14 KiB
nplus-environment-operator
Installs the nplus operator managin the custom resource definitions for nplus and nscale
nplus-environment-operator Chart Configuration
You can customize / configure nplus-environment-operator by setting configuration values on the command line or in values files, that you can pass to helm. Please see the samples directory for details.
In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component.
Template Functions
You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, or escaped quotes).
Global Values
All values can be set per component, per instance or globally per environment.
Example: global.ingress.domain sets the domain on instance level. You can still set a different domain on a component, such as administrator.
In that case, simply set ingress.domain for the administrator chart and that setting will have priority:
- Prio 1 - Component Level:
ingress.domain - Prio 2 - Instance Level:
global.ingress.domain - Prio 3 - Environment Level:
global.environment.ingress.domain
Using Values in Templates
As it would be a lot of typing to write .Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domainin your
template code, this is automatically done by nplus. You can simply type .this.ingress.domain and you will get a condensed and defaulted version
of your Values.
So an example in your values.yaml would be:
administrator:
waitFor:
- '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600'
This example shows .this.nappl.port which might come from a component, instance or global setting. You do not need to care.
The .Release.Namespace is set by helm. You have access to all Release and Chart Metadata, just like in your chart code.
The .component.prefix is calculated by nplus and gives you some handy shortcuts to internal variables:
-
.component.chartNameThe name of the chart as in.Chart.Name, but with override by.Values.nameOverride -
.component.shortChartNameA shorter Version of the name -napplinstead ofnplus-component-nappl -
.component.prefixThe instance Prefix used to name the resources including-. This prefix is dropped, if the.Release.Nameequals.Release.Namespacefor those of you that only run one nplus Instance per namespace -
.component.nameThe name of the component, including.Values.nameOverrideand some logic -
.component.fullNameThe fullName inlcuding.Values.fullnameOverrideand some logic -
.component.chartMainly theChart.NameandChart.Version -
.component.storagePathThe path where the component config is stored in the conf PVC -
.component.handlerThe handler (either helm, argoCD or manual) -
.instance.nameThe name of the instance, but with override by.Values.instanceOverride -
.instance.groupThe group, this instance belongs to. Override by.Values.groupOverride -
.instance.versionThe nscale version (mostly taken from Application Layer), this instance is deploying. -
.environment.nameThe name of the environment, but with override by.Values.environmentNameOverride
Keys
You can set any of the following values for this component:
| Key | Description | Default |
|---|---|---|
| env | Sets additional environment variables for the configuration. | |
| envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | |
| envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | |
| fullnameOverride | This overrides the output of the internal fullname function | |
| image.name | the name of the image to use | "operator" |
| image.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | ["nscale-cr", "nplus-cr"] |
| image.repo | if you use a private repo, feel free to set it here | "cr.nplus.cloud/subscription" |
| image.tag | the tag of the image to use | "latest" |
| ingress.annotations | Adds extra Annotations to the ingress | |
| ingress.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | http https in zero trust mode |
| ingress.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | public |
| ingress.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | "/monitoring" |
| ingress.cookie | on component level, set cookie affinity for the ingress example: XtConLoadBalancerSession for nscale Web |
|
| ingress.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | |
| ingress.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | |
| ingress.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | true |
| ingress.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" |
| ingress.proxyReadTimeout | Sets the annotation nginx.ingress.kubernetes.io/proxy-read-timeout on the ingress object, if set. |
|
| ingress.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | {{ .this.ingress.domain }}-tls |
| ingress.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers | |
| meta.language | Sets the language of the main service (in the service container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | |
| meta.ports.http | The http port this component uses (if any). In zero trust mode, this will be disabled. this is a constant value of the component and should not be changed. |
info only, do not change8080 |
| meta.ports.https | The tls / https port, this component uses (if any) this is a constant value of the component and should not be changed. |
info only, do not change8443 |
| meta.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | |
| meta.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | |
| meta.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | |
| meta.tenant | sets tenant information to be able to invoice per use in a cloud environment | |
| meta.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be core, else pipeliner This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | "envoperator" |
| meta.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | |
| minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | |
| nameOverride | This overrides the output of the internal name function | |
| nodeSelector | select specific nodes for this component | |
| resources.limits.cpu | The maximum allowed CPU for the container | "1" |
| resources.limits.memory | The maximum allowed RAM for the container | "512Mi" |
| resources.requests.cpu | Set the share of guaranteed CPU to the container. | "1m" |
| resources.requests.memory | Set the share of guaranteed RAM to the container | "64Mi" |
| security.containerSecurityContext.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive you should not change this |
info only, do not changefalse |
| security.containerSecurityContext.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment you should not change this |
info only, do not changetrue |
| security.podSecurityContext.fsGroup | The file system group as which new files are created there is normally no need to change this |
info only, do not change1001 |
| security.podSecurityContext.fsGroupChangePolicy | Under which condition should the fsGroup be changed there is normally no need to change this |
info only, do not change"OnRootMismatch" |
| security.podSecurityContext.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security there is normally no need to change this |
info only, do not change1001 |
| security.zeroTrust | turns on Zero Trust Mode, disabling all http communication, even the internal http probes | false |
| service.annotations | adds extra Annotations to the service | |
| service.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | true |
| service.selector | The selector can be component or type component selects only pods that are in the replicaset. type selects any pod that has the given type |
"component" |
| telemetry.openTelemetry | turns Open Telemetry on | |
| telemetry.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | |
| terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | |
| timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | Europe/Berlin |
| tolerations | Set tolerations for this component | |
| ui | Enables the web ui, default under /monitoring | true |
| utils.debug | Turn debugging on will give you stack trace etc. Please check out the Chart Developer Guide | false |
| utils.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | false |
| utils.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | false |
| utils.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use helm template and store manifests for later applying them to multiple namespaces, you might want to turn this false to be able to use kubectl apply -n <namespace> -f template.yaml later |
true |
| utils.maintenance | in Maintenance Mode, all waitFor actions will be skipped, the Health Checks are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | false |
| utils.renderComments | You can turn Comment rendering on to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | true |