diff --git a/class/defaults.yml b/class/defaults.yml index b529ff7..b2b869b 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -23,7 +23,7 @@ parameters: charts: etcd: source: https://charts.bitnami.com/bitnami - version: "9.1.0" + version: "12.0.18" helm_release_name: ${_instance} helm_values: diff --git a/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/networkpolicy.yaml b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/networkpolicy.yaml new file mode 100644 index 0000000..1e3357e --- /dev/null +++ b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/networkpolicy.yaml @@ -0,0 +1,27 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/component: etcd + app.kubernetes.io/instance: etcd + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: etcd + app.kubernetes.io/version: 3.6.4 + helm.sh/chart: etcd-12.0.18 + name: etcd + namespace: syn-etcd +spec: + egress: + - {} + ingress: + - ports: + - port: 2379 + - port: 2380 + podSelector: + matchLabels: + app.kubernetes.io/component: etcd + app.kubernetes.io/instance: etcd + app.kubernetes.io/name: etcd + policyTypes: + - Ingress + - Egress diff --git a/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/pdb.yaml b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/pdb.yaml index f710bce..25bb382 100644 --- a/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/pdb.yaml +++ b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/pdb.yaml @@ -2,10 +2,12 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: labels: + app.kubernetes.io/component: etcd app.kubernetes.io/instance: etcd app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: etcd - helm.sh/chart: etcd-9.1.0 + app.kubernetes.io/version: 3.6.4 + helm.sh/chart: etcd-12.0.18 name: etcd namespace: syn-etcd spec: 
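Review bot: The NetworkPolicy rendered in networkpolicy.yaml restricts very little: its single ingress rule lists ports 2379 and 2380 with no `from` clause, so any source that can route to the pods may open the client and peer ports, and `egress: - {}` permits all outbound traffic. With this policy, etcd's own TLS and authentication settings remain the only control on who can reach the datastore. The file is generated golden output, so the change belongs in the component's `helm_values` in class/defaults.yml. If chart 12.0.18 exposes them, `networkPolicy.allowExternal: false` and `networkPolicy.allowExternalEgress: false` would narrow ingress to labelled clients and trim egress; confirm which namespaces need client access before tightening.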
diff --git a/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/preupgrade-hook-job.yaml b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/preupgrade-hook-job.yaml
new file mode 100644
index 0000000..b385a54
--- /dev/null
+++ b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/preupgrade-hook-job.yaml
@@ -0,0 +1,127 @@ +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + helm.sh/hook: pre-upgrade + helm.sh/hook-delete-policy: before-hook-creation + labels: + app.kubernetes.io/component: etcd-pre-upgrade-job + app.kubernetes.io/instance: etcd + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: etcd + app.kubernetes.io/version: 3.6.4 + helm.sh/chart: etcd-12.0.18 + name: etcd-pre-upgrade + namespace: syn-etcd +spec: + template: + metadata: + annotations: null + labels: + app.kubernetes.io/component: etcd-pre-upgrade-job + app.kubernetes.io/instance: etcd + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: etcd + app.kubernetes.io/version: 3.6.4 + helm.sh/chart: etcd-12.0.18 + spec: + affinity: + nodeAffinity: null + podAffinity: null + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/component: etcd-pre-upgrade-job + app.kubernetes.io/instance: etcd + app.kubernetes.io/name: etcd + topologyKey: kubernetes.io/hostname + weight: 1 + automountServiceAccountToken: false + containers: + - args: + - /opt/bitnami/scripts/etcd/preupgrade.sh + command: + - /opt/bitnami/scripts/etcd/entrypoint.sh + env: + - name: BITNAMI_DEBUG + value: 'false' + - name: ETCD_ON_K8S + value: 'yes' + - name: ETCD_DATA_DIR + value: /bitnami/etcd/data + - name: ETCD_ROOT_PASSWORD_FILE + value: /opt/bitnami/etcd/secrets/password + - name: ETCD_INITIAL_CLUSTER + value: etcd-0=https://etcd-0.etcd-headless.syn-etcd.svc.cluster.local:2379 + - name: ETCD_CERT_FILE + value: /opt/bitnami/etcd/certs/client/cert.pem + - name: ETCD_KEY_FILE + value: /opt/bitnami/etcd/certs/client/key.pem + - name: ETCD_EXTRA_AUTH_FLAGS + value: --insecure-skip-tls-verify + envFrom: null + image: docker.io/bitnamilegacy/etcd:3.5.21-debian-12-r6 + imagePullPolicy: IfNotPresent + name: pre-upgrade-job + resources: + limits: + cpu: 375m + ephemeral-storage: 2Gi + memory: 384Mi + requests: + cpu: 250m + 
ephemeral-storage: 50Mi + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /opt/bitnami/etcd/conf/ + name: empty-dir + subPath: app-conf-dir + - mountPath: /tmp + name: empty-dir + subPath: tmp-dir + - mountPath: /opt/bitnami/etcd/certs/token/ + name: etcd-jwt-token + readOnly: true + - mountPath: /opt/bitnami/etcd/certs/client/ + name: etcd-client-certs + readOnly: true + - mountPath: /opt/bitnami/etcd/secrets + name: etcd-secrets + restartPolicy: Never + securityContext: + fsGroup: 1001 + fsGroupChangePolicy: Always + supplementalGroups: [] + sysctls: [] + volumes: + - emptyDir: {} + name: empty-dir + - name: etcd-jwt-token + secret: + defaultMode: 256 + secretName: etcd-etcd-token-private-key + - name: etcd-client-certs + secret: + defaultMode: 256 + secretName: etcd-etcd-client-auth + - name: etcd-secrets + projected: + sources: + - secret: + name: etcd-etcd-root-auth diff --git a/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/serviceaccount.yaml b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/serviceaccount.yaml new file mode 100644 index 0000000..bdaf9b7 --- /dev/null +++ b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: etcd + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: etcd + app.kubernetes.io/version: 3.6.4 + helm.sh/chart: etcd-12.0.18 + name: etcd + namespace: syn-etcd diff --git a/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/statefulset.yaml b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/statefulset.yaml index 679db7d..989615a 100644 
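Review bot: The pre-upgrade hook in preupgrade-hook-job.yaml sets `ETCD_EXTRA_AUTH_FLAGS` to `--insecure-skip-tls-verify`, so the job that mounts the root password at `/opt/bitnami/etcd/secrets` and the client key pair talks to the `https://` endpoint without verifying the server certificate. This is generated output; the chart presumably emits the flag because no client CA file is configured, so supplying a CA through the component's `helm_values` (the chart's `auth.client.caFilename`, if this version supports it) should replace the flag with a trusted CA path. Separately, the job runs `docker.io/bitnamilegacy/etcd:3.5.21-debian-12-r6` while every label now claims `app.kubernetes.io/version: 3.6.4`. That image override looks stale relative to chart 12.0.18, is pinned by tag rather than digest, and comes from a repository that, as far as I know, no longer receives patched builds; it is worth confirming the chart's scripts support that etcd version.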
--- a/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/statefulset.yaml +++ b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/statefulset.yaml @@ -6,7 +6,8 @@ metadata: app.kubernetes.io/instance: etcd app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: etcd - helm.sh/chart: etcd-9.1.0 + app.kubernetes.io/version: 3.6.4 + helm.sh/chart: etcd-12.0.18 name: etcd namespace: syn-etcd spec: @@ -26,7 +27,8 @@ spec: app.kubernetes.io/instance: etcd app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: etcd - helm.sh/chart: etcd-9.1.0 + app.kubernetes.io/version: 3.6.4 + helm.sh/chart: etcd-12.0.18 spec: affinity: nodeAffinity: null @@ -36,10 +38,12 @@ spec: - podAffinityTerm: labelSelector: matchLabels: + app.kubernetes.io/component: etcd app.kubernetes.io/instance: etcd app.kubernetes.io/name: etcd topologyKey: kubernetes.io/hostname weight: 1 + automountServiceAccountToken: false containers: - env: - name: BITNAMI_DEBUG @@ -54,8 +58,6 @@ spec: fieldPath: metadata.name - name: MY_STS_NAME value: etcd - - name: ETCDCTL_API - value: '3' - name: ETCD_ON_K8S value: 'yes' - name: ETCD_START_FROM_SNAPSHOT @@ -70,11 +72,8 @@ spec: value: info - name: ALLOW_NONE_AUTHENTICATION value: 'no' - - name: ETCD_ROOT_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: etcd-etcd-root-auth + - name: ETCD_ROOT_PASSWORD_FILE + value: /opt/bitnami/etcd/secrets/password - name: ETCD_AUTH_TOKEN value: jwt,priv-key=/opt/bitnami/etcd/certs/token/jwt-token.pem,sign-method=RS256,ttl=10m - name: ETCD_ADVERTISE_CLIENT_URLS @@ -85,6 +84,10 @@ spec: value: https://$(MY_POD_NAME).etcd-headless.syn-etcd.svc.cluster.local:2380 - name: ETCD_LISTEN_PEER_URLS value: https://0.0.0.0:2380 + - name: ETCD_INITIAL_CLUSTER_TOKEN + value: etcd-cluster-k8s + - name: ETCD_INITIAL_CLUSTER + value: etcd-0=https://etcd-0.etcd-headless.syn-etcd.svc.cluster.local:2380 - name: ETCD_CLUSTER_DOMAIN value: etcd-headless.syn-etcd.svc.cluster.local - name: ETCD_CERT_FILE 
@@ -125,13 +128,34 @@ spec: successThreshold: 1 timeoutSeconds: 5 resources: - limits: {} - requests: {} + limits: + cpu: 375m + ephemeral-storage: 2Gi + memory: 384Mi + requests: + cpu: 250m + ephemeral-storage: 50Mi + memory: 256Mi securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1001 runAsNonRoot: true runAsUser: 1001 + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault volumeMounts: + - mountPath: /opt/bitnami/etcd/conf/ + name: empty-dir + subPath: app-conf-dir + - mountPath: /tmp + name: empty-dir + subPath: tmp-dir - mountPath: /bitnami/etcd name: data - mountPath: /opt/bitnami/etcd/certs/token/ @@ -143,10 +167,17 @@ spec: - mountPath: /opt/bitnami/etcd/certs/peer/ name: etcd-peer-certs readOnly: true + - mountPath: /opt/bitnami/etcd/secrets + name: etcd-secrets securityContext: fsGroup: 1001 - serviceAccountName: default + fsGroupChangePolicy: Always + supplementalGroups: [] + sysctls: [] + serviceAccountName: etcd volumes: + - emptyDir: {} + name: empty-dir - name: etcd-jwt-token secret: defaultMode: 256 @@ -159,6 +190,11 @@ spec: secret: defaultMode: 256 secretName: etcd-etcd-peer-auth + - name: etcd-secrets + projected: + sources: + - secret: + name: etcd-etcd-root-auth updateStrategy: type: RollingUpdate volumeClaimTemplates: diff --git a/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/svc-headless.yaml b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/svc-headless.yaml index 60c3838..a210384 100644 --- a/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/svc-headless.yaml +++ b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/svc-headless.yaml 
@@ -4,10 +4,12 @@ metadata: annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: 'true' labels: + app.kubernetes.io/component: etcd app.kubernetes.io/instance: etcd app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: etcd - helm.sh/chart: etcd-9.1.0 + app.kubernetes.io/version: 3.6.4 + helm.sh/chart: etcd-12.0.18 name: etcd-headless namespace: syn-etcd spec: @@ -21,6 +23,7 @@ spec: targetPort: peer publishNotReadyAddresses: true selector: + app.kubernetes.io/component: etcd app.kubernetes.io/instance: etcd app.kubernetes.io/name: etcd type: ClusterIP diff --git a/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/svc.yaml b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/svc.yaml index 82830a4..32f0ad7 100644 --- a/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/svc.yaml +++ b/tests/golden/defaults/etcd/etcd/10_chart/etcd/templates/svc.yaml @@ -1,12 +1,13 @@ apiVersion: v1 kind: Service metadata: - annotations: null labels: + app.kubernetes.io/component: etcd app.kubernetes.io/instance: etcd app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: etcd - helm.sh/chart: etcd-9.1.0 + app.kubernetes.io/version: 3.6.4 + helm.sh/chart: etcd-12.0.18 name: etcd namespace: syn-etcd spec: @@ -20,6 +21,7 @@ spec: port: 2380 targetPort: peer selector: + app.kubernetes.io/component: etcd app.kubernetes.io/instance: etcd app.kubernetes.io/name: etcd sessionAffinity: None