diff --git a/helm/dbrepo/Chart.lock b/helm/dbrepo/Chart.lock
index 1dca92612fdef3f2c5e5b3b0163b664b18d01d82..edc00037f5219098a25e16c6cf978acc92b62c2e 100644
--- a/helm/dbrepo/Chart.lock
+++ b/helm/dbrepo/Chart.lock
@@ -7,18 +7,15 @@ dependencies:
   version: 21.6.1
 - name: mariadb
   repository: https://charts.bitnami.com/bitnami
-  version: 14.1.4
+  version: 19.0.3
 - name: mariadb-galera
   repository: https://charts.bitnami.com/bitnami
-  version: 10.1.3
+  version: 13.2.3
 - name: rabbitmq
   repository: https://charts.bitnami.com/bitnami
-  version: 14.0.0
-- name: tusd
-  repository: https://charts.sagikazarmark.dev
-  version: 0.1.2
+  version: 14.4.2
 - name: openldap-stack-ha
   repository: https://jp-gouin.github.io/helm-openldap/
   version: 4.2.5
-digest: sha256:d22946b1f2caf2daabe045afe08a892d609a9ed1e4c12d6dbf70014f3272aedc
-generated: "2024-07-30T21:10:24.891252492+02:00"
+digest: sha256:0e5b13ddfd50c6d7b22de57db4b9c15401aa25c447b274567209083481a104f2
+generated: "2024-07-31T21:17:50.377126847+02:00"
diff --git a/helm/dbrepo/Chart.yaml b/helm/dbrepo/Chart.yaml
index 7b37d25f8a9009c4f7fea507ccae1745d1c822e6..f6a537ce7e48a4b6b12414e929471a5b829ea95d 100644
--- a/helm/dbrepo/Chart.yaml
+++ b/helm/dbrepo/Chart.yaml
@@ -28,24 +28,19 @@ dependencies:
     condition: authservice.enabled
   - name: mariadb
     alias: datadb
-    version: 14.1.4 # app version: 11.1.3
+    version: 19.0.3
     repository: https://charts.bitnami.com/bitnami
     condition: datadb.enabled
   - name: mariadb-galera
     alias: metadatadb
-    version: 10.1.3 # app version: 11.1.3
+    version: 13.2.3
     repository: https://charts.bitnami.com/bitnami
     condition: metadatadb.enabled
   - name: rabbitmq
     alias: brokerservice
-    version: 14.0.0
+    version: 14.4.2
     repository: https://charts.bitnami.com/bitnami
     condition: brokerservice.enabled
-  - name: tusd
-    alias: uploadservice
-    version: 0.1.2
-    repository: https://charts.sagikazarmark.dev
-    condition: uploadservice.enabled
   - name: openldap-stack-ha
     alias: identityservice
     version: 4.2.5
diff --git a/helm/dbrepo/charts/mariadb-14.1.4.tgz b/helm/dbrepo/charts/mariadb-14.1.4.tgz
deleted file mode 100644
index 83f470bdcade4fdfc13b0d1f4f46095b877e3bcd..0000000000000000000000000000000000000000
Binary files a/helm/dbrepo/charts/mariadb-14.1.4.tgz and /dev/null differ
diff --git a/helm/dbrepo/charts/mariadb-19.0.3.tgz b/helm/dbrepo/charts/mariadb-19.0.3.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..8de5085544fbe5098783b9149ff506bd72e0a60e
Binary files /dev/null and b/helm/dbrepo/charts/mariadb-19.0.3.tgz differ
diff --git a/helm/dbrepo/charts/mariadb-galera-10.1.3.tgz b/helm/dbrepo/charts/mariadb-galera-10.1.3.tgz
deleted file mode 100644
index c906aaf7634b20f0eaf9358b435b01086bdc4f55..0000000000000000000000000000000000000000
Binary files a/helm/dbrepo/charts/mariadb-galera-10.1.3.tgz and /dev/null differ
diff --git a/helm/dbrepo/charts/mariadb-galera-13.2.3.tgz b/helm/dbrepo/charts/mariadb-galera-13.2.3.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..01633c7fa452fd12b0eb071a2cdf448909272e46
Binary files /dev/null and b/helm/dbrepo/charts/mariadb-galera-13.2.3.tgz differ
diff --git a/helm/dbrepo/charts/rabbitmq-14.0.0.tgz b/helm/dbrepo/charts/rabbitmq-14.0.0.tgz
deleted file mode 100644
index 39ea3aaef2a94fe507a08242bbfe37209eb9fa53..0000000000000000000000000000000000000000
Binary files a/helm/dbrepo/charts/rabbitmq-14.0.0.tgz and /dev/null differ
diff --git a/helm/dbrepo/charts/rabbitmq-14.4.2.tgz b/helm/dbrepo/charts/rabbitmq-14.4.2.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..4527ae9df492f94a489938db7881faf8fb145296
Binary files /dev/null and b/helm/dbrepo/charts/rabbitmq-14.4.2.tgz differ
diff --git a/helm/dbrepo/charts/tusd-0.1.2.tgz b/helm/dbrepo/charts/tusd-0.1.2.tgz
deleted file mode 100644
index 61032d920f3e057c7826491088745b3087a01a79..0000000000000000000000000000000000000000
Binary files a/helm/dbrepo/charts/tusd-0.1.2.tgz and /dev/null differ
diff --git a/helm/dbrepo/templates/data-deployment.yaml b/helm/dbrepo/templates/data-deployment.yaml
index d46f6d6573e7b8703037bab3acf6fc9c63e31d59..ecfd391213423789ff1850c20cce2158a07a42fa 100644
--- a/helm/dbrepo/templates/data-deployment.yaml
+++ b/helm/dbrepo/templates/data-deployment.yaml
@@ -82,6 +82,8 @@ spec:
             periodSeconds: 30
           {{- if .Values.dataservice.resources }}
           resources: {{- toYaml .Values.dataservice.resources | nindent 12 }}
+          {{- else if .Values.resourcesWStorage }}
+          resources: {{- toYaml .Values.resourcesWStorage | nindent 12 }}
           {{- end }}
           volumeMounts: []
       volumes: []
diff --git a/helm/dbrepo/templates/metadata-deployment.yaml b/helm/dbrepo/templates/metadata-deployment.yaml
index f0f5b2eb3c4d137892294187ca14098d9f9f2e81..4254741ddd8d4ee5dc6d7b17a5d756a0dde2eee0 100644
--- a/helm/dbrepo/templates/metadata-deployment.yaml
+++ b/helm/dbrepo/templates/metadata-deployment.yaml
@@ -82,5 +82,7 @@ spec:
             periodSeconds: 30
           {{- if .Values.metadataservice.resources }}
           resources: {{- toYaml .Values.metadataservice.resources | nindent 12 }}
+          {{- else if .Values.resourcesWStorage }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
           {{- end }}
 {{- end }}
diff --git a/helm/dbrepo/templates/ui-deployment.yaml b/helm/dbrepo/templates/ui-deployment.yaml
index 64cea9bf103dd3c66446ba353528b9ddb96b42a7..4639e81dc6c590b2de88186be84f3655279ed295 100644
--- a/helm/dbrepo/templates/ui-deployment.yaml
+++ b/helm/dbrepo/templates/ui-deployment.yaml
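Review bot: In the metadata-deployment.yaml hunk the new else-branch tests `.Values.resourcesWStorage` but renders `.Values.resources`, so the metadata service never receives the ephemeral-storage requests/limits the condition implies, and an override that sets only `resourcesWStorage` leaves `resources:` rendered with no value (which Kubernetes accepts silently as "no limits"). The sibling hunk in data-deployment.yaml uses `resourcesWStorage` in both the condition and the body; make this one match: `resources: {{- toYaml .Values.resourcesWStorage | nindent 12 }}`. The container spec this sits in starts before the hunk's first line.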
@@ -40,87 +40,87 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-api-server
+                  key: NUXT_PUBLIC_API_SERVER
             - name: NUXT_PUBLIC_API_CLIENT
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-api-server
+                  key: NUXT_PUBLIC_API_CLIENT
             - name: NUXT_PUBLIC_TITLE
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-title
+                  key: NUXT_PUBLIC_TITLE
             - name: NUXT_PUBLIC_LOGO
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-logo
+                  key: NUXT_PUBLIC_LOGO
             - name: NUXT_PUBLIC_ICON
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-icon
+                  key: NUXT_PUBLIC_ICON
             - name: NUXT_PUBLIC_TOUCH
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-touch
+                  key: NUXT_PUBLIC_TOUCH
             - name: NUXT_PUBLIC_BROKER_HOST
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-broker-host
+                  key: NUXT_PUBLIC_BROKER_HOST
             - name: NUXT_PUBLIC_BROKER_PORT
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-broker-port
+                  key: NUXT_PUBLIC_BROKER_PORT
             - name: NUXT_PUBLIC_BROKER_EXTRA
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-broker-extra
+                  key: NUXT_PUBLIC_BROKER_EXTRA
             - name: NUXT_PUBLIC_DATABASE_EXTRA
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-database-extra
+                  key: NUXT_PUBLIC_DATABASE_EXTRA
             - name: NUXT_PUBLIC_LINKS_KEYCLOAK_HREF
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-links-keycloak-href
+                  key: NUXT_PUBLIC_LINKS_KEYCLOAK_HREF
             - name: NUXT_PUBLIC_LINKS_KEYCLOAK_TEXT
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-links-keycloak-text
+                  key: NUXT_PUBLIC_LINKS_KEYCLOAK_TEXT
             - name: NUXT_PUBLIC_LINKS_RABBITMQ_HREF
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-links-rabbitmq-href
+                  key: NUXT_PUBLIC_LINKS_RABBITMQ_HREF
             - name: NUXT_PUBLIC_LINKS_RABBITMQ_TEXT
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-links-rabbitmq-text
+                  key: NUXT_PUBLIC_LINKS_RABBITMQ_TEXT
             - name: NUXT_PUBLIC_PID_DEFAULT_PUBLISHER
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-pid-default-publisher
+                  key: NUXT_PUBLIC_PID_DEFAULT_PUBLISHER
             - name: NUXT_PUBLIC_DOI_ENABLED
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-doi-enabled
+                  key: NUXT_PUBLIC_DOI_ENABLED
             - name: NUXT_PUBLIC_DOI_ENDPOINT
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-doi-endpoint
+                  key: NUXT_PUBLIC_DOI_ENDPOINT
           volumeMounts:
           {{- if .Values.ui.extraVolumeMounts }}
           {{- .Values.ui.extraVolumeMounts | toYaml | nindent 12 }}
diff --git a/helm/dbrepo/templates/upload-deployment.yaml b/helm/dbrepo/templates/upload-deployment.yaml
index 0e757b14e9c7fe66ec0b56153149db383fd2b200..85e3fc7ca05450328c2fae95bccd352c9851a401 100644
--- a/helm/dbrepo/templates/upload-deployment.yaml
+++ b/helm/dbrepo/templates/upload-deployment.yaml
@@ -40,8 +40,7 @@ spec:
             capabilities:
               drop:
                 - ALL
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
       containers:
         - name: upload-service
           image: "{{ .Values.uploadservice.image.repository }}:{{ .Values.uploadservice.image.tag }}"
@@ -72,8 +71,7 @@ spec:
               secretKeyRef:
                 name: s3-dbrepo-upload-bucket-secret
                 key: AWS_REGION
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
       volumes:
         - name: tusd-data
           emptyDir: {}
diff --git a/helm/dbrepo/values.yaml b/helm/dbrepo/values.yaml
index 0d4ea185e72991a0e6b67258054c026c5a020a5b..316dcbb6b343e6f73c75a8948d0754edb9f43208 100644
--- a/helm/dbrepo/values.yaml
+++ b/helm/dbrepo/values.yaml
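Review bot: Every secretKeyRef in the ui-deployment.yaml hunk now expects `ui-secret` to carry keys named after the env var (`NUXT_PUBLIC_API_SERVER` through `NUXT_PUBLIC_DOI_ENDPOINT`), but no change to the template that renders `ui-secret` appears in this diff; if that template still emits the old `public-*` keys, every ui pod stays in CreateContainerConfigError on a missing key. `NUXT_PUBLIC_API_CLIENT` also changes meaning: it previously read `public-api-server` (the same value as API_SERVER) and now reads its own key `NUXT_PUBLIC_API_CLIENT`, which the secret must actually populate, whether or not the old sharing was a bug. Please confirm the secret template is updated in the same release, or keep `key: NUXT_PUBLIC_API_SERVER` for API_CLIENT until it is. The env list begins before the hunk's first line.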
@@ -11,7 +11,35 @@ global: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) adaptSecurityContext: auto ## @param global.storageClass Global StorageClass for Persistent Volume(s) - storageClass: "" + storageClass: "rbd-storagepool-cluster" + + +## resource limits required by ares cluster +resources: + limits: + cpu: 500m + memory: 756Mi + requests: + cpu: 100m + memory: 256Mi + +resourcesWStorage: + limits: + cpu: 500m + ephemeral-storage: 50Mi + memory: 756Mi + requests: + cpu: 100m + ephemeral-storage: 20Mi + memory: 256Mi + +resourcesLittle: + limits: + cpu: 100m + memory: 512Mi + requests: + cpu: 50m + memory: 256Mi ## @section Common parameters @@ -35,6 +63,11 @@ metadatadb: enabled: true ## @skip metadatadb.fullnameOverride fullnameOverride: metadata-db + global: + compatibility: + openshift: + adaptSecurityContext: force + storageClass: "rbd-storagepool-cluster" ## @param metadatadb.host The hostname for the microservices. host: metadata-db rootUser: @@ -70,6 +103,27 @@ metadatadb: persistence: ## @param metadatadb.persistence.enabled Enable persistent storage. enabled: true + securityContext: + capabilities: + drop: + - ALL + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsUser: null + podSecurityContext: + runAsNonRoot: true + fsGroup: null + runAsUser: null + resources: + requests: + cpu: 50m + ephemeral-storage: 10Mi + memory: 512Mi + limits: + cpu: 150m + ephemeral-storage: 20Mi + memory: 768Mi ## @section Auth Service 
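Review bot: `global.storageClass` now defaults to `rbd-storagepool-cluster` and the comment on the new `resources` block calls the limits `required by ares cluster`, which bakes one cluster's storage class and sizing into the chart's shipped defaults; every other installation has to override them back (`storageClass: ""`) and will otherwise fail PVC binding. Keep the default empty and carry the ares values in a per-environment values file. The three new top-level blocks also lack the `## @param` annotations the rest of this file uses, e.g. `## @param resources.limits.cpu CPU limit applied to services that set no resources of their own`, and `resourcesLittle` is not referenced by any template in this diff — confirm it has a consumer or drop it.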
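Review bot: `metadatadb.global.compatibility.openshift.adaptSecurityContext: force` contradicts the top-level `global` in this same file, which stays at `auto`, so the intent for the galera subchart on a non-OpenShift cluster is unclear. Helm gives the parent's top-level `global` map precedence when it coalesces a subchart's values, so this nested copy (and the duplicated `storageClass`) most likely never takes effect — worth checking with `helm template` before relying on it. Set the value once at the top level and delete the nested block, or document why the subchart needs a different mode.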
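Review bot: The new `metadatadb.podSecurityContext.fsGroup: null` together with `persistence.enabled: true` two lines above removes the group that makes the data volume writable for the container, and `runAsUser: null` leaves `runAsNonRoot: true` to be satisfied by the image's USER directive alone. That combination works where the platform injects a UID and fsGroup (OpenShift restricted SCCs); on any other cluster the galera pods may be refused by the kubelet or fail to write the datadir, so this should be verified on a plain Kubernetes install too. If OpenShift is the only target, a comment saying so next to these keys would save the next maintainer the experiment: `# UID/fsGroup intentionally unset: assigned by the platform SCC`.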
@@ -126,6 +180,16 @@ authservice: - name: config-map mountPath: /opt/bitnami/keycloak/data/import ## @skip authservice.replicaCount The number of replicas. + resources: + requests: + cpu: 50m + ephemeral-storage: 10Mi + memory: 512Mi + limits: + cpu: 250m + ephemeral-storage: 10Mi + memory: 768Mi + replicaCount: 2 ## @section Data Database @@ -148,8 +212,26 @@ datadb: metrics: ## @skip datadb.metrics.enabled enabled: true + resources: + requests: + cpu: 50m + ephemeral-storage: 10Mi + memory: 512Mi + limits: + cpu: 150m + ephemeral-storage: 10Mi + memory: 768Mi ## @skip datadb.primary primary: + resources: + requests: + cpu: 25m + ephemeral-storage: 10Mi + memory: 512Mi + limits: + cpu: 100m + ephemeral-storage: 10Mi + memory: 768Mi service: extraPorts: - name: "sidecar" @@ -161,8 +243,8 @@ datadb: image: registry.datalab.tuwien.ac.at/dbrepo/data-db-sidecar:1.4.5 imagePullPolicy: Always securityContext: - runAsUser: 1001 - runAsGroup: 0 + # runAsUser: 1001 + # runAsGroup: 0 runAsNonRoot: true allowPrivilegeEscalation: false seccompProfile: @@ -170,6 +252,15 @@ datadb: capabilities: drop: - ALL + resources: + requests: + cpu: 25m + ephemeral-storage: 10Mi + memory: 512Mi + limits: + cpu: 100m + ephemeral-storage: 10Mi + memory: 768Mi ports: - name: "sidecar" containerPort: 8080 @@ -204,6 +295,15 @@ datadb: emptyDir: { } persistence: enabled: true + resources: + requests: + cpu: 25m + ephemeral-storage: 10Mi + memory: 512Mi + limits: + cpu: 100m + ephemeral-storage: 10Mi + memory: 768Mi ## @skip datadb.secondary secondary: replicaCount: 2 @@ -243,8 +343,8 @@ uploadservice: ## @skip uploadservice.securityContext securityContext: allowPrivilegeEscalation: false - runAsUser: 1000 - runAsGroup: 1000 + # runAsUser: 1000 + # runAsGroup: 1000 runAsNonRoot: true seccompProfile: type: RuntimeDefault 
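Review bot: The `## @skip authservice.replicaCount The number of replicas.` annotation now sits directly above the inserted `resources:` block instead of `replicaCount: 2`, so the readme generator this file is annotated for will attach the skip to the wrong key and the inserted blank line separates the comment from its value. Move the `resources:` block above the `## @skip` comment so the annotation stays adjacent to `replicaCount`. The brokerservice hunk (the `## @param brokerservice.replicaCount` line) has the same misplacement.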
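Review bot: In the datadb sidecar securityContext hunk, commenting out `runAsUser: 1001` and `runAsGroup: 0` while keeping `runAsNonRoot: true` means the kubelet now decides non-root from the image's USER directive; if `data-db-sidecar:1.4.5` declares a non-numeric or root user, the container is refused on every cluster that does not inject a UID, so this needs checking against that image. The same pattern appears in the uploadservice hunk on this line and in the analyseservice, metadataservice, dataservice, searchservice and ui security-context hunks further down. Dead commented-out config should be deleted rather than kept; if the goal is OpenShift compatibility, a template conditional on the existing `global.compatibility.openshift.adaptSecurityContext` would keep the fixed UIDs everywhere else.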
@@ -337,6 +437,15 @@ brokerservice: managerPortEnabled: true # loadBalancerIP: ## @param brokerservice.replicaCount The number of replicas. + resources: + requests: + cpu: 50m + ephemeral-storage: 10Mi + memory: 512Mi + limits: + cpu: 300m + ephemeral-storage: 100Mi + memory: 768Mi replicaCount: 1 ## @section Analyse Service @@ -358,20 +467,20 @@ analyseservice: ## @param analyseservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy fsGroupChangePolicy: Always ## @param analyseservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface - sysctls: [ ] + # sysctls: [ ] ## @param analyseservice.podSecurityContext.supplementalGroups Set filesystem extra groups supplementalGroups: [ ] ## @param analyseservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup - fsGroup: 1001 + # fsGroup: 1001 containerSecurityContext: ## @param analyseservice.containerSecurityContext.enabled Enabled containers' Security Context enabled: true ## @param analyseservice.containerSecurityContext.seLinuxOptions Set SELinux options in container seLinuxOptions: { } ## @param analyseservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser - runAsUser: 1001 + # runAsUser: 1001 ## @param analyseservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup - runAsGroup: 1001 + # runAsGroup: 1001 ## @param analyseservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot runAsNonRoot: true ## @param analyseservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation 
@@ -420,20 +529,20 @@ metadataservice: ## @param metadataservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy fsGroupChangePolicy: Always ## @param metadataservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface - sysctls: [ ] + # sysctls: [ ] ## @param metadataservice.podSecurityContext.supplementalGroups Set filesystem extra groups supplementalGroups: [ ] ## @param metadataservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup - fsGroup: 1001 + # fsGroup: 1001 containerSecurityContext: ## @param metadataservice.containerSecurityContext.enabled Enabled containers' Security Context enabled: true ## @param metadataservice.containerSecurityContext.seLinuxOptions Set SELinux options in container seLinuxOptions: { } ## @param metadataservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser - runAsUser: 1001 + # runAsUser: 1001 ## @param metadataservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup - runAsGroup: 1001 + #รค runAsGroup: 1001 ## @param metadataservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot runAsNonRoot: true ## @param metadataservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation @@ -446,14 +555,13 @@ metadataservice: seccompProfile: ## @param metadataservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile type: "RuntimeDefault" - ## @skip metadataservice.resources resources: requests: cpu: 250m memory: 512Mi limits: - cpu: 1000m - memory: 2048Mi + cpu: 500m + memory: 1024Mi ## @param metadataservice.endpoint The Metadata Service endpoint. endpoint: http://metadata-service crossref: 
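Review bot: The line `#รค runAsGroup: 1001` in the metadataservice containerSecurityContext hunk carries stray non-ASCII characters after the `#`; it is a comment so it parses, but it looks like an accidental keystroke and should read `# runAsGroup: 1001` (or be deleted, see the sidecar note above). In the resources hunk, removing `## @skip metadataservice.resources` while leaving the keys undocumented will make the readme generator report them as missing parameters — either restore the skip or add `## @param` lines for the four subkeys.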
@@ -486,16 +594,9 @@ metadataservice: ## @param metadataservice.sparql.connectionTimeout The connection timeout for sparql queries fetching remote data in ms. connectionTimeout: 10000 s3: - ## @param metadataservice.s3.endpoint The S3-capable endpoint the microservice connects to. - endpoint: http://storage-service-s3:8333 bucket: import: dbrepo-upload export: dbrepo-download - auth: - ## @param metadataservice.s3.auth.username The S3-capable endpoint username (or access key id). - username: seaweedfsadmin - ## @param metadataservice.s3.auth.password The S3-capable endpoint user password (or access key secret). - password: seaweedfsadmin ## @param metadataservice.replicaCount The number of replicas. replicaCount: 2 
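Review bot: Dropping the default `seaweedfsadmin` credentials and the `metadataservice.s3.endpoint` key from values is the right direction, but no template change in this diff stops reading `.Values.metadataservice.s3.endpoint` or `.Values.metadataservice.s3.auth.*`; if the metadata deployment still references them they now render empty, and nothing here shows where the service gets its S3 endpoint and credentials instead. Please point at the secret or config map that replaces them, and document the `bucket.import`/`bucket.export` keys that remain, e.g. `## @param metadataservice.s3.bucket.import The bucket uploads are read from.`. The dataservice s3 hunk further down has the identical removal and the same question.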
@@ -520,20 +621,20 @@ dataservice: ## @param dataservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy fsGroupChangePolicy: Always ## @param dataservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface - sysctls: [ ] + # sysctls: [ ] ## @param dataservice.podSecurityContext.supplementalGroups Set filesystem extra groups supplementalGroups: [ ] ## @param dataservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup - fsGroup: 1001 + # fsGroup: 1001 containerSecurityContext: ## @param dataservice.containerSecurityContext.enabled Enabled containers' Security Context enabled: true ## @param dataservice.containerSecurityContext.seLinuxOptions Set SELinux options in container seLinuxOptions: { } ## @param dataservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser - runAsUser: 1001 + # runAsUser: 1001 ## @param dataservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup - runAsGroup: 1001 + # runAsGroup: 1001 ## @param dataservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot runAsNonRoot: true ## @param dataservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation 
@@ -572,16 +673,9 @@ dataservice: ## @param dataservice.rabbitmq.consumer.password The user password for the consumer to read tuples from the broker service. In many cases this value is equal to `identityservice.userPasswords`. password: admin s3: - ## @param dataservice.s3.endpoint The S3-capable endpoint the microservice connects to. - endpoint: http://storage-service-s3:8333 bucket: import: dbrepo-upload export: dbrepo-download - auth: - ## @param dataservice.s3.auth.username The S3-capable endpoint username (or access key id). - username: seaweedfsadmin - ## @param dataservice.s3.auth.password The S3-capable endpoint user password (or access key secret). - password: seaweedfsadmin ## @param dataservice.s3.filePath The local location to download/upload files from/to S3-capable endpoint. filePath: /s3 ## @param dataservice.replicaCount The number of replicas. 
@@ -608,20 +702,20 @@ searchservice: ## @param searchservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy fsGroupChangePolicy: Always ## @param searchservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface - sysctls: [ ] + # sysctls: [ ] ## @param searchservice.podSecurityContext.supplementalGroups Set filesystem extra groups supplementalGroups: [ ] ## @param searchservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup - fsGroup: 1001 + # fsGroup: 1001 containerSecurityContext: ## @param searchservice.containerSecurityContext.enabled Enabled containers' Security Context enabled: true ## @param searchservice.containerSecurityContext.seLinuxOptions Set SELinux options in container seLinuxOptions: { } ## @param searchservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser - runAsUser: 1001 + # runAsUser: 1001 ## @param searchservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup - runAsGroup: 1001 + # runAsGroup: 1001 ## @param searchservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot runAsNonRoot: true ## @param searchservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation @@ -634,14 +728,13 @@ searchservice: seccompProfile: ## @param searchservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile type: "RuntimeDefault" - ## @skip searchservice.resources resources: requests: cpu: 250m memory: 512Mi limits: - cpu: 1000m - memory: 2048Mi + cpu: 500m + memory: 1024Mi ## @skip searchservice.init init: image: 
@@ -698,6 +791,19 @@ identityservice: enabled: true ## @skip identityservice.fullnameOverride fullnameOverride: identity-service + podSecurityContext: + runAsNonRoot: true + fsGroup: null + runAsUser: null + containerSecurityContext: + enabled: true + capabilities: + drop: + - ALL + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsUser: null #todo: does not overwrite global: ## @param identityservice.global.ldapDomain The LDAP domain name in domain "dbrepo.at" form or explicit in "dc=dbrepo,dc=at" form. ldapDomain: dc=dbrepo,dc=at @@ -763,20 +869,20 @@ ui: ## @param ui.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy fsGroupChangePolicy: Always ## @param ui.podSecurityContext.sysctls Set kernel settings using the sysctl interface - sysctls: [ ] + # sysctls: [ ] ## @param ui.podSecurityContext.supplementalGroups Set filesystem extra groups supplementalGroups: [ ] ## @param ui.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup - fsGroup: 1001 + # fsGroup: 1001 containerSecurityContext: ## @param ui.containerSecurityContext.enabled Enabled containers' Security Context enabled: true ## @param ui.containerSecurityContext.seLinuxOptions Set SELinux options in container seLinuxOptions: { } ## @param ui.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser - runAsUser: 1001 + # runAsUser: 1001 ## @param ui.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup - runAsGroup: 1001 + # runAsGroup: 1001 ## @param ui.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot runAsNonRoot: true ## @param ui.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation 
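Review bot: `runAsUser: null #todo: does not overwrite` in the identityservice hunk ships a container security context with an unresolved TODO saying it does not take effect, so readers cannot tell whether the ldap pods actually run with the restrictive settings listed above it (`readOnlyRootFilesystem: true`, dropped capabilities). Helm removes a key from a subchart's defaults when the parent sets it to `null`, but only if the path matches the subchart's own values layout, so the failure is probably a key-name mismatch rather than a Helm limitation — confirm against the openldap-stack-ha values and either fix the path or drop the line. Either way the comment should state what was observed and on which cluster rather than a bare `#todo`.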
@@ -789,14 +895,13 @@ ui: seccompProfile: ## @param ui.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile type: "RuntimeDefault" - ## @skip ui.resources resources: requests: cpu: 250m memory: 512Mi limits: - cpu: 1000m - memory: 2048Mi + cpu: 500m + memory: 1024Mi public: api: ## @param ui.public.api.client The endpoint for the client api. Defaults to the value of `gateway`. 
@@ -860,44 +965,30 @@ ui: ## @section Ingress ingress: - ## @param ingress.enabled Enable the ingress. - enabled: false - ## @param ingress.className The ingress class name. + enabled: true className: nginx tls: - ## @param ingress.tls.enabled Enable the ingress. enabled: true - ## @param ingress.tls.secretName The secret holding the SSL/TLS certificate. Needs to have keys `tls.crt` and `tls.key` and optionally `ca.crt`. - secretName: ingress-cert + secretName: dbrepo-ingress-tls-cert annotations: - ## @skip ingress.annotations.basic The ingress rules for proxying requests directly to services. - basic: { } - # nginx.org/path-regex: "case_sensitive" - # nginx.ingress.kubernetes.io/use-regex: "true" - # cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer - ## @skip ingress.annotations.rewriteApi The ingress rules for rewriting certain paths to /api/. + basic: +# cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer + nginx.ingress.kubernetes.io/use-regex: "true" rewriteApi: - # nginx.org/path-regex: "case_sensitive" - # cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer +# cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/rewrite-target: /api/$1 - ## @skip ingress.annotations.rewriteRoot The ingress rules for rewriting certain paths to /. rewriteRoot: - # nginx.org/path-regex: "case_sensitive" - # cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer +# cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/rewrite-target: /$1 - ## @skip ingress.annotations.rewriteRootSecure The ingress rules for rewriting certain paths to / and force SSL/TLS encrypted traffic. 
rewriteRootSecure: - # nginx.org/path-regex: "case_sensitive" - # cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer +# cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/rewrite-target: /$1 - ## @skip ingress.annotations.rewritePid The ingress rules for rewriting certain paths to /api/identifier/. rewritePid: - # nginx.org/path-regex: "case_sensitive" - # cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer +# cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/rewrite-target: /api/identifier/$1
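Review bot: Flipping `ingress.enabled` from `false` to `true` in the shipped defaults means a fresh install publishes the services through the cluster ingress immediately, and `secretName: dbrepo-ingress-tls-cert` has to pre-exist because the `cert-manager.io/cluster-issuer` annotation that would create it stays commented out; with the secret missing, ingress-nginx serves its default self-signed certificate without failing the install. Keep `enabled: false` and the generic `ingress-cert` name in values.yaml and put the cluster-specific overrides in an environment values file. The hunk also deletes every `## @param ingress.*` annotation, which removes these keys from the generated parameter table; restore them, e.g. `## @param ingress.enabled Enable the ingress.`. The column-0 `# cert-manager.io/...` comments inside the nested annotation maps should be indented with their siblings for readability.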