This is an automated email from the ASF dual-hosted git repository. hanahmily pushed a commit to branch auth in repository https://gitbox.apache.org/repos/asf/skywalking-banyandb-helm.git
commit cf962e31bd662f81aeff597cccd5f82cbb2324be Author: Gao Hongtao <hanahm...@gmail.com> AuthorDate: Thu Sep 11 01:07:17 2025 +0000 Add authentication support for BanyanDB - Introduced basic authentication configuration in `values.yaml` and `parameters.md`, allowing users to enable authentication and specify credentials. - Updated StatefulSet templates to mount the credentials file and pass the `--auth-config-file` argument to the BanyanDB containers. - Enhanced documentation in `README.md` and `NOTES.txt` to guide users on configuring authentication. - Updated E2E test configurations to include authentication parameters for testing. This change improves security by allowing users to manage access to BanyanDB instances. --- .github/workflows/e2e.ci.yaml | 4 +- CHANGES.md | 1 + README.md | 35 ++++++++ chart/templates/NOTES.txt | 15 ++++ chart/templates/{NOTES.txt => auth_secret.yaml} | 18 +++- chart/templates/cluster_liaison_statefulset.yaml | 56 ++++++++++-- chart/templates/standalone_statefulset.yaml | 56 +++++++++++- chart/values.yaml | 41 +++++++++ doc/parameters.md | 106 ++++++++++++----------- test/e2e/e2e-banyandb-cluster.yaml | 2 + test/e2e/e2e-banyandb-standalone.yaml | 2 + test/e2e/values.cluster.yaml | 10 ++- test/e2e/values.lifecycle.yaml | 2 +- test/e2e/values.standalone.yaml | 13 ++- 14 files changed, 292 insertions(+), 69 deletions(-) diff --git a/.github/workflows/e2e.ci.yaml b/.github/workflows/e2e.ci.yaml index e11bf3a..ea0fb9f 100644 --- a/.github/workflows/e2e.ci.yaml +++ b/.github/workflows/e2e.ci.yaml @@ -43,9 +43,9 @@ jobs: config: test/e2e/e2e-banyandb-lifecycle.yaml name: ${{ matrix.test.name }} env: - OAP_TAG: bf04afdb2a841c60d5e27f5a9fc62d0879a5600c + OAP_TAG: 79860ca5c76a77bbd93e76ce4861b24707dd5ee3 OAP_REPO: ghcr.io/apache/skywalking/oap - UI_TAG: bf04afdb2a841c60d5e27f5a9fc62d0879a5600c + UI_TAG: 79860ca5c76a77bbd93e76ce4861b24707dd5ee3 UI_REPO: ghcr.io/apache/skywalking/ui steps: - uses: actions/checkout@v2 
diff --git a/CHANGES.md b/CHANGES.md index 002e468..13f2543 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -17,6 +17,7 @@ Release Notes. - Enhance pod hostname configuration using headless services for improved service discovery and networking - Implement volume permissions init containers for proper file ownership and permissions on mounted volumes - Add the mount target for the trace mode +- Add `auth` to configure the basic credential file. #### Chores diff --git a/README.md b/README.md index 0274796..b918a54 100644 --- a/README.md +++ b/README.md 
@@ -90,6 +90,41 @@ $ helm install my-release \ > **Tip**: You can use the default [values.yaml](chart/values.yaml) +## Authentication + +Basic authentication can be enabled for liaison and standalone modes. When enabled, the chart mounts a credentials file and adds `--auth-config-file` to BanyanDB. + +- Enable auth and provide users (plaintext passwords): + +```yaml +auth: + enabled: true + users: + - username: admin + password: "changeme" +``` + +- Use an existing Secret (recommended for production). The Secret must contain a key `credentials.yaml` (configurable via `auth.credentialsFileKey`) whose value is the YAML content in the format required by BanyanDB ([docs](https://github.com/apache/skywalking-banyandb/blob/main/docs/operation/security.md#basic-authentication)): + +```yaml +auth: + enabled: true + existingSecret: my-banyandb-auth + credentialsFileKey: credentials.yaml +``` + +The Secret name defaults to `<release>-banyandb-auth` when auto-created. + +### Retrieve credentials after install + +If the chart created the Secret (no `auth.existingSecret`), you can decode it: + +```bash +kubectl get secret <release-name>-banyandb-auth -n <namespace> -o jsonpath='{.data.credentials\.yaml}' | base64 --decode +``` + +Adjust the key if you changed `auth.credentialsFileKey`. + ## Use external certificate authorities for TLS If you'd like to use external certificate authorities, such as Vault, corresponding annotations can be injected into [banyandb](./chart/templates/statefulset.yaml). diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt index 90d1748..dc20101 100644 --- a/chart/templates/NOTES.txt +++ b/chart/templates/NOTES.txt 
@@ -1,3 +1,18 @@ +{{- if .Values.auth.enabled }} +1. BanyanDB authentication is enabled. + + Credentials file is mounted into liaison/standalone and picked by `--auth-config-file`. + +{{- $useExisting := ne .Values.auth.existingSecret "" -}} +{{- $secretName := ternary .Values.auth.existingSecret (printf "%s-auth" (include "banyandb.fullname" .)) $useExisting -}} +{{- $key := .Values.auth.credentialsFileKey -}} + +2. To view the credentials YAML stored in the Secret: + + kubectl get secret {{ $secretName }} -n {{ .Release.Namespace }} -o jsonpath='{.data.{{- printf "%s" $key | replace "." "\\." -}}}' | base64 --decode | sed -e 's/^/ /' + + Note: adjust the key if you changed `auth.credentialsFileKey`. +{{- end }} {{/* Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with diff --git a/chart/templates/NOTES.txt b/chart/templates/auth_secret.yaml similarity index 59% copy from chart/templates/NOTES.txt copy to chart/templates/auth_secret.yaml index 90d1748..25342fe 100644 --- a/chart/templates/NOTES.txt +++ b/chart/templates/auth_secret.yaml @@ -13,4 +13,20 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -*/}} \ No newline at end of file +*/}} + +{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "banyandb.fullname" . }}-auth + labels: {{ include "banyandb.labels" . | nindent 4 }} +type: Opaque +data: + {{- $users := .Values.auth.users }} + {{- if not $users }} + {{- $users = list (dict "username" "admin" "password" (randAlphaNum 16)) }} + {{- end }} + {{- $cred := (dict "users" $users | toYaml | b64enc) }} + {{ .Values.auth.credentialsFileKey }}: "{{ $cred }}" +{{- end }} 
diff --git a/chart/templates/cluster_liaison_statefulset.yaml b/chart/templates/cluster_liaison_statefulset.yaml index 0c1ad4e..80f0c3b 100644 --- a/chart/templates/cluster_liaison_statefulset.yaml +++ b/chart/templates/cluster_liaison_statefulset.yaml @@ -45,7 +45,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} priorityClassName: {{ .Values.cluster.liaison.priorityClassName }} - {{- if and .Values.storage.liaison.enabled .Values.cluster.liaison.volumePermissions.enabled }} + {{- if or (and .Values.storage.liaison.enabled .Values.cluster.liaison.volumePermissions.enabled) .Values.auth.enabled }} initContainers: - name: volume-permissions image: {{ default "busybox:1.36" .Values.cluster.liaison.volumePermissions.image }} @@ -72,6 +72,29 @@ spec: name: {{ $claim.claimName }} {{- end }} {{- end }} + {{- if .Values.auth.enabled }} + - name: auth-config-prepare + image: busybox:1.36 + imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 0 + command: + - sh + - -c + - | + set -euo pipefail + cp "/var/run/banyandb-auth/{{ .Values.auth.credentialsFileKey }}" "/etc/banyandb/{{ .Values.auth.credentialsFileKey }}" + CHOWN_UID={{ default 1000 .Values.cluster.liaison.securityContext.runAsUser }} + CHOWN_GID={{ default 1000 .Values.cluster.liaison.securityContext.runAsGroup }} + chown ${CHOWN_UID}:${CHOWN_GID} "/etc/banyandb/{{ .Values.auth.credentialsFileKey }}" + chmod 0600 "/etc/banyandb/{{ .Values.auth.credentialsFileKey }}" + volumeMounts: + - mountPath: /var/run/banyandb-auth + name: banyandb-auth + readOnly: true + - mountPath: /etc/banyandb + name: banyandb-auth-writable + {{- end }} containers: - name: liaison {{- if eq .Values.cluster.ui.type "Embedded" }} 
@@ -125,11 +148,11 @@ spec: - name: BYDB_ETCD_PASSWORD value: {{ .Values.etcd.auth.rbac.rootPassword }} {{- end }} - {{- if .Values.etcd.auth.client.secureTransport }} + {{- if and .Values.cluster.liaison.tls .Values.cluster.liaison.tls.etcdSecretName .Values.etcd.auth.client.secureTransport }} - name: BYDB_ETCD_TLS_CA_FILE value: "/etc/tls/{{ .Values.cluster.liaison.tls.etcdSecretName }}/ca.crt" {{- end }} - {{- if .Values.etcd.auth.client.enableAuthentication }} + {{- if and .Values.cluster.liaison.tls .Values.cluster.liaison.tls.etcdSecretName .Values.etcd.auth.client.enableAuthentication }} - name: BYDB_ETCD_TLS_CERT_FILE value: "/etc/tls/{{ .Values.cluster.liaison.tls.etcdSecretName }}/tls.crt" - name: BYDB_ETCD_TLS_KEY_FILE @@ -147,6 +170,9 @@ spec: {{- end }} args: - liaison + {{- if .Values.auth.enabled }} + - --auth-config-file=/etc/banyandb/{{ .Values.auth.credentialsFileKey }} + {{- end }} ports: - containerPort: 17912 name: grpc @@ -216,7 +242,7 @@ spec: {{- end }} {{- end }} - {{- if or .Values.storage.liaison.enabled .Values.cluster.liaison.tls }} + {{- if or .Values.storage.liaison.enabled .Values.cluster.liaison.tls .Values.auth.enabled }} volumeMounts: {{- if .Values.storage.liaison.enabled }} {{- range $claim := .Values.storage.liaison.persistentVolumeClaims }} @@ -241,10 +267,15 @@ spec: name: {{ .Values.cluster.liaison.tls.httpSecretName }}-volume {{- end }} {{- end }} + {{- if .Values.auth.enabled }} + - mountPath: /etc/banyandb + name: banyandb-auth-writable + {{- end }} {{- end }} - {{- if .Values.cluster.liaison.tls }} + {{- if or .Values.cluster.liaison.tls .Values.auth.enabled }} volumes: + {{- if .Values.cluster.liaison.tls }} {{- if .Values.cluster.liaison.tls.grpcSecretName }} - name: {{ .Values.cluster.liaison.tls.grpcSecretName }}-volume secret: 
@@ -260,6 +291,21 @@ spec: secret: secretName: {{ .Values.cluster.liaison.tls.httpSecretName }} {{- end }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- $useExisting := ne .Values.auth.existingSecret "" }} + {{- $authSecret := ternary .Values.auth.existingSecret (printf "%s-auth" (include "banyandb.fullname" .)) $useExisting }} + - name: banyandb-auth + secret: + secretName: {{ $authSecret }} + defaultMode: 0600 + items: + - key: {{ .Values.auth.credentialsFileKey }} + path: {{ .Values.auth.credentialsFileKey }} + mode: 0600 + - name: banyandb-auth-writable + emptyDir: {} + {{- end }} {{- end }} {{- if .Values.cluster.liaison.tolerations }} diff --git a/chart/templates/standalone_statefulset.yaml b/chart/templates/standalone_statefulset.yaml index ebfcdb1..0864e43 100644 --- a/chart/templates/standalone_statefulset.yaml +++ b/chart/templates/standalone_statefulset.yaml @@ -43,8 +43,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} priorityClassName: {{ .Values.standalone.priorityClassName }} - {{- if and .Values.storage.standalone.enabled .Values.standalone.volumePermissions.enabled }} + {{- if or (and .Values.storage.standalone.enabled .Values.standalone.volumePermissions.enabled) .Values.auth.enabled }} initContainers: + {{- if and .Values.storage.standalone.enabled .Values.standalone.volumePermissions.enabled }} - name: volume-permissions image: {{ default "busybox:1.36" .Values.standalone.volumePermissions.image }} imagePullPolicy: IfNotPresent 
@@ -69,6 +70,30 @@ spec: - mountPath: /mnt/{{ $claim.claimName }} name: {{ $claim.claimName }} {{- end }} + {{- end }} + {{- if .Values.auth.enabled }} + - name: auth-config-prepare + image: busybox:1.36 + imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 0 + command: + - sh + - -c + - | + set -euo pipefail + cp "/var/run/banyandb-auth/{{ .Values.auth.credentialsFileKey }}" "/etc/banyandb/{{ .Values.auth.credentialsFileKey }}" + CHOWN_UID={{ default 1000 .Values.standalone.securityContext.runAsUser }} + CHOWN_GID={{ default 1000 .Values.standalone.securityContext.runAsGroup }} + chown ${CHOWN_UID}:${CHOWN_GID} "/etc/banyandb/{{ .Values.auth.credentialsFileKey }}" + chmod 0600 "/etc/banyandb/{{ .Values.auth.credentialsFileKey }}" + volumeMounts: + - mountPath: /var/run/banyandb-auth + name: banyandb-auth + readOnly: true + - mountPath: /etc/banyandb + name: banyandb-auth-writable + {{- end }} {{- end }} containers: - name: standalone @@ -105,6 +130,9 @@ spec: {{- end }} args: - standalone + {{- if .Values.auth.enabled }} + - --auth-config-file=/etc/banyandb/{{ .Values.auth.credentialsFileKey }} + {{- end }} ports: - containerPort: 17912 name: grpc @@ -172,7 +200,7 @@ spec: {{- end }} {{- end }} - {{- if or .Values.storage.standalone.enabled .Values.standalone.tls }} + {{- if or .Values.storage.standalone.enabled .Values.standalone.tls .Values.auth.enabled }} volumeMounts: {{- if .Values.storage.standalone.enabled }} {{- range $claim := .Values.storage.standalone.persistentVolumeClaims }} 
@@ -202,20 +230,40 @@ spec: name: {{ .Values.standalone.tls.httpSecretName }}-volume {{- end }} {{- end -}} + {{- if .Values.auth.enabled }} + - mountPath: /etc/banyandb + name: banyandb-auth-writable + {{- end }} {{- end }} - {{- if .Values.standalone.tls }} + {{- if or .Values.standalone.tls .Values.auth.enabled }} volumes: + {{- if .Values.standalone.tls }} {{- if .Values.standalone.tls.grpcSecretName }} - name: {{ .Values.standalone.tls.grpcSecretName }}-volume secret: secretName: {{ .Values.standalone.tls.grpcSecretName }} {{- end }} - {{- if and .Values.standalone.tls.httpSecretName (ne .Values.standalone.tls.httpSecretName .Values.standalone.tls.grpcSecretName) }} + {{- if and .Values.standalone.tls.httpSecretName (or (not .Values.standalone.tls.grpcSecretName) (ne .Values.standalone.tls.httpSecretName .Values.standalone.tls.grpcSecretName)) }} - name: {{ .Values.standalone.tls.httpSecretName }}-volume secret: secretName: {{ .Values.standalone.tls.httpSecretName }} {{- end }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- $useExisting := ne .Values.auth.existingSecret "" }} + {{- $authSecret := ternary .Values.auth.existingSecret (printf "%s-auth" (include "banyandb.fullname" .)) $useExisting }} + - name: banyandb-auth + secret: + secretName: {{ $authSecret }} + defaultMode: 0600 + items: + - key: {{ .Values.auth.credentialsFileKey }} + path: {{ .Values.auth.credentialsFileKey }} + mode: 0600 + - name: banyandb-auth-writable + emptyDir: {} + {{- end }} {{- end }} {{- if .Values.standalone.tolerations }} diff --git a/chart/values.yaml b/chart/values.yaml index 46249d2..8bce7d5 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
@@ -40,6 +40,40 @@ image: ## pullPolicy: IfNotPresent +## @section Authentication configuration for BanyanDB +## +auth: + ## @param auth.enabled Enable basic authentication (boolean) + ## Defaults to false. When enabled, the chart mounts a credentials file and + ## passes --auth-config-file to liaison/standalone. + ## + enabled: false + + ## @param auth.existingSecret Use an existing Secret for credentials + ## If set, the chart will NOT create a Secret and will mount this Secret + ## instead. The Secret must contain a key specified by auth.credentialsFileKey + ## whose value is the YAML-formatted credentials content. + ## + existingSecret: "" + + ## @param auth.credentialsFileKey Key name in the Secret that stores the + ## credentials YAML. This filename will also be used inside the pod via subPath. + ## + credentialsFileKey: "credentials.yaml" + + ## @param auth.users List of users to configure when not using existingSecret + ## Each user item must include plaintext fields: username, password. + ## If empty and auth.enabled=true, a default 'admin' user with a random + ## password will be generated. + ## Example: + ## users: + ## - username: admin + ## password: "changeme" + ## - username: viewer + ## password: "123456" + ## + users: [] + ## @section Configuration for standalone deployment ## standalone: @@ -55,6 +89,13 @@ standalone: ## @param standalone.containerSecurityContext Container-level security context ## e.g. { readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, runAsNonRoot: true } containerSecurityContext: {} + ## @param standalone.tls TLS configuration for the standalone pod + ## When set, provide optional secret names to mount TLS materials. + ## Example: + ## tls: + ## grpcSecretName: "my-grpc-tls" + ## httpSecretName: "my-http-tls" + tls: {} ## Volume permissions init container ## @param standalone.volumePermissions.enabled Enable volume permissions init container volumePermissions: 
diff --git a/doc/parameters.md b/doc/parameters.md index cabce51..b33c469 100644 --- a/doc/parameters.md +++ b/doc/parameters.md @@ -19,6 +19,15 @@ The content of this document describes the parameters that can be configured in | `image.tag` | Image tag/version (empty for latest) | `""` | | `image.pullPolicy` | Image pull policy (e.g. IfNotPresent) | `IfNotPresent` | +### Authentication configuration for BanyanDB + +| Name | Description | Value | +| ------------------------- | -------------------------------------------------------- | ------------------ | +| `auth.enabled` | Enable basic authentication (boolean) | `false` | +| `auth.existingSecret` | Use an existing Secret for credentials | `""` | +| `auth.credentialsFileKey` | Key name in the Secret that stores the | `credentials.yaml` | +| `auth.users` | List of users to configure when not using existingSecret | `[]` | + ### Configuration for standalone deployment | Name | Description | Value | @@ -27,6 +36,7 @@ The content of this document describes the parameters that can be configured in | `standalone.podAnnotations` | Additional pod annotations | `{}` | | `standalone.securityContext` | Security context for the pod | `{}` | | `standalone.containerSecurityContext` | Container-level security context | `{}` | +| `standalone.tls` | TLS configuration for the standalone pod | `{}` | | `standalone.volumePermissions.enabled` | Enable volume permissions init container | `false` | | `standalone.volumePermissions.chownUser` | User ID to chown the mounted volumes | `1000` | | `standalone.volumePermissions.chownGroup` | Group ID to chown the mounted volumes | `1000` | 
@@ -242,58 +252,50 @@ The content of this document describes the parameters that can be configured in ### Storage configuration for persistent volumes -| Name | Description | Value | -| ----------------------------------------------------------- | ------------------------------------------------------- | --------------------------------- | -| `storage.data.enabled` | Enable persistent storage for data nodes (boolean) | `true` | -| `storage.data.persistentVolumeClaims` | List of PVC configurations for data nodes | | -| `storage.data.persistentVolumeClaims[0].mountTargets` | Mount targets for the PVC | `["measure"]` | -| `storage.data.persistentVolumeClaims[0].nodeRole` | Node role this PVC is bound to (hot, warm, cold) | `hot` | -| `storage.data.persistentVolumeClaims[0].existingClaimName` | Existing PVC name (if any) | `nil` | -| `storage.data.persistentVolumeClaims[0].claimName` | Name of the PVC | `hot-measure-data` | -| `storage.data.persistentVolumeClaims[0].size` | Size of the PVC | `50Gi` | -| `storage.data.persistentVolumeClaims[0].accessModes` | Access modes for the PVC | `["ReadWriteOnce"]` | -| `storage.data.persistentVolumeClaims[0].storageClass` | Storage class for the PVC | `nil` | -| `storage.data.persistentVolumeClaims[0].volumeMode` | Volume mode for the PVC | `Filesystem` | -| `storage.data.persistentVolumeClaims[1].mountTargets` | Mount targets for the PVC | `["stream"]` | -| `storage.data.persistentVolumeClaims[1].nodeRole` | Node role this PVC is bound to | `hot` | -| `storage.data.persistentVolumeClaims[1].existingClaimName` | Existing PVC name (if any) | `nil` | -| `storage.data.persistentVolumeClaims[1].claimName` | Name of the PVC | `hot-stream-data` | -| `storage.data.persistentVolumeClaims[1].size` | Size of the PVC | `50Gi` | -| `storage.data.persistentVolumeClaims[1].accessModes` | Access modes for the PVC | `["ReadWriteOnce"]` | -| `storage.data.persistentVolumeClaims[1].storageClass` | Storage class for the PVC | `nil` | -| 
`storage.data.persistentVolumeClaims[1].volumeMode` | Volume mode for the PVC | `Filesystem` | -| `storage.data.persistentVolumeClaims[2].mountTargets` | Mount targets for the PVC | `["property"]` | -| `storage.data.persistentVolumeClaims[2].nodeRole` | Node role this PVC is bound to | `hot` | -| `storage.data.persistentVolumeClaims[2].existingClaimName` | Existing PVC name (if any) | `nil` | -| `storage.data.persistentVolumeClaims[2].claimName` | Name of the PVC | `hot-property-data` | -| `storage.data.persistentVolumeClaims[2].size` | Size of the PVC | `5Gi` | -| `storage.data.persistentVolumeClaims[2].accessModes` | Access modes for the PVC | `["ReadWriteOnce"]` | -| `storage.data.persistentVolumeClaims[2].storageClass` | Storage class for the PVC | `nil` | -| `storage.data.persistentVolumeClaims[2].volumeMode` | Volume mode for the PVC | `Filesystem` | -| `storage.data.persistentVolumeClaims[3].mountTargets` | Mount targets for the PVC | `["trace"]` | -| `storage.data.persistentVolumeClaims[3].nodeRole` | Node role this PVC is bound to | `hot` | -| `storage.data.persistentVolumeClaims[3].existingClaimName` | Existing PVC name (if any) | `nil` | -| `storage.data.persistentVolumeClaims[3].claimName` | Name of the PVC | `hot-trace-data` | -| `storage.data.persistentVolumeClaims[3].size` | Size of the PVC | `50Gi` | -| `storage.data.persistentVolumeClaims[3].accessModes` | Access modes for the PVC | `["ReadWriteOnce"]` | -| `storage.data.persistentVolumeClaims[3].storageClass` | Storage class for the PVC | `nil` | -| `storage.data.persistentVolumeClaims[3].volumeMode` | Volume mode for the PVC | `Filesystem` | -| `storage.liaison.enabled` | Enable persistent storage for liaison nodes (boolean) | `true` | -| `storage.liaison.persistentVolumeClaims` | List of PVC configurations for liaison nodes | | -| `storage.liaison.persistentVolumeClaims[0].mountTargets` | Mount targets for the PVC | `["measure","stream","trace"]` | -| 
`storage.liaison.persistentVolumeClaims[0].claimName` | Name of the PVC | `liaison-data` | -| `storage.liaison.persistentVolumeClaims[0].size` | Size of the PVC | `10Gi` | -| `storage.liaison.persistentVolumeClaims[0].accessModes` | Access modes for the PVC | `["ReadWriteOnce"]` | -| `storage.liaison.persistentVolumeClaims[0].storageClass` | Storage class for the PVC | `nil` | -| `storage.liaison.persistentVolumeClaims[0].volumeMode` | Volume mode for the PVC | `Filesystem` | -| `storage.standalone.enabled` | Enable persistent storage for standalone mode (boolean) | `false` | -| `storage.standalone.persistentVolumeClaims` | List of PVC configurations for standalone | | -| `storage.standalone.persistentVolumeClaims[0].mountTargets` | Mount targets for the PVC | `["measure","stream","property","trace"]` | -| `storage.standalone.persistentVolumeClaims[0].claimName` | Name of the PVC | `standalone-data` | -| `storage.standalone.persistentVolumeClaims[0].size` | Size of the PVC | `200Gi` | -| `storage.standalone.persistentVolumeClaims[0].accessModes` | Access modes for the PVC | `["ReadWriteOnce"]` | -| `storage.standalone.persistentVolumeClaims[0].storageClass` | Storage class for the PVC | `nil` | -| `storage.standalone.persistentVolumeClaims[0].volumeMode` | Volume mode for the PVC | `Filesystem` | +| Name | Description | Value | +| ----------------------------------------------------------- | ------------------------------------------------------- | -------------------------------------------- | +| `storage.data.enabled` | Enable persistent storage for data nodes (boolean) | `true` | +| `storage.data.persistentVolumeClaims` | List of PVC configurations for data nodes | | +| `storage.data.persistentVolumeClaims[0].mountTargets` | Mount targets for the PVC | `["measure"]` | +| `storage.data.persistentVolumeClaims[0].nodeRole` | Node role this PVC is bound to (hot, warm, cold) | `hot` | +| `storage.data.persistentVolumeClaims[0].existingClaimName` | Existing PVC name 
(if any) | `nil` | +| `storage.data.persistentVolumeClaims[0].claimName` | Name of the PVC | `hot-measure-data` | +| `storage.data.persistentVolumeClaims[0].size` | Size of the PVC | `50Gi` | +| `storage.data.persistentVolumeClaims[0].accessModes` | Access modes for the PVC | `["ReadWriteOnce"]` | +| `storage.data.persistentVolumeClaims[0].storageClass` | Storage class for the PVC | `nil` | +| `storage.data.persistentVolumeClaims[0].volumeMode` | Volume mode for the PVC | `Filesystem` | +| `storage.data.persistentVolumeClaims[1].mountTargets` | Mount targets for the PVC | `["stream"]` | +| `storage.data.persistentVolumeClaims[1].nodeRole` | Node role this PVC is bound to | `hot` | +| `storage.data.persistentVolumeClaims[1].existingClaimName` | Existing PVC name (if any) | `nil` | +| `storage.data.persistentVolumeClaims[1].claimName` | Name of the PVC | `hot-stream-data` | +| `storage.data.persistentVolumeClaims[1].size` | Size of the PVC | `50Gi` | +| `storage.data.persistentVolumeClaims[1].accessModes` | Access modes for the PVC | `["ReadWriteOnce"]` | +| `storage.data.persistentVolumeClaims[1].storageClass` | Storage class for the PVC | `nil` | +| `storage.data.persistentVolumeClaims[1].volumeMode` | Volume mode for the PVC | `Filesystem` | +| `storage.data.persistentVolumeClaims[2].mountTargets` | Mount targets for the PVC | `["property"]` | +| `storage.data.persistentVolumeClaims[2].nodeRole` | Node role this PVC is bound to | `hot` | +| `storage.data.persistentVolumeClaims[2].existingClaimName` | Existing PVC name (if any) | `nil` | +| `storage.data.persistentVolumeClaims[2].claimName` | Name of the PVC | `hot-property-data` | +| `storage.data.persistentVolumeClaims[2].size` | Size of the PVC | `5Gi` | +| `storage.data.persistentVolumeClaims[2].accessModes` | Access modes for the PVC | `["ReadWriteOnce"]` | +| `storage.data.persistentVolumeClaims[2].storageClass` | Storage class for the PVC | `nil` | +| `storage.data.persistentVolumeClaims[2].volumeMode` | 
Volume mode for the PVC | `Filesystem` | +| `storage.liaison.enabled` | Enable persistent storage for liaison nodes (boolean) | `true` | +| `storage.liaison.persistentVolumeClaims` | List of PVC configurations for liaison nodes | | +| `storage.liaison.persistentVolumeClaims[0].mountTargets` | Mount targets for the PVC | `["measure","stream"]` | +| `storage.liaison.persistentVolumeClaims[0].claimName` | Name of the PVC | `liaison-data` | +| `storage.liaison.persistentVolumeClaims[0].size` | Size of the PVC | `10Gi` | +| `storage.liaison.persistentVolumeClaims[0].accessModes` | Access modes for the PVC | `["ReadWriteOnce"]` | +| `storage.liaison.persistentVolumeClaims[0].storageClass` | Storage class for the PVC | `nil` | +| `storage.liaison.persistentVolumeClaims[0].volumeMode` | Volume mode for the PVC | `Filesystem` | +| `storage.standalone.enabled` | Enable persistent storage for standalone mode (boolean) | `false` | +| `storage.standalone.persistentVolumeClaims` | List of PVC configurations for standalone | | +| `storage.standalone.persistentVolumeClaims[0].mountTargets` | Mount targets for the PVC | `["measure","stream","metadata","property"]` | +| `storage.standalone.persistentVolumeClaims[0].claimName` | Name of the PVC | `standalone-data` | +| `storage.standalone.persistentVolumeClaims[0].size` | Size of the PVC | `200Gi` | +| `storage.standalone.persistentVolumeClaims[0].accessModes` | Access modes for the PVC | `["ReadWriteOnce"]` | +| `storage.standalone.persistentVolumeClaims[0].storageClass` | Storage class for the PVC | `nil` | +| `storage.standalone.persistentVolumeClaims[0].volumeMode` | Volume mode for the PVC | `Filesystem` | ### Service account configuration diff --git a/test/e2e/e2e-banyandb-cluster.yaml b/test/e2e/e2e-banyandb-cluster.yaml index d84b8ed..73c743a 100644 --- a/test/e2e/e2e-banyandb-cluster.yaml +++ b/test/e2e/e2e-banyandb-cluster.yaml 
@@ -62,6 +62,8 @@ setup: --set oap.env.SW_ENVOY_METRIC_ALS_HTTP_ANALYSIS=k8s-mesh \ --set oap.env.SW_ENVOY_METRIC_ALS_TCP_ANALYSIS=k8s-mesh \ --set oap.env.K8S_SERVICE_NAME_RULE='e2e::${service.metadata.name}' \ + --set oap.env.SW_STORAGE_BANYANDB_USER=admin \ + --set oap.env.SW_STORAGE_BANYANDB_PASSWORD=banyandb \ --set oap.replicas=1 \ --set ui.image.repository=$UI_REPO \ --set ui.image.tag=$UI_TAG \ diff --git a/test/e2e/e2e-banyandb-standalone.yaml b/test/e2e/e2e-banyandb-standalone.yaml index 3cce8e5..8788128 100644 --- a/test/e2e/e2e-banyandb-standalone.yaml +++ b/test/e2e/e2e-banyandb-standalone.yaml @@ -62,6 +62,8 @@ setup: --set oap.env.SW_ENVOY_METRIC_ALS_HTTP_ANALYSIS=k8s-mesh \ --set oap.env.SW_ENVOY_METRIC_ALS_TCP_ANALYSIS=k8s-mesh \ --set oap.env.K8S_SERVICE_NAME_RULE='e2e::${service.metadata.name}' \ + --set oap.env.SW_STORAGE_BANYANDB_USER=admin \ + --set oap.env.SW_STORAGE_BANYANDB_PASSWORD=banyandb \ --set oap.replicas=1 \ --set ui.image.repository=$UI_REPO \ --set ui.image.tag=$UI_TAG \ diff --git a/test/e2e/values.cluster.yaml b/test/e2e/values.cluster.yaml index 9cec173..1fe46d1 100644 --- a/test/e2e/values.cluster.yaml +++ b/test/e2e/values.cluster.yaml @@ -19,7 +19,7 @@ image: repository: ghcr.io/apache/skywalking-banyandb - tag: 7e5b2d0404e8ad6d5835eee6fe589a2544d0decb + tag: 46083529398b73504e9ca929ef367cd1776aef82 pullPolicy: IfNotPresent cluster: @@ -479,3 +479,11 @@ etcd: fullnameOverride: "" nameOverride: "banyandb" + +auth: + enabled: true + existingSecret: "" + credentialsFileKey: "credentials.yaml" + users: + - username: admin + password: banyandb diff --git a/test/e2e/values.lifecycle.yaml b/test/e2e/values.lifecycle.yaml index fde97e6..c547c6a 100644 --- a/test/e2e/values.lifecycle.yaml +++ b/test/e2e/values.lifecycle.yaml @@ -19,7 +19,7 @@ image: repository: ghcr.io/apache/skywalking-banyandb - tag: 7e5b2d0404e8ad6d5835eee6fe589a2544d0decb + tag: 46083529398b73504e9ca929ef367cd1776aef82 pullPolicy: IfNotPresent cluster: 
diff --git a/test/e2e/values.standalone.yaml b/test/e2e/values.standalone.yaml index ff0a310..0839a30 100644 --- a/test/e2e/values.standalone.yaml +++ b/test/e2e/values.standalone.yaml @@ -25,7 +25,7 @@ etcd: image: repository: ghcr.io/apache/skywalking-banyandb - tag: 7e5b2d0404e8ad6d5835eee6fe589a2544d0decb + tag: 46083529398b73504e9ca929ef367cd1776aef82 pullPolicy: IfNotPresent standalone: @@ -90,8 +90,7 @@ standalone: # - key: memory # value: "512Mi" # tls: - # grpcSecretName: "" - # httpSecretName: "" + tls: {} livenessProbe: initialDelaySeconds: 20 periodSeconds: 5 @@ -196,3 +195,11 @@ serviceAccount: fullnameOverride: "" nameOverride: "banyandb" + +auth: + enabled: true + existingSecret: "" + credentialsFileKey: "credentials.yaml" + users: + - username: admin + password: banyandb
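Review bot: In `chart/templates/auth_secret.yaml`, the fallback `randAlphaNum 16` is evaluated again on every render, so each `helm upgrade` with an empty `auth.users` writes a different admin password into the Secret. Running pods keep the copy their init container made at start, and any client configured with the first password stops matching after the next restart. Consider reading the existing Secret with `lookup` and reusing its value when it is present, generating only on first install.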
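Review bot: In the `chart/templates/NOTES.txt` hunk, the three assignment actions are written as `{{- ... -}}`, which trims whitespace on both sides, so the blank lines around them disappear and the rendered text runs "picked by `--auth-config-file`." straight into "2. To view the credentials". Drop the right-hand trim on the last assignment (or the left-hand trim on the first) so step 2 starts on its own line. The new block is also placed above the license comment, which is unusual for this file; moving it below `*/}}` keeps the header first.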
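Review bot: In the first hunk of `chart/templates/cluster_liaison_statefulset.yaml`, the outer condition now also fires on `.Values.auth.enabled`, but no inner guard is added around `- name: volume-permissions`, unlike the standalone template where this commit wraps it in `{{- if and .Values.storage.standalone.enabled .Values.standalone.volumePermissions.enabled }}`. As far as the visible lines show, enabling auth on a liaison with `volumePermissions.enabled: false` would still render the volume-permissions init container. Add the same inner `if and ... end` pair here.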
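Review bot: The `auth-config-prepare` init container added in both StatefulSet templates sets `runAsUser: 0` and hard-codes `image: busybox:1.36`. A pod-level `runAsNonRoot: true` or a restricted Pod Security admission policy will reject it, and the image cannot be redirected to a private registry the way `volumePermissions.image` can. The chown target also falls back to `1000` when `securityContext.runAsUser` is unset, which leaves the `0600` file unreadable if the BanyanDB image runs as a different UID. Consider mounting the Secret directly and letting `fsGroup` with a group-readable mode handle ownership, or at least expose the image and UID/GID as values.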
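Review bot: In the liaison env hunk (`@@ -125,11 +148,11 @@`), the new guards on `BYDB_ETCD_TLS_CA_FILE` and `BYDB_ETCD_TLS_CERT_FILE` silently drop the variables when `etcd.auth.client.secureTransport` or `enableAuthentication` is true but `cluster.liaison.tls.etcdSecretName` is missing. That turns a misconfiguration into a liaison that starts without the CA or client certificate it was asked to use. Prefer failing the render in that combination, for example with `required` on `etcdSecretName`, instead of omitting the env entries.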
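Review bot: In the `volumes:` hunks of both StatefulSet templates, `banyandb-auth-writable` is declared as `emptyDir: {}`, so the plaintext credentials copy is written to node-backed storage; `emptyDir: { medium: Memory }` keeps it in tmpfs. The same hunks decide between the two Secret names with `ne .Values.auth.existingSecret ""`, while `auth_secret.yaml` uses `not .Values.auth.existingSecret`; the two disagree when the value is null rather than an empty string, so use one test (ideally a shared named template) in all three places and in `NOTES.txt`.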
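Review bot: In the `chart/values.yaml` hunk, the comment on `auth.credentialsFileKey` says the filename is used "inside the pod via subPath", but the templates in this commit use `items`/`path` on the Secret volume and a copy into an `emptyDir`, with no `subPath`. The `@param` description is also wrapped across two comment lines, which is why the generated row in `doc/parameters.md` reads "Key name in the Secret that stores the" and stops. Put the full description on the `@param` line and correct the subPath wording. It would also help to state here that `auth.users` passwords end up in the Helm release values, since the README recommends `existingSecret` for production.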
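Review bot: The second `doc/parameters.md` hunk (`@@ -242,58 +252,50 @@`) is unrelated to authentication: it removes the `storage.data.persistentVolumeClaims[3]` trace rows and changes the documented `mountTargets` defaults for liaison and standalone, dropping `"trace"` and adding `"metadata"`. `chart/values.yaml` in this commit does not touch the storage section, and the `CHANGES.md` context still lists "Add the mount target for the trace mode", so the regenerated table looks out of sync with the chart defaults. Please regenerate the document from the current `values.yaml` or split this table change into its own commit with an explanation.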