diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f5571529..a87e201f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -37,6 +37,9 @@ variables:
 GITHUB_REPO_URL:
 description: "The Github Repo URL for release-please, in the format of 'owner/repo'"
 value: "mendersoftware/mender-helm"
+ GITHUB_USER:
+ description: "The Github user for release-please"
+ value: "mender-test-bot"
 GITHUB_USER_NAME:
 description: "The Github username for release-please"
 value: "mender-test-bot"
@@ -65,14 +68,14 @@ stages:
 - version-bump
 include:
- - project: 'Northern.tech/Mender/mendertesting'
- file: '.gitlab-ci-check-commits-signoffs.yml'
- - project: 'Northern.tech/Mender/mendertesting'
- file: '.gitlab-ci-check-license.yml'
- - project: 'Northern.tech/Mender/mendertesting'
- file: '.gitlab-ci-github-status-updates.yml'
- - project: 'Northern.tech/Mender/mendertesting'
- file: '.gitlab-ci-check-helm-version-bump.yml'
+ - project: "Northern.tech/Mender/mendertesting"
+ file: ".gitlab-ci-check-commits-signoffs.yml"
+ - project: "Northern.tech/Mender/mendertesting"
+ file: ".gitlab-ci-check-license.yml"
+ - project: "Northern.tech/Mender/mendertesting"
+ file: ".gitlab-ci-github-status-updates.yml"
+ - project: "Northern.tech/Mender/mendertesting"
+ file: ".gitlab-ci-check-helm-version-bump.yml"
 .set_eks_helmci_vars: &set_eks_helmci_vars
 - export AWS_DEFAULT_REGION=eu-central-1
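Review bot: `GITHUB_USER` is added with the same value and an almost identical description as the existing `GITHUB_USER_NAME` three lines below, so the two variables are now easy to confuse and to let drift apart. If the included `mendertesting` templates switched to reading `GITHUB_USER`, it would be clearer to either drop `GITHUB_USER_NAME` or say in its description which template still consumes it, e.g. `description: "The Github username for release-please (legacy name, still read by <template>)"`. Which of the two names the included templates actually read is not visible from this diff. The enclosing `variables:` block begins before the hunk.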
@@ -87,6 +90,19 @@ include:
 --output text))
 - aws sts get-caller-identity
+.pre_helm_tests: &pre_helm_tests
+ - eksctl utils write-kubeconfig --cluster=${EKS_CLUSTER_NAME}
+ - kubectl create ns "${NAMESPACE}"
+ - kubectl config set-context --current --namespace="${NAMESPACE}"
+ - echo "INFO - installing helm from scratch"
+ - tests/ci-deps-k8s.sh
+ - |
+ kubectl create secret docker-registry my-mender-pull-secret \
+ --docker-username=${REGISTRY_MENDER_IO_USERNAME} \
+ --docker-password=${REGISTRY_MENDER_IO_PASSWORD} \
+ --docker-email=${REGISTRY_MENDER_IO_EMAIL} \
+ --docker-server=registry.mender.io
 build:setup_eks_cluster:
 image: ${PIPELINE_TOOLBOX_IMAGE}
 stage: .pre
@@ -148,7 +164,7 @@ build:
 before_script:
 - apt-get update -y
 - apt-get install -y curl make
- - curl -L https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | DESIRED_VERSION="v3.8.2" bash
+ - curl -L https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | DESIRED_VERSION="v3.10.2" bash
 script:
 - make lint
 - make package
@@ -157,8 +173,7 @@ build:
 paths:
 - mender-*.tgz
-.get_kubectl_and_tools: &get_kubectl_and_tools
- # Install kubectl
+.get_kubectl_and_tools: &get_kubectl_and_tools # Install kubectl
 - apt update && apt install -yyq curl
 - curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.23.6/bin/linux/amd64/kubectl
 - chmod +x ./kubectl
@@ -171,8 +186,8 @@ build:
 # Install kubectx
 - apt install -yyq kubectx
-.setup_eks_cluster_staging: &setup_eks_cluster_staging
- # Configure AWS CLI for staging cluster
+.setup_eks_cluster_staging:
+ &setup_eks_cluster_staging # Configure AWS CLI for staging cluster
 - *set_eks_helmci_vars
 - aws eks --region $CI_JOBS_AWS_REGION_STAGING update-kubeconfig --name $CI_JOBS_AWS_EKS_CLUSTER_NAME_STAGING
 - kubectl config set-context --current --namespace=mender-helm-tests
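Review bot: `kubectl create ns "${NAMESPACE}"` and `kubectl create secret docker-registry my-mender-pull-secret` in the new `.pre_helm_tests` anchor both exit non-zero with AlreadyExists when a job is retried or re-run against a namespace a previous run left behind, so the retry dies in `before_script` before producing any test output — unless a cleanup job not shown in this diff removes the namespace first. Piping through apply makes both steps safe to repeat: `kubectl create ns "${NAMESPACE}" --dry-run=client -o yaml | kubectl apply -f -`, and the same `--dry-run=client -o yaml | kubectl apply -f -` suffix on the secret command. Passing `--docker-password=${REGISTRY_MENDER_IO_PASSWORD}` as a command-line argument also exposes the registry credential in the runner's process table for the duration of the kubectl call; writing a `.dockerconfigjson` to a temporary file and using `--from-file` avoids that. The secret name `my-mender-pull-secret` has to match whatever `tests/values-helmci.yaml` sets for `default.imagePullSecrets` (not visible here), which deserves a comment on the anchor, e.g. `# name must match default.imagePullSecrets in tests/values-helmci.yaml`.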
@@ -205,32 +220,18 @@ test:helm_chart_install:
 aud: https://gitlab.com
 before_script:
 - *set_eks_helmci_vars
- - |
- eksctl utils write-kubeconfig --cluster=${EKS_CLUSTER_NAME}
- kubectl create ns "${NAMESPACE}"
- kubectl config set-context --current --namespace="${NAMESPACE}"
- - |
- echo "DEBUG - get kubectl nodes"
- kubectl config current-context
- kubectl get nodes
- - |
- echo "INFO - installing helm from scratch"
- tests/ci-deps-k8s.sh
+ - *pre_helm_tests
 script:
 - tests/ci-make-deps.sh
 - |
 echo "INFO - installing mender"
 source ./tests/variables.sh
 helm upgrade -i mender \
- -f mender/values.yaml \
- -f tests/keys.yaml \
 -f tests/values-helmci.yaml \
 --wait \
 --timeout=${HELM_UPGRADE_TIMEOUT:-15m} \
- --set global.image.username=${REGISTRY_MENDER_IO_USERNAME} \
- --set global.image.password="${REGISTRY_MENDER_IO_PASSWORD}" \
- --set global.s3.AWS_ACCESS_KEY_ID="${MINIO_accessKey}" \
- --set global.s3.AWS_SECRET_ACCESS_KEY="${MINIO_secretKey}" \
+ --set global.s3.AWS_ACCESS_KEY_ID="${SEAWEEDFS_ACCESS_KEY_ID}" \
+ --set global.s3.AWS_SECRET_ACCESS_KEY="${SEAWEEDFS_SECRET_ACCESS_KEY}" \
 --namespace "${NAMESPACE}" \
 ./mender || exit 3;
 - make test
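Review bot: `SEAWEEDFS_ACCESS_KEY_ID` and `SEAWEEDFS_SECRET_ACCESS_KEY` are presumably exported by the sourced `tests/variables.sh` (not visible here); if either is unset, `helm upgrade -i mender` still runs with empty S3 credentials and the failure only surfaces later as an S3 authentication error from the deployments service, far from its cause. A guard immediately after `source ./tests/variables.sh`, `: "${SEAWEEDFS_ACCESS_KEY_ID:?unset}" "${SEAWEEDFS_SECRET_ACCESS_KEY:?unset}"`, fails fast with a clear message. Values passed via `--set` are also persisted in plaintext in the Helm release secret and returned by `helm get values mender`, so the storage credentials now live in two objects in the namespace; that was already true for the MINIO values, but it is worth a comment now that the registry credentials were moved into a Kubernetes secret while these were not. Dropping `-f tests/keys.yaml` relies on the chart generating `device_auth.certs.key` and `useradm.certs.key` when absent, which the 6.0.0 changelog entry in this same commit states; the enclosing job `test:helm_chart_install:` starts before the hunk.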
@@ -254,25 +255,15 @@ test:helm_chart_install_sub_charts: - if: '$CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH == "master-next" || $RUN_HELM_CHART_INSTALL == "true" || $CI_COMMIT_TAG' variables: NAMESPACE: "mender-setup-test-sub-charts" - INSTALL_MINIO_DEP_ONLY: "true" + INSTALL_SEAWEEDFS_DEP_ONLY: "true" id_tokens: AWS_OIDC_TOKEN: aud: https://gitlab.com before_script: - *set_eks_helmci_vars - - | - eksctl utils write-kubeconfig --cluster=${EKS_CLUSTER_NAME} - kubectl create ns "${NAMESPACE}" - kubectl config set-context --current --namespace="${NAMESPACE}" - - | - echo "DEBUG - get kubectl nodes" - kubectl config current-context - kubectl get nodes - - | - echo "INFO - installing helm from scratch" - tests/ci-deps-k8s.sh + - *pre_helm_tests script: - - tests/ci-make-deps.sh $INSTALL_MINIO_DEP_ONLY + - tests/ci-make-deps.sh $INSTALL_SEAWEEDFS_DEP_ONLY - | kubectl apply -f - <= 3.7.0 +- Kubernetes 1.26+ +- Helm >= 3.10.0 +- Object storage (AWS S3, Azure Blob Storage, GCS, MinIO, SeaweedFS) -## External services required -This Helm chart does not install the following external services and dependencies which are required to run Mender: +## Object storage setup +Supported object storage services are: +* Amazon S3 +* Azure Blob Storage +* Google Cloud Storage +* Cloudflare R2 -- MinIO +You can also use other S3-compatible object storage services like MinIO or +SeaweedFS, for development and testing purposes only. -### Installing mongodb +Following some setup sample. Please refer to the official documentation of the +object storage service you are using for more information. -MongoDB is integrated as a sub-chart deployment: you can enable it with -the following settings: +### Amazon S3 -``` -mongodb: - enabled: true +Create a new bucket in Amazon S3, then a IAM user and its access key with +the proper permissions to access the bucket. 
+ +You can find the required permissions in the +[Requirements section](https://docs.mender.io/overview/requirements#amazon-s3-iam-policies) +of the official documentation. + +Then, export the following environment variables: -# or via the --set argument: ---set="mongodb.enabled=true" +```bash +export AWS_ACCESS_KEY_ID="replace-with-your-access-key-id" +export AWS_SECRET_ACCESS="replace-with-your-secret-access-key" +export AWS_REGION="replace-with-your-aws-region" +export STORAGE_BUCKET="replace-with-your-bucket-name" ``` -You can customize it by following the [provider's](https://artifacthub.io/packages/helm/bitnami/mongodb) -specifications. -It's recommended to use an external deployment in Production. +### SeaweedFS + +Alternatively to Amazon S3, you can install SeaweedFS, a compatible S3 +solution. -### Installing MinIO +**Important**: the following setup is intended for development +and testing purposes only. For production usage, it's recommended to use +an external object storage service like AWS S3 or Azure Blob Storage. -You can install MinIO using the official MinIO Helm chart using `helm`: +Installing SeaweedFS: ```bash -cat >minio-operator.yml <seaweedfs.yml <minio.yml <values.yaml < + hosts: + - ${MENDER_SERVER_DOMAIN} + tls: + - secretName: + hosts: + - ${MENDER_SERVER_DOMAIN} -# or via the --set argument: ---set="nats.enabled=true" -``` +api_gateway: + storage_proxy: + enabled: true + url: "${STORAGE_ENDPOINT}" + customRule: "PathRegexp(\`^/${STORAGE_BUCKET}\`)" -You can customize it by following the [provider's](https://docs.nats.io/running-a-nats-service/nats-kubernetes/helm-charts) -specifications. -It's recommended to use an external deployment in Production. +deployments: + customEnvs: + - name: DEPLOYMENTS_STORAGE_PROXY_URI + value: "${MENDER_SERVER_URL}" -## Installing the Chart +EOF +``` To install the chart with the release name `my-release` using `helm`: 
@@ -127,56 +148,11 @@ The command deploys Mender on the Kubernetes cluster in the default configuratio > **Tip**: List all releases using `helm list` -This is the minimum `values.yaml` file needed to install Mender: -```yaml -global: - image: - username: - password: - url: https://mender.example.com - -api_gateway: - certs: - cert: |- - -----BEGIN CERTIFICATE----- - MIIFcjCCBFq... - key: |- - -----BEGIN PRIVATE KEY----- - MIIEvgIBADA... - -device_auth: - certs: - key: |- - -----BEGIN RSA PRIVATE KEY----- - MIIEvgIBADA... - -tenantadm: - certs: - key: |- - -----BEGIN RSA PRIVATE KEY----- - MIIEvgIBADA... - -useradm: - certs: - key: |- - -----BEGIN RSA PRIVATE KEY----- - MIIEvgIBADA... -``` +## Upgrading from Helm Chart 5.x and Meneder Server 3.7.x -You can generate your `cert` and `key` for `api-gareway` using `openssl`: - -```bash -openssl req -x509 -sha256 -nodes -days 3650 -newkey ec:<(openssl ecparam -name prime256v1) -keyout private.key -out certificate.crt -subj /CN="your.host.name" -``` - -You can generate the RSA private keys for `device-auth`, `tenantadm` and `useradm` using `openssl`: - -```bash -openssl genpkey -algorithm RSA -out device_auth.key -pkeyopt rsa_keygen_bits:3072 -openssl rsa -in device_auth.key -out device_auth_converted.key -mv device_auth_converted.key device_auth.key -``` +Please refer to [this document](UPGRADE_from_v5_to_v6.md) for the upgrade +procedure details. ## Uninstalling the Chart diff --git a/UPGRADE_from_v5_to_v6.md b/UPGRADE_from_v5_to_v6.md new file mode 100644 index 00000000..ef51d2aa --- /dev/null +++ b/UPGRADE_from_v5_to_v6.md 
@@ -0,0 +1,213 @@ +# Upgrading from Helm Chart 5.x and Meneder Server 3.7.x + +With the latest changes in the Helm Chart for the Mender Server, +starting from version 4.0 of the Mender Server, we’ve made some important +architectural shifts that may impact the way you use the chart and configure +your deployments. These changes are meant to streamline the way +services are handled, improve security, and fix issues with +sub-chart compatibility. For this reason, we recommend that you review the +following upgrade advices. + +Until the helm chart version 5.x, the chart is compatible with both +Mender 3.6 and 3.7. Starting from Mender Server 4.0, you have to use at least the +chart version 6.0.x. + +## Before you start +Ensure you have the mender values file from the previous installation. +You will need it as a base for the new installation: + +```bash +cp mender-3.7.7.yml mender-values.yml +``` + +You can now start editing the `mender-values.yml` file with the following +changes. + +## Helm Chart v6.x.x deprecations + +### Global section deprecations +The `global` section is internally dedicated to the global configuration, +for sub-charts also. So we are moving the Mender resources from the `global` +key to the `default` key. For this reason, the `global.image` key is +moved to the `default.image` key: please make sure to comment out +your `global.image` key: +```yaml +global: + # image: + # tag: mender-3.7.7 +``` + +### New repositories location +Following a migration from multiple repositories to a single Monorepo, the +Container repositories has been moved to respect the new structure. +Additionally, the `mender-x.y` tag has been replaced with the `vx.y` tag. 
+* Enterprise registry: + From `registry.mender.io/mendersoftware/deployments-enterprise:mender-3.7` + to `registry.mender.io/mender-server-enterprise/deployments:v4.0` + +* Open Source registry: + From `docker.io/mendersoftware/deployments:mender-3.7` + to `docker.io/mendersoftware/deployments:v4.0` + +The new repository structure is already reflected in the default `values.yaml` +file; please make sure to not override it in your `mender-values.yaml` file. + +In more details, the services without the `-enterprise` suffix in the +base name has not changed. +For the Enterprise version, all the microservices are available in the +enterprise registry as opposed to previously where the opensource ones +were residing in the Docker Hub. + +### Drop the "mender-" prefix in the tags names +The new image tags drop the `mender-` prefix, so this is no longer valid: + +```yaml +# previous version no longer valid +global: + image: + tag: mender-3.7.7 +``` +Instead the new tag is simply `v4.0.0`: + +```yaml +# new version +default: + image: + tag: v4.0.0 +``` +The default values is handling this already, so you don't need to change it. 
+ +```yaml +global: +# image: + +default: +# image: +``` + + +### ImagePullSecrets instead cleartext credentials: +**Enterprise version only**: for improved security, the `global.image.username` +and `global.image.password` are deprecated in favor of `default:imagePullSecrets`: +with this new Helm Chart release, you have to manually create a new Docker +Registry secret, like this: +```bash +export MENDER_REGISTRY_USERNAME="replace-with-your-username" +export MENDER_REGISTRY_PASSWORD="replace-with-your-password" +export MENDER_REGISTRY_EMAIL="replace-with-your-email" + +kubectl create secret docker-registry my-mender-pull-secret \ + --docker-username=${MENDER_REGISTRY_USERNAME} \ + --docker-password=${MENDER_REGISTRY_PASSWORD} \ + --docker-email=${MENDER_REGISTRY_EMAIL} \ + --docker-server=registry.mender.io +``` +and reference it in the `mender-values.yaml` file: + +```yaml +global: + # image: + # username: "redacted" + # password: "redacted" +default: + imagePullSecrets: + - name: my-mender-pull-secret +``` + +### Rootless gui container +For improved security, the `gui` container is now rootles; this means that +the `gui.httpPort` is switched from `80` to the unprivileged `8090` port. +Make sure you are not overriding the `gui.httpPort` in your +`mender-values.yaml` file. + +### Service Keys automatically generated +You can choose to specify the `device_auth.certs.key`, +`useradm.certs.key`, and `tenantadm.certs.key` keys in +the `mender-values.yaml` file, but it is not mandatory anymore. +If you don't specify them, the Helm Chart will generate them for you. 
+ +### NATS and MongoDB subcharts enabled by default +To facilitate the first Helm Chart installation, the MongoDB and NATS +subcharts are enabled by default: +```yaml +mongodb: + enabled: true + +nats: + enabled: true +``` +If you are using an external MongoDB or NATS instance, please make sure to +explicitly disable them before the upgrade: +```yaml +mongodb: + enabled: false + +nats: + enabled: false +``` + +### Redis subchart disabled by default +The Redis subchart is disabled by default, because not used in the Open +Source version. If you want to use it in the Enterprise version, please +make sure to enable it: +```yaml +redis: + enabled: true +``` + +### Enterprise false by default +The Enterprise version is disabled by default. If you are using it, please +make sure to enable it: +```yaml +global: + enterprise: true +``` + +### Storage Proxy enabled by default +By default, the Storage Proxy is enabled. If you don't want to use it, please +restore the previous configuration: +```yaml +api_gateway: + storage_proxy: + enabled: false + +deployments: + customEnvs: [] +``` + +But if you want to use it, you have to set the `DEPLOYMENTS_STORAGE_PROXY_URI` +environment variable to the URL exposed, the bucket name in the +API Gateway configuration, and the `s3.AWS_URI` to the storage endpoint: +```yaml +global: + s3: + AWS_URI: "${STORAGE_ENDPOINT:?must be set to your bucket endpoint URL}" + AWS_FORCE_PATH_STYLE: "true" + +api_gateway: + storage_proxy: + enabled: true + url: "${STORAGE_ENDPOINT}" + customRule: "PathRegexp(`^/${STORAGE_BUCKET:?must be set to your bucket name}`)" + passHostHeader: false + +deployments: + customEnvs: + - name: DEPLOYMENTS_STORAGE_PROXY_URI + value: "https://${MENDER_SERVER_DOMAIN:?must be set to your server domain}" +``` + +where: +* `MENDER_SERVER_DOMAIN` is the domain of the Mender Server, e.g: + `mender.example.com` +* `STORAGE_ENDPOINT` is the endpoint of the storage, e.g: + `https://s3.${AWS_REGION}.amazonaws.com` +* `AWS_BUCKET` 
is the name of the bucket, e.g: `mender-artifacts` + + +## Upgrade procedure +Now you can upgrade the Helm Chart: + +```bash +helm upgrade my-release -f values.yaml ./mender +``` diff --git a/mender/CHANGELOG.md b/mender/CHANGELOG.md index 5e2cce73..d2e7dde2 100644 --- a/mender/CHANGELOG.md +++ b/mender/CHANGELOG.md 
@@ -1,265 +1,37 @@ # Mender Helm chart -## 5.11.0 - 2024-10-14 - - -### Bug Fixes - - -- Traefik container ports optionals([MEN-7595](https://northerntech.atlassian.net/browse/MEN-7595)) ([12dc357](https://github.com/mendersoftware/mender-helm/commit/12dc357184f39edf878105f4cde2787dbcd1b0b7)) by @oldgiova - You can choose to not to set either httpPort or httpsPort in the - api_gateway, to prevent upload timeout with the Mender Cli, as reported - by customers. - - -### Features - - -- Add gui hpa ([8f6d9f4](https://github.com/mendersoftware/mender-helm/commit/8f6d9f46c0c9db16939a8c851ed4bda21e7ca5f3)) by @oldgiova - Added Horizontal Pod Autoscaler resource to the gui container, to scale - it automatically when the service experiences more load. - - -## Version 5.10.1 -* Fix invalid regexp in default storage proxy rule. - -## Version 5.10.0 -* Change `generate_delta_worker` to StatefulSet and add `persistence` values - * The new `persistence` values specifies the parameters of the PVC template of - the statefulset. -* Upgrade Traefik to v3.1.2 -* Upgrade to Mender version `3.7.7` - -## Version 5.9.4 -* Update default traefik tag to v2.11.6 - -## Version 5.9.3 -* Update default value `auditlogs.logRetentionSeconds` to `7776000` (90 days) - -## Version 5.9.2 -* Fix: generate delta worker mongodb secret when using an external secret and - the mongodb subchart is enabled. - -## Version 5.9.1 -* Upgrade to Mender version `3.7.5` - -## Version 5.9.0 -* Added `pdb.maxUnavailable` option. -* Added `deviceconnect` PodDisruptionBudget - -## Version 5.8.3 -* Fix: correctly setup the Integration Version. - -## Version 5.8.2 -* Fix: correctly setup the Mender Version in the iot-manager service. - -## Version 5.8.1 -* Fix: managing redis connection string in the `deployments` service, when using an external Redis. - -## Version 5.8.0 -* Added helm chart tests. 
-* Default `updateStrategy.rollingUpdate.maxUnavailable` to 0 to complete the helm upgrade with - all the services running. -* Removed `helm.sh/chart` annotation to avoid a full restart every release. -* Added Redis to the Deployments service - -## Version 5.7.1 -* Fix: skipping smtp secret creation when using `global.smtp.existingSecret`. -* Fix: the NATS image were not aligned with the subchart version - -## Version 5.7.0 -* `generate_delta_worker`: don't enforce tags for the image. -* Added `api_gateway.accesslogs` parameter to enable/disable access logs. -* Bump traefik image to v2.11.2 -* Move from megabytes to mebibytes for consistency. -* Added `inventory.mongodbExistingSecret` to override the default MongoDB secret. -* Not using `HAVE_ENTERPRISE` when in hosted mode. -* Added `podMonitor` resource for monitoring the `api-gateway` service (Traefik metrics). -* Allow overriding fullname (thanks @ignatiusreza) -* Removed unused `mender.name` function. -* Added `probesOverrides` to override the default timeout for readiness and liveness probes. -* Fix naming problem in templates using api_gateway and NodePort (thanks @j-rivero) - -## Version 5.6.2 -* Upgrade to Mender version `3.7.4`. - -## Version 5.6.1 -* Upgrade NATS to version `2.9.20` with the subchart `0.19.17`. - -## Version 5.6.0 -* MongoDB sub-chart - * Bump chart version to 13.18.5 - * Bump app version to MongoDB 6.0 (tag: `6.0.13`) -* Upgrade to Mender version `3.7.3`. - -> If your running an existing cluster with MongoDB 5.0, we recommend following -> the upgrade procedure from the -> [official documentation](https://www.mongodb.com/docs/manual/release-notes/6.0-upgrade-replica-set/). 
- -## 5.5.4 -* fix malformed Authorization header when authRateLimit is set -* Bump traefik image to v2.11.0 - -## 5.5.3 -* create artifact worker: change container name from workflows -* generate delta worker: change container name from workflows -* fix devicemonitor env variables -* IoT Manager: added support for an external secret containing an AES encryption key -* Workflows: added support for custom secret file mounted as a volume - -## 5.5.2 -* Upgrade to Mender version `3.7.2`. -* By default, `automigrate` is set to `false` for the generate delta worker and the create artifac worker services: - the migrations are performed by migration jobs. - -## 5.5.1 -* Fix NATS address when `global.nats.existingSecret` is defined -* Fix indent issue when using multiple custom imagePullSecrets -* Fix artifact storage secret for the Deployments storage daemon - when using an existing external secret -* Forcing Traefik `passHostHeader` option to `false` when using the `api_gateway.storage_proxy` -* Added `referrerPolicy: "no-referrer"` by default in Traefik -* Bump to traefik `2.10.7` -* feat: support for X-MEN-RBAC-Releases-Tags -* feat: support for custom updateStrategy -* fix missing auditlog variable in the device auth service -* fix Redis environment variables when using an external Redis -* Added `global.redis.existingSecret` option - -## 5.5.0 -* Fix mongodb uri creation when using the mongodb subchart and replicast architecture -* Added customEnv option to set default or per-service custom env variables -* Added generic `storage_proxy` service, that could - work for both minio and Amazon S3, and it's going to replace the `api_gateway.minio` configuration. -* Add OpenID Connect authentication API to user authentication routes in the gateway. -* **Deprecations**: - * `api_gateway.minio` is deprecated in favor of `api_gateway.storage_proxy`. - This entry could be used, but it is no longer maintained, and could be removed - in future releases. 
- **How to upgrade**: - * set `api_gateway.minio.enabled=false` - * set `api_gateway.storage_proxy.enabled=true` - * set `api_gateway.storage_proxy.url` to the external storage url that you want to map externally. For example `https://fleetstorage.example.com`. - If you leave it empty, it uses the Amazon S3 external URL. - - -## Version 5.4.1 -* Upgrade to Mender version `3.7.1`. -* Removed useless variables from the gui container. -* Added custom service account support (thanks @bdomars) - -## Version 5.4.0 -* Upgrade to Mender version `3.7.0`. -* Update the Redis settings to use a connection string, required by Mender 3.7.0 -* **Deprecations**: - * `global.redis.username` and `global.redis.password` are deprecated in Mender 3.7.0. - Use redis connection string format in the `global.redis.URL`: - * Standalone mode: - ``` - (redis|rediss|unix)://[:@](|)[:[/]][?option=value] - ``` - * Cluster mode: - ``` - (redis|rediss|unix)[+srv]://[:@][,[,...]][:][?option=value] - ``` - * `device_auth.env.DEVICEAUTH_REDIS_DB`: use the new redis connection string format instead. - * `device_auth.env.DEVICEAUTH_REDIS_TIMEOUT_SEC`: use the new redis connection string format instead. - * `device_auth.env.USERADM_REDIS_DB`: use the new redis connection string format instead. - * `device_auth.env.USERADM_REDIS_TIMEOUT_SEC`: use the new redis connection string format instead. - -## Version 5.3.0 -* Split single db-migration job into multiple jobs -* Traefik updated to `v2.10.5` -* Upgrade to Mender version `3.6.3`. - -## Version 5.2.6 -* Add graceful shutdown for deviceconnect, defaults to `60s`. 
-* Fix: indent cronjob annotations correctly (thanks @vphoikka) - -## Version 5.2.5 -* Added support to external Image Pull Secrets -* Added support to extraArgs to the `api_gateway` service -* Traefik updated to `v2.10.4` -* You can now add pre-existing `priorityClassName` to the resources -* Added PodDisruptionBudget resources to the most critical services -* Added option to use existing secrets for certificates (thanks @bdomars) -* Allow to use external secrets for NATS, MongoDB, and S3 (thanks @benjamin-texier) - -## Version 5.2.4 -* Added HPA to the most critical services -* Reorganized `templates` directory with service subfolders -* Fixed an issue with automigrate: false - -## Version 5.2.3 -* `gui` service: added option for the error server block -* Upgrade to Mender version `3.6.2`. - -## Version 5.2.2 -* Added the `deployments.directUpload.skipVerify` parameter, defaults to `false`. -* Fix: use the `deployments.directUpload.jitter` parameter in the deployments-storage-daemon cronjob. - -## Version 5.2.1 -* Upgrade to Mender version `3.6.1`. - -## Version 5.2.0 -* MongoDB sub-chart - * Bump app version to MongoDB 5.0 (tag: `5.0.19-debian-11-r13`) - * Set default update strategy - * Set default Pod Disruption Budget - -> If your running an existing cluster with MongoDB 4.4, we recommend following -> the upgrade procedure from the -> [official documentation](https://www.mongodb.com/docs/manual/release-notes/5.0-upgrade-replica-set/). - -## Version 5.1.0 -* Upgrade to Mender version `3.6.0`. -* Added `auditlogs.logRetentionSeconds` conf parameter for tuning auditlog settings -* Added Mender Ingress Resource -* **BREAKING CHANGES**: - * This version of the Helm chart is not compatible with Mender versions older than `3.6.0`. 
-* Added optional `api_gateway.compression` parameter for Traefik compression -* Added optional `api_gateway.security_redirect` parameter to add a custom redirection to a company security policy -* Added optional `api_gateway.minio.customRule` to custom redirects -* Added optional `api_gateway.authRateLimit` as a custom ratelimit for Auth module only -* Added `contentTypeNosniff` to the Traefik configuration -* Fix: missing WORKFLOWS_NATS_URI in the db-migration-job - -## Version 5.0.3 -* Fix: using the correct variables for useradm auditlogs settings - -## Version 5.0.2 -* Fix: always using the redis `master` address instead of the `headless` one, which leads to sporadic errors in writing when you have replicas in place. - -## Version 5.0.1 -* Fix: workaround for a [known issue](https://github.com/bitnami/charts/issues/10843) with `bitnami/mongodb` when replicaset and auth are enabled - -## Version 5.0.0 -* **BREAKING CHANGES**: - * Switch Redis service to an optional sub Chart: now Redis is a global - service: the same Redis Cluster is used by both `useradm` and `device-auth` - services. You cannot use two different Redis Clusters. - It's recommended to use an external Redis Cluster in Production, instead - of the integrated sub-chart, which is enabled by default. -* Added Chart Name prefix to the Resource names -* Switch MongoDB service to optional sub Chart -* Switch NATS service to optional sub Chart - -## Version 4.0.3 -* [fix: issues with Amazon S3 artifact storage](https://northerntech.atlassian.net/browse/MEN-6482) - -## Version 4.0.2 -* [fix: device-auth-license-count ImagePullBackOff](https://github.com/mendersoftware/mender-helm/pull/151) - -## Version 4.0.1 -* Using global `registry.image.tag` instead of specifying it in every deployment - -## Version 4.0.0 -* **BREAKING CHANGE**: drop Helm v2 support: bump Helm ApiVersion to v2. 
-* Decoupling Helm Chart version (`version: 4.0.0`) from Mender version (`appVersion: "3.4.0"`): from now on, they can be updated independently. -* Secret `s3-artifacts` renamed to `artifacts-storage` -* Fixed variables for the `smtp` secret -* Changed `api-gateway` container ports from `80-443` to `9080-9443` -* Added `deployments-storage-daemon` cronjob -* Added `device-auth-license-count` cronjob -* Added Security Context -* Added Helm Chart Hooks: it runs db migration before the a Helm upgrade/install. +## Version 6.0.0 + +- **BREAKING** Incompatible with mender-server < v4.0 +- **BREAKING** Update docker image references to follow new repository scheme + - Default registry is inferred from value `global.enterprise` + - If true: registry.mender.io/mender-server-enterprise + - If false: docker.io/mendersoftware + - Default tag follows {{ Chart.AppVersion }} (starting from v4.0.0) + - Enterprise Docker repository changed to registry.mender.io/mender-server-enterprise + - Changes to enterprise images: + - registry.mender.io/mendersoftware/deployments-enterprise -> registry.mender.io/mender-server-enterprise/deployments + - registry.mender.io/mendersoftware/deviceauth-enterprise -> registry.mender.io/mender-server-enterprise/deviceauth + - registry.mender.io/mendersoftware/inventory-enterprise -> registry.mender.io/mender-server-enterprise/inventory + - registry.mender.io/mendersoftware/useradm-enterprise -> registry.mender.io/mender-server-enterprise/useradm + - registry.mender.io/mendersoftware/workflows-enterprise -> registry.mender.io/mender-server-enterprise/workflows + - workflows-worker and workflows-server uses the same image + - docker.io/mendersoftware/workflows-worker -> docker.io/mendersoftware/workflows + - registry.mender.io/mendersoftware/workflows-enterprise-worker -> registry.mender.io/mender-server-enterprise/workflows +- **DEPRECATION** `global.image` value is now deprecated and scheduled for removal + - The new `default.image` is used as default 
image for all Mender components + - `global.image.username` and `global.image.password` is deprecated and scheduled for removal + - Superseded by `default.imagePullSecrets` +- All default values for service level `image` values have been unset + - The image is resolved from `default.image` +- `tenantadm.certs.key` is no longer required. +- Autogenerate missing required secrets. + - `device_auth.certs.key` and `useradm.certs.key` are automatically generated if value is missing. +- Changed gui httpPort default from privileged 80 to unpriviliged 8090 +- Changed default `api_gateway.env.SSL` to `false` +- Changed default `global.enterprise` to `false` +- Removed deprecated redis configurations + - `redis.username`, `redis.password`, `redis.addr` + - These have all been replaced by the redis connection string format: + - `redis://:@addr[/]` +- Requires helm >= 3.10.0 diff --git a/mender/CHANGELOG_v4.x_v5.x.md b/mender/CHANGELOG_v4.x_v5.x.md new file mode 100644 index 00000000..ef772c8b --- /dev/null +++ b/mender/CHANGELOG_v4.x_v5.x.md 
@@ -0,0 +1,263 @@ +# Mender Helm chart + +## 5.11.0 - 2024-10-14 + + +### Bug Fixes + +- Traefik container ports optionals([MEN-7595](https://northerntech.atlassian.net/browse/MEN-7595)) ([12dc357](https://github.com/mendersoftware/mender-helm/commit/12dc357184f39edf878105f4cde2787dbcd1b0b7)) by @oldgiova + You can choose to not to set either httpPort or httpsPort in the + api_gateway, to prevent upload timeout with the Mender Cli, as reported + by customers. + + +### Features + +- Add gui hpa ([8f6d9f4](https://github.com/mendersoftware/mender-helm/commit/8f6d9f46c0c9db16939a8c851ed4bda21e7ca5f3)) by @oldgiova + Added Horizontal Pod Autoscaler resource to the gui container, to scale + it automatically when the service experiences more load. + + +## Version 5.10.1 +* Fix invalid regexp in default storage proxy rule. + +## Version 5.10.0 +* Change `generate_delta_worker` to StatefulSet and add `persistence` values + * The new `persistence` values specifies the parameters of the PVC template of + the statefulset. +* Upgrade Traefik to v3.1.2 +* Upgrade to Mender version `3.7.7` + +## Version 5.9.4 +* Update default traefik tag to v2.11.6 + +## Version 5.9.3 +* Update default value `auditlogs.logRetentionSeconds` to `7776000` (90 days) + +## Version 5.9.2 +* Fix: generate delta worker mongodb secret when using an external secret and + the mongodb subchart is enabled. + +## Version 5.9.1 +* Upgrade to Mender version `3.7.5` + +## Version 5.9.0 +* Added `pdb.maxUnavailable` option. +* Added `deviceconnect` PodDisruptionBudget + +## Version 5.8.3 +* Fix: correctly setup the Integration Version. + +## Version 5.8.2 +* Fix: correctly setup the Mender Version in the iot-manager service. + +## Version 5.8.1 +* Fix: managing redis connection string in the `deployments` service, when using an external Redis. + +## Version 5.8.0 +* Added helm chart tests. +* Default `updateStrategy.rollingUpdate.maxUnavailable` to 0 to complete the helm upgrade with + all the services running. 
+* Removed `helm.sh/chart` annotation to avoid a full restart every release. +* Added Redis to the Deployments service + +## Version 5.7.1 +* Fix: skipping smtp secret creation when using `global.smtp.existingSecret`. +* Fix: the NATS image were not aligned with the subchart version + +## Version 5.7.0 +* `generate_delta_worker`: don't enforce tags for the image. +* Added `api_gateway.accesslogs` parameter to enable/disable access logs. +* Bump traefik image to v2.11.2 +* Move from megabytes to mebibytes for consistency. +* Added `inventory.mongodbExistingSecret` to override the default MongoDB secret. +* Not using `HAVE_ENTERPRISE` when in hosted mode. +* Added `podMonitor` resource for monitoring the `api-gateway` service (Traefik metrics). +* Allow overriding fullname (thanks @ignatiusreza) +* Removed unused `mender.name` function. +* Added `probesOverrides` to override the default timeout for readiness and liveness probes. +* Fix naming problem in templates using api_gateway and NodePort (thanks @j-rivero) + +## Version 5.6.2 +* Upgrade to Mender version `3.7.4`. + +## Version 5.6.1 +* Upgrade NATS to version `2.9.20` with the subchart `0.19.17`. + +## Version 5.6.0 +* MongoDB sub-chart + * Bump chart version to 13.18.5 + * Bump app version to MongoDB 6.0 (tag: `6.0.13`) +* Upgrade to Mender version `3.7.3`. + +> If your running an existing cluster with MongoDB 5.0, we recommend following +> the upgrade procedure from the +> [official documentation](https://www.mongodb.com/docs/manual/release-notes/6.0-upgrade-replica-set/). 
+ +## 5.5.4 +* fix malformed Authorization header when authRateLimit is set +* Bump traefik image to v2.11.0 + +## 5.5.3 +* create artifact worker: change container name from workflows +* generate delta worker: change container name from workflows +* fix devicemonitor env variables +* IoT Manager: added support for an external secret containing an AES encryption key +* Workflows: added support for custom secret file mounted as a volume + +## 5.5.2 +* Upgrade to Mender version `3.7.2`. +* By default, `automigrate` is set to `false` for the generate delta worker and the create artifac worker services: + the migrations are performed by migration jobs. + +## 5.5.1 +* Fix NATS address when `global.nats.existingSecret` is defined +* Fix indent issue when using multiple custom imagePullSecrets +* Fix artifact storage secret for the Deployments storage daemon + when using an existing external secret +* Forcing Traefik `passHostHeader` option to `false` when using the `api_gateway.storage_proxy` +* Added `referrerPolicy: "no-referrer"` by default in Traefik +* Bump to traefik `2.10.7` +* feat: support for X-MEN-RBAC-Releases-Tags +* feat: support for custom updateStrategy +* fix missing auditlog variable in the device auth service +* fix Redis environment variables when using an external Redis +* Added `global.redis.existingSecret` option + +## 5.5.0 +* Fix mongodb uri creation when using the mongodb subchart and replicast architecture +* Added customEnv option to set default or per-service custom env variables +* Added generic `storage_proxy` service, that could + work for both minio and Amazon S3, and it's going to replace the `api_gateway.minio` configuration. +* Add OpenID Connect authentication API to user authentication routes in the gateway. +* **Deprecations**: + * `api_gateway.minio` is deprecated in favor of `api_gateway.storage_proxy`. + This entry could be used, but it is no longer maintained, and could be removed + in future releases. 
+ **How to upgrade**: + * set `api_gateway.minio.enabled=false` + * set `api_gateway.storage_proxy.enabled=true` + * set `api_gateway.storage_proxy.url` to the external storage url that you want to map externally. For example `https://fleetstorage.example.com`. + If you leave it empty, it uses the Amazon S3 external URL. + + +## Version 5.4.1 +* Upgrade to Mender version `3.7.1`. +* Removed useless variables from the gui container. +* Added custom service account support (thanks @bdomars) + +## Version 5.4.0 +* Upgrade to Mender version `3.7.0`. +* Update the Redis settings to use a connection string, required by Mender 3.7.0 +* **Deprecations**: + * `global.redis.username` and `global.redis.password` are deprecated in Mender 3.7.0. + Use redis connection string format in the `global.redis.URL`: + * Standalone mode: + ``` + (redis|rediss|unix)://[:@](|)[:[/]][?option=value] + ``` + * Cluster mode: + ``` + (redis|rediss|unix)[+srv]://[:@][,[,...]][:][?option=value] + ``` + * `device_auth.env.DEVICEAUTH_REDIS_DB`: use the new redis connection string format instead. + * `device_auth.env.DEVICEAUTH_REDIS_TIMEOUT_SEC`: use the new redis connection string format instead. + * `device_auth.env.USERADM_REDIS_DB`: use the new redis connection string format instead. + * `device_auth.env.USERADM_REDIS_TIMEOUT_SEC`: use the new redis connection string format instead. + +## Version 5.3.0 +* Split single db-migration job into multiple jobs +* Traefik updated to `v2.10.5` +* Upgrade to Mender version `3.6.3`. + +## Version 5.2.6 +* Add graceful shutdown for deviceconnect, defaults to `60s`. 
+* Fix: indent cronjob annotations correctly (thanks @vphoikka) + +## Version 5.2.5 +* Added support to external Image Pull Secrets +* Added support to extraArgs to the `api_gateway` service +* Traefik updated to `v2.10.4` +* You can now add pre-existing `priorityClassName` to the resources +* Added PodDisruptionBudget resources to the most critical services +* Added option to use existing secrets for certificates (thanks @bdomars) +* Allow to use external secrets for NATS, MongoDB, and S3 (thanks @benjamin-texier) + +## Version 5.2.4 +* Added HPA to the most critical services +* Reorganized `templates` directory with service subfolders +* Fixed an issue with automigrate: false + +## Version 5.2.3 +* `gui` service: added option for the error server block +* Upgrade to Mender version `3.6.2`. + +## Version 5.2.2 +* Added the `deployments.directUpload.skipVerify` parameter, defaults to `false`. +* Fix: use the `deployments.directUpload.jitter` parameter in the deployments-storage-daemon cronjob. + +## Version 5.2.1 +* Upgrade to Mender version `3.6.1`. + +## Version 5.2.0 +* MongoDB sub-chart + * Bump app version to MongoDB 5.0 (tag: `5.0.19-debian-11-r13`) + * Set default update strategy + * Set default Pod Disruption Budget + +> If your running an existing cluster with MongoDB 4.4, we recommend following +> the upgrade procedure from the +> [official documentation](https://www.mongodb.com/docs/manual/release-notes/5.0-upgrade-replica-set/). + +## Version 5.1.0 +* Upgrade to Mender version `3.6.0`. +* Added `auditlogs.logRetentionSeconds` conf parameter for tuning auditlog settings +* Added Mender Ingress Resource +* **BREAKING CHANGES**: + * This version of the Helm chart is not compatible with Mender versions older than `3.6.0`. 
+* Added optional `api_gateway.compression` parameter for Traefik compression +* Added optional `api_gateway.security_redirect` parameter to add a custom redirection to a company security policy +* Added optional `api_gateway.minio.customRule` to custom redirects +* Added optional `api_gateway.authRateLimit` as a custom ratelimit for Auth module only +* Added `contentTypeNosniff` to the Traefik configuration +* Fix: missing WORKFLOWS_NATS_URI in the db-migration-job + +## Version 5.0.3 +* Fix: using the correct variables for useradm auditlogs settings + +## Version 5.0.2 +* Fix: always using the redis `master` address instead of the `headless` one, which leads to sporadic errors in writing when you have replicas in place. + +## Version 5.0.1 +* Fix: workaround for a [known issue](https://github.com/bitnami/charts/issues/10843) with `bitnami/mongodb` when replicaset and auth are enabled + +## Version 5.0.0 +* **BREAKING CHANGES**: + * Switch Redis service to an optional sub Chart: now Redis is a global + service: the same Redis Cluster is used by both `useradm` and `device-auth` + services. You cannot use two different Redis Clusters. + It's recommended to use an external Redis Cluster in Production, instead + of the integrated sub-chart, which is enabled by default. +* Added Chart Name prefix to the Resource names +* Switch MongoDB service to optional sub Chart +* Switch NATS service to optional sub Chart + +## Version 4.0.3 +* [fix: issues with Amazon S3 artifact storage](https://northerntech.atlassian.net/browse/MEN-6482) + +## Version 4.0.2 +* [fix: device-auth-license-count ImagePullBackOff](https://github.com/mendersoftware/mender-helm/pull/151) + +## Version 4.0.1 +* Using global `registry.image.tag` instead of specifying it in every deployment + +## Version 4.0.0 +* **BREAKING CHANGE**: drop Helm v2 support: bump Helm ApiVersion to v2. 
+* Decoupling Helm Chart version (`version: 4.0.0`) from Mender version (`appVersion: "3.4.0"`): from now on, they can be updated independently. +* Secret `s3-artifacts` renamed to `artifacts-storage` +* Fixed variables for the `smtp` secret +* Changed `api-gateway` container ports from `80-443` to `9080-9443` +* Added `deployments-storage-daemon` cronjob +* Added `device-auth-license-count` cronjob +* Added Security Context +* Added Helm Chart Hooks: it runs db migration before the a Helm upgrade/install. diff --git a/mender/Chart.yaml b/mender/Chart.yaml index e7ec0bae..ff4231f7 100644 --- a/mender/Chart.yaml +++ b/mender/Chart.yaml @@ -1,9 +1,8 @@ apiVersion: v2 -appVersion: "3.7.7" -description: Mender is a robust and secure way to update all your software and - deploy your IoT devices at scale with support for customization +appVersion: v4.0.0 +description: Mender is a robust and secure way to update all your software and deploy your IoT devices at scale with support for customization name: mender -version: 5.11.0 +version: 6.0.0 keywords: - mender - iot diff --git a/mender/templates/NOTES.txt b/mender/templates/NOTES.txt index eab271bd..711445bb 100644 --- a/mender/templates/NOTES.txt +++ b/mender/templates/NOTES.txt @@ -1,5 +1,5 @@ -Mender v{{ trimPrefix "mender-" .Values.global.image.tag }} has been deployed! +Mender helm {{ .Chart.Version }} has been deployed! Thank you for using Mender. Release name: {{ .Release.Name }} diff --git a/mender/templates/_helpers.tpl b/mender/templates/_helpers.tpl index 715e7fff..a3ed57ad 100644 --- a/mender/templates/_helpers.tpl +++ b/mender/templates/_helpers.tpl 
@@ -86,7 +86,7 @@ Redis connection string MongoDB URI */}} {{- define "mongodb_uri" }} - {{- if and .Values.mongodb.enabled ( not .Values.global.mongodb.URL ) }} + {{- if and .Values.mongodb.enabled }} {{- if and (eq .Values.mongodb.architecture "replicaset") .Values.mongodb.externalAccess.enabled (eq .Values.mongodb.externalAccess.service.type "ClusterIP") }} {{- if and .Values.mongodb.auth.enabled .Values.mongodb.auth.rootPassword }} {{- printf "mongodb://root:%s@%s-0" .Values.mongodb.auth.rootPassword ( include "mongodb.fullname" .Subcharts.mongodb ) | b64enc | quote -}} 
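Review bot: Dropping `( not .Values.global.mongodb.URL )` from the condition means an explicitly configured `global.mongodb.URL` is now silently ignored whenever the mongodb subchart is enabled, whereas before the external URL took precedence over the subchart-derived URI. If that precedence change is intended it belongs in the 6.0.0 breaking-changes list; otherwise restore the guard as `{{- if and .Values.mongodb.enabled (not .Values.global.mongodb.URL) }}`. As written, `and` with a single operand is legal but reads like an unfinished edit, so at minimum reduce it to `{{- if .Values.mongodb.enabled }}`. The rest of the `mongodb_uri` definition lies outside the hunk.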
@@ -233,54 +233,95 @@ spec: {{- printf "%s-%s" ( include "mender.fullname" .dot ) .component }} {{- end }} -{{- define "mender.resources" -}} -{{- $resources := dict }} -{{- range . }}{{- if . }} -{{- $resources := mergeOverwrite $resources (deepCopy .) }} -{{- end }}{{- end }} -{{- if $resources }} -{{- toYaml $resources }} +{{/* Helper for "mender.image" */}} +{{- define "mender.image.registry" }} +{{- if and .override.image .override.image.registry }} +{{- print .override.image.registry -}} +{{- else if and .dot.Values.global + .dot.Values.global.image + .dot.Values.global.image.registry}} +{{- print .dot.Values.global.image.registry -}} +{{- else if and .dot.Values.default.image .dot.Values.default.image.registry}} +{{- print .dot.Values.default.image.registry -}} +{{- else if .dot.Values.global.enterprise }} +{{- print "registry.mender.io" -}} +{{- else }} +{{- print "docker.io" -}} +{{- end }} +{{- end }} + +{{/* Helper for "mender.image" */}} +{{- define "mender.image.repository" }} +{{- if and .override.image .override.image.repository }} +{{- print .override.image.repository -}} +{{- else if and .dot.Values.global + .dot.Values.global.image + .dot.Values.global.image.repository }} +{{- print .dot.Values.global.image.repository }} +{{- else if and .dot.Values.default.image .dot.Values.default.image.repository}} +{{- print .dot.Values.default.image.repository -}} +{{- else if .dot.Values.global.enterprise }} +{{- print "mender-server-enterprise" -}} +{{- else }} +{{- print "mendersoftware" -}} +{{- end }} +{{- end }} + +{{/* Helper for "mender.image" */}} +{{- define "mender.image.tag" }} +{{- if and .override.image .override.image.tag }} +{{- print .override.image.tag -}} +{{- else if and .dot.Values.global + .dot.Values.global.image + .dot.Values.global.image.tag }} +{{- print .dot.Values.global.image.tag -}} +{{- else if and .dot.Values.default.image .dot.Values.default.image.tag}} +{{- print .dot.Values.default.image.tag -}} +{{- else }} +{{- print 
.dot.Chart.AppVersion -}} {{- end }} {{- end }} {{/* -Define Mender major and minor version -to be able to apply some conditional logic +Synopsis: +image: {{ include "mender.image" (dict + "dot" . + "component" "" + "override" .Values. }} */}} -{{- define "menderVersionMajor" }} -{{- $dot := (ternary . .dot (empty .dot)) -}} -{{- $mndr_version := split "." $dot.Chart.AppVersion }} -{{- with $dot.Values.global.image }} - {{- if contains "-" .tag }} - {{- $mndr_splitted := split "-" .tag -}} - {{- if (regexMatch "^[0-9]+\\.[0-9]+" $mndr_splitted._1) }} - {{- $mndr_version = split "." $mndr_splitted._1 }} - {{- end }} - {{- else }} - {{- if (regexMatch "^[0-9]+\\.[0-9]+" $mndr_splitted._1) }} - {{- $mndr_version = split "." .tag }} - {{- end }} - {{- end }} +{{- define "mender.image" }} +{{- printf "%s/%s/%s:%s" + (include "mender.image.registry" .) + (include "mender.image.repository" .) + (default .component .imageComponent) + (include "mender.image.tag" .) }} +{{- end }} + +{{/* +Synopsis: +imagePullPolicy: {{ include "mender.imagePullPolicy" (dict + "dot" . + "component" "" + "override" .Values. }} +*/}} +{{- define "mender.imagePullPolicy" }} +{{- if and .override.image .override.image.pullPolicy }} +{{ .override.image.pullPolicy }} +{{- else if and .dot.Values.default.image .dot.Values.default.image.pullPolicy }} +{{- .dot.Values.default.image.pullPolicy }} +{{- else }} +{{- "IfNotPresent" }} {{- end }} -{{- printf "%s" $mndr_version._0 }} {{- end }} -{{- define "menderVersionMinor" }} -{{- $dot := (ternary . .dot (empty .dot)) -}} -{{- $mndr_version := split "." $dot.Chart.AppVersion }} -{{- with $dot.Values.global.image }} - {{- if contains "-" .tag }} - {{- $mndr_splitted := split "-" .tag -}} - {{- if (regexMatch "^[0-9]+\\.[0-9]+" $mndr_splitted._1) }} - {{- $mndr_version = split "." $mndr_splitted._1 }} - {{- end }} - {{- else }} - {{- if (regexMatch "^[0-9]+\\.[0-9]+" $mndr_splitted._1) }} - {{- $mndr_version = split "." 
.tag }} - {{- end }} - {{- end }} +{{- define "mender.resources" -}} +{{- $resources := dict }} +{{- range . }}{{- if . }} +{{- $resources := mergeOverwrite $resources (deepCopy .) }} +{{- end }}{{- end }} +{{- if $resources }} +{{- toYaml $resources }} {{- end }} -{{- printf "%s" $mndr_version._1 }} {{- end }} {{/* diff --git a/mender/templates/api-gateway/deployment.yaml b/mender/templates/api-gateway/deployment.yaml index 967c583f..0fc280de 100644 --- a/mender/templates/api-gateway/deployment.yaml +++ b/mender/templates/api-gateway/deployment.yaml @@ -1,5 +1,6 @@ {{- if .Values.api_gateway.enabled }} {{- $merged := merge (deepCopy .Values.api_gateway) (deepCopy (default (dict) .Values.default)) -}} +{{- $context := dict "dot" . "override" .Values.api_gateway "component" "api-gateway" "imageComponent" "traefik" }} {{- if or .Values.api_gateway.podSecurityContext.enabled .Values.api_gateway.containerSecurityContext.enabled }} {{- if and .Values.api_gateway.httpPort (lt (int .Values.api_gateway.httpPort) 1024) }} {{- fail ".Values.api_gateway.httpPort can't be less than 1024 when Security Context is enabled" }} @@ -64,8 +65,11 @@ spec: containers: - name: api-gateway - image: {{ .Values.api_gateway.image.registry }}/{{ .Values.api_gateway.image.repository }}:{{ .Values.api_gateway.image.tag }} - imagePullPolicy: {{ .Values.api_gateway.image.imagePullPolicy }} + image: {{ printf "%s/%s:%s" + (include "mender.image.registry" $context) + (include "mender.image.repository" $context) + (include "mender.image.tag" $context) }} + imagePullPolicy: {{ include "mender.imagePullPolicy" $context }} {{- if .Values.api_gateway.containerSecurityContext.enabled }} securityContext: {{- omit .Values.api_gateway.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} 
@@ -176,7 +180,7 @@ spec: {{- end }} {{- end }} -{{- if .Values.global.image.username }} +{{- if and .Values.global.image .Values.global.image.username }} imagePullSecrets: - name: docker-registry {{- else }} diff --git a/mender/templates/auditlogs/_podtemplate.yaml b/mender/templates/auditlogs/_podtemplate.yaml index a30fa8bb..5134078c 100644 --- a/mender/templates/auditlogs/_podtemplate.yaml +++ b/mender/templates/auditlogs/_podtemplate.yaml @@ -23,8 +23,8 @@ spec: {{- end }} containers: - name: {{ ternary "auditlogs" "auditlogs-migration" (empty .migration) | quote }} - image: {{ .dot.Values.auditlogs.image.registry }}/{{ .dot.Values.auditlogs.image.repository }}:{{ .dot.Values.auditlogs.image.tag | default .dot.Values.global.image.tag }} - imagePullPolicy: {{ .dot.Values.auditlogs.image.imagePullPolicy }} + image: {{ include "mender.image" . }} + imagePullPolicy: {{ include "mender.imagePullPolicy" . }} {{- if .dot.Values.auditlogs.containerSecurityContext.enabled }} securityContext: {{- omit .dot.Values.auditlogs.containerSecurityContext "enabled" | toYaml | nindent 6 }} {{- end }} @@ -82,7 +82,7 @@ spec: name: {{ .dot.Values.global.mongodb.existingSecret | default (ternary "mongodb-common" "mongodb-common-prerelease" (empty .migration)) }} - {{- if .dot.Values.global.image.username }} + {{- if and .dot.Values.global.image .dot.Values.global.image.username }} imagePullSecrets: - name: {{ ternary "docker-registry" "docker-registry-prerelease" (empty .migration) }} {{- else }} diff --git a/mender/templates/auditlogs/deployment.yaml b/mender/templates/auditlogs/deployment.yaml index b6a8678d..11bb6ada 100644 --- a/mender/templates/auditlogs/deployment.yaml +++ b/mender/templates/auditlogs/deployment.yaml 
@@ -1,5 +1,5 @@ {{- if and .Values.auditlogs.enabled .Values.global.enterprise }} -{{- $context := (dict "dot" . "component" "auditlogs") -}} +{{- $context := dict "dot" . "component" "auditlogs" "override" .Values.auditlogs -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/mender/templates/auditlogs/job.yaml b/mender/templates/auditlogs/job.yaml index bfbbc5dc..1ef2b7f2 100644 --- a/mender/templates/auditlogs/job.yaml +++ b/mender/templates/auditlogs/job.yaml @@ -1,5 +1,10 @@ {{- if and .Values.auditlogs.enabled .Values.global.enterprise .Values.dbmigration.enable }} -{{- $context := (dict "dot" . "component" "auditlogs" "migration" "true" "restartPolicy" (default "Never" .Values.auditlogs.migrationRestartPolicy) "extraResources" .Values.auditlogs.migrationResources) }} +{{- $context := dict "dot" . + "component" "auditlogs" + "override" .Values.auditlogs + "migration" "true" + "restartPolicy" (default "Never" .Values.auditlogs.migrationRestartPolicy) + "extraResources" .Values.auditlogs.migrationResources }} apiVersion: batch/v1 kind: Job metadata: diff --git a/mender/templates/constraint.tpl b/mender/templates/constraint.tpl new file mode 100644 index 00000000..24a18144 --- /dev/null +++ b/mender/templates/constraint.tpl @@ -0,0 +1,3 @@ +{{- if semverCompare "<3.10.0" .Capabilities.HelmVersion.Version }} +{{- fail "Chart requires helm >= 3.10.0" }} +{{- end }} diff --git a/mender/templates/create-artifact-worker/deployment.yaml b/mender/templates/create-artifact-worker/deployment.yaml index 537c0f6b..e76a1563 100644 --- a/mender/templates/create-artifact-worker/deployment.yaml +++ b/mender/templates/create-artifact-worker/deployment.yaml 
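Review bot: `semverCompare "<3.10.0"` will, if Helm's `semverCompare` follows the Masterminds/semver pre-release rules as I believe it does, not match any pre-release version at all, so a client reporting e.g. `v3.9.0-rc.1` passes this guard; `{{- if semverCompare "<3.10.0-0" .Capabilities.HelmVersion.Version }}` orders pre-releases as well. A one-line comment stating why 3.10.0 is the floor (e.g. `{{- /* 3.10.0 is the first Helm release providing the template functions this chart depends on */}}`, adjusted to the real reason) would save the next maintainer a git-blame, since the CHANGELOG only restates the requirement. Note also that with `helm template` in GitOps pipelines `.Capabilities.HelmVersion` reflects the client rendering the chart, not the binary that will apply it.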
@@ -1,4 +1,7 @@ {{- if .Values.create_artifact_worker.enabled }} +{{- $context := dict "dot" . + "override" .Values.create_artifact_worker + "component" "create-artifact-worker" -}} {{- $merged := merge (deepCopy .Values.create_artifact_worker) (deepCopy (default (dict) .Values.default)) -}} apiVersion: apps/v1 kind: Deployment @@ -49,8 +52,8 @@ spec: containers: - name: create-artifact-worker - image: {{ .Values.create_artifact_worker.image.registry }}/{{ .Values.create_artifact_worker.image.repository }}:{{ .Values.create_artifact_worker.image.tag | default .Values.global.image.tag }} - imagePullPolicy: {{ .Values.create_artifact_worker.image.imagePullPolicy }} + image: {{ include "mender.image" $context }} + imagePullPolicy: {{ include "mender.imagePullPolicy" $context }} {{- if .Values.create_artifact_worker.containerSecurityContext.enabled }} securityContext: {{- omit .Values.create_artifact_worker.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -92,7 +95,7 @@ spec: name: {{ .Values.global.nats.existingSecret }} {{- end }} -{{- if .Values.global.image.username }} +{{- if and .Values.global.image .Values.global.image.username }} imagePullSecrets: - name: docker-registry {{- else }} diff --git a/mender/templates/deployments/_podtemplate.yaml b/mender/templates/deployments/_podtemplate.yaml index 8bec204a..c530dc64 100644 --- a/mender/templates/deployments/_podtemplate.yaml +++ b/mender/templates/deployments/_podtemplate.yaml 
@@ -27,12 +27,8 @@ spec: {{- end }} containers: - name: {{ ternary "deployments" "deployments-migration" (empty .migration) | quote }} - {{- if .dot.Values.global.enterprise }} - image: {{ .dot.Values.deployments.image.registry | default "registry.mender.io" }}/{{ .dot.Values.deployments.image.repository | default "mendersoftware/deployments-enterprise" }}:{{ .dot.Values.deployments.image.tag | default .dot.Values.global.image.tag }} - {{- else }} - image: {{ .dot.Values.deployments.image.registry | default "docker.io" }}/{{ .dot.Values.deployments.image.repository | default "mendersoftware/deployments" }}:{{ .dot.Values.deployments.image.tag | default .dot.Values.global.image.tag }} - {{- end }} - imagePullPolicy: {{ .dot.Values.deployments.image.imagePullPolicy }} + image: {{ include "mender.image" . }} + imagePullPolicy: {{ include "mender.imagePullPolicy" . }} {{- if .dot.Values.deployments.containerSecurityContext.enabled }} securityContext: {{- omit .dot.Values.deployments.containerSecurityContext "enabled" | toYaml | nindent 6 }} {{- end }} @@ -138,7 +134,7 @@ spec: {{- end }} - {{- if .dot.Values.global.image.username }} + {{- if and .dot.Values.global.image .dot.Values.global.image.username }} imagePullSecrets: - name: {{ ternary "docker-registry" "docker-registry-prerelease" (empty .migration) }} {{- else }} diff --git a/mender/templates/deployments/cronjob.yaml b/mender/templates/deployments/cronjob.yaml index a3dca5b1..80b8cde8 100644 --- a/mender/templates/deployments/cronjob.yaml +++ b/mender/templates/deployments/cronjob.yaml @@ -1,4 +1,7 @@ {{- if .Values.deployments.directUpload.enabled }} +{{- $context := dict "dot" . + "component" "deployments" + "override" .Values.deployments -}} {{- $merged := merge (deepCopy .Values.deployments) (deepCopy (default (dict) .Values.default)) -}} apiVersion: batch/v1 kind: CronJob 
@@ -38,11 +41,8 @@ spec: {{- end }} containers: - name: deployments-storage-daemon - {{- if .Values.global.enterprise }} - image: {{ .Values.deployments.image.registry | default "registry.mender.io" }}/{{ .Values.deployments.image.repository | default "mendersoftware/deployments-enterprise" }}:{{ .Values.deployments.image.tag | default .Values.global.image.tag }} - {{- else }} - image: {{ .Values.deployments.image.registry | default "docker.io" }}/{{ .Values.deployments.image.repository | default "mendersoftware/deployments" }}:{{ .Values.deployments.image.tag | default .Values.global.image.tag }} - {{- end }} + image: {{ include "mender.image" $context }} + imagePullPolicy: {{ include "mender.imagePullPolicy" $context }} args: ["storage-daemon", "--time-jitter={{ .Values.deployments.directUpload.jitter}}"] env: - name: DEPLOYMENTS_STORAGE_DEFAULT @@ -63,7 +63,7 @@ spec: {{- end }} restartPolicy: Never -{{- if .Values.global.image.username }} +{{- if and .Values.global.image .Values.global.image.username }} imagePullSecrets: - name: docker-registry {{- else }} diff --git a/mender/templates/deployments/deployment.yaml b/mender/templates/deployments/deployment.yaml index e161cd24..2ba1b37a 100644 --- a/mender/templates/deployments/deployment.yaml +++ b/mender/templates/deployments/deployment.yaml @@ -1,5 +1,5 @@ {{- if .Values.deployments.enabled }} -{{- $context := (dict "dot" . "component" "deployments") -}} +{{- $context := dict "dot" . "component" "deployments" "override" .Values.deployments -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/mender/templates/deployments/job.yaml b/mender/templates/deployments/job.yaml index 4f8e4093..2adc77e3 100644 --- a/mender/templates/deployments/job.yaml +++ b/mender/templates/deployments/job.yaml 
@@ -1,5 +1,10 @@ {{- if and .Values.deployments.enabled .Values.dbmigration.enable }} -{{- $context := (dict "dot" . "component" "deployments" "migration" "true" "restartPolicy" (default "Never" .Values.deployments.migrationRestartPolicy) "extraResources" .Values.deployments.migrationResources) }} +{{- $context := dict "dot" . + "override" .Values.deployments + "component" "deployments" + "migration" "true" + "restartPolicy" (default "Never" .Values.deployments.migrationRestartPolicy) + "extraResources" .Values.deployments.migrationResources -}} apiVersion: batch/v1 kind: Job metadata: diff --git a/mender/templates/device-auth/_podtemplate.yaml b/mender/templates/device-auth/_podtemplate.yaml index 8bcd5c16..3f916628 100644 --- a/mender/templates/device-auth/_podtemplate.yaml +++ b/mender/templates/device-auth/_podtemplate.yaml @@ -25,13 +25,8 @@ spec: containers: - name: {{ ternary "device-auth" "device-auth-migration" (empty .migration) | quote }} - {{- if .dot.Values.global.enterprise }} - image: {{ .dot.Values.device_auth.image.registry | default "registry.mender.io" }}/{{ .dot.Values.device_auth.image.repository | default "mendersoftware/deviceauth-enterprise" }}:{{ .dot.Values.device_auth.image.tag | default .dot.Values.global.image.tag }} - {{- else }} - image: {{ .dot.Values.device_auth.image.registry | default "docker.io" }}/{{ .dot.Values.device_auth.image.repository | default "mendersoftware/deviceauth" }}:{{ .dot.Values.device_auth.image.tag | default .dot.Values.global.image.tag }} - {{- end }} - - imagePullPolicy: {{ .dot.Values.device_auth.image.imagePullPolicy }} + image: {{ include "mender.image" . }} + imagePullPolicy: {{ include "mender.imagePullPolicy" . }} {{- if .dot.Values.device_auth.containerSecurityContext.enabled }} securityContext: {{- omit .dot.Values.device_auth.containerSecurityContext "enabled" | toYaml | nindent 6 }} {{- end }} 
@@ -80,17 +75,15 @@ spec: {{- if (not .migration) }} volumeMounts: - name: rsa - {{- if .dot.Values.global.enterprise }} - mountPath: "/etc/deviceauth-enterprise/rsa/" - {{- else }} mountPath: "/etc/deviceauth/rsa/" - {{- end }} readOnly: true {{- end }} env: - name: DEVICEAUTH_INVENTORY_ADDR value: {{ .dot.Values.device_auth.env.DEVICEAUTH_INVENTORY_ADDR | quote }} + - name: DEVICEAUTH_SERVER_PRIV_KEY_PATH + value: /etc/deviceauth/rsa/private.pem - name: DEVICEAUTH_ORCHESTRATOR_ADDR value: {{ .dot.Values.device_auth.env.DEVICEAUTH_ORCHESTRATOR_ADDR | quote }} - name: DEVICEAUTH_JWT_ISSUER 
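Review bot: `DEVICEAUTH_SERVER_PRIV_KEY_PATH` is added unconditionally, but the `rsa` volume mount it points at is only rendered under `{{- if (not .migration) }}`, so the migration Job receives a path that does not exist in its filesystem. If the migrate entrypoint loads the key at startup this breaks the pre-upgrade hook; if not it is merely misleading — either way wrapping the two new lines in the same `{{- if (not .migration) }}` guard keeps env and mount consistent. The value is also hard-coded instead of being read from `device_auth.env` like the neighbouring variables; confirm that operators should not be able to override it.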
@@ -111,30 +104,15 @@ spec: value: "true" {{- end }} {{- if and .dot.Values.global.enterprise }} - {{- if and ( le (int (include "menderVersionMajor" .)) 3 ) ( lt (int (include "menderVersionMinor" .)) 7 ) }} - # redis_address deprecated from 3.7 - - name: DEVICEAUTH_REDIS_ADDR - value: {{ include "redis_address" . }} - - name: DEVICEAUTH_REDIS_USERNAME - value: {{ .dot.Values.global.redis.username | default "" | quote }} - - name: DEVICEAUTH_REDIS_PASSWORD - value: {{ .dot.Values.global.redis.password | default "" | quote }} - - name: DEVICEAUTH_REDIS_DB - value: {{ .dot.Values.useradm.env.DEVICEAUTH_REDIS_DB | default "1" | quote }} - - name: DEVICEAUTH_REDIS_TIMEOUT_SEC - value: {{ .dot.Values.useradm.env.DEVICEAUTH_REDIS_TIMEOUT_SEC | default "1" | quote }} - {{- else }} {{- if not .dot.Values.global.redis.existingSecret }} - # redis_address deprecated from 3.7 - name: DEVICEAUTH_REDIS_CONNECTION_STRING value: {{ include "redis_connection_string" . }} - {{- end }} - name: DEVICEAUTH_REDIS_KEY_PREFIX value: {{ .dot.Values.device_auth.env.DEVICEAUTH_REDIS_KEY_PREFIX | default "deviceauth:v1" | quote }} - {{- end }} - name: DEVICEAUTH_REDIS_LIMITS_EXPIRE_SEC value: {{ .dot.Values.device_auth.env.DEVICEAUTH_REDIS_LIMITS_EXPIRE_SEC | default "3600" | quote }} {{- end }} + {{- end }} {{- include "mender.customEnvs" (merge (deepCopy .dot.Values.device_auth) (deepCopy (default (dict) .dot.Values.default))) | nindent 4 }} # Supported configuration settings: https://github.com/mendersoftware/deviceauth/blob/master/config.yaml 
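Review bot: After the re-nesting, `DEVICEAUTH_REDIS_KEY_PREFIX` and `DEVICEAUTH_REDIS_LIMITS_EXPIRE_SEC` are rendered only when `global.redis.existingSecret` is unset, because the `{{- end }}` that closed `if not .dot.Values.global.redis.existingSecret` directly after the connection-string entry was removed and a new `{{- end }}` appended at the bottom; before this change both variables were emitted regardless of the secret. Users of an external Redis secret therefore silently lose the key prefix and limits expiry, including any `device_auth.env` overrides for them. Restore the `{{- end }}` immediately after `value: {{ include "redis_connection_string" . }}` and drop the extra trailing one so the secret branch only gates the connection string.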
@@ -144,14 +122,12 @@ spec: secretRef: name: {{ .dot.Values.global.mongodb.existingSecret | default (ternary "mongodb-common" "mongodb-common-prerelease" (empty .migration)) }} - {{- if not (and ( le (int (include "menderVersionMajor" .)) 3 ) ( lt (int (include "menderVersionMinor" .)) 7 ) ) }} {{- if and .dot.Values.global.redis.existingSecret .dot.Values.global.enterprise ( not .dot.Values.global.redis.URL ) ( not .dot.Values.redis.enabled ) }} # Redis existingSecret - prefix: DEVICEAUTH_ secretRef: name: {{ .dot.Values.global.redis.existingSecret | quote }} {{- end }} - {{- end }} {{- with (coalesce .dot.Values.device_auth.nodeSelector .dot.Values.default.nodeSelector) }} @@ -162,16 +138,14 @@ spec: volumes: - name: rsa secret: - {{- with .dot.Values.device_auth.certs }} - {{- if .existingSecret }} + {{- if and .dot.Values.device_auth.certs .dot.Values.device_auth.certs.existingSecret }} secretName: {{ .existingSecret }} {{- else }} secretName: rsa-device-auth {{- end }} - {{- end }} {{- end }} - {{- if .dot.Values.global.image.username }} + {{- if and .dot.Values.global.image .dot.Values.global.image.username }} imagePullSecrets: - name: {{ ternary "docker-registry" "docker-registry-prerelease" (empty .migration) }} {{- else }} diff --git a/mender/templates/device-auth/cronjob.yaml b/mender/templates/device-auth/cronjob.yaml index 1232865f..df090908 100644 --- a/mender/templates/device-auth/cronjob.yaml +++ b/mender/templates/device-auth/cronjob.yaml @@ -1,5 +1,6 @@ {{- if and (.Values.device_auth.enabled) (.Values.global.enterprise) (.Values.device_license_count.enabled) }} +{{- $context := dict "dot" . "component" "deviceauth" "override" .Values.device_auth}} {{- $merged := merge (deepCopy .Values.device_auth) (deepCopy (default (dict) .Values.default)) -}} apiVersion: batch/v1 kind: CronJob 
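Review bot: Removing the `with .dot.Values.device_auth.certs` scope breaks the unchanged line `secretName: {{ .existingSecret }}`: inside a plain `if` the dot is still the pod-template context dict, which has no `existingSecret` key, so the value renders empty (Helm strips `<no value>`) and the `rsa` volume references a null secret name whenever `device_auth.certs.existingSecret` is set. Change it to `secretName: {{ .dot.Values.device_auth.certs.existingSecret }}`. A render with `--set device_auth.certs.existingSecret=foo` would have caught this; the chart tests introduced in 5.8.0 look like the right place for such a case.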
@@ -32,7 +33,8 @@ spec: {{- end }} containers: - name: device-auth-license-count - image: {{ .Values.device_auth.image.registry | default "registry.mender.io" }}/{{ .Values.device_auth.image.repository | default "mendersoftware/deviceauth-enterprise" }}:{{ .Values.device_auth.image.tag | default .Values.global.image.tag }} + image: {{ include "mender.image" $context }} + imagePullPolicy: {{ include "mender.imagePullPolicy" $context }} command: ["/usr/bin/deviceauth-enterprise", "license-count"] envFrom: @@ -42,7 +44,7 @@ spec: restartPolicy: Never -{{- if .Values.global.image.username }} +{{- if and .Values.global.image .Values.global.image.username }} imagePullSecrets: - name: docker-registry {{- else }} diff --git a/mender/templates/device-auth/deployment.yaml b/mender/templates/device-auth/deployment.yaml index 5868e14b..c0751d49 100644 --- a/mender/templates/device-auth/deployment.yaml +++ b/mender/templates/device-auth/deployment.yaml @@ -1,5 +1,8 @@ {{- if .Values.device_auth.enabled }} -{{- $context := (dict "dot" . "component" "device-auth") -}} +{{- $context := dict "dot" . + "component" "device-auth" + "imageComponent" "deviceauth" + "override" .Values.device_auth -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/mender/templates/device-auth/job.yaml b/mender/templates/device-auth/job.yaml index 6478f900..9d3d02d8 100644 --- a/mender/templates/device-auth/job.yaml +++ b/mender/templates/device-auth/job.yaml 
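Review bot: The device-auth deployment context sets `"component" "device-auth"` plus `"imageComponent" "deviceauth"`, while the device-auth job (next hunk) and cronjob contexts pass `"component" "deviceauth"` with no `imageComponent`. If `mender.image` falls back to `component` when `imageComponent` is absent this works, but three templates for one service then derive the same image from two different keys; I'd either set `"imageComponent" "deviceauth"` in all three or add a comment on the deployment dict explaining why it alone needs the extra key. The `mender.image` helper itself is not part of this chunk, so this is inferred from the call sites.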
@@ -1,5 +1,10 @@ {{- if and .Values.device_auth.enabled .Values.dbmigration.enable }} -{{- $context := (dict "dot" . "component" "deviceauth" "migration" "true" "restartPolicy" (default "Never" .Values.device_auth.migrationRestartPolicy) "extraResources" .Values.device_auth.migrationResources) }} +{{- $context := dict "dot" . + "component" "deviceauth" + "override" .Values.device_auth + "migration" "true" + "restartPolicy" (default "Never" .Values.device_auth.migrationRestartPolicy) + "extraResources" .Values.device_auth.migrationResources }} apiVersion: batch/v1 kind: Job metadata: diff --git a/mender/templates/device-auth/secret.yaml b/mender/templates/device-auth/secret.yaml index 298d61c4..a3817a3d 100644 --- a/mender/templates/device-auth/secret.yaml +++ b/mender/templates/device-auth/secret.yaml @@ -14,6 +14,10 @@ metadata: app.kubernetes.io/part-of: mender helm.sh/chart: "{{ .Chart.Name }}" data: + {{- if and .Values.device_auth.certs .Values.device_auth.certs.key }} private.pem: {{ .Values.device_auth.certs.key | b64enc }} + {{- else }} + private.pem: {{ genPrivateKey "ed25519" | b64enc }} + {{- end }} {{- end }} {{- end }} diff --git a/mender/templates/deviceconfig/_podtemplate.yaml b/mender/templates/deviceconfig/_podtemplate.yaml index 8b82f373..27314208 100644 --- a/mender/templates/deviceconfig/_podtemplate.yaml +++ b/mender/templates/deviceconfig/_podtemplate.yaml 
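Review bot: `genPrivateKey "ed25519"` runs on every render, so each `helm upgrade` without `device_auth.certs.key` writes a fresh private key into the Secret and invalidates every token signed with the previous one; the useradm and tenantadm secret templates below carry the same fallback. The usual fix is to look up the existing Secret and reuse its `private.pem` before generating a new one (noting that `lookup` returns nothing under `helm template` or `--dry-run`, so a key is still generated there). I've assumed the Secret is the `rsa-device-auth` that the pod template mounts by default; adjust the name if the metadata differs. Whether deviceauth accepts an Ed25519 key rather than RSA is not visible here and should be confirmed against the service.
```yaml
{{- /* Reuse the key from a previous release, if any, so upgrades do not rotate it */}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace "rsa-device-auth" }}
# … unchanged: metadata …
data:
  {{- if and .Values.device_auth.certs .Values.device_auth.certs.key }}
  private.pem: {{ .Values.device_auth.certs.key | b64enc }}
  {{- else if and $existing $existing.data (index $existing.data "private.pem") }}
  private.pem: {{ index $existing.data "private.pem" }}
  {{- else }}
  private.pem: {{ genPrivateKey "ed25519" | b64enc }}
  {{- end }}
```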
@@ -24,8 +24,8 @@ spec: containers: - name: {{ ternary "deviceconfig" "deviceconfig-migration" (empty .migration) | quote }} - image: {{ .dot.Values.deviceconfig.image.registry }}/{{ .dot.Values.deviceconfig.image.repository }}:{{ .dot.Values.deviceconfig.image.tag | default .dot.Values.global.image.tag }} - imagePullPolicy: {{ .dot.Values.deviceconfig.image.imagePullPolicy }} + image: {{ include "mender.image" . }} + imagePullPolicy: {{ include "mender.imagePullPolicy" . }} {{- if .dot.Values.deviceconfig.containerSecurityContext.enabled }} securityContext: {{- omit .dot.Values.deviceconfig.containerSecurityContext "enabled" | toYaml | nindent 6 }} {{- end }} @@ -89,7 +89,7 @@ spec: secretRef: name: {{ .dot.Values.global.mongodb.existingSecret | default (ternary "mongodb-common" "mongodb-common-prerelease" (empty .migration)) }} - {{- if .dot.Values.global.image.username }} + {{- if and .dot.Values.global.image .dot.Values.global.image.username }} imagePullSecrets: - name: {{ ternary "docker-registry" "docker-registry-prerelease" (empty .migration) }} {{- else }} diff --git a/mender/templates/deviceconfig/deployment.yaml b/mender/templates/deviceconfig/deployment.yaml index 9f3c01bf..66d47221 100644 --- a/mender/templates/deviceconfig/deployment.yaml +++ b/mender/templates/deviceconfig/deployment.yaml @@ -1,5 +1,7 @@ {{- if .Values.deviceconfig.enabled }} -{{- $context := (dict "dot" . "component" "deviceconfig") -}} +{{- $context := dict "dot" . + "component" "deviceconfig" + "override" .Values.deviceconfig -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/mender/templates/deviceconfig/job.yaml b/mender/templates/deviceconfig/job.yaml index 4255fa8c..a28a6ca7 100644 --- a/mender/templates/deviceconfig/job.yaml +++ b/mender/templates/deviceconfig/job.yaml 
@@ -1,5 +1,10 @@ {{- if and .Values.deviceconfig.enabled .Values.dbmigration.enable }} -{{- $context := (dict "dot" . "component" "deviceconfig" "migration" "true" "restartPolicy" (default "Never" .Values.deviceconfig.migrationRestartPolicy) "extraResources" .Values.deviceconfig.migrationResources) }} +{{- $context := dict "dot" . + "component" "deviceconfig" + "override" .Values.deviceconfig + "migration" "true" + "restartPolicy" (default "Never" .Values.deviceconfig.migrationRestartPolicy) + "extraResources" .Values.deviceconfig.migrationResources -}} apiVersion: batch/v1 kind: Job metadata: diff --git a/mender/templates/deviceconnect/_podtemplate.yaml b/mender/templates/deviceconnect/_podtemplate.yaml index 06bfc67e..4e965ccf 100644 --- a/mender/templates/deviceconnect/_podtemplate.yaml +++ b/mender/templates/deviceconnect/_podtemplate.yaml @@ -23,8 +23,8 @@ spec: {{- end }} containers: - name: {{ ternary "deviceconnect" "deviceconnect-migration" (empty .migration) | quote }} - image: {{ .dot.Values.deviceconnect.image.registry }}/{{ .dot.Values.deviceconnect.image.repository }}:{{ .dot.Values.deviceconnect.image.tag | default .dot.Values.global.image.tag }} - imagePullPolicy: {{ .dot.Values.deviceconnect.image.imagePullPolicy }} + image: {{ include "mender.image" . }} + imagePullPolicy: {{ include "mender.imagePullPolicy" . }} {{- if .dot.Values.deviceconnect.containerSecurityContext.enabled }} securityContext: {{- omit .dot.Values.deviceconnect.containerSecurityContext "enabled" | toYaml | nindent 6 }} {{- end }} @@ -124,7 +124,7 @@ spec: terminationGracePeriodSeconds: {{ .dot.Values.deviceconnect.terminationGracePeriodSeconds }} {{- end }} - {{- if .dot.Values.global.image.username }} + {{- if and .dot.Values.global.image .dot.Values.global.image.username }} imagePullSecrets: - name: {{ ternary "docker-registry" "docker-registry-prerelease" (empty .migration) }} {{- else }} 
diff --git a/mender/templates/deviceconnect/deployment.yaml b/mender/templates/deviceconnect/deployment.yaml index 1b684e13..eb255d22 100644 --- a/mender/templates/deviceconnect/deployment.yaml +++ b/mender/templates/deviceconnect/deployment.yaml @@ -1,5 +1,7 @@ {{- if .Values.deviceconnect.enabled }} -{{- $context := (dict "dot" . "component" "deviceconnect") -}} +{{- $context := dict "dot" . + "override" .Values.deviceconnect + "component" "deviceconnect" -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/mender/templates/deviceconnect/job.yaml b/mender/templates/deviceconnect/job.yaml index 6d946900..a342554b 100644 --- a/mender/templates/deviceconnect/job.yaml +++ b/mender/templates/deviceconnect/job.yaml @@ -1,5 +1,10 @@ {{- if .Values.dbmigration.enable }} -{{- $context := (dict "dot" . "component" "deviceconnect" "migration" "true" "restartPolicy" (default "Never" .Values.deviceconnect.migrationRestartPolicy) "extraResources" .Values.deviceconnect.migrationResources) }} +{{- $context := dict "dot" . + "component" "deviceconnect" + "override" .Values.deviceconnect + "migration" "true" + "restartPolicy" (default "Never" .Values.deviceconnect.migrationRestartPolicy) + "extraResources" .Values.deviceconnect.migrationResources -}} apiVersion: batch/v1 kind: Job metadata: diff --git a/mender/templates/devicemonitor/_podtemplate.yaml b/mender/templates/devicemonitor/_podtemplate.yaml index 4da10f8c..7d425c29 100644 --- a/mender/templates/devicemonitor/_podtemplate.yaml +++ b/mender/templates/devicemonitor/_podtemplate.yaml 
@@ -23,8 +23,8 @@ spec: {{- end }} containers: - name: {{ ternary "devicemonitor" "devicemonitor-migration" (empty .migration) | quote }} - image: {{ .dot.Values.devicemonitor.image.registry }}/{{ .dot.Values.devicemonitor.image.repository }}:{{ .dot.Values.devicemonitor.image.tag | default .dot.Values.global.image.tag }} - imagePullPolicy: {{ .dot.Values.devicemonitor.image.imagePullPolicy }} + image: {{ include "mender.image" . }} + imagePullPolicy: {{ include "mender.imagePullPolicy" . }} {{- if .dot.Values.devicemonitor.containerSecurityContext.enabled }} securityContext: {{- omit .dot.Values.devicemonitor.containerSecurityContext "enabled" | toYaml | nindent 6 }} {{- end }} @@ -89,7 +89,7 @@ spec: name: {{ .dot.Values.global.mongodb.existingSecret | default (ternary "mongodb-common" "mongodb-common-prerelease" (empty .migration)) }} - {{- if .dot.Values.global.image.username }} + {{- if and .dot.Values.global.image .dot.Values.global.image.username }} imagePullSecrets: - name: {{ ternary "docker-registry" "docker-registry-prerelease" (empty .migration) }} {{- else }} diff --git a/mender/templates/devicemonitor/deployment.yaml b/mender/templates/devicemonitor/deployment.yaml index d9675bae..c3ff81c8 100644 --- a/mender/templates/devicemonitor/deployment.yaml +++ b/mender/templates/devicemonitor/deployment.yaml @@ -1,5 +1,7 @@ {{- if and .Values.devicemonitor.enabled .Values.global.enterprise }} -{{- $context := (dict "dot" . "component" "devicemonitor") -}} +{{- $context := dict "dot" . + "component" "devicemonitor" + "override" .Values.devicemonitor -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/mender/templates/devicemonitor/job.yaml b/mender/templates/devicemonitor/job.yaml index 1d50ce67..4ab71b4b 100644 --- a/mender/templates/devicemonitor/job.yaml +++ b/mender/templates/devicemonitor/job.yaml 
@@ -1,5 +1,10 @@ {{- if and .Values.global.enterprise .Values.dbmigration.enable }} -{{- $context := (dict "dot" . "component" "devicemonitor" "migration" "true" "restartPolicy" (default "Never" .Values.devicemonitor.migrationRestartPolicy) "extraResources" .Values.devicemonitor.migrationResources) }} +{{- $context := dict "dot" . + "component" "devicemonitor" + "override" .Values.devicemonitor + "migration" "true" + "restartPolicy" (default "Never" .Values.devicemonitor.migrationRestartPolicy) + "extraResources" .Values.devicemonitor.migrationResources -}} apiVersion: batch/v1 kind: Job metadata: diff --git a/mender/templates/generate-delta-worker/statefulset.yaml b/mender/templates/generate-delta-worker/statefulset.yaml index 26f4eee6..e2634a95 100644 --- a/mender/templates/generate-delta-worker/statefulset.yaml +++ b/mender/templates/generate-delta-worker/statefulset.yaml @@ -1,4 +1,7 @@ {{- if and .Values.global.enterprise .Values.generate_delta_worker.enabled }} +{{- $context := dict "dot" . + "override" .Values.generate_delta_worker + "component" "generate-delta-worker" }} {{- $merged := merge (deepCopy .Values.generate_delta_worker) (deepCopy (default (dict) .Values.default)) -}} apiVersion: apps/v1 kind: StatefulSet @@ -73,8 +76,8 @@ spec: containers: - name: generate-delta-worker - image: {{ .Values.generate_delta_worker.image.registry }}/{{ .Values.generate_delta_worker.image.repository }}:{{ .Values.generate_delta_worker.image.tag | default .Values.global.image.tag }} - imagePullPolicy: {{ .Values.generate_delta_worker.image.imagePullPolicy }} + image: {{ include "mender.image" $context }} + imagePullPolicy: {{ include "mender.imagePullPolicy" $context }} resources: {{ toYaml .Values.generate_delta_worker.resources | indent 10 }} @@ -127,7 +130,7 @@ spec: {{- end }} {{- end }} -{{- if .Values.global.image.username }} +{{- if and .Values.global.image .Values.global.image.username }} imagePullSecrets: - name: docker-registry {{- else }} 
diff --git a/mender/templates/gui/deployment.yaml b/mender/templates/gui/deployment.yaml index 609cce83..f892c822 100644 --- a/mender/templates/gui/deployment.yaml +++ b/mender/templates/gui/deployment.yaml @@ -1,4 +1,5 @@ {{- if .Values.gui.enabled }} +{{- $context := dict "dot" . "override" .Values.gui "component" "gui"}} {{- $merged := merge (deepCopy .Values.gui) (deepCopy (default (dict) .Values.default)) -}} apiVersion: apps/v1 kind: Deployment @@ -52,8 +53,8 @@ spec: containers: - name: gui - image: {{ .Values.gui.image.registry }}/{{ .Values.gui.image.repository }}:{{ .Values.gui.image.tag | default .Values.global.image.tag }} - imagePullPolicy: {{ .Values.gui.image.imagePullPolicy }} + image: {{ include "mender.image" $context }} + imagePullPolicy: {{ include "mender.imagePullPolicy" $context }} {{- if .Values.gui.containerSecurityContext.enabled }} securityContext: {{- omit .Values.gui.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} @@ -90,9 +91,9 @@ spec: - name: HAVE_MULTITENANT value: {{ .Values.global.enterprise | quote }} - name: MENDER_VERSION - value: {{ trimPrefix "mender-" .Values.global.image.tag | quote }} + value: {{ trimPrefix "v" .Chart.AppVersion | quote }} - name: INTEGRATION_VERSION - value: {{ trimPrefix "mender-" .Values.global.image.tag | quote }} + value: {{ trimPrefix "v" .Chart.AppVersion | quote }} {{- end }} {{- if and .Values.auditlogs.enabled .Values.global.enterprise }} - name: HAVE_AUDITLOGS @@ -112,7 +113,7 @@ spec: {{- end }} {{- include "mender.customEnvs" (merge (deepCopy .Values.gui) (deepCopy (default (dict) .Values.default))) | nindent 8 }} -{{- if .Values.global.image.username }} +{{- if and .Values.global.image .Values.global.image.username }} imagePullSecrets: - name: docker-registry {{- else }} diff --git a/mender/templates/inventory/_podtemplate.yaml b/mender/templates/inventory/_podtemplate.yaml index 1eeafb37..a36ae770 100644 --- a/mender/templates/inventory/_podtemplate.yaml 
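Review bot: `MENDER_VERSION` and `INTEGRATION_VERSION` now come from `.Chart.AppVersion` instead of `global.image.tag`, so a user who pins `global.image.tag` (or `gui.image.tag`) to a different release gets a GUI that reports the chart's appVersion rather than the version actually running. If tags are no longer a supported way to pick the server version, that belongs in values.yaml or the README; otherwise the image tag should still take precedence when one is set. Nit in the first hunk: `"component" "gui"}}` lacks the space before `}}` used by the other context dicts in this diff.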
+++ b/mender/templates/inventory/_podtemplate.yaml @@ -24,14 +24,8 @@ spec: {{- end }} containers: - name: {{ ternary "inventory" "inventory-migration" (empty .migration) | quote }} - - {{- if .dot.Values.global.enterprise }} - image: {{ .dot.Values.inventory.image.registry | default "registry.mender.io" }}/{{ .dot.Values.inventory.image.repository | default "mendersoftware/inventory-enterprise" }}:{{ .dot.Values.inventory.image.tag | default .dot.Values.global.image.tag }} - {{- else }} - image: {{ .dot.Values.inventory.image.registry | default "docker.io" }}/{{ .dot.Values.inventory.image.repository | default "mendersoftware/inventory" }}:{{ .dot.Values.inventory.image.tag | default .dot.Values.global.image.tag }} - {{- end }} - - imagePullPolicy: {{ .dot.Values.inventory.image.imagePullPolicy }} + image: {{ include "mender.image" . }} + imagePullPolicy: {{ include "mender.imagePullPolicy" . }} {{- if .dot.Values.inventory.containerSecurityContext.enabled }} securityContext: {{- omit .dot.Values.inventory.containerSecurityContext "enabled" | toYaml | nindent 6 }} {{- end }} 
@@ -81,21 +75,32 @@ spec: - name: INVENTORY_MIDDLEWARE value: {{ .dot.Values.inventory.env.INVENTORY_MIDDLEWARE | quote }} {{- if and .dot.Values.global.enterprise }} - {{- if not (and ( le (int (include "menderVersionMajor" .)) 3 ) ( lt (int (include "menderVersionMinor" .)) 7 )) }} {{- if not .dot.Values.global.redis.existingSecret }} - name: INVENTORY_REDIS_CONNECTION_STRING value: {{ include "redis_connection_string" . }} - {{- end }} - name: INVENTORY_REDIS_KEY_PREFIX value: {{ .dot.Values.device_auth.env.INVENTORY_REDIS_KEY_PREFIX | default "inventory:v1" | quote }} - name: INVENTORY_REDIS_CACHE_EXPIRE_SEC value: {{ .dot.Values.useradm.env.INVENTORY_REDIS_CACHE_EXPIRE_SEC | default "1800" | quote }} {{- end }} {{- end }} + - name: INVENTORY_NATS_URI + {{- if .dot.Values.global.nats.existingSecret }} + valueFrom: + secretKeyRef: + key: NATS_URI + name: {{ .dot.Values.global.nats.existingSecret }} + {{- else }} + value: {{ template "nats_uri" . }} + {{- end }} {{- include "mender.customEnvs" (merge (deepCopy .dot.Values.inventory) (deepCopy (default (dict) .dot.Values.default))) | nindent 4 }} - # Supported configuration settings: https://github.com/mendersoftware/inventory-enterprise/blob/master/config.yaml - # Set in order, last value for the key will be used in case duplications. + {{- /* + Supported configuration settings: + https://github.com/mendersoftware/inventory-enterprise/blob/master/config.yaml + Set in order, last value for the key will be used in case duplications. + */}} + envFrom: - prefix: INVENTORY_ secretRef: 
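Review bot: `name: {{ .dot.Values.global.nats.existingSecret }}` is rendered unquoted, while the Redis `existingSecret` reference a few lines later in the same file is `| quote`d; a value YAML would type as a number breaks the `secretKeyRef`, so use `name: {{ .dot.Values.global.nats.existingSecret | quote }}`. The fallback `value: {{ template "nats_uri" . }}` places the URI in the pod spec as a plain env value; if `nats_uri` can embed credentials (not visible here), that path exposes them in the Deployment object and the `existingSecret` branch should be the documented recommendation in values.yaml. The iot-manager template later in the diff has the identical pair of lines.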
@@ -105,16 +110,14 @@ spec: name: {{ .dot.Values.global.mongodb.existingSecret | default (ternary "mongodb-common" "mongodb-common-prerelease" (empty .migration)) }} {{- end }} - {{- if not (and ( le (int (include "menderVersionMajor" .)) 3 ) ( lt (int (include "menderVersionMinor" .)) 7 ) ) }} {{- if and .dot.Values.global.redis.existingSecret .dot.Values.global.enterprise ( not .dot.Values.global.redis.URL ) ( not .dot.Values.redis.enabled ) }} # Redis existingSecret - prefix: INVENTORY_ secretRef: name: {{ .dot.Values.global.redis.existingSecret | quote }} {{- end }} - {{- end }} - {{- if .dot.Values.global.image.username }} + {{- if and .dot.Values.global.image .dot.Values.global.image.username }} imagePullSecrets: - name: {{ ternary "docker-registry" "docker-registry-prerelease" (empty .migration) }} {{- else }} diff --git a/mender/templates/inventory/deployment.yaml b/mender/templates/inventory/deployment.yaml index 82d7a32f..de9892f9 100644 --- a/mender/templates/inventory/deployment.yaml +++ b/mender/templates/inventory/deployment.yaml @@ -1,5 +1,5 @@ {{- if .Values.inventory.enabled }} -{{- $context := (dict "dot" . "component" "inventory") -}} +{{- $context := dict "dot" . "component" "inventory" "override" .Values.inventory -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/mender/templates/inventory/job.yaml b/mender/templates/inventory/job.yaml index aca62a2e..468d3c21 100644 --- a/mender/templates/inventory/job.yaml +++ b/mender/templates/inventory/job.yaml 
@@ -1,5 +1,10 @@ {{- if .Values.dbmigration.enable }} -{{- $context := (dict "dot" . "component" "inventory" "migration" "true" "restartPolicy" (default "Never" .Values.inventory.migrationRestartPolicy) "extraResources" .Values.inventory.migrationResources) }} +{{- $context := dict "dot" . + "component" "inventory" + "override" .Values.inventory + "migration" "true" + "restartPolicy" (default "Never" .Values.inventory.migrationRestartPolicy) + "extraResources" .Values.inventory.migrationResources -}} apiVersion: batch/v1 kind: Job metadata: diff --git a/mender/templates/iot-manager/_podtemplate.yaml b/mender/templates/iot-manager/_podtemplate.yaml index db3591de..b0b8b938 100644 --- a/mender/templates/iot-manager/_podtemplate.yaml +++ b/mender/templates/iot-manager/_podtemplate.yaml @@ -23,8 +23,8 @@ spec: {{- end }} containers: - name: {{ ternary "iot-manager" "iot-manager-migration" (empty .migration) | quote }} - image: {{ .dot.Values.iot_manager.image.registry }}/{{ .dot.Values.iot_manager.image.repository }}:{{ .dot.Values.iot_manager.image.tag | default .dot.Values.global.image.tag }} - imagePullPolicy: {{ .dot.Values.iot_manager.image.imagePullPolicy }} + image: {{ include "mender.image" . }} + imagePullPolicy: {{ include "mender.imagePullPolicy" . }} {{- if .dot.Values.iot_manager.containerSecurityContext.enabled }} securityContext: {{- omit .dot.Values.iot_manager.containerSecurityContext "enabled" | toYaml | nindent 6 }} {{- end }} 
@@ -71,7 +71,19 @@ spec: {{- end }} env: - # Supported configuration settings: https://github.com/mendersoftware/iot-manager/blob/master/config.yaml + - name: IOT_MANAGER_NATS_URI + {{- if .dot.Values.global.nats.existingSecret }} + valueFrom: + secretKeyRef: + key: NATS_URI + name: {{ .dot.Values.global.nats.existingSecret }} + {{- else }} + value: {{ template "nats_uri" . }} + {{- end }} + {{- /* + Supported configuration settings: + https://github.com/mendersoftware/iot-manager/blob/master/config.yaml + */}} {{- include "mender.customEnvs" (merge (deepCopy .dot.Values.iot_manager) (deepCopy (default (dict) .dot.Values.default))) | nindent 4 }} # Set in order, last value for the key will be used in case duplications. @@ -87,7 +99,7 @@ spec: {{- end }} - {{- if .dot.Values.global.image.username }} + {{- if and .dot.Values.global.image .dot.Values.global.image.username }} imagePullSecrets: - name: {{ ternary "docker-registry" "docker-registry-prerelease" (empty .migration) }} {{- else }} diff --git a/mender/templates/iot-manager/deployment.yaml b/mender/templates/iot-manager/deployment.yaml index 768fb4d1..79d0e4b9 100644 --- a/mender/templates/iot-manager/deployment.yaml +++ b/mender/templates/iot-manager/deployment.yaml @@ -1,5 +1,5 @@ {{- if and .Values.iot_manager.enabled }} -{{- $context := (dict "dot" . "component" "iot-manager") -}} +{{- $context := dict "dot" . "component" "iot-manager" "override" .Values.iot_manager -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/mender/templates/iot-manager/job.yaml b/mender/templates/iot-manager/job.yaml index d40cb585..2cc7e354 100644 --- a/mender/templates/iot-manager/job.yaml +++ b/mender/templates/iot-manager/job.yaml 
@@ -1,5 +1,10 @@ {{- if and .Values.iot_manager.enabled .Values.dbmigration.enable }} -{{- $context := (dict "dot" . "component" "iot-manager" "migration" "true" "restartPolicy" (default "Never" .Values.iot_manager.migrationRestartPolicy) "extraResources" .Values.iot_manager.migrationResources) }} +{{- $context := dict "dot" . + "component" "iot-manager" + "override" .Values.iot_manager + "migration" "true" + "restartPolicy" (default "Never" .Values.iot_manager.migrationRestartPolicy) + "extraResources" .Values.iot_manager.migrationResources -}} apiVersion: batch/v1 kind: Job metadata: diff --git a/mender/templates/secrets/secret-docker-registry-prerelease.yaml b/mender/templates/secrets/secret-docker-registry-prerelease.yaml index ca702170..9e599ab6 100644 --- a/mender/templates/secrets/secret-docker-registry-prerelease.yaml +++ b/mender/templates/secrets/secret-docker-registry-prerelease.yaml @@ -1,4 +1,4 @@ -{{- if .Values.global.image.username }} +{{- if and .Values.global.image .Values.global.image.username }} apiVersion: v1 kind: Secret metadata: diff --git a/mender/templates/secrets/secret-docker-registry.yaml b/mender/templates/secrets/secret-docker-registry.yaml index 7cd3275f..7332f905 100644 --- a/mender/templates/secrets/secret-docker-registry.yaml +++ b/mender/templates/secrets/secret-docker-registry.yaml @@ -1,4 +1,4 @@ -{{- if .Values.global.image.username }} +{{- if and .Values.global.image .Values.global.image.username }} apiVersion: v1 kind: Secret metadata: diff --git a/mender/templates/tenantadm/_podtemplate.yaml b/mender/templates/tenantadm/_podtemplate.yaml index cde602c2..d54f3f54 100644 --- a/mender/templates/tenantadm/_podtemplate.yaml +++ b/mender/templates/tenantadm/_podtemplate.yaml 
@@ -23,8 +23,8 @@ spec: {{- end }} containers: - name: {{ ternary "tenantadm" "tenantadm-migration" (empty .migration) | quote }} - image: {{ .dot.Values.tenantadm.image.registry }}/{{ .dot.Values.tenantadm.image.repository }}:{{ .dot.Values.tenantadm.image.tag | default .dot.Values.global.image.tag }} - imagePullPolicy: {{ .dot.Values.tenantadm.image.imagePullPolicy }} + image: {{ include "mender.image" . }} + imagePullPolicy: {{ include "mender.imagePullPolicy" . }} {{- if .dot.Values.tenantadm.containerSecurityContext.enabled }} securityContext: {{- omit .dot.Values.tenantadm.containerSecurityContext "enabled" | toYaml | nindent 6 }} {{- end }} @@ -66,7 +66,11 @@ spec: periodSeconds: 5 {{- end }} - {{- if (not .migration) }} + {{- if and (not .migration) + .dot.Values.tenantadm.certs + (or .dot.Values.tenantadm.certs.key + .dot.Values.tenantadm.certs.existingSecret) + }} volumeMounts: - name: rsa mountPath: "/etc/tenantadm/rsa/" @@ -102,7 +106,11 @@ spec: nodeSelector: {{ toYaml . | nindent 4 }} {{- end }} - {{- if (not .migration) }} + {{- if and (not .migration) + .dot.Values.tenantadm.certs + (or .dot.Values.tenantadm.certs.key + .dot.Values.tenantadm.certs.existingSecret) + }} volumes: - name: rsa secret: @@ -115,7 +123,7 @@ spec: {{- end }} {{- end }} - {{- if .dot.Values.global.image.username }} + {{- if and .dot.Values.global.image .dot.Values.global.image.username }} imagePullSecrets: - name: {{ ternary "docker-registry" "docker-registry-prerelease" (empty .migration) }} {{- else }} diff --git a/mender/templates/tenantadm/deployment.yaml b/mender/templates/tenantadm/deployment.yaml index 0cfff2e6..64a45fe4 100644 --- a/mender/templates/tenantadm/deployment.yaml +++ b/mender/templates/tenantadm/deployment.yaml 
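Review bot: The new certs condition is duplicated verbatim in the `volumeMounts` and `volumes` hunks; if one copy is edited later the container references a volume that is not declared (or vice versa) and the pod fails to start. Compute it once at the top of the template, e.g. `{{- $tenantadmCerts := and .dot.Values.tenantadm.certs (or .dot.Values.tenantadm.certs.key .dot.Values.tenantadm.certs.existingSecret) }}`, and guard both places with `{{- if and (not .migration) $tenantadmCerts }}`. Note also that without `certs.key` or `certs.existingSecret` tenantadm now starts with nothing mounted at `/etc/tenantadm/rsa/`; presumably the targeted tenantadm release provisions its own key, but that assumption should be written down in values.yaml. The enclosing template starts and ends outside this hunk.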
@@ -1,5 +1,5 @@ {{- if and (.Values.global.enterprise) (.Values.tenantadm.enabled) }} -{{- $context := (dict "dot" . "component" "tenantadm") -}} +{{- $context := (dict "dot" . "component" "tenantadm" "override" .Values.tenantadm) -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/mender/templates/tenantadm/job.yaml b/mender/templates/tenantadm/job.yaml index 6d073707..267a0fdb 100644 --- a/mender/templates/tenantadm/job.yaml +++ b/mender/templates/tenantadm/job.yaml @@ -1,5 +1,11 @@ {{- if and (.Values.global.enterprise) (.Values.tenantadm.enabled) (.Values.dbmigration.enable) }} -{{- $context := (dict "dot" . "component" "tenantadm" "migration" "true" "args" (default (list "migrate") .Values.tenantadm.migrationArgs ) "restartPolicy" (default "Never" .Values.tenantadm.migrationRestartPolicy) "extraResources" .Values.tenantadm.migrationResources) }} +{{- $context := dict "dot" . + "component" "tenantadm" + "override" .Values.tenantadm + "migration" "true" + "args" (default (list "migrate") .Values.tenantadm.migrationArgs ) + "restartPolicy" (default "Never" .Values.tenantadm.migrationRestartPolicy) + "extraResources" .Values.tenantadm.migrationResources -}} apiVersion: batch/v1 kind: Job metadata: diff --git a/mender/templates/tenantadm/secret.yaml b/mender/templates/tenantadm/secret.yaml index e324e4f0..8c04813f 100644 --- a/mender/templates/tenantadm/secret.yaml +++ b/mender/templates/tenantadm/secret.yaml @@ -1,5 +1,10 @@ -{{- if and (.Values.global.enterprise) (.Values.tenantadm.enabled) }} -{{- if not .Values.tenantadm.certs.existingSecret }} +{{- /* This is for backward compatibility only */}} +{{- if and + .Values.global.enterprise + .Values.tenantadm.enabled + .Values.tenantadm.certs + .Values.tenantadm.certs.key + (not .Values.tenantadm.certs.existingSecret) -}} {{- $dummy := required "Valid private key for tenantadm is required!" .Values.tenantadm.certs -}} apiVersion: v1 kind: Secret 
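Review bot: With `.Values.tenantadm.certs.key` now part of the render condition, the following `required "Valid private key for tenantadm is required!" .Values.tenantadm.certs` can no longer fail and could be dropped (it also checks the `certs` map rather than `certs.key`). The `{{- /* This is for backward compatibility only */}}` comment should say what replaces this path, e.g. `{{- /* Backward compatibility: this Secret is rendered only when a key is supplied inline via tenantadm.certs.key */}}`, extended with wherever the key comes from otherwise once that is confirmed.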
@@ -14,6 +19,9 @@ metadata: app.kubernetes.io/part-of: mender helm.sh/chart: "{{ .Chart.Name }}" data: + {{- if and .Values.tenantadm.certs .Values.tenantadm.certs.key }} private.pem: {{ .Values.tenantadm.certs.key | b64enc }} -{{- end }} + {{- else }} + private.pem: {{ genPrivateKey "ed25519" | b64enc }} + {{- end }} {{- end }} diff --git a/mender/templates/useradm/_podtemplate.yaml b/mender/templates/useradm/_podtemplate.yaml index 32743b23..f0d0e8f4 100644 --- a/mender/templates/useradm/_podtemplate.yaml +++ b/mender/templates/useradm/_podtemplate.yaml @@ -24,12 +24,8 @@ spec: {{- end }} containers: - name: {{ ternary "useradm" "useradm-migration" (empty .migration) | quote }} - {{- if .dot.Values.global.enterprise }} - image: {{ .dot.Values.useradm.image.registry | default "registry.mender.io" }}/{{ .dot.Values.useradm.image.repository | default "mendersoftware/useradm-enterprise" }}:{{ .dot.Values.useradm.image.tag | default .dot.Values.global.image.tag }} - {{- else }} - image: {{ .dot.Values.useradm.image.registry | default "docker.io" }}/{{ .dot.Values.useradm.image.repository | default "mendersoftware/useradm" }}:{{ .dot.Values.useradm.image.tag | default .dot.Values.global.image.tag }} - {{- end }} - imagePullPolicy: {{ .dot.Values.useradm.image.imagePullPolicy }} + image: {{ include "mender.image" . }} + imagePullPolicy: {{ include "mender.imagePullPolicy" . }} {{- if .dot.Values.useradm.containerSecurityContext.enabled }} securityContext: {{- omit .dot.Values.useradm.containerSecurityContext "enabled" | toYaml | nindent 6 }} {{- end }} @@ -78,11 +74,7 @@ spec: {{- if (not .migration) }} volumeMounts: - name: rsa - {{- if .dot.Values.global.enterprise }} - mountPath: "/etc/useradm-enterprise/rsa/" - {{- else }} mountPath: "/etc/useradm/rsa/" - {{- end }} readOnly: true {{- end }} 
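Review bot: The `{{- else }} private.pem: {{ genPrivateKey "ed25519" | b64enc }}` branch is unreachable: the template's outer condition in the preceding hunk already requires `.Values.tenantadm.certs.key`, so the inner `if and .Values.tenantadm.certs .Values.tenantadm.certs.key` is always true here. Either drop the inner if/else and keep the plain `private.pem: {{ .Values.tenantadm.certs.key | b64enc }}`, or, if a generated key is intended for the no-key case, relax the outer condition — in which case the per-upgrade key rotation concern raised on the device-auth secret applies here too.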
@@ -97,6 +89,8 @@ spec: value: {{ .dot.Values.useradm.env.USERADM_JWT_EXP_TIMEOUT | quote }} - name: USERADM_BASE_URL value: {{ .dot.Values.global.url | quote }} + - name: USERADM_SERVER_PRIV_KEY_PATH + value: /etc/useradm/rsa/private.pem {{- if and (.dot.Values.global.enterprise) (.dot.Values.tenantadm.enabled) }} - name: USERADM_HAVE_ADDONS value: "true" 
@@ -110,29 +104,20 @@ spec: value: "true" {{- end }} {{- if and .dot.Values.global.enterprise }} - {{- if and ( le (int (include "menderVersionMajor" .)) 3 ) ( lt (int (include "menderVersionMinor" .)) 7 ) }} - - name: USERADM_REDIS_ADDR - value: {{ include "redis_address" . }} - - name: USERADM_REDIS_USERNAME - value: {{ .dot.Values.global.redis.username | default "" | quote }} - - name: USERADM_REDIS_PASSWORD - value: {{ .dot.Values.global.redis.password | default "" | quote }} - - name: USERADM_REDIS_DB - value: {{ .dot.Values.useradm.env.USERADM_REDIS_DB | default "1" | quote }} - - name: USERADM_REDIS_TIMEOUT_SEC - value: {{ .dot.Values.useradm.env.USERADM_REDIS_TIMEOUT_SEC | default "1" | quote }} - {{- else }} + - name: USERADM_PLAN_DEFINITIONS_PATH + value: /etc/useradm/plans.yaml {{- if not .dot.Values.global.redis.existingSecret }} # redis_address deprecated from 3.7 - name: USERADM_REDIS_CONNECTION_STRING value: {{ include "redis_connection_string" . }} - {{- end }} + - name: USERADM_REDIS_TIMEOUT_SEC + value: {{ .dot.Values.useradm.env.USERADM_REDIS_TIMEOUT_SEC | default "1" | quote }} - name: USERADM_REDIS_KEY_PREFIX value: {{ .dot.Values.device_auth.env.USERADM_REDIS_KEY_PREFIX | default "useradm:v1" | quote }} - {{- end }} - name: USERADM_REDIS_LIMITS_EXPIRE_SEC value: {{ .dot.Values.useradm.env.USERADM_REDIS_LIMITS_EXPIRE_SEC | default "3600" | quote }} {{- end }} + {{- end }} {{- include "mender.customEnvs" (merge (deepCopy .dot.Values.useradm) (deepCopy (default (dict) .dot.Values.default))) | nindent 4 }} # Supported configuration settings: https://github.com/mendersoftware/useradm/blob/master/config.yaml 
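Review bot: `USERADM_PLAN_DEFINITIONS_PATH` is pointed at `/etc/useradm/plans.yaml`, but no volume or ConfigMap providing that file appears anywhere in this diff; if the file ships inside the image that should be stated in a comment next to the entry, otherwise useradm fails on a missing file once the enterprise block is active. Also, the adjacent context line reads `USERADM_REDIS_KEY_PREFIX` from `.dot.Values.device_auth.env`, which looks like a copy-paste slip; while this block is being reshaped it is worth switching to `.dot.Values.useradm.env.USERADM_REDIS_KEY_PREFIX`, as the new `USERADM_REDIS_TIMEOUT_SEC` line already does, after confirming no deployment relies on the old key location. The enclosing container spec continues outside the hunk.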
@@ -142,30 +127,26 @@ spec: secretRef: name: {{ .dot.Values.global.mongodb.existingSecret | default (ternary "mongodb-common" "mongodb-common-prerelease" (empty .migration)) }} - {{- if not (and ( le (int (include "menderVersionMajor" .)) 3 ) ( lt (int (include "menderVersionMinor" .)) 7 ) ) }} {{- if and .dot.Values.global.redis.existingSecret .dot.Values.global.enterprise ( not .dot.Values.global.redis.URL ) ( not .dot.Values.redis.enabled ) }} # Redis existingSecret - prefix: USERADM_ secretRef: name: {{ .dot.Values.global.redis.existingSecret | quote }} {{- end }} - {{- end }} {{- if (not .migration) }} volumes: - name: rsa secret: - {{- with .dot.Values.useradm.certs }} - {{- if .existingSecret }} - secretName: {{ .existingSecret }} + {{- if and .dot.Values.useradm.certs .dot.Values.useradm.certs.existingSecret }} + secretName: {{ .dot.Values.useradm.certs.existingSecret }} {{- else }} secretName: rsa-useradm {{- end }} - {{- end }} {{- end }} - {{- if .dot.Values.global.image.username }} + {{- if and .dot.Values.global.image .dot.Values.global.image.username }} imagePullSecrets: - name: {{ ternary "docker-registry" "docker-registry-prerelease" (empty .migration) }} {{- else }} diff --git a/mender/templates/useradm/deployment.yaml b/mender/templates/useradm/deployment.yaml index 656907b6..53a13179 100644 --- a/mender/templates/useradm/deployment.yaml +++ b/mender/templates/useradm/deployment.yaml @@ -1,5 +1,7 @@ {{- if .Values.useradm.enabled }} -{{- $context := (dict "dot" . "component" "useradm") -}} +{{- $context := (dict "dot" . + "component" "useradm" + "override" .Values.useradm) -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/mender/templates/useradm/job.yaml b/mender/templates/useradm/job.yaml index 23a797c3..44c77d38 100644 --- a/mender/templates/useradm/job.yaml +++ b/mender/templates/useradm/job.yaml 
@@ -1,5 +1,10 @@ {{- if and .Values.global.enterprise .Values.dbmigration.enable }} -{{- $context := (dict "dot" . "component" "useradm" "migration" "true" "restartPolicy" (default "Never" .Values.useradm.migrationRestartPolicy) "extraResources" .Values.useradm.migrationResources) }} +{{- $context := dict "dot" . + "component" "useradm" + "override" .Values.useradm + "migration" "true" + "restartPolicy" (default "Never" .Values.useradm.migrationRestartPolicy) + "extraResources" .Values.useradm.migrationResources }} apiVersion: batch/v1 kind: Job metadata: diff --git a/mender/templates/useradm/secret.yaml b/mender/templates/useradm/secret.yaml index 30766bae..f7cfcb2c 100644 --- a/mender/templates/useradm/secret.yaml +++ b/mender/templates/useradm/secret.yaml @@ -14,6 +14,10 @@ metadata: app.kubernetes.io/part-of: mender helm.sh/chart: "{{ .Chart.Name }}" data: + {{- if and .Values.useradm.certs .Values.useradm.certs.key }} private.pem: {{ .Values.useradm.certs.key | b64enc }} + {{- else }} + private.pem: {{ genPrivateKey "ed25519" | b64enc }} + {{- end }} {{- end }} {{- end }} diff --git a/mender/templates/workflows/_podtemplate.yaml b/mender/templates/workflows/_podtemplate.yaml index 9997fe47..0ca499e0 100644 --- a/mender/templates/workflows/_podtemplate.yaml +++ b/mender/templates/workflows/_podtemplate.yaml 
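Review bot: The `{{- else }}` branch added to useradm/secret.yaml calls `genPrivateKey "ed25519"` on every render, so unless the template is guarded elsewhere with `lookup`, each `helm upgrade` writes a fresh private key into `private.pem`; the useradm pods mount that Secret as their signing key (the `rsa` volume, default name `rsa-useradm`), so every upgrade would rotate it and presumably invalidate tokens issued under the previous key. Reuse the value already in the cluster and only generate when none exists (`lookup` returns an empty map under `helm template`, which still falls through to generation), or document that `useradm.certs.key` / `useradm.certs.existingSecret` must be set for stable deployments. The Secret's `metadata` and the two enclosing `{{- if }}` blocks start before this hunk, so I cannot see whether the template is already skipped when `existingSecret` is set; the secret name in the fence is the podtemplate default and must match `metadata.name`.
```yaml
data:
  {{- $existing := lookup "v1" "Secret" .Release.Namespace "rsa-useradm" }}
  {{- if and .Values.useradm.certs .Values.useradm.certs.key }}
  private.pem: {{ .Values.useradm.certs.key | b64enc }}
  {{- else if and $existing $existing.data (index $existing.data "private.pem") }}
  # keep the key already in the cluster so upgrades do not rotate it
  private.pem: {{ index $existing.data "private.pem" }}
  {{- else }}
  private.pem: {{ genPrivateKey "ed25519" | b64enc }}
  {{- end }}
# … unchanged: closing {{- end }} blocks …
```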
@@ -23,12 +23,8 @@ spec: {{- end }} containers: - name: {{ ternary "workflows" "workflows-migration" (empty .migration) | quote }} - {{- if .dot.Values.global.enterprise }} - image: {{ .dot.Values.workflows.image.registry | default "registry.mender.io" }}/{{ .dot.Values.workflows.image.repository | default "mendersoftware/workflows-enterprise" }}{{ ternary "" "-worker" (empty .worker) }}:{{ .dot.Values.workflows.image.tag | default .dot.Values.global.image.tag }} - {{- else }} - image: {{ .dot.Values.workflows.image.registry | default "docker.io" }}/{{ .dot.Values.workflows.image.repository | default "mendersoftware/workflows" }}{{ ternary "" "-worker" (empty .worker) }}:{{ .dot.Values.workflows.image.tag | default .dot.Values.global.image.tag }} - {{- end }} - imagePullPolicy: {{ .dot.Values.workflows.image.imagePullPolicy }} + image: {{ include "mender.image" . }} + imagePullPolicy: {{ include "mender.imagePullPolicy" . }} {{- if .dot.Values.workflows.containerSecurityContext.enabled }} securityContext: {{- omit .dot.Values.workflows.containerSecurityContext "enabled" | toYaml | nindent 6 }} {{- end }} 
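Review bot: The removed lines appended `-worker` to the repository whenever `.worker` was set, but the replacement `image: {{ include "mender.image" . }}` receives the same `imageComponent "workflows"` from both deployment-server.yaml and deployment-worker.yaml, so unless `mender.image` (not in this diff) inspects `.worker`, the worker Deployment will now pull the server image. Please confirm the helper handles it, or pass a distinct value such as `"imageComponent" "workflows-worker"` from the worker template. The `containers` entry continues past this hunk.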
@@ -37,22 +33,22 @@ spec: resources: {{- nindent 6 . }} {{- end }} - {{- if (not .migration) }} - {{- if and .dot.Values.workflows.automigrate (not .worker) }} - args: ["server", "--automigrate"] - {{- else if and (not .dot.Values.workflows.automigrate) (not .worker) }} - args: ["server"] - {{- else if and .dot.Values.workflows.automigrate .worker }} - args: ["worker", "--excluded-workflows", "generate_artifact", "--automigrate"] - {{- else if and (not .dot.Values.workflows.automigrate) .worker }} - args: ["worker", "--excluded-workflows", "generate_artifact"] - {{- else }} - {{- fail "Missing args. This condition is not expected" }} - {{- end }} - {{- else }} - args: ["migrate", "--skip-nats"] - {{- end }} - + args: + {{- if .migration}} + - migrate + - --skip-nats + {{- else }} + {{- if .worker }} + - worker + - --excluded-workflows + - generate_artifact + {{- else }} + - server + {{- end }} + {{- if .dot.Values.workflows.automigrate }} + - --automigrate + {{- end }} + {{- end }} {{- if and (not .migration) (not .worker) }} # Readiness/liveness probes @@ -126,7 +122,7 @@ spec: volumeMounts: {{ toYaml .volumeMounts | nindent 6 }} {{- end }} - {{- if .dot.Values.global.image.username }} + {{- if and .dot.Values.global.image .dot.Values.global.image.username }} imagePullSecrets: - name: {{ ternary "docker-registry" "docker-registry-prerelease" (empty .migration) }} {{- else }} diff --git a/mender/templates/workflows/deployment-server.yaml b/mender/templates/workflows/deployment-server.yaml index 06744ab4..3d03999e 100644 --- a/mender/templates/workflows/deployment-server.yaml +++ b/mender/templates/workflows/deployment-server.yaml @@ -1,5 +1,5 @@ {{- if .Values.workflows.enabled }} -{{- $context := (dict "dot" . "component" "workflows-server") -}} +{{- $context := dict "dot" . "component" "workflows-server" "imageComponent" "workflows" "override" .Values.workflows -}} apiVersion: apps/v1 kind: Deployment metadata: 
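Review bot: `{{- if .migration}}` in the new `args:` block omits the space before `}}` that every other action in this file uses; write `{{- if .migration }}`. The argument sets do match the removed branches (server or worker, optional `--automigrate`, and `migrate --skip-nats` for the job), but a short comment above `args:` stating that the migration job intentionally never receives `--automigrate` would save the next reader re-deriving it from the nesting. The container definition continues past the hunk.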
diff --git a/mender/templates/workflows/deployment-worker.yaml b/mender/templates/workflows/deployment-worker.yaml index f9c71102..854a4626 100644 --- a/mender/templates/workflows/deployment-worker.yaml +++ b/mender/templates/workflows/deployment-worker.yaml @@ -1,5 +1,9 @@ {{- if .Values.workflows.enabled }} -{{- $context := (dict "dot" . "component" "workflows-worker" "worker" "true") -}} +{{- $context := dict "dot" . + "component" "workflows-worker" + "imageComponent" "workflows" + "override" .Values.workflows + "worker" "true" -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/mender/templates/workflows/job.yaml b/mender/templates/workflows/job.yaml index ff031445..1aae4f8c 100644 --- a/mender/templates/workflows/job.yaml +++ b/mender/templates/workflows/job.yaml @@ -1,5 +1,10 @@ {{- if and .Values.global.enterprise .Values.dbmigration.enable }} -{{- $context := (dict "dot" . "component" "workflows" "migration" "true" "restartPolicy" (default "Never" .Values.workflows.migrationRestartPolicy) "extraResources" .Values.workflows.migrationResources) }} +{{- $context := dict "dot" . + "component" "workflows" + "override" .Values.workflows + "migration" "true" + "restartPolicy" (default "Never" .Values.workflows.migrationRestartPolicy) + "extraResources" .Values.workflows.migrationResources -}} apiVersion: batch/v1 kind: Job metadata: diff --git a/mender/values.yaml b/mender/values.yaml index 7a85756e..8a5a7d58 100644 --- a/mender/values.yaml +++ b/mender/values.yaml 
@@ -1,31 +1,23 @@ fullnameOverride: "" global: - enterprise: true + enterprise: false hosted: false auditlogs: true priorityClassName: "" - image: - registry: registry.mender.io - username: null - password: null - tag: mender-3.7.7 - mongodb: existingSecret: "" - URL: mongodb://mongodb + URL: "" nats: existingSecret: "" - URL: nats://nats:4222 + URL: "" redis: - username: null - password: null URL: "" existingSecret: "" storage: "aws" s3: existingSecret: "" - AWS_URI: "" + AWS_URI: "https://mender.example.com" AWS_EXTERNAL_URI: "" AWS_BUCKET: mender-artifact-storage AWS_REGION: us-east-1 @@ -60,6 +52,16 @@ default: affinity: {} tolerations: {} + # The default.image depends on the state of `global.enterprise`: + # If true: registry.mender.io/mender-server-enterprise + # If false: docker.io/mendersoftware + # The tag defaults to the chart version. + # image: + # registry: docker.io|registry.mender.io + # repository: mendersoftware|mender-server-enterprise + # tag: {{ .Chart.AppVersion }} + # pullPolicy: IfNotPresent + # HorizontalPodAutoscaler default resources hpa: {} # enabled: true @@ -97,7 +99,8 @@ default: maxUnavailable: 0 # Override the properties of the Readiness and Liveness probes - probesOverrides: {} + probesOverrides: + {} # timeoutSeconds: 1 # successThreshold: 1 # failureThreshold: 3 @@ -130,14 +133,13 @@ ingress: # serviceName: ssl-redirect # servicePort: use-annotation hosts: - - mender.example.org + - mender.example.com tls: # this secret must exists or can be created from a working cert-manager # instance - secretName: mender-ingress-tls hosts: - - mender.example.org - + - mender.example.com # Helm chart smoke tests tests: @@ -145,7 +147,7 @@ tests: # Using default values from https://artifacthub.io/packages/helm/bitnami/mongodb mongodb: - enabled: false + enabled: true architecture: replicaset externalAccess: enabled: false 
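Review bot: `global.s3.AWS_URI` now defaults to the placeholder `"https://mender.example.com"`, so a release that forgets to set it renders successfully and points artifact storage, and the S3 credentials it signs requests with, at a host the operator does not control; the previous `""` at least made the omission visible. Prefer keeping the default empty and failing at render time, e.g. `{{ required "global.s3.AWS_URI must be set" .Values.global.s3.AWS_URI }}` in the template, or move the example into the comment. In the same file `mongodb.enabled: true` and `nats.enabled: true` now ship the bitnami and nats subcharts by default; the redis stanza already carries a "test usage only" caveat, and a matching comment on these two (plus a note on whether the embedded MongoDB has `auth.enabled`) would keep production operators from relying on them unknowingly.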
@@ -187,13 +189,14 @@ mongodb: # Using default values from # https://github.com/nats-io/k8s/tree/main/helm/charts/nats nats: - enabled: false + enabled: true cluster: enabled: true replicas: 3 fullnameOverride: "" nats: - image: "nats:2.9.20-scratch" + image: + tag: "2.9.20-scratch" jetstream: enabled: true memStorage: @@ -234,16 +237,16 @@ api_gateway: httpPort: 80 httpsPort: 443 env: - SSL: true + SSL: false minio: - enabled: true + enabled: false podAnnotations: {} url: "http://minio:9000" customRule: null storage_proxy: - enabled: false - url: "" - customRule: "HostRegexp(`{domain:^artifacts.*$}`)" + enabled: true + url: "http://seaweedfs-s3:8333" + customRule: "PathRegexp(`^/mender-artifact-storage`)" passHostHeader: false compression: true security_redirect: null @@ -289,7 +292,8 @@ api_gateway: # prometheus pod monitor podMonitor: enabled: false - customLabels: {} + customLabels: + {} # prometheus-operated: "true" # Override the properties of the Readiness, Liveness and Startup probes @@ -316,10 +320,10 @@ deployments: jitter: "3s" skipVerify: false daemonSchedule: "15 * * * *" - image: - registry: "" - repository: "" - imagePullPolicy: IfNotPresent + # image: + # registry: "" + # repository: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} service: @@ -360,7 +364,9 @@ deployments: # memory: 64Mi # custom envs - customEnvs: [] + customEnvs: + - name: DEPLOYMENTS_STORAGE_PROXY_URI + value: "mender.example.com" # - name: LOG_LEVEL # value: DEBUG @@ -372,7 +378,8 @@ deployments: # maxUnavailable: 25% # Override the properties of the Readiness, Liveness and Startup probes - probesOverrides: {} + probesOverrides: + {} # timeoutSeconds: 2 # successThreshold: 2 # failureThreshold: 6 
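Review bot: `api_gateway.env.SSL` now defaults to `false`, so a stock install serves the user and device APIs (passwords, device auth tokens) over plain HTTP unless TLS is terminated elsewhere; the `ingress.tls` stanza in this same file suggests that is the intended place, so state it next to the flag, e.g. `# SSL: false assumes TLS is terminated at the ingress (see ingress.tls); set to true when the gateway is exposed directly`. In the same hunk `storage_proxy.url: "http://seaweedfs-s3:8333"` and the new `DEPLOYMENTS_STORAGE_PROXY_URI: "mender.example.com"` (no scheme) are test and placeholder endpoints promoted to chart defaults — seaweedfs is installed separately by tests/ci-make-deps.sh, not by this chart as far as the diff shows — so consider leaving them empty in values.yaml and setting them in the tests/values-*.yaml files.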
@@ -390,10 +397,10 @@ device_auth: cpu: 350m memory: 128Mi affinity: {} - image: - registry: "" - repository: "" - imagePullPolicy: IfNotPresent + # image: + # registry: "" + # repository: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} service: @@ -458,7 +465,8 @@ device_auth: # maxUnavailable: 25% # Override the properties of the Readiness, Liveness and Startup probes - probesOverrides: {} + probesOverrides: + {} # timeoutSeconds: 2 # successThreshold: 2 # failureThreshold: 6 @@ -493,10 +501,11 @@ generate_delta_worker: cpu: 100m memory: 128Mi affinity: {} - image: - registry: registry.mender.io - repository: mendersoftware/generate-delta-worker - imagePullPolicy: IfNotPresent + # image: + # registry: "" + # repository: "" + # tag: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} priorityClassName: "" @@ -525,10 +534,11 @@ gui: cpu: 5m memory: 16Mi affinity: {} - image: - registry: docker.io - repository: mendersoftware/gui - imagePullPolicy: IfNotPresent + # image: + # registry: docker.io + # repository: mendersoftware/gui + # tag: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} service: @@ -537,7 +547,7 @@ gui: type: ClusterIP port: 80 portError: 8080 - httpPort: 80 + httpPort: 8090 podSecurityContext: enabled: false runAsNonRoot: true @@ -561,7 +571,8 @@ gui: # maxUnavailable: 25% # Override the properties of the Readiness, Liveness and Startup probes - probesOverrides: {} + probesOverrides: + {} # timeoutSeconds: 2 # successThreshold: 2 # failureThreshold: 6 @@ -583,10 +594,11 @@ inventory: cpu: 300m memory: 128Mi affinity: {} - image: - registry: "" - repository: "" - imagePullPolicy: IfNotPresent + # image: + # registry: "" + # repository: "" + # tag: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} service: 
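Review bot: `gui.httpPort` moves from `80` to `8090` with no comment; the surrounding `podSecurityContext` sets `runAsNonRoot: true` and the Service keeps `port: 80`, so this looks like a move to an unprivileged listen port so the container can bind without `NET_BIND_SERVICE` — but that is an inference. A one-line comment such as `# unprivileged listen port; the Service still exposes 80` would record the intent and stop a well-meaning revert. The gui stanza begins before this hunk.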
@@ -637,7 +649,8 @@ inventory: # value: DEBUG # Override the properties of the Readiness, Liveness and Startup probes - probesOverrides: {} + probesOverrides: + {} # timeoutSeconds: 2 # successThreshold: 2 # failureThreshold: 6 @@ -654,10 +667,11 @@ tenantadm: cpu: 150m memory: 64Mi affinity: {} - image: - registry: registry.mender.io - repository: mendersoftware/tenantadm - imagePullPolicy: IfNotPresent + # image: + # registry: "" + # repository: "" + # tag: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} service: @@ -682,12 +696,6 @@ tenantadm: hpa: {} pdb: {} priorityClassName: "" - certs: {} - # key: |- - # -----BEGIN PRIVATE KEY----- - # ... - # -----END PRIVATE KEY----- - # existingSecret: my-secret-name ## Migration Job @@ -723,7 +731,8 @@ tenantadm: # maxUnavailable: 25% # Override the properties of the Readiness, Liveness and Startup probes - probesOverrides: {} + probesOverrides: + {} # timeoutSeconds: 2 # successThreshold: 2 # failureThreshold: 6 @@ -741,10 +750,11 @@ useradm: cpu: 150m memory: 64Mi affinity: {} - image: - registry: "" - repository: "" - imagePullPolicy: IfNotPresent + # image: + # registry: "" + # repository: "" + # tag: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} service: @@ -809,7 +819,8 @@ useradm: # maxUnavailable: 25% # Override the properties of the Readiness, Liveness and Startup probes - probesOverrides: {} + probesOverrides: + {} # timeoutSeconds: 2 # successThreshold: 2 # failureThreshold: 6 @@ -827,10 +838,11 @@ workflows: cpu: 10m memory: 64Mi affinity: {} - image: - registry: "" - repository: "" - imagePullPolicy: IfNotPresent + # image: + # registry: "" + # repository: "" + # tag: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} service: 
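Review bot: `tenantadm.certs` is deleted from values.yaml, yet no tenantadm template is touched in this diff; the useradm templates in this same change needed the `and .Values.useradm.certs .Values.useradm.certs.key` nil-guard precisely because `certs` can now be absent, so any tenantadm template that still dereferences `.Values.tenantadm.certs.key` or `.Values.tenantadm.certs.existingSecret` will fail to render with a nil-pointer error. Please confirm, and either keep `certs: {}` as a documented placeholder or add the matching guard in tenantadm's templates.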
@@ -891,12 +903,12 @@ workflows: # secretName: my-credential-file # Override the properties of the Readiness, Liveness and Startup probes - probesOverrides: {} + probesOverrides: + {} # timeoutSeconds: 2 # successThreshold: 2 # failureThreshold: 6 - create_artifact_worker: enabled: true podAnnotations: {} @@ -910,10 +922,11 @@ create_artifact_worker: cpu: 100m memory: 128Mi affinity: {} - image: - registry: docker.io - repository: mendersoftware/create-artifact-worker - imagePullPolicy: IfNotPresent + # image: + # registry: "" + # repository: "" + # tag: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} podSecurityContext: @@ -954,10 +967,11 @@ auditlogs: cpu: 50m memory: 128Mi affinity: {} - image: - registry: registry.mender.io - repository: mendersoftware/auditlogs - imagePullPolicy: IfNotPresent + # image: + # registry: "" + # repository: "" + # tag: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} service: @@ -1006,7 +1020,8 @@ auditlogs: # maxUnavailable: 25% # Override the properties of the Readiness, Liveness and Startup probes - probesOverrides: {} + probesOverrides: + {} # timeoutSeconds: 2 # successThreshold: 2 # failureThreshold: 6 @@ -1024,10 +1039,11 @@ iot_manager: cpu: 50m memory: 128Mi affinity: {} - image: - registry: docker.io - repository: mendersoftware/iot-manager - imagePullPolicy: IfNotPresent + # image: + # registry: "" + # repository: "" + # tag: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} service: @@ -1081,7 +1097,8 @@ iot_manager: existingSecret: "" # Override the properties of the Readiness, Liveness and Startup probes - probesOverrides: {} + probesOverrides: + {} # timeoutSeconds: 2 # successThreshold: 2 # failureThreshold: 6 
@@ -1099,10 +1116,11 @@ deviceconnect: cpu: 100m memory: 128Mi affinity: {} - image: - registry: docker.io - repository: mendersoftware/deviceconnect - imagePullPolicy: IfNotPresent + # image: + # registry: "" + # repository: "" + # tag: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} service: @@ -1153,7 +1171,8 @@ deviceconnect: # maxUnavailable: 25% # Override the properties of the Readiness, Liveness and Startup probes - probesOverrides: {} + probesOverrides: + {} # timeoutSeconds: 2 # successThreshold: 2 # failureThreshold: 6 @@ -1171,10 +1190,11 @@ deviceconfig: cpu: 100m memory: 128Mi affinity: {} - image: - registry: docker.io - repository: mendersoftware/deviceconfig - imagePullPolicy: IfNotPresent + # image: + # registry: "" + # repository: "" + # tag: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} service: @@ -1223,7 +1243,8 @@ deviceconfig: # maxUnavailable: 25% # Override the properties of the Readiness, Liveness and Startup probes - probesOverrides: {} + probesOverrides: + {} # timeoutSeconds: 2 # successThreshold: 2 # failureThreshold: 6 @@ -1241,10 +1262,10 @@ devicemonitor: cpu: 100m memory: 128Mi affinity: {} - image: - registry: registry.mender.io - repository: mendersoftware/devicemonitor - imagePullPolicy: IfNotPresent + # image: + # registry: "" + # repository: "" + # pullPolicy: IfNotPresent imagePullSecrets: [] nodeSelector: {} service: @@ -1296,7 +1317,8 @@ devicemonitor: # maxUnavailable: 25% # Override the properties of the Readiness, Liveness and Startup probes - probesOverrides: {} + probesOverrides: + {} # timeoutSeconds: 2 # successThreshold: 2 # failureThreshold: 6 @@ -1305,7 +1327,7 @@ devicemonitor: # Using a bitnami sub-chart by default = test usage only # It's recommended to use a suitable Redis Cluster for Production redis: - enabled: true + enabled: false architecture: replication commonAnnotations: helm.sh/hook: "pre-install" 
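Review bot: `redis.enabled` flips to `false` while `global.redis.URL` and `global.redis.existingSecret` default to empty; that is consistent with the new `global.enterprise: false` default, but the useradm podtemplate renders `USERADM_REDIS_CONNECTION_STRING` whenever `enterprise` is true and no `existingSecret` is given, so an enterprise install with stock values gets a Redis configuration pointing nowhere. The comment above `redis:` should say that enterprise deployments must set one of `global.redis.URL`, `global.redis.existingSecret` or `redis.enabled: true` (as tests/values-helmci.yaml does). Minor: `devicemonitor`'s commented `image:` block omits the `# tag: ""` line every other component carries.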
diff --git a/tests/ci-make-deps.sh b/tests/ci-make-deps.sh index 538f86d4..66d50679 100755 --- a/tests/ci-make-deps.sh +++ b/tests/ci-make-deps.sh @@ -13,36 +13,34 @@ # See the License for the specific language governing permissions and # limitations under the License. -. tests/variables.sh . tests/functions.sh set -e -local_minio_only=${1:-"false"} +local_seaweedfs_only=${1:-"false"} -log "deploying dependencies: minio" -kubectl create secret generic mender-minio --from-literal=root-user=${MINIO_accessKey} --from-literal=root-password=${MINIO_secretKey} -kubectl apply -f tests/minio-standalone/minio.yaml +log "deploying dependencies: seaweedfs" +helm install seaweedfs --wait -f tests/seaweedfs.yaml seaweedfs/seaweedfs -if [[ "$local_minio_only" == "true" ]]; then +if [[ "$local_seaweedfs_only" == "true" ]]; then log "not deploying mongodb" else log "deploying dependencies: mongodb" helm install mender-mongo bitnami/mongodb \ --version 12.1.31 \ - --set "image.tag=4.4.13-debian-10-r63" \ + --set "image.tag=6.0.13-debian-11-r21" \ --set "auth.enabled=false" \ --set "persistence.enabled=false" \ -f ./tests/affinity-x86_64-standard.yaml fi -if [[ "$local_minio_only" == "true" ]]; then +if [[ "$local_seaweedfs_only" == "true" ]]; then log "not deploying nats" else log "deploying dependencies: nats" helm install nats nats/nats \ --version 0.8.2 \ - --set "nats.image=nats:2.7.4-scratch" \ + --set "nats.image=nats:2.9.25-scratch" \ --set "nats.jetstream.enabled=true" \ -f ./tests/affinity-x86_64-standard.yaml fi diff --git a/tests/seaweedfs.yaml b/tests/seaweedfs.yaml new file mode 100644 index 00000000..a2740621 --- /dev/null +++ b/tests/seaweedfs.yaml @@ -0,0 +1,13 @@ +--- +global: + createClusterRole: false +filer: + s3: + enabled: true + enableAuth: true + createBuckets: + - name: "mender-artifacts-seaweedfs" + storageClass: "gp2" +s3: + enabled: true + enableAuth: true 
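Review bot: `helm install seaweedfs --wait -f tests/seaweedfs.yaml seaweedfs/seaweedfs` pins no chart version, unlike the `--version 12.1.31` and `--version 0.8.2` pins on mongodb and nats just below it, so every CI run installs whatever the seaweedfs repo currently publishes into the shared EKS cluster — non-reproducible and an unreviewed supply-chain input. Pin it: `helm install seaweedfs --wait --version <tested version> -f tests/seaweedfs.yaml seaweedfs/seaweedfs`. Separately, CI's external nats is bumped to `nats:2.9.25-scratch` while the subchart default in mender/values.yaml is `2.9.20-scratch`, so the tests no longer exercise the version the chart ships. `global.createClusterRole: false` and `enableAuth: true` in the new tests/seaweedfs.yaml are the right choices for a shared cluster.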
diff --git a/tests/test-002-create-tenant-and-user-and-login.sh b/tests/test-002-create-tenant-and-user-and-login.sh index 00deeb65..9320623d 100644 --- a/tests/test-002-create-tenant-and-user-and-login.sh +++ b/tests/test-002-create-tenant-and-user-and-login.sh @@ -1,6 +1,6 @@ #!/bin/bash # Copyright 2023 Northern.tech AS -# +# # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -36,7 +36,7 @@ echo "> Creating a new tenant: $TENANT_NAME" TENANT_ID=$(kubectl exec $TENANTADM -- tenantadm create-org --name $TENANT_NAME --username "$ADMIN_USERNAME" --password "$ADMIN_PASSWORD" --plan "enterprise") echo "> Creating a new user for the tenant: $USER_USERNAME / $USER_PASSWORD" -kubectl exec $USERADM -- useradm-enterprise create-user --username "$USER_USERNAME" --password "$USER_PASSWORD" --tenant-id "$TENANT_ID" --roles "RBAC_ROLE_PERMIT_ALL" +kubectl exec $USERADM -- useradm create-user --username "$USER_USERNAME" --password "$USER_PASSWORD" --tenant-id "$TENANT_ID" --roles "RBAC_ROLE_PERMIT_ALL" # sleep one second, to let the workflow execute sleep 1 diff --git a/tests/values-helmci-5.x.yaml b/tests/values-helmci-5.x.yaml new file mode 100644 index 00000000..b5da3ee8 --- /dev/null +++ b/tests/values-helmci-5.x.yaml @@ -0,0 +1,19 @@ +global: + mongodb: + URL: mongodb://mender-mongo-mongodb + s3: + AWS_URI: http://seaweedfs-s3:8333 + AWS_REGION: eu-central-1 + +redis: + architecture: standalone + master: + persistence: + enabled: false + replica: + persistence: + enabled: false + +api_gateway: + env: + SSL: false diff --git a/tests/values-helmci-internal-backing-services.yaml b/tests/values-helmci-internal-backing-services.yaml index 764a173c..f535b45a 100644 --- a/tests/values-helmci-internal-backing-services.yaml +++ b/tests/values-helmci-internal-backing-services.yaml 
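Review bot: The new tests/values-helmci-5.x.yaml has no comment saying which pipeline or chart line it targets, and unlike its sibling tests/values-helmci.yaml it sets neither `global.enterprise` nor `default.imagePullSecrets`, so it silently inherits whatever values.yaml defaults to (`enterprise: false` after this change). If it is meant for the open-source path, a header such as `# Values for the helm-ci job on the 5.x chart line: open-source, in-cluster redis, seaweedfs S3` plus an explicit `global.enterprise: false` would make the intent survive future default changes.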
@@ -1,10 +1,12 @@ global: - mongodb: - URL: "" - nats: - URL: "" - redis: - URL: "" + enterprise: true + s3: + AWS_URI: http://seaweedfs-s3:8333 + AWS_REGION: us-east-1 + +default: + imagePullSecrets: + - name: my-mender-pull-secret ingress: enabled: true @@ -58,7 +60,6 @@ nats: cluster: enabled: false nats: - image: "nats:2.7.4-scratch" jetstream: enabled: true memStorage: @@ -69,7 +70,7 @@ nats: podAnnotations: {} statefulSetAnnotations: {} serviceAnnotations: {} - + # Redis as a subchart # Using a standalone bitnami helm chart by default = test usage only # It's recommended to use a suitable Redis Cluster for Production @@ -87,7 +88,3 @@ redis: replica: persistence: enabled: false - -api_gateway: - env: - SSL: false diff --git a/tests/values-helmci.yaml b/tests/values-helmci.yaml index 3c18af7f..00b7bf2d 100644 --- a/tests/values-helmci.yaml +++ b/tests/values-helmci.yaml @@ -1,11 +1,24 @@ global: + enterprise: true mongodb: URL: mongodb://mender-mongo-mongodb + nats: + URL: "nats://nats:4222" s3: - AWS_URI: http://mender-minio:9000 - AWS_REGION: eu-central-1 + AWS_URI: http://seaweedfs-s3:8333 + AWS_REGION: us-east-1 +default: + imagePullSecrets: + - name: my-mender-pull-secret + + +mongodb: + enabled: false +nats: + enabled: false redis: + enabled: true architecture: standalone master: persistence: @@ -13,7 +26,3 @@ redis: replica: persistence: enabled: false - -api_gateway: - env: - SSL: false diff --git a/tests/values-opensource.yaml b/tests/values-opensource.yaml index b8a7568c..53d83ea9 100644 --- a/tests/values-opensource.yaml +++ b/tests/values-opensource.yaml @@ -1,14 +1,7 @@ global: - enterprise: false - mongodb: - URL: "" - nats: - URL: "" - redis: - URL: "" s3: - AWS_URI: http://mender-minio:9000 - AWS_REGION: eu-central-1 + AWS_URI: http://seaweedfs-s3:8333 + AWS_REGION: us-east-1 ingress: enabled: true @@ -61,7 +54,6 @@ nats: cluster: enabled: false nats: - image: "nats:2.7.4-scratch" jetstream: enabled: true memStorage: 
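Review bot: tests/values-opensource.yaml drops its explicit `global.enterprise: false` and now relies on the chart default, which this very commit flipped; keeping `global:` / `  enterprise: false` in a file named values-opensource pins the scenario the test is meant to cover regardless of later default changes. A one-line header on each of the three test values files stating whether backing services are in-cluster subcharts or external (values-helmci.yaml disables `mongodb`/`nats` and sets `nats.URL`, the internal-backing-services file does the opposite) would make the pair self-explanatory.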
@@ -72,25 +64,4 @@ nats: podAnnotations: {} statefulSetAnnotations: {} serviceAnnotations: {} - -# Redis as a subchart -# Using a standalone bitnami helm chart by default = test usage only -# It's recommended to use a suitable Redis Cluster for Production -redis: - enabled: true - architecture: replication - commonAnnotations: - helm.sh/hook: "pre-install" - helm.sh/hook-weight: "-50" - auth: - enabled: false - master: - persistence: - enabled: false - replica: - persistence: - enabled: false -api_gateway: - env: - SSL: false diff --git a/tests/variables.sh b/tests/variables.sh index 06fe0a75..6e87209c 100644 --- a/tests/variables.sh +++ b/tests/variables.sh @@ -1,5 +1,5 @@ # Copyright 2022 Northern.tech AS -# +# # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -13,7 +13,7 @@ # limitations under the License. export TEST_NAME=mender-helm-test -export MINIO_accessKey=AKIAIOSFODNN7EXAMPLE -export MINIO_secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY +export SEAWEEDFS_ACCESS_KEY_ID=$(kubectl get secret seaweedfs-s3-secret -o jsonpath='{.data.admin_access_key_id}' |base64 -d) +export SEAWEEDFS_SECRET_ACCESS_KEY=$(kubectl get secret seaweedfs-s3-secret -o jsonpath='{.data.admin_secret_access_key}' |base64 -d) +export STORAGE_ENDPOINT="http://seaweedfs-s3:8333" export MENDER_HELM_CHART_VERSION=`cat ./mender/Chart.yaml | grep ^version: | awk '{print($NF);}' | sed -e 's/"//g'` -
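Review bot: `SEAWEEDFS_ACCESS_KEY_ID=$(kubectl get secret seaweedfs-s3-secret ... | base64 -d)` runs at source time with no error handling: if the secret is not present yet (this file is no longer sourced by tests/ci-make-deps.sh, so ordering is up to the caller) the substitution yields an empty string and the failure only surfaces later as an opaque S3 authentication error. Guard it after the exports, e.g. `[ -n "$SEAWEEDFS_ACCESS_KEY_ID" ] && [ -n "$SEAWEEDFS_SECRET_ACCESS_KEY" ] || { echo "seaweedfs-s3-secret not found; install seaweedfs first" >&2; exit 1; }`. Also note these are the store's `admin_*` credentials; acceptable for a throwaway test namespace, but a comment saying so would stop the pattern being copied into a production values file. Replacing the hard-coded EXAMPLE keys with cluster-generated ones is a clear improvement.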