mariadb

Helm chart
Default values

# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker Image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param nameOverride String to partially override mariadb.fullname
##
nameOverride: ""
## @param fullnameOverride String to fully override mariadb.fullname
##
fullnameOverride: ""
## @param clusterDomain Default Kubernetes cluster domain
##
clusterDomain: cluster.local
## @param commonAnnotations Common annotations to add to all MariaDB resources (sub-charts are not considered)
##
commonAnnotations: {}
## @param commonLabels Common labels to add to all MariaDB resources (sub-charts are not considered)
##
commonLabels: {}
## @param schedulerName Name of the scheduler (other than default) to dispatch pods
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param runtimeClassName Name of the Runtime Class for all MariaDB pods
## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
##
runtimeClassName: ""
## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template)
##
extraDeploy: []
## Enable diagnostic mode in the deployment
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the deployment
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the deployment
  ##
  args:
    - infinity
## @param serviceBindings.enabled Create secret for service binding (Experimental)
## Ref: https://servicebinding.io/service-provider/
##
serviceBindings:
  enabled: false
## @section MariaDB common parameters
##

## Iamguarded MariaDB image
## @param image.registry [default: REGISTRY_NAME] MariaDB image registry
## @param image.repository [default: REPOSITORY_NAME/mariadb] MariaDB image repository
## @skip image.tag MariaDB image tag (immutable tags are recommended)
## @param image.digest MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy MariaDB image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
## @param image.debug Specify if debug logs should be enabled
##
image:
  registry: cgr.dev
  repository: chainguard-private/mariadb-iamguarded
  tag: 12.2.2
  digest: ""
  ## Specify a imagePullPolicy
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Example:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Set to true if you would like to see extra information on logs
  ## It turns BASH and/or NAMI debugging in the image
  ##
  debug: false
## @param architecture MariaDB architecture (`standalone` or `replication`)
##
architecture: standalone
## MariaDB Authentication parameters
##
auth:
  ## @param auth.rootPassword Password for the `root` user. Ignored if existing secret is provided.
  ##
  rootPassword: ""
  ## @param auth.database Name for a custom database to create
  ##
  database: my_database
  ## @param auth.username Name for a custom user to create
  ##
  username: ""
  ## @param auth.password Password for the new user. Ignored if existing secret is provided
  ##
  password: ""
  ## @param auth.replicationUser MariaDB replication user
  ##
  replicationUser: replicator
  ## @param auth.replicationPassword MariaDB replication user password. Ignored if existing secret is provided
  ##
  replicationPassword: ""
  ## @param auth.existingSecret Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password`
  ##
  existingSecret: ""
  ## @param auth.forcePassword Force users to specify required passwords
  ##
  forcePassword: false
  ## @param auth.usePasswordFiles Mount credentials as files instead of using environment variables
  ##
  usePasswordFiles: true
  ## @param auth.customPasswordFiles Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication`
  ## Example:
  ## customPasswordFiles:
  ##   root: /vault/secrets/mariadb-root
  ##   user: /vault/secrets/mariadb-user
  ##   replicator: /vault/secrets/mariadb-replicator
  ##
  customPasswordFiles: {}
## @param initdbScripts Dictionary of initdb scripts
## Specify dictionary of scripts to be run at first boot
## Example:
## initdbScripts:
##   my_init_script.sh: |
##     #!/bin/bash
##     echo "Do something."
##
initdbScripts: {}
## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)
##
initdbScriptsConfigMap: ""
## @section TLS/SSL parameters
##
## @param tls.enabled Enable TLS in MariaDB
## @param tls.existingSecret Existing secret that contains TLS certificates
## @param tls.certFilename The secret key from the existingSecret if 'cert' key different from the default (tls.crt)
## @param tls.certKeyFilename The secret key from the existingSecret if 'key' key different from the default (tls.key)
## @param tls.certCAFilename The secret key from the existingSecret if 'ca' key different from the default (tls.crt)
## @param tls.ca CA certificate for TLS. Ignored if `tls.existingSecret` is set
## @param tls.cert TLS certificate. Ignored if `tls.master.existingSecret` is set
## @param tls.key TLS key. Ignored if `tls.master.existingSecret` is set
##
tls:
  enabled: false
  existingSecret: ""
  certFilename: tls.crt
  certKeyFilename: tls.key
  certCAFilename: ""
  ca: ""
  cert: ""
  key: ""
  ## @param tls.autoGenerated.enabled Enable automatic generation of certificates for TLS
  ## @param tls.autoGenerated.engine Mechanism to generate the certificates (allowed values: helm, cert-manager)
  autoGenerated:
    enabled: true
    engine: helm
    ## @param tls.autoGenerated.certManager.existingIssuer The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine)
    ## @param tls.autoGenerated.certManager.existingIssuerKind Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine)
    ## @param tls.autoGenerated.certManager.keyAlgorithm Key algorithm for the certificates (only for `cert-manager` engine)
    ## @param tls.autoGenerated.certManager.keySize Key size for the certificates (only for `cert-manager` engine)
    ## @param tls.autoGenerated.certManager.duration Duration for the certificates (only for `cert-manager` engine)
    ## @param tls.autoGenerated.certManager.renewBefore Renewal period for the certificates (only for `cert-manager` engine)
    certManager:
      existingIssuer: ""
      existingIssuerKind: ""
      keySize: 2048
      keyAlgorithm: RSA
      duration: 2160h
      renewBefore: 360h
## @section Transparent Data Encryption parameters
## ref: https://mariadb.com/kb/en/file-key-management-encryption-plugin/
##
## @param tde.enabled Enable Transparent Data Encryption using the File Key Management Encryption Plugin for MariaDB
## @param tde.existingSecret Existing secret that contains Transparent Data Encryption key files used when secretsStoreProvider is not enabled
## @param tde.randomKeyFilename File name of the 'random keyfile' when it is different from the default (keyfile.key), is also used for key name in the existingSecret
## @param tde.encryptedKeyFilename File name of the 'encrypted keyfile' when it is different from the default (keyfile.enc), is also used for key name in the existingSecret
## @param tde.fileKeyManagementEncryptionAlgorithm Encryption algorithm used for encrypting data (allowed values: AES_CTR, AES_CBC | default: AES_CTR)
## @param tde.innodbEncryptTables Enables automatic encryption of all InnoDB tablespaces (allowed values: FORCE, ON, OFF | default: FORCE)
## @param tde.innodbEncryptLog Enables encryption of the InnoDB redo log (allowed values: ON, OFF | default: ON)
## @param tde.innodbEncryptTemporaryTables Enables automatic encryption of the InnoDB temporary tablespace (allowed values: ON, OFF | default: ON)
## @param tde.innodbEncryptionThreads Number of threads to use for encryption (default: 4)
## @param tde.encryptTmpDiskTables Enables automatic encryption of all internal on-disk temporary tables that are created during query execution (allowed values: ON, OFF | default: ON)
## @param tde.encryptTmpTiles Enables automatic encryption of temporary files, such as those created for filesort operations, binary log file caches, etc. (allowed values: ON, OFF | default: ON)
## @param tde.encryptBINLOG Enables encrypting binary logs including relay logs (allowed values: ON, OFF | default: ON)
## @param tde.ariaEncryptTables Enables automatic encryption of all Aria tablespaces (allowed values: ON, OFF | default: ON)
##
tde:
  enabled: false
  existingSecret: ""
  randomKeyFilename: keyfile.key
  encryptedKeyFilename: keyfile.enc
  fileKeyManagementEncryptionAlgorithm: AES_CTR
  innodbEncryptTables: FORCE
  innodbEncryptLog: "ON"
  innodbEncryptTemporaryTables: "ON"
  encryptTmpDiskTables: "ON"
  encryptTmpTiles: "ON"
  encryptBINLOG: "ON"
  ariaEncryptTables: "ON"
  innodbEncryptionThreads: 4
  ## @param tde.secretsStoreProvider.enabled Enable use of secrets store provider for Transparent Data Encryption key files
  ## @param tde.secretsStoreProvider.provider Type of provider used in secrets store provider class (allowed values: vault)
  secretsStoreProvider:
    enabled: false
    provider: vault
    ## @param tde.secretsStoreProvider.vault.roleName The name of the HashiCorp Vault role used for accessing the key files (only for `vault` provider)
    ## @param tde.secretsStoreProvider.vault.address The URL of the HashiCorp Vault server (only for `vault` provider)
    ## @param tde.secretsStoreProvider.vault.authMountPath The HashiCorp Vault auth mount path (only for `vault` provider)
    ## @param tde.secretsStoreProvider.vault.randomKeySecretPath The HashiCorp Vault secret path for the 'random keyfile' (only for `vault` provider)
    ## @param tde.secretsStoreProvider.vault.randomKeySecretKey The HashiCorp Vault secret key for the 'random keyfile' (only for `vault` provider)
    ## @param tde.secretsStoreProvider.vault.encryptedKeySecretPath The HashiCorp Vault secret path for the 'encrypted keyfile' (only for `vault` provider)
    ## @param tde.secretsStoreProvider.vault.encryptedKeySecretKey The HashiCorp Vault secret key for the 'encrypted keyfile' (only for `vault` provider)
    vault:
      roleName: ""
      address: ""
      authMountPath: ""
      randomKeySecretPath: ""
      randomKeySecretKey: ""
      encryptedKeySecretPath: ""
      encryptedKeySecretKey: ""
## @section MariaDB Primary parameters
##

## Mariadb Primary parameters
##
primary:
  ## @param primary.name Name of the primary database (eg primary, master, leader, ...)
  ##
  name: primary
  ## @param primary.command Override default container command on MariaDB Primary container(s) (useful when using custom images)
  ##
  command: []
  ## @param primary.args Override default container args on MariaDB Primary container(s) (useful when using custom images)
  ##
  args: []
  ## @param primary.lifecycleHooks for the MariaDB Primary container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param primary.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param primary.hostAliases Add deployment host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param primary.containerPorts.mysql Container port for mysql
  ##
  containerPorts:
    mysql: 3306
  ## @param primary.configuration [string] MariaDB Primary configuration to be injected as ConfigMap
  ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file
  ##
  configuration: |-
    [mysqld]
    skip-name-resolve
    explicit_defaults_for_timestamp
    basedir=/opt/iamguarded/mariadb
    datadir=/iamguarded/mariadb/data
    plugin_dir=/opt/iamguarded/mariadb/plugin
    port={{ .Values.primary.containerPorts.mysql }}
    socket=/opt/iamguarded/mariadb/tmp/mysql.sock
    tmpdir=/opt/iamguarded/mariadb/tmp
    max_allowed_packet=16M
    bind-address=*
    pid-file=/opt/iamguarded/mariadb/tmp/mysqld.pid
    log-error=/opt/iamguarded/mariadb/logs/mysqld.log
    character-set-server=UTF8
    collation-server=utf8_general_ci
    slow_query_log=0
    long_query_time=10.0
    binlog_expire_logs_seconds=2592000
    {{- if .Values.tls.enabled }}
    ssl_cert=/opt/iamguarded/mariadb/certs/{{ .Values.tls.certFilename }}
    ssl_key=/opt/iamguarded/mariadb/certs/{{ .Values.tls.certKeyFilename }}
    {{- if (include "mariadb.tlsCACert" .) }}
    ssl_ca={{ include "mariadb.tlsCACert" . }}
    {{- end }}
    {{- end }}
    {{- if .Values.tde.enabled }}
    plugin_load_add=file_key_management
    file_key_management_filename=/opt/iamguarded/mariadb/tde/{{ .Values.tde.encryptedKeyFilename }}
    file_key_management_filekey=FILE:/opt/iamguarded/mariadb/tde/{{ .Values.tde.randomKeyFilename }}
    file_key_management_encryption_algorithm={{ .Values.tde.fileKeyManagementEncryptionAlgorithm }}
    innodb_encrypt_tables={{ .Values.tde.innodbEncryptTables }}
    innodb_encrypt_log={{ .Values.tde.innodbEncryptLog }}
    innodb_encrypt_temporary_tables={{ .Values.tde.innodbEncryptTemporaryTables }}
    innodb_encryption_threads={{ .Values.tde.innodbEncryptionThreads }}
    encrypt_tmp_disk_tables={{ .Values.tde.encryptTmpDiskTables }}
    encrypt_tmp_files={{ .Values.tde.encryptTmpTiles }}
    encrypt_binlog={{ .Values.tde.encryptBINLOG }}
    aria_encrypt_tables={{ .Values.tde.ariaEncryptTables }}
    {{- end }}

    [client]
    port=3306
    socket=/opt/iamguarded/mariadb/tmp/mysql.sock
    default-character-set=UTF8
    plugin_dir=/opt/iamguarded/mariadb/plugin

    [manager]
    port=3306
    socket=/opt/iamguarded/mariadb/tmp/mysql.sock
    pid-file=/opt/iamguarded/mariadb/tmp/mysqld.pid
  ## @param primary.existingConfigmap Name of existing ConfigMap with MariaDB Primary configuration.
  ## NOTE: When it's set the 'configuration' parameter is ignored
  ##
  existingConfigmap: ""
  ## @param primary.updateStrategy.type MariaDB primary statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param primary.rollingUpdatePartition Partition update strategy for Mariadb Primary statefulset
  ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
  ##
  rollingUpdatePartition: ""
  ## @param primary.podAnnotations Additional pod annotations for MariaDB primary pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param primary.podLabels Extra labels for MariaDB primary pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param primary.podAffinityPreset MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param primary.podAntiAffinityPreset MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Mariadb Primary node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param primary.nodeAffinityPreset.type MariaDB primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param primary.nodeAffinityPreset.key MariaDB primary node label key to match Ignored if `primary.affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param primary.nodeAffinityPreset.values MariaDB primary node label values to match. Ignored if `primary.affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param primary.affinity Affinity for MariaDB primary pods assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param primary.nodeSelector Node labels for MariaDB primary pods assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param primary.tolerations Tolerations for MariaDB primary pods assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param primary.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param primary.terminationGracePeriodSeconds In seconds, time the given to the MySQL primary pod needs to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param primary.podManagementPolicy podManagementPolicy to manage scaling operation of MariaDB primary pods
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
  ##
  podManagementPolicy: ""
  ## @param primary.topologySpreadConstraints Topology Spread Constraints for MariaDB primary pods assignment
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## E.g.
  ## topologySpreadConstraints:
  ##   - maxSkew: 1
  ##     topologyKey: topology.kubernetes.io/zone
  ##     whenUnsatisfiable: DoNotSchedule
  ##
  topologySpreadConstraints: []
  ## @param primary.priorityClassName Priority class for MariaDB primary pods assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  ##
  priorityClassName: ""
  ## @param primary.runtimeClassName Runtime Class for MariaDB primary pods
  ## Ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
  ##
  runtimeClassName: ""
  ## MariaDB primary Pod security context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param primary.podSecurityContext.enabled Enable security context for MariaDB primary pods
  ## @param primary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param primary.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param primary.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param primary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## MariaDB primary container security context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param primary.containerSecurityContext.enabled MariaDB primary container securityContext
  ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param primary.containerSecurityContext.runAsUser User ID for the MariaDB primary container
  ## @param primary.containerSecurityContext.runAsGroup Group ID for the MariaDB primary container
  ## @param primary.containerSecurityContext.runAsNonRoot Set primary container's Security Context runAsNonRoot
  ## @param primary.containerSecurityContext.privileged Set primary container's Security Context privileged
  ## @param primary.containerSecurityContext.allowPrivilegeEscalation Set primary container's Security Context allowPrivilegeEscalation
  ## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param primary.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param primary.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## MariaDB primary init container security context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param primary.initContainerSecurityContext.enabled MariaDB primary init container securityContext
  ## @param primary.initContainerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in init container
  ## @param primary.initContainerSecurityContext.runAsUser User ID for the MariaDB primary init container
  ## @param primary.initContainerSecurityContext.runAsGroup Group ID for the MariaDB primary init container
  ## @param primary.initContainerSecurityContext.runAsNonRoot Set primary init container's Security Context runAsNonRoot
  ## @param primary.initContainerSecurityContext.privileged Set primary init container's Security Context privileged
  ## @param primary.initContainerSecurityContext.allowPrivilegeEscalation Set primary init container's Security Context allowPrivilegeEscalation
  ## @param primary.initContainerSecurityContext.readOnlyRootFilesystem Set init container's Security Context readOnlyRootFilesystem
  ## @param primary.initContainerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param primary.initContainerSecurityContext.seccompProfile.type Set init container's Security Context seccomp profile
  ##
  initContainerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## MariaDB primary container's resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
  ##
  resourcesPreset: "small"
  ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure extra options for MariaDB primary containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
  ## @param primary.startupProbe.enabled Enable startupProbe
  ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param primary.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 120
    periodSeconds: 15
    timeoutSeconds: 5
    failureThreshold: 10
    successThreshold: 1
  ## Configure extra options for liveness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param primary.livenessProbe.enabled Enable livenessProbe
  ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 120
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 3
    successThreshold: 1
  ## @param primary.readinessProbe.enabled Enable readinessProbe
  ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 3
    successThreshold: 1
  ## @param primary.customStartupProbe Override default startup probe for MariaDB primary containers
  ##
  customStartupProbe: {}
  ## @param primary.customLivenessProbe Override default liveness probe for MariaDB primary containers
  ##
  customLivenessProbe: {}
  ## @param primary.customReadinessProbe Override default readiness probe for MariaDB primary containers
  ##
  customReadinessProbe: {}
  ## @param primary.startupWaitOptions Override default builtin startup wait check options for MariaDB primary containers
  ## `iamguarded/mariadb` Docker image has built-in startup check mechanism,
  ## which periodically checks if MariaDB service has started up and stops it
  ## if all checks have failed after X tries. Use these to control these checks.
  ## Example (with default options):
  ## startupWaitOptions:
  ##   retries: 300
  ##   waitTime: 2
  ##
  startupWaitOptions: {}
  ## @param primary.extraFlags MariaDB primary additional command line flags
  ## Can be used to specify command line flags, for example:
  ## E.g.
  ## extraFlags: "--max-connect-errors=1000 --max_connections=155"
  ##
  extraFlags: ""
  ## @param primary.extraEnvVars Extra environment variables to be set on MariaDB primary containers
  ## E.g.
  ## extraEnvVars:
  ##   - name: TZ
  ##     value: "Europe/Paris"
  ##
  extraEnvVars: []
  ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for MariaDB primary containers
  ##
  extraEnvVarsCM: ""
  ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MariaDB primary containers
  ##
  extraEnvVarsSecret: ""
614
  ## Enable persistence using Persistent Volume Claims
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param primary.persistence.enabled Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir
    ##
    enabled: true
    ## @param primary.persistence.existingClaim Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas
    ## NOTE: When it's set, the rest of the persistence parameters are ignored
    ##
    existingClaim: ""
    ## @param primary.persistence.subPath Subdirectory of the volume to mount at
    ##
    subPath: ""
    ## @param primary.persistence.storageClass MariaDB primary persistent volume storage Class
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner. (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param primary.persistence.labels Labels for the PVC
    ##
    labels: {}
    ## @param primary.persistence.annotations MariaDB primary persistent volume claim annotations
    ##
    annotations: {}
    ## @param primary.persistence.accessModes MariaDB primary persistent volume access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param primary.persistence.size MariaDB primary persistent volume size
    ##
    size: 8Gi
    ## @param primary.persistence.selector Selector to match an existing Persistent Volume
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
  ## @param primary.extraVolumes Optionally specify extra list of additional volumes to the MariaDB Primary pod(s)
  ##
  extraVolumes: []
  ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s)
  ##
  extraVolumeMounts: []
  ## @param primary.initContainers Add additional init containers for the MariaDB Primary pod(s)
  ##
  initContainers: []
  ## @param primary.sidecars Add additional sidecar containers for the MariaDB Primary pod(s)
  ##
  sidecars: []
  ## MariaDB Primary Service parameters
  ##
  service:
    ## @param primary.service.type MariaDB Primary Kubernetes service type
    ##
    type: ClusterIP
    ports:
      ## @param primary.service.ports.mysql MariaDB Primary Kubernetes service port for MariaDB
      ##
      mysql: 3306
      ## @param primary.service.ports.metrics MariaDB Primary Kubernetes service port for metrics
      ##
      metrics: 9104
    ## @param primary.service.nodePorts.mysql MariaDB Primary Kubernetes service node port
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
    ##
    nodePorts:
      mysql: ""
    ## @param primary.service.clusterIP MariaDB Primary Kubernetes service cluster IP
    ##
    clusterIP: ""
    ## @param primary.service.loadBalancerIP MariaDB Primary loadBalancerIP if service type is `LoadBalancer`
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
    ##
    loadBalancerIP: ""
    ## @param primary.service.externalTrafficPolicy Enable client source IP preservation
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when MariaDB Primary service is LoadBalancer
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## E.g.
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param primary.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
    ##
    extraPorts: []
    ## @param primary.service.annotations Provide any additional annotations which may be required
    ##
    annotations: {}
    ## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
    ## @param primary.service.headless.annotations Annotations of the headless service
    ##
    headless:
      annotations: {}
  ## MariaDB primary Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  ##
  pdb:
    ## @param primary.pdb.create Enable/disable a Pod Disruption Budget creation for MariaDB primary pods
    ##
    create: true
    ## @param primary.pdb.minAvailable Minimum number/percentage of MariaDB primary pods that must still be available after the eviction
    ##
    minAvailable: ""
    ## @param primary.pdb.maxUnavailable Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction. Defaults to `1` if both `primary.pdb.minAvailable` and `primary.pdb.maxUnavailable` are empty.
    ##
    maxUnavailable: ""
  ## @param primary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet
  ##
  revisionHistoryLimit: 10
## @section MariaDB Secondary parameters
##

## MariaDB Secondary parameters
##
secondary:
  ## @param secondary.name Name of the secondary database (e.g. secondary, slave, ...)
  ##
  name: secondary
  ## @param secondary.replicaCount Number of MariaDB secondary replicas
  ##
  replicaCount: 1
  ## @param secondary.command Override default container command on MariaDB Secondary container(s) (useful when using custom images)
  ##
  command: []
  ## @param secondary.args Override default container args on MariaDB Secondary container(s) (useful when using custom images)
  ##
  args: []
  ## @param secondary.lifecycleHooks for the MariaDB Secondary container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param secondary.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param secondary.hostAliases Add deployment host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param secondary.containerPorts.mysql Container port for mysql
  ##
  containerPorts:
    mysql: 3306
  ## @param secondary.configuration [string] MariaDB Secondary configuration to be injected as ConfigMap
  ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file
  ##
  configuration: |-
    [mysqld]
    skip-name-resolve
    explicit_defaults_for_timestamp
    basedir=/opt/iamguarded/mariadb
    datadir=/iamguarded/mariadb/data
    port={{ .Values.secondary.containerPorts.mysql }}
    socket=/opt/iamguarded/mariadb/tmp/mysql.sock
    tmpdir=/opt/iamguarded/mariadb/tmp
    max_allowed_packet=16M
    bind-address=0.0.0.0
    pid-file=/opt/iamguarded/mariadb/tmp/mysqld.pid
    log-error=/opt/iamguarded/mariadb/logs/mysqld.log
    character-set-server=UTF8
    collation-server=utf8_general_ci
    slow_query_log=0
    long_query_time=10.0
    binlog_expire_logs_seconds=2592000
    {{- if .Values.tls.enabled }}
    ssl_cert=/opt/iamguarded/mariadb/certs/{{ .Values.tls.certFilename }}
    ssl_key=/opt/iamguarded/mariadb/certs/{{ .Values.tls.certKeyFilename }}
    {{- if (include "mariadb.tlsCACert" .) }}
    ssl_ca={{ include "mariadb.tlsCACert" . }}
    {{- end }}
    {{- end }}

    [client]
    port=3306
    socket=/opt/iamguarded/mariadb/tmp/mysql.sock
    default-character-set=UTF8

    [manager]
    port=3306
    socket=/opt/iamguarded/mariadb/tmp/mysql.sock
    pid-file=/opt/iamguarded/mariadb/tmp/mysqld.pid
  ## @param secondary.existingConfigmap Name of existing ConfigMap with MariaDB Secondary configuration.
  ## NOTE: When it's set, the 'configuration' parameter is ignored
  ##
  existingConfigmap: ""
  ## @param secondary.updateStrategy.type MariaDB secondary statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param secondary.rollingUpdatePartition Partition update strategy for MariaDB Secondary statefulset
  ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
  ##
  rollingUpdatePartition: ""
  ## @param secondary.podAnnotations Additional pod annotations for MariaDB secondary pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param secondary.podLabels Extra labels for MariaDB secondary pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param secondary.podAffinityPreset MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param secondary.podAntiAffinityPreset MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## MariaDB Secondary node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param secondary.nodeAffinityPreset.type MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param secondary.nodeAffinityPreset.key MariaDB secondary node label key to match. Ignored if `secondary.affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param secondary.nodeAffinityPreset.values MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param secondary.affinity Affinity for MariaDB secondary pods assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param secondary.nodeSelector Node labels for MariaDB secondary pods assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param secondary.tolerations Tolerations for MariaDB secondary pods assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param secondary.topologySpreadConstraints Topology Spread Constraints for MariaDB secondary pods assignment
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## E.g.
  ## topologySpreadConstraints:
  ##   - maxSkew: 1
  ##     topologyKey: topology.kubernetes.io/zone
  ##     whenUnsatisfiable: DoNotSchedule
  ##
  topologySpreadConstraints: []
  ## @param secondary.priorityClassName Priority class for MariaDB secondary pods assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  ##
  priorityClassName: ""
  ## @param secondary.runtimeClassName Runtime Class for MariaDB secondary pods
  ## Ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
  ##
  runtimeClassName: ""
  ## @param secondary.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param secondary.terminationGracePeriodSeconds In seconds, the time given to the MySQL secondary pod to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param secondary.podManagementPolicy podManagementPolicy to manage scaling operation of MariaDB secondary pods
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
  ##
  podManagementPolicy: ""
  ## MariaDB secondary Pod security context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param secondary.podSecurityContext.enabled Enable security context for MariaDB secondary pods
  ## @param secondary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param secondary.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param secondary.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param secondary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## MariaDB secondary container security context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param secondary.containerSecurityContext.enabled MariaDB secondary container securityContext
  ## @param secondary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param secondary.containerSecurityContext.runAsUser User ID for the MariaDB secondary container
  ## @param secondary.containerSecurityContext.runAsGroup Group ID for the MariaDB secondary container
  ## @param secondary.containerSecurityContext.runAsNonRoot Set secondary container's Security Context runAsNonRoot
  ## @param secondary.containerSecurityContext.privileged Set secondary container's Security Context privileged
  ## @param secondary.containerSecurityContext.allowPrivilegeEscalation Set secondary container's Security Context allowPrivilegeEscalation
  ## @param secondary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param secondary.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param secondary.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## MariaDB secondary container's resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param secondary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production).
  ##
  resourcesPreset: "small"
  ## @param secondary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure extra options for MariaDB Secondary containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param secondary.startupProbe.enabled Enable startupProbe
  ## @param secondary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param secondary.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param secondary.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param secondary.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param secondary.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 120
    periodSeconds: 15
    timeoutSeconds: 5
    failureThreshold: 10
    successThreshold: 1
  ## Configure extra options for liveness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param secondary.livenessProbe.enabled Enable livenessProbe
  ## @param secondary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param secondary.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param secondary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param secondary.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param secondary.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 120
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 3
    successThreshold: 1
  ## @param secondary.readinessProbe.enabled Enable readinessProbe
  ## @param secondary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param secondary.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param secondary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param secondary.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param secondary.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 3
    successThreshold: 1
  ## @param secondary.customStartupProbe Override default startup probe for MariaDB secondary containers
  ##
  customStartupProbe: {}
  ## @param secondary.customLivenessProbe Override default liveness probe for MariaDB secondary containers
  ##
  customLivenessProbe: {}
  ## @param secondary.customReadinessProbe Override default readiness probe for MariaDB secondary containers
  ##
  customReadinessProbe: {}
  ## @param secondary.startupWaitOptions Override default builtin startup wait check options for MariaDB secondary containers
  ## `iamguarded/mariadb` Docker image has built-in startup check mechanism,
  ## which periodically checks if MariaDB service has started up and stops it
  ## if all checks have failed after X tries. Use these to control these checks.
  ## Example (with default options):
  ## startupWaitOptions:
  ##   retries: 300
  ##   waitTime: 2
  ##
  startupWaitOptions: {}
  ## @param secondary.extraFlags MariaDB secondary additional command line flags
  ## Can be used to specify command line flags, for example:
  ## E.g.
  ## extraFlags: "--max-connect-errors=1000 --max_connections=155"
  ##
  extraFlags: ""
  ## @param secondary.extraEnvVars Extra environment variables to be set on MariaDB secondary containers
  ## E.g.
  ## extraEnvVars:
  ##   - name: TZ
  ##     value: "Europe/Paris"
  ##
  extraEnvVars: []
  ## @param secondary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for MariaDB secondary containers
  ##
  extraEnvVarsCM: ""
  ## @param secondary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MariaDB secondary containers
  ##
  extraEnvVarsSecret: ""
  ## Enable persistence using Persistent Volume Claims
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param secondary.persistence.enabled Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim`
    ##
    enabled: true
    ## @param secondary.persistence.subPath Subdirectory of the volume to mount at
    ##
    subPath: ""
    ## @param secondary.persistence.storageClass MariaDB secondary persistent volume storage Class
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner. (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param secondary.persistence.labels Labels for the PVC
    ##
    labels: {}
    ## @param secondary.persistence.annotations MariaDB secondary persistent volume claim annotations
    ##
    annotations: {}
    ## @param secondary.persistence.accessModes MariaDB secondary persistent volume access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param secondary.persistence.size MariaDB secondary persistent volume size
    ##
    size: 8Gi
    ## @param secondary.persistence.selector Selector to match an existing Persistent Volume
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
  ## @param secondary.extraVolumes Optionally specify extra list of additional volumes to the MariaDB secondary pod(s)
  ##
  extraVolumes: []
  ## @param secondary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s)
  ##
  extraVolumeMounts: []
  ## @param secondary.initContainers Add additional init containers for the MariaDB secondary pod(s)
  ##
  initContainers: []
  ## @param secondary.sidecars Add additional sidecar containers for the MariaDB secondary pod(s)
  ##
  sidecars: []
  ## MariaDB Secondary Service parameters
  ##
  service:
    ## @param secondary.service.type MariaDB secondary Kubernetes service type
    ##
    type: ClusterIP
    ports:
      ## @param secondary.service.ports.mysql MariaDB secondary Kubernetes service port for MariaDB
      ##
      mysql: 3306
      ## @param secondary.service.ports.metrics MariaDB secondary Kubernetes service port for metrics
      ##
      metrics: 9104
    ## @param secondary.service.nodePorts.mysql MariaDB secondary Kubernetes service node port
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
    ##
    nodePorts:
      mysql: ""
    ## @param secondary.service.clusterIP MariaDB secondary Kubernetes service cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param secondary.service.loadBalancerIP MariaDB secondary loadBalancerIP if service type is `LoadBalancer`
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
    ##
    loadBalancerIP: ""
    ## @param secondary.service.externalTrafficPolicy Enable client source IP preservation
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param secondary.service.loadBalancerSourceRanges Addresses that are allowed when MariaDB secondary service is LoadBalancer
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## E.g.
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param secondary.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
    ##
    extraPorts: []
    ## @param secondary.service.annotations Provide any additional annotations which may be required
    ##
    annotations: {}
    ## @param secondary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param secondary.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  ## MariaDB secondary Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  ##
  pdb:
    ## @param secondary.pdb.create Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods
    ##
    create: true
    ## @param secondary.pdb.minAvailable Minimum number/percentage of MariaDB secondary pods that should remain scheduled
    ##
    minAvailable: ""
    ## @param secondary.pdb.maxUnavailable Maximum number/percentage of MariaDB secondary pods that may be made unavailable. Defaults to `1` if both `secondary.pdb.minAvailable` and `secondary.pdb.maxUnavailable` are empty.
    ##
    maxUnavailable: ""
  ## @param secondary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet
  ##
  revisionHistoryLimit: 10
## @section RBAC parameters
##

## MariaDB pods ServiceAccount
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
  ## @param serviceAccount.create Enable the creation of a ServiceAccount for MariaDB pods
  ##
  create: true
  ## @param serviceAccount.name Name of the created ServiceAccount
  ## If not set and create is true, a name is generated using the mariadb.fullname template
  ##
  name: ""
  ## @param serviceAccount.annotations Annotations for MariaDB Service Account
  ##
  annotations: {}
  ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
  ##
  automountServiceAccountToken: false
## Role Based Access
## ref: https://kubernetes.io/docs/admin/authorization/rbac/
##
rbac:
  ## @param rbac.create Whether to create and use RBAC resources or not
  ##
  create: false
## @section Password update job
##
passwordUpdateJob:
  ## @param passwordUpdateJob.enabled Enable password update job
  ##
  enabled: false
  ## @param passwordUpdateJob.backoffLimit set backoff limit of the job
  ##
  backoffLimit: 10
  ## @param passwordUpdateJob.command Override default container command on MariaDB Primary container(s) (useful when using custom images)
  ##
  command: []
  ## @param passwordUpdateJob.args Override default container args on MariaDB Primary container(s) (useful when using custom images)
  ##
  args: []
  ## @param passwordUpdateJob.extraCommands Extra commands to pass to the generation job
  ##
  extraCommands: ""
  ## @param passwordUpdateJob.previousPasswords.rootPassword Previous root password (set if the password secret was already changed)
  ## @param passwordUpdateJob.previousPasswords.password Previous password (set if the password secret was already changed)
  ## @param passwordUpdateJob.previousPasswords.replicationPassword Previous replication password (set if the password secret was already changed)
  ## @param passwordUpdateJob.previousPasswords.existingSecret Name of a secret containing the previous passwords (set if the password secret was already changed)
  previousPasswords:
    rootPassword: ""
    password: ""
    replicationPassword: ""
    existingSecret: ""
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param passwordUpdateJob.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param passwordUpdateJob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param passwordUpdateJob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param passwordUpdateJob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param passwordUpdateJob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param passwordUpdateJob.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param passwordUpdateJob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param passwordUpdateJob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param passwordUpdateJob.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param passwordUpdateJob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param passwordUpdateJob.podSecurityContext.enabled Enabled credential init job pods' Security Context
  ## @param passwordUpdateJob.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param passwordUpdateJob.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param passwordUpdateJob.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param passwordUpdateJob.podSecurityContext.fsGroup Set credential init job pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## @param passwordUpdateJob.extraEnvVars Array containing extra env vars to configure the credential init job
  ## For example:
  ## extraEnvVars:
  ##   - name: GF_DEFAULT_INSTANCE_NAME
  ##     value: my-instance
  ##
  extraEnvVars: []
  ## @param passwordUpdateJob.extraEnvVarsCM ConfigMap containing extra env vars to configure the credential init job
  ##
  extraEnvVarsCM: ""
  ## @param passwordUpdateJob.extraEnvVarsSecret Secret containing extra env vars to configure the credential init job (in case of sensitive data)
  ##
  extraEnvVarsSecret: ""
  ## @param passwordUpdateJob.extraVolumes Optionally specify extra list of additional volumes for the credential init job
  ##
  extraVolumes: []
  ## @param passwordUpdateJob.extraVolumeMounts Array of extra volume mounts to be added to the jwt Container (evaluated as template). Normally used with `extraVolumes`.
  ##
  extraVolumeMounts: []
  ## @param passwordUpdateJob.initContainers Add additional init containers for the MariaDB Primary pod(s)
  ##
  initContainers: []
  ## Container resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param passwordUpdateJob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if passwordUpdateJob.resources is set (passwordUpdateJob.resources is recommended for production).
  ##
  resourcesPreset: "micro"
  ## @param passwordUpdateJob.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param passwordUpdateJob.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param passwordUpdateJob.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param passwordUpdateJob.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
## @param passwordUpdateJob.automountServiceAccountToken Mount Service Account token in pod
1309
##
1310
automountServiceAccountToken: false
1311
## @param passwordUpdateJob.hostAliases Add deployment host aliases
1312
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
1313
##
1314
hostAliases: []
1315
## @param passwordUpdateJob.annotations [object] Add annotations to the job
1316
##
1317
annotations: {}
1318
## @param passwordUpdateJob.podLabels Additional pod labels
1319
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
1320
##
1321
podLabels: {}
1322
## @param passwordUpdateJob.podAnnotations Additional pod annotations
1323
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
1324
##
1325
podAnnotations: {}
## @section Volume Permissions parameters
##

## Init containers parameters:
## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section.
##
volumePermissions:
  ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`
  ##
  enabled: false
  ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry
  ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository
  ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
  ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
  ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/os-shell-iamguarded
    tag: 1.0.0
    digest: ""
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
## @section Metrics parameters
##

## Mysqld Prometheus exporter parameters
##
metrics:
  ## @param metrics.enabled Start a side-car prometheus exporter
  ##
  enabled: false
  ## @param metrics.image.registry [default: REGISTRY_NAME] Exporter image registry
  ## @param metrics.image.repository [default: REPOSITORY_NAME/mysqld-exporter] Exporter image repository
  ## @skip metrics.image.tag Exporter image tag (immutable tags are recommended)
  ## @param metrics.image.digest Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param metrics.image.pullPolicy Exporter image pull policy
  ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/prometheus-mysqld-exporter-iamguarded
    tag: 0.18.0
    digest: ""
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param metrics.annotations [object] Annotations for the Exporter pod
  ##
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "9104"
  ## @param metrics.extraArgs [object] Extra args to be passed to mysqld_exporter
  ## ref: https://github.com/prometheus/mysqld_exporter/
  ## E.g.
  ## - --collect.auto_increment.columns
  ## - --collect.binlog_size
  ## - --collect.engine_innodb_status
  ## - --collect.engine_tokudb_status
  ## - --collect.global_status
  ## - --collect.global_variables
  ## - --collect.info_schema.clientstats
  ## - --collect.info_schema.innodb_metrics
  ## - --collect.info_schema.innodb_tablespaces
  ## - --collect.info_schema.innodb_cmp
  ## - --collect.info_schema.innodb_cmpmem
  ## - --collect.info_schema.processlist
  ## - --collect.info_schema.processlist.min_time
  ## - --collect.info_schema.query_response_time
  ## - --collect.info_schema.tables
  ## - --collect.info_schema.tables.databases
  ## - --collect.info_schema.tablestats
  ## - --collect.info_schema.userstats
  ## - --collect.perf_schema.eventsstatements
  ## - --collect.perf_schema.eventsstatements.digest_text_limit
  ## - --collect.perf_schema.eventsstatements.limit
  ## - --collect.perf_schema.eventsstatements.timelimit
  ## - --collect.perf_schema.eventswaits
  ## - --collect.perf_schema.file_events
  ## - --collect.perf_schema.file_instances
  ## - --collect.perf_schema.indexiowaits
  ## - --collect.perf_schema.tableiowaits
  ## - --collect.perf_schema.tablelocks
  ## - --collect.perf_schema.replication_group_member_stats
  ## - --collect.slave_status
  ## - --collect.slave_hosts
  ## - --collect.heartbeat
  ## - --collect.heartbeat.database
  ## - --collect.heartbeat.table
  ##
  extraArgs:
    primary: []
    secondary: []
  ## @param metrics.extraVolumeMounts [object] Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s)
  ##
  extraVolumeMounts:
    primary: []
    secondary: []
  ## @param metrics.containerPorts.http Container port for http
  ##
  containerPorts:
    http: 9104
  ## MariaDB metrics container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container
  ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param metrics.containerSecurityContext.runAsUser User ID for the MariaDB metrics container
  ## @param metrics.containerSecurityContext.runAsGroup Group ID for the MariaDB metrics container
  ## @param metrics.containerSecurityContext.runAsNonRoot Set metrics container's Security Context runAsNonRoot
  ## @param metrics.containerSecurityContext.privileged Set metrics container's Security Context privileged
  ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set metrics container's Security Context allowPrivilegeEscalation
  ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ## Example:
  ##   containerSecurityContext:
  ##     enabled: true
  ##     capabilities:
  ##       drop: ["NET_RAW"]
  ##     readOnlyRootFilesystem: true
  ##
  containerSecurityContext:
    enabled: false
    privileged: false
    runAsNonRoot: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## Mysqld Prometheus exporter resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure extra options for liveness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param metrics.livenessProbe.enabled Enable livenessProbe
  ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 120
    periodSeconds: 10
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 3
  ## Configure extra options for readiness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param metrics.readinessProbe.enabled Enable readinessProbe
  ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 3
  ## Prometheus Service Monitor
  ## ref: https://github.com/coreos/prometheus-operator
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
    ##
    enabled: false
    ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: ""
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
    ##
    interval: 30s
    ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
    ## e.g:
    ## scrapeTimeout: 30s
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
    ##
    honorLabels: false
    ## @param metrics.serviceMonitor.selector ServiceMonitor selector labels
    ##
    ## selector:
    ##   prometheus: my-prometheus
    ##
    selector: {}
    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
  ## Prometheus Operator PrometheusRule configuration
  ##
  prometheusRule:
    ## @param metrics.prometheusRule.enabled if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`)
    ##
    enabled: false
    ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
    ##
    namespace: ""
    ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
    ##
    additionalLabels: {}
    ## @param metrics.prometheusRule.rules Prometheus Rule definitions
    ##   - alert: MariaDB-Down
    ##     expr: absent(up{job="mariadb"} == 1)
    ##     for: 5m
    ##     labels:
    ##       severity: warning
    ##       service: mariadb
    ##     annotations:
    ##       message: 'MariaDB instance {{ `{{` }} $labels.instance {{ `}}` }} is down'
    ##       summary: MariaDB instance is down
    ##
    rules: []
## @section NetworkPolicy parameters
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
  ##
  enabled: true
  ## @param networkPolicy.allowExternal The Policy model to apply
  ## When set to false, only pods with the correct client label will have network access to the ports MariaDB is
  ## listening on. When true, MariaDB will accept connections from any source (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
  ##
  allowExternalEgress: true
  ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
  ## e.g:
  ## extraIngress:
  ##   - ports:
  ##       - port: 1234
  ##     from:
  ##       - podSelector:
  ##           matchLabels:
  ##             role: frontend
  ##       - podSelector:
  ##           matchExpressions:
  ##             - key: role
  ##               operator: In
  ##               values:
  ##                 - frontend
  ##
  extraIngress: []
  ## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
  ## e.g:
  ## extraEgress:
  ##   - ports:
  ##       - port: 1234
  ##     to:
  ##       - podSelector:
  ##           matchLabels:
  ##             role: frontend
  ##       - podSelector:
  ##           matchExpressions:
  ##             - key: role
  ##               operator: In
  ##               values:
  ##                 - frontend
  ##
  extraEgress: []
  ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
  ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
  ##
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}
