2.2.2-0.1.0 • Published 5 years ago

@helm-charts/bitnami-etcd v2.2.2-0.1.0

Weekly downloads: 1
License: MIT
Repository: -
Last release: 5 years ago

@helm-charts/bitnami-etcd

etcd is a distributed key value store that provides a reliable way to store data across a cluster of machines

| Field | Value |
|---|---|
| Repository Name | bitnami |
| Chart Name | etcd |
| Chart Version | 2.2.2 |
| NPM Package Version | 0.1.0 |

## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
##
# global:
#   imageRegistry: myRegistryName
#   imagePullSecrets:
#     - myRegistryKeySecretName

## Bitnami etcd image version
## ref: https://hub.docker.com/r/bitnami/etcd/tags/
##
image:
  registry: docker.io
  repository: bitnami/etcd
  tag: 3.3.12
  ## Specify an imagePullPolicy
  ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
  ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
  ##
  pullPolicy: Always
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ##
  # pullSecrets:
  #   - myRegistryKeySecretName

  ## Set to true if you would like to see extra information on logs
  ## It turns on BASH and NAMI debugging in minideb
  ## ref:  https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging
  debug: false

statefulset:
  ## Update strategy, can be set to RollingUpdate or OnDelete by default.
  ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
  ##
  updateStrategy: RollingUpdate
  ## Partition update strategy
  ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
  ##
  # rollingUpdatePartition:
  ## Pod management policy
  ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
  ##
  podManagementPolicy: OrderedReady
  ## Number of replicas
  ##
  replicaCount: 1

## ConfigMap that includes the etcd.conf.yml file
##
# configFileConfigMap:

## ConfigMap that includes extra environment variables
##
# envVarsConfigMap:

## etcd docker image available customizations
## https://github.com/bitnami/bitnami-docker-etcd#configuration
##
## Allow to use etcd without configuring RBAC authentication
allowNoneAuthentication: true

## Authentication parameters
## https://github.com/bitnami/bitnami-docker-etcd#security
##
auth:
  rbac:
    enabled: true
    ## etcd root user password. The root user is always `root`.
    # rootPassword:
    ## Name of the existing secret containing credentials for the root user.
    # existingSecret:

  client:
    ## Switch to encrypt client communication using TLS certificates
    secureTransport: false
    ## Switch to automatically create the TLS certificates
    useAutoTLS: false
    ## Switch to enable host authentication using TLS certificates. Requires existing secret.
    enableAuthentication: false
    ## Name of the existing secret containing cert files for client communication.
    # existingSecret:

  peer:
    ## Switch to encrypt peer communication using TLS certificates
    secureTransport: false
    ## Switch to automatically create the TLS certificates
    useAutoTLS: false
    ## Switch to enable host authentication using TLS certificates. Requires existing secret.
    enableAuthentication: false
    ## Name of the existing secret containing cert files for peer communication.
    # existingSecret:

## Kubernetes Security Context
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
securityContext:
  enabled: true
  fsGroup: 1001
  runAsUser: 1001

## Kubernetes configuration
## For minikube, set this to NodePort, elsewhere use LoadBalancer
##
service:
  dnsBase: svc.cluster.local
  type: ClusterIP
  port: 2379
  ## Specify the nodePort value for the LoadBalancer and NodePort service types for the client port
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
  ##
  # nodePort:
  peerPort: 2380
  ## Specify the nodePort value for the LoadBalancer and NodePort service types for the peer port
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
  ##
  # peerNodePort:
  ## Provide any additional annotations which may be required. This can be used to
  ## set the LoadBalancer service type to internal only.
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
  ##
  annotations: {}
  ## Use loadBalancerIP to request a specific static IP,
  ## otherwise leave blank
  ##
  # loadBalancerIP:

## etcd data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
##   set, choosing the default provisioner.  (gp2 on AWS, standard on
##   GKE, AWS & OpenStack)
##
persistence:
  enabled: true
  # storageClass: "-"
  accessModes:
    - ReadWriteOnce
  size: 8Gi
  annotations: {}

## Node labels and tolerations for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
nodeSelector: {}
tolerations: []

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
#  limits:
#    cpu: 200m
#    memory: 1Gi
#  requests:
#    memory: 256Mi
#    cpu: 250m

## Configure extra options for liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
livenessProbe:
  enabled: false
  initialDelaySeconds: 10
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 2
  successThreshold: 1

readinessProbe:
  enabled: false
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 6
  successThreshold: 1

## Pod annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}

metrics:
  enabled: false
  podAnnotations:
    prometheus.io/scrape: 'true'
    prometheus.io/port: '2379'

etcd

etcd is a distributed key value store that provides a reliable way to store data across a cluster of machines.

TL;DR;

$ helm install bitnami/etcd

Introduction

This chart bootstraps an etcd deployment on a Kubernetes cluster using the Helm package manager.

Bitnami charts can be used with Kubeapps for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of Bitnami Kubernetes Production Runtime (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.

Prerequisites

  • Kubernetes 1.4+ with Beta APIs enabled
  • PV provisioner support in the underlying infrastructure

Installing the Chart

To install the chart with the release name my-release:

$ helm install --name my-release bitnami/etcd

The command deploys etcd on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

Tip: List all releases using helm list

Uninstalling the Chart

To uninstall/delete the my-release deployment:

$ helm delete my-release

The command removes all the Kubernetes components associated with the chart and deletes the release.

Configuration

The following table lists the configurable parameters of the etcd chart and their default values.

| Parameter | Description | Default |
|---|---|---|
| global.imageRegistry | Global Docker image registry | nil |
| global.imagePullSecrets | Global Docker registry secret names as an array | [] (does not add image pull secrets to deployed pods) |
| image.registry | etcd image registry | docker.io |
| image.repository | etcd Image name | bitnami/etcd |
| image.tag | etcd Image tag | {VERSION} |
| image.pullPolicy | etcd image pull policy | Always |
| image.pullSecrets | Specify docker-registry secret names as an array | [] (does not add image pull secrets to deployed pods) |
| image.debug | Specify if debug values should be set | false |
| statefulset.updateStrategy | Update strategy for the stateful set | RollingUpdate |
| statefulset.rollingUpdatePartition | Partition for Rolling Update strategy | nil |
| statefulset.podManagementPolicy | Pod management policy for the stateful set | OrderedReady |
| statefulset.replicaCount | Number of etcd nodes | 1 |
| configFileConfigMap | ConfigMap that contains a etcd.conf.yaml to be mounted | nil |
| envVarsConfigMap | ConfigMap that contains environment variables to be set in the container | nil |
| allowNoneAuthentication | Allow to use etcd without configuring RBAC authentication | true |
| auth.rbac.enabled | Switch to enable the etcd authentication. | true |
| auth.rbac.rootPassword | Password for the root user | nil |
| auth.rbac.existingSecret | Name of the existing secret containing the root password | nil |
| auth.client.secureTransport | Switch to encrypt client communication using TLS certificates | false |
| auth.client.useAutoTLS | Switch to automatically create the TLS certificates | false |
| auth.client.enableAuthentication | Switch to enable host authentication using TLS certificates. Requires existing secret. | secret |
| auth.client.existingSecret | Name of the existing secret containing cert files for client communication. | nil |
| auth.peer.secureTransport | Switch to encrypt peer communication using TLS certificates | false |
| auth.peer.useAutoTLS | Switch to automatically create the TLS certificates | false |
| auth.peer.enableAuthentication | Switch to enable host authentication using TLS certificates. Requires existing secret. | false |
| auth.peer.existingSecret | Name of the existing secret containing cert files for peer communication. | nil |
| securityContext.enabled | Enable security context | true |
| securityContext.fsGroup | Group ID for the container | 1001 |
| securityContext.runAsUser | User ID for the container | 1001 |
| service.dnsBase | Kubernetes service cluster dns base name | svc.cluster.local |
| service.type | Kubernetes Service type | ClusterIP |
| service.port | etcd client port | 2379 |
| service.nodePort | Port to bind to for NodePort service type (client port) | nil |
| service.peerPort | etcd peer port | 2380 |
| service.peerNodePort | Port to bind to for NodePort service type (peer port) | nil |
| service.annotations | Annotations for etcd service | {} |
| service.loadBalancerIP | loadBalancerIP if etcd service type is LoadBalancer | nil |
| persistence.enabled | Enable persistence using PVC | true |
| persistence.storageClass | PVC Storage Class for etcd volume | nil |
| persistence.accessMode | PVC Access Mode for etcd volume | ReadWriteOnce |
| persistence.size | PVC Storage Request for etcd volume | 8Gi |
| persistence.annotations | Annotations for the PVC | {} |
| affinity | Affinity and AntiAffinity rules for pod assignment | {} |
| nodeSelector | Node labels for pod assignment | {} |
| tolerations | Toleration labels for pod assignment | [] |
| resources | CPU/Memory resource requests/limits | Memory: 256Mi, CPU: 250m |
| livenessProbe.enabled | Turn on and off liveness probe | true |
| livenessProbe.initialDelaySeconds | Delay before liveness probe is initiated | 10 |
| livenessProbe.periodSeconds | How often to perform the probe | 10 |
| livenessProbe.timeoutSeconds | When the probe times out | 5 |
| livenessProbe.failureThreshold | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 2 |
| livenessProbe.successThreshold | Minimum consecutive successes for the probe to be considered successful after having failed | 1 |
| readinessProbe.enabled | Turn on and off readiness probe | true |
| readinessProbe.initialDelaySeconds | Delay before liveness probe is initiated | 5 |
| readinessProbe.periodSeconds | How often to perform the probe | 10 |
| readinessProbe.timeoutSeconds | When the probe times out | 5 |
| readinessProbe.failureThreshold | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
| readinessProbe.successThreshold | Minimum consecutive successes for the probe to be considered successful after having failed | 1 |
| podAnnotations | Annotations to be added to pods | {} |
| metrics.enabled | Enable prometheus to access etcd metrics endpoint | false |
| metrics.podAnnotations | Annotations for enabling prometheus to access the metrics endpoint | {prometheus.io/scrape: "true",prometheus.io/port: "2379"} |

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

$ helm install --name my-release \
  --set auth.rbac.rootPassword=secretpassword bitnami/etcd

The above command sets the etcd root user password to secretpassword.

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

$ helm install --name my-release -f values.yaml bitnami/etcd

Tip: You can use the default values.yaml

Using custom configuration

In order to use custom configuration parameters, two options are available:

  • Using environment variables: etcd allows setting environment variables that map to configuration settings. In order to set extra environment variables, use the envVarsConfigMap value to point to a ConfigMap that contains them. Example:
$ cat << EOF > /tmp/configurationEnvVars.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: etcd-env-vars
  namespace: default
data:
  ETCD_AUTO_COMPACTION_RETENTION: "0"
  ETCD_HEARTBEAT_INTERVAL: "150"
EOF

$ kubectl create -f /tmp/configurationEnvVars.yaml

$ helm install bitnami/etcd --set envVarsConfigMap=etcd-env-vars
  • Using a custom etcd.conf.yml: The etcd chart allows mounting a custom etcd.conf.yml file using the configFileConfigMap value. Example:
$ kubectl create configmap etcd-conf --from-file=etcd.conf.yml

$ helm install bitnami/etcd --set configFileConfigMap=etcd-conf

Production and horizontal scaling

The following repo contains the recommended production settings for etcd server in an alternative values file. Please read the comments in the values-production.yaml file carefully to set up your environment.

$ helm install --name my-release -f ./values-production.yaml bitnami/etcd

To horizontally scale this chart once it has been deployed:

$ kubectl scale statefulset my-etcd --replicas=5

Enable security for etcd

Configure RBAC

In order to enable Role-based access control for etcd you can run the following command:

$ helm install --name my-release --set auth.rbac.enabled=true --set auth.rbac.rootPassword=YOUR-PASSWORD bitnami/etcd

The previous command deploys etcd and creates a root user with its associated root role, which has access to everything. All other users use the guest role and won't have permissions to do anything.

Configure certificates for peer communication

In order to enable secure transport between peer nodes deploy the helm chart with these options:

$ helm install --name my-release --set auth.peer.secureTransport=true --set auth.peer.useAutoTLS=true bitnami/etcd

Configure certificates for client communication

In order to enable secure transport between client and server you have to create a secret containing the cert and key files and the CA used to sign those client certificates.

You can create that secret with this command:

$ kubectl create secret generic etcd-client-certs --from-file=ca.crt=path/to/ca.crt --from-file=cert.pem=path/to/cert.pem --from-file=key.pem=path/to/key.pem

Once the secret is created, you can deploy the helm chart with these options:

$ helm install --name my-release --set auth.client.secureTransport=true --set auth.client.enableAuthentication=true --set auth.client.existingSecret=etcd-client-certs bitnami/etcd

Ref: etcd security model

Ref: Generate self-signed certificates for etcd
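
The RBAC, peer and client steps above combined into one values file, with each setting annotated against the chart default it replaces. This is an added example, not part of the chart or its README: the file name values-hardened.yaml is an assumption, every key is one listed in the parameter table, and etcd-client-certs is the secret created with kubectl above.

```yaml
# values-hardened.yaml (hypothetical file name; added example, not shipped with the chart)
# Install with the root password passed on the command line so it is not stored in this file:
#   helm install --name my-release -f values-hardened.yaml \
#     --set auth.rbac.rootPassword=YOUR-PASSWORD bitnami/etcd

## Default is true, which allows etcd to be used without configuring RBAC authentication.
allowNoneAuthentication: false

auth:
  rbac:
    ## Creates the root user with the root role; all other users get the guest role.
    enabled: true

  client:
    ## Default is false: client communication on port 2379 is not encrypted.
    secureTransport: true
    ## Certificates come from the existing secret below, so auto TLS stays off.
    useAutoTLS: false
    ## Default is false: with true, clients must authenticate with a certificate
    ## signed by the CA stored as ca.crt in the secret.
    enableAuthentication: true
    ## Secret holding ca.crt, cert.pem and key.pem.
    existingSecret: etcd-client-certs

  peer:
    ## Default is false: peer communication on port 2380 is not encrypted.
    secureTransport: true
    ## Automatically created certificates, as in the peer command above.
    useAutoTLS: true
    ## Host authentication requires an existing secret, so it stays off with auto TLS.
    enableAuthentication: false

service:
  ## Chart default; a ClusterIP service is reachable only from inside the cluster.
  type: ClusterIP
```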

Persistence

The Bitnami etcd image stores the etcd data at the /bitnami/etcd path of the container.

Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. See the Configuration section to configure the PVC or to disable persistence.

Upgrading

To 1.0.0

Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments. Use the workaround below to upgrade from versions previous to 1.0.0. The following example assumes that the release name is etcd:

$ kubectl delete statefulset etcd --cascade=false