github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/pkg/scanners/helm/test/mysql/charts/common/README.md

# Bitnami Common Library Chart

A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts.

## TL;DR

```yaml
dependencies:
  - name: common
    version: 0.x.x
    repository: https://charts.bitnami.com/bitnami
```

```bash
$ helm dependency update
```

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "common.names.fullname" . }}
data:
  myvalue: "Hello World"
```

## Introduction

This chart provides common template helpers that can be used to develop new charts with the [Helm](https://helm.sh) package manager.

Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.

## Prerequisites

- Kubernetes 1.19+
- Helm 3.2.0+

## Parameters

The following tables list the helpers available in the library, grouped into sections.

### Affinities

| Helper identifier | Description | Expected Input |
|---|---|---|
| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |

### Capabilities

| Helper identifier | Description | Expected Input |
|---|---|---|
| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if `.Values.kubeVersion` is not set). | `.` Chart context |
| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context |
| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context |
| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context |
| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context |
| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context |
| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context |
| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context |
| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context |
| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context |

### Errors

| Helper identifier | Description | Expected Input |
|---|---|---|
| `common.errors.upgrade.passwords.empty` | Ensures that the required passwords are given when upgrading a chart. If `validationErrors` is not empty, it throws an error and stops the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` |

### Images

| Helper identifier | Description | Expected Input |
|---|---|---|
| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. |
| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use `common.images.renderPullSecrets` instead) | `dict "images" (list .Values.path.to.the.image1 .Values.path.to.the.image2) "global" .Values.global` |
| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1 .Values.path.to.the.image2) "context" $` |

### Ingress

| Helper identifier | Description | Expected Input |
|---|---|---|
| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences |
| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context |
| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context |
| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` |

### Labels

| Helper identifier | Description | Expected Input |
|---|---|---|
| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context |
| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context |

### Names

| Helper identifier | Description | Expected Input |
|---|---|---|
| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context |
| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context |
| `common.names.chart` | Chart name plus version | `.` Chart context |

### Secrets

| Helper identifier | Description | Expected Input |
|---|---|---|
| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $`, see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"`, see [ExistingSecret](#existingsecret) for the structure. |
| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`; the `length`, `strong` and `chartName` fields are optional. |
| `common.secrets.exists` | Returns whether a previously generated secret already exists. | `dict "secret" "secret-name" "context" $` |

### Storage

| Helper identifier | Description | Expected Input |
|---|---|---|
| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. |

### TplValues

| Helper identifier | Description | Expected Input |
|---|---|---|
| `common.tplvalues.render` | Renders a value that contains a template | `dict "value" .Values.path.to.the.Value "context" $`; `value` is the value that should be rendered as a template, and `context` is frequently the chart context `$` or `.` |

### Utils

| Helper identifier | Description | Expected Input |
|---|---|---|
| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` |
| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` |
| `common.utils.getValueFromKey` | Gets a value from the `.Values` object given its key path | `dict "key" "path.to.key" "context" $` |
| `common.utils.getKeyFromList` | Returns the first `.Values` key with a defined value, or the first of the list if none are defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` |

### Validations

| Helper identifier | Description | Expected Input |
|---|---|---|
| `common.validations.values.single.empty` | Validate that a value is not empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $`; `secret`, `field` and `subchart` are optional. If they are given, the helper will generate instructions for retrieving the value. See [ValidateValue](#validatevalue) |
| `common.validations.values.multiple.empty` | Validate that multiple values are not empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) |
| `common.validations.values.mariadb.passwords` | Ensures that the required passwords for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $`; the `subchart` field is optional and can be true or false, depending on where the mariadb chart and the helper are used. |
| `common.validations.values.postgresql.passwords` | Ensures that the required passwords for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $`; the `subchart` field is optional and can be true or false, depending on where the postgresql chart and the helper are used. |
| `common.validations.values.redis.passwords` | Ensures that the required passwords for Redis™ are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $`; the `subchart` field is optional and can be true or false, depending on where the redis chart and the helper are used. |
| `common.validations.values.cassandra.passwords` | Ensures that the required passwords for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $`; the `subchart` field is optional and can be true or false, depending on where the cassandra chart and the helper are used. |
| `common.validations.values.mongodb.passwords` | Ensures that the required passwords for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $`; the `subchart` field is optional and can be true or false, depending on where the mongodb chart and the helper are used. |

### Warnings

| Helper identifier | Description | Expected Input |
|---|---|---|
| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot`, see [ImageRoot](#imageroot) for the structure. |

## Special input schemas

### ImageRoot

```yaml
registry:
  type: string
  description: Docker registry where the image is located
  example: docker.io

repository:
  type: string
  description: Repository and image name
  example: bitnami/nginx

tag:
  type: string
  description: image tag
  example: 1.16.1-debian-10-r63

pullPolicy:
  type: string
  description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'

pullSecrets:
  type: array
  items:
    type: string
  description: Optionally specify an array of imagePullSecrets (evaluated as templates).

debug:
  type: boolean
  description: Set to true if you would like to see extra information on logs
  example: false

## An instance would be:
# registry: docker.io
# repository: bitnami/nginx
# tag: 1.16.1-debian-10-r63
# pullPolicy: IfNotPresent
# debug: false
```

### Persistence

```yaml
enabled:
  type: boolean
  description: Whether enable persistence.
  example: true

storageClass:
  type: string
  description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
  example: "-"

accessMode:
  type: string
  description: Access mode for the Persistent Volume Storage.
  example: ReadWriteOnce

size:
  type: string
  description: Size the Persistent Volume Storage.
  example: 8Gi

path:
  type: string
  description: Path to be persisted.
  example: /bitnami

## An instance would be:
# enabled: true
# storageClass: "-"
# accessMode: ReadWriteOnce
# size: 8Gi
# path: /bitnami
```

### ExistingSecret

```yaml
name:
  type: string
  description: Name of the existing secret.
  example: mySecret
keyMapping:
  description: Mapping between the expected key name and the name of the key in the existing secret.
  type: object

## An instance would be:
# name: mySecret
# keyMapping:
#   password: myPasswordKey
```

#### Example of use

When we store sensitive data for a deployment in a secret, sometimes we want to give users the possibility of using their existing secrets.

```yaml
# templates/secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "common.names.fullname" . }}
  labels:
    app: {{ include "common.names.fullname" . }}
type: Opaque
data:
  password: {{ .Values.password | b64enc | quote }}

# templates/dpl.yaml
---
...
      env:
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
              key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
...

# values.yaml
---
# The templates above read this structure as .Values.existingSecret
existingSecret:
  name: mySecret
  keyMapping:
    password: myPasswordKey
```

### ValidateValue

#### NOTES.txt

```console
{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}}
{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}}

{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
```

If we force those values to be empty, we will see some alerts:

```console
$ helm install test mychart --set path.to.value00="",path.to.value01=""
    'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:

        export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode)

    'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value:

        export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode)
```

## Upgrading

### To 1.0.0

[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project). This major version is the result of the changes required for the Helm Chart to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.

**What changes were introduced in this major version?**

- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3); this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information.
- The different fields present in the *Chart.yaml* file have been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts

**Considerations when upgrading to this version**

- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
- If you installed the previous version with Helm v2 and want to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3

**Useful links**

- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/
- https://helm.sh/docs/topics/v2_v3_migration/
- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/

## License

Copyright © 2022 Bitnami

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.