From 5e51e7db37d6a049e131b6144b25ae6383de1177 Mon Sep 17 00:00:00 2001 From: nscuro Date: Mon, 26 Aug 2024 21:53:43 +0200 Subject: [PATCH] Add initializer job for hyades Introduces a `Job` that executes in the `post-install` and `post-upgrade` phases of a Helm deployment. The job executes initialization tasks and exits. Pods that depend on successful execution of the job will wait for it, using new init containers. Since this waiting requires interacting with the Kubernetes API, pods will need `get`, `list`, and `watch` permissions on the `batch/jobs` resource. Creation of a `Role` with those permissions can be enabled. This new functionality is disabled by default for now. The plan is to enable it per default once it's thoroughly tested, and we are confident it's the best way forward. Depends on https://github.com/DependencyTrack/hyades-apiserver/pull/873 Closes #136 Signed-off-by: nscuro --- charts/hyades/ci/test-initializer-values.yaml | 182 ++++++++++++++++++ charts/hyades/ci/test-values.yaml | 24 +-- .../test-vulnanalyzer-statefulset-values.yaml | 24 +-- charts/hyades/templates/_helpers.tpl | 86 +++++++++ .../templates/api-server/deployment.yaml | 11 +- charts/hyades/templates/initializer/job.yaml | 81 ++++++++ charts/hyades/templates/initializer/role.yaml | 18 ++ .../templates/initializer/rolebinding.yaml | 17 ++ .../templates/mirror-service/deployment.yaml | 3 + .../notification-publisher/deployment.yaml | 3 + .../repo-meta-analyzer/deployment.yaml | 3 + .../templates/vuln-analyzer/deployment.yaml | 3 + .../templates/vuln-analyzer/statefulset.yaml | 3 + charts/hyades/values.schema.json | 73 +++++++ charts/hyades/values.yaml | 41 +++- 15 files changed, 531 insertions(+), 41 deletions(-) create mode 100644 charts/hyades/ci/test-initializer-values.yaml create mode 100644 charts/hyades/templates/initializer/job.yaml create mode 100644 charts/hyades/templates/initializer/role.yaml create mode 100644 charts/hyades/templates/initializer/rolebinding.yaml 
diff --git a/charts/hyades/ci/test-initializer-values.yaml b/charts/hyades/ci/test-initializer-values.yaml
new file mode 100644
index 0000000..29073c2
--- /dev/null
+++ b/charts/hyades/ci/test-initializer-values.yaml
@@ -0,0 +1,182 @@
+common:
+ database:
+ jdbcUrl: "jdbc:postgresql://postgres.{{ .Release.Namespace }}.svc.cluster.local:5432/dtrack"
+ username: "dtrack"
+ password: "dtrack"
+ kafka:
+ bootstrapServers: "redpanda.{{ .Release.Namespace }}.svc.cluster.local:9092"
+ secretKey:
+ createSecret: true
+ serviceAccount:
+ automount: true
+
+apiServer:
+ resources:
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ limits:
+ cpu: "2"
+ memory: 512Mi
+
+initializer:
+ enabled: true
+ # chart-testing executes `helm install` with `--wait` flag,
+ # causing post-install hooks to never run.
+ # See https://github.com/helm/chart-testing/issues/202.
+ noHelmHook: true
+
+mirrorService:
+ resources: &hyadesResources
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 500m
+ memory: 256Mi
+
+repoMetaAnalyzer:
+ resources: *hyadesResources
+
+vulnAnalyzer:
+ resources: *hyadesResources
+
+extraObjects:
+- apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: postgres
+ namespace: "{{ .Release.Namespace }}"
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: "{{ .Release.Name }}"
+ app.kubernetes.io/name: "{{ printf \"%s-postgres\" (include \"hyades.name\" .) }}"
+ app.kubernetes.io/component: postgres
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: "{{ .Release.Name }}"
+ app.kubernetes.io/name: "{{ printf \"%s-postgres\" (include \"hyades.name\" .) }}"
+ app.kubernetes.io/component: postgres
+ spec:
+ containers:
+ - name: postgres
+ image: postgres:16-alpine
+ env:
+ - name: POSTGRES_DB
+ value: dtrack
+ - name: POSTGRES_USER
+ value: dtrack
+ - name: POSTGRES_PASSWORD
+ value: dtrack
+ ports:
+ - name: postgres
+ containerPort: 5432
+ protocol: TCP
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: postgres
+ namespace: "{{ .Release.Namespace }}"
+ labels:
+ app.kubernetes.io/instance: "{{ .Release.Name }}"
+ app.kubernetes.io/name: "{{ printf \"%s-postgres\" (include \"hyades.name\" .)
}}"
+ app.kubernetes.io/component: postgres
+ spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/instance: "{{ .Release.Name }}"
+ app.kubernetes.io/name: "{{ printf \"%s-postgres\" (include \"hyades.name\" .) }}"
+ app.kubernetes.io/component: postgres
+ ports:
+ - port: 5432
+ targetPort: 5432
+- apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: redpanda
+ namespace: "{{ .Release.Namespace }}"
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: "{{ .Release.Name }}"
+ app.kubernetes.io/name: "{{ printf \"%s-redpanda\" (include \"hyades.name\" .) }}"
+ app.kubernetes.io/component: redpanda
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: "{{ .Release.Name }}"
+ app.kubernetes.io/name: "{{ printf \"%s-redpanda\" (include \"hyades.name\" .) }}"
+ app.kubernetes.io/component: redpanda
+ spec:
+ containers:
+ - name: redpanda
+ image: docker.redpanda.com/vectorized/redpanda:v24.1.7
+ args:
+ - redpanda
+ - start
+ - --smp
+ - '1'
+ - --reserve-memory
+ - 0M
+ - --memory
+ - 512M
+ - --overprovisioned
+ - --node-id
+ - '0'
+ - --kafka-addr
+ - PLAINTEXT://0.0.0.0:9092
+ - --advertise-kafka-addr
+ - PLAINTEXT://redpanda.{{ .Release.Namespace }}.svc.cluster.local:9092
+ ports:
+ - name: kafka-api
+ containerPort: 9092
+ protocol: TCP
+ - name: redpanda-admin
+ containerPort: 9644
+ protocol: TCP
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: redpanda
+ namespace: "{{ .Release.Namespace }}"
+ labels:
+ app.kubernetes.io/instance: "{{ .Release.Name }}"
+ app.kubernetes.io/name: "{{ printf \"%s-redpanda\" (include \"hyades.name\" .) }}"
+ app.kubernetes.io/component: redpanda
+ spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/instance: "{{ .Release.Name }}"
+ app.kubernetes.io/name: "{{ printf \"%s-redpanda\" (include \"hyades.name\" .)
}}" + app.kubernetes.io/component: redpanda + ports: + - name: kafka-api + port: 9092 + targetPort: 9092 + - name: redpanda-admin + port: 9644 + targetPort: 9644 +- apiVersion: batch/v1 + kind: Job + metadata: + name: redpanda-init + namespace: "{{ .Release.Namespace }}" + spec: + template: + spec: + containers: + - name: redpanda + image: docker.redpanda.com/vectorized/redpanda:v24.1.7 + command: + - /bin/bash + args: + - -c + - bash <(curl -s https://raw.githubusercontent.com/DependencyTrack/hyades/main/scripts/create-topics.sh) + env: + - name: REDPANDA_BROKERS + value: "redpanda.{{ .Release.Namespace }}.svc.cluster.local:9092" + restartPolicy: OnFailure diff --git a/charts/hyades/ci/test-values.yaml b/charts/hyades/ci/test-values.yaml index 491c675..1473067 100644 --- a/charts/hyades/ci/test-values.yaml +++ b/charts/hyades/ci/test-values.yaml @@ -11,38 +11,26 @@ common: apiServer: resources: requests: - cpu: 500m + cpu: 100m memory: 512Mi limits: - cpu: 500m + cpu: "2" memory: 512Mi mirrorService: - resources: + resources: &hyadesResources requests: - cpu: 500m + cpu: 100m memory: 256Mi limits: cpu: 500m memory: 256Mi repoMetaAnalyzer: - resources: - requests: - cpu: 500m - memory: 256Mi - limits: - cpu: 500m - memory: 256Mi + resources: *hyadesResources vulnAnalyzer: - resources: - requests: - cpu: 500m - memory: 256Mi - limits: - cpu: 500m - memory: 256Mi + resources: *hyadesResources extraObjects: - apiVersion: apps/v1 diff --git a/charts/hyades/ci/test-vulnanalyzer-statefulset-values.yaml b/charts/hyades/ci/test-vulnanalyzer-statefulset-values.yaml index 2a6e40d..efa881d 100644 --- a/charts/hyades/ci/test-vulnanalyzer-statefulset-values.yaml +++ b/charts/hyades/ci/test-vulnanalyzer-statefulset-values.yaml 
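Review bot: The `redpanda-init` Job at the end of ci/test-initializer-values.yaml runs `bash <(curl -s https://raw.githubusercontent.com/DependencyTrack/hyades/main/scripts/create-topics.sh)`, so each CI run executes whatever is on the `main` branch at that moment. Pinning the URL to a commit (`.../hyades/<commit-sha>/scripts/create-topics.sh`) and using `curl -fsSL` would make the test reproducible and keep an HTTP error page from being handed to bash. The other CI values files may already use the same command; their `extraObjects` sections are not visible in this diff.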
@@ -11,39 +11,27 @@ common: apiServer: resources: requests: - cpu: 500m + cpu: 100m memory: 512Mi limits: - cpu: 500m + cpu: "2" memory: 512Mi mirrorService: - resources: + resources: &hyadesResources requests: - cpu: 500m + cpu: 100m memory: 256Mi limits: cpu: 500m memory: 256Mi repoMetaAnalyzer: - resources: - requests: - cpu: 500m - memory: 256Mi - limits: - cpu: 500m - memory: 256Mi + resources: *hyadesResources vulnAnalyzer: useStatefulSet: true - resources: - requests: - cpu: 500m - memory: 256Mi - limits: - cpu: 500m - memory: 256Mi + resources: *hyadesResources persistentVolume: enabled: true extraEnv: diff --git a/charts/hyades/templates/_helpers.tpl b/charts/hyades/templates/_helpers.tpl index e881631..f368328 100644 --- a/charts/hyades/templates/_helpers.tpl +++ b/charts/hyades/templates/_helpers.tpl 
@@ -91,6 +91,92 @@ API server image {{- end -}} +{{/* +Initializer labels +*/}} +{{- define "hyades.initializerLabels" -}} +{{ include "hyades.commonLabels" . }} +{{ include "hyades.initializerSelectorLabels" . }} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} + +{{/* +Initializer selector labels +*/}} +{{- define "hyades.initializerSelectorLabels" -}} +{{ include "hyades.commonSelectorLabels" . }} +app.kubernetes.io/name: {{ printf "%s-initializer" (include "hyades.name" .) }} +app.kubernetes.io/component: initializer +{{- end -}} + +{{/* +Initializer name +*/}} +{{- define "hyades.initializerName" -}} +{{- printf "%s-initializer" (include "hyades.name" .) -}} +{{- end -}} + +{{/* +Initializer fully qualified name +*/}} +{{- define "hyades.initializerFullname" -}} +{{- printf "%s-initializer" (include "hyades.fullname" .) -}} +{{- end -}} + +{{/* +Initializer image +*/}} +{{- define "hyades.initializerImage" -}} +{{- if eq (substr 0 7 .Values.initializer.image.tag) "sha256:" -}} +{{- printf "%s/%s@%s" (.Values.initializer.image.registry | default .Values.common.image.registry) .Values.initializer.image.repository .Values.initializer.image.tag -}} +{{- else -}} +{{- printf "%s/%s:%s" (.Values.initializer.image.registry | default .Values.common.image.registry) .Values.initializer.image.repository (.Values.initializer.image.tag | default .Chart.AppVersion) -}} +{{- end -}} +{{- end -}} + + +{{/* +Initializer waiter name +*/}} +{{- define "hyades.initializerWaiterName" -}} +{{- printf "%s-waiter" (include "hyades.initializerName" .) -}} +{{- end -}} + +{{/* +Initializer waiter fully qualified name +*/}} +{{- define "hyades.initializerWaiterFullname" -}} +{{- printf "%s-waiter" (include "hyades.initializerFullname" .) 
-}} +{{- end -}} + +{{/* +Initializer waiter image +*/}} +{{- define "hyades.initializerWaiterImage" -}} +{{- if eq (substr 0 7 .Values.initializer.waiter.image.tag) "sha256:" -}} +{{- printf "%s/%s@%s" (.Values.initializer.waiter.image.registry | default .Values.common.image.registry) .Values.initializer.waiter.image.repository .Values.initializer.waiter.image.tag -}} +{{- else -}} +{{- printf "%s/%s:%s" (.Values.initializer.waiter.image.registry | default .Values.common.image.registry) .Values.initializer.waiter.image.repository (.Values.initializer.waiter.image.tag | default .Chart.AppVersion) -}} +{{- end -}} +{{- end -}} + +{{/* +Initializer waiter container +*/}} +{{- define "hyades.initializerWaiterContainer" -}} +name: {{ include "hyades.initializerWaiterName" . }} +image: {{ include "hyades.initializerWaiterImage" . }} +imagePullPolicy: {{ .Values.initializer.waiter.image.pullPolicy }} +args: +- wait +- --for +- condition=complete +- --timeout +- "5m" +- job/{{ include "hyades.initializerFullname" . }} +{{- end -}} + + {{/* Frontend labels */}} diff --git a/charts/hyades/templates/api-server/deployment.yaml b/charts/hyades/templates/api-server/deployment.yaml index 9c05dd6..bd49575 100644 --- a/charts/hyades/templates/api-server/deployment.yaml +++ b/charts/hyades/templates/api-server/deployment.yaml @@ -24,6 +24,9 @@ spec: imagePullSecrets: {{- toYaml . | nindent 6 }} {{- end }} initContainers: + {{- if .Values.initializer.enabled }} + - {{ include "hyades.initializerWaiterContainer" . | nindent 8 }} + {{- end }} {{- with .Values.apiServer.initContainers }} {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} @@ -48,10 +51,6 @@ spec: - name: ALPINE_SECRET_KEY_PATH value: "/var/run/secrets/secret.key" {{- end }} - - name: ALPINE_DATABASE_MODE - value: "external" - - name: ALPINE_DATABASE_DRIVER - value: "org.postgresql.Driver" {{- with .Values.common.database.jdbcUrl }} - name: ALPINE_DATABASE_URL value: {{ tpl . $ | quote }} 
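Review bot: `hyades.initializerWaiterContainer` in _helpers.tpl renders only `name`, `image`, `imagePullPolicy` and `args`, so the init container added to every workload has no `securityContext` and no `resources`, unlike the initializer container in job.yaml, which takes both from values. In namespaces that enforce a restricted Pod Security level these pods could be rejected, and the waiter is the container that actually uses the service account token. Consider adding `securityContext: {{- toYaml .Values.initializer.waiter.securityContext | nindent 2 }}` and a matching `resources` key, with the values and schema entries to go with them. Separately, `hyades.initializerWaiterImage` falls back to `.Chart.AppVersion` when the tag is empty, which is the application version rather than a kubectl tag; wrapping the waiter tag in `required` looks safer.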
@@ -64,6 +63,10 @@ spec: - name: ALPINE_DATABASE_PASSWORD value: {{ . | quote }} {{- end }} + {{- if .Values.initializer.enabled }} + - name: INIT_TASKS_ENABLED + value: "false" + {{- end }} - name: KAFKA_BOOTSTRAP_SERVERS value: {{ tpl .Values.common.kafka.bootstrapServers $ | quote }} {{- with .Values.common.kafka.topicPrefix }} diff --git a/charts/hyades/templates/initializer/job.yaml b/charts/hyades/templates/initializer/job.yaml new file mode 100644 index 0000000..dc53c02 --- /dev/null +++ b/charts/hyades/templates/initializer/job.yaml 
@@ -0,0 +1,81 @@
+{{- if .Values.initializer.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "hyades.initializerFullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "hyades.initializerLabels" . | nindent 4 }}
+ {{- if not .Values.initializer.noHelmHook }}
+ annotations:
+ "helm.sh/hook": "post-install, post-upgrade"
+ "helm.sh/hook-delete-policy": "before-hook-creation"
+ {{- end }}
+spec:
+ template:
+ metadata:
+ labels: {{- include "hyades.initializerSelectorLabels" . | nindent 8 }}
+ {{- with .Values.initializer.annotations }}
+ annotations: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ restartPolicy: Never
+ serviceAccountName: {{ include "hyades.serviceAccountName" . }}
+ containers:
+ - name: {{ include "hyades.initializerName" . }}
+ image: {{ include "hyades.initializerImage" . }}
+ imagePullPolicy: {{ .Values.initializer.image.pullPolicy }}
+ securityContext: {{ toYaml .Values.initializer.securityContext | nindent 10 }}
+ {{- with .Values.initializer.command }}
+ command: {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.initializer.args }}
+ args: {{ toYaml . | nindent 8 }}
+ {{- end }}
+ resources: {{- toYaml .Values.initializer.resources | nindent 10 }}
+ env:
+ # Clear the defaults for garbage collector and heap size that we set in the API server's Dockerfile.
+ # Let the JVM deal with configuring itself appropriately for the available resources.
+ - name: JAVA_OPTIONS
+ value: ""
+ - name: INIT_TASKS_ENABLED
+ value: "true"
+ - name: INIT_AND_EXIT
+ value: "true"
+ - name: ALPINE_DATABASE_POOL_ENABLED
+ value: "false"
+ {{- with .Values.common.database.jdbcUrl }}
+ - name: ALPINE_DATABASE_URL
+ value: {{ tpl . $ | quote }}
+ {{- end}}
+ {{- with .Values.common.database.username }}
+ - name: ALPINE_DATABASE_USERNAME
+ value: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.common.database.password }}
+ - name: ALPINE_DATABASE_PASSWORD
+ value: {{ .
| quote }}
+ {{- end }}
+ {{- with .Values.initializer.extraEnv }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.initializer.extraEnvFrom }}
+ envFrom: {{ toYaml . | nindent 8 }}
+ {{- end }}
+ volumeMounts:
+ - name: tmp
+ subPath: data
+ mountPath: /data
+ - name: tmp
+ subPath: tmp
+ mountPath: /tmp
+ {{- with .Values.initializer.tolerations }}
+ tolerations: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.initializer.nodeSelector }}
+ nodeSelector: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: tmp
+ emptyDir: {}
+{{- end }}
\ No newline at end of file
diff --git a/charts/hyades/templates/initializer/role.yaml b/charts/hyades/templates/initializer/role.yaml
new file mode 100644
index 0000000..453b559
--- /dev/null
+++ b/charts/hyades/templates/initializer/role.yaml
@@ -0,0 +1,18 @@
+{{- if and .Values.initializer.enabled .Values.initializer.waiter.createRole }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "hyades.initializerWaiterFullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "hyades.commonLabels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
\ No newline at end of file
diff --git a/charts/hyades/templates/initializer/rolebinding.yaml b/charts/hyades/templates/initializer/rolebinding.yaml
new file mode 100644
index 0000000..88b9505
--- /dev/null
+++ b/charts/hyades/templates/initializer/rolebinding.yaml
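Review bot: In initializer/job.yaml, `ALPINE_DATABASE_PASSWORD` is rendered as a literal `value:` in the Job's pod template, so the database password is readable by anything that can `get` the Job, and the Role added in this same commit grants that on `batch/jobs` to the chart's service account. Sourcing it through `valueFrom.secretKeyRef`, or only through `initializer.extraEnvFrom`, keeps the credential out of the object spec. Also, the Job name is fixed and the hook delete policy is `before-hook-creation`, so during `helm upgrade` the completed Job from the previous release presumably still exists when the new pods' waiter runs, and `kubectl wait --for condition=complete` would pass before the new initializer has run. Including `.Release.Revision` in the Job name is one way to avoid that.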
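Review bot: The rule in initializer/role.yaml grants `get`, `list` and `watch` on every Job in the namespace, while the waiter only ever addresses `job/{{ include "hyades.initializerFullname" . }}`. Adding `resourceNames:` with that single name under the rule would narrow the grant to the initializer Job; `list` and `watch` only honour `resourceNames` when the request carries a `metadata.name` field selector, so this should be verified against the kubectl version in the waiter image. The RoleBinding in rolebinding.yaml binds to `hyades.serviceAccountName`, so every pod running under that service account receives the permission, not only the ones with the waiter.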
@@ -0,0 +1,17 @@ +{{- if and .Values.initializer.enabled .Values.initializer.waiter.createRole }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "hyades.initializerWaiterFullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "hyades.commonLabels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "hyades.initializerWaiterFullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "hyades.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hyades/templates/mirror-service/deployment.yaml b/charts/hyades/templates/mirror-service/deployment.yaml index 6a65dd3..ab2d735 100644 --- a/charts/hyades/templates/mirror-service/deployment.yaml +++ b/charts/hyades/templates/mirror-service/deployment.yaml @@ -24,6 +24,9 @@ spec: imagePullSecrets: {{- toYaml . | nindent 6 }} {{- end }} initContainers: + {{- if .Values.initializer.enabled }} + - {{ include "hyades.initializerWaiterContainer" . | nindent 8 }} + {{- end }} {{- with .Values.mirrorService.initContainers }} {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} diff --git a/charts/hyades/templates/notification-publisher/deployment.yaml b/charts/hyades/templates/notification-publisher/deployment.yaml index 995df48..644ffb1 100644 --- a/charts/hyades/templates/notification-publisher/deployment.yaml +++ b/charts/hyades/templates/notification-publisher/deployment.yaml @@ -24,6 +24,9 @@ spec: imagePullSecrets: {{- toYaml . | nindent 6 }} {{- end }} initContainers: + {{- if .Values.initializer.enabled }} + - {{ include "hyades.initializerWaiterContainer" . | nindent 8 }} + {{- end }} {{- with .Values.notificationPublisher.initContainers }} {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} 
diff --git a/charts/hyades/templates/repo-meta-analyzer/deployment.yaml b/charts/hyades/templates/repo-meta-analyzer/deployment.yaml index 550853b..9901f33 100644 --- a/charts/hyades/templates/repo-meta-analyzer/deployment.yaml +++ b/charts/hyades/templates/repo-meta-analyzer/deployment.yaml @@ -24,6 +24,9 @@ spec: imagePullSecrets: {{- toYaml . | nindent 6 }} {{- end }} initContainers: + {{- if .Values.initializer.enabled }} + - {{ include "hyades.initializerWaiterContainer" . | nindent 8 }} + {{- end }} {{- with .Values.repoMetaAnalyzer.initContainers }} {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} diff --git a/charts/hyades/templates/vuln-analyzer/deployment.yaml b/charts/hyades/templates/vuln-analyzer/deployment.yaml index 7be9a0c..63d21d4 100644 --- a/charts/hyades/templates/vuln-analyzer/deployment.yaml +++ b/charts/hyades/templates/vuln-analyzer/deployment.yaml @@ -24,6 +24,9 @@ spec: imagePullSecrets: {{- toYaml . | nindent 6 }} {{- end }} initContainers: + {{- if .Values.initializer.enabled }} + - {{ include "hyades.initializerWaiterContainer" . | nindent 8 }} + {{- end }} {{- with .Values.notificationPublisher.initContainers }} {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} diff --git a/charts/hyades/templates/vuln-analyzer/statefulset.yaml b/charts/hyades/templates/vuln-analyzer/statefulset.yaml index fb1a6a2..f3b554f 100644 --- a/charts/hyades/templates/vuln-analyzer/statefulset.yaml +++ b/charts/hyades/templates/vuln-analyzer/statefulset.yaml @@ -25,6 +25,9 @@ spec: imagePullSecrets: {{- toYaml . | nindent 6 }} {{- end }} initContainers: + {{- if .Values.initializer.enabled }} + - {{ include "hyades.initializerWaiterContainer" . | nindent 8 }} + {{- end }} {{- with .Values.notificationPublisher.initContainers }} {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} diff --git a/charts/hyades/values.schema.json b/charts/hyades/values.schema.json index 7302ce0..95a930b 100644 --- a/charts/hyades/values.schema.json +++ b/charts/hyades/values.schema.json 
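Review bot: In vuln-analyzer/deployment.yaml the line directly below the added waiter block still reads `{{- with .Values.notificationPublisher.initContainers }}`, so the vuln-analyzer pods pick up the notification publisher's user-supplied init containers rather than their own. Since the commit touches this `initContainers:` list anyway, it would be a good moment to change it to `.Values.vulnAnalyzer.initContainers`; the same context line appears in the vuln-analyzer/statefulset.yaml hunk. This assumes a `vulnAnalyzer.initContainers` value exists, which is not visible in the diff.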
@@ -111,6 +111,9 @@ "resources": { "$ref": "#/$defs/resources" }, + "securityContext": { + "type": "object" + }, "extraEnv": { "$ref": "#/$defs/objectArray" }, @@ -146,6 +149,61 @@ } } }, + "initializer": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": "object" + }, + "image": { + "$ref": "#/$defs/image" + }, + "command": { + "type": "array", + "items": { + "type": "string" + } + }, + "args": { + "type": "array", + "items": { + "type": "string" + } + }, + "resources": { + "$ref": "#/$defs/resources" + }, + "securityContext": { + "type": "object" + }, + "extraEnv": { + "$ref": "#/$defs/objectArray" + }, + "extraEnvFrom": { + "$ref": "#/$defs/objectArray" + }, + "tolerations": { + "$ref": "#/$defs/objectArray" + }, + "nodeSelector": { + "type": "object" + }, + "waiter": { + "type": "object", + "properties": { + "image": { + "$ref": "#/$defs/image" + }, + "createRole": { + "type": "boolean" + } + } + } + } + }, "frontend": { "type": "object", "properties": { @@ -176,6 +234,9 @@ "resources": { "$ref": "#/$defs/resources" }, + "securityContext": { + "type": "object" + }, "extraEnv": { "$ref": "#/$defs/objectArray" }, @@ -243,6 +304,9 @@ "resources": { "$ref": "#/$defs/resources" }, + "securityContext": { + "type": "object" + }, "extraEnv": { "$ref": "#/$defs/objectArray" }, @@ -302,6 +366,9 @@ "resources": { "$ref": "#/$defs/resources" }, + "securityContext": { + "type": "object" + }, "extraEnv": { "$ref": "#/$defs/objectArray" }, @@ -361,6 +428,9 @@ "resources": { "$ref": "#/$defs/resources" }, + "securityContext": { + "type": "object" + }, "extraEnv": { "$ref": "#/$defs/objectArray" }, @@ -423,6 +493,9 @@ "resources": { "$ref": "#/$defs/resources" }, + "securityContext": { + "type": "object" + }, "persistentVolume":{ "type": "object", "properties": { diff --git a/charts/hyades/values.yaml b/charts/hyades/values.yaml index 7bc5558..b22c8e6 100644 --- a/charts/hyades/values.yaml +++ b/charts/hyades/values.yaml 
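Review bot: The new `initializer` object in values.schema.json does not declare `noHelmHook`, although values.yaml and ci/test-initializer-values.yaml both set it, so its type is never validated before `if not .Values.initializer.noHelmHook` evaluates it in job.yaml. Adding `"noHelmHook": { "type": "boolean" }` next to `enabled` closes that gap. Whether unknown keys are rejected elsewhere depends on schema settings outside this hunk.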
@@ -30,7 +30,7 @@ apiServer: enabled: true replicaCount: 1 annotations: {} - image: + image: &apiServerImage # -- Override common.image.registry for the API server. registry: "" repository: dependencytrack/hyades-apiserver @@ -114,6 +114,45 @@ apiServer: tolerations: [] nodeSelector: {} +initializer: + # -- Whether to enable the initializer Job. + # When enabled, an init container will be added to all + # deployments that require database access. + # The init container will wait for the initializer Job to complete. + # Requires the service account token to be mounted. + enabled: false + # -- Whether to NOT deploy the initializer Job as `post-install` and `post-upgrade` + # Helm hook. Deploying as Helm hook can create deadlock situations when `helm install` + # and `helm upgrade` are executed with `--wait` flag. See . + # Note that without hooks, `helm upgrade` may fail due to Job fields being immutable. + noHelmHook: false + annotations: {} + image: *apiServerImage + command: [] + args: [] + resources: + requests: + cpu: 150m + memory: 256Mi + limits: + cpu: 500m + memory: 256Mi + # -- Security context of the Container. + securityContext: *hyadesSecurityContext + extraEnv: [] + extraEnvFrom: [] + tolerations: [] + nodeSelector: {} + waiter: + image: + registry: "docker.io" + repository: bitnami/kubectl + tag: latest + pullPolicy: Always + # -- Whether to create a Role with permissions to + # wait for Job completion, and bind it to the ServiceAccount. + createRole: true + frontend: # -- Whether the frontend shall be deployed. enabled: true
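Review bot: The waiter image defaults to `bitnami/kubectl` with `tag: latest` and `pullPolicy: Always`, so every workload pod pulls a mutable tag into a container that runs with the service account token. A pinned kubectl version or a `sha256:` digest, which the image helper already supports, would make deployments reproducible and limit exposure to a changed upstream tag. Note also that `image: *apiServerImage` is resolved when values.yaml is parsed, so a user override of `apiServer.image.tag` in their own values file would presumably not carry over to the initializer, and the two could run different versions. A comment stating that both must be overridden together would help.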