From d914c684ec7dd4f9826e59ea25d22079fb5b78a2 Mon Sep 17 00:00:00 2001
From: Maha Benzekri
Date: Wed, 19 Feb 2025 17:46:19 +0100
Subject: [PATCH 1/4] bump mongo to v7
Issue: ZENKO-4950
---
 solution-base/deps.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/solution-base/deps.yaml b/solution-base/deps.yaml
index fb1bd11939..bcec85e9de 100644
--- a/solution-base/deps.yaml
+++ b/solution-base/deps.yaml
@@ -3,10 +3,10 @@
 # yq eval 'sortKeys(.)' -i deps.yaml
 mongodb-sharded:
 image: bitnami/mongodb-sharded
- tag: 6.0.12-debian-11-r5
+ tag: 7.0.6-debian-12-r0
 mongodb-sharded-exporter:
 image: bitnami/mongodb-exporter
- tag: 0.40.0-debian-12-r33
+ tag: 0.40.0-debian-12-r12
 mongodb-shell:
 image: bitnami/os-shell
 tag: 12-debian-12-r22
From 3f23988f9cbd01f4adde35548a230833f9134c73 Mon Sep 17 00:00:00 2001
From: Maha Benzekri
Date: Wed, 19 Feb 2025 17:48:16 +0100
Subject: [PATCH 2/4] upgrade mongodb sharded version in charts
Issue: ZENKO-4950
---
 solution-base/mongodb/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/solution-base/mongodb/Makefile b/solution-base/mongodb/Makefile
index 16ec5e118f..b3574c5104 100644
--- a/solution-base/mongodb/Makefile
+++ b/solution-base/mongodb/Makefile
@@ -3,7 +3,7 @@ CHART_DIR:="${ROOT_DIR}/charts"
 CHART_REPO:="https://charts.bitnami.com/bitnami"
 CHART_MONGO_REPLICASET_VERSION:="7.8.0"
-CHART_MONGO_SHARDED_VERSION:="6.6.7"
+CHART_MONGO_SHARDED_VERSION:="7.9.1"
 PATCH_DIR:="${ROOT_DIR}/patches"
 PATCH_FILES:="$(shell ls -d ${PATCH_DIR}/*)"
From 0ef05f61a5236b51b4c3e13890d41b5b27178bb8 Mon Sep 17 00:00:00 2001
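Review bot: The `mongodb-sharded-exporter` entry goes from `tag: 0.40.0-debian-12-r33` to `tag: 0.40.0-debian-12-r12`, which is a downgrade within the same exporter release rather than a bump: Bitnami's `-rN` suffix is the image rebuild revision, so r12 presumably predates the base-image package updates carried by r13 through r33. The same `r12` tag is copied into the `images` annotation of Chart.yaml in patch 3/4, which suggests it was taken from the upstream chart's defaults rather than chosen deliberately. Unless the older rebuild is actually required by chart 7.9.1, keep `tag: 0.40.0-debian-12-r33` (or the newest 0.40.0-debian-12 rebuild) here and let deps.yaml override the chart default. It would also help if the commit message stated whether the 6.0 to 7.0 server jump assumes existing clusters are already at featureCompatibilityVersion 6.0, since MongoDB's binary upgrade path depends on that.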
From: Maha Benzekri
Date: Wed, 19 Feb 2025 18:00:29 +0100
Subject: [PATCH 3/4] upgrade charts to v7
Issue: ZENKO-4950
---
 .../charts/mongodb-sharded/.helmignore | 2 +
 .../mongodb/charts/mongodb-sharded/Chart.lock | 6 +-
 .../mongodb/charts/mongodb-sharded/Chart.yaml | 10 +-
 .../mongodb/charts/mongodb-sharded/README.md | 908 ++++++++++--------
 .../mongodb-sharded/charts/common/.helmignore | 2 +
 .../mongodb-sharded/charts/common/Chart.yaml | 4 +-
 .../mongodb-sharded/charts/common/README.md | 10 +-
 .../charts/common/templates/_capabilities.tpl | 44 +
 .../common/templates/_compatibility.tpl | 35 +
 .../charts/common/templates/_images.tpl | 24 +-
 .../charts/common/templates/_labels.tpl | 10 +-
 .../charts/common/templates/_resources.tpl | 50 +
 .../charts/common/templates/_secrets.tpl | 22 +-
 .../charts/common/templates/_utils.tpl | 10 +
 .../charts/common/templates/_warnings.tpl | 65 +-
 .../mongodb-sharded/templates/NOTES.txt | 1 +
 .../mongodb-sharded/templates/_helpers.tpl | 23 -
 .../config-server-statefulset.yaml | 75 +-
 .../templates/mongos/mongos-dep-sts.yaml | 56 +-
 .../templates/networkpolicy.yaml | 75 ++
 .../replicaset-entrypoint-configmap.yaml | 14 -
 .../shard/shard-arbiter-statefulset.yaml | 42 +-
 .../shard/shard-data-podmonitor.yaml | 6 +-
 .../shard/shard-data-statefulset.yaml | 71 +-
 .../charts/mongodb-sharded/values.yaml | 374 ++++++--
 25 files changed, 1324 insertions(+), 615 deletions(-)
 create mode 100644 solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_compatibility.tpl
 create mode 100644 solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_resources.tpl
 create mode 100644 solution-base/mongodb/charts/mongodb-sharded/templates/networkpolicy.yaml
diff --git a/solution-base/mongodb/charts/mongodb-sharded/.helmignore b/solution-base/mongodb/charts/mongodb-sharded/.helmignore
index f0c1319444..fb56657ab4 100644
--- a/solution-base/mongodb/charts/mongodb-sharded/.helmignore
+++ b/solution-base/mongodb/charts/mongodb-sharded/.helmignore
@@ -19,3 +19,5 @@
 .project
 .idea/
 *.tmproj
+# img folder
+img/
diff --git a/solution-base/mongodb/charts/mongodb-sharded/Chart.lock b/solution-base/mongodb/charts/mongodb-sharded/Chart.lock
index 3aed37a569..7c2d61933b 100644
--- a/solution-base/mongodb/charts/mongodb-sharded/Chart.lock
+++ b/solution-base/mongodb/charts/mongodb-sharded/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.11.1
-digest: sha256:ead8f26c76a9ec082f23629a358e8efd8f88d87aaed734bf41febcb8a7bc5d4c
-generated: "2023-09-21T21:30:53.645379122Z"
+ version: 2.18.0
+digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
+generated: "2024-03-05T14:57:12.782866744+01:00"
diff --git a/solution-base/mongodb/charts/mongodb-sharded/Chart.yaml b/solution-base/mongodb/charts/mongodb-sharded/Chart.yaml
index 5aa2eadf7c..18cdb4283b 100644
--- a/solution-base/mongodb/charts/mongodb-sharded/Chart.yaml
+++ b/solution-base/mongodb/charts/mongodb-sharded/Chart.yaml
@@ -2,14 +2,14 @@ annotations:
 category: Database
 images: |
 - name: mongodb-exporter
- image: docker.io/bitnami/mongodb-exporter:0.39.0-debian-11-r106
+ image: docker.io/bitnami/mongodb-exporter:0.40.0-debian-12-r12
 - name: mongodb-sharded
- image: docker.io/bitnami/mongodb-sharded:6.0.10-debian-11-r8
+ image: docker.io/bitnami/mongodb-sharded:7.0.6-debian-12-r0
 - name: os-shell
- image: docker.io/bitnami/os-shell:11-debian-11-r72
+ image: docker.io/bitnami/os-shell:12-debian-12-r16
 licenses: Apache-2.0
 apiVersion: v2
-appVersion: 6.0.10
+appVersion: 7.0.6
 dependencies:
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
@@ -34,4 +34,4 @@ maintainers:
 name: mongodb-sharded
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/mongodb-sharded
-version: 6.6.7
+version: 7.9.1
diff --git a/solution-base/mongodb/charts/mongodb-sharded/README.md b/solution-base/mongodb/charts/mongodb-sharded/README.md
index af56001149..f54850a103 100644
--- a/solution-base/mongodb/charts/mongodb-sharded/README.md
+++ b/solution-base/mongodb/charts/mongodb-sharded/README.md
@@ -14,6 +14,8 @@ Disclaimer: The respective trademarks mentioned in the offering are owned by the
 helm install my-release oci://registry-1.docker.io/bitnamicharts/mongodb-sharded
 ```
+Looking to use MongoDBreg; Sharded in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
+
 ## Introduction
 This chart bootstraps a [MongoDB(®) Sharded](https://github.com/bitnami/containers/tree/main/bitnami/mongodb-sharded) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
@@ -24,12 +26,10 @@ This chart uses the [sharding method](https://docs.mongodb.com/manual/sharding/)
 Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
-Looking to use MongoDBreg; Sharded in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
-
 ## Prerequisites
-- Kubernetes 1.19+
-- Helm 3.2.0+
+- Kubernetes 1.23+
+- Helm 3.8.0+
 - PV provisioner support in the underlying infrastructure
 - ReadWriteMany volumes for deployment scaling
@@ -38,9 +38,11 @@ Looking to use MongoDBreg; Sharded in production? Try [VMware Application Catalo
 To install the chart with the release name `my-release`:
 ```console
-helm install my-release oci://registry-1.docker.io/bitnamicharts/mongodb-sharded
+helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb-sharded
 ```
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+
 The command deploys MongoDB® on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
 > **Tip**: List all releases using `helm list`
@@ -59,11 +61,12 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global storage class for dynamic provisioning | `""` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global storage class for dynamic provisioning | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | ### Common parameters 
@@ -83,306 +86,346 @@ The command removes all the Kubernetes components associated with the chart and ### MongoDB(®) Sharded parameters -| Name | Description | Value | -| ---------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | -| `image.registry` | MongoDB(®) Sharded image registry | `docker.io` | -| `image.repository` | MongoDB(®) Sharded Image name | `bitnami/mongodb-sharded` | -| `image.tag` | MongoDB(®) Sharded image tag (immutable tags are recommended) | `6.0.10-debian-11-r8` | -| `image.digest` | MongoDB(®) Sharded image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | MongoDB(®) Sharded image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `image.debug` | Specify if debug logs should be enabled | `false` | -| `auth.enabled` | Enable authentication | `true` | -| `auth.rootUser` | MongoDB(®) root user | `root` | -| `auth.rootPassword` | MongoDB(®) root password | `""` | -| `auth.replicaSetKey` | Key used for authentication in the replicaset (only when `architecture=replicaset`) | `""` | -| `auth.existingSecret` | Existing secret with MongoDB(®) credentials (keys: `mongodb-password`, `mongodb-root-password`, `mongodb-replica-set-key`) | `""` | -| `auth.usePasswordFile` | Mount credentials as files instead of using environment variables | `false` | -| `shards` | Number of shards to be created | `2` | -| `common.mongodbEnableNumactl` | Enable launch MongoDB instance prefixed with "numactl --interleave=all" | `false` | -| `common.useHostnames` | Enable DNS hostnames in the replica set config | `true` | -| `common.mongodbEnableIPv6` | Switch to enable/disable IPv6 on MongoDB® | `false` | -| `common.mongodbDirectoryPerDB` | Switch to 
enable/disable DirectoryPerDB on MongoDB® | `false` | -| `common.mongodbSystemLogVerbosity` | MongoDB® system log verbosity level | `0` | -| `common.mongodbDisableSystemLog` | Whether to disable MongoDB® system log or not | `false` | -| `common.mongodbMaxWaitTimeout` | Maximum time (in seconds) for MongoDB® nodes to wait for another MongoDB® node to be ready | `120` | -| `common.initScriptsCM` | Configmap with init scripts to execute | `""` | -| `common.initScriptsSecret` | Secret with init scripts to execute (for sensitive data) | `""` | -| `common.extraEnvVars` | An array to add extra env vars | `[]` | -| `common.extraEnvVarsCM` | Name of a ConfigMap containing extra env vars | `""` | -| `common.extraEnvVarsSecret` | Name of a Secret containing extra env vars | `""` | -| `common.sidecars` | Add sidecars to the pod | `[]` | -| `common.initContainers` | Add init containers to the pod | `[]` | -| `common.podAnnotations` | Additional pod annotations | `{}` | -| `common.podLabels` | Additional pod labels | `{}` | -| `common.extraVolumes` | Array to add extra volumes | `[]` | -| `common.extraVolumeMounts` | Array to add extra mounts (normally used with extraVolumes) | `[]` | -| `common.containerPorts.mongodb` | MongoDB container port | `27017` | -| `common.serviceAccount.create` | Whether to create a Service Account for all pods automatically | `false` | -| `common.serviceAccount.name` | Name of a Service Account to be used by all Pods | `""` | -| `common.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` | -| `common.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | -| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry 
| `docker.io` | -| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/os-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag | `11-debian-11-r72` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | -| `volumePermissions.resources` | Init container resource requests/limit | `{}` | -| `service.name` | Specify an explicit service name | `""` | -| `service.annotations` | Additional service annotations (evaluate as a template) | `{}` | -| `service.type` | Service type | `ClusterIP` | -| `service.externalTrafficPolicy` | External traffic policy | `Cluster` | -| `service.ports.mongodb` | MongoDB® service port | `27017` | -| `service.clusterIP` | Static clusterIP or None for headless services | `""` | -| `service.nodePorts.mongodb` | Specify the nodePort value for the LoadBalancer and NodePort service types. | `""` | -| `service.externalIPs` | External IP list to use with ClusterIP service type | `[]` | -| `service.loadBalancerIP` | Static IP Address to use for LoadBalancer service type | `""` | -| `service.loadBalancerSourceRanges` | List of IP ranges allowed access to load balancer (if supported) | `[]` | -| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `service.headless.annotations` | Annotations for the headless service. 
| `{}` | +| Name | Description | Value | +| ---------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | +| `image.registry` | MongoDB(®) Sharded image registry | `REGISTRY_NAME` | +| `image.repository` | MongoDB(®) Sharded Image name | `REPOSITORY_NAME/mongodb-sharded` | +| `image.digest` | MongoDB(®) Sharded image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | MongoDB(®) Sharded image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Specify if debug logs should be enabled | `false` | +| `auth.enabled` | Enable authentication | `true` | +| `auth.rootUser` | MongoDB(®) root user | `root` | +| `auth.rootPassword` | MongoDB(®) root password | `""` | +| `auth.replicaSetKey` | Key used for authentication in the replicaset | `""` | +| `auth.existingSecret` | Existing secret with MongoDB(®) credentials (keys: `mongodb-password`, `mongodb-root-password`, `mongodb-replica-set-key`) | `""` | +| `auth.usePasswordFile` | Mount credentials as files instead of using environment variables | `false` | +| `shards` | Number of shards to be created | `2` | +| `common.mongodbEnableNumactl` | Enable launch MongoDB instance prefixed with "numactl --interleave=all" | `false` | +| `common.useHostnames` | Enable DNS hostnames in the replica set config | `true` | +| `common.mongodbEnableIPv6` | Switch to enable/disable IPv6 on MongoDB® | `false` | +| `common.mongodbDirectoryPerDB` | Switch to enable/disable DirectoryPerDB on MongoDB® | `false` | +| `common.mongodbSystemLogVerbosity` | MongoDB® system log verbosity level | `0` | +| `common.mongodbDisableSystemLog` | 
Whether to disable MongoDB® system log or not | `false` | +| `common.mongodbInitRetryAttempts` | Maximum retries for checking the MongoDB® initialization status | `24` | +| `common.mongodbInitRetryDelay` | Time (in seconds) to wait between retries for checking the MongoDB® initialization status | `5` | +| `common.initScriptsCM` | Configmap with init scripts to execute | `""` | +| `common.initScriptsSecret` | Secret with init scripts to execute (for sensitive data) | `""` | +| `common.extraEnvVars` | An array to add extra env vars | `[]` | +| `common.extraEnvVarsCM` | Name of a ConfigMap containing extra env vars | `""` | +| `common.extraEnvVarsSecret` | Name of a Secret containing extra env vars | `""` | +| `common.sidecars` | Add sidecars to the pod | `[]` | +| `common.initContainers` | Add init containers to the pod | `[]` | +| `common.podAnnotations` | Additional pod annotations | `{}` | +| `common.podLabels` | Additional pod labels | `{}` | +| `common.extraVolumes` | Array to add extra volumes | `[]` | +| `common.extraVolumeMounts` | Array to add extra mounts (normally used with extraVolumes) | `[]` | +| `common.containerPorts.mongodb` | MongoDB container port | `27017` | +| `common.serviceAccount.create` | Whether to create a Service Account for all pods automatically | `true` | +| `common.serviceAccount.name` | Name of a Service Account to be used by all Pods | `""` | +| `common.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` | +| `common.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` | +| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init 
container volume-permissions image name | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `service.name` | Specify an explicit service name | `""` | +| `service.annotations` | Additional service annotations (evaluate as a template) | `{}` | +| `service.type` | Service type | `ClusterIP` | +| `service.externalTrafficPolicy` | External traffic policy | `Cluster` | +| `service.ports.mongodb` | MongoDB® service port | `27017` | +| `service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `service.nodePorts.mongodb` | Specify the nodePort value for the LoadBalancer and NodePort service types. 
| `""` | +| `service.externalIPs` | External IP list to use with ClusterIP service type | `[]` | +| `service.loadBalancerIP` | Static IP Address to use for LoadBalancer service type | `""` | +| `service.loadBalancerSourceRanges` | List of IP ranges allowed access to load balancer (if supported) | `[]` | +| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.headless.annotations` | Annotations for the headless service. | `{}` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Config Server parameters -| Name | Description | Value | -| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | -| `configsvr.replicaCount` | Number of nodes in the replica set (the first node will be primary) | `1` | -| `configsvr.resources` | Configure pod resources | `{}` | -| `configsvr.hostAliases` | Deployment pod host aliases | `[]` | -| `configsvr.mongodbExtraFlags` | MongoDB® additional command line 
flags | `[]` | -| `configsvr.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | -| `configsvr.priorityClassName` | Pod priority class name | `""` | -| `configsvr.podAffinityPreset` | Config Server Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `configsvr.podAntiAffinityPreset` | Config Server Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `configsvr.nodeAffinityPreset.type` | Config Server Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `configsvr.nodeAffinityPreset.key` | Config Server Node label key to match Ignored if `affinity` is set. | `""` | -| `configsvr.nodeAffinityPreset.values` | Config Server Node label values to match. Ignored if `affinity` is set. | `[]` | -| `configsvr.affinity` | Config Server Affinity for pod assignment | `{}` | -| `configsvr.nodeSelector` | Config Server Node labels for pod assignment | `{}` | -| `configsvr.tolerations` | Config Server Tolerations for pod assignment | `[]` | -| `configsvr.podManagementPolicy` | Statefulset's pod management policy, allows parallel startup of pods | `OrderedReady` | -| `configsvr.updateStrategy.type` | updateStrategy for MongoDB® Primary, Secondary and Arbiter statefulsets | `RollingUpdate` | -| `configsvr.config` | MongoDB® configuration file | `""` | -| `configsvr.configCM` | ConfigMap name with Config Server configuration file (cannot be used with configsvr.config) | `""` | -| `configsvr.extraEnvVars` | An array to add extra env vars | `[]` | -| `configsvr.extraEnvVarsCM` | Name of a ConfigMap containing extra env vars | `""` | -| `configsvr.extraEnvVarsSecret` | Name of a Secret containing extra env vars | `""` | -| `configsvr.sidecars` | Add sidecars to the pod | `[]` | -| `configsvr.initContainers` | Add init containers to the pod 
| `[]` | -| `configsvr.podAnnotations` | Additional pod annotations | `{}` | -| `configsvr.podLabels` | Additional pod labels | `{}` | -| `configsvr.extraVolumes` | Array to add extra volumes. Requires setting `extraVolumeMounts` | `[]` | -| `configsvr.extraVolumeMounts` | Array to add extra mounts (normally used with extraVolumes). Normally used with `extraVolumes` | `[]` | -| `configsvr.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | -| `configsvr.pdb.create` | Enable pod disruption budget | `false` | -| `configsvr.pdb.minAvailable` | Minimum number of available config pods allowed (`0` to disable) | `0` | -| `configsvr.pdb.maxUnavailable` | Maximum number of unavailable config pods allowed (`0` to disable) | `1` | -| `configsvr.persistence.enabled` | Use a PVC to persist data | `true` | -| `configsvr.persistence.mountPath` | Path to mount the volume at | `/bitnami/mongodb` | -| `configsvr.persistence.subPath` | Subdirectory of the volume to mount at (evaluated as a template) | `""` | -| `configsvr.persistence.storageClass` | Storage class of backing PVC | `""` | -| `configsvr.persistence.accessModes` | Use volume as ReadOnly or ReadWrite | `["ReadWriteOnce"]` | -| `configsvr.persistence.size` | PersistentVolumeClaim size | `8Gi` | -| `configsvr.persistence.annotations` | Persistent Volume annotations | `{}` | -| `configsvr.persistence.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. 
Leaving it empty will delete PVCs after the chart deleted | `""` | -| `configsvr.serviceAccount.create` | Specifies whether a ServiceAccount should be created for Config Server | `false` | -| `configsvr.serviceAccount.name` | Name of a Service Account to be used by Config Server | `""` | -| `configsvr.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` | -| `configsvr.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | -| `configsvr.external.host` | Primary node of an external Config Server replicaset | `""` | -| `configsvr.external.rootPassword` | Root password of the external Config Server replicaset | `""` | -| `configsvr.external.replicasetName` | Replicaset name of an external Config Server | `""` | -| `configsvr.external.replicasetKey` | Replicaset key of an external Config Server | `""` | -| `configsvr.podSecurityContext.enabled` | Enable security context | `true` | -| `configsvr.podSecurityContext.fsGroup` | Group ID for the container | `1001` | -| `configsvr.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `configsvr.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `configsvr.containerSecurityContext.runAsNonRoot` | Set containers' Security Context runAsNonRoot | `true` | -| `configsvr.containerSecurityContext.readOnlyRootFilesystem` | Set containers' Security Context runAsNonRoot | `false` | -| `configsvr.command` | Override default container command (useful when using custom images) | `["/bin/bash","/entrypoint/replicaset-entrypoint.sh"]` | -| `configsvr.args` | Override default container args (useful when using custom images) | `[]` | -| `configsvr.terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` | -| `configsvr.lifecycleHooks` | for the Config Server container(s) to automate configuration before or after startup 
| `{}` | -| `configsvr.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `configsvr.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` | -| `configsvr.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` | -| `configsvr.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `20` | -| `configsvr.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `2` | -| `configsvr.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `configsvr.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `configsvr.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` | -| `configsvr.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `30` | -| `configsvr.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `20` | -| `configsvr.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `configsvr.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `configsvr.startupProbe.enabled` | Enable startupProbe | `true` | -| `configsvr.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` | -| `configsvr.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `configsvr.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `configsvr.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | -| `configsvr.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `configsvr.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `configsvr.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `configsvr.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| Name | Description | Value | +| ------------------------------------------------------------- | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------ | +| `configsvr.replicaCount` | Number of nodes in the replica set (the first node will be primary) | `1` | +| `configsvr.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if configsvr.resources is set (configsvr.resources is recommended for production). | `none` | +| `configsvr.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `configsvr.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `configsvr.hostAliases` | Deployment pod host aliases | `[]` | +| `configsvr.mongodbExtraFlags` | MongoDB® additional command line flags | `[]` | +| `configsvr.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `configsvr.priorityClassName` | Pod priority class name | `""` | +| `configsvr.podAffinityPreset` | Config Server Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `configsvr.podAntiAffinityPreset` | Config Server Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `configsvr.nodeAffinityPreset.type` | Config Server Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `configsvr.nodeAffinityPreset.key` | Config Server Node label key to match Ignored if `affinity` is set. | `""` | +| `configsvr.nodeAffinityPreset.values` | Config Server Node label values to match. Ignored if `affinity` is set. 
| `[]` | +| `configsvr.affinity` | Config Server Affinity for pod assignment | `{}` | +| `configsvr.nodeSelector` | Config Server Node labels for pod assignment | `{}` | +| `configsvr.tolerations` | Config Server Tolerations for pod assignment | `[]` | +| `configsvr.podManagementPolicy` | Statefulset's pod management policy, allows parallel startup of pods | `OrderedReady` | +| `configsvr.updateStrategy.type` | updateStrategy for MongoDB® Primary, Secondary and Arbiter statefulsets | `RollingUpdate` | +| `configsvr.config` | MongoDB® configuration file | `""` | +| `configsvr.configCM` | ConfigMap name with Config Server configuration file (cannot be used with configsvr.config) | `""` | +| `configsvr.extraEnvVars` | An array to add extra env vars | `[]` | +| `configsvr.extraEnvVarsCM` | Name of a ConfigMap containing extra env vars | `""` | +| `configsvr.extraEnvVarsSecret` | Name of a Secret containing extra env vars | `""` | +| `configsvr.sidecars` | Add sidecars to the pod | `[]` | +| `configsvr.initContainers` | Add init containers to the pod | `[]` | +| `configsvr.podAnnotations` | Additional pod annotations | `{}` | +| `configsvr.podLabels` | Additional pod labels | `{}` | +| `configsvr.extraVolumes` | Array to add extra volumes. Requires setting `extraVolumeMounts` | `[]` | +| `configsvr.extraVolumeMounts` | Array to add extra mounts (normally used with extraVolumes). Normally used with `extraVolumes` | `[]` | +| `configsvr.schedulerName` | Use an alternate scheduler, e.g. "stork". 
| `""` | +| `configsvr.pdb.create` | Enable pod disruption budget | `false` | +| `configsvr.pdb.minAvailable` | Minimum number of available config pods allowed (`0` to disable) | `0` | +| `configsvr.pdb.maxUnavailable` | Maximum number of unavailable config pods allowed (`0` to disable) | `1` | +| `configsvr.persistence.enabled` | Use a PVC to persist data | `true` | +| `configsvr.persistence.mountPath` | Path to mount the volume at | `/bitnami/mongodb` | +| `configsvr.persistence.subPath` | Subdirectory of the volume to mount at (evaluated as a template) | `""` | +| `configsvr.persistence.storageClass` | Storage class of backing PVC | `""` | +| `configsvr.persistence.accessModes` | Use volume as ReadOnly or ReadWrite | `["ReadWriteOnce"]` | +| `configsvr.persistence.size` | PersistentVolumeClaim size | `8Gi` | +| `configsvr.persistence.annotations` | Persistent Volume annotations | `{}` | +| `configsvr.persistence.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. 
Leaving it empty will delete PVCs after the chart deleted | `""` | +| `configsvr.serviceAccount.create` | Specifies whether a ServiceAccount should be created for Config Server | `true` | +| `configsvr.serviceAccount.name` | Name of a Service Account to be used by Config Server | `""` | +| `configsvr.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` | +| `configsvr.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` | +| `configsvr.external.host` | Primary node of an external Config Server replicaset | `""` | +| `configsvr.external.rootPassword` | Root password of the external Config Server replicaset | `""` | +| `configsvr.external.replicasetName` | Replicaset name of an external Config Server | `""` | +| `configsvr.external.replicasetKey` | Replicaset key of an external Config Server | `""` | +| `configsvr.podSecurityContext.enabled` | Enable security context | `true` | +| `configsvr.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `configsvr.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `configsvr.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `configsvr.podSecurityContext.fsGroup` | Group ID for the container | `1001` | +| `configsvr.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `configsvr.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `configsvr.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `configsvr.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| `configsvr.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `configsvr.containerSecurityContext.privileged` | Set container's Security Context 
privileged | `false` | +| `configsvr.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `configsvr.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `configsvr.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `configsvr.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `configsvr.command` | Override default container command (useful when using custom images) | `["/bin/bash","/entrypoint/replicaset-entrypoint.sh"]` | +| `configsvr.args` | Override default container args (useful when using custom images) | `[]` | +| `configsvr.terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` | +| `configsvr.lifecycleHooks` | for the Config Server container(s) to automate configuration before or after startup | `{}` | +| `configsvr.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `configsvr.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` | +| `configsvr.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` | +| `configsvr.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `20` | +| `configsvr.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `2` | +| `configsvr.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `configsvr.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `configsvr.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` | +| `configsvr.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `30` | +| `configsvr.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `20` | +| `configsvr.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| 
`configsvr.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `configsvr.startupProbe.enabled` | Enable startupProbe | `true` | +| `configsvr.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` | +| `configsvr.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `configsvr.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `configsvr.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `configsvr.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `configsvr.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `configsvr.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `configsvr.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | ### Mongos parameters -| Name | Description | Value | -| -------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | --------------- | -| `mongos.replicaCount` | Number of replicas | `1` | -| `mongos.resources` | Configure pod resources | `{}` | -| `mongos.hostAliases` | Deployment pod host aliases | `[]` | -| `mongos.mongodbExtraFlags` | MongoDB® additional command line flags | `[]` | -| `mongos.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | -| `mongos.priorityClassName` | Pod priority class name | `""` | -| `mongos.podAffinityPreset` | Mongos Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `mongos.podAntiAffinityPreset` | Mongos Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `mongos.nodeAffinityPreset.type` | Mongos Node affinity preset type. 
Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `mongos.nodeAffinityPreset.key` | Mongos Node label key to match Ignored if `affinity` is set. | `""` | -| `mongos.nodeAffinityPreset.values` | Mongos Node label values to match. Ignored if `affinity` is set. | `[]` | -| `mongos.affinity` | Mongos Affinity for pod assignment | `{}` | -| `mongos.nodeSelector` | Mongos Node labels for pod assignment | `{}` | -| `mongos.tolerations` | Mongos Tolerations for pod assignment | `[]` | -| `mongos.podManagementPolicy` | Statefulsets pod management policy, allows parallel startup of pods | `OrderedReady` | -| `mongos.updateStrategy.type` | updateStrategy for MongoDB® Primary, Secondary and Arbiter statefulsets | `RollingUpdate` | -| `mongos.config` | MongoDB® configuration file | `""` | -| `mongos.configCM` | ConfigMap name with MongoDB® configuration file (cannot be used with mongos.config) | `""` | -| `mongos.extraEnvVars` | An array to add extra env vars | `[]` | -| `mongos.extraEnvVarsCM` | Name of a ConfigMap containing extra env vars | `""` | -| `mongos.extraEnvVarsSecret` | Name of a Secret containing extra env vars | `""` | -| `mongos.sidecars` | Add sidecars to the pod | `[]` | -| `mongos.initContainers` | Add init containers to the pod | `[]` | -| `mongos.podAnnotations` | Additional pod annotations | `{}` | -| `mongos.podLabels` | Additional pod labels | `{}` | -| `mongos.extraVolumes` | Array to add extra volumes. Requires setting `extraVolumeMounts` | `[]` | -| `mongos.extraVolumeMounts` | Array to add extra volume mounts. Normally used with `extraVolumes`. | `[]` | -| `mongos.schedulerName` | Use an alternate scheduler, e.g. "stork". 
| `""` | -| `mongos.useStatefulSet` | Use StatefulSet instead of Deployment | `false` | -| `mongos.servicePerReplica.enabled` | Create one service per mongos replica (must be used with statefulset) | `false` | -| `mongos.servicePerReplica.annotations` | Additional service annotations (evaluate as a template) | `{}` | -| `mongos.servicePerReplica.type` | Service type | `ClusterIP` | -| `mongos.servicePerReplica.externalTrafficPolicy` | External traffic policy | `Cluster` | -| `mongos.servicePerReplica.port` | MongoDB® service port | `27017` | -| `mongos.servicePerReplica.clusterIPs` | Array of static clusterIPs for each MongoDB@reg; replica. Length must be the same as mongos.replicaCount | `[]` | -| `mongos.servicePerReplica.nodePorts` | Array of node ports used for each MongoDB@reg; replica. Length must be the same as mongos.replicaCount | `[]` | -| `mongos.servicePerReplica.externalIPs` | External IP list to use with ClusterIP service type | `[]` | -| `mongos.servicePerReplica.loadBalancerIPs` | Array of static IP Address to use for each replica LoadBalancer service type. 
Length must be the same as mongos.replicaCount | `[]` | -| `mongos.servicePerReplica.loadBalancerSourceRanges` | List of IP ranges allowed access to load balancer (if supported) | `[]` | -| `mongos.servicePerReplica.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `mongos.servicePerReplica.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `mongos.servicePerReplica.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `mongos.pdb.create` | Enable pod disruption budget | `false` | -| `mongos.pdb.minAvailable` | Minimum number of available mongo pods allowed (`0` to disable) | `0` | -| `mongos.pdb.maxUnavailable` | Maximum number of unavailable mongo pods allowed (`0` to disable) | `1` | -| `mongos.serviceAccount.create` | Whether to create a Service Account for mongos automatically | `false` | -| `mongos.serviceAccount.name` | Name of a Service Account to be used by mongos | `""` | -| `mongos.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` | -| `mongos.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | -| `mongos.podSecurityContext.enabled` | Enable security context | `true` | -| `mongos.podSecurityContext.fsGroup` | Group ID for the container | `1001` | -| `mongos.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `mongos.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `mongos.containerSecurityContext.runAsNonRoot` | Set containers' Security Context runAsNonRoot | `true` | -| `mongos.containerSecurityContext.readOnlyRootFilesystem` | Set containers' Security Context runAsNonRoot | `false` | -| `mongos.command` | Override default container command (useful when using custom images) | `[]` | -| `mongos.args` | Override default container args (useful 
when using custom images) | `[]` | -| `mongos.terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` | -| `mongos.lifecycleHooks` | for the Mongo container(s) to automate configuration before or after startup | `{}` | -| `mongos.livenessProbe.enabled` | Enable livenessProbe | `true` | -| `mongos.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` | -| `mongos.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` | -| `mongos.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `20` | -| `mongos.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `2` | -| `mongos.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `mongos.readinessProbe.enabled` | Enable readinessProbe | `true` | -| `mongos.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` | -| `mongos.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `30` | -| `mongos.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `20` | -| `mongos.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `mongos.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `mongos.startupProbe.enabled` | Enable startupProbe | `false` | -| `mongos.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` | -| `mongos.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `mongos.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `mongos.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | -| `mongos.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `mongos.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `mongos.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| 
`mongos.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- | +| `mongos.replicaCount` | Number of replicas | `1` | +| `mongos.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if mongos.resources is set (mongos.resources is recommended for production). | `none` | +| `mongos.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `mongos.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `mongos.hostAliases` | Deployment pod host aliases | `[]` | +| `mongos.mongodbExtraFlags` | MongoDB® additional command line flags | `[]` | +| `mongos.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `mongos.priorityClassName` | Pod priority class name | `""` | +| `mongos.podAffinityPreset` | Mongos Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `mongos.podAntiAffinityPreset` | Mongos Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `mongos.nodeAffinityPreset.type` | Mongos Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `mongos.nodeAffinityPreset.key` | Mongos Node label key to match Ignored if `affinity` is set. | `""` | +| `mongos.nodeAffinityPreset.values` | Mongos Node label values to match. Ignored if `affinity` is set. 
| `[]` | +| `mongos.affinity` | Mongos Affinity for pod assignment | `{}` | +| `mongos.nodeSelector` | Mongos Node labels for pod assignment | `{}` | +| `mongos.tolerations` | Mongos Tolerations for pod assignment | `[]` | +| `mongos.podManagementPolicy` | Statefulsets pod management policy, allows parallel startup of pods | `OrderedReady` | +| `mongos.updateStrategy.type` | updateStrategy for MongoDB® Primary, Secondary and Arbiter statefulsets | `RollingUpdate` | +| `mongos.config` | MongoDB® configuration file | `""` | +| `mongos.configCM` | ConfigMap name with MongoDB® configuration file (cannot be used with mongos.config) | `""` | +| `mongos.extraEnvVars` | An array to add extra env vars | `[]` | +| `mongos.extraEnvVarsCM` | Name of a ConfigMap containing extra env vars | `""` | +| `mongos.extraEnvVarsSecret` | Name of a Secret containing extra env vars | `""` | +| `mongos.sidecars` | Add sidecars to the pod | `[]` | +| `mongos.initContainers` | Add init containers to the pod | `[]` | +| `mongos.podAnnotations` | Additional pod annotations | `{}` | +| `mongos.podLabels` | Additional pod labels | `{}` | +| `mongos.extraVolumes` | Array to add extra volumes. Requires setting `extraVolumeMounts` | `[]` | +| `mongos.extraVolumeMounts` | Array to add extra volume mounts. Normally used with `extraVolumes`. | `[]` | +| `mongos.schedulerName` | Use an alternate scheduler, e.g. "stork". 
| `""` | +| `mongos.useStatefulSet` | Use StatefulSet instead of Deployment | `false` | +| `mongos.servicePerReplica.enabled` | Create one service per mongos replica (must be used with statefulset) | `false` | +| `mongos.servicePerReplica.annotations` | Additional service annotations (evaluate as a template) | `{}` | +| `mongos.servicePerReplica.type` | Service type | `ClusterIP` | +| `mongos.servicePerReplica.externalTrafficPolicy` | External traffic policy | `Cluster` | +| `mongos.servicePerReplica.port` | MongoDB® service port | `27017` | +| `mongos.servicePerReplica.clusterIPs` | Array of static clusterIPs for each MongoDB@reg; replica. Length must be the same as mongos.replicaCount | `[]` | +| `mongos.servicePerReplica.nodePorts` | Array of node ports used for each MongoDB@reg; replica. Length must be the same as mongos.replicaCount | `[]` | +| `mongos.servicePerReplica.externalIPs` | External IP list to use with ClusterIP service type | `[]` | +| `mongos.servicePerReplica.loadBalancerIPs` | Array of static IP Address to use for each replica LoadBalancer service type. 
Length must be the same as mongos.replicaCount | `[]` | +| `mongos.servicePerReplica.loadBalancerSourceRanges` | List of IP ranges allowed access to load balancer (if supported) | `[]` | +| `mongos.servicePerReplica.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `mongos.servicePerReplica.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `mongos.servicePerReplica.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `mongos.pdb.create` | Enable pod disruption budget | `false` | +| `mongos.pdb.minAvailable` | Minimum number of available mongo pods allowed (`0` to disable) | `0` | +| `mongos.pdb.maxUnavailable` | Maximum number of unavailable mongo pods allowed (`0` to disable) | `1` | +| `mongos.serviceAccount.create` | Whether to create a Service Account for mongos automatically | `true` | +| `mongos.serviceAccount.name` | Name of a Service Account to be used by mongos | `""` | +| `mongos.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` | +| `mongos.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` | +| `mongos.podSecurityContext.enabled` | Enable security context | `true` | +| `mongos.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `mongos.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `mongos.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `mongos.podSecurityContext.fsGroup` | Group ID for the container | `1001` | +| `mongos.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `mongos.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `mongos.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| 
`mongos.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| `mongos.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `mongos.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `mongos.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `mongos.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `mongos.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `mongos.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `mongos.command` | Override default container command (useful when using custom images) | `[]` | +| `mongos.args` | Override default container args (useful when using custom images) | `[]` | +| `mongos.terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` | +| `mongos.lifecycleHooks` | for the Mongo container(s) to automate configuration before or after startup | `{}` | +| `mongos.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `mongos.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` | +| `mongos.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` | +| `mongos.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `20` | +| `mongos.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `2` | +| `mongos.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `mongos.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `mongos.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` | +| `mongos.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `30` | +| 
`mongos.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `20` | +| `mongos.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `mongos.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `mongos.startupProbe.enabled` | Enable startupProbe | `false` | +| `mongos.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` | +| `mongos.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `mongos.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `mongos.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `mongos.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `mongos.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `mongos.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `mongos.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | ### Shard configuration: Data node parameters -| Name | Description | Value | -| ------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------ | -| `shardsvr.dataNode.replicaCount` | Number of nodes in each shard replica set (the first node will be primary) | `1` | -| `shardsvr.dataNode.resources` | Configure pod resources | `{}` | -| `shardsvr.dataNode.mongodbExtraFlags` | MongoDB® additional command line flags | `[]` | -| `shardsvr.dataNode.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | -| `shardsvr.dataNode.priorityClassName` | Pod priority class name | `""` | -| `shardsvr.dataNode.podAffinityPreset` | Data nodes Pod affinity preset. 
Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `shardsvr.dataNode.podAntiAffinityPreset` | Data nodes Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `shardsvr.dataNode.nodeAffinityPreset.type` | Data nodes Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `shardsvr.dataNode.nodeAffinityPreset.key` | Data nodes Node label key to match Ignored if `affinity` is set. | `""` | -| `shardsvr.dataNode.nodeAffinityPreset.values` | Data nodes Node label values to match. Ignored if `affinity` is set. | `[]` | -| `shardsvr.dataNode.affinity` | Data nodes Affinity for pod assignment | `{}` | -| `shardsvr.dataNode.nodeSelector` | Data nodes Node labels for pod assignment | `{}` | -| `shardsvr.dataNode.tolerations` | Data nodes Tolerations for pod assignment | `[]` | -| `shardsvr.dataNode.podManagementPolicy` | podManagementPolicy for the statefulset, allows parallel startup of pods | `OrderedReady` | -| `shardsvr.dataNode.updateStrategy.type` | updateStrategy for MongoDB® Primary, Secondary and Arbiter statefulsets | `RollingUpdate` | -| `shardsvr.dataNode.hostAliases` | Deployment pod host aliases | `[]` | -| `shardsvr.dataNode.config` | Entries for the MongoDB® config file | `""` | -| `shardsvr.dataNode.configCM` | ConfigMap name with MongoDB® configuration (cannot be used with shardsvr.dataNode.config) | `""` | -| `shardsvr.dataNode.extraEnvVars` | An array to add extra env vars | `[]` | -| `shardsvr.dataNode.extraEnvVarsCM` | Name of a ConfigMap containing extra env vars | `""` | -| `shardsvr.dataNode.extraEnvVarsSecret` | Name of a Secret containing extra env vars | `""` | -| `shardsvr.dataNode.sidecars` | Attach additional containers (evaluated as a template) | `[]` | -| `shardsvr.dataNode.initContainers` | Add init containers to the pod | `[]` | -| `shardsvr.dataNode.podAnnotations` | Additional pod annotations | `{}` | -| 
`shardsvr.dataNode.podLabels` | Additional pod labels | `{}` | -| `shardsvr.dataNode.extraVolumes` | Array to add extra volumes. Requires setting `extraVolumeMounts` | `[]` | -| `shardsvr.dataNode.extraVolumeMounts` | Array to add extra mounts. Normally used with `extraVolumes` | `[]` | -| `shardsvr.dataNode.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | -| `shardsvr.dataNode.pdb.create` | Enable pod disruption budget | `false` | -| `shardsvr.dataNode.pdb.minAvailable` | Minimum number of available data pods allowed (`0` to disable) | `0` | -| `shardsvr.dataNode.pdb.maxUnavailable` | Maximum number of unavailable data pods allowed (`0` to disable) | `1` | -| `shardsvr.dataNode.serviceAccount.create` | Specifies whether a ServiceAccount should be created for shardsvr | `false` | -| `shardsvr.dataNode.serviceAccount.name` | Name of a Service Account to be used by shardsvr data pods | `""` | -| `shardsvr.dataNode.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` | -| `shardsvr.dataNode.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` | -| `shardsvr.dataNode.podSecurityContext.enabled` | Enable security context | `true` | -| `shardsvr.dataNode.podSecurityContext.fsGroup` | Group ID for the container | `1001` | -| `shardsvr.dataNode.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `shardsvr.dataNode.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `shardsvr.dataNode.containerSecurityContext.runAsNonRoot` | Set containers' Security Context runAsNonRoot | `true` | -| `shardsvr.dataNode.containerSecurityContext.readOnlyRootFilesystem` | Set containers' Security Context runAsNonRoot | `false` | -| `shardsvr.dataNode.command` | Override default container command (useful when using custom images) | `["/bin/bash","/entrypoint/replicaset-entrypoint.sh"]` 
|
-| `shardsvr.dataNode.args` | Override default container args (useful when using custom images) | `[]` |
-| `shardsvr.dataNode.terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` |
-| `shardsvr.dataNode.lifecycleHooks` | for the Data container(s) to automate configuration before or after startup | `{}` |
-| `shardsvr.dataNode.livenessProbe.enabled` | Enable livenessProbe | `true` |
-| `shardsvr.dataNode.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
-| `shardsvr.dataNode.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` |
-| `shardsvr.dataNode.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `20` |
-| `shardsvr.dataNode.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `2` |
-| `shardsvr.dataNode.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `shardsvr.dataNode.readinessProbe.enabled` | Enable readinessProbe | `true` |
-| `shardsvr.dataNode.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
-| `shardsvr.dataNode.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `30` |
-| `shardsvr.dataNode.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `20` |
-| `shardsvr.dataNode.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
-| `shardsvr.dataNode.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `shardsvr.dataNode.startupProbe.enabled` | Enable startupProbe | `false` |
-| `shardsvr.dataNode.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
-| `shardsvr.dataNode.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `shardsvr.dataNode.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `shardsvr.dataNode.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
-| `shardsvr.dataNode.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `shardsvr.dataNode.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `shardsvr.dataNode.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `shardsvr.dataNode.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| Name | Description | Value |
+| --------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
+| `shardsvr.dataNode.replicaCount` | Number of nodes in each shard replica set (the first node will be primary) | `1` |
+| `shardsvr.dataNode.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if shardsvr.dataNode.resources is set (shardsvr.dataNode.resources is recommended for production). | `none` |
+| `shardsvr.dataNode.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `shardsvr.dataNode.mongodbExtraFlags` | MongoDB® additional command line flags | `[]` |
+| `shardsvr.dataNode.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
+| `shardsvr.dataNode.priorityClassName` | Pod priority class name | `""` |
+| `shardsvr.dataNode.podAffinityPreset` | Data nodes Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `shardsvr.dataNode.podAntiAffinityPreset` | Data nodes Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `shardsvr.dataNode.nodeAffinityPreset.type` | Data nodes Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `shardsvr.dataNode.nodeAffinityPreset.key` | Data nodes Node label key to match Ignored if `affinity` is set. | `""` |
+| `shardsvr.dataNode.nodeAffinityPreset.values` | Data nodes Node label values to match. Ignored if `affinity` is set. | `[]` |
+| `shardsvr.dataNode.affinity` | Data nodes Affinity for pod assignment | `{}` |
+| `shardsvr.dataNode.nodeSelector` | Data nodes Node labels for pod assignment | `{}` |
+| `shardsvr.dataNode.tolerations` | Data nodes Tolerations for pod assignment | `[]` |
+| `shardsvr.dataNode.podManagementPolicy` | podManagementPolicy for the statefulset, allows parallel startup of pods | `OrderedReady` |
+| `shardsvr.dataNode.updateStrategy.type` | updateStrategy for MongoDB® Primary, Secondary and Arbiter statefulsets | `RollingUpdate` |
+| `shardsvr.dataNode.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
+| `shardsvr.dataNode.hostAliases` | Deployment pod host aliases | `[]` |
+| `shardsvr.dataNode.config` | Entries for the MongoDB® config file | `""` |
+| `shardsvr.dataNode.configCM` | ConfigMap name with MongoDB® configuration (cannot be used with shardsvr.dataNode.config) | `""` |
+| `shardsvr.dataNode.extraEnvVars` | An array to add extra env vars | `[]` |
+| `shardsvr.dataNode.extraEnvVarsCM` | Name of a ConfigMap containing extra env vars | `""` |
+| `shardsvr.dataNode.extraEnvVarsSecret` | Name of a Secret containing extra env vars | `""` |
+| `shardsvr.dataNode.sidecars` | Attach additional containers (evaluated as a template) | `[]` |
+| `shardsvr.dataNode.initContainers` | Add init containers to the pod | `[]` |
+| `shardsvr.dataNode.podAnnotations` | Additional pod annotations | `{}` |
+| `shardsvr.dataNode.podLabels` | Additional pod labels | `{}` |
+| `shardsvr.dataNode.extraVolumes` | Array to add extra volumes. Requires setting `extraVolumeMounts` | `[]` |
+| `shardsvr.dataNode.extraVolumeMounts` | Array to add extra mounts. Normally used with `extraVolumes` | `[]` |
+| `shardsvr.dataNode.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
+| `shardsvr.dataNode.pdb.create` | Enable pod disruption budget | `false` |
+| `shardsvr.dataNode.pdb.minAvailable` | Minimum number of available data pods allowed (`0` to disable) | `0` |
+| `shardsvr.dataNode.pdb.maxUnavailable` | Maximum number of unavailable data pods allowed (`0` to disable) | `1` |
+| `shardsvr.dataNode.serviceAccount.create` | Specifies whether a ServiceAccount should be created for shardsvr | `true` |
+| `shardsvr.dataNode.serviceAccount.name` | Name of a Service Account to be used by shardsvr data pods | `""` |
+| `shardsvr.dataNode.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` |
+| `shardsvr.dataNode.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
+| `shardsvr.dataNode.podSecurityContext.enabled` | Enable security context | `true` |
+| `shardsvr.dataNode.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `shardsvr.dataNode.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `shardsvr.dataNode.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `shardsvr.dataNode.podSecurityContext.fsGroup` | Group ID for the container | `1001` |
+| `shardsvr.dataNode.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `shardsvr.dataNode.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `shardsvr.dataNode.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `shardsvr.dataNode.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `shardsvr.dataNode.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `shardsvr.dataNode.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `shardsvr.dataNode.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `shardsvr.dataNode.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `shardsvr.dataNode.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `shardsvr.dataNode.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `shardsvr.dataNode.command` | Override default container command (useful when using custom images) | `["/bin/bash","/entrypoint/replicaset-entrypoint.sh"]` |
+| `shardsvr.dataNode.args` | Override default container args (useful when using custom images) | `[]` |
+| `shardsvr.dataNode.terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` |
+| `shardsvr.dataNode.lifecycleHooks` | for the Data container(s) to automate configuration before or after startup | `{}` |
+| `shardsvr.dataNode.livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `shardsvr.dataNode.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
+| `shardsvr.dataNode.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` |
+| `shardsvr.dataNode.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `20` |
+| `shardsvr.dataNode.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `2` |
+| `shardsvr.dataNode.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `shardsvr.dataNode.readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `shardsvr.dataNode.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
+| `shardsvr.dataNode.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `30` |
+| `shardsvr.dataNode.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `20` |
+| `shardsvr.dataNode.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `shardsvr.dataNode.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `shardsvr.dataNode.startupProbe.enabled` | Enable startupProbe | `false` |
+| `shardsvr.dataNode.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
+| `shardsvr.dataNode.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `shardsvr.dataNode.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `shardsvr.dataNode.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
+| `shardsvr.dataNode.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `shardsvr.dataNode.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `shardsvr.dataNode.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `shardsvr.dataNode.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
 ### Shard configuration: Persistence parameters
@@ -399,140 +442,166 @@ The command removes all the Kubernetes components associated with the chart and
 ### Shard configuration: Arbiter parameters
-| Name | Description | Value |
-| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------ | --------------- |
-| `shardsvr.arbiter.replicaCount` | Number of arbiters in each shard replica set (the first node will be primary) | `0` |
-| `shardsvr.arbiter.hostAliases` | Deployment pod host aliases | `[]` |
-| `shardsvr.arbiter.resources` | Configure pod resources | `{}` |
-| `shardsvr.arbiter.mongodbExtraFlags` | MongoDB® additional command line flags | `[]` |
-| `shardsvr.arbiter.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
-| `shardsvr.arbiter.priorityClassName` | Pod priority class name | `""` |
-| `shardsvr.arbiter.podAffinityPreset` | Arbiter's Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `shardsvr.arbiter.podAntiAffinityPreset` | Arbiter's Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
-| `shardsvr.arbiter.nodeAffinityPreset.type` | Arbiter's Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `shardsvr.arbiter.nodeAffinityPreset.key` | Arbiter's Node label key to match Ignored if `affinity` is set. | `""` |
-| `shardsvr.arbiter.nodeAffinityPreset.values` | Arbiter's Node label values to match. Ignored if `affinity` is set. | `[]` |
-| `shardsvr.arbiter.affinity` | Arbiter's Affinity for pod assignment | `{}` |
-| `shardsvr.arbiter.nodeSelector` | Arbiter's Node labels for pod assignment | `{}` |
-| `shardsvr.arbiter.tolerations` | Arbiter's Tolerations for pod assignment | `[]` |
-| `shardsvr.arbiter.podManagementPolicy` | Statefulset's pod management policy, allows parallel startup of pods | `OrderedReady` |
-| `shardsvr.arbiter.updateStrategy.type` | updateStrategy for MongoDB® Primary, Secondary and Arbiter statefulsets | `RollingUpdate` |
-| `shardsvr.arbiter.config` | MongoDB® configuration file | `""` |
-| `shardsvr.arbiter.configCM` | ConfigMap name with MongoDB® configuration file (cannot be used with shardsvr.arbiter.config) | `""` |
-| `shardsvr.arbiter.extraEnvVars` | An array to add extra env vars | `[]` |
-| `shardsvr.arbiter.extraEnvVarsCM` | Name of a ConfigMap containing extra env vars | `""` |
-| `shardsvr.arbiter.extraEnvVarsSecret` | Name of a Secret containing extra env vars | `""` |
-| `shardsvr.arbiter.sidecars` | Add sidecars to the pod | `[]` |
-| `shardsvr.arbiter.initContainers` | Add init containers to the pod | `[]` |
-| `shardsvr.arbiter.podAnnotations` | Additional pod annotations | `{}` |
-| `shardsvr.arbiter.podLabels` | Additional pod labels | `{}` |
-| `shardsvr.arbiter.extraVolumes` | Array to add extra volumes | `[]` |
-| `shardsvr.arbiter.extraVolumeMounts` | Array to add extra mounts (normally used with extraVolumes) | `[]` |
-| `shardsvr.arbiter.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
-| `shardsvr.arbiter.serviceAccount.create` | Specifies whether a ServiceAccount should be created for shardsvr arbiter nodes | `false` |
-| `shardsvr.arbiter.serviceAccount.name` | Name of a Service Account to be used by shardsvr arbiter pods | `""` |
-| `shardsvr.arbiter.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` |
-| `shardsvr.arbiter.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` |
-| `shardsvr.arbiter.podSecurityContext.enabled` | Enable security context | `true` |
-| `shardsvr.arbiter.podSecurityContext.fsGroup` | Group ID for the container | `1001` |
-| `shardsvr.arbiter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `shardsvr.arbiter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `shardsvr.arbiter.containerSecurityContext.runAsNonRoot` | Set containers' Security Context runAsNonRoot | `true` |
-| `shardsvr.arbiter.containerSecurityContext.readOnlyRootFilesystem` | Set containers' Security Context runAsNonRoot | `false` |
-| `shardsvr.arbiter.command` | Override default container command (useful when using custom images) | `[]` |
-| `shardsvr.arbiter.args` | Override default container args (useful when using custom images) | `[]` |
-| `shardsvr.arbiter.terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` |
-| `shardsvr.arbiter.lifecycleHooks` | for the arbiter container(s) to automate configuration before or after startup | `{}` |
-| `shardsvr.arbiter.livenessProbe.enabled` | Enable livenessProbe | `true` |
-| `shardsvr.arbiter.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
-| `shardsvr.arbiter.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` |
-| `shardsvr.arbiter.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `20` |
-| `shardsvr.arbiter.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `2` |
-| `shardsvr.arbiter.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `shardsvr.arbiter.readinessProbe.enabled` | Enable readinessProbe | `true` |
-| `shardsvr.arbiter.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
-| `shardsvr.arbiter.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `30` |
-| `shardsvr.arbiter.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `20` |
-| `shardsvr.arbiter.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
-| `shardsvr.arbiter.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `shardsvr.arbiter.startupProbe.enabled` | Enable startupProbe | `false` |
-| `shardsvr.arbiter.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
-| `shardsvr.arbiter.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `shardsvr.arbiter.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `shardsvr.arbiter.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
-| `shardsvr.arbiter.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `shardsvr.arbiter.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `shardsvr.arbiter.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `shardsvr.arbiter.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| Name | Description | Value |
+| -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
+| `shardsvr.arbiter.replicaCount` | Number of arbiters in each shard replica set (the first node will be primary) | `0` |
+| `shardsvr.arbiter.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
+| `shardsvr.arbiter.hostAliases` | Deployment pod host aliases | `[]` |
+| `shardsvr.arbiter.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if shardsvr.arbiter.resources is set (shardsvr.arbiter.resources is recommended for production). | `none` |
+| `shardsvr.arbiter.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `shardsvr.arbiter.mongodbExtraFlags` | MongoDB® additional command line flags | `[]` |
+| `shardsvr.arbiter.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
+| `shardsvr.arbiter.priorityClassName` | Pod priority class name | `""` |
+| `shardsvr.arbiter.podAffinityPreset` | Arbiter's Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `shardsvr.arbiter.podAntiAffinityPreset` | Arbiter's Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `shardsvr.arbiter.nodeAffinityPreset.type` | Arbiter's Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `shardsvr.arbiter.nodeAffinityPreset.key` | Arbiter's Node label key to match Ignored if `affinity` is set. | `""` |
+| `shardsvr.arbiter.nodeAffinityPreset.values` | Arbiter's Node label values to match. Ignored if `affinity` is set. | `[]` |
+| `shardsvr.arbiter.affinity` | Arbiter's Affinity for pod assignment | `{}` |
+| `shardsvr.arbiter.nodeSelector` | Arbiter's Node labels for pod assignment | `{}` |
+| `shardsvr.arbiter.tolerations` | Arbiter's Tolerations for pod assignment | `[]` |
+| `shardsvr.arbiter.podManagementPolicy` | Statefulset's pod management policy, allows parallel startup of pods | `OrderedReady` |
+| `shardsvr.arbiter.updateStrategy.type` | updateStrategy for MongoDB® Primary, Secondary and Arbiter statefulsets | `RollingUpdate` |
+| `shardsvr.arbiter.config` | MongoDB® configuration file | `""` |
+| `shardsvr.arbiter.configCM` | ConfigMap name with MongoDB® configuration file (cannot be used with shardsvr.arbiter.config) | `""` |
+| `shardsvr.arbiter.extraEnvVars` | An array to add extra env vars | `[]` |
+| `shardsvr.arbiter.extraEnvVarsCM` | Name of a ConfigMap containing extra env vars | `""` |
+| `shardsvr.arbiter.extraEnvVarsSecret` | Name of a Secret containing extra env vars | `""` |
+| `shardsvr.arbiter.sidecars` | Add sidecars to the pod | `[]` |
+| `shardsvr.arbiter.initContainers` | Add init containers to the pod | `[]` |
+| `shardsvr.arbiter.podAnnotations` | Additional pod annotations | `{}` |
+| `shardsvr.arbiter.podLabels` | Additional pod labels | `{}` |
+| `shardsvr.arbiter.extraVolumes` | Array to add extra volumes | `[]` |
+| `shardsvr.arbiter.extraVolumeMounts` | Array to add extra mounts (normally used with extraVolumes) | `[]` |
+| `shardsvr.arbiter.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
+| `shardsvr.arbiter.serviceAccount.create` | Specifies whether a ServiceAccount should be created for shardsvr arbiter nodes | `true` |
+| `shardsvr.arbiter.serviceAccount.name` | Name of a Service Account to be used by shardsvr arbiter pods | `""` |
+| `shardsvr.arbiter.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` |
+| `shardsvr.arbiter.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
+| `shardsvr.arbiter.podSecurityContext.enabled` | Enable security context | `true` |
+| `shardsvr.arbiter.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `shardsvr.arbiter.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `shardsvr.arbiter.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `shardsvr.arbiter.podSecurityContext.fsGroup` | Group ID for the container | `1001` |
+| `shardsvr.arbiter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `shardsvr.arbiter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `shardsvr.arbiter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `shardsvr.arbiter.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `shardsvr.arbiter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `shardsvr.arbiter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `shardsvr.arbiter.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `shardsvr.arbiter.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `shardsvr.arbiter.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `shardsvr.arbiter.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `shardsvr.arbiter.command` | Override default container command (useful when using custom images) | `[]` |
+| `shardsvr.arbiter.args` | Override default container args (useful when using custom images) | `[]` |
+| `shardsvr.arbiter.terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` |
+| `shardsvr.arbiter.lifecycleHooks` | for the arbiter container(s) to automate configuration before or after startup | `{}` |
+| `shardsvr.arbiter.livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `shardsvr.arbiter.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
+| `shardsvr.arbiter.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `30` |
+| `shardsvr.arbiter.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `20` |
+| `shardsvr.arbiter.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `2` |
+| `shardsvr.arbiter.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `shardsvr.arbiter.readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `shardsvr.arbiter.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
+| `shardsvr.arbiter.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `30` |
+| `shardsvr.arbiter.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `20` |
+| `shardsvr.arbiter.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `shardsvr.arbiter.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `shardsvr.arbiter.startupProbe.enabled` | Enable startupProbe | `false` |
+| `shardsvr.arbiter.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
+| `shardsvr.arbiter.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `shardsvr.arbiter.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `shardsvr.arbiter.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
+| `shardsvr.arbiter.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `shardsvr.arbiter.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `shardsvr.arbiter.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `shardsvr.arbiter.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
 ### Metrics parameters
-| Name | Description | Value |
-| --------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | -------------------------- |
-| `metrics.enabled` | Start a side-car prometheus exporter | `false` |
-| `metrics.image.registry` | MongoDB® exporter image registry | `docker.io` |
-| `metrics.image.repository` | MongoDB® exporter image name | `bitnami/mongodb-exporter` |
-| `metrics.image.tag` | MongoDB® exporter image tag | `0.39.0-debian-11-r106` |
-| `metrics.image.digest` | MongoDB® exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `metrics.image.pullPolicy` | MongoDB® exporter image pull policy | `Always` |
-| `metrics.image.pullSecrets` | MongoDB® exporter image pull secrets | `[]` |
-| `metrics.useTLS` | Whether to connect to MongoDB® with TLS | `false` |
-| `metrics.extraArgs` | String with extra arguments to the metrics exporter | `""` |
-| `metrics.resources` | Metrics exporter resource requests and limits | `{}` |
-| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `metrics.containerSecurityContext.runAsNonRoot` | Set containers' Security Context runAsNonRoot | `true` |
-| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set containers' Security Context runAsNonRoot | `false` |
-| `metrics.livenessProbe.enabled` | Enable livenessProbe | `false` |
-| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` |
-| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
-| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
-| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `metrics.readinessProbe.enabled` | Enable readinessProbe | `false` |
-| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
-| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
-| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
-| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
-| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `metrics.startupProbe.enabled` | Enable startupProbe | `false` |
-| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
-| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` |
-| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `2` |
-| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
-| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
-| `metrics.containerPorts.metrics` | Port of the Prometheus metrics container | `9216` |
-| `metrics.podAnnotations` | Metrics exporter pod Annotation | `{}` |
-| `metrics.podMonitor.enabled` | Create PodMonitor Resource for scraping metrics using PrometheusOperator | `false` |
-| `metrics.podMonitor.namespace` | Namespace where podmonitor resource should be created | `monitoring` |
-| `metrics.podMonitor.interval` | Specify the interval at which metrics should be scraped | `30s` |
-| `metrics.podMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` |
-| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitors will be discovered by Prometheus | `{}` |
+| Name | Description | Value |
+| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- |
+| `metrics.enabled` | Start a side-car prometheus exporter | `false` |
+| `metrics.image.registry` | MongoDB® exporter image registry | `REGISTRY_NAME` |
+| `metrics.image.repository` | MongoDB® exporter image name | `REPOSITORY_NAME/mongodb-exporter` |
+| `metrics.image.digest` | MongoDB® exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `metrics.image.pullPolicy` | MongoDB® exporter image pull policy | `Always` |
+| `metrics.image.pullSecrets` | MongoDB® exporter image pull secrets | `[]` |
+| `metrics.useTLS` | Whether to connect to MongoDB® with TLS | `false` |
+| `metrics.extraArgs` | String with extra arguments to the metrics exporter | `""` |
+| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
+| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `metrics.livenessProbe.enabled` | Enable livenessProbe | `false` |
+| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` |
+| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
+| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
+| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `metrics.readinessProbe.enabled` | Enable readinessProbe | `false` |
+| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
+| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
+| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
+| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `metrics.startupProbe.enabled` | Enable startupProbe | `false` |
+| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
+| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` |
+| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `2` |
+| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
+| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `metrics.containerPorts.metrics` | Port of the Prometheus metrics container | `9216` |
+| `metrics.podAnnotations` | Metrics exporter pod Annotation | `{}` |
+| `metrics.podMonitor.enabled` | Create PodMonitor Resource for scraping metrics using PrometheusOperator | `false` |
+| `metrics.podMonitor.namespace` | Namespace where podmonitor resource should be created | `monitoring` |
+| `metrics.podMonitor.interval` | Specify the interval at which metrics should be scraped | `30s` |
+| `metrics.podMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` |
+| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitors will be discovered by Prometheus | `{}` |
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 ```console
 helm install my-release \
 --set shards=4,configsvr.replicaCount=3,shardsvr.dataNode.replicaCount=2 \
- oci://registry-1.docker.io/bitnamicharts/mongodb-sharded
+ oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb-sharded
 ```
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+
 The above command sets the number of shards to 4, the number of replicas for the config servers to 3 and number of replicas for data nodes to 2.
 Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
 ```console
-helm install my-release -f values.yaml oci://registry-1.docker.io/bitnamicharts/mongodb-sharded
+helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb-sharded
 ```
-> **Tip**: You can use the default [values.yaml](values.yaml)
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/mongodb-sharded/values.yaml)
 ## Configuration and installation details
-### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
+### Resource requests and limits
+
+Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
+
+To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+
+### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
 It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
@@ -631,11 +700,18 @@ Find more information about how to deal with common errors related to Bitnami's
 If authentication is enabled, it's necessary to set the `auth.rootPassword` and `auth.replicaSetKey` when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use. Please note down the password, and run the command below to upgrade your chart:
 ```console
-helm upgrade my-release oci://registry-1.docker.io/bitnamicharts/mongodb-sharded --set auth.rootPassword=[PASSWORD] (--set auth.replicaSetKey=[auth.replicaSetKey])
+helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb-sharded --set auth.rootPassword=[PASSWORD] (--set auth.replicaSetKey=[auth.replicaSetKey])
 ```
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
 > Note: you need to substitute the placeholders [PASSWORD] and [auth.replicaSetKey] with the values obtained in the installation notes.
+### To 7.0.0
+
+This major version updates the MongoDB® container image version used from 6.0 to 7.0, the new stable version. There are no major changes in the chart, but we recommend checking the [MongoDB® 7.0 release notes](https://www.mongodb.com/docs/manual/release-notes/7.0/) before upgrading.
+
+> Note: Due to an error in our release process, the latest version in the previous major branch (6.6.8) already uses 7.0 by default, see [PR#19575](https://github.com/bitnami/charts/pull/19575)
+
 ### To 5.0.0
 This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository.
@@ -695,7 +771,7 @@ MongoDB® container images were updated to `4.4.x` and it can affect compatib ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/solution-base/mongodb/charts/mongodb-sharded/charts/common/.helmignore b/solution-base/mongodb/charts/mongodb-sharded/charts/common/.helmignore index 50af031725..7c7c21d659 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/charts/common/.helmignore +++ b/solution-base/mongodb/charts/mongodb-sharded/charts/common/.helmignore @@ -20,3 +20,5 @@ .idea/ *.tmproj .vscode/ +# img folder +img/ diff --git a/solution-base/mongodb/charts/mongodb-sharded/charts/common/Chart.yaml b/solution-base/mongodb/charts/mongodb-sharded/charts/common/Chart.yaml index 3be88e6aa0..2acf0cd40a 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/charts/common/Chart.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.11.1 +appVersion: 2.18.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.11.1 +version: 2.18.0 diff --git a/solution-base/mongodb/charts/mongodb-sharded/charts/common/README.md b/solution-base/mongodb/charts/mongodb-sharded/charts/common/README.md index fe6a010003..0d01a1e064 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/charts/common/README.md +++ b/solution-base/mongodb/charts/mongodb-sharded/charts/common/README.md 
@@ -24,18 +24,18 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites -- Kubernetes 1.19+ -- Helm 3.2.0+ +- Kubernetes 1.23+ +- Helm 3.8.0+ ## Parameters @@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01="" ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_capabilities.tpl b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_capabilities.tpl index c6d115fe51..115674af87 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_capabilities.tpl +++ b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_capabilities.tpl 
@@ -172,6 +172,50 @@ Return the appropriate apiVersion for Vertical Pod Autoscaler. {{- end -}} {{- end -}} +{{/* +Returns true if PodSecurityPolicy is supported +*/}} +{{- define "common.capabilities.psp.supported" -}} +{{- if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if AdmissionConfiguration is supported +*/}} +{{- define "common.capabilities.admissionConfiguration.supported" -}} +{{- if semverCompare ">=1.23-0" (include "common.capabilities.kubeVersion" .) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for AdmissionConfiguration. +*/}} +{{- define "common.capabilities.admissionConfiguration.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiserver.config.k8s.io/v1alpha1" -}} +{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiserver.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiserver.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for PodSecurityConfiguration. +*/}} +{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}} +{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "pod-security.admission.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "pod-security.admission.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + {{/* Returns true if the used Helm version is 3.3+. A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. 
diff --git a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_compatibility.tpl b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_compatibility.tpl
new file mode 100644
index 0000000000..c529f08725
--- /dev/null
+++ b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_compatibility.tpl
@@ -0,0 +1,35 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
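Review bot: `common.compatibility.isOpenshift` depends on `.Capabilities.APIVersions.Has`, which Helm only fills in from a live cluster, so with `adaptSecurityContext` set to `auto` an offline `helm template` render keeps `runAsUser`/`fsGroup` while `helm install` against OpenShift drops them, and the helper's comment does not say so. Suggest adding to the usage comment of `renderSecurityContext`: `Note: "auto" relies on .Capabilities.APIVersions, which is empty under "helm template" unless --api-versions is passed; use "force" for deterministic offline output.` It is also worth stating in that comment that only `fsGroup`, `runAsUser` and `runAsGroup` are removed, so any `runAsNonRoot`, capability drop or seccomp setting in the input context is rendered unchanged.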
diff --git a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_images.tpl b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_images.tpl index e248d6d08e..1bcb779df5 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_images.tpl +++ b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_images.tpl @@ -38,13 +38,21 @@ Return the proper Docker Image Registry Secret Names (deprecated: use common.ima {{- if .global }} {{- range .global.imagePullSecrets -}} - {{- $pullSecrets = append $pullSecrets . -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end }} {{- end -}} {{- end -}} {{- range .images -}} {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets . -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} {{- end -}} {{- end -}} 
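Review bot: The `global.imagePullSecrets` branch of the first hunk closes its new `if`/`else` with `{{- end }}` while the `.images` branch right below, and both branches of the second hunk in this file, use `{{- end -}}`. The missing right-trim is harmless here only because the following `{{- end -}}` left-trims the whitespace, but the inconsistency invites a stray newline the next time someone edits the block; suggest `{{- end -}}` in the first branch to match. The `kindIs "map" .` check itself reads well and keeps plain-string pull secrets working.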
@@ -66,13 +74,21 @@ Return the proper Docker Image Registry Secret Names evaluating values as templa {{- if $context.Values.global }} {{- range $context.Values.global.imagePullSecrets -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} {{- end -}} {{- end -}} {{- range .images -}} {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} {{- end -}} {{- end -}} diff --git a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_labels.tpl b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_labels.tpl index a3cdc2bfda..d90a6cdc0c 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_labels.tpl +++ b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_labels.tpl 
@@ -11,13 +11,19 @@ Kubernetes standard labels */}} {{- define "common.labels.standard" -}} {{- if and (hasKey . "customLabels") (hasKey . "context") -}} -{{ merge (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) (dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service "app.kubernetes.io/version" .context.Chart.AppVersion) | toYaml }} +{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}} +{{- with .context.Chart.AppVersion -}} +{{- $_ := set $default "app.kubernetes.io/version" . -}} +{{- end -}} +{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }} {{- else -}} app.kubernetes.io/name: {{ include "common.names.name" . }} helm.sh/chart: {{ include "common.names.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- with .Chart.AppVersion }} +app.kubernetes.io/version: {{ . | quote }} +{{- end -}} {{- end -}} {{- end -}} diff --git a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_resources.tpl b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_resources.tpl new file mode 100644 index 0000000000..d90f8752db --- /dev/null +++ b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_resources.tpl 
@@ -0,0 +1,50 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a resource request/limit object based on a given preset.
+These presets are for basic testing and not meant to be used in production
+{{ include "common.resources.preset" (dict "type" "nano") -}}
+*/}}
+{{- define "common.resources.preset" -}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
+{{- $presets := dict
+ "nano" (dict
+ "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
+ )
+ "micro" (dict
+ "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
+ )
+ "small" (dict
+ "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
+ )
+ "medium" (dict
+ "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
+ )
+ "large" (dict
+ "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
+ )
+ "xlarge" (dict
+ "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
+ )
+ "2xlarge" (dict
+ "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
+ )
+ }}
+{{- if hasKey $presets .type -}}
+{{- index $presets .type | toYaml -}}
+{{- else -}}
+{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_secrets.tpl b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_secrets.tpl index a193c46b6b..84dbe38036 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_secrets.tpl +++ b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_secrets.tpl @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) @@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} 
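Review bot: The new parameter documentation for `skipB64enc` says "no the secret will not be base64 encrypted", which is both a garbled double negative and wrong on the term — base64 is an encoding, not encryption, and a reader may take the default as a protection it is not. Suggest `- skipB64enc - Boolean - Optional - Default to false. If set to true, the returned value is not base64 encoded.` and, for symmetry, `- skipQuote - Boolean - Optional - Default to false. If set to true, the returned value is not wrapped in quotes.` The second hunk here drops the local `$failOnNew := default true .failOnNew` in favour of `not (eq .failOnNew false)` further down, which preserves the default-true semantics; the definition continues past this hunk.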
@@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} @@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_utils.tpl b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_utils.tpl index c87040cd91..bfbddf0547 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_utils.tpl 
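Review bot: With `skipB64enc` set, the existing-Secret branch now returns the decoded plaintext (`index $secretData .key | b64dec`) straight into the rendered output, where previously callers only ever received the quoted base64 form; nothing in the hunk states where that plaintext is safe to place. Suggest a sentence in the helper's doc block: `With skipB64enc the raw password is emitted; use it only under a Secret's stringData, never in a ConfigMap or an inline env value.` Moving the `b64enc`/`quote` to a single exit point in the second hunk (`@@ -120`) is cleaner than the per-branch chaining it replaces.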
+++ b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_utils.tpl @@ -65,3 +65,13 @@ Usage: {{- end -}} {{- printf "%s" $key -}} {{- end -}} + +{{/* +Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376). +Usage: +{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }} +*/}} +{{- define "common.utils.checksumTemplate" -}} +{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}} +{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }} +{{- end -}} diff --git a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_warnings.tpl b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_warnings.tpl index 66dffc1fec..0f763cd827 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_warnings.tpl +++ b/solution-base/mongodb/charts/mongodb-sharded/charts/common/templates/_warnings.tpl 
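Review bot: `common.utils.checksumTemplate` pipes the rendered template through `fromYaml`, and Helm's `fromYaml` does not abort on a parse error — it returns a map holding an `Error` key — so a template that fails to parse would still yield a stable-looking checksum and the pod would never be restarted on the change it was meant to track. Suggest guarding the result before hashing: `{{- if hasKey $obj "Error" }}{{ fail $obj.Error }}{{ end -}}` between the `include` and the `sha256sum` line. The doc comment could also spell out that `path` is joined to `Template.BasePath` verbatim and so must start with `/`, as the usage example shows.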
@@ -13,7 +13,70 @@ Usage: {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ ++info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers {{- end }} +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . 
-}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} {{- end -}} diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/NOTES.txt b/solution-base/mongodb/charts/mongodb-sharded/templates/NOTES.txt index 1106ef8a38..d6210b0a9b 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/NOTES.txt +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/NOTES.txt 
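Review bot: Two style points in the new `common.warnings.resources` body (hunk begins on the previous line): `{{ $affectedSections := list -}}` is the only action in the define without a left-trim marker, unlike the `{{- $values := ... -}}` and `{{- $printMessage := false -}}` lines around it, and `{{- if and (hasKey $section "enabled") -}}` / `{{- else if and (hasKey $section "replicaCount") -}}` wrap a single operand in `and`, which is a no-op. Suggest `{{- $affectedSections := list -}}`, `{{- if hasKey $section "enabled" -}}` and `{{- else if hasKey $section "replicaCount" -}}`. Worth noting in the comment that `index $section .` errors out if an intermediate key from `sections` is absent from values, so the list passed by a chart must match its values layout exactly.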
@@ -62,3 +62,4 @@ To connect to your database from outside the cluster execute the following comma {{- include "mongodb-sharded.validateValues" . -}} {{- include "mongodb-sharded.checkRollingTags" . -}} +{{- include "common.warnings.resources" (dict "sections" (list "configsvr" "metrics" "mongos" "shardsvr.arbiter" "shardsvr.dataNode" "volumePermissions") "context" $) }} diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/_helpers.tpl b/solution-base/mongodb/charts/mongodb-sharded/templates/_helpers.tpl index 4724c6216b..2929960de2 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/_helpers.tpl +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/_helpers.tpl @@ -37,10 +37,6 @@ Usage: {{- end -}} {{- end -}} -{{- define "mongodb-sharded.configServer.serviceName" -}} - {{- printf "%s-configsvr.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain -}} -{{- end -}} - {{- define "mongodb-sharded.configServer.rsName" -}} {{- if .Values.configsvr.external.replicasetName -}} {{- .Values.configsvr.external.replicasetName }} @@ -253,22 +249,3 @@ mongodb: .Values.mongos.servicePerReplica.loadBalancerIPs {{- include "common.warnings.rollingTag" .Values.metrics.image }} {{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} {{- end -}} - -{{/* app credentials environment variables */}} -{{- define "mongodb-sharded.appAccountEnvs" -}} -- name: MONGODB_APP_USERNAME - valueFrom: - secretKeyRef: - name: {{ include "mongodb-sharded.secret" $ }} - key: mongodb-username -- name: MONGODB_APP_DATABASE - valueFrom: - secretKeyRef: - name: {{ include "mongodb-sharded.secret" $ }} - key: mongodb-database -- name: MONGODB_APP_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "mongodb-sharded.secret" $ }} - key: mongodb-password -{{- end -}} 
diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml index aba110219b..4dcb327b5e 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml @@ -42,6 +42,7 @@ spec: schedulerName: {{ .Values.configsvr.schedulerName | quote }} {{- end }} serviceAccountName: {{ include "mongodb-sharded.serviceAccountName" (dict "component" "configsvr" "value" .Values.configsvr.serviceAccount "context" $) }} + automountServiceAccountToken: {{ .Values.configsvr.automountServiceAccountToken }} {{- if .Values.configsvr.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.configsvr.hostAliases "context" $) | nindent 8 }} {{- end }} @@ -66,7 +67,7 @@ spec: topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.configsvr.topologySpreadConstraints "context" $) | nindent 8 }} {{- end }} {{- if .Values.configsvr.podSecurityContext.enabled }} - securityContext: {{- omit .Values.configsvr.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.configsvr.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if .Values.configsvr.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.configsvr.terminationGracePeriodSeconds }} 
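Review bot: `automountServiceAccountToken: {{ .Values.configsvr.automountServiceAccountToken }}` renders as a bare `automountServiceAccountToken:` (null, i.e. inherit the ServiceAccount's setting) whenever the value is unset, which silently loses the hardening the key is meant to provide; the values.yaml side of this commit is not in view, so I cannot confirm a default is declared. Suggest either a `false` default in values.yaml with a one-line comment that the config server needs no API access, or `automountServiceAccountToken: {{ .Values.configsvr.automountServiceAccountToken | default false }}` here so an omitted value still yields the restrictive setting. The switch to `common.compatibility.renderSecurityContext` in the second hunk is consistent with the other containers in this file.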
@@ -77,16 +78,30 @@ spec: - name: volume-permissions image: {{ include "mongodb-sharded.volumePermissions.image" . }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - command: ["chown", "-R", "{{ .Values.configsvr.containerSecurityContext.runAsUser }}:{{ .Values.configsvr.podSecurityContext.fsGroup }}", "{{ .Values.configsvr.persistence.mountPath }}"] + command: + - /bin/bash + args: + - -ec + - | + mkdir -p {{ .Values.configsvr.persistence.mountPath }}{{- if .Values.configsvr.persistence.subPath }}/{{ include "common.tplvalues.render" (dict "value" .Values.configsvr.persistence.subPath "context" $) }}{{- end }} + chown {{ .Values.configsvr.containerSecurityContext.runAsUser }}:{{ .Values.configsvr.podSecurityContext.fsGroup }} {{ .Values.configsvr.persistence.mountPath }}{{- if .Values.configsvr.persistence.subPath }}/{{ include "common.tplvalues.render" (dict "value" .Values.configsvr.persistence.subPath "context" $) }}{{- end }} + find {{ .Values.configsvr.persistence.mountPath }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.configsvr.containerSecurityContext.runAsUser }}:{{ .Values.configsvr.podSecurityContext.fsGroup }} securityContext: runAsUser: 0 - resources: {{ toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} + {{- end }} volumeMounts: - name: datadir mountPath: {{ .Values.configsvr.persistence.mountPath }} {{- if .Values.configsvr.persistence.subPath }} subPath: {{ include "common.tplvalues.render" (dict "value" .Values.configsvr.persistence.subPath "context" $) }} {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- end }} {{- with 
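Review bot: The new volume-permissions script feeds `find ... -mindepth 1 -maxdepth 1` through a whitespace-delimited `xargs -r chown -R`, so any entry under the data directory whose name contains a space or newline is split into separate arguments and either skipped or chowned at the wrong path, while the container keeps running as `runAsUser: 0`. Suggest the null-delimited form: `find {{ .Values.configsvr.persistence.mountPath }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" -print0 | xargs -0 -r chown -R {{ .Values.configsvr.containerSecurityContext.runAsUser }}:{{ .Values.configsvr.podSecurityContext.fsGroup }}`. The `mountPath` and `subPath` interpolations on the `mkdir`/`chown` lines are also unquoted inside the shell script; piping them through `| quote` would keep a path containing spaces from breaking the script.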
.Values.configsvr.initContainers }} {{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }} @@ -99,7 +114,7 @@ spec: image: {{ include "mongodb-sharded.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if .Values.configsvr.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.configsvr.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.configsvr.containerSecurityContext "context" $) | nindent 12 }} {{- end }} ports: - containerPort: {{ .Values.common.containerPorts.mongodb }} @@ -117,8 +132,10 @@ spec: {{- else }} value: "no" {{- end }} - - name: MONGODB_MAX_TIMEOUT - value: {{ .Values.common.mongodbMaxWaitTimeout | quote }} + - name: MONGODB_INIT_RETRY_ATTEMPTS + value: {{ .Values.common.mongodbInitRetryAttempts | quote }} + - name: MONGODB_INIT_RETRY_DELAY + value: {{ .Values.common.mongodbInitRetryDelay | quote }} - name: MONGODB_SHARDING_MODE value: "configsvr" - name: MONGODB_POD_NAME @@ -155,7 +172,6 @@ spec: name: {{ include "mongodb-sharded.secret" . }} key: mongodb-replica-set-key {{- end }} - {{- include "mongodb-sharded.appAccountEnvs" $ | nindent 12 }} {{- end }} - name: MONGODB_ENABLE_IPV6 {{- if .Values.common.mongodbEnableIPv6 }} @@ -239,6 +255,18 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" $.Values.configsvr.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir - name: replicaset-entrypoint-configmap mountPath: /entrypoint - name: datadir 
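Review bot: The four `empty-dir` mounts added to the mongodb container (`/tmp`, `/opt/bitnami/mongodb/conf`, `/opt/bitnami/mongodb/tmp`, `/opt/bitnami/mongodb/logs`) carry no comment explaining why writable scratch paths are being carved out; presumably they let the image run with a read-only root filesystem, but that setting is not visible in this hunk. Suggest a template comment above the first one: `{{/* writable scratch dirs so the container can run with a read-only root filesystem */}}`. The `MONGODB_INIT_RETRY_ATTEMPTS`/`MONGODB_INIT_RETRY_DELAY` env vars read `.Values.common.mongodbInitRetryAttempts` and `.Values.common.mongodbInitRetryDelay`, which are not defined in anything in view — if values.yaml does not declare them, `| quote` renders `value: ""` rather than failing, so please confirm both exist. The container definition continues outside this hunk.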
@@ -268,13 +296,17 @@ spec: {{- if .Values.configsvr.extraVolumeMounts }} {{- include "common.tplvalues.render" ( dict "value" .Values.configsvr.extraVolumeMounts "context" $ ) | nindent 12 }} {{- end }} + {{- if .Values.configsvr.resources }} resources: {{- toYaml .Values.configsvr.resources | nindent 12 }} + {{- else if ne .Values.configsvr.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.configsvr.resourcesPreset) | nindent 12 }} + {{- end }} {{- if .Values.metrics.enabled }} - name: metrics image: {{ include "mongodb-sharded.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: {{- if .Values.auth.enabled }} @@ -305,11 +337,14 @@ spec: {{- end }} /bin/mongodb_exporter --collect-all --compatible-mode --web.listen-address ":{{ .Values.metrics.containerPorts.metrics }}" --mongodb.uri mongodb://$(echo $MONGODB_ROOT_USER):$(echo $MONGODB_ROOT_PASSWORD | sed -r "s/@/%40/g;s/:/%3A/g")@localhost:{{ .Values.common.containerPorts.mongodb }}/admin{{ ternary "?ssl=true" "" $.Values.metrics.useTLS }} {{ .Values.metrics.extraArgs }} {{- end }} - {{- if .Values.auth.usePasswordFile }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.auth.usePasswordFile }} - name: secrets mountPath: /bitnami/mongodb/secrets/ - {{- end }} + {{- end }} ports: - name: metrics containerPort: {{ .Values.metrics.containerPorts.metrics }} 
@@ -338,7 +373,11 @@ spec: port: metrics {{- end }} {{- end }} - resources: {{ toYaml .Values.metrics.resources | nindent 12 }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} {{- end }} {{- with .Values.configsvr.sidecars }} {{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }} @@ -347,6 +386,8 @@ spec: {{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} - name: replicaset-entrypoint-configmap configMap: name: {{ printf "%s-replicaset-entrypoint" (include "common.names.fullname" .) }} @@ -380,7 +421,9 @@ spec: {{- end }} {{- if and .Values.configsvr.persistence.enabled }} volumeClaimTemplates: - - metadata: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: name: datadir {{- if or .Values.configsvr.persistence.annotations .Values.commonAnnotations .Values.configsvr.persistence.resourcePolicy }} {{- if or .Values.commonAnnotations .Values.configsvr.persistence.annotations .Values.configsvr.persistence.resourcePolicy }} @@ -401,16 +444,12 @@ spec: {{- range .Values.configsvr.persistence.accessModes }} - {{ . | quote }} {{- end }} - {{- if .Values.configsvr.persistence.selector }} - selector: -{{ toYaml .Values.configsvr.persistence.selector | indent 10 }} - {{- end }} resources: requests: storage: {{ .Values.configsvr.persistence.size | quote }} {{- include "common.storage.class" (dict "persistence" .Values.configsvr.persistence "global" .Values.global) | nindent 8 }} {{- else }} - - name: datadir - emptyDir: {} + - name: datadir + emptyDir: {} {{- end }} {{- end }} 
diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/mongos/mongos-dep-sts.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/mongos/mongos-dep-sts.yaml index e7fd18a68c..6b321eab64 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/mongos/mongos-dep-sts.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/mongos/mongos-dep-sts.yaml @@ -46,6 +46,7 @@ spec: schedulerName: {{ .Values.mongos.schedulerName | quote }} {{- end }} serviceAccountName: {{ include "mongodb-sharded.serviceAccountName" (dict "component" "mongos" "value" $.Values.mongos.serviceAccount "context" $) }} + automountServiceAccountToken: {{ .Values.mongos.automountServiceAccountToken }} {{- if .Values.mongos.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.mongos.hostAliases "context" $) | nindent 8 }} {{- end }} @@ -70,7 +71,7 @@ spec: topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.mongos.topologySpreadConstraints "context" $) | nindent 8 }} {{- end }} {{- if .Values.mongos.podSecurityContext.enabled }} - securityContext: {{- omit .Values.mongos.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.mongos.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if .Values.mongos.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.mongos.terminationGracePeriodSeconds }} 
@@ -90,11 +91,8 @@ spec: image: {{ include "mongodb-sharded.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} {{- if .Values.mongos.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.mongos.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.mongos.containerSecurityContext "context" $) | nindent 12 }} {{- end }} - command: - - /bin/bash - - /entrypoint/mongos-entrypoint.sh env: - name: MONGODB_ENABLE_NUMACTL value: {{ ternary "yes" "no" $.Values.common.mongodbEnableNumactl | quote }} @@ -102,8 +100,10 @@ spec: value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - name: MONGODB_SHARDING_MODE value: "mongos" - - name: MONGODB_MAX_TIMEOUT - value: {{ .Values.common.mongodbMaxWaitTimeout | quote }} + - name: MONGODB_INIT_RETRY_ATTEMPTS + value: {{ .Values.common.mongodbInitRetryAttempts | quote }} + - name: MONGODB_INIT_RETRY_DELAY + value: {{ .Values.common.mongodbInitRetryDelay | quote }} {{- if $.Values.auth.enabled }} - name: MONGODB_ROOT_USER value: {{ .Values.auth.rootUser | quote }} @@ -136,7 +136,7 @@ spec: - name: MONGODB_PORT_NUMBER value: {{ $.Values.common.containerPorts.mongodb | quote }} - name: MONGODB_CFG_PRIMARY_HOST - value: {{ include "mongodb-sharded.configServer.serviceName" . }} + value: {{ include "mongodb-sharded.configServer.primaryHost" . }} - name: MONGODB_CFG_REPLICA_SET_NAME value: {{ include "mongodb-sharded.configServer.rsName" . }} - name: MONGODB_SYSTEM_LOG_VERBOSITY 
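Review bot: Removing `command: [/bin/bash, /entrypoint/mongos-entrypoint.sh]` from the mongos container also removes the only code path that ran `mongosh --nodb --eval "disableTelemetry()"`, because this commit deletes that script from replicaset-entrypoint-configmap.yaml together with the same call in `replicaset-entrypoint.sh`, and the deleted comment says it existed "to support offline deployments". If that requirement still holds, the commit description should state how telemetry is disabled on the 7.x image, or the local patch needs to be re-applied on top of the new chart. I can only see the deleted lines here, so this may already be handled by the solution's own values or image configuration.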
@@ -233,8 +233,18 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.mongos.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: - - name: replicaset-entrypoint-configmap - mountPath: /entrypoint + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir {{- if .Values.auth.usePasswordFile }} - name: secrets mountPath: /bitnami/mongodb/secrets/ @@ -249,13 +259,17 @@ spec: {{- if $.Values.mongos.extraVolumeMounts }} {{- include "common.tplvalues.render" ( dict "value" $.Values.mongos.extraVolumeMounts "context" $ ) | nindent 12 }} {{- end }} + {{- if .Values.mongos.resources }} resources: {{- toYaml .Values.mongos.resources | nindent 12 }} + {{- else if ne .Values.mongos.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.mongos.resourcesPreset) | nindent 12 }} + {{- end }} {{- if .Values.metrics.enabled }} - name: metrics image: {{ include "mongodb-sharded.metrics.image" . }} imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: {{- if $.Values.auth.enabled }} 
@@ -286,11 +300,14 @@ spec: {{- end }} /bin/mongodb_exporter --collect-all --compatible-mode --web.listen-address ":{{ .Values.metrics.containerPorts.metrics }}" --mongodb.uri mongodb://$(echo $MONGODB_ROOT_USER):$(echo $MONGODB_ROOT_PASSWORD | sed -r "s/@/%40/g;s/:/%3A/g")@localhost:{{ .Values.common.containerPorts.mongodb }}/admin{{ ternary "?ssl=true" "" $.Values.metrics.useTLS }} {{ .Values.metrics.extraArgs }} {{- end }} - {{- if .Values.auth.usePasswordFile }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.auth.usePasswordFile }} - name: secrets mountPath: /bitnami/mongodb/secrets/ - {{- end }} + {{- end }} ports: - name: metrics containerPort: {{ .Values.metrics.containerPorts.metrics }} @@ -319,18 +336,21 @@ spec: port: metrics {{- end }} {{- end }} + {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} {{- end }} - {{- with $.Values.mongos.sidecars }} + {{- with .Values.mongos.sidecars }} {{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }} {{- end }} - {{- with $.Values.common.sidecars }} + {{- with .Values.common.sidecars }} {{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }} {{- end }} volumes: - - name: replicaset-entrypoint-configmap - configMap: - name: {{ include "common.names.fullname" . }}-replicaset-entrypoint + - name: empty-dir + emptyDir: {} {{- if .Values.auth.usePasswordFile }} - name: secrets secret: diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/networkpolicy.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/networkpolicy.yaml new file mode 100644 index 0000000000..c179173508 --- /dev/null +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/networkpolicy.yaml 
@@ -0,0 +1,75 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ template "common.names.namespace" . }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.common.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow connection to other cluster pods + - ports: + - port: {{ .Values.common.containerPorts.mongodb }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.common.containerPorts.mongodb }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . 
}}-client: "true" + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/replicaset-entrypoint-configmap.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/replicaset-entrypoint-configmap.yaml index 763dc44647..0427ec0cf6 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/replicaset-entrypoint-configmap.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/replicaset-entrypoint-configmap.yaml @@ -13,16 +13,6 @@ metadata: annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} data: - mongos-entrypoint.sh: |- - #!/bin/bash - - . /liblog.sh - - # Disable MongoSH telemetry to support offline deployments - mongosh --nodb --eval "disableTelemetry()" - info "MongoDB Telemetry is now disabled." - - exec /entrypoint.sh /run.sh replicaset-entrypoint.sh: |- #!/bin/bash @@ -46,8 +36,4 @@ data: {{- end }} fi - # Disable MongoSH telemetry to support offline deployments - mongosh --nodb --eval "disableTelemetry()" - info "MongoDB Telemetry is now disabled." - exec /entrypoint.sh /run.sh 
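Review bot: In the egress branch, `{{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }}` dereferences `.Values.rts`, which nothing in the visible values.yaml hunks defines, so the moment a user sets `networkPolicy.extraEgress` (the key the enclosing `if` tests) the release fails to render with a nil-pointer error instead of adding the extra rules; it should read `.Values.networkPolicy.extraEgress`, mirroring the `extraIngress` block at the bottom of the file. Because the file is a vendored chart template, the correction belongs in the patch set the Makefile applies. The rest of the policy (DNS on 53, intra-release traffic on the mongodb port, optional external ingress via the `-client: "true"` label) reads consistently.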
diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-arbiter-statefulset.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-arbiter-statefulset.yaml index c96c4d0dcc..d5023a0dbc 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-arbiter-statefulset.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-arbiter-statefulset.yaml @@ -45,6 +45,7 @@ spec: {{- if $.Values.shardsvr.arbiter.schedulerName }} schedulerName: {{ $.Values.shardsvr.arbiter.schedulerName | quote }} {{- end }} + automountServiceAccountToken: {{ $.Values.shardsvr.arbiter.automountServiceAccountToken }} {{- if $.Values.shardsvr.arbiter.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" $.Values.shardsvr.arbiter.hostAliases "context" $) | nindent 8 }} {{- end }} @@ -69,7 +70,7 @@ spec: topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" $.Values.shardsvr.arbiter.topologySpreadConstraints "context" $) | nindent 8 }} {{- end }} {{- if $.Values.shardsvr.arbiter.podSecurityContext.enabled }} - securityContext: {{- omit $.Values.shardsvr.arbiter.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.shardsvr.arbiter.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if $.Values.shardsvr.arbiter.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ $.Values.shardsvr.arbiter.terminationGracePeriodSeconds }} 
@@ -89,7 +90,7 @@ spec: image: {{ include "mongodb-sharded.image" $ }} imagePullPolicy: {{ $.Values.image.pullPolicy }} {{- if $.Values.shardsvr.arbiter.containerSecurityContext.enabled }} - securityContext: {{- omit $.Values.shardsvr.arbiter.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.shardsvr.arbiter.containerSecurityContext "context" $) | nindent 12 }} {{- end }} ports: - containerPort: {{ $.Values.common.containerPorts.mongodb }} @@ -111,8 +112,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - - name: MONGODB_MAX_TIMEOUT - value: {{ $.Values.common.mongodbMaxWaitTimeout | quote }} + - name: MONGODB_INIT_RETRY_ATTEMPTS + value: {{ $.Values.common.mongodbInitRetryAttempts | quote }} + - name: MONGODB_INIT_RETRY_DELAY + value: {{ $.Values.common.mongodbInitRetryDelay | quote }} - name: MONGODB_SHARDING_MODE value: "shardsvr" - name: MONGODB_REPLICA_SET_MODE @@ -225,6 +228,18 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" $.Values.shardsvr.arbiter.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir {{- if or $.Values.shardsvr.arbiter.config $.Values.shardsvr.arbiter.configCM }} - name: config mountPath: /bitnami/mongodb/conf/ 
@@ -247,13 +262,17 @@ spec: {{- if $.Values.shardsvr.arbiter.extraVolumeMounts }} {{- include "common.tplvalues.render" ( dict "value" $.Values.shardsvr.arbiter.extraVolumeMounts "context" $ ) | nindent 12 }} {{- end }} + {{- if $.Values.shardsvr.arbiter.resources }} resources: {{- toYaml $.Values.shardsvr.arbiter.resources | nindent 12 }} + {{- else if ne $.Values.shardsvr.arbiter.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" $.Values.shardsvr.arbiter.resourcesPreset) | nindent 12 }} + {{- end }} {{- if $.Values.metrics.enabled }} - name: metrics image: {{ include "mongodb-sharded.metrics.image" $ }} imagePullPolicy: {{ $.Values.metrics.image.pullPolicy | quote }} {{- if $.Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit $.Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: {{- if $.Values.auth.enabled }} @@ -284,11 +303,14 @@ spec: {{- end }} /bin/mongodb_exporter --collect-all --compatible-mode --web.listen-address ":{{ $.Values.metrics.containerPorts.metrics }}" --mongodb.uri mongodb://$(echo $MONGODB_ROOT_USER):$(echo $MONGODB_ROOT_PASSWORD | sed -r "s/@/%40/g;s/:/%3A/g")@localhost:{{ $.Values.common.containerPorts.mongodb }}/admin{{ ternary "?ssl=true" "" $.Values.metrics.useTLS }} {{ $.Values.metrics.extraArgs }} {{- end }} - {{- if $.Values.auth.usePasswordFile }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if $.Values.auth.usePasswordFile }} - name: secrets mountPath: /bitnami/mongodb/secrets/ - {{- end }} + {{- end }} ports: - name: metrics containerPort: {{ $.Values.metrics.containerPorts.metrics }} 
@@ -317,7 +339,11 @@ spec: port: metrics {{- end }} {{- end }} + {{- if $.Values.metrics.resources }} resources: {{ toYaml $.Values.metrics.resources | nindent 12 }} + {{- else if ne $.Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" $.Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} {{- end }} {{- with $.Values.shardsvr.arbiter.sidecars }} {{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }} @@ -326,6 +352,8 @@ spec: {{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if or $.Values.shardsvr.arbiter.config $.Values.shardsvr.arbiter.configCM }} - name: config configMap: diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-podmonitor.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-podmonitor.yaml index 657764ac98..d2c9c0cbe9 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-podmonitor.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-podmonitor.yaml @@ -4,7 +4,8 @@ SPDX-License-Identifier: APACHE-2.0 */}} {{- if and .Values.shards .Values.metrics.enabled .Values.metrics.podMonitor.enabled }} -{{- $i := 0 }} +{{- $replicas := .Values.shards | int }} +{{- range $i, $e := until $replicas }} apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: @@ -35,4 +36,7 @@ spec: selector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: shardsvr + shard: {{ $i | quote }} +--- +{{- end }} {{- end }} diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml index 3f04c43d19..5e64838124 100644 
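Review bot: Wrapping the PodMonitor in `{{- range $i, $e := until $replicas }}` rebinds `.` to the loop index, so any `.Values` or `.Release` reference in the unchanged body between the two shard-data-podmonitor hunks (outside my view) now resolves against an integer and the template stops rendering; the body must use `$.Values` / `$.Release` throughout, as the new `shard: {{ $i | quote }}` selector line and the `"context" $` argument already do. Please confirm the `metadata.name` between the hunks also incorporates `$i`, otherwise the `shards` documents collide on the same name. The `---` emitted after the last iteration is a trailing separator that Helm tolerates, so that part is cosmetic only.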
--- a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml @@ -52,6 +52,7 @@ spec: podAntiAffinity: {{- include "common.affinities.pods" (dict "type" $.Values.shardsvr.dataNode.podAntiAffinityPreset "component" "shardsvr" "customLabels" $podLabels "context" $) | nindent 10 }} nodeAffinity: {{- include "common.affinities.nodes" (dict "type" $.Values.shardsvr.dataNode.nodeAffinityPreset.type "key" $.Values.shardsvr.dataNode.nodeAffinityPreset.key "values" $.Values.shardsvr.dataNode.nodeAffinityPreset.values) | nindent 10 }} {{- end }} + automountServiceAccountToken: {{ $.Values.shardsvr.dataNode.automountServiceAccountToken }} {{- if $.Values.shardsvr.dataNode.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" $.Values.shardsvr.dataNode.hostAliases "context" $) | nindent 8 }} {{- end }} @@ -69,7 +70,7 @@ spec: topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" $.Values.shardsvr.dataNode.topologySpreadConstraints "context" $) | nindent 8 }} {{- end }} {{- if $.Values.shardsvr.dataNode.podSecurityContext.enabled }} - securityContext: {{- omit $.Values.shardsvr.dataNode.podSecurityContext "enabled" | toYaml | nindent 8 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.shardsvr.dataNode.podSecurityContext "context" $) | nindent 8 }} {{- end }} {{- if $.Values.shardsvr.dataNode.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ $.Values.shardsvr.dataNode.terminationGracePeriodSeconds }} 
@@ -80,11 +81,25 @@ spec: - name: volume-permissions image: {{ include "mongodb-sharded.volumePermissions.image" $ }} imagePullPolicy: {{ $.Values.volumePermissions.image.pullPolicy | quote }} - command: ["chown", "-R", "{{ $.Values.shardsvr.dataNode.containerSecurityContext.runAsUser }}:{{ $.Values.shardsvr.dataNode.podSecurityContext.fsGroup }}", "{{ $.Values.shardsvr.persistence.mountPath }}"] + command: + - /bin/bash + args: + - -ec + - | + mkdir -p {{ $.Values.shardsvr.persistence.mountPath }}{{- if $.Values.shardsvr.persistence.subPath }}/{{ include "common.tplvalues.render" (dict "value" $.Values.shardsvr.persistence.subPath "context" $) }}{{- end }} + chown {{ $.Values.shardsvr.dataNode.containerSecurityContext.runAsUser }}:{{ $.Values.shardsvr.dataNode.podSecurityContext.fsGroup }} {{ $.Values.shardsvr.persistence.mountPath }}{{- if $.Values.shardsvr.persistence.subPath }}/{{ include "common.tplvalues.render" (dict "value" $.Values.shardsvr.persistence.subPath "context" $) }}{{- end }} + find {{ $.Values.shardsvr.persistence.mountPath }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ $.Values.shardsvr.dataNode.containerSecurityContext.runAsUser }}:{{ $.Values.shardsvr.dataNode.podSecurityContext.fsGroup }} securityContext: runAsUser: 0 + {{- if $.Values.volumePermissions.resources }} resources: {{ toYaml $.Values.volumePermissions.resources | nindent 12 }} + {{- else if ne $.Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" $.Values.volumePermissions.resourcesPreset) | nindent 12 }} + {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir - name: datadir mountPath: {{ $.Values.shardsvr.persistence.mountPath }} {{- if $.Values.shardsvr.persistence.subPath }} 
@@ -102,7 +117,7 @@ spec: image: {{ include "mongodb-sharded.image" $ }} imagePullPolicy: {{ $.Values.image.pullPolicy }} {{- if $.Values.shardsvr.dataNode.containerSecurityContext.enabled }} - securityContext: {{- omit $.Values.shardsvr.dataNode.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.shardsvr.dataNode.containerSecurityContext "context" $) | nindent 12 }} {{- end }} ports: - containerPort: {{ $.Values.common.containerPorts.mongodb }} @@ -114,8 +129,10 @@ spec: value: {{ ternary "true" "false" (or $.Values.image.debug $.Values.diagnosticMode.enabled) | quote }} - name: MONGODB_SYSTEM_LOG_VERBOSITY value: {{ $.Values.common.mongodbSystemLogVerbosity | quote }} - - name: MONGODB_MAX_TIMEOUT - value: {{ $.Values.common.mongodbMaxWaitTimeout | quote }} + - name: MONGODB_INIT_RETRY_ATTEMPTS + value: {{ $.Values.common.mongodbInitRetryAttempts | quote }} + - name: MONGODB_INIT_RETRY_DELAY + value: {{ $.Values.common.mongodbInitRetryDelay | quote }} - name: MONGODB_DISABLE_SYSTEM_LOG {{- if $.Values.common.mongodbDisableSystemLog }} value: "yes" @@ -162,7 +179,6 @@ spec: name: {{ include "mongodb-sharded.secret" $ }} key: mongodb-replica-set-key {{- end }} - {{- include "mongodb-sharded.appAccountEnvs" $ | nindent 12 }} {{- end }} - name: MONGODB_ENABLE_IPV6 {{- if $.Values.common.mongodbEnableIPv6 }} 
@@ -246,6 +262,18 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" $.Values.shardsvr.dataNode.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir - name: replicaset-entrypoint-configmap mountPath: /entrypoint - name: datadir @@ -275,13 +303,17 @@ spec: {{- if $.Values.shardsvr.dataNode.extraVolumeMounts }} {{- include "common.tplvalues.render" ( dict "value" $.Values.shardsvr.dataNode.extraVolumeMounts "context" $ ) | nindent 12 }} {{- end }} + {{- if $.Values.shardsvr.dataNode.resources }} resources: {{- toYaml $.Values.shardsvr.dataNode.resources | nindent 12 }} + {{- else if ne $.Values.shardsvr.dataNode.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" $.Values.shardsvr.dataNode.resourcesPreset) | nindent 12 }} + {{- end }} {{- if $.Values.metrics.enabled }} - name: metrics image: {{ include "mongodb-sharded.metrics.image" $ }} imagePullPolicy: {{ $.Values.metrics.image.pullPolicy | quote }} {{- if $.Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit $.Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.metrics.containerSecurityContext "context" $) | nindent 12 }} {{- end }} env: {{- if $.Values.auth.enabled }} 
@@ -312,11 +344,14 @@ spec: {{- end }} /bin/mongodb_exporter --collect-all --compatible-mode --web.listen-address ":{{ $.Values.metrics.containerPorts.metrics }}" --mongodb.uri mongodb://$(echo $MONGODB_ROOT_USER):$(echo $MONGODB_ROOT_PASSWORD | sed -r "s/@/%40/g;s/:/%3A/g")@localhost:{{ $.Values.common.containerPorts.mongodb }}/admin{{ ternary "?ssl=true" "" $.Values.metrics.useTLS }} {{ $.Values.metrics.extraArgs }} {{- end }} - {{- if $.Values.auth.usePasswordFile }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if $.Values.auth.usePasswordFile }} - name: secrets mountPath: /bitnami/mongodb/secrets/ - {{- end }} + {{- end }} ports: - name: metrics containerPort: {{ $.Values.metrics.containerPorts.metrics }} @@ -345,7 +380,11 @@ spec: port: metrics {{- end }} {{- end }} + {{- if $.Values.metrics.resources }} resources: {{ toYaml $.Values.metrics.resources | nindent 12 }} + {{- else if ne $.Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" $.Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} {{- end }} {{- with $.Values.shardsvr.dataNode.sidecars }} {{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }} @@ -354,6 +393,8 @@ spec: {{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} - name: replicaset-entrypoint-configmap configMap: name: {{ printf "%s-replicaset-entrypoint" (include "common.names.fullname" $) }} @@ -387,7 +428,9 @@ spec: {{- end }} {{- if and $.Values.shardsvr.persistence.enabled }} volumeClaimTemplates: - - metadata: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: name: datadir {{- if or $.Values.shardsvr.persistence.annotations $.Values.commonAnnotations $.Values.shardsvr.persistence.resourcePolicy }} {{- if or $.Values.commonAnnotations $.Values.shardsvr.persistence.annotations $.Values.shardsvr.persistence.resourcePolicy }} 
@@ -408,17 +451,13 @@ spec: {{- range $.Values.shardsvr.persistence.accessModes }} - {{ . | quote }} {{- end }} - {{- if $.Values.shardsvr.persistence.selector }} - selector: -{{ toYaml $.Values.shardsvr.persistence.selector | indent 10 }} - {{- end }} resources: requests: storage: {{ $.Values.shardsvr.persistence.size | quote }} {{- include "common.storage.class" (dict "persistence" $.Values.shardsvr.persistence "global" $.Values.global) | nindent 8 }} {{- else }} - - name: datadir - emptyDir: {} + - name: datadir + emptyDir: {} {{- end }} {{- if lt $i (sub $replicas 1) }} --- diff --git a/solution-base/mongodb/charts/mongodb-sharded/values.yaml b/solution-base/mongodb/charts/mongodb-sharded/values.yaml index b55ebd4090..d934cc7be7 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/values.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/values.yaml @@ -19,7 +19,15 @@ global: ## imagePullSecrets: [] storageClass: "" - + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: disabled ## @section Common parameters ## @@ -47,7 +55,6 @@ clusterDomain: cluster.local ## @param extraDeploy Array of extra objects to deploy with the release ## extraDeploy: [] - ## Enable diagnostic mode in the deployment ## diagnosticMode: 
@@ -62,15 +69,14 @@ diagnosticMode: ## args: - infinity - ## @section MongoDB(®) Sharded parameters ## ## Bitnami MongoDB(®) Sharded image version ## ref: https://hub.docker.com/r/bitnami/mongodb-sharded/tags/ -## @param image.registry MongoDB(®) Sharded image registry -## @param image.repository MongoDB(®) Sharded Image name -## @param image.tag MongoDB(®) Sharded image tag (immutable tags are recommended) +## @param image.registry [default: REGISTRY_NAME] MongoDB(®) Sharded image registry +## @param image.repository [default: REPOSITORY_NAME/mongodb-sharded] MongoDB(®) Sharded Image name +## @skip image.tag MongoDB(®) Sharded image tag (immutable tags are recommended) ## @param image.digest MongoDB(®) Sharded image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param image.pullPolicy MongoDB(®) Sharded image pull policy ## @param image.pullSecrets Specify docker-registry secret names as an array @@ -79,11 +85,11 @@ diagnosticMode: image: registry: docker.io repository: bitnami/mongodb-sharded - tag: 6.0.10-debian-11-r8 + tag: 7.0.6-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -97,7 +103,6 @@ image: ## Set to true if you would like to see extra information on logs ## debug: false - ## MongoDB(®) Authentication parameters ## auth: 
@@ -112,18 +117,16 @@ auth: ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#setting-the-root-user-and-password-on-first-run ## rootPassword: "" - ## @param auth.replicaSetKey Key used for authentication in the replicaset (only when `architecture=replicaset`) + ## @param auth.replicaSetKey Key used for authentication in the replicaset ## replicaSetKey: "" ## @param auth.existingSecret Existing secret with MongoDB(®) credentials (keys: `mongodb-password`, `mongodb-root-password`, `mongodb-replica-set-key`) ## NOTE: When it's set the previous parameters are ignored. ## - existingSecret: mongodb-db-creds + existingSecret: "" ## @param auth.usePasswordFile Mount credentials as files instead of using environment variables ## usePasswordFile: false - - ## @param shards Number of shards to be created ## ref: https://docs.mongodb.com/manual/core/sharded-cluster-shards/ ## @@ -154,9 +157,12 @@ common: ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#configuring-system-log-verbosity-level ## mongodbDisableSystemLog: false - ## @param common.mongodbMaxWaitTimeout Maximum time (in seconds) for MongoDB® nodes to wait for another MongoDB® node to be ready + ## @param common.mongodbInitRetryAttempts Maximum retries for checking the MongoDB® initialization status + ## + mongodbInitRetryAttempts: 24 + ## @param common.mongodbInitRetryDelay Time (in seconds) to wait between retries for checking the MongoDB® initialization status ## - mongodbMaxWaitTimeout: 120 + mongodbInitRetryDelay: 5 ## @param common.initScriptsCM Configmap with init scripts to execute ## initScriptsCM: "" @@ -219,7 +225,7 @@ common: serviceAccount: ## @param common.serviceAccount.create Whether to create a Service Account for all pods automatically ## - create: false + create: true ## @param common.serviceAccount.name Name of a Service Account to be used by all Pods ## If not set and create is true, a name is generated using the XXX.fullname template ## 
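Review bot: `auth.existingSecret` goes from `mongodb-db-creds` back to the upstream default `""`, which looks like a locally customized value being overwritten by the re-vendored chart rather than an intended change. The comment on the key says the other auth parameters are ignored only when it is set, so with it empty the chart would fall back to `rootPassword` and `replicaSetKey`, both also empty here, and would presumably generate credentials instead of reading the existing secret. Please confirm the override is still applied by a higher-level values file or a file in the patches directory, or restore `existingSecret: mongodb-db-creds` here.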
@@ -229,8 +235,7 @@ common: annotations: {} ## @param common.serviceAccount.automountServiceAccountToken Automount service account token for the server service account ## - automountServiceAccountToken: true - + automountServiceAccountToken: false ## Init containers parameters: ## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. ## @@ -238,9 +243,9 @@ volumePermissions: ## @param volumePermissions.enabled Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) ## enabled: false - ## @param volumePermissions.image.registry Init container volume-permissions image registry - ## @param volumePermissions.image.repository Init container volume-permissions image name - ## @param volumePermissions.image.tag Init container volume-permissions image tag + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image name + ## @skip volumePermissions.image.tag Init container volume-permissions image tag ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets @@ -248,7 +253,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r72 + tag: 12-debian-12-r16 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -259,7 +264,19 @@ volumePermissions: ## - myRegistryKeySecretName ## pullSecrets: [] - ## @param volumePermissions.resources Init container resource requests/limit + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi ## resources: {} ## Kubernetes service type 
@@ -327,6 +344,61 @@ service: ## @param service.headless.annotations Annotations for the headless service. ## annotations: {} +## Network Policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Config Server parameters ## 
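Review bot: `networkPolicy.enabled: true` combined with `allowExternal: true` and `allowExternalEgress: true` yields a NetworkPolicy that admits ingress from any source and leaves egress unrestricted, so the object created by default enforces nothing; if segmentation is the goal, the project's values should set `allowExternal: false` and, where feasible, `allowExternalEgress: false` with the required `extraEgress` rules rather than rely on this default. Two comment defects in the new block: `Add extra ingress rules to the NetworkPolice` should read `NetworkPolicy`, and the `extraEgress` description says `Add extra ingress rules` where it should say `Add extra egress rules`.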
@@ -337,10 +409,25 @@ configsvr: ## @param configsvr.replicaCount Number of nodes in the replica set (the first node will be primary) ## replicaCount: 1 - ## @param configsvr.resources Configure pod resources - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param configsvr.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if configsvr.resources is set (configsvr.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param configsvr.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## resources: {} + ## @param configsvr.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param configsvr.hostAliases Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -392,7 +479,7 @@ configsvr: ## affinity: {} ## @param configsvr.nodeSelector Config Server Node labels for pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param configsvr.tolerations Config Server Tolerations for pod assignment 
@@ -479,7 +566,7 @@ configsvr: ## maxUnavailable: 1 ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param configsvr.persistence.enabled Use a PVC to persist data @@ -520,7 +607,7 @@ configsvr: serviceAccount: ## @param configsvr.serviceAccount.create Specifies whether a ServiceAccount should be created for Config Server ## - create: false + create: true ## @param configsvr.serviceAccount.name Name of a Service Account to be used by Config Server ## If not set and create is true, a name is generated using the XXX.fullname template ## @@ -530,7 +617,7 @@ configsvr: annotations: {} ## @param configsvr.serviceAccount.automountServiceAccountToken Automount service account token for the server service account ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## Use a external config server instead of deploying one ## external: 
@@ -549,23 +636,43 @@ configsvr: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param configsvr.podSecurityContext.enabled Enable security context + ## @param configsvr.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param configsvr.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param configsvr.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param configsvr.podSecurityContext.fsGroup Group ID for the container ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param configsvr.containerSecurityContext.enabled Enabled containers' Security Context + ## @param configsvr.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param configsvr.containerSecurityContext.runAsUser Set containers' Security Context runAsUser - ## @param configsvr.containerSecurityContext.runAsNonRoot Set containers' Security Context runAsNonRoot - ## @param configsvr.containerSecurityContext.readOnlyRootFilesystem Set containers' Security Context runAsNonRoot + ## @param configsvr.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param configsvr.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param configsvr.containerSecurityContext.privileged Set container's Security Context privileged + ## @param configsvr.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param configsvr.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param 
configsvr.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param configsvr.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true + seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true + privileged: false readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## @param configsvr.command Override default container command (useful when using custom images) ## command: @@ -613,7 +720,6 @@ configsvr: timeoutSeconds: 20 failureThreshold: 6 successThreshold: 1 - ## Configure extra options for startup probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes ## @param configsvr.startupProbe.enabled Enable startupProbe @@ -630,7 +736,6 @@ configsvr: timeoutSeconds: 5 failureThreshold: 30 successThreshold: 1 - ## @param configsvr.customLivenessProbe Custom livenessProbe that overrides the default one ## customLivenessProbe: {} @@ -640,7 +745,6 @@ configsvr: ## @param configsvr.customStartupProbe Custom startupProbe that overrides the default one ## customStartupProbe: {} - ## @section Mongos parameters ## 
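Review bot: The hardened `containerSecurityContext` for configsvr (capabilities dropped, `allowPrivilegeEscalation: false`, `RuntimeDefault` seccomp) still leaves `readOnlyRootFilesystem: false`, and the same applies to the parallel blocks for mongos, shardsvr.dataNode, shardsvr.arbiter and metrics in the hunks below. Flipping it is a hardening step worth tracking, but not blindly: the MongoDB and exporter containers may write to the root filesystem at startup, so it needs testing with writable `emptyDir` mounts for whatever paths turn out to be written. `runAsGroup: 0` next to `runAsNonRoot: true` is presumably the Bitnami image convention for file permissions, but since it differs from `fsGroup: 1001` it deserves a line in the upgrade notes.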
@@ -651,10 +755,25 @@ mongos: ## @param mongos.replicaCount Number of replicas ## replicaCount: 1 - ## @param mongos.resources Configure pod resources - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param mongos.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if mongos.resources is set (mongos.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param mongos.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## resources: {} + ## @param mongos.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param mongos.hostAliases Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -706,7 +825,7 @@ mongos: ## affinity: {} ## @param mongos.nodeSelector Mongos Node labels for pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param mongos.tolerations Mongos Tolerations for pod assignment @@ -859,7 +978,7 @@ mongos: serviceAccount: ## @param mongos.serviceAccount.create Whether to create a Service Account for mongos automatically ## - create: false + create: true ## @param mongos.serviceAccount.name Name of a Service Account to be used by mongos ## If not set and create is true, a name is generated using the XXX.fullname template ## 
@@ -869,27 +988,47 @@ mongos: annotations: {} ## @param mongos.serviceAccount.automountServiceAccountToken Automount service account token for the server service account ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param mongos.podSecurityContext.enabled Enable security context + ## @param mongos.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param mongos.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param mongos.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param mongos.podSecurityContext.fsGroup Group ID for the container ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param mongos.containerSecurityContext.enabled Enabled containers' Security Context + ## @param mongos.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param mongos.containerSecurityContext.runAsUser Set containers' Security Context runAsUser - ## @param mongos.containerSecurityContext.runAsNonRoot Set containers' Security Context runAsNonRoot - ## @param mongos.containerSecurityContext.readOnlyRootFilesystem Set containers' Security Context runAsNonRoot + ## @param mongos.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param mongos.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param mongos.containerSecurityContext.privileged Set container's Security Context privileged + ## @param mongos.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## 
@param mongos.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param mongos.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param mongos.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true + seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true + privileged: false readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## @param mongos.command Override default container command (useful when using custom images) ## command: [] @@ -935,7 +1074,6 @@ mongos: timeoutSeconds: 20 failureThreshold: 6 successThreshold: 1 - ## Configure extra options for startup probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes ## @param mongos.startupProbe.enabled Enable startupProbe @@ -952,7 +1090,6 @@ mongos: timeoutSeconds: 5 failureThreshold: 30 successThreshold: 1 - ## @param mongos.customLivenessProbe Custom livenessProbe that overrides the default one ## customLivenessProbe: {} 
@@ -975,8 +1112,20 @@ shardsvr: ## @param shardsvr.dataNode.replicaCount Number of nodes in each shard replica set (the first node will be primary) ## replicaCount: 1 - ## @param shardsvr.dataNode.resources Configure pod resources - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param shardsvr.dataNode.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if shardsvr.dataNode.resources is set (shardsvr.dataNode.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param shardsvr.dataNode.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## resources: {} ## @param shardsvr.dataNode.mongodbExtraFlags MongoDB® additional command line flags @@ -1031,7 +1180,7 @@ shardsvr: ## affinity: {} ## @param shardsvr.dataNode.nodeSelector Data nodes Node labels for pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## You can set dataNodeLoopId (or any other parameter) by setting the below code block under this 'nodeSelector' section: ## nodeSelector: { shardId: "{{ .dataNodeLoopId }}" } ## 
@@ -1055,6 +1204,9 @@ shardsvr: ## updateStrategy: type: RollingUpdate + ## @param shardsvr.dataNode.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param shardsvr.dataNode.hostAliases Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -1135,7 +1287,7 @@ shardsvr: serviceAccount: ## @param shardsvr.dataNode.serviceAccount.create Specifies whether a ServiceAccount should be created for shardsvr ## - create: false + create: true ## @param shardsvr.dataNode.serviceAccount.name Name of a Service Account to be used by shardsvr data pods ## If not set and create is true, a name is generated using the XXX.fullname template ## 
@@ -1145,27 +1297,47 @@ shardsvr: annotations: {} ## @param shardsvr.dataNode.serviceAccount.automountServiceAccountToken Automount service account token for the server service account ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param shardsvr.dataNode.podSecurityContext.enabled Enable security context + ## @param shardsvr.dataNode.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param shardsvr.dataNode.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param shardsvr.dataNode.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param shardsvr.dataNode.podSecurityContext.fsGroup Group ID for the container ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param shardsvr.dataNode.containerSecurityContext.enabled Enabled containers' Security Context + ## @param shardsvr.dataNode.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param shardsvr.dataNode.containerSecurityContext.runAsUser Set containers' Security Context runAsUser - ## @param shardsvr.dataNode.containerSecurityContext.runAsNonRoot Set containers' Security Context runAsNonRoot - ## @param shardsvr.dataNode.containerSecurityContext.readOnlyRootFilesystem Set containers' Security Context runAsNonRoot + ## @param shardsvr.dataNode.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param shardsvr.dataNode.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param shardsvr.dataNode.containerSecurityContext.privileged Set container's 
Security Context privileged + ## @param shardsvr.dataNode.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param shardsvr.dataNode.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param shardsvr.dataNode.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param shardsvr.dataNode.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true + seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true + privileged: false readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## @param shardsvr.dataNode.command Override default container command (useful when using custom images) ## command: @@ -1213,7 +1385,6 @@ shardsvr: timeoutSeconds: 20 failureThreshold: 6 successThreshold: 1 - ## Configure extra options for startup probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes ## @param shardsvr.dataNode.startupProbe.enabled Enable startupProbe @@ -1230,7 +1401,6 @@ shardsvr: timeoutSeconds: 5 failureThreshold: 30 successThreshold: 1 - ## @param shardsvr.dataNode.customLivenessProbe Custom livenessProbe that overrides the default one ## customLivenessProbe: {} @@ -1240,12 +1410,11 @@ shardsvr: ## @param shardsvr.dataNode.customStartupProbe Custom startupProbe that overrides the default one ## customStartupProbe: {} - ## @section Shard configuration: Persistence parameters ## ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param shardsvr.persistence.enabled Use a PVC to persist data 
@@ -1279,7 +1448,6 @@ shardsvr: annotations: {} ## @param shardsvr.persistence.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted resourcePolicy: "" - ## @section Shard configuration: Arbiter parameters ## @@ -1290,12 +1458,27 @@ shardsvr: ## @param shardsvr.arbiter.replicaCount Number of arbiters in each shard replica set (the first node will be primary) ## replicaCount: 0 + ## @param shardsvr.arbiter.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param shardsvr.arbiter.hostAliases Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] - ## @param shardsvr.arbiter.resources Configure pod resources - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param shardsvr.arbiter.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if shardsvr.arbiter.resources is set (shardsvr.arbiter.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param shardsvr.arbiter.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## resources: {} ## @param shardsvr.arbiter.mongodbExtraFlags MongoDB® additional command line flags 
@@ -1350,7 +1533,7 @@ shardsvr: ## affinity: {} ## @param shardsvr.arbiter.nodeSelector Arbiter's Node labels for pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param shardsvr.arbiter.tolerations Arbiter's Tolerations for pod assignment @@ -1430,7 +1613,7 @@ shardsvr: serviceAccount: ## @param shardsvr.arbiter.serviceAccount.create Specifies whether a ServiceAccount should be created for shardsvr arbiter nodes ## - create: false + create: true ## @param shardsvr.arbiter.serviceAccount.name Name of a Service Account to be used by shardsvr arbiter pods ## If not set and create is true, a name is generated using the XXX.fullname template ## 
@@ -1440,27 +1623,47 @@ shardsvr: annotations: {} ## @param shardsvr.arbiter.serviceAccount.automountServiceAccountToken Automount service account token for the server service account ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param shardsvr.arbiter.podSecurityContext.enabled Enable security context + ## @param shardsvr.arbiter.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param shardsvr.arbiter.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param shardsvr.arbiter.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param shardsvr.arbiter.podSecurityContext.fsGroup Group ID for the container ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param shardsvr.arbiter.containerSecurityContext.enabled Enabled containers' Security Context + ## @param shardsvr.arbiter.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param shardsvr.arbiter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser - ## @param shardsvr.arbiter.containerSecurityContext.runAsNonRoot Set containers' Security Context runAsNonRoot - ## @param shardsvr.arbiter.containerSecurityContext.readOnlyRootFilesystem Set containers' Security Context runAsNonRoot + ## @param shardsvr.arbiter.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param shardsvr.arbiter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param shardsvr.arbiter.containerSecurityContext.privileged Set container's Security 
Context privileged + ## @param shardsvr.arbiter.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param shardsvr.arbiter.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param shardsvr.arbiter.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param shardsvr.arbiter.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true + seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true + privileged: false readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## @param shardsvr.arbiter.command Override default container command (useful when using custom images) ## command: [] @@ -1506,7 +1709,6 @@ shardsvr: timeoutSeconds: 20 failureThreshold: 6 successThreshold: 1 - ## Configure extra options for startup probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes ## @param shardsvr.arbiter.startupProbe.enabled Enable startupProbe @@ -1523,7 +1725,6 @@ shardsvr: timeoutSeconds: 5 failureThreshold: 30 successThreshold: 1 - ## @param shardsvr.arbiter.customLivenessProbe Custom livenessProbe that overrides the default one ## customLivenessProbe: {} 
@@ -1540,9 +1741,9 @@ metrics: ## @param metrics.enabled Start a side-car prometheus exporter ## enabled: false - ## @param metrics.image.registry MongoDB® exporter image registry - ## @param metrics.image.repository MongoDB® exporter image name - ## @param metrics.image.tag MongoDB® exporter image tag + ## @param metrics.image.registry [default: REGISTRY_NAME] MongoDB® exporter image registry + ## @param metrics.image.repository [default: REPOSITORY_NAME/mongodb-exporter] MongoDB® exporter image name + ## @skip metrics.image.tag MongoDB® exporter image tag ## @param metrics.image.digest MongoDB® exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param metrics.image.pullPolicy MongoDB® exporter image pull policy ## @param metrics.image.pullSecrets MongoDB® exporter image pull secrets @@ -1550,7 +1751,7 @@ metrics: image: registry: docker.io repository: bitnami/mongodb-exporter - tag: 0.39.0-debian-11-r106 + tag: 0.40.0-debian-12-r12 digest: "" pullPolicy: Always ## Optionally specify an array of imagePullSecrets. 
@@ -1567,23 +1768,49 @@ metrics: ## @param metrics.extraArgs String with extra arguments to the metrics exporter ## ref: https://github.com/percona/mongodb_exporter/blob/main/main.go ## - extraArgs: "--collector.diagnosticdata --collector.replicasetstatus --collector.dbstats --collector.topmetrics --compatible-mode" - ## @param metrics.resources Metrics exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + extraArgs: "" + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## resources: {} ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser - ## @param metrics.containerSecurityContext.runAsNonRoot Set containers' Security Context runAsNonRoot - ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set containers' Security Context runAsNonRoot + ## @param metrics.containerSecurityContext.runAsGroup Set 
containers' Security Context runAsGroup + ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged + ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true + seLinuxOptions: null runAsUser: 1001 + runAsGroup: 0 runAsNonRoot: true + privileged: false readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## Metrics exporter liveness probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) ## @param metrics.livenessProbe.enabled Enable livenessProbe @@ -1632,7 +1859,6 @@ metrics: timeoutSeconds: 2 failureThreshold: 15 successThreshold: 1 - ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one ## customLivenessProbe: {} From e1d160fb8c14cdcfb9d008836070c133879a54bf Mon Sep 17 00:00:00 2001 
From: Maha Benzekri Date: Thu, 20 Feb 2025 12:12:09 +0100 Subject: [PATCH 4/4] patches update Issue: ZENKO-4950 --- .../mongodb-sharded/templates/_helpers.tpl | 22 ++++++++++++++++ .../config-server-statefulset.yaml | 14 +++++----- .../templates/mongos/mongos-dep-sts.yaml | 10 ++++++- .../replicaset-entrypoint-configmap.yaml | 11 ++++++++ .../shard/shard-data-podmonitor.yaml | 6 +---- .../shard/shard-data-statefulset.yaml | 14 +++++----- .../charts/mongodb-sharded/values.yaml | 4 +-- .../mongodb/patches/credentials-helper.patch | 15 +++++------ .../mongodb-exporter-configuration.patch | 8 +++--- .../mongodb-sharded-add-pv-selector.patch | 8 +++--- .../mongodb/patches/mongos-dep-sts.patch | 26 +++++++++---------- .../replicaset-entrypoint-configmap.patch | 9 +++---- .../mongodb/patches/secret-name.patch | 4 +-- .../patches/statefulset-permissions.patch | 12 ++++----- 14 files changed, 95 insertions(+), 68 deletions(-) diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/_helpers.tpl b/solution-base/mongodb/charts/mongodb-sharded/templates/_helpers.tpl index 2929960de2..a7aa903154 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/_helpers.tpl +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/_helpers.tpl @@ -37,6 +37,10 @@ Usage: {{- end -}} {{- end -}} +{{- define "mongodb-sharded.configServer.serviceName" -}} + {{- printf "%s-configsvr.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain -}} +{{- end -}} + {{- define "mongodb-sharded.configServer.rsName" -}} {{- if .Values.configsvr.external.replicasetName -}} {{- .Values.configsvr.external.replicasetName }} 
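Review bot: The new `mongodb-sharded.configServer.serviceName` helper unconditionally builds the in-cluster FQDN from `common.names.fullname`, `.Release.Namespace` and `.Values.clusterDomain`, whereas the adjacent `configServer.rsName` helper first honours `.Values.configsvr.external.replicasetName`; if the chart's external config-server values are still meant to work in this solution, mongos would now be pointed at a DNS name that does not exist. Mirroring the rsName shape — `{{- if .Values.configsvr.external.host -}}{{ .Values.configsvr.external.host }}{{- else -}}` around the existing `printf`, closed with `{{- end -}}` — keeps the two helpers consistent (confirm the exact external-host key in values.yaml). The define also deserves a one-line comment above it, e.g. `{{/* Headless-service FQDN of the config servers, consumed by mongos as MONGODB_CFG_PRIMARY_HOST */}}`, since the name "serviceName" does not say it is an FQDN.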
@@ -249,3 +253,21 @@ mongodb: .Values.mongos.servicePerReplica.loadBalancerIPs {{- include "common.warnings.rollingTag" .Values.metrics.image }} {{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} {{- end -}} +{{/* app credentials environment variables */}} +{{- define "mongodb-sharded.appAccountEnvs" -}} +- name: MONGODB_APP_USERNAME + valueFrom: + secretKeyRef: + name: {{ include "mongodb-sharded.secret" $ }} + key: mongodb-username +- name: MONGODB_APP_DATABASE + valueFrom: + secretKeyRef: + name: {{ include "mongodb-sharded.secret" $ }} + key: mongodb-database +- name: MONGODB_APP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb-sharded.secret" $ }} + key: mongodb-password +{{- end -}} diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml index 4dcb327b5e..202a5a305b 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml 
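Review bot: `MONGODB_APP_PASSWORD` is placed in the container environment through `secretKeyRef` regardless of `auth.usePasswordFile`, the option this chart documents as "mount credentials as files instead of using environment variables"; an environment-borne password is readable from `/proc/*/environ`, inherited by every child process and captured in crash dumps, so the helper should at least omit the `MONGODB_APP_PASSWORD` item when that flag is set (wrap it in `{{- if not $.Values.auth.usePasswordFile }}` … `{{- end }}`), or the limitation should be stated where `usePasswordFile` is documented. The helper also hard-requires `mongodb-username` and `mongodb-database` keys in the secret returned by `mongodb-sharded.secret`; a user-supplied `auth.existingSecret` without them leaves every config-server and shard pod in CreateContainerConfigError. A header comment naming the contract, `{{/* Application account env vars; the auth secret must carry mongodb-username, mongodb-database and mongodb-password */}}`, would make that visible to whoever provisions the secret.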
@@ -78,14 +78,7 @@ spec: - name: volume-permissions image: {{ include "mongodb-sharded.volumePermissions.image" . }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - command: - - /bin/bash - args: - - -ec - - | - mkdir -p {{ .Values.configsvr.persistence.mountPath }}{{- if .Values.configsvr.persistence.subPath }}/{{ include "common.tplvalues.render" (dict "value" .Values.configsvr.persistence.subPath "context" $) }}{{- end }} - chown {{ .Values.configsvr.containerSecurityContext.runAsUser }}:{{ .Values.configsvr.podSecurityContext.fsGroup }} {{ .Values.configsvr.persistence.mountPath }}{{- if .Values.configsvr.persistence.subPath }}/{{ include "common.tplvalues.render" (dict "value" .Values.configsvr.persistence.subPath "context" $) }}{{- end }} - find {{ .Values.configsvr.persistence.mountPath }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.configsvr.containerSecurityContext.runAsUser }}:{{ .Values.configsvr.podSecurityContext.fsGroup }} + command: ["chown", "-R", "{{ .Values.configsvr.containerSecurityContext.runAsUser }}:{{ .Values.configsvr.podSecurityContext.fsGroup }}", "{{ .Values.configsvr.persistence.mountPath }}"] securityContext: runAsUser: 0 {{- if .Values.volumePermissions.resources }} @@ -172,6 +165,7 @@ spec: name: {{ include "mongodb-sharded.secret" . }} key: mongodb-replica-set-key {{- end }} + {{- include "mongodb-sharded.appAccountEnvs" $ | nindent 12 }} {{- end }} - name: MONGODB_ENABLE_IPV6 {{- if .Values.common.mongodbEnableIPv6 }} @@ -444,6 +438,10 @@ spec: {{- range .Values.configsvr.persistence.accessModes }} - {{ . | quote }} {{- end }} + {{- if .Values.configsvr.persistence.selector }} + selector: +{{ toYaml .Values.configsvr.persistence.selector | indent 10 }} + {{- end }} resources: requests: storage: {{ .Values.configsvr.persistence.size | quote }} 
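Review bot: Replacing the `-ec` script with a bare `chown -R <uid>:<gid> <mountPath>` drops two safeguards the removed lines had — the `mkdir -p` of `configsvr.persistence.subPath` and the `find … -not -name ".snapshot" -not -name "lost+found"` exclusion — so on NFS-style volumes that expose a read-only `.snapshot` directory the root init container now exits non-zero and the StatefulSet never starts, and a configured subPath is no longer created or chowned by this step. If the rewrite is only about readability, keep the guarded form (still visible on the removed side) and drop only the parts that were actually unwanted; if the exclusions were dropped deliberately, record that above the init container, e.g. `# chown the whole volume; .snapshot/lost+found are not expected on the supported storage classes`. Note the container still runs as root (`runAsUser: 0`) and the recursion walks every file on the volume on each pod start, so the cost profile is unchanged from before.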
diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/mongos/mongos-dep-sts.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/mongos/mongos-dep-sts.yaml index 6b321eab64..2d5aac4f5b 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/mongos/mongos-dep-sts.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/mongos/mongos-dep-sts.yaml @@ -93,6 +93,9 @@ spec: {{- if .Values.mongos.containerSecurityContext.enabled }} securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.mongos.containerSecurityContext "context" $) | nindent 12 }} {{- end }} + command: + - /bin/bash + - /entrypoint/mongos-entrypoint.sh env: - name: MONGODB_ENABLE_NUMACTL value: {{ ternary "yes" "no" $.Values.common.mongodbEnableNumactl | quote }} @@ -136,7 +139,7 @@ spec: - name: MONGODB_PORT_NUMBER value: {{ $.Values.common.containerPorts.mongodb | quote }} - name: MONGODB_CFG_PRIMARY_HOST - value: {{ include "mongodb-sharded.configServer.primaryHost" . }} + value: {{ include "mongodb-sharded.configServer.serviceName" . }} - name: MONGODB_CFG_REPLICA_SET_NAME value: {{ include "mongodb-sharded.configServer.rsName" . }} - name: MONGODB_SYSTEM_LOG_VERBOSITY @@ -233,6 +236,8 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.mongos.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: replicaset-entrypoint-configmap + mountPath: /entrypoint - name: empty-dir mountPath: /tmp subPath: tmp-dir @@ -349,6 +354,9 @@ spec: {{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }} {{- end }} volumes: + - name: replicaset-entrypoint-configmap + configMap: + name: {{ include "common.names.fullname" . }}-replicaset-entrypoint - name: empty-dir emptyDir: {} {{- if .Values.auth.usePasswordFile }} 
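Review bot: The `command:` override is rendered unconditionally right after `securityContext`, so if the template still renders a user-supplied `.Values.mongos.command` further down (the chart exposes `command: []` parameters for the other components in this series) the mongos container ends up with a duplicate `command` key, which Helm or the API server either rejects or resolves last-wins. Guard the override with `{{- if not .Values.mongos.command }}` … `{{- end }}` (or set the default through `mongos.command` in values.yaml instead of the template), and add a comment on the new lines saying why the image entrypoint is bypassed: `# wrapper entrypoint from the replicaset-entrypoint ConfigMap: disables mongosh telemetry, then execs the image entrypoint`. Since the mounted ConfigMap is the code the container executes, marking the `volumeMounts` entry `readOnly: true` also makes that intent explicit.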
diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/replicaset-entrypoint-configmap.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/replicaset-entrypoint-configmap.yaml index 0427ec0cf6..dde278bdf4 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/replicaset-entrypoint-configmap.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/replicaset-entrypoint-configmap.yaml @@ -13,6 +13,13 @@ metadata: annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} data: + mongos-entrypoint.sh: |- + #!/bin/bash + . /liblog.sh + # Disable MongoSH telemetry to support offline deployments + mongosh --nodb --eval "disableTelemetry()" + info "MongoDB Telemetry is now disabled." + exec /entrypoint.sh /run.sh replicaset-entrypoint.sh: |- #!/bin/bash @@ -36,4 +43,8 @@ data: {{- end }} fi + # Disable MongoSH telemetry to support offline deployments + mongosh --nodb --eval "disableTelemetry()" + info "MongoDB Telemetry is now disabled." + exec /entrypoint.sh /run.sh diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-podmonitor.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-podmonitor.yaml index d2c9c0cbe9..657764ac98 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-podmonitor.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-podmonitor.yaml @@ -4,8 +4,7 @@ SPDX-License-Identifier: APACHE-2.0 */}} {{- if and .Values.shards .Values.metrics.enabled .Values.metrics.podMonitor.enabled }} -{{- $replicas := .Values.shards | int }} -{{- range $i, $e := until $replicas }} +{{- $i := 0 }} apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: 
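Review bot: Both new scripts ignore the exit status of `mongosh --nodb --eval "disableTelemetry()"` and then log "MongoDB Telemetry is now disabled." unconditionally, so on the air-gapped cluster this change is meant for, a failure (mongosh unable to write its config under `$HOME` as uid 1001, or the binary missing from the image) is reported as success. Replace the two lines with `if mongosh --nodb --quiet --eval "disableTelemetry()" >/dev/null; then info "MongoDB Telemetry is now disabled."; else warn "Could not disable mongosh telemetry"; fi` (`warn` comes from the same liblog.sh). Also confirm that `/liblog.sh`, `/entrypoint.sh` and `/run.sh` still exist at those root paths in `bitnami/mongodb-sharded:7.0.6-debian-12-r0`; newer Bitnami images keep their scripts under `/opt/bitnami/scripts/`, and a missing file here would only surface as a crash loop. The telemetry block is now duplicated verbatim in both scripts; a comment pointing at the sibling, or one shared snippet, would keep them from drifting.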
@@ -36,7 +35,4 @@ spec: selector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: shardsvr - shard: {{ $i | quote }} ---- -{{- end }} {{- end }} diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml index 5e64838124..0e6ed5a02e 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml 
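Review bot: With the `range` over shards replaced by `{{- $i := 0 }}` and the `shard:` label dropped from the selector, this single PodMonitor now matches every pod labelled `app.kubernetes.io/component: shardsvr`; if the arbiter StatefulSet (a separate workload with its own `shardsvr.arbiter` security context in this series) carries the same component label and runs no exporter sidecar, Prometheus will list those pods as permanently down targets — check the arbiter pod labels. `$i` is presumably only still referenced in the object name outside the hunk; if it exists just to keep a `-shard0` suffix, drop it and name the resource for what it now is, with a comment at the top of the template such as `{{/* one PodMonitor covers all shard data pods; they are selected by component label, not per shard */}}`.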
@@ -81,14 +81,7 @@ spec: - name: volume-permissions image: {{ include "mongodb-sharded.volumePermissions.image" $ }} imagePullPolicy: {{ $.Values.volumePermissions.image.pullPolicy | quote }} - command: - - /bin/bash - args: - - -ec - - | - mkdir -p {{ $.Values.shardsvr.persistence.mountPath }}{{- if $.Values.shardsvr.persistence.subPath }}/{{ include "common.tplvalues.render" (dict "value" $.Values.shardsvr.persistence.subPath "context" $) }}{{- end }} - chown {{ $.Values.shardsvr.dataNode.containerSecurityContext.runAsUser }}:{{ $.Values.shardsvr.dataNode.podSecurityContext.fsGroup }} {{ $.Values.shardsvr.persistence.mountPath }}{{- if $.Values.shardsvr.persistence.subPath }}/{{ include "common.tplvalues.render" (dict "value" $.Values.shardsvr.persistence.subPath "context" $) }}{{- end }} - find {{ $.Values.shardsvr.persistence.mountPath }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ $.Values.shardsvr.dataNode.containerSecurityContext.runAsUser }}:{{ $.Values.shardsvr.dataNode.podSecurityContext.fsGroup }} + command: ["chown", "-R", "{{ $.Values.shardsvr.dataNode.containerSecurityContext.runAsUser }}:{{ $.Values.shardsvr.dataNode.podSecurityContext.fsGroup }}", "{{ $.Values.shardsvr.persistence.mountPath }}"] securityContext: runAsUser: 0 {{- if $.Values.volumePermissions.resources }} @@ -179,6 +172,7 @@ spec: name: {{ include "mongodb-sharded.secret" $ }} key: mongodb-replica-set-key {{- end }} + {{- include "mongodb-sharded.appAccountEnvs" $ | nindent 12 }} {{- end }} - name: MONGODB_ENABLE_IPV6 {{- if $.Values.common.mongodbEnableIPv6 }} @@ -451,6 +445,10 @@ spec: {{- range $.Values.shardsvr.persistence.accessModes }} - {{ . | quote }} {{- end }} + {{- if $.Values.shardsvr.persistence.selector }} + selector: +{{ toYaml $.Values.shardsvr.persistence.selector | indent 10 }} + {{- end }} resources: requests: storage: {{ $.Values.shardsvr.persistence.size | quote }} 
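Review bot: As in the config-server StatefulSet, the one-liner `chown -R` no longer creates or specifically targets `shardsvr.persistence.subPath`; the `{{ $.Values.shardsvr.persistence.subPath }}` handling on the removed side was the only place the chart ensured that directory existed with the right owner before mongod (uid 1001) mounts it, so a deployment that sets a subPath may now find it absent or root-owned. Either keep the `mkdir -p` plus subPath-aware `chown` from the removed lines, or record that the option is unsupported here: `## NOTE: shardsvr.persistence.subPath is not honoured by the volume-permissions init container` next to the persistence values. The `.snapshot`/`lost+found` exclusion is lost in this template too, with the same read-only-directory failure mode, so both templates should receive the same fix.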
diff --git a/solution-base/mongodb/charts/mongodb-sharded/values.yaml b/solution-base/mongodb/charts/mongodb-sharded/values.yaml index d934cc7be7..bb4607cf9f 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/values.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/values.yaml @@ -123,7 +123,7 @@ auth: ## @param auth.existingSecret Existing secret with MongoDB(®) credentials (keys: `mongodb-password`, `mongodb-root-password`, `mongodb-replica-set-key`) ## NOTE: When it's set the previous parameters are ignored. ## - existingSecret: "" + existingSecret: mongodb-db-creds ## @param auth.usePasswordFile Mount credentials as files instead of using environment variables ## usePasswordFile: false @@ -1768,7 +1768,7 @@ metrics: ## @param metrics.extraArgs String with extra arguments to the metrics exporter ## ref: https://github.com/percona/mongodb_exporter/blob/main/main.go ## - extraArgs: "" + extraArgs: "--collector.diagnosticdata --collector.replicasetstatus --collector.dbstats --collector.topmetrics --compatible-mode" ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## diff --git a/solution-base/mongodb/patches/credentials-helper.patch b/solution-base/mongodb/patches/credentials-helper.patch index bcca95059f..343f029b5a 100644 --- a/solution-base/mongodb/patches/credentials-helper.patch +++ b/solution-base/mongodb/patches/credentials-helper.patch @@ -1,12 +1,11 @@ diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/_helpers.tpl b/solution-base/mongodb/charts/mongodb-sharded/templates/_helpers.tpl -index 2929960d..3f804a2c 100644 +index 2929960d..293980e4 100644 
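Review bot: The `auth.existingSecret` description still lists the keys as `mongodb-password`, `mongodb-root-password` and `mongodb-replica-set-key`, but with the default now pinned to `mongodb-db-creds` and the `mongodb-sharded.appAccountEnvs` helper added in this series also reading `mongodb-username` and `mongodb-database` from the same secret, an operator who provisions the secret from this comment gets pods stuck in CreateContainerConfigError. Update the line to `## @param auth.existingSecret Existing secret with MongoDB(®) credentials (keys: \`mongodb-username\`, \`mongodb-database\`, \`mongodb-password\`, \`mongodb-root-password\`, \`mongodb-replica-set-key\`)` and add that the secret must pre-exist in the release namespace, since (per the NOTE just below) the inline auth values are ignored once it is set.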
--- a/solution-base/mongodb/charts/mongodb-sharded/templates/_helpers.tpl +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/_helpers.tpl -@@ -249,3 +249,22 @@ mongodb: .Values.mongos.servicePerReplica.loadBalancerIPs +@@ -249,3 +249,21 @@ mongodb: .Values.mongos.servicePerReplica.loadBalancerIPs {{- include "common.warnings.rollingTag" .Values.metrics.image }} {{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} {{- end -}} -+ +{{/* app credentials environment variables */}} +{{- define "mongodb-sharded.appAccountEnvs" -}} +- name: MONGODB_APP_USERNAME @@ -26,10 +25,10 @@ index 2929960d..3f804a2c 100644 + key: mongodb-password +{{- end -}} diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml -index 6a45fed9..3d87bb8b 100644 +index 4dcb327b..091471e4 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml -@@ -162,6 +162,7 @@ spec: +@@ -172,6 +172,7 @@ spec: name: {{ include "mongodb-sharded.secret" . }} key: mongodb-replica-set-key {{- end }} @@ -38,10 +37,10 @@ index 6a45fed9..3d87bb8b 100644 - name: MONGODB_ENABLE_IPV6 {{- if .Values.common.mongodbEnableIPv6 }} diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml -index 3827a7de..775cd30d 100644 +index 5e648381..4fa00293 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml 
+++ b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml -@@ -169,6 +169,7 @@ spec: +@@ -179,6 +179,7 @@ spec: name: {{ include "mongodb-sharded.secret" $ }} key: mongodb-replica-set-key {{- end }} @@ -49,5 +48,3 @@ index 3827a7de..775cd30d 100644 {{- end }} - name: MONGODB_ENABLE_IPV6 {{- if $.Values.common.mongodbEnableIPv6 }} --- -2.25.1 diff --git a/solution-base/mongodb/patches/mongodb-exporter-configuration.patch b/solution-base/mongodb/patches/mongodb-exporter-configuration.patch index 3aabc114cb..a26917b053 100644 --- a/solution-base/mongodb/patches/mongodb-exporter-configuration.patch +++ b/solution-base/mongodb/patches/mongodb-exporter-configuration.patch @@ -1,13 +1,13 @@ diff --git a/solution-base/mongodb/charts/mongodb-sharded/values.yaml b/solution-base/mongodb/charts/mongodb-sharded/values.yaml -index 368576d2..68255050 100644 +index d934cc7b..83f60e80 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/values.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/values.yaml -@@ -1567,7 +1567,7 @@ metrics: +@@ -1768,7 +1768,7 @@ metrics: ## @param metrics.extraArgs String with extra arguments to the metrics exporter ## ref: https://github.com/percona/mongodb_exporter/blob/main/main.go ## - extraArgs: "" + extraArgs: "--collector.diagnosticdata --collector.replicasetstatus --collector.dbstats --collector.topmetrics --compatible-mode" - ## @param metrics.resources Metrics exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## 
diff --git a/solution-base/mongodb/patches/mongodb-sharded-add-pv-selector.patch b/solution-base/mongodb/patches/mongodb-sharded-add-pv-selector.patch index b24d3e54be..e897a84c43 100644 --- a/solution-base/mongodb/patches/mongodb-sharded-add-pv-selector.patch +++ b/solution-base/mongodb/patches/mongodb-sharded-add-pv-selector.patch @@ -1,8 +1,8 @@ diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml -index 6a45fed9..37ec1712 100644 +index 091471e4..87057f69 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml -@@ -407,6 +407,10 @@ spec: +@@ -445,6 +445,10 @@ spec: {{- range .Values.configsvr.persistence.accessModes }} - {{ . | quote }} {{- end }} @@ -14,10 +14,10 @@ index 6a45fed9..37ec1712 100644 requests: storage: {{ .Values.configsvr.persistence.size | quote }} diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml -index 3827a7de..180dda87 100644 +index 4fa00293..89883c12 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml -@@ -414,6 +414,10 @@ spec: +@@ -452,6 +452,10 @@ spec: {{- range $.Values.shardsvr.persistence.accessModes }} - {{ . | quote }} {{- end }} diff --git a/solution-base/mongodb/patches/mongos-dep-sts.patch b/solution-base/mongodb/patches/mongos-dep-sts.patch index 468b90d0b0..d6f20ba6cd 100644 --- a/solution-base/mongodb/patches/mongos-dep-sts.patch +++ b/solution-base/mongodb/patches/mongos-dep-sts.patch @@ -1,18 +1,18 @@ 
diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/mongos/mongos-dep-sts.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/mongos/mongos-dep-sts.yaml -index 73890420..e7fd18a6 100644 +index 6b321eab..764c6b25 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/mongos/mongos-dep-sts.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/mongos/mongos-dep-sts.yaml -@@ -92,6 +92,9 @@ spec: +@@ -93,6 +93,9 @@ spec: {{- if .Values.mongos.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.mongos.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.mongos.containerSecurityContext "context" $) | nindent 12 }} {{- end }} + command: -+ - /bin/bash -+ - /entrypoint/mongos-entrypoint.sh +++ - /bin/bash +++ - /entrypoint/mongos-entrypoint.sh env: - name: MONGODB_ENABLE_NUMACTL value: {{ ternary "yes" "no" $.Values.common.mongodbEnableNumactl | quote }} -@@ -133,7 +136,7 @@ spec: +@@ -136,7 +139,7 @@ spec: - name: MONGODB_PORT_NUMBER value: {{ $.Values.common.containerPorts.mongodb | quote }} - name: MONGODB_CFG_PRIMARY_HOST 
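Review bot: The regenerated mongos-dep-sts.patch now carries `+++ - /bin/bash` and `+++ - /entrypoint/mongos-entrypoint.sh` where the previous version read `-+ - /bin/bash` (one `+` for the outer diff, one for the inner); if that is not a rendering artifact of this listing, the inner patch adds lines that begin with a literal `+`, which would render a mongos container spec that is not valid YAML, and a line starting with `+++` inside a hunk is also easy for patch tooling to mistake for a file header. Verify by applying the full patch set to a freshly fetched 7.9.1 chart and diffing the result against the committed templates (the committed template earlier in this series shows these lines without the extra `+`). Given that these `.patch` files are maintained by hand against a vendored chart, a short README in the patches directory stating how they are regenerated and checked would make this kind of drift easier to catch.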
@@ -21,22 +21,22 @@ index 73890420..e7fd18a6 100644 - name: MONGODB_CFG_REPLICA_SET_NAME value: {{ include "mongodb-sharded.configServer.rsName" . }} - name: MONGODB_SYSTEM_LOG_VERBOSITY -@@ -230,6 +233,8 @@ spec: +@@ -233,6 +236,8 @@ spec: lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.mongos.lifecycleHooks "context" $) | nindent 12 }} {{- end }} volumeMounts: + - name: replicaset-entrypoint-configmap + mountPath: /entrypoint - {{- if .Values.auth.usePasswordFile }} - - name: secrets - mountPath: /bitnami/mongodb/secrets/ -@@ -323,6 +328,9 @@ spec: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir +@@ -349,6 +354,9 @@ spec: {{- include "common.tplvalues.render" ( dict "value" . "context" $ ) | nindent 8 }} {{- end }} volumes: + - name: replicaset-entrypoint-configmap + configMap: + name: {{ include "common.names.fullname" . }}-replicaset-entrypoint + - name: empty-dir + emptyDir: {} {{- if .Values.auth.usePasswordFile }} - - name: secrets - secret: diff --git a/solution-base/mongodb/patches/replicaset-entrypoint-configmap.patch b/solution-base/mongodb/patches/replicaset-entrypoint-configmap.patch index ed7b4fbfee..8329e1e9bc 100644 --- a/solution-base/mongodb/patches/replicaset-entrypoint-configmap.patch +++ b/solution-base/mongodb/patches/replicaset-entrypoint-configmap.patch @@ -1,25 +1,22 @@ diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/replicaset-entrypoint-configmap.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/replicaset-entrypoint-configmap.yaml -index 0427ec0c..763dc446 100644 +index 0427ec0c..dde278bd 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/replicaset-entrypoint-configmap.yaml 
+++ b/solution-base/mongodb/charts/mongodb-sharded/templates/replicaset-entrypoint-configmap.yaml -@@ -13,6 +13,16 @@ metadata: +@@ -13,6 +13,13 @@ metadata: annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} data: + mongos-entrypoint.sh: |- + #!/bin/bash -+ + . /liblog.sh -+ + # Disable MongoSH telemetry to support offline deployments + mongosh --nodb --eval "disableTelemetry()" + info "MongoDB Telemetry is now disabled." -+ + exec /entrypoint.sh /run.sh replicaset-entrypoint.sh: |- #!/bin/bash -@@ -36,4 +46,8 @@ data: +@@ -36,4 +43,8 @@ data: {{- end }} fi diff --git a/solution-base/mongodb/patches/secret-name.patch b/solution-base/mongodb/patches/secret-name.patch index 380e3fac4a..d0428af127 100644 --- a/solution-base/mongodb/patches/secret-name.patch +++ b/solution-base/mongodb/patches/secret-name.patch @@ -1,8 +1,8 @@ diff --git a/solution-base/mongodb/charts/mongodb-sharded/values.yaml b/solution-base/mongodb/charts/mongodb-sharded/values.yaml -index 368576d2..5c2d39f0 100644 +index 83f60e80..bb4607cf 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/values.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/values.yaml -@@ -118,7 +118,7 @@ auth: +@@ -123,7 +123,7 @@ auth: ## @param auth.existingSecret Existing secret with MongoDB(®) credentials (keys: `mongodb-password`, `mongodb-root-password`, `mongodb-replica-set-key`) ## NOTE: When it's set the previous parameters are ignored. ## diff --git a/solution-base/mongodb/patches/statefulset-permissions.patch b/solution-base/mongodb/patches/statefulset-permissions.patch index 8253e1beca..362eae9b73 100644 --- a/solution-base/mongodb/patches/statefulset-permissions.patch +++ b/solution-base/mongodb/patches/statefulset-permissions.patch @@ -1,8 +1,8 @@ 
diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml -index 6a45fed9..ca78c8ae 100644 +index 87057f69..202a5a30 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/config-server/config-server-statefulset.yaml -@@ -77,14 +77,7 @@ spec: +@@ -78,14 +78,7 @@ spec: - name: volume-permissions image: {{ include "mongodb-sharded.volumePermissions.image" . }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} @@ -17,12 +17,12 @@ index 6a45fed9..ca78c8ae 100644 + command: ["chown", "-R", "{{ .Values.configsvr.containerSecurityContext.runAsUser }}:{{ .Values.configsvr.podSecurityContext.fsGroup }}", "{{ .Values.configsvr.persistence.mountPath }}"] securityContext: runAsUser: 0 - resources: {{ toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- if .Values.volumePermissions.resources }} diff --git a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml -index 3827a7de..8a97e555 100644 +index 89883c12..0e6ed5a0 100644 --- a/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml +++ b/solution-base/mongodb/charts/mongodb-sharded/templates/shard/shard-data-statefulset.yaml -@@ -80,14 +80,7 @@ spec: +@@ -81,14 +81,7 @@ spec: - name: volume-permissions image: {{ include "mongodb-sharded.volumePermissions.image" $ }} imagePullPolicy: {{ $.Values.volumePermissions.image.pullPolicy | quote }} 
@@ -37,4 +37,4 @@ index 3827a7de..8a97e555 100644 + command: ["chown", "-R", "{{ $.Values.shardsvr.dataNode.containerSecurityContext.runAsUser }}:{{ $.Values.shardsvr.dataNode.podSecurityContext.fsGroup }}", "{{ $.Values.shardsvr.persistence.mountPath }}"] securityContext: runAsUser: 0 - resources: {{ toYaml $.Values.volumePermissions.resources | nindent 12 }} + {{- if $.Values.volumePermissions.resources }}