Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-02-27 15:37:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/redis-cluster]Allow redis-cluster securityContext override for redis-cluster init-containers (#13068)

Browse Source 
* Allow securityContext override for redis-cluster init-containers

Signed-off-by: cleverhu <shouping.hu@daocloud.io>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

Signed-off-by: cleverhu <shouping.hu@daocloud.io>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
This commit is contained in:
cleverhu
2022-10-26 17:49:49 +08:00
committed by GitHub
parent a39e51ee24
commit b0eb3a1df4
4 changed files with 123 additions and 99 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bitnami/redis-cluster/Chart.yaml
View File

@@ -23,4 +23,4 @@ name: redis-cluster
sources:
- https://github.com/bitnami/containers/tree/main/bitnami/redis
- http://redis.io/
version: 8.2.5
version: 8.2.6

196
bitnami/redis-cluster/README.md
View File

@@ -81,88 +81,91 @@ The command removes all the Kubernetes components associated with the chart and
### Redis&reg; Cluster Common parameters
| Name | Description | Value |
| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` |
| `fullnameOverride` | String to fully override common.names.fullname template | `""` |
| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` |
| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
| `commonLabels` | Labels to add to all deployed objects | `{}` |
| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` |
| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` |
| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` |
| `image.registry` | Redis&reg; cluster image registry | `docker.io` |
| `image.repository` | Redis&reg; cluster image repository | `bitnami/redis-cluster` |
| `image.tag` | Redis&reg; cluster image tag (immutable tags are recommended) | `7.0.5-debian-11-r9` |
| `image.digest` | Redis&reg; cluster image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | Redis&reg; cluster image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `image.debug` | Enable image debug mode | `false` |
| `networkPolicy.enabled` | Enable NetworkPolicy | `false` |
| `networkPolicy.allowExternal` | The Policy model to apply. Don't require client label for connections | `true` |
| `networkPolicy.ingressNSMatchLabels` | Allow connections from other namespacess. Just set label for namespace and set label for pods (optional). | `{}` |
| `networkPolicy.ingressNSPodMatchLabels` | For other namespaces match by pod labels and namespace labels | `{}` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` |
| `serviceAccount.name` | The name of the ServiceAccount to create | `""` |
| `serviceAccount.annotations` | Annotations for Cassandra Service Account | `{}` |
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `false` |
| `rbac.create` | Specifies whether RBAC resources should be created | `false` |
| `rbac.role.rules` | Rules to create. It follows the role specification | `[]` |
| `podSecurityContext.enabled` | Enable Redis&reg; pod Security Context | `true` |
| `podSecurityContext.fsGroup` | Group ID for the pods | `1001` |
| `podSecurityContext.runAsUser` | User ID for the pods | `1001` |
| `podSecurityContext.sysctls` | Set namespaced sysctls for the pods | `[]` |
| `podDisruptionBudget` | Limits the number of pods of the replicated application that are down simultaneously from voluntary disruptions | `{}` |
| `minAvailable` | Min number of pods that must still be available after the eviction | `""` |
| `maxUnavailable` | Max number of pods that can be unavailable after the eviction | `""` |
| `containerSecurityContext.enabled` | Enable Containers' Security Context | `true` |
| `containerSecurityContext.runAsUser` | User ID for the containers. | `1001` |
| `containerSecurityContext.runAsNonRoot` | Run container as non root | `true` |
| `usePassword` | Use password authentication | `true` |
| `password` | Redis&reg; password (ignored if existingSecret set) | `""` |
| `existingSecret` | Name of existing secret object (for password authentication) | `""` |
| `existingSecretPasswordKey` | Name of key containing password to be retrieved from the existing secret | `""` |
| `usePasswordFile` | Mount passwords as files instead of environment variables | `false` |
| `tls.enabled` | Enable TLS support for replication traffic | `false` |
| `tls.authClients` | Require clients to authenticate or not | `true` |
| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` |
| `tls.existingSecret` | The name of the existing secret that contains the TLS certificates | `""` |
| `tls.certificatesSecret` | DEPRECATED. Use tls.existingSecret instead | `""` |
| `tls.certFilename` | Certificate filename | `""` |
| `tls.certKeyFilename` | Certificate key filename | `""` |
| `tls.certCAFilename` | CA Certificate filename | `""` |
| `tls.dhParamsFilename` | File containing DH params (in order to support DH based ciphers) | `""` |
| `service.ports.redis` | Kubernetes Redis service port | `6379` |
| `service.nodePorts.redis` | Node port for Redis | `""` |
| `service.extraPorts` | Extra ports to expose in the service (normally used with the `sidecar` value) | `[]` |
| `service.annotations` | Provide any additional annotations which may be required. | `{}` |
| `service.labels` | Additional labels for redis service | `{}` |
| `service.type` | Service type for default redis service | `ClusterIP` |
| `service.clusterIP` | Service Cluster IP | `""` |
| `service.loadBalancerIP` | Load balancer IP if `service.type` is `LoadBalancer` | `""` |
| `service.loadBalancerSourceRanges` | Service Load Balancer sources | `[]` |
| `service.externalTrafficPolicy` | Service external traffic policy | `Cluster` |
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `persistence.path` | Path to mount the volume at, to use other images Redis&reg; images. | `/bitnami/redis/data` |
| `persistence.subPath` | The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services | `""` |
| `persistence.storageClass` | Storage class of backing PVC | `""` |
| `persistence.annotations` | Persistent Volume Claim annotations | `{}` |
| `persistence.accessModes` | Persistent Volume Access Modes | `["ReadWriteOnce"]` |
| `persistence.size` | Size of data volume | `8Gi` |
| `persistence.matchLabels` | Persistent Volume selectors | `{}` |
| `persistence.matchExpressions` | matchExpressions Persistent Volume selectors | `{}` |
| `volumePermissions.enabled` | Enable init container that changes volume permissions in the registry (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag | `11-debian-11-r43` |
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `volumePermissions.resources.limits` | The resources limits for the container | `{}` |
| `volumePermissions.resources.requests` | The requested resources for the container | `{}` |
| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
| Name | Description | Value |
| ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` |
| `fullnameOverride` | String to fully override common.names.fullname template | `""` |
| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` |
| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
| `commonLabels` | Labels to add to all deployed objects | `{}` |
| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` |
| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` |
| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` |
| `image.registry` | Redis&reg; cluster image registry | `docker.io` |
| `image.repository` | Redis&reg; cluster image repository | `bitnami/redis-cluster` |
| `image.tag` | Redis&reg; cluster image tag (immutable tags are recommended) | `7.0.5-debian-11-r9` |
| `image.digest` | Redis&reg; cluster image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | Redis&reg; cluster image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `image.debug` | Enable image debug mode | `false` |
| `networkPolicy.enabled` | Enable NetworkPolicy | `false` |
| `networkPolicy.allowExternal` | The Policy model to apply. Don't require client label for connections | `true` |
| `networkPolicy.ingressNSMatchLabels` | Allow connections from other namespacess. Just set label for namespace and set label for pods (optional). | `{}` |
| `networkPolicy.ingressNSPodMatchLabels` | For other namespaces match by pod labels and namespace labels | `{}` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` |
| `serviceAccount.name` | The name of the ServiceAccount to create | `""` |
| `serviceAccount.annotations` | Annotations for Cassandra Service Account | `{}` |
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `false` |
| `rbac.create` | Specifies whether RBAC resources should be created | `false` |
| `rbac.role.rules` | Rules to create. It follows the role specification | `[]` |
| `podSecurityContext.enabled` | Enable Redis&reg; pod Security Context | `true` |
| `podSecurityContext.fsGroup` | Group ID for the pods | `1001` |
| `podSecurityContext.runAsUser` | User ID for the pods | `1001` |
| `podSecurityContext.sysctls` | Set namespaced sysctls for the pods | `[]` |
| `podDisruptionBudget` | Limits the number of pods of the replicated application that are down simultaneously from voluntary disruptions | `{}` |
| `minAvailable` | Min number of pods that must still be available after the eviction | `""` |
| `maxUnavailable` | Max number of pods that can be unavailable after the eviction | `""` |
| `containerSecurityContext.enabled` | Enable Containers' Security Context | `true` |
| `containerSecurityContext.runAsUser` | User ID for the containers. | `1001` |
| `containerSecurityContext.runAsNonRoot` | Run container as non root | `true` |
| `usePassword` | Use password authentication | `true` |
| `password` | Redis&reg; password (ignored if existingSecret set) | `""` |
| `existingSecret` | Name of existing secret object (for password authentication) | `""` |
| `existingSecretPasswordKey` | Name of key containing password to be retrieved from the existing secret | `""` |
| `usePasswordFile` | Mount passwords as files instead of environment variables | `false` |
| `tls.enabled` | Enable TLS support for replication traffic | `false` |
| `tls.authClients` | Require clients to authenticate or not | `true` |
| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` |
| `tls.existingSecret` | The name of the existing secret that contains the TLS certificates | `""` |
| `tls.certificatesSecret` | DEPRECATED. Use tls.existingSecret instead | `""` |
| `tls.certFilename` | Certificate filename | `""` |
| `tls.certKeyFilename` | Certificate key filename | `""` |
| `tls.certCAFilename` | CA Certificate filename | `""` |
| `tls.dhParamsFilename` | File containing DH params (in order to support DH based ciphers) | `""` |
| `service.ports.redis` | Kubernetes Redis service port | `6379` |
| `service.nodePorts.redis` | Node port for Redis | `""` |
| `service.extraPorts` | Extra ports to expose in the service (normally used with the `sidecar` value) | `[]` |
| `service.annotations` | Provide any additional annotations which may be required. | `{}` |
| `service.labels` | Additional labels for redis service | `{}` |
| `service.type` | Service type for default redis service | `ClusterIP` |
| `service.clusterIP` | Service Cluster IP | `""` |
| `service.loadBalancerIP` | Load balancer IP if `service.type` is `LoadBalancer` | `""` |
| `service.loadBalancerSourceRanges` | Service Load Balancer sources | `[]` |
| `service.externalTrafficPolicy` | Service external traffic policy | `Cluster` |
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `persistence.path` | Path to mount the volume at, to use other images Redis&reg; images. | `/bitnami/redis/data` |
| `persistence.subPath` | The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services | `""` |
| `persistence.storageClass` | Storage class of backing PVC | `""` |
| `persistence.annotations` | Persistent Volume Claim annotations | `{}` |
| `persistence.accessModes` | Persistent Volume Access Modes | `["ReadWriteOnce"]` |
| `persistence.size` | Size of data volume | `8Gi` |
| `persistence.matchLabels` | Persistent Volume selectors | `{}` |
| `persistence.matchExpressions` | matchExpressions Persistent Volume selectors | `{}` |
| `volumePermissions.enabled` | Enable init container that changes volume permissions in the registry (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag | `11-debian-11-r43` |
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `volumePermissions.containerSecurityContext.enabled` | Enable Containers' Security Context | `true` |
| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the containers. | `0` |
| `volumePermissions.containerSecurityContext.privileged` | Run container as privileged | `false` |
| `volumePermissions.resources.limits` | The resources limits for the container | `{}` |
| `volumePermissions.resources.requests` | The requested resources for the container | `{}` |
| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
### Redis&reg; statefulset parameters
@@ -318,19 +321,22 @@ The command removes all the Kubernetes components associated with the chart and
### Sysctl Image parameters
| Name | Description | Value |
| -------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ----------------------- |
| `sysctlImage.enabled` | Enable an init container to modify Kernel settings | `false` |
| `sysctlImage.command` | sysctlImage command to execute | `[]` |
| `sysctlImage.registry` | sysctlImage Init container registry | `docker.io` |
| `sysctlImage.repository` | sysctlImage Init container repository | `bitnami/bitnami-shell` |
| `sysctlImage.tag` | sysctlImage Init container tag | `11-debian-11-r43` |
| `sysctlImage.digest` | sysctlImage Init container digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `sysctlImage.pullPolicy` | sysctlImage Init container pull policy | `IfNotPresent` |
| `sysctlImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `sysctlImage.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` |
| `sysctlImage.resources.limits` | The resources limits for the container | `{}` |
| `sysctlImage.resources.requests` | The requested resources for the container | `{}` |
| Name | Description | Value |
| ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ----------------------- |
| `sysctlImage.enabled` | Enable an init container to modify Kernel settings | `false` |
| `sysctlImage.command` | sysctlImage command to execute | `[]` |
| `sysctlImage.registry` | sysctlImage Init container registry | `docker.io` |
| `sysctlImage.repository` | sysctlImage Init container repository | `bitnami/bitnami-shell` |
| `sysctlImage.tag` | sysctlImage Init container tag | `11-debian-11-r43` |
| `sysctlImage.digest` | sysctlImage Init container digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `sysctlImage.pullPolicy` | sysctlImage Init container pull policy | `IfNotPresent` |
| `sysctlImage.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `sysctlImage.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` |
| `sysctlImage.containerSecurityContext.enabled` | Enable Containers' Security Context | `true` |
| `sysctlImage.containerSecurityContext.runAsUser` | User ID for the containers. | `0` |
| `sysctlImage.containerSecurityContext.privileged` | Run privileged as privileged | `true` |
| `sysctlImage.resources.limits` | The resources limits for the container | `{}` |
| `sysctlImage.resources.requests` | The requested resources for the container | `{}` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

6
bitnami/redis-cluster/templates/redis-statefulset.yaml
View File

@@ -382,9 +382,9 @@ spec:
{{- end }}
command:
{{- toYaml .Values.sysctlImage.command | nindent 12 }}
securityContext:
privileged: true
runAsUser: 0
{{- if .Values.sysctlImage.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.sysctlImage.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.redis.initContainers }}
{{- toYaml .Values.redis.initContainers | nindent 8 }}

18
bitnami/redis-cluster/values.yaml
View File

@@ -348,6 +348,15 @@ volumePermissions:
## - myRegistryKeySecretName
##
pullSecrets: []
## Containers Security Context
## @param volumePermissions.containerSecurityContext.enabled Enable Containers' Security Context
## @param volumePermissions.containerSecurityContext.runAsUser User ID for the containers.
## @param volumePermissions.containerSecurityContext.privileged Run container as privileged
##
containerSecurityContext:
enabled: true
runAsUser: 0
privileged: false
## Container resource requests and limits
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
## @param volumePermissions.resources.limits The resources limits for the container
@@ -975,6 +984,15 @@ sysctlImage:
## @param sysctlImage.mountHostSys Mount the host `/sys` folder to `/host-sys`
##
mountHostSys: false
## Containers Security Context
## @param sysctlImage.containerSecurityContext.enabled Enable Containers' Security Context
## @param sysctlImage.containerSecurityContext.runAsUser User ID for the containers.
## @param sysctlImage.containerSecurityContext.privileged Run privileged as privileged
##
containerSecurityContext:
enabled: true
runAsUser: 0
privileged: true
## Container resource requests and limits
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
## @param sysctlImage.resources.limits The resources limits for the container