diff --git a/README.md b/README.md index aaf885c5..c75adf94 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ webmethods/terracottabigmemorymax 1.4.0 4.4.0 Terracot webmethods/terracottabigmemorymax 2.1.1 4.5.0 Terracotta BigMemory Max Helm Chart for Kubernetes webmethods/terracotta 1.0.0 < 11.1.0.12 Terracotta Helm Chart for Kubernetes webmethods/terracotta 2.0.0 >= 11.1.0.12 Terracotta Helm Chart for Kubernetes -webmethods/terracotta 3.0.0 12.x Terracotta Helm Chart for Kubernetes +webmethods/terracotta 3.1.0 12.x Terracotta Helm Chart for Kubernetes webmethods/universalmessaging 1.1.0 10.15 Universal Messaging (UM) Helm Chart for Kubernetes webmethods/apianalyticstore 1.0.0 1.0 API Analytics Store Helm Chart for Kubernetes ``` diff --git a/terracotta/helm/Chart.yaml b/terracotta/helm/Chart.yaml index c211bdf2..a0e05e2b 100644 --- a/terracotta/helm/Chart.yaml +++ b/terracotta/helm/Chart.yaml @@ -33,7 +33,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "3.0.0" +version: "3.1.0" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/terracotta/helm/README.md b/terracotta/helm/README.md index 6668a320..8b749b11 100644 --- a/terracotta/helm/README.md +++ b/terracotta/helm/README.md @@ -2,26 +2,30 @@ ## Table of Contents -- [Overview](#overview) -- [Disclaimer and Warnings](#disclaimer-and-warnings) -- [Version History](#version-history) -- [Compatibility Matrix](#compatibility-matrix) -- [Prerequisites](#prerequisites) -- [Platforms](#platforms) -- [Installation](#installation) - - [Add the Helm Repository](#add-the-helm-repository) - - [Install the Chart](#install-the-chart) - - [Verify Installation](#verify-installation) - [Configuration](#configuration) - [Upgrading](#upgrading) - [Uninstalling](#uninstalling) - [Setup Guide](#setup-guide) +- [How to use the helm chart to perform various operations](#how-to-use-the-helm-chart-to-perform-various-operations) - [Creating a new Terracotta cluster](#creating-a-new-terracotta-cluster) - - [With default settings](#with-default-settings) + - [With default settings](#with-default-settings) - [Node/Stripe scaling](#nodestripe-scaling) + - [Adding a node in all stripes of an activated cluster](#adding-a-node-in-all-stripes-of-an-activated-cluster) + - [Removing a node from all stripes of an activated cluster](#removing-a-node-from-all-stripes-of-an-activated-cluster) + - [Adding a stripe to an activated cluster](#adding-a-stripe-to-an-activated-cluster) + - [Removing a stripe from an activated cluster](#removing-a-stripe-from-an-activated-cluster) - [Running In Consistency Mode](#running-in-consistency-mode) - [Running with Security](#running-with-security) + - [Creation procedure of myrelease-terracotta-stripe-1-security-configmap](#creation-procedure-of-myrelease-terracotta-stripe-1-security-configmap) + - [Creation procedure of myrelease-terracotta-stripe-2-security-configmap](#creation-procedure-of-myrelease-terracotta-stripe-2-security-configmap) + - [Creation procedure of myrelease-tool-security-configmap](#creation-procedure-of-myrelease-tool-security-configmap) + - [Creation procedure of myrelease-tms-security-configmap](#creation-procedure-of-myrelease-tms-security-configmap) + - [REST Gateway](#rest-gateway) + - [Configuring the REST Gateway](#configuring-the-rest-gateway) + - [Running with Security](#running-with-security-1) + - [Creation procedure of myrelease-trg-security-configmap](#creation-procedure-of-myrelease-trg-security-configmap) - [F.A.Q and Troubleshooting](#faq-and-troubleshooting) +- [Values](#values) ## Overview @@ -57,11 +61,12 @@ invalidated._ ## Version History -| Version | Changes and Description | -|---------|---------------------------------------| -| `1.0.0' | Initial release | -| `2.0.0' | Support for release name in resources | -| `3.0.0' | Updated folder path (XPC) | +| Version | Changes and Description | +| ------- | ----------------------------------------------------------- | +| `1.0.0` | Initial release | +| `2.0.0` | Support for release name in resources | +| `3.0.0` | Updated folder path (XPC) | +| `3.1.0` | REST Gateway StatefulSet, Service and config volume support | ⚠️ Resources and resources names have been updated from version 1 to version to so doing a helm uninstall/install with new version 2 from version 1 will not re-use the previous PVC (data). You may need to perform a manual sync of the PVC @@ -72,10 +77,10 @@ data. ## Compatibility Matrix | NAME | CHART VERSION | APP VERSION | -| :-------------------- |:-------------:|:--------------:| +| :-------------------- | :-----------: | :------------: | | webmethods/terracotta | `1.x` | `< 11.1.0.12` | | webmethods/terracotta | `2.x` | `>= 11.1.0.12` | -| webmethods/terracotta | `3.x` | `12.x` | +| webmethods/terracotta | `3.x` | `12.x` | ## Prerequisites @@ -125,19 +130,28 @@ kubectl get services The following table lists the main configurable parameters of the Terracotta chart and their default values. -| Parameter | Description | Default | -| ----------------------- | --------------------------------------- | ------------------------- | -| `stripes` | Number of stripes in the cluster | `2` | -| `nodes` | Number of nodes per stripe | `2` | -| `offheaps` | Off-heap memory configuration | `"offheap-1:512MB"` | -| `datadirs` | Data directory configuration | `"dataroot-1,dataroot-2"` | -| `failoverPriority` | Failover priority mode | `"availability"` | -| `clusterName` | Name of the Terracotta cluster | `"my-cluster"` | -| `namespaceOverride` | Override default namespace | `""` | -| `voters` | Number of voter pods (consistency mode) | `0` | -| `security.isConfigured` | Enable security features | `false` | -| `security.sslEnabled` | Enable SSL/TLS | `"false"` | -| `security.authc` | Authentication method | `""` | +| Parameter | Description | Default | +| ------------------------------- | ---------------------------------------------------------------------------------------- | ------------------------------ | +| `stripes` | Number of stripes in the cluster | `2` | +| `nodes` | Number of nodes per stripe | `2` | +| `offheaps` | Off-heap memory configuration | `"offheap-1:512MB"` | +| `datadirs` | Data directory configuration | `"dataroot-1,dataroot-2"` | +| `failoverPriority` | Failover priority mode | `"availability"` | +| `clusterName` | Name of the Terracotta cluster | `"my-cluster"` | +| `namespaceOverride` | Override default namespace | `""` | +| `voters` | Number of voter pods (consistency mode) | `0` | +| `security.isConfigured` | Enable security features | `false` | +| `security.sslEnabled` | Enable SSL/TLS | `"false"` | +| `security.authc` | Authentication method | `""` | +| `trg.trgImage` | REST Gateway container image | `ibmwebmethods.azurecr.io/...` | +| `trg.storage` | PVC size for REST Gateway run data and audit logs | `1Gi` | +| `trg.resources` | CPU/memory resource requests and limits for the REST Gateway pod | `{}` | +| `trg.extraEnvs` | Extra environment variables for the REST Gateway pod (key/value map, `TRG_*` convention) | `{}` | +| `trg.jsonLogging` | Enable JSON logging for REST Gateway | `false` | +| `trg.jsonAuditLogging` | Enable JSON audit logging for REST Gateway | `true` | +| `trg.jsonSecurityLogging` | Enable JSON security logging for REST Gateway | `true` | +| `trg.affinity` | Pod affinity rules for the REST Gateway | | +| `trg.topologySpreadConstraints` | Pod topology spread constraints for the REST Gateway | | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example: @@ -388,149 +402,250 @@ This chart can also be used to run secure Terracotta cluster and TMS. terracotta.security.whitelist can be configured with values similar to terracotta server start up script. For ex - If only ssl is required values.yaml can be configured like following- - ``` - security: - isConfigured: true - sslEnabled: "true" - ``` + ``` + security: + isConfigured: true + sslEnabled: "true" + ``` - If ssl with authentication is required values.yaml can be configured like following - + If ssl with authentication is required values.yaml can be configured like following - - ``` - security: - isConfigured: true - sslEnabled: "true" - authc: "file" - ``` + ``` + security: + isConfigured: true + sslEnabled: "true" + authc: "file" + ``` 3. This chart requires various configmaps to be present in the namespace in which the terracotta cluster is supposed to be deployed. It contains the security root directories for various nodes of the terracotta cluster. For ex - For running 2 stripes 2 nodes secure cluster in the default namespace following configmaps need to be created in the default namespace. - ``` - myrelease-terracotta-stripe-1-security-configmap -> It should contain the security root directory for myrelease-terracotta-stripe-1. - myrelease-terracotta-stripe-2-security-configmap -> It should contain the security root directory for myrelease-terracotta-stripe-2. - myrelease-tool-security-configmap -> It should contain the client security root directory for communicating with the various terracotta server nodes. - myrelease-tms-security-configmap -> It should contain the security root directory for terracotta management server and the tms.properties file . - ``` + ``` + myrelease-terracotta-stripe-1-security-configmap -> It should contain the security root directory for myrelease-terracotta-stripe-1. + myrelease-terracotta-stripe-2-security-configmap -> It should contain the security root directory for myrelease-terracotta-stripe-2. + myrelease-tool-security-configmap -> It should contain the client security root directory for communicating with the various terracotta server nodes. + myrelease-tms-security-configmap -> It should contain the security root directory for terracotta management server and the tms.properties file. + myrelease-trg-security-configmap -> It should contain the security root directory and the rest-gateway.properties config file for the REST Gateway. + ``` - kubectl create configmap can be used for the creation of the above mentioned configmaps. + kubectl create configmap can be used for the creation of the above mentioned configmaps. - ##### Creation procedure of myrelease-terracotta-stripe-1-security-configmap +4. Once, all the below mentioned configmaps are deployed in the designated namespace inside the kubernetes cluster helm + install could be triggered. - ``` - mdh@SAG-1HXQKG3:~/Downloads/myrelease-terracotta-stripe-1-security$ ls - access-control identity trusted-authority - ``` + ``` + Note - There are two ways in which node identity certificates can be configured. + 1. Identity certificate named .jks for each node within identity folder of the security root directory could be configured. + This way during scaling up the number of nodes in a stripe, its security configmap needs to be updated everytime + before triggering helm upgrade via creation of new security.tar.gz from the updated security root directory and then finally updating the configmap + via ` kubectl create configmap myrelease-terracotta-stripe-1-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - `. - Step 1: create tar.gz file from the above directory like following - + 2. Single identity certificate for the whole stripe named wildcard.jks can be configured with CN as `*.myrelease-terracotta-stripe-..svc.cluster.local`. + This way the same certificate could be used for all the nodes in single stripe and hence there is no need to update the security configmap for the stripes in case of scaling up the number of nodes in stripes. + ``` - ``` - tar -czf security.tar.gz myrelease-terracotta-stripe-1-security - ``` +##### Creation procedure of myrelease-terracotta-stripe-1-security-configmap - Step 2 : create configmap from the security.tar.gz using following command - +``` +mdh@SAG-1HXQKG3:~/Downloads/myrelease-terracotta-stripe-1-security$ ls +access-control identity trusted-authority +``` - ``` - kubectl create configmap myrelease-terracotta-stripe-1-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - - ``` +Step 1: create tar.gz file from the above directory like following - - ##### Creation procedure of myrelease-terracotta-stripe-2-security-configmap +``` +tar -czf security.tar.gz myrelease-terracotta-stripe-1-security +``` - ``` - mdh@SAG-1HXQKG3:~/Downloads/myrelease-terracotta-stripe-2-security$ ls - access-control identity trusted-authority - ``` +Step 2 : create configmap from the security.tar.gz using following command - - Step 1: create tar.gz file from the above directory like following - +``` +kubectl create configmap myrelease-terracotta-stripe-1-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - +``` - ``` - tar -czf security.tar.gz myrelease-terracotta-stripe-2-security - ``` +##### Creation procedure of myrelease-terracotta-stripe-2-security-configmap - Step 2 : create configmap from the security.tar.gz using following command - +``` +mdh@SAG-1HXQKG3:~/Downloads/myrelease-terracotta-stripe-2-security$ ls +access-control identity trusted-authority +``` - ``` - kubectl create configmap myrelease-terracotta-stripe-2-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - - ``` +Step 1: create tar.gz file from the above directory like following - - ##### Creation procedure of myrelease-tool-security-configmap +``` +tar -czf security.tar.gz myrelease-terracotta-stripe-2-security +``` - ``` - mdh@SAG-1HXQKG3:~/Downloads/myrelease-tool-security$ ls - identity trusted-authority - ``` +Step 2 : create configmap from the security.tar.gz using following command - - Step 1: create tar.gz file from the above directory like following - +``` +kubectl create configmap myrelease-terracotta-stripe-2-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - +``` - ``` - tar -czf security.tar.gz myrelease-tool-security - ``` +##### Creation procedure of myrelease-tool-security-configmap - Step 2 : create configmap from the security.tar.gz using following command - +``` +mdh@SAG-1HXQKG3:~/Downloads/myrelease-tool-security$ ls +identity trusted-authority +``` - ``` - kubectl create configmap myrelease-tool-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - - ``` +Step 1: create tar.gz file from the above directory like following - - ##### Creation procedure of myrelease-tms-security-configmap +``` +tar -czf security.tar.gz myrelease-tool-security +``` - An additional tms.properties must also be present in myrelease-tms-security-configmap which is necessary for configuring security in TMS. For ex - +Step 2 : create configmap from the security.tar.gz using following command - - ``` - mdh@SAG-1HXQKG3:~/Downloads/myrelease-tms-security$ ls - client tms tms.properties +``` +kubectl create configmap myrelease-tool-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - +``` - tms.properties file must have following properties configured like following - +##### Creation procedure of myrelease-tms-security-configmap - # tms directory should be configured like following - tms.security.root.directory=/opt/terracotta/config/tms +An additional tms.properties must also be present in myrelease-tms-security-configmap which is necessary for configuring security in TMS. For ex - - # if audit directory is required - tms.security.audit.directory= +``` +mdh@SAG-1HXQKG3:~/Downloads/myrelease-tms-security$ ls +security tms.properties - # Whether HTTPS should be configured for connections between browsers and the TMS. - tms.security.https.enabled=true +tms.properties file must have following properties configured like following - - # client directory should be configured like following - tms.security.root.directory.connection.default=/opt/terracotta/config/client - ``` +# tms directory should be configured like following +tms.security.root.directory=/opt/terracotta/config/security/tms - Next create a tar.gz for security folder like following - +# if audit directory is required +tms.security.audit.directory= - ``` - mdh@SAG-1HXQKG3:~/Downloads/myrelease-tms-security$ tar -czf security.tar.gz . - This is necessary since the docker container for tms looks for tms.properties file inside /opt/softwareag/config inside container. - ``` +# Whether HTTPS should be configured for connections between browsers and the TMS. +tms.security.https.enabled=true - ``` - Note- The directory names for creating security.tar.gz i.e myrelease-terracotta-stripe-1-security, myrelease-tool-security etc. must be as its shown in - the above example because these are the names that's used internally by terracotta operator. - ``` +# client directory should be configured like following +tms.security.root.directory.connection.default=/opt/terracotta/config/security/cluster +``` -4. Once, all the above mentioned configmaps are deployed in the designated namespace inside the kubernetes cluster helm - install could be triggered. +The `security` folder layout is as follow: ``` -Note - There are two ways in which node identity certificates can be configured. -1. Identity certificate named .jks for each node within identity folder of the security root directory could be configured. - This way during scaling up the number of nodes in a stripe, its security configmap needs to be updated everytime - before triggering helm upgrade via creation of new security.tar.gz from the updated security root directory and then finally updating the configmap - via ` kubectl create configmap myrelease-terracotta-stripe-1-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - `. +security/ + tms/ + cluster/ + identity/ + trusted-authority/ +``` -2. Single identity certificate for the whole stripe named wildcard.jks can be configured with CN as `*.myrelease-terracotta-stripe-..svc.cluster.local`. - This way the same certificate could be used for all the nodes in single stripe and hence there is no need to update the security configmap for the stripes in case of scaling up the number of nodes in stripes. +Next create a tar.gz for security folder like following - + +``` +mdh@SAG-1HXQKG3:~/Downloads/myrelease-tms-security$ tar -czf security.tar.gz . +This is necessary since the docker container for tms looks for tms.properties file inside /opt/softwareag/config inside container. +``` + +``` +Note- The directory names for creating security.tar.gz i.e myrelease-terracotta-stripe-1-security, myrelease-tool-security etc. must be as its shown in +the above example because these are the names that's used internally by terracotta operator. +``` + +### REST Gateway + +The Terracotta REST Gateway provides a REST API frontend for Terracotta Ehcache 3 and Terracotta Store. +It is deployed as a StatefulSet (one replica) with a PVC for audit logs and runtime data under `/opt/terracotta/run`. + +After a default install the following additional resources appear: + +``` +kubectl get statefulsets +NAME READY AGE +myrelease-trg 1/1 14m + +kubectl get pvc +NAME STATUS CAPACITY ACCESS MODES +trgdata-myrelease-trg-0 Bound 1Gi RWO + +kubectl get svc +NAME TYPE CLUSTER-IP PORT(S) +myrelease-trg-service ClusterIP None 8080/TCP +``` + +#### Configuring the REST Gateway + +The REST Gateway is configured entirely through environment variables using the `TRG_*` convention +(Spring Boot property `trg.connection.url` → env var `TRG_CONNECTION_URL`). A configuration file +is not required. The connection URL to the Terracotta cluster is set automatically by the chart. + +Use `trg.extraEnvs` to pass any additional settings: + +```yaml +trg: + extraEnvs: + TRG_HTTP_FIREWALL: "false" + LOGGING_LEVEL_COM_TERRACOTTATECH_API: DEBUG +``` + +#### Running with Security + +When `terracotta.security.isConfigured=true`, an init container unpacks a `security.tar.gz` +archive into `/opt/terracotta/config` before the REST Gateway starts. The chart expects a +ConfigMap named `-trg-security-configmap` in the same namespace. + +The security archive works exactly like the TMS one: it contains the security root directory +**and** the `rest-gateway.properties` application config file. The init container extracts +everything into `/opt/terracotta/config`. + +##### Creation procedure of myrelease-trg-security-configmap + +Prepare the security folder together with the application config file: + +``` +myrelease-trg-security/ + security/ + trg/ + cluster/ + identity/ # REST Gateway node identity + trusted-authority/ + rest-gateway.properties # application config (optional, placed alongside the security folder) +``` + +A minimal `rest-gateway.properties` pointing at the security root: + +```properties +trg.security.cluster.secure.dir=/opt/terracotta/config/security/cluster +``` + +Step 1 — create the archive from the directory containing both the security folder and the +properties file: + +```bash +tar -czf security.tar.gz myrelease-trg-security/* +``` + +Step 2 — create the ConfigMap: + +```bash +kubectl create configmap myrelease-trg-security-configmap \ + --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - +``` + +After the init container runs, the layout inside the pod is: + +``` +/opt/terracotta/config/security/cluster/identity/ +/opt/terracotta/config/security/cluster/trusted-authority/ +/opt/terracotta/config/rest-gateway.properties ``` ## F.A.Q and Troubleshooting -1. Please ensure that operator have enough permission to create all the kubernetes resource in the cluster. + +1. Please ensure that operator have enough permission to create all the kubernetes resource in the cluster. 2. User should also ensure they have enough permission to install crds in the cluster. + ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| extraEnvs | string | `nil` | Exta environment properties to be passed on to the terracotta runtime extraEnvs: name: extraEnvironmentVariable value: "myvalue" | +| extraEnvs | string | `nil` | Extra environment properties to be passed on to the terracotta runtime extraEnvs: name: extraEnvironmentVariable value: "myvalue" | | extraLabels | object | `{}` | Extra Labels | | fullnameOverride | string | `""` | | | imagePullSecrets | list | `[{"name":"regcred"}]` | Image pull secret reference. By default looks for `regcred`. | @@ -546,6 +661,7 @@ Note - There are two ways in which node identity certificates can be configured. | terracotta.affinity | string | `nil` | Configure pod affinity for terracotta server | | terracotta.clusterName | string | `"my-cluster"` | | | terracotta.datadirs | string | `"dataroot-1,dataroot-2"` | | +| terracotta.extraEnvs | string | `nil` | Extra environment properties to be passed to the container | | terracotta.failoverPriority | string | `"availability"` | | | terracotta.jsonAuditLogging | bool | `true` | | | terracotta.jsonLogging | bool | `false` | | @@ -565,11 +681,13 @@ Note - There are two ways in which node identity certificates can be configured. | terracotta.voterImage | string | `"ibmwebmethods.azurecr.io/terracotta-voter"` | | | terracotta.voters | int | `0` | | | terracottaOperator.connectionTimeout | string | `"30s"` | | +| terracottaOperator.extraEnvs | string | `nil` | Extra environment properties to be passed to the container | | terracottaOperator.operatorImage | string | `"ibmwebmethods.azurecr.io/terracotta-operator"` | | | terracottaOperator.requestTimeout | string | `"30s"` | | | terracottaOperator.serviceAccount.create | bool | `true` | | | terracottaOperator.serviceAccount.name | string | `""` | | | tms.affinity | string | `nil` | Configure pod affinity for tms server | +| tms.extraEnvs | string | `nil` | Extra environment properties to be passed to the container | | tms.jsonAuditLogging | bool | `true` | | | tms.jsonLogging | bool | `false` | | | tms.jsonSecurityLogging | bool | `true` | | @@ -577,7 +695,13 @@ Note - There are two ways in which node identity certificates can be configured. | tms.storage | string | `"5Gi"` | | | tms.tmsImage | string | `"ibmwebmethods.azurecr.io/terracotta-management-server"` | | | tms.topologySpreadConstraints | string | `nil` | Configure pod topologySpreadConstraints for tms server | +| trg.affinity | string | `nil` | Configure pod affinity for the REST gateway | +| trg.connectionTimeout | string | `"604800"` | Connection timeout before failing the server. This is currently not possible to set it to infinite using 0 (issue: TDB-21419). | +| trg.extraEnvs | string | `nil` | Extra environment properties to be passed to the container | | trg.jsonAuditLogging | bool | `true` | | | trg.jsonLogging | bool | `false` | | | trg.jsonSecurityLogging | bool | `true` | | +| trg.resources | object | `{}` | | +| trg.storage | string | `"1Gi"` | | +| trg.topologySpreadConstraints | string | `nil` | Configure pod topologySpreadConstraints for the REST gateway | | trg.trgImage | string | `"ibmwebmethods.azurecr.io/terracotta-rest-gateway"` | | diff --git a/terracotta/helm/README.md.gotmpl b/terracotta/helm/README.md.gotmpl index 7ab4f5ff..667b31e7 100644 --- a/terracotta/helm/README.md.gotmpl +++ b/terracotta/helm/README.md.gotmpl @@ -2,26 +2,30 @@ ## Table of Contents -- [Overview](#overview) -- [Disclaimer and Warnings](#disclaimer-and-warnings) -- [Version History](#version-history) -- [Compatibility Matrix](#compatibility-matrix) -- [Prerequisites](#prerequisites) -- [Platforms](#platforms) -- [Installation](#installation) - - [Add the Helm Repository](#add-the-helm-repository) - - [Install the Chart](#install-the-chart) - - [Verify Installation](#verify-installation) - [Configuration](#configuration) - [Upgrading](#upgrading) - [Uninstalling](#uninstalling) - [Setup Guide](#setup-guide) +- [How to use the helm chart to perform various operations](#how-to-use-the-helm-chart-to-perform-various-operations) - [Creating a new Terracotta cluster](#creating-a-new-terracotta-cluster) - - [With default settings](#with-default-settings) + - [With default settings](#with-default-settings) - [Node/Stripe scaling](#nodestripe-scaling) + - [Adding a node in all stripes of an activated cluster](#adding-a-node-in-all-stripes-of-an-activated-cluster) + - [Removing a node from all stripes of an activated cluster](#removing-a-node-from-all-stripes-of-an-activated-cluster) + - [Adding a stripe to an activated cluster](#adding-a-stripe-to-an-activated-cluster) + - [Removing a stripe from an activated cluster](#removing-a-stripe-from-an-activated-cluster) - [Running In Consistency Mode](#running-in-consistency-mode) - [Running with Security](#running-with-security) + - [Creation procedure of myrelease-terracotta-stripe-1-security-configmap](#creation-procedure-of-myrelease-terracotta-stripe-1-security-configmap) + - [Creation procedure of myrelease-terracotta-stripe-2-security-configmap](#creation-procedure-of-myrelease-terracotta-stripe-2-security-configmap) + - [Creation procedure of myrelease-tool-security-configmap](#creation-procedure-of-myrelease-tool-security-configmap) + - [Creation procedure of myrelease-tms-security-configmap](#creation-procedure-of-myrelease-tms-security-configmap) + - [REST Gateway](#rest-gateway) + - [Configuring the REST Gateway](#configuring-the-rest-gateway) + - [Running with Security](#running-with-security-1) + - [Creation procedure of myrelease-trg-security-configmap](#creation-procedure-of-myrelease-trg-security-configmap) - [F.A.Q and Troubleshooting](#faq-and-troubleshooting) +- [Values](#values) ## Overview @@ -57,11 +61,12 @@ invalidated._ ## Version History -| Version | Changes and Description | -|---------|---------------------------------------| -| `1.0.0' | Initial release | -| `2.0.0' | Support for release name in resources | -| `3.0.0' | Updated folder path (XPC) | +| Version | Changes and Description | +| ------- | ----------------------------------------------------------- | +| `1.0.0` | Initial release | +| `2.0.0` | Support for release name in resources | +| `3.0.0` | Updated folder path (XPC) | +| `3.1.0` | REST Gateway StatefulSet, Service and config volume support | ⚠️ Resources and resources names have been updated from version 1 to version to so doing a helm uninstall/install with new version 2 from version 1 will not re-use the previous PVC (data). You may need to perform a manual sync of the PVC @@ -72,10 +77,10 @@ data. ## Compatibility Matrix | NAME | CHART VERSION | APP VERSION | -| :-------------------- |:-------------:|:--------------:| +| :-------------------- | :-----------: | :------------: | | webmethods/terracotta | `1.x` | `< 11.1.0.12` | | webmethods/terracotta | `2.x` | `>= 11.1.0.12` | -| webmethods/terracotta | `3.x` | `12.x` | +| webmethods/terracotta | `3.x` | `12.x` | ## Prerequisites @@ -125,19 +130,28 @@ kubectl get services The following table lists the main configurable parameters of the Terracotta chart and their default values. -| Parameter | Description | Default | -| ----------------------- | --------------------------------------- | ------------------------- | -| `stripes` | Number of stripes in the cluster | `2` | -| `nodes` | Number of nodes per stripe | `2` | -| `offheaps` | Off-heap memory configuration | `"offheap-1:512MB"` | -| `datadirs` | Data directory configuration | `"dataroot-1,dataroot-2"` | -| `failoverPriority` | Failover priority mode | `"availability"` | -| `clusterName` | Name of the Terracotta cluster | `"my-cluster"` | -| `namespaceOverride` | Override default namespace | `""` | -| `voters` | Number of voter pods (consistency mode) | `0` | -| `security.isConfigured` | Enable security features | `false` | -| `security.sslEnabled` | Enable SSL/TLS | `"false"` | -| `security.authc` | Authentication method | `""` | +| Parameter | Description | Default | +| ------------------------------- | ---------------------------------------------------------------------------------------- | ------------------------------ | +| `stripes` | Number of stripes in the cluster | `2` | +| `nodes` | Number of nodes per stripe | `2` | +| `offheaps` | Off-heap memory configuration | `"offheap-1:512MB"` | +| `datadirs` | Data directory configuration | `"dataroot-1,dataroot-2"` | +| `failoverPriority` | Failover priority mode | `"availability"` | +| `clusterName` | Name of the Terracotta cluster | `"my-cluster"` | +| `namespaceOverride` | Override default namespace | `""` | +| `voters` | Number of voter pods (consistency mode) | `0` | +| `security.isConfigured` | Enable security features | `false` | +| `security.sslEnabled` | Enable SSL/TLS | `"false"` | +| `security.authc` | Authentication method | `""` | +| `trg.trgImage` | REST Gateway container image | `ibmwebmethods.azurecr.io/...` | +| `trg.storage` | PVC size for REST Gateway run data and audit logs | `1Gi` | +| `trg.resources` | CPU/memory resource requests and limits for the REST Gateway pod | `{}` | +| `trg.extraEnvs` | Extra environment variables for the REST Gateway pod (key/value map, `TRG_*` convention) | `{}` | +| `trg.jsonLogging` | Enable JSON logging for REST Gateway | `false` | +| `trg.jsonAuditLogging` | Enable JSON audit logging for REST Gateway | `true` | +| `trg.jsonSecurityLogging` | Enable JSON security logging for REST Gateway | `true` | +| `trg.affinity` | Pod affinity rules for the REST Gateway | | +| `trg.topologySpreadConstraints` | Pod topology spread constraints for the REST Gateway | | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example: @@ -388,142 +402,243 @@ This chart can also be used to run secure Terracotta cluster and TMS. terracotta.security.whitelist can be configured with values similar to terracotta server start up script. For ex - If only ssl is required values.yaml can be configured like following- - ``` - security: - isConfigured: true - sslEnabled: "true" - ``` + ``` + security: + isConfigured: true + sslEnabled: "true" + ``` - If ssl with authentication is required values.yaml can be configured like following - + If ssl with authentication is required values.yaml can be configured like following - - ``` - security: - isConfigured: true - sslEnabled: "true" - authc: "file" - ``` + ``` + security: + isConfigured: true + sslEnabled: "true" + authc: "file" + ``` 3. This chart requires various configmaps to be present in the namespace in which the terracotta cluster is supposed to be deployed. It contains the security root directories for various nodes of the terracotta cluster. For ex - For running 2 stripes 2 nodes secure cluster in the default namespace following configmaps need to be created in the default namespace. - ``` - myrelease-terracotta-stripe-1-security-configmap -> It should contain the security root directory for myrelease-terracotta-stripe-1. - myrelease-terracotta-stripe-2-security-configmap -> It should contain the security root directory for myrelease-terracotta-stripe-2. - myrelease-tool-security-configmap -> It should contain the client security root directory for communicating with the various terracotta server nodes. - myrelease-tms-security-configmap -> It should contain the security root directory for terracotta management server and the tms.properties file . - ``` + ``` + myrelease-terracotta-stripe-1-security-configmap -> It should contain the security root directory for myrelease-terracotta-stripe-1. + myrelease-terracotta-stripe-2-security-configmap -> It should contain the security root directory for myrelease-terracotta-stripe-2. + myrelease-tool-security-configmap -> It should contain the client security root directory for communicating with the various terracotta server nodes. + myrelease-tms-security-configmap -> It should contain the security root directory for terracotta management server and the tms.properties file. + myrelease-trg-security-configmap -> It should contain the security root directory and the rest-gateway.properties config file for the REST Gateway. + ``` - kubectl create configmap can be used for the creation of the above mentioned configmaps. + kubectl create configmap can be used for the creation of the above mentioned configmaps. - ##### Creation procedure of myrelease-terracotta-stripe-1-security-configmap +4. Once, all the below mentioned configmaps are deployed in the designated namespace inside the kubernetes cluster helm + install could be triggered. - ``` - mdh@SAG-1HXQKG3:~/Downloads/myrelease-terracotta-stripe-1-security$ ls - access-control identity trusted-authority - ``` + ``` + Note - There are two ways in which node identity certificates can be configured. + 1. Identity certificate named .jks for each node within identity folder of the security root directory could be configured. + This way during scaling up the number of nodes in a stripe, its security configmap needs to be updated everytime + before triggering helm upgrade via creation of new security.tar.gz from the updated security root directory and then finally updating the configmap + via ` kubectl create configmap myrelease-terracotta-stripe-1-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - `. - Step 1: create tar.gz file from the above directory like following - + 2. Single identity certificate for the whole stripe named wildcard.jks can be configured with CN as `*.myrelease-terracotta-stripe-..svc.cluster.local`. + This way the same certificate could be used for all the nodes in single stripe and hence there is no need to update the security configmap for the stripes in case of scaling up the number of nodes in stripes. + ``` - ``` - tar -czf security.tar.gz myrelease-terracotta-stripe-1-security - ``` +##### Creation procedure of myrelease-terracotta-stripe-1-security-configmap - Step 2 : create configmap from the security.tar.gz using following command - +``` +mdh@SAG-1HXQKG3:~/Downloads/myrelease-terracotta-stripe-1-security$ ls +access-control identity trusted-authority +``` - ``` - kubectl create configmap myrelease-terracotta-stripe-1-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - - ``` +Step 1: create tar.gz file from the above directory like following - - ##### Creation procedure of myrelease-terracotta-stripe-2-security-configmap +``` +tar -czf security.tar.gz myrelease-terracotta-stripe-1-security +``` - ``` - mdh@SAG-1HXQKG3:~/Downloads/myrelease-terracotta-stripe-2-security$ ls - access-control identity trusted-authority - ``` +Step 2 : create configmap from the security.tar.gz using following command - - Step 1: create tar.gz file from the above directory like following - +``` +kubectl create configmap myrelease-terracotta-stripe-1-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - +``` - ``` - tar -czf security.tar.gz myrelease-terracotta-stripe-2-security - ``` +##### Creation procedure of myrelease-terracotta-stripe-2-security-configmap - Step 2 : create configmap from the security.tar.gz using following command - +``` +mdh@SAG-1HXQKG3:~/Downloads/myrelease-terracotta-stripe-2-security$ ls +access-control identity trusted-authority +``` - ``` - kubectl create configmap myrelease-terracotta-stripe-2-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - - ``` +Step 1: create tar.gz file from the above directory like following - - ##### Creation procedure of myrelease-tool-security-configmap +``` +tar -czf security.tar.gz myrelease-terracotta-stripe-2-security +``` - ``` - mdh@SAG-1HXQKG3:~/Downloads/myrelease-tool-security$ ls - identity trusted-authority - ``` +Step 2 : create configmap from the security.tar.gz using following command - - Step 1: create tar.gz file from the above directory like following - +``` +kubectl create configmap myrelease-terracotta-stripe-2-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - +``` - ``` - tar -czf security.tar.gz myrelease-tool-security - ``` +##### Creation procedure of myrelease-tool-security-configmap - Step 2 : create configmap from the security.tar.gz using following command - +``` +mdh@SAG-1HXQKG3:~/Downloads/myrelease-tool-security$ ls +identity trusted-authority +``` - ``` - kubectl create configmap myrelease-tool-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - - ``` +Step 1: create tar.gz file from the above directory like following - - ##### Creation procedure of myrelease-tms-security-configmap +``` +tar -czf security.tar.gz myrelease-tool-security +``` - An additional tms.properties must also be present in myrelease-tms-security-configmap which is necessary for configuring security in TMS. For ex - +Step 2 : create configmap from the security.tar.gz using following command - - ``` - mdh@SAG-1HXQKG3:~/Downloads/myrelease-tms-security$ ls - client tms tms.properties +``` +kubectl create configmap myrelease-tool-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - +``` - tms.properties file must have following properties configured like following - +##### Creation procedure of myrelease-tms-security-configmap - # tms directory should be configured like following - tms.security.root.directory=/opt/terracotta/config/tms +An additional tms.properties must also be present in myrelease-tms-security-configmap which is necessary for configuring security in TMS. For ex - - # if audit directory is required - tms.security.audit.directory= +``` +mdh@SAG-1HXQKG3:~/Downloads/myrelease-tms-security$ ls +security tms.properties - # Whether HTTPS should be configured for connections between browsers and the TMS. - tms.security.https.enabled=true +tms.properties file must have following properties configured like following - - # client directory should be configured like following - tms.security.root.directory.connection.default=/opt/terracotta/config/client - ``` +# tms directory should be configured like following +tms.security.root.directory=/opt/terracotta/config/security/tms - Next create a tar.gz for security folder like following - +# if audit directory is required +tms.security.audit.directory= - ``` - mdh@SAG-1HXQKG3:~/Downloads/myrelease-tms-security$ tar -czf security.tar.gz . - This is necessary since the docker container for tms looks for tms.properties file inside /opt/softwareag/config inside container. - ``` +# Whether HTTPS should be configured for connections between browsers and the TMS. +tms.security.https.enabled=true - ``` - Note- The directory names for creating security.tar.gz i.e myrelease-terracotta-stripe-1-security, myrelease-tool-security etc. must be as its shown in - the above example because these are the names that's used internally by terracotta operator. - ``` +# client directory should be configured like following +tms.security.root.directory.connection.default=/opt/terracotta/config/security/cluster +``` -4. Once, all the above mentioned configmaps are deployed in the designated namespace inside the kubernetes cluster helm - install could be triggered. +The `security` folder layout is as follow: ``` -Note - There are two ways in which node identity certificates can be configured. -1. Identity certificate named .jks for each node within identity folder of the security root directory could be configured. - This way during scaling up the number of nodes in a stripe, its security configmap needs to be updated everytime - before triggering helm upgrade via creation of new security.tar.gz from the updated security root directory and then finally updating the configmap - via ` kubectl create configmap myrelease-terracotta-stripe-1-security-configmap --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - `. +security/ + tms/ + cluster/ + identity/ + trusted-authority/ +``` -2. Single identity certificate for the whole stripe named wildcard.jks can be configured with CN as `*.myrelease-terracotta-stripe-..svc.cluster.local`. - This way the same certificate could be used for all the nodes in single stripe and hence there is no need to update the security configmap for the stripes in case of scaling up the number of nodes in stripes. +Next create a tar.gz for security folder like following - + +``` +mdh@SAG-1HXQKG3:~/Downloads/myrelease-tms-security$ tar -czf security.tar.gz . +This is necessary since the docker container for tms looks for tms.properties file inside /opt/softwareag/config inside container. +``` + +``` +Note- The directory names for creating security.tar.gz i.e myrelease-terracotta-stripe-1-security, myrelease-tool-security etc. must be as its shown in +the above example because these are the names that's used internally by terracotta operator. +``` + +### REST Gateway + +The Terracotta REST Gateway provides a REST API frontend for Terracotta Ehcache 3 and Terracotta Store. +It is deployed as a StatefulSet (one replica) with a PVC for audit logs and runtime data under `/opt/terracotta/run`. + +After a default install the following additional resources appear: + +``` +kubectl get statefulsets +NAME READY AGE +myrelease-trg 1/1 14m + +kubectl get pvc +NAME STATUS CAPACITY ACCESS MODES +trgdata-myrelease-trg-0 Bound 1Gi RWO + +kubectl get svc +NAME TYPE CLUSTER-IP PORT(S) +myrelease-trg-service ClusterIP None 8080/TCP +``` + +#### Configuring the REST Gateway + +The REST Gateway is configured entirely through environment variables using the `TRG_*` convention +(Spring Boot property `trg.connection.url` → env var `TRG_CONNECTION_URL`). A configuration file +is not required. The connection URL to the Terracotta cluster is set automatically by the chart. + +Use `trg.extraEnvs` to pass any additional settings: + +```yaml +trg: + extraEnvs: + TRG_HTTP_FIREWALL: "false" + LOGGING_LEVEL_COM_TERRACOTTATECH_API: DEBUG +``` + +#### Running with Security + +When `terracotta.security.isConfigured=true`, an init container unpacks a `security.tar.gz` +archive into `/opt/terracotta/config` before the REST Gateway starts. The chart expects a +ConfigMap named `-trg-security-configmap` in the same namespace. + +The security archive works exactly like the TMS one: it contains the security root directory +**and** the `rest-gateway.properties` application config file. The init container extracts +everything into `/opt/terracotta/config`. + +##### Creation procedure of myrelease-trg-security-configmap + +Prepare the security folder together with the application config file: + +``` +myrelease-trg-security/ + security/ + trg/ + cluster/ + identity/ # REST Gateway node identity + trusted-authority/ + rest-gateway.properties # application config (optional, placed alongside the security folder) +``` + +A minimal `rest-gateway.properties` pointing at the security root: + +```properties +trg.security.cluster.secure.dir=/opt/terracotta/config/security/cluster +``` + +Step 1 — create the archive from the directory containing both the security folder and the +properties file: + +```bash +tar -czf security.tar.gz myrelease-trg-security/* +``` + +Step 2 — create the ConfigMap: + +```bash +kubectl create configmap myrelease-trg-security-configmap \ + --from-file security.tar.gz -o yaml --dry-run=client | kubectl apply -f - +``` + +After the init container runs, the layout inside the pod is: + +``` +/opt/terracotta/config/security/cluster/identity/ +/opt/terracotta/config/security/cluster/trusted-authority/ +/opt/terracotta/config/rest-gateway.properties ``` ## F.A.Q and Troubleshooting -1. Please ensure that operator have enough permission to create all the kubernetes resource in the cluster. + +1. Please ensure that operator have enough permission to create all the kubernetes resource in the cluster. 2. User should also ensure they have enough permission to install crds in the cluster. + {{ template "chart.valuesSection" . }} diff --git a/terracotta/helm/templates/operator/deployment.yaml b/terracotta/helm/templates/operator/deployment.yaml index d91c0c6a..e56a2591 100644 --- a/terracotta/helm/templates/operator/deployment.yaml +++ b/terracotta/helm/templates/operator/deployment.yaml @@ -62,6 +62,10 @@ spec: - name: {{ $key }} value: {{ $val }} {{- end }} + {{- range $key, $val := .Values.terracottaOperator.extraEnvs }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} serviceAccountName: {{ template "kube-terracotta.operator.serviceAccountName" . }} {{- with .Values.imagePullSecrets }} diff --git a/terracotta/helm/templates/terracotta.yaml b/terracotta/helm/templates/terracotta.yaml index 19c46c54..0a856864 100644 --- a/terracotta/helm/templates/terracotta.yaml +++ b/terracotta/helm/templates/terracotta.yaml @@ -61,6 +61,10 @@ spec: - name: {{ $key }} value: {{ $val }} {{- end }} + {{- range $key, $val := .Values.terracotta.extraEnvs }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} {{- if (gt (int .Values.terracotta.voters) 0) }} voters: {{ .Values.terracotta.voters }} {{- end }} diff --git a/terracotta/helm/templates/tms-statefulset.yaml b/terracotta/helm/templates/tms-statefulset.yaml index 0818c452..83a0692c 100644 --- a/terracotta/helm/templates/tms-statefulset.yaml +++ b/terracotta/helm/templates/tms-statefulset.yaml @@ -65,6 +65,10 @@ spec: - name: {{ $key }} value: {{ $val }} {{- end }} + {{- range $key, $val := .Values.tms.extraEnvs }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} ports: - name: tmc-port containerPort: 9480 diff --git a/terracotta/helm/templates/trg-service.yaml b/terracotta/helm/templates/trg-service.yaml new file mode 100644 index 00000000..46d6c4d2 --- /dev/null +++ b/terracotta/helm/templates/trg-service.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kube-terracotta.fullname" . }}-trg-service + namespace: {{ template "kube-terracotta.namespace" . }} + labels: + app: "trg" + {{- include "common.labels.standard" . | nindent 4 }} + {{- include "kube-terracotta.labels" . | nindent 4 }} + {{- with .Values.extraLabels -}} + {{ toYaml . | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + ports: + - name: trg-port + port: 8080 + selector: + app: "trg" diff --git a/terracotta/helm/templates/trg-statefulset.yaml b/terracotta/helm/templates/trg-statefulset.yaml new file mode 100644 index 00000000..e24906b0 --- /dev/null +++ b/terracotta/helm/templates/trg-statefulset.yaml @@ -0,0 +1,109 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "kube-terracotta.fullname" . }}-trg + namespace: {{ template "kube-terracotta.namespace" . }} + labels: + app: "trg" + {{- include "common.labels.standard" . | nindent 4 }} + {{- include "kube-terracotta.labels" . | nindent 4 }} + {{- with .Values.extraLabels -}} + {{ toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: "trg" + serviceName: {{ template "kube-terracotta.fullname" . }}-trg-service + template: + metadata: + labels: + app: "trg" + spec: + securityContext: + {{- toYaml .Values.securityContext | nindent 8 }} + serviceAccountName: {{ template "kube-terracotta.fullname" . }}-sa + {{- with .Values.trg.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.trg.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.terracotta.security.isConfigured }} + initContainers: + - name: "trg-server-init" + image: busybox:latest + imagePullPolicy: {{ .Values.pullPolicy }} + command: ["/bin/sh", "-c", "tar -xzf /certs/trg/security.tar.gz --directory /opt/terracotta/config"] + volumeMounts: + - name: trg-security-volume + mountPath: /certs/trg + - name: emptydir + mountPath: /opt/terracotta/config + {{- end }} + containers: + - name: "trg-server" + image: "{{ $.Values.trg.trgImage }}:{{ $.Values.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.pullPolicy }} + env: + - name: TRG_CONNECTION_URL + value: "terracotta://{{ template "serverUrl" . }}" + - name: TRG_CONFIG_FILE + value: "/opt/terracotta/config/rest-gateway.properties" + - name: TRG_CONNECTION_TIMEOUT + value: {{ .Values.trg.connectionTimeout | quote }} + - name: "JSON_LOGGING" + value: {{ .Values.trg.jsonLogging | quote }} + - name: "JSON_LOGGING_AUDIT" + value: {{ .Values.trg.jsonAuditLogging | quote }} + - name: "JSON_LOGGING_SECURITY" + value: {{ .Values.trg.jsonSecurityLogging | quote }} + {{- range $key, $val := .Values.extraEnvs }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} + {{- range $key, $val := .Values.tms.extraEnvs }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} + ports: + - name: trg-port + containerPort: 8080 + volumeMounts: + - name: trgdata + mountPath: /opt/terracotta/run + {{- if .Values.terracotta.security.isConfigured }} + - name: emptydir + mountPath: /opt/terracotta/config + {{- end }} + {{- if .Values.trg.resources }} + resources: +{{ toYaml .Values.trg.resources | indent 12 }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.terracotta.security.isConfigured }} + volumes: + - name: trg-security-volume + configMap: + name: {{ template "kube-terracotta.fullname" . }}-trg-security-configmap + - name: emptydir + emptyDir: + {{- end }} + volumeClaimTemplates: + - metadata: + name: trgdata + spec: + volumeMode: "Filesystem" + accessModes: [ "ReadWriteOnce" ] + {{- if .Values.storageClass }} + storageClassName: {{ .Values.storageClass }} + {{- end }} + resources: + requests: + storage: {{ .Values.trg.storage }} diff --git a/terracotta/helm/values.yaml b/terracotta/helm/values.yaml index f244fb15..045572e8 100644 --- a/terracotta/helm/values.yaml +++ b/terracotta/helm/values.yaml @@ -19,7 +19,7 @@ securityContext: # -- Extra Labels extraLabels: {} -# -- Exta environment properties to be passed on to the terracotta runtime +# -- Extra environment properties to be passed on to the terracotta runtime # extraEnvs: # name: extraEnvironmentVariable # value: "myvalue" @@ -37,6 +37,8 @@ terracottaOperator: name: "" connectionTimeout: "30s" requestTimeout: "30s" + # -- Extra environment properties to be passed to the container + extraEnvs: terracotta: serverImage: "ibmwebmethods.azurecr.io/terracotta-server" @@ -67,6 +69,8 @@ terracotta: affinity: # -- Configure pod topologySpreadConstraints for terracotta server topologySpreadConstraints: + # -- Extra environment properties to be passed to the container + extraEnvs: tms: tmsImage: "ibmwebmethods.azurecr.io/terracotta-management-server" @@ -75,6 +79,8 @@ tms: jsonSecurityLogging: true storage: 5Gi resources: {} + # -- Extra environment properties to be passed to the container + extraEnvs: # limits: # memory: 16Gi # requests: @@ -89,4 +95,19 @@ trg: trgImage: "ibmwebmethods.azurecr.io/terracotta-rest-gateway" jsonLogging: false jsonAuditLogging: true - jsonSecurityLogging: true \ No newline at end of file + jsonSecurityLogging: true + # -- Connection timeout before failing the server. This is currently not possible to set it to infinite using 0 (issue: TDB-21419). + connectionTimeout: "604800" + storage: 1Gi + resources: {} + # -- Extra environment properties to be passed to the container + extraEnvs: + # limits: + # memory: 2Gi + # requests: + # memory: 512Mi + + # -- Configure pod affinity for the REST gateway + affinity: + # -- Configure pod topologySpreadConstraints for the REST gateway + topologySpreadConstraints: