From c672d343296dbfe5fe3a348c93759e6e9e4010c8 Mon Sep 17 00:00:00 2001
From: Alexandre Dutra
Date: Wed, 7 Aug 2024 15:57:57 +0200
Subject: [PATCH] Helm Chart: mention imagePullSecrets in values.yaml (#9292)

This setting is already supported, but wasn't properly documented so far.
---
 helm/nessie/README.md | 31 ++++++++++++++++++++-----------
 helm/nessie/values.yaml | 8 ++++++++
 2 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/helm/nessie/README.md b/helm/nessie/README.md
index 3fa34e7234d..ce70af66dca 100644
--- a/helm/nessie/README.md
+++ b/helm/nessie/README.md
@@ -79,7 +79,7 @@ $ helm uninstall --namespace nessie-ns nessie | cassandra.secret.name | string | `"cassandra-creds"` | The secret name to pull Cassandra credentials from. | | cassandra.secret.password | string | `"cassandra_password"` | The secret key storing the Cassandra password. | | cassandra.secret.username | string | `"cassandra_username"` | The secret key storing the Cassandra username. | -| catalog | object | `{"enabled":false,"iceberg":{"configDefaults":{},"configOverrides":{},"defaultWarehouse":null,"objectStoresHealthCheckEnabled":true,"warehouses":[{"configDefaults":{},"configOverrides":{},"location":null,"name":null}]},"storage":{"adls":{"advancedConfig":{},"defaultOptions":{"accountSecret":{"accountKey":null,"accountName":null,"name":null},"authType":null,"endpoint":null,"externalEndpoint":null,"maxRetries":null,"maxRetryDelay":null,"retryDelay":null,"retryPolicy":null,"sasTokenSecret":{"name":null,"sasToken":null},"tryTimeout":null},"filesystems":[],"transport":{"connectTimeout":null,"connectionIdleTimeout":null,"maxHttpConnections":null,"readBlockSize":null,"readTimeout":null,"writeBlockSize":null,"writeTimeout":null}},"gcs":{"buckets":[],"defaultOptions":{"authCredentialsJsonSecret":{"key":null,"name":null},"authType":null,"clientLibToken":null,"decryptionKey":null,"deleteBatchSize":null,"encryptionKey":null,"externalHost":null,"host":null,"oauth2TokenSecret":{"expiresAt":null,"name":null,"token":null},"projectId":null,"quotaProjectId":null,"readChunkSize":null,"userProject":null,"writeChunkSize":null},"transport":{"connectTimeout":null,"initialRetryDelay":null,"initialRpcTimeout":null,"logicalTimeout":null,"maxAttempts":null,"maxRetryDelay":null,"maxRpcTimeout":null,"readTimeout":null,"retryDelayMultiplier":null,"rpcTimeoutMultiplier":null,"totalTimeout":null}},"retryAfter":null,"s3":{"buckets":[],"defaultOptions":{"accessKeySecret":{"awsAccessKeyId":null,"awsSecretAccessKey":null,"name":null},"accessPoint":null,"allowCrossRegionAccessPoint":fals
e,"assumeRole":{"clientSessionDuration":null,"externalId":null,"roleArn":null,"roleSessionName":null,"sessionIamPolicy":null,"stsEndpoint":null},"clientAuthenticationMode":null,"endpoint":null,"externalEndpoint":null,"pathStyleAccess":false,"region":null,"serverAuthenticationMode":null},"sessionCredentials":{"sessionCredentialCacheMaxEntries":null,"sessionCredentialRefreshGracePeriod":null,"stsClientsCacheMaxEntries":null},"transport":{"connectTimeout":null,"connectionAcquisitionTimeout":null,"connectionMaxIdleTime":null,"connectionTimeToLive":null,"expectContinueEnabled":null,"maxHttpConnections":null,"readTimeout":null}}}}` | The Nessie catalog server configuration. | +| catalog | object | `{"enabled":false,"iceberg":{"configDefaults":{},"configOverrides":{},"defaultWarehouse":null,"objectStoresHealthCheckEnabled":true,"warehouses":[{"configDefaults":{},"configOverrides":{},"location":null,"name":null}]},"storage":{"adls":{"advancedConfig":{},"defaultOptions":{"accountSecret":{"accountKey":null,"accountName":null,"name":null},"authType":null,"endpoint":null,"externalEndpoint":null,"maxRetries":null,"maxRetryDelay":null,"retryDelay":null,"retryPolicy":null,"sasTokenSecret":{"name":null,"sasToken":null},"tryTimeout":null},"filesystems":[],"transport":{"connectTimeout":null,"connectionIdleTimeout":null,"maxHttpConnections":null,"readBlockSize":null,"readTimeout":null,"writeBlockSize":null,"writeTimeout":null}},"gcs":{"buckets":[],"defaultOptions":{"authCredentialsJsonSecret":{"key":null,"name":null},"authType":null,"clientLibToken":null,"decryptionKey":null,"deleteBatchSize":null,"encryptionKey":null,"externalHost":null,"host":null,"oauth2TokenSecret":{"expiresAt":null,"name":null,"token":null},"projectId":null,"quotaProjectId":null,"readChunkSize":null,"userProject":null,"writeChunkSize":null},"transport":{"connectTimeout":null,"initialRetryDelay":null,"initialRpcTimeout":null,"logicalTimeout":null,"maxAttempts":null,"maxRetryDelay":null,"maxRpcTimeout":null,"readTi
meout":null,"retryDelayMultiplier":null,"rpcTimeoutMultiplier":null,"totalTimeout":null}},"retryAfter":null,"s3":{"buckets":[],"defaultOptions":{"accessKeySecret":{"awsAccessKeyId":null,"awsSecretAccessKey":null,"name":null},"accessPoint":null,"allowCrossRegionAccessPoint":false,"authType":null,"clientIam":{"enabled":null,"externalId":null,"policy":null,"roleArn":null,"roleSessionName":null,"sessionDuration":null,"statements":null},"endpoint":null,"externalEndpoint":null,"pathStyleAccess":false,"region":null,"requestSigningEnabled":null,"serverIam":{"enabled":null,"externalId":null,"policy":null,"roleArn":null,"roleSessionName":null,"sessionDuration":null},"stsEndpoint":null},"sessionCredentials":{"sessionCredentialCacheMaxEntries":null,"sessionCredentialRefreshGracePeriod":null,"stsClientsCacheMaxEntries":null},"transport":{"connectTimeout":null,"connectionAcquisitionTimeout":null,"connectionMaxIdleTime":null,"connectionTimeToLive":null,"expectContinueEnabled":null,"maxHttpConnections":null,"readTimeout":null}}}}` | The Nessie catalog server configuration. | | catalog.enabled | bool | `false` | Whether to enable the REST catalog service. | | catalog.iceberg | object | `{"configDefaults":{},"configOverrides":{},"defaultWarehouse":null,"objectStoresHealthCheckEnabled":true,"warehouses":[{"configDefaults":{},"configOverrides":{},"location":null,"name":null}]}` | Iceberg catalog settings. | | catalog.iceberg.configDefaults | object | `{}` | Iceberg config defaults applicable to all clients and warehouses. Any properties that are common to all iceberg clients should be included here. They will be passed to all clients on all warehouses as config defaults. These defaults can be overridden on a per-warehouse basis, see below. | 
@@ -90,7 +90,7 @@ $ helm uninstall --namespace nessie-ns nessie | catalog.iceberg.warehouses[0].configDefaults | object | `{}` | Iceberg config defaults specific to this warehouse. They override any defaults specified above in catalog.iceberg.configDefaults. | | catalog.iceberg.warehouses[0].configOverrides | object | `{}` | Iceberg config overrides specific to this warehouse. They override any defaults specified above in catalog.iceberg.configOverrides. | | catalog.iceberg.warehouses[0].location | string | `nil` | Location of the warehouse. Required. Used to determine the base location of a table. Scheme must be either s3 (Amazon S3), gs (Google GCS) or abfs / abfss (Azure ADLS). Storage properties for each location can be defined below. | -| catalog.storage | object | `{"adls":{"advancedConfig":{},"defaultOptions":{"accountSecret":{"accountKey":null,"accountName":null,"name":null},"authType":null,"endpoint":null,"externalEndpoint":null,"maxRetries":null,"maxRetryDelay":null,"retryDelay":null,"retryPolicy":null,"sasTokenSecret":{"name":null,"sasToken":null},"tryTimeout":null},"filesystems":[],"transport":{"connectTimeout":null,"connectionIdleTimeout":null,"maxHttpConnections":null,"readBlockSize":null,"readTimeout":null,"writeBlockSize":null,"writeTimeout":null}},"gcs":{"buckets":[],"defaultOptions":{"authCredentialsJsonSecret":{"key":null,"name":null},"authType":null,"clientLibToken":null,"decryptionKey":null,"deleteBatchSize":null,"encryptionKey":null,"externalHost":null,"host":null,"oauth2TokenSecret":{"expiresAt":null,"name":null,"token":null},"projectId":null,"quotaProjectId":null,"readChunkSize":null,"userProject":null,"writeChunkSize":null},"transport":{"connectTimeout":null,"initialRetryDelay":null,"initialRpcTimeout":null,"logicalTimeout":null,"maxAttempts":null,"maxRetryDelay":null,"maxRpcTimeout":null,"readTimeout":null,"retryDelayMultiplier":null,"rpcTimeoutMultiplier":null,"totalTimeout":null}},"retryAfter":null,"s3":{"buckets":[],"defaultOptions":{"ac
cessKeySecret":{"awsAccessKeyId":null,"awsSecretAccessKey":null,"name":null},"accessPoint":null,"allowCrossRegionAccessPoint":false,"assumeRole":{"clientSessionDuration":null,"externalId":null,"roleArn":null,"roleSessionName":null,"sessionIamPolicy":null,"stsEndpoint":null},"clientAuthenticationMode":null,"endpoint":null,"externalEndpoint":null,"pathStyleAccess":false,"region":null,"serverAuthenticationMode":null},"sessionCredentials":{"sessionCredentialCacheMaxEntries":null,"sessionCredentialRefreshGracePeriod":null,"stsClientsCacheMaxEntries":null},"transport":{"connectTimeout":null,"connectionAcquisitionTimeout":null,"connectionMaxIdleTime":null,"connectionTimeToLive":null,"expectContinueEnabled":null,"maxHttpConnections":null,"readTimeout":null}}}` | Catalog storage settings. | +| catalog.storage | object | `{"adls":{"advancedConfig":{},"defaultOptions":{"accountSecret":{"accountKey":null,"accountName":null,"name":null},"authType":null,"endpoint":null,"externalEndpoint":null,"maxRetries":null,"maxRetryDelay":null,"retryDelay":null,"retryPolicy":null,"sasTokenSecret":{"name":null,"sasToken":null},"tryTimeout":null},"filesystems":[],"transport":{"connectTimeout":null,"connectionIdleTimeout":null,"maxHttpConnections":null,"readBlockSize":null,"readTimeout":null,"writeBlockSize":null,"writeTimeout":null}},"gcs":{"buckets":[],"defaultOptions":{"authCredentialsJsonSecret":{"key":null,"name":null},"authType":null,"clientLibToken":null,"decryptionKey":null,"deleteBatchSize":null,"encryptionKey":null,"externalHost":null,"host":null,"oauth2TokenSecret":{"expiresAt":null,"name":null,"token":null},"projectId":null,"quotaProjectId":null,"readChunkSize":null,"userProject":null,"writeChunkSize":null},"transport":{"connectTimeout":null,"initialRetryDelay":null,"initialRpcTimeout":null,"logicalTimeout":null,"maxAttempts":null,"maxRetryDelay":null,"maxRpcTimeout":null,"readTimeout":null,"retryDelayMultiplier":null,"rpcTimeoutMultiplier":null,"totalTimeout":null}},"retryAfter":nul
l,"s3":{"buckets":[],"defaultOptions":{"accessKeySecret":{"awsAccessKeyId":null,"awsSecretAccessKey":null,"name":null},"accessPoint":null,"allowCrossRegionAccessPoint":false,"authType":null,"clientIam":{"enabled":null,"externalId":null,"policy":null,"roleArn":null,"roleSessionName":null,"sessionDuration":null,"statements":null},"endpoint":null,"externalEndpoint":null,"pathStyleAccess":false,"region":null,"requestSigningEnabled":null,"serverIam":{"enabled":null,"externalId":null,"policy":null,"roleArn":null,"roleSessionName":null,"sessionDuration":null},"stsEndpoint":null},"sessionCredentials":{"sessionCredentialCacheMaxEntries":null,"sessionCredentialRefreshGracePeriod":null,"stsClientsCacheMaxEntries":null},"transport":{"connectTimeout":null,"connectionAcquisitionTimeout":null,"connectionMaxIdleTime":null,"connectionTimeToLive":null,"expectContinueEnabled":null,"maxHttpConnections":null,"readTimeout":null}}}` | Catalog storage settings. | | catalog.storage.adls.advancedConfig | object | `{}` | Custom ADLS configuration options, see javadocs of com.azure.core.util.Configuration. Not overridable on a per-filesystem basis. | | catalog.storage.adls.defaultOptions.accountSecret | object | `{"accountKey":null,"accountName":null,"name":null}` | A secret containing the account name and key to use. Required when authType is STORAGE_SHARED_KEY. | | catalog.storage.adls.defaultOptions.accountSecret.accountKey | string | `nil` | Secret key containing the account key. | 
@@ -153,19 +153,27 @@ $ helm uninstall --namespace nessie-ns nessie
 | catalog.storage.s3.defaultOptions.accessKeySecret.name | string | `nil` | The secret name to pull AWS credentials from. |
 | catalog.storage.s3.defaultOptions.accessPoint | string | `nil` | AWS Access point for this bucket. Access points can be used to perform S3 operations by specifying a mapping of bucket to access points. This is useful for multi-region access, cross-region access, disaster recovery, etc. See https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-access-points.html. |
 | catalog.storage.s3.defaultOptions.allowCrossRegionAccessPoint | bool | `false` | Authorize cross-region calls when contacting an access point. The default is false. |
-| catalog.storage.s3.defaultOptions.assumeRole | object | `{"clientSessionDuration":null,"externalId":null,"roleArn":null,"roleSessionName":null,"sessionIamPolicy":null,"stsEndpoint":null}` | Settings only relevant when clientAuthenticationMode is ASSUME_ROLE. |
-| catalog.storage.s3.defaultOptions.assumeRole.clientSessionDuration | string | `nil` | A higher bound estimate of the expected duration of client "sessions" working with data in this bucket. A session, for example, is the lifetime of an Iceberg REST catalog object on the client side. This value is used for validating expiration times of credentials associated with the warehouse. If unset, a default of one hour is assumed. |
-| catalog.storage.s3.defaultOptions.assumeRole.externalId | string | `nil` | An identifier for the party assuming the role. This parameter must match the external ID configured in IAM rules that govern the assume role process for the specified roleArn. |
-| catalog.storage.s3.defaultOptions.assumeRole.roleArn | string | `nil` | The ARN of the role to assume for accessing S3 data. This parameter is required for Amazon S3, but may not be required for other storage providers (e.g. Minio does not use it at all). |
-| catalog.storage.s3.defaultOptions.assumeRole.roleSessionName | string | `nil` | An identifier for the assumed role session. This parameter is most important in cases when the same role is assumed by different principals in different use cases. |
-| catalog.storage.s3.defaultOptions.assumeRole.sessionIamPolicy | string | `nil` | The IAM policy in JSON format to be used as an inline session policy. Optional. |
-| catalog.storage.s3.defaultOptions.assumeRole.stsEndpoint | string | `nil` | The STS endpoint. Optional; if not provided, the default is used. This parameter must be set if the cloud provider is not AMAZON and the catalog is configured to use S3 sessions (e.g. to use the "assume role" functionality). |
-| catalog.storage.s3.defaultOptions.clientAuthenticationMode | string | `nil` | Controls the authentication mode for Catalog clients accessing this bucket. Valid values are: - REQUEST_SIGNING: Each client I/O request is individually authorized (signed) by the Catalog server. This is the default. - ASSUME_ROLE: Clients receive session credentials (according to the role and IAM policy from bucket configuration) for the whole duration of client sessions. |
+| catalog.storage.s3.defaultOptions.authType | string | `nil` | Controls the authentication mode for the Catalog server. Valid values are: - APPLICATION_GLOBAL: Use the default AWS credentials provider chain. - STATIC: Static credentials provided through the accessKeySecret option. The default is STATIC. |
+| catalog.storage.s3.defaultOptions.clientIam.enabled | string | `nil` | Whether to enable client assume-role/scoped-down credentials functionality. |
+| catalog.storage.s3.defaultOptions.clientIam.externalId | string | `nil` | An identifier for the party assuming the role. This parameter must match the external ID configured in IAM rules that govern the assume role process for the specified roleArn. |
+| catalog.storage.s3.defaultOptions.clientIam.policy | string | `nil` | The ARN of the role to assume for accessing S3 data. This parameter is required for Amazon S3, but may not be required for other storage providers (e.g. Minio does not use it at all). |
+| catalog.storage.s3.defaultOptions.clientIam.roleArn | string | `nil` | An identifier for the assumed role session. This parameter is most important in cases when the same role is assumed by different principals in different use cases. |
+| catalog.storage.s3.defaultOptions.clientIam.roleSessionName | string | `nil` | The IAM policy in JSON format to be used as an inline session policy. Optional. If not supplied, Nessie will generate a policy scoped down to a table's location. |
+| catalog.storage.s3.defaultOptions.clientIam.sessionDuration | string | `nil` | A higher bound estimate of the expected duration of client "sessions" working with data in this bucket. A session, for example, is the lifetime of an Iceberg REST catalog object on the client side. This value is used for validating expiration times of credentials associated with the warehouse. If unset, a default of one hour is assumed. |
+| catalog.storage.s3.defaultOptions.clientIam.statements | string | `nil` | Additional IAM policy statements in JSON format to add to generated per-table IAM policies. |
 | catalog.storage.s3.defaultOptions.endpoint | string | `nil` | Endpoint URI, required for private clouds. Optional; if not provided, the default is used. |
 | catalog.storage.s3.defaultOptions.externalEndpoint | string | `nil` | Endpoint URI, required for private clouds. Optional; if not provided, the default is used. If the endpoint URIs for the Nessie server and clients differ, this one defines the endpoint used for the Nessie server. |
 | catalog.storage.s3.defaultOptions.pathStyleAccess | bool | `false` | Whether to use path-style access. Optional; if not provided, the default is used. If true, path-style access will be used, as in: https:///. If false, a virtual-hosted style will be used instead, as in: https://.. |
 | catalog.storage.s3.defaultOptions.region | string | `nil` | DNS name of the region, required for AWS. |
-| catalog.storage.s3.defaultOptions.serverAuthenticationMode | string | `nil` | Controls the authentication mode for the Catalog server. Valid values are: - APPLICATION_GLOBAL: Use the default AWS credentials provider chain. - STATIC: Static credentials provided through the accessKeySecret option. The default is STATIC. |
+| catalog.storage.s3.defaultOptions.requestSigningEnabled | string | `nil` | Optional parameter to disable S3 request signing. Default is to enable S3 request signing. |
+| catalog.storage.s3.defaultOptions.serverIam | object | `{"enabled":null,"externalId":null,"policy":null,"roleArn":null,"roleSessionName":null,"sessionDuration":null}` | Settings only relevant when clientAuthenticationMode is ASSUME_ROLE. |
+| catalog.storage.s3.defaultOptions.serverIam.enabled | string | `nil` | Whether to enable server assume-role functionality. |
+| catalog.storage.s3.defaultOptions.serverIam.externalId | string | `nil` | An identifier for the party assuming the role. This parameter must match the external ID configured in IAM rules that govern the assume role process for the specified roleArn. |
+| catalog.storage.s3.defaultOptions.serverIam.policy | string | `nil` | The ARN of the role to assume for accessing S3 data. This parameter is required for Amazon S3, but may not be required for other storage providers (e.g. Minio does not use it at all). |
+| catalog.storage.s3.defaultOptions.serverIam.roleArn | string | `nil` | An identifier for the assumed role session. This parameter is most important in cases when the same role is assumed by different principals in different use cases. |
+| catalog.storage.s3.defaultOptions.serverIam.roleSessionName | string | `nil` | The IAM policy in JSON format to be used as an inline session policy. Optional. |
+| catalog.storage.s3.defaultOptions.serverIam.sessionDuration | string | `nil` | A higher bound estimate of the expected duration of client "sessions" working with data in this bucket. A session, for example, is the lifetime of an Iceberg REST catalog object on the client side. This value is used for validating expiration times of credentials associated with the warehouse. If unset, a default of one hour is assumed. |
+| catalog.storage.s3.defaultOptions.stsEndpoint | string | `nil` | The STS endpoint. Optional; if not provided, the default is used. This parameter must be set if the cloud provider is not AMAZON and the catalog is configured to use S3 sessions (e.g. to use the "assume role" functionality). |
 | catalog.storage.s3.sessionCredentials.sessionCredentialCacheMaxEntries | string | `nil` | Maximum number of entries to keep in the session credentials cache (assumed role credentials). Not overridable on a per-bucket basis. The default is 1000. |
 | catalog.storage.s3.sessionCredentials.sessionCredentialRefreshGracePeriod | string | `nil` | The time period to subtract from the S3 session credentials (assumed role credentials) expiry time to define the time when those credentials become eligible for refreshing. Not overridable on a per-bucket basis. The default is PT5M (5 minutes). |
 | catalog.storage.s3.sessionCredentials.stsClientsCacheMaxEntries | string | `nil` | Maximum number of entries to keep in the STS clients cache. Not overridable on a per-bucket basis. The default is 50. |
@@ -188,6 +196,7 @@ $ helm uninstall --namespace nessie-ns nessie
 | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy. |
 | image.repository | string | `"ghcr.io/projectnessie/nessie"` | The image repository to pull from. |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart version. |
+| imagePullSecrets | list | `[]` | References to secrets in the same namespace to use for pulling any of the images used by this chart. Each entry is a LocalObjectReference to an existing secret in the namespace. The secret must contain a .dockerconfigjson key with a base64-encoded Docker configuration file. See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ for more information. |
 | ingress.annotations | object | `{}` | Annotations to add to the ingress. |
 | ingress.className | string | `""` | Specifies the ingressClassName; leave empty if you don't want to customize it |
 | ingress.enabled | bool | `false` | Specifies whether an ingress should be created. |
diff --git a/helm/nessie/values.yaml b/helm/nessie/values.yaml
index c42f55134f6..3e066c45a27 100644
--- a/helm/nessie/values.yaml
+++ b/helm/nessie/values.yaml
@@ -12,6 +12,14 @@ image:
 # -- The path to the directory where the application.properties file should be mounted.
 configDir: /deployments/config
 
+# -- References to secrets in the same namespace to use for pulling any of the images used by this
+# chart. Each entry is a LocalObjectReference to an existing secret in the namespace. The secret
+# must contain a .dockerconfigjson key with a base64-encoded Docker configuration file. See
+# https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ for more
+# information.
+imagePullSecrets: []
+# - name: registry-creds
+
 # -- The minimum log level for the Nessie server. If you need to debug Nessie, set this to DEBUG,
 # then add the following to the advancedConfig section:
 # `quarkus.log.category."".level: DEBUG`
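Review bot: The comment added above `imagePullSecrets: []` says the secret "must contain a .dockerconfigjson key with a base64-encoded Docker configuration file", which mixes up the generic base64 `data` encoding that every Secret has with the property that actually matters for image pulls: the Secret should be of type `kubernetes.io/dockerconfigjson` (what `kubectl create secret docker-registry` produces), and the kubelet reads its `.dockerconfigjson` entry from there. I would reword that line to `# must be of type kubernetes.io/dockerconfigjson (e.g. created with kubectl create secret docker-registry). See`, and apply the same wording to the matching README row in the preceding hunk. The commit message states the value is already consumed by the templates, but that wiring is not visible in this diff, so it is worth confirming that every pod-creating template renders `.Values.imagePullSecrets`; a documented but unused value would leave private-registry pulls failing with no hint in the chart. Separately, the README rows regenerated in the third hunk for `clientIam`/`serverIam` carry descriptions shifted by one key (`policy` is described as the role ARN, `roleArn` as the session name, `roleSessionName` as the inline session policy) and `serverIam` still refers to `clientAuthenticationMode`, which that same hunk removes; these presumably originate from the `# --` comments on those keys elsewhere in values.yaml, outside this hunk, and since operators rely on them to place the scope-down session policy correctly they deserve a follow-up fix at the source.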