecurityContext.enabled` | Enabled InfluxDB™ containers' Security Context | `true` |
|
||||
| `influxdb.containerSecurityContext.runAsUser` | Set InfluxDB™ containers' Security Context runAsUser | `1001` |
|
||||
| `influxdb.containerSecurityContext.runAsNonRoot` | Set Controller container's Security Context runAsNonRoot | `true` |
|
||||
| `influxdb.resources.limits` | The resources limits for the container | `{}` |
|
||||
| `influxdb.resources.requests` | The requested resources for the container | `{}` |
|
||||
| `influxdb.command` | Override default container command (useful when using custom images) | `[]` |
|
||||
| `influxdb.args` | Override default container args (useful when using custom images) | `[]` |
|
||||
| `influxdb.lifecycleHooks` | for the InfluxDB™ container(s) to automate configuration before or after startup | `{}` |
|
||||
| `influxdb.extraEnvVars` | Array containing extra env vars to configure InfluxDB™ | `[]` |
|
||||
| `influxdb.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for InfluxDB™ nodes | `""` |
|
||||
| `influxdb.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for InfluxDB™ nodes | `""` |
|
||||
| `influxdb.extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts | `[]` |
|
||||
| `influxdb.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. | `[]` |
|
||||
| `influxdb.containerPorts.http` | InfluxDB™ container HTTP port | `8086` |
|
||||
| `influxdb.containerPorts.rpc` | InfluxDB™ container RPC port | `8088` |
|
||||
| `influxdb.startupProbe.enabled` | Enable startupProbe | `false` |
|
||||
| `influxdb.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `180` |
|
||||
| `influxdb.startupProbe.periodSeconds` | Period seconds for startupProbe | `45` |
|
||||
| `influxdb.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `30` |
|
||||
| `influxdb.startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
|
||||
| `influxdb.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
|
||||
| `influxdb.livenessProbe.enabled` | Enable livenessProbe | `true` |
|
||||
| `influxdb.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `180` |
|
||||
| `influxdb.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `45` |
|
||||
| `influxdb.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `30` |
|
||||
| `influxdb.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
|
||||
| `influxdb.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
|
||||
| `influxdb.readinessProbe.enabled` | Enable readinessProbe | `true` |
|
||||
| `influxdb.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `60` |
|
||||
| `influxdb.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `45` |
|
||||
| `influxdb.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `30` |
|
||||
| `influxdb.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
|
||||
| `influxdb.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
|
||||
| `influxdb.customStartupProbe` | Override default startup probe | `{}` |
|
||||
| `influxdb.customLivenessProbe` | Override default liveness probe | `{}` |
|
||||
| `influxdb.customReadinessProbe` | Override default readiness probe | `{}` |
|
||||
| `influxdb.sidecars` | Add additional sidecar containers to the InfluxDB™ pod(s) | `[]` |
|
||||
| `influxdb.initContainers` | Add additional init containers to the InfluxDB™ pod(s) | `[]` |
|
||||
| `influxdb.service.type` | Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) | `ClusterIP` |
|
||||
| `influxdb.service.ports.http` | InfluxDB™ HTTP port | `8086` |
|
||||
| `influxdb.service.ports.rpc` | InfluxDB™ RPC port | `8088` |
|
||||
| `influxdb.service.nodePorts` | Specify the nodePort(s) value for the LoadBalancer and NodePort service types. | `{}` |
|
||||
| `influxdb.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `""` |
|
||||
| `influxdb.service.loadBalancerSourceRanges` | Address that are allowed when service is LoadBalancer | `[]` |
|
||||
| `influxdb.service.clusterIP` | Static clusterIP or None for headless services | `""` |
|
||||
| `influxdb.service.externalTrafficPolicy` | InfluxDB™ service external traffic policy | `Cluster` |
|
||||
| `influxdb.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
|
||||
| `influxdb.service.annotations` | Annotations for InfluxDB™ service | `{}` |
|
||||
| `influxdb.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
|
||||
| `influxdb.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
|
||||
| Name | Description | Value |
|
||||
| ------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
|
||||
| `image.registry` | InfluxDB™ image registry | `docker.io` |
|
||||
| `image.repository` | InfluxDB™ image repository | `bitnami/influxdb` |
|
||||
| `image.tag` | InfluxDB™ image tag (immutable tags are recommended) | `2.7.1-debian-11-r83` |
|
||||
| `image.digest` | InfluxDB™ image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `image.pullPolicy` | InfluxDB™ image pull policy | `IfNotPresent` |
|
||||
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
| `image.debug` | Specify if debug logs should be enabled | `false` |
|
||||
| `auth.enabled` | Enable/disable authentication (Variable to keep compatibility with InfluxDB™ v1, in v2 it will be ignored) | `true` |
|
||||
| `auth.usePasswordFiles` | Whether to use files to provide secrets instead of env vars. | `false` |
|
||||
| `auth.admin.username` | InfluxDB™ admin user name | `admin` |
|
||||
| `auth.admin.password` | InfluxDB™ admin user's password | `""` |
|
||||
| `auth.admin.token` | InfluxDB™ admin user's token. Only valid with InfluxDB™ v2 | `""` |
|
||||
| `auth.admin.org` | InfluxDB™ admin user's org. Only valid with InfluxDB™ v2 | `primary` |
|
||||
| `auth.admin.bucket` | InfluxDB™ admin user's bucket. Only valid with InfluxDB™ v2 | `primary` |
|
||||
| `auth.admin.retention` | InfluxDB™ admin user's bucket retention. Only valid with InfluxDB™ v2 | `""` |
|
||||
| `auth.createUserToken` | Whether to create tokens for the different users. Take into account these tokens are going to be created by CLI randomly and they will not be accessible from a secret. See more influxdb 2.0 [auth ref](https://docs.influxdata.com/influxdb/v2.0/security/tokens/) | `false` |
|
||||
| `auth.user.username` | Name for InfluxDB™ user with 'admin' privileges on the bucket specified at `auth.user.bucket` and `auth.user.org` or `auth.admin.org` | `""` |
|
||||
| `auth.user.password` | InfluxDB™ password for `user.name` user | `""` |
|
||||
| `auth.user.org` | Org to be created on first run | `""` |
|
||||
| `auth.user.bucket` | Bucket to be created on first run | `""` |
|
||||
| `auth.readUser.username` | Name for InfluxDB™ user with 'read' privileges on the bucket specified at `auth.user.bucket` | `""` |
|
||||
| `auth.readUser.password` | InfluxDB™ password for `auth.readUser.username` user | `""` |
|
||||
| `auth.writeUser.username` | Name for InfluxDB™ user with 'read' privileges on the bucket specified at `auth.user.bucket` | `""` |
|
||||
| `auth.writeUser.password` | InfluxDB™ password for `auth.writeUser.username` user | `""` |
|
||||
| `auth.existingSecret` | Name of existing Secret object with InfluxDB™ credentials (`auth.admin.password`, `auth.user.password`, `auth.readUser.password`, and `auth.writeUser.password` will be ignored and picked up from this secret) | `""` |
|
||||
| `influxdb.configuration` | Specify content for influxdb.conf | `""` |
|
||||
| `influxdb.existingConfiguration` | Name of existing ConfigMap object with the InfluxDB™ configuration (`influxdb.configuration` will be ignored). | `""` |
|
||||
| `influxdb.initdbScripts` | Dictionary of initdb scripts | `{}` |
|
||||
| `influxdb.initdbScriptsCM` | Name of existing ConfigMap object with the initdb scripts (`influxdb.initdbScripts` will be ignored). | `""` |
|
||||
| `influxdb.initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`) | `""` |
|
||||
| `influxdb.podAffinityPreset` | InfluxDB™ Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `influxdb.podAntiAffinityPreset` | InfluxDB™ Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
|
||||
| `influxdb.nodeAffinityPreset.type` | InfluxDB™ Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `influxdb.nodeAffinityPreset.key` | InfluxDB™ Node label key to match Ignored if `affinity` is set. | `""` |
|
||||
| `influxdb.nodeAffinityPreset.values` | InfluxDB™ Node label values to match. Ignored if `affinity` is set. | `[]` |
|
||||
| `influxdb.affinity` | InfluxDB™ Affinity for pod assignment | `{}` |
|
||||
| `influxdb.nodeSelector` | InfluxDB™ Node labels for pod assignment | `{}` |
|
||||
| `influxdb.tolerations` | InfluxDB™ Tolerations for pod assignment | `[]` |
|
||||
| `influxdb.podAnnotations` | Annotations for InfluxDB™ pods | `{}` |
|
||||
| `influxdb.podLabels` | Extra labels for InfluxDB™ pods | `{}` |
|
||||
| `influxdb.hostAliases` | InfluxDB™ pods host aliases | `[]` |
|
||||
| `influxdb.updateStrategy.type` | InfluxDB™ statefulset/deployment strategy type | `RollingUpdate` |
|
||||
| `influxdb.priorityClassName` | InfluxDB™ pods' priorityClassName | `""` |
|
||||
| `influxdb.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
|
||||
| `influxdb.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
|
||||
| `influxdb.podManagementPolicy` | podManagementPolicy to manage scaling operation of InfluxDB™ pods | `OrderedReady` |
|
||||
| `influxdb.podSecurityContext.enabled` | Enabled InfluxDB™ pods' Security Context | `true` |
|
||||
| `influxdb.podSecurityContext.fsGroup` | Set InfluxDB™ pod's Security Context fsGroup | `1001` |
|
||||
| `influxdb.containerSecurityContext.enabled` | Enabled InfluxDB™ containers' Security Context | `true` |
|
||||
| `influxdb.containerSecurityContext.runAsUser` | Set InfluxDB™ containers' Security Context runAsUser | `1001` |
|
||||
| `influxdb.containerSecurityContext.runAsGroup` | Set InfluxDB™ containers' Security Context runAsGroup | `0` |
|
||||
| `influxdb.containerSecurityContext.runAsNonRoot` | Set Controller container's Security Context runAsNonRoot | `true` |
|
||||
| `influxdb.containerSecurityContext.allowPrivilegeEscalation` | Set Controller container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `influxdb.containerSecurityContext.seccompProfile.type` | Set Controller container's Security Context seccompProfile | `RuntimeDefault` |
|
||||
| `influxdb.containerSecurityContext.capabilities.drop` | Set Controller container's Security Context capabilities to drop | `["ALL"]` |
|
||||
| `influxdb.resources.limits` | The resources limits for the container | `{}` |
|
||||
| `influxdb.resources.requests` | The requested resources for the container | `{}` |
|
||||
| `influxdb.command` | Override default container command (useful when using custom images) | `[]` |
|
||||
| `influxdb.args` | Override default container args (useful when using custom images) | `[]` |
|
||||
| `influxdb.lifecycleHooks` | for the InfluxDB™ container(s) to automate configuration before or after startup | `{}` |
|
||||
| `influxdb.extraEnvVars` | Array containing extra env vars to configure InfluxDB™ | `[]` |
|
||||
| `influxdb.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for InfluxDB™ nodes | `""` |
|
||||
| `influxdb.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for InfluxDB™ nodes | `""` |
|
||||
| `influxdb.extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts | `[]` |
|
||||
| `influxdb.extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. | `[]` |
|
||||
| `influxdb.containerPorts.http` | InfluxDB™ container HTTP port | `8086` |
|
||||
| `influxdb.containerPorts.rpc` | InfluxDB™ container RPC port | `8088` |
|
||||
| `influxdb.startupProbe.enabled` | Enable startupProbe | `false` |
|
||||
| `influxdb.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `180` |
|
||||
| `influxdb.startupProbe.periodSeconds` | Period seconds for startupProbe | `45` |
|
||||
| `influxdb.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `30` |
|
||||
| `influxdb.startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
|
||||
| `influxdb.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
|
||||
| `influxdb.livenessProbe.enabled` | Enable livenessProbe | `true` |
|
||||
| `influxdb.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `180` |
|
||||
| `influxdb.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `45` |
|
||||
| `influxdb.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `30` |
|
||||
| `influxdb.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
|
||||
| `influxdb.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
|
||||
| `influxdb.readinessProbe.enabled` | Enable readinessProbe | `true` |
|
||||
| `influxdb.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `60` |
|
||||
| `influxdb.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `45` |
|
||||
| `influxdb.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `30` |
|
||||
| `influxdb.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
|
||||
| `influxdb.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
|
||||
| `influxdb.customStartupProbe` | Override default startup probe | `{}` |
|
||||
| `influxdb.customLivenessProbe` | Override default liveness probe | `{}` |
|
||||
| `influxdb.customReadinessProbe` | Override default readiness probe | `{}` |
|
||||
| `influxdb.sidecars` | Add additional sidecar containers to the InfluxDB™ pod(s) | `[]` |
|
||||
| `influxdb.initContainers` | Add additional init containers to the InfluxDB™ pod(s) | `[]` |
|
||||
| `influxdb.service.type` | Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) | `ClusterIP` |
|
||||
| `influxdb.service.ports.http` | InfluxDB™ HTTP port | `8086` |
|
||||
| `influxdb.service.ports.rpc` | InfluxDB™ RPC port | `8088` |
|
||||
| `influxdb.service.nodePorts` | Specify the nodePort(s) value for the LoadBalancer and NodePort service types. | `{}` |
|
||||
| `influxdb.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `""` |
|
||||
| `influxdb.service.loadBalancerSourceRanges` | Address that are allowed when service is LoadBalancer | `[]` |
|
||||
| `influxdb.service.clusterIP` | Static clusterIP or None for headless services | `""` |
|
||||
| `influxdb.service.externalTrafficPolicy` | InfluxDB™ service external traffic policy | `Cluster` |
|
||||
| `influxdb.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
|
||||
| `influxdb.service.annotations` | Annotations for InfluxDB™ service | `{}` |
|
||||
| `influxdb.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
|
||||
| `influxdb.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
|
||||
|
||||
### InfluxDB Collectd™ parameters
|
||||
|
||||
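Review bot: the descriptions of the three added `influxdb.containerSecurityContext` rows (`allowPrivilegeEscalation`, `seccompProfile.type`, `capabilities.drop`) say "Set Controller container's Security Context ...", wording carried over from the existing `runAsNonRoot` row, while the neighbouring `runAsUser` and `runAsGroup` rows name InfluxDB™ containers. The README is produced by readme-generator-for-helm, so correct the `@param` descriptions in values.yaml and regenerate rather than editing the table. The new `runAsGroup` row defaults to `0`, the root group, next to `runAsNonRoot` `true`, and its description does not say why GID 0 is wanted; a sentence on that would help anyone auditing the defaults. The backup container rows added later in this commit expose `readOnlyRootFilesystem`, but no such row is added here for the main container: either add it or state why it is left out.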
@@ -268,59 +272,66 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
|
||||
### InfluxDB™ backup parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | -------------------------- |
|
||||
| `backup.enabled` | Enable InfluxDB™ backup | `false` |
|
||||
| `backup.directory` | Directory where backups are stored | `/backups` |
|
||||
| `backup.retentionDays` | Retention time in days for backups (older backups are deleted) | `10` |
|
||||
| `backup.cronjob.schedule` | Schedule in Cron format to save snapshots | `0 2 * * *` |
|
||||
| `backup.cronjob.historyLimit` | Number of successful finished jobs to retain | `1` |
|
||||
| `backup.cronjob.podAnnotations` | Pod annotations | `{}` |
|
||||
| `backup.cronjob.securityContext.enabled` | Enable security context for InfluxDB™ | `true` |
|
||||
| `backup.cronjob.securityContext.fsGroup` | Group ID for the InfluxDB™ filesystem | `1001` |
|
||||
| `backup.cronjob.securityContext.runAsUser` | Group ID for the InfluxDB™ filesystem | `1001` |
|
||||
| `backup.podAffinityPreset` | Backup ™ Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `backup.podAntiAffinityPreset` | Backup™ Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
|
||||
| `backup.nodeAffinityPreset.type` | Backup™ Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `backup.nodeAffinityPreset.key` | Backup™ Node label key to match Ignored if `affinity` is set. | `""` |
|
||||
| `backup.nodeAffinityPreset.values` | Backup™ Node label values to match. Ignored if `affinity` is set. | `[]` |
|
||||
| `backup.affinity` | Backup™ Affinity for backup pod assignment | `{}` |
|
||||
| `backup.nodeSelector` | Backup™ Node labels for backup pod assignment | `{}` |
|
||||
| `backup.tolerations` | Backup™ Tolerations for backup pod assignment | `[]` |
|
||||
| `backup.uploadProviders.google.enabled` | enable upload to google storage bucket | `false` |
|
||||
| `backup.uploadProviders.google.secret` | json secret with serviceaccount data to access Google storage bucket | `""` |
|
||||
| `backup.uploadProviders.google.secretKey` | service account secret key name | `key.json` |
|
||||
| `backup.uploadProviders.google.existingSecret` | Name of existing secret object with Google serviceaccount json credentials | `""` |
|
||||
| `backup.uploadProviders.google.bucketName` | google storage bucket name name | `gs://bucket/influxdb` |
|
||||
| `backup.uploadProviders.google.image.registry` | Google Cloud SDK image registry | `docker.io` |
|
||||
| `backup.uploadProviders.google.image.repository` | Google Cloud SDK image name | `bitnami/google-cloud-sdk` |
|
||||
| `backup.uploadProviders.google.image.tag` | Google Cloud SDK image tag | `0.439.0-debian-11-r6` |
|
||||
| `backup.uploadProviders.google.image.digest` | Google Cloud SDK image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `backup.uploadProviders.google.image.pullPolicy` | Google Cloud SDK image pull policy | `IfNotPresent` |
|
||||
| `backup.uploadProviders.google.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
| `backup.uploadProviders.azure.enabled` | Enable upload to azure storage container | `false` |
|
||||
| `backup.uploadProviders.azure.secret` | Secret with credentials to access Azure storage | `""` |
|
||||
| `backup.uploadProviders.azure.secretKey` | Service account secret key name | `connection-string` |
|
||||
| `backup.uploadProviders.azure.existingSecret` | Name of existing secret object | `""` |
|
||||
| `backup.uploadProviders.azure.containerName` | Destination container | `influxdb-container` |
|
||||
| `backup.uploadProviders.azure.image.registry` | Azure CLI image registry | `docker.io` |
|
||||
| `backup.uploadProviders.azure.image.repository` | Azure CLI image repository | `bitnami/azure-cli` |
|
||||
| `backup.uploadProviders.azure.image.tag` | Azure CLI image tag (immutable tags are recommended) | `2.50.0-debian-11-r16` |
|
||||
| `backup.uploadProviders.azure.image.digest` | Azure CLI image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `backup.uploadProviders.azure.image.pullPolicy` | Azure CLI image pull policy | `IfNotPresent` |
|
||||
| `backup.uploadProviders.azure.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
| `backup.uploadProviders.aws.enabled` | Enable upload to aws s3 bucket | `false` |
|
||||
| `backup.uploadProviders.aws.accessKeyID` | Access Key ID to access aws s3 | `""` |
|
||||
| `backup.uploadProviders.aws.secretAccessKey` | Secret Access Key to access aws s3 | `""` |
|
||||
| `backup.uploadProviders.aws.region` | Region of aws s3 bucket | `us-east-1` |
|
||||
| `backup.uploadProviders.aws.existingSecret` | Name of existing secret object | `""` |
|
||||
| `backup.uploadProviders.aws.bucketName` | aws s3 bucket name | `s3://bucket/influxdb` |
|
||||
| `backup.uploadProviders.aws.image.registry` | AWS CLI image registry | `docker.io` |
|
||||
| `backup.uploadProviders.aws.image.repository` | AWS CLI image repository | `bitnami/aws-cli` |
|
||||
| `backup.uploadProviders.aws.image.tag` | AWS CLI image tag (immutable tags are recommended) | `2.13.3-debian-11-r4` |
|
||||
| `backup.uploadProviders.aws.image.digest` | AWS CLI image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `backup.uploadProviders.aws.image.pullPolicy` | AWS CLI image pull policy | `IfNotPresent` |
|
||||
| `backup.uploadProviders.aws.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
| Name | Description | Value |
|
||||
| ------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------- | -------------------------- |
|
||||
| `backup.enabled` | Enable InfluxDB™ backup | `false` |
|
||||
| `backup.directory` | Directory where backups are stored | `/backups` |
|
||||
| `backup.retentionDays` | Retention time in days for backups (older backups are deleted) | `10` |
|
||||
| `backup.cronjob.schedule` | Schedule in Cron format to save snapshots | `0 2 * * *` |
|
||||
| `backup.cronjob.historyLimit` | Number of successful finished jobs to retain | `1` |
|
||||
| `backup.cronjob.podAnnotations` | Pod annotations | `{}` |
|
||||
| `backup.cronjob.securityContext.enabled` | Enable security context for InfluxDB™ backup pods | `true` |
|
||||
| `backup.cronjob.securityContext.fsGroup` | Group ID for the InfluxDB™ filesystem | `1001` |
|
||||
| `backup.cronjob.securityContext.runAsUser` | User ID for the InfluxDB™ filesystem | `1001` |
|
||||
| `backup.cronjob.securityContext.runAsGroup` | Group ID for the InfluxDB™ runAsGroup | `0` |
|
||||
| `backup.cronjob.securityContext.runAsNonRoot` | Setting for the InfluxDB™ runAsNonRoot | `true` |
|
||||
| `backup.cronjob.securityContext.seccompProfile.type` | Setting for the InfluxDB™ seccompProfile.type | `RuntimeDefault` |
|
||||
| `backup.cronjob.containerSecurityContext.enabled` | Enable security context for InfluxDB™ backup containers | `true` |
|
||||
| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | readOnlyRootFilesystem for InfluxDB™ | `true` |
|
||||
| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | allowPrivilegeEscalation for InfluxDB™ | `false` |
|
||||
| `backup.cronjob.containerSecurityContext.capabilities.drop` | Capabilities to drop for InfluxDB™ | `["ALL"]` |
|
||||
| `backup.podAffinityPreset` | Backup ™ Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `backup.podAntiAffinityPreset` | Backup™ Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
|
||||
| `backup.nodeAffinityPreset.type` | Backup™ Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `backup.nodeAffinityPreset.key` | Backup™ Node label key to match Ignored if `affinity` is set. | `""` |
|
||||
| `backup.nodeAffinityPreset.values` | Backup™ Node label values to match. Ignored if `affinity` is set. | `[]` |
|
||||
| `backup.affinity` | Backup™ Affinity for backup pod assignment | `{}` |
|
||||
| `backup.nodeSelector` | Backup™ Node labels for backup pod assignment | `{}` |
|
||||
| `backup.tolerations` | Backup™ Tolerations for backup pod assignment | `[]` |
|
||||
| `backup.uploadProviders.google.enabled` | enable upload to google storage bucket | `false` |
|
||||
| `backup.uploadProviders.google.secret` | json secret with serviceaccount data to access Google storage bucket | `""` |
|
||||
| `backup.uploadProviders.google.secretKey` | service account secret key name | `key.json` |
|
||||
| `backup.uploadProviders.google.existingSecret` | Name of existing secret object with Google serviceaccount json credentials | `""` |
|
||||
| `backup.uploadProviders.google.bucketName` | google storage bucket name name | `gs://bucket/influxdb` |
|
||||
| `backup.uploadProviders.google.image.registry` | Google Cloud SDK image registry | `docker.io` |
|
||||
| `backup.uploadProviders.google.image.repository` | Google Cloud SDK image name | `bitnami/google-cloud-sdk` |
|
||||
| `backup.uploadProviders.google.image.tag` | Google Cloud SDK image tag | `0.439.0-debian-11-r6` |
|
||||
| `backup.uploadProviders.google.image.digest` | Google Cloud SDK image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `backup.uploadProviders.google.image.pullPolicy` | Google Cloud SDK image pull policy | `IfNotPresent` |
|
||||
| `backup.uploadProviders.google.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
| `backup.uploadProviders.azure.enabled` | Enable upload to azure storage container | `false` |
|
||||
| `backup.uploadProviders.azure.secret` | Secret with credentials to access Azure storage | `""` |
|
||||
| `backup.uploadProviders.azure.secretKey` | Service account secret key name | `connection-string` |
|
||||
| `backup.uploadProviders.azure.existingSecret` | Name of existing secret object | `""` |
|
||||
| `backup.uploadProviders.azure.containerName` | Destination container | `influxdb-container` |
|
||||
| `backup.uploadProviders.azure.image.registry` | Azure CLI image registry | `docker.io` |
|
||||
| `backup.uploadProviders.azure.image.repository` | Azure CLI image repository | `bitnami/azure-cli` |
|
||||
| `backup.uploadProviders.azure.image.tag` | Azure CLI image tag (immutable tags are recommended) | `2.50.0-debian-11-r16` |
|
||||
| `backup.uploadProviders.azure.image.digest` | Azure CLI image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `backup.uploadProviders.azure.image.pullPolicy` | Azure CLI image pull policy | `IfNotPresent` |
|
||||
| `backup.uploadProviders.azure.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
| `backup.uploadProviders.aws.enabled` | Enable upload to aws s3 bucket | `false` |
|
||||
| `backup.uploadProviders.aws.accessKeyID` | Access Key ID to access aws s3 | `""` |
|
||||
| `backup.uploadProviders.aws.secretAccessKey` | Secret Access Key to access aws s3 | `""` |
|
||||
| `backup.uploadProviders.aws.region` | Region of aws s3 bucket | `us-east-1` |
|
||||
| `backup.uploadProviders.aws.existingSecret` | Name of existing secret object | `""` |
|
||||
| `backup.uploadProviders.aws.bucketName` | aws s3 bucket name | `s3://bucket/influxdb` |
|
||||
| `backup.uploadProviders.aws.image.registry` | AWS CLI image registry | `docker.io` |
|
||||
| `backup.uploadProviders.aws.image.repository` | AWS CLI image repository | `bitnami/aws-cli` |
|
||||
| `backup.uploadProviders.aws.image.tag` | AWS CLI image tag (immutable tags are recommended) | `2.13.3-debian-11-r4` |
|
||||
| `backup.uploadProviders.aws.image.digest` | AWS CLI image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `backup.uploadProviders.aws.image.pullPolicy` | AWS CLI image pull policy | `IfNotPresent` |
|
||||
| `backup.uploadProviders.aws.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
|
||||
## RBAC Parameters
|
||||
|
||||
|
||||
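Review bot: The `backup.cronjob.securityContext.runAsUser` row describes the value as "User ID for the InfluxDB™ filesystem", which is the wording for `fsGroup`, not for the UID the backup pod runs as. The `runAsGroup`, `runAsNonRoot` and `seccompProfile.type` rows only repeat the key name ("Setting for the InfluxDB™ runAsNonRoot"). Because this table is generated from the `@param` comments in values.yaml, correct the text there, say that these settings apply to the backup CronJob pods and containers rather than to InfluxDB™ itself, and regenerate. The stray space in "Backup ™ Pod affinity preset" can be fixed in the same pass.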
@@ -32,9 +32,7 @@ spec:
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.podAnnotations "context" $) | nindent 12 }}
|
||||
spec:
|
||||
{{- if .Values.backup.cronjob.securityContext.enabled }}
|
||||
securityContext:
|
||||
fsGroup: {{ .Values.backup.cronjob.securityContext.fsGroup }}
|
||||
runAsUser: {{ .Values.backup.cronjob.securityContext.runAsUser }}
|
||||
securityContext: {{- omit .Values.backup.cronjob.securityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
restartPolicy: OnFailure
|
||||
volumes:
|
||||
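Review bot: Switching the pod `securityContext:` from the two explicit keys (`fsGroup`, `runAsUser`) to `omit .Values.backup.cronjob.securityContext "enabled" | toYaml` changes what existing releases render on upgrade, and nothing in the change documents that. With the new defaults in values.yaml, every backup pod now also gets `runAsGroup`, `runAsNonRoot` and `seccompProfile`, including for users who only ever overrode `fsGroup` or `runAsUser`, since Helm merges their overrides with the chart defaults. Please add an upgrade note for 5.8.0 that lists the newly rendered fields and explains that a default key has to be set to `null` to drop it. It is also worth stating that any key placed under this map is now passed to the pod spec verbatim, so a typo surfaces as an API validation error at install time rather than being ignored.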
@@ -94,6 +92,9 @@ spec:
|
||||
- name: backup-scripts
|
||||
mountPath: /tmp/backup.sh
|
||||
subPath: backup.sh
|
||||
{{- if .Values.backup.cronjob.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.backup.cronjob.containerSecurityContext "enabled" | toYaml | nindent 16 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: influxdb-backup-dummy-container
|
||||
image: {{ include "influxdb.image" . | quote }}
|
||||
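Review bot: The `securityContext` added after the `backup.sh` mount applies `backup.cronjob.containerSecurityContext`, whose default sets `readOnlyRootFilesystem: true`, but nothing in this hunk shows that the backup step has a writable location. The only mount visible here is the script itself at `/tmp/backup.sh` via `subPath`, so `/tmp` and the container user's home directory stay read-only unless another volume covers them. Please confirm that `backup.sh` and the CLI it calls write only to mounted volumes, and add an `emptyDir` for scratch space if they do not. A test run of the CronJob with the default values would be enough evidence for the PR.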
@@ -104,6 +105,9 @@ spec:
|
||||
command:
|
||||
- "/bin/true"
|
||||
{{- end }}
|
||||
{{- if .Values.backup.cronjob.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.backup.cronjob.containerSecurityContext "enabled" | toYaml | nindent 16 }}
|
||||
{{- end }}
|
||||
{{- if .Values.backup.uploadProviders.google.enabled }}
|
||||
- name: gsutil-cp
|
||||
image: {{ include "gcloudSdk.image" . }}
|
||||
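Review bot: The three-line `{{- if .Values.backup.cronjob.containerSecurityContext.enabled }}` block added after the dummy container's `command` is repeated verbatim in every other container of this template (the backup container and the google, azure and aws upload containers). Consider moving it into a named template in `_helpers.tpl` and including it from each container, so a later change to the rendering, such as the `nindent` width or the list of omitted keys, cannot be applied to four containers and missed in the fifth.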
@@ -122,6 +126,9 @@ spec:
|
||||
subPath: upload-google.sh
|
||||
- name: google-cloud-key
|
||||
mountPath: /var/secrets/google/
|
||||
{{- if .Values.backup.cronjob.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.backup.cronjob.containerSecurityContext "enabled" | toYaml | nindent 16 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.backup.uploadProviders.azure.enabled }}
|
||||
- name: azure-cli
|
||||
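Review bot: The `gsutil-cp` container gets the same `backup.cronjob.containerSecurityContext` as the InfluxDB™ image, although it runs a different image (`gcloudSdk.image`) with its own requirements, and the same is done for `azure-cli` and `aws-cli` in the following hunks. With `readOnlyRootFilesystem: true` as the default, please check that each upload CLI works without writing configuration, credential cache or state files to its home directory. The mounts visible here are the upload script and `/var/secrets/google/`, neither of which provides a writable path. If one of the tools needs one, either mount an `emptyDir` for it or expose a per-provider security context so a single tool does not force the setting off for all containers.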
@@ -149,6 +156,9 @@ spec:
|
||||
- name: backup-scripts
|
||||
mountPath: /tmp/upload-azure.sh
|
||||
subPath: upload-azure.sh
|
||||
{{- if .Values.backup.cronjob.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.backup.cronjob.containerSecurityContext "enabled" | toYaml | nindent 16 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.backup.uploadProviders.aws.enabled }}
|
||||
- name: aws-cli
|
||||
@@ -194,5 +204,8 @@ spec:
|
||||
- name: backup-scripts
|
||||
mountPath: /tmp/upload-aws.sh
|
||||
subPath: upload-aws.sh
|
||||
{{- if .Values.backup.cronjob.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.backup.cronjob.containerSecurityContext "enabled" | toYaml | nindent 16 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -279,12 +279,24 @@ influxdb:
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
||||
## @param influxdb.containerSecurityContext.enabled Enabled InfluxDB™ containers' Security Context
|
||||
## @param influxdb.containerSecurityContext.runAsUser Set InfluxDB™ containers' Security Context runAsUser
|
||||
## @param influxdb.containerSecurityContext.runAsGroup Set InfluxDB™ containers' Security Context runAsGroup
|
||||
## @param influxdb.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot
|
||||
## @param influxdb.containerSecurityContext.allowPrivilegeEscalation Set Controller container's Security Context allowPrivilegeEscalation
|
||||
## @param influxdb.containerSecurityContext.seccompProfile.type Set Controller container's Security Context seccompProfile
|
||||
## @param influxdb.containerSecurityContext.capabilities.drop Set Controller container's Security Context capabilities to drop
|
||||
#
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
## InfluxDB™ pods' resource requests and limits
|
||||
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
|
||||
## We usually recommend not to specify default resources and to leave this as a conscious
|
||||
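Review bot: The four new `@param` lines for `runAsNonRoot`, `allowPrivilegeEscalation`, `seccompProfile.type` and `capabilities.drop` say "Set Controller container's Security Context ...", while the lines directly above them say "InfluxDB™ containers' Security Context". This chart has no controller, so the wording looks copied from another chart and will end up in the generated README; please align it with the existing two descriptions. There is also a lone `#` line ahead of the closing `##` that should be removed. As a follow-up question, the backup containers default to `readOnlyRootFilesystem: true` but this block does not set it for the main InfluxDB™ container; if that is deliberate, a short comment saying why would help.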
@@ -879,14 +891,34 @@ backup:
|
||||
podAnnotations: {}
|
||||
## K8s Security Context for Backup Cronjob pods
|
||||
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
## @param backup.cronjob.securityContext.enabled Enable security context for InfluxDB™
|
||||
## @param backup.cronjob.securityContext.enabled Enable security context for InfluxDB™ backup pods
|
||||
## @param backup.cronjob.securityContext.fsGroup Group ID for the InfluxDB™ filesystem
|
||||
## @param backup.cronjob.securityContext.runAsUser Group ID for the InfluxDB™ filesystem
|
||||
## @param backup.cronjob.securityContext.runAsUser User ID for the InfluxDB™ filesystem
|
||||
## @param backup.cronjob.securityContext.runAsGroup Group ID for the InfluxDB™ runAsGroup
|
||||
## @param backup.cronjob.securityContext.runAsNonRoot Setting for the InfluxDB™ runAsNonRoot
|
||||
## @param backup.cronjob.securityContext.seccompProfile.type Setting for the InfluxDB™ seccompProfile.type
|
||||
##
|
||||
securityContext:
|
||||
enabled: true
|
||||
fsGroup: 1001
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
## K8s Security Context for Backup Cronjob containers
|
||||
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
||||
## @param backup.cronjob.containerSecurityContext.enabled Enable security context for InfluxDB™ backup containers
|
||||
## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem readOnlyRootFilesystem for InfluxDB™
|
||||
## @param backup.cronjob.containerSecurityContext.allowPrivilegeEscalation allowPrivilegeEscalation for InfluxDB™
|
||||
## @param backup.cronjob.containerSecurityContext.capabilities.drop Capabilities to drop for InfluxDB™
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: [ "ALL" ]
|
||||
## @param backup.podAffinityPreset Backup ™ Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
|
||||
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
||||
##
|
||||
|
||||
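Review bot: `runAsGroup: 0` under `backup.cronjob.securityContext` makes the root group the primary group of a pod that otherwise sets `runAsNonRoot: true`, and the `@param` text ("Group ID for the InfluxDB™ runAsGroup") gives no reason for it. Please add a comment explaining why GID 0 is required, or use a non-root GID if it is not. Two smaller points in the same hunk: the `containerSecurityContext` `@param` block has no closing `##` line before the key, unlike the `securityContext` block above it, and `drop: [ "ALL" ]` uses flow style where `influxdb.containerSecurityContext` uses a block list (`- ALL`), so pick one form for both.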