mirror of
https://github.com/bitnami/charts.git
synced 2026-03-06 23:47:48 +08:00
[bitnami/kafka] Add passwordSecret parameter (#8936)
* [bitnami/kafka] Add passwordSecret parameter to provide pem/jks password through a secret
  Signed-off-by: Yohan Boyer <yohan.boyer@ioterop.com>
* [bitnami/kafka] Bump version
  Signed-off-by: Yohan Boyer <yohan.boyer@ioterop.com>
* [bitnami/kafka] change parameter name
  Signed-off-by: Yohan Boyer <yohan.boyer@ioterop.com>
@@ -29,4 +29,4 @@ name: kafka
|
||||
sources:
|
||||
- https://github.com/bitnami/bitnami-docker-kafka
|
||||
- https://kafka.apache.org/
|
||||
version: 15.2.3
|
||||
version: 15.3.0
|
||||
|
||||
@@ -83,7 +83,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| ------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- |
|
||||
| `image.registry` | Kafka image registry | `docker.io` |
|
||||
| `image.repository` | Kafka image repository | `bitnami/kafka` |
|
||||
| `image.tag` | Kafka image tag (immutable tags are recommended) | `3.1.0-debian-10-r8` |
|
||||
| `image.tag` | Kafka image tag (immutable tags are recommended) | `3.1.0-debian-10-r14` |
|
||||
| `image.pullPolicy` | Kafka image pull policy | `IfNotPresent` |
|
||||
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
| `image.debug` | Specify if debug values should be set | `false` |
|
||||
@@ -134,6 +134,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| `auth.tls.existingSecrets` | Array existing secrets containing the TLS certificates for the Kafka brokers | `[]` |
|
||||
| `auth.tls.autoGenerated` | Generate automatically self-signed TLS certificates for Kafka brokers. Currently only supported if `auth.tls.type` is `pem` | `false` |
|
||||
| `auth.tls.password` | Password to access the JKS files or PEM key when they are password-protected. | `""` |
|
||||
| `auth.tls.existingSecret` | Name of the secret containing the password to access the JKS files or PEM key when they are password-protected. (`key`: `password`) | `""` |
|
||||
| `auth.tls.jksTruststoreSecret` | Name of the existing secret containing your truststore if truststore not existing or different from the ones in the `auth.tls.existingSecrets` | `""` |
|
||||
| `auth.tls.jksKeystoreSAN` | The secret key from the `auth.tls.existingSecrets` containing the keystore with a SAN certificate | `""` |
|
||||
| `auth.tls.jksTruststore` | The secret key from the `auth.tls.existingSecrets` or `auth.tls.jksTruststoreSecret` containing the truststore | `""` |
|
||||
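Review bot: the added `auth.tls.existingSecret` row differs by one character from `auth.tls.existingSecrets` three rows above it, although the first names a secret holding a password and the second is an array of secrets holding certificates, which makes the two easy to mistype for each other. A name that says what the secret carries, such as the `passwordSecret` used in the commit subject, would remove the ambiguity. The `auth.tls.password` row should also say that it is ignored when the secret is set, as the values.yaml comment does.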
@@ -289,7 +290,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` |
|
||||
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
|
||||
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` |
|
||||
| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `10-debian-10-r326` |
|
||||
| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `10-debian-10-r332` |
|
||||
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
|
||||
| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
|
||||
| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` |
|
||||
@@ -315,7 +316,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| `metrics.kafka.enabled` | Whether or not to create a standalone Kafka exporter to expose Kafka metrics | `false` |
|
||||
| `metrics.kafka.image.registry` | Kafka exporter image registry | `docker.io` |
|
||||
| `metrics.kafka.image.repository` | Kafka exporter image repository | `bitnami/kafka-exporter` |
|
||||
| `metrics.kafka.image.tag` | Kafka exporter image tag (immutable tags are recommended) | `1.4.2-debian-10-r135` |
|
||||
| `metrics.kafka.image.tag` | Kafka exporter image tag (immutable tags are recommended) | `1.4.2-debian-10-r140` |
|
||||
| `metrics.kafka.image.pullPolicy` | Kafka exporter image pull policy | `IfNotPresent` |
|
||||
| `metrics.kafka.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
| `metrics.kafka.certificatesSecret` | Name of the existing secret containing the optional certificate and key files | `""` |
|
||||
@@ -360,7 +361,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
| `metrics.jmx.enabled` | Whether or not to expose JMX metrics to Prometheus | `false` |
|
||||
| `metrics.jmx.image.registry` | JMX exporter image registry | `docker.io` |
|
||||
| `metrics.jmx.image.repository` | JMX exporter image repository | `bitnami/jmx-exporter` |
|
||||
| `metrics.jmx.image.tag` | JMX exporter image tag (immutable tags are recommended) | `0.16.1-debian-10-r197` |
|
||||
| `metrics.jmx.image.tag` | JMX exporter image tag (immutable tags are recommended) | `0.16.1-debian-10-r203` |
|
||||
| `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` |
|
||||
| `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
| `metrics.jmx.containerSecurityContext.enabled` | Enable Prometheus JMX exporter containers' Security Context | `true` |
|
||||
|
||||
@@ -30,7 +30,8 @@ In order to replicate the container startup scripts execute this command:
|
||||
{{- $externalClientProtocol := include "kafka.listenerType" (dict "protocol" (include "kafka.externalClientProtocol" . )) -}}
|
||||
{{- $saslMechanisms := .Values.auth.sasl.mechanisms -}}
|
||||
{{- $tlsEndpointIdentificationAlgorithm := default "" .Values.auth.tls.endpointIdentificationAlgorithm -}}
|
||||
{{- $tlsPassword := .Values.auth.tls.password -}}
|
||||
{{- $tlsPasswordSecret := printf "$(kubectl get secret %s --namespace %s -o jsonpath='{.data.password}' | base64 --decode | cut -d , -f 1)" .Values.auth.tls.existingSecret $releaseNamespace -}}
|
||||
{{- $tlsPassword := ternary .Values.auth.tls.password $tlsPasswordSecret (eq .Values.auth.tls.existingSecret "") -}}
|
||||
{{- $servicePort := int .Values.service.ports.client -}}
|
||||
|
||||
{{- if and (or (eq .Values.service.type "LoadBalancer") .Values.externalAccess.enabled) (eq $externalClientProtocol "PLAINTEXT") }}
|
||||
|
||||
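Review bot: the `cut -d , -f 1` at the end of the `$tlsPasswordSecret` command keeps only the text before the first comma, so a password containing a comma would be truncated in the rendered command, while the StatefulSet hunk passes the whole `password` key to the container through `secretKeyRef`. Drop the `cut` so both paths use the same value. The `printf` is also evaluated when `auth.tls.existingSecret` is empty; the `ternary` discards the result, but wrapping the lookup in an `if` would make the intent clearer.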
@@ -265,9 +265,15 @@ spec:
|
||||
value: {{ default "" .Values.auth.tls.endpointIdentificationAlgorithm | quote }}
|
||||
- name: KAFKA_TLS_CLIENT_AUTH
|
||||
value: {{ ternary "required" "none" (or (eq (include "kafka.externalClientProtocol" . ) "mtls") (eq .Values.auth.clientProtocol "mtls")) | quote }}
|
||||
{{- $tlsPassword := .Values.auth.tls.password }}
|
||||
- name: KAFKA_CERTIFICATE_PASSWORD
|
||||
value: {{ default "" $tlsPassword | quote }}
|
||||
{{- if .Values.auth.tls.existingSecret }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.auth.tls.existingSecret }}
|
||||
key: password
|
||||
{{- else }}
|
||||
value: {{ default "" .Values.auth.tls.password | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.jmx.enabled }}
|
||||
- name: JMX_PORT
|
||||
|
||||
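Review bot: the `else` branch still renders `auth.tls.password` as a literal `value:` for `KAFKA_CERTIFICATE_PASSWORD`, so on that path the password stays readable in the StatefulSet manifest and only the `existingSecret` branch keeps it out of the pod spec. Consider having the chart create a Secret from `auth.tls.password` so that both branches use `secretKeyRef`. In the new branch, `name: {{ .Values.auth.tls.existingSecret }}` is rendered unquoted, unlike the neighbouring values that go through `| quote`; add `| quote` there as well.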
@@ -311,10 +311,14 @@ auth:
|
||||
##
|
||||
autoGenerated: false
|
||||
## @param auth.tls.password Password to access the JKS files or PEM key when they are password-protected.
|
||||
## Note: ignored when using 'existingSecret'.
|
||||
##
|
||||
password: ""
|
||||
## @param auth.tls.existingSecret Name of the secret containing the password to access the JKS files or PEM key when they are password-protected. (`key`: `password`)
|
||||
##
|
||||
existingSecret: ""
|
||||
## @param auth.tls.jksTruststoreSecret Name of the existing secret containing your truststore if truststore not existing or different from the ones in the `auth.tls.existingSecrets`
|
||||
## Note: ignored when using 'pem' format for certificates .
|
||||
## Note: ignored when using 'pem' format for certificates.
|
||||
##
|
||||
jksTruststoreSecret: ""
|
||||
## @param auth.tls.jksKeystoreSAN The secret key from the `auth.tls.existingSecrets` containing the keystore with a SAN certificate
|
||||
|
||||