├── CNAME ├── charts └── lakefs │ ├── ci │ ├── empty-values.yaml │ ├── s3-fallback-values.yaml │ └── secret-values.yaml │ ├── templates │ ├── additional-resources.yaml │ ├── configmap.yaml │ ├── mds │ │ ├── configmap.yaml │ │ ├── service.yaml │ │ ├── _mds.tpl │ │ └── deployment.yaml │ ├── serviceaccount.yaml │ ├── _gcp_proxy_container.tpl │ ├── service.yaml │ ├── _proxy_container.tpl │ ├── dev-postgresql.yaml │ ├── NOTES.txt │ ├── secret.yaml │ ├── ingress.yaml │ ├── _helpers.tpl │ ├── deployment.yaml │ └── _env.tpl │ ├── Chart.yaml │ ├── .helmignore │ ├── values.yaml │ └── README.md ├── artifacthub-repo.yml ├── README.md ├── examples └── lakefs │ └── enterprise │ ├── external-enterprise.yaml │ ├── external-fluffy.yaml │ ├── ldap-enterprise.yaml │ ├── ldap-fluffy.yaml │ ├── oidc-enterprise.yaml │ ├── oidc-fluffy.yaml │ ├── saml-enterprise.yaml │ └── saml-fluffy.yaml ├── .github └── workflows │ └── release.yml ├── CHANGELOG.md └── LICENSE /CNAME: -------------------------------------------------------------------------------- 1 | charts.lakefs.io -------------------------------------------------------------------------------- /charts/lakefs/ci/empty-values.yaml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /charts/lakefs/ci/s3-fallback-values.yaml: -------------------------------------------------------------------------------- 1 | s3Fallback: 2 | enabled: true 3 | -------------------------------------------------------------------------------- /artifacthub-repo.yml: -------------------------------------------------------------------------------- 1 | repositoryID: lakefs 2 | owners: 3 | - name: treeverse 4 | email: support@treeverse.io 5 | -------------------------------------------------------------------------------- /charts/lakefs/templates/additional-resources.yaml: 
-------------------------------------------------------------------------------- 1 | {{- range .Values.extraManifests }} 2 | --- 3 | {{ tpl (toYaml .) $ }} 4 | {{- end }} 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /charts/lakefs/ci/secret-values.yaml: -------------------------------------------------------------------------------- 1 | secrets: 2 | databaseConnectionString: postgres://postgres:password@localhost:5432/postgres?sslmode=disable 3 | authEncryptSecretKey: abcdefghi 4 | -------------------------------------------------------------------------------- /charts/lakefs/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ include "lakefs.fullname" . }} 5 | {{- with .Values.lakefsConfig }} 6 | data: 7 | config.yaml: 8 | {{- toYaml . | nindent 2 }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/lakefs/templates/mds/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.mds.enabled }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ include "mds.fullname" . }}-config 6 | labels: 7 | {{- include "mds.labels" . | nindent 4 }} 8 | {{- with .Values.mds.config }} 9 | data: 10 | config.yaml: | 11 | {{ toYaml . | indent 4 }} 12 | {{- end }} 13 | {{- end }} -------------------------------------------------------------------------------- /charts/lakefs/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "lakefs.labels" . | nindent 4 }} 7 | {{- with .Values.serviceAccount.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | name: {{ default (include "lakefs.fullname" .) .Values.serviceAccount.name }} 12 | {{- end }} -------------------------------------------------------------------------------- /charts/lakefs/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: lakefs 3 | description: A Helm chart for running LakeFS on Kubernetes 4 | type: application 5 | version: 1.7.12 6 | appVersion: 1.73.0 7 | 8 | home: https://lakefs.io 9 | icon: https://lakefs.io/wp-content/uploads/2020/07/lake-fs-color-2.svg 10 | sources: 11 | - https://github.com/treeverse/lakeFS 12 | maintainers: 13 | - name: treeverse 14 | email: services@treeverse.io 15 | -------------------------------------------------------------------------------- /charts/lakefs/templates/mds/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.mds.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "mds.fullname" . }} 6 | labels: 7 | {{- include "mds.labels" . | nindent 4 }} 8 | spec: 9 | type: ClusterIP 10 | ports: 11 | - port: 8000 12 | targetPort: http 13 | protocol: TCP 14 | name: http 15 | selector: 16 | {{- include "mds.selectorLabels" . | nindent 4 }} 17 | {{- end }} -------------------------------------------------------------------------------- /charts/lakefs/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Treeverse Helm Charts Registry 2 | 3 | This repository serves as a collection of Helm Charts, including those used by various projects under Treeverse. 4 | 5 | - [lakeFS](https://github.com/treeverse/charts/tree/master/charts/lakefs) 6 | 7 | When preparing for a release, please update the CHANGELOG.md file with the detailed list of changes made since the last version. 8 | 9 | After the chart is released, please update the release notes with the changes from the CHANGELOG.md file. 10 | -------------------------------------------------------------------------------- /charts/lakefs/templates/_gcp_proxy_container.tpl: -------------------------------------------------------------------------------- 1 | {{- define "lakefs.gcpProxyContainer" }} 2 | {{- if .Values.lakefsConfig }} 3 | {{ $config := .Values.lakefsConfig | fromYaml }} 4 | {{- end }} 5 | {{- if .Values.gcpFallback.enabled }} 6 | - name: gcp-proxy 7 | image: eu.gcr.io/cloudsql-docker/gce-proxy:1.33.4 8 | imagePullPolicy: IfNotPresent 9 | command: 10 | - /cloud_sql_proxy 11 | - -term_timeout=10s 12 | env: 13 | {{- if .Values.gcpFallback.instance }} 14 | - name: INSTANCES 15 | value: {{ .Values.gcpFallback.instance }} 16 | {{- end }} 17 | {{- end }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /examples/lakefs/enterprise/external-enterprise.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | ingressClassName: 4 | hosts: 5 | # the 
ingress that will be created for lakeFS 6 | - host: 7 | paths: 8 | - / 9 | 10 | 11 | 12 | lakefsConfig: | 13 | auth: 14 | external_aws_auth: 15 | enabled: true 16 | # the maximum age in seconds for the GetCallerIdentity request 17 | #get_caller_identity_max_age: 60 18 | # headers that must be present by the client when doing login request 19 | required_headers: 20 | # same host as the lakeFS server ingress 21 | X-LakeFS-Server-ID: 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /charts/lakefs/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "lakefs.fullname" . }} 5 | labels: 6 | {{- include "lakefs.labels" . | nindent 4 }} 7 | annotations: 8 | {{- toYaml .Values.service.annotations | nindent 4 }} 9 | spec: 10 | type: {{ .Values.service.type }} 11 | ports: 12 | - port: {{ .Values.service.port }} 13 | targetPort: http 14 | {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePort)) }} 15 | nodePort: {{ .Values.service.nodePort }} 16 | {{- end }} 17 | protocol: TCP 18 | name: http 19 | selector: 20 | {{- include "lakefs.selectorLabels" . 
| nindent 4 }} 21 | -------------------------------------------------------------------------------- /charts/lakefs/templates/_proxy_container.tpl: -------------------------------------------------------------------------------- 1 | {{- define "lakefs.s3proxyContainer" }} 2 | {{- if .Values.lakefsConfig }} 3 | {{ $config := .Values.lakefsConfig | fromYaml }} 4 | {{- end }} 5 | {{- if .Values.s3Fallback.enabled }} 6 | - name: s3proxy 7 | image: andrewgaul/s3proxy 8 | ports: 9 | - containerPort: 7001 10 | env: 11 | - name: S3PROXY_AUTHORIZATION 12 | value: none 13 | {{- if .Values.s3Fallback.aws_access_key }} 14 | - name: JCLOUDS_IDENTITY 15 | value: {{ .Values.s3Fallback.aws_access_key }} 16 | - name: JCLOUDS_CREDENTIAL 17 | value: {{ .Values.s3Fallback.aws_secret_key }} 18 | {{- end }} 19 | - name: JCLOUDS_PROVIDER 20 | value: s3 21 | - name: JCLOUDS_ENDPOINT 22 | value: https://s3.amazonaws.com 23 | - name: S3PROXY_ENDPOINT 24 | value: "http://0.0.0.0:7001" 25 | - name: S3PROXY_VIRTUALHOST 26 | value: localhost 27 | - name: LOG_LEVEL 28 | value: {{ .Values.s3Fallback.log_level | default "info" }} 29 | {{- end }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /charts/lakefs/templates/dev-postgresql.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.useDevPostgres }} 2 | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: postgres 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: postgres-lakefs 12 | template: 13 | metadata: 14 | labels: 15 | app: postgres-lakefs 16 | spec: 17 | containers: 18 | - name: postgres 19 | image: postgres:11 20 | imagePullPolicy: "IfNotPresent" 21 | ports: 22 | - containerPort: 5432 23 | env: 24 | - name: POSTGRES_DB 25 | value: postgres 26 | - name: POSTGRES_USER 27 | value: lakefs 28 | - name: POSTGRES_PASSWORD 29 | value: lakefs 30 | --- 31 | apiVersion: v1 32 | kind: Service 33 | metadata: 34 
| name: postgres-server 35 | labels: 36 | app: postgres-lakefs 37 | spec: 38 | type: ClusterIP 39 | ports: 40 | - port: 5432 41 | selector: 42 | app: postgres-lakefs 43 | 44 | {{- end}} 45 | -------------------------------------------------------------------------------- /examples/lakefs/enterprise/external-fluffy.yaml: -------------------------------------------------------------------------------- 1 | lakefsConfig: | 2 | auth: 3 | authentication_api: 4 | external_principals_enabled: true 5 | ingress: 6 | enabled: true 7 | ingressClassName: 8 | hosts: 9 | # the ingress that will be created for lakeFS 10 | - host: 11 | paths: 12 | - / 13 | 14 | fluffy: 15 | enabled: true 16 | image: 17 | repository: treeverse/fluffy 18 | pullPolicy: IfNotPresent 19 | privateRegistry: 20 | enabled: true 21 | secretToken: 22 | fluffyConfig: | 23 | auth: 24 | external: 25 | aws_auth: 26 | enabled: true 27 | # the maximum age in seconds for the GetCallerIdentity request 28 | #get_caller_identity_max_age: 60 29 | # headers that must be present by the client when doing login request 30 | required_headers: 31 | # same host as the lakeFS server ingress 32 | X-LakeFS-Server-ID: 33 | secrets: 34 | create: true 35 | sso: 36 | enabled: true 37 | rbac: 38 | enabled: true 39 | 40 | 41 | 42 | -------------------------------------------------------------------------------- /examples/lakefs/enterprise/ldap-enterprise.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | ingressClassName: 4 | hosts: 5 | # the ingress that will be created for lakeFS 6 | - host: 7 | paths: 8 | - / 9 | 10 | enterprise: 11 | enabled: true 12 | auth: 13 | ldap: 14 | enabled: true 15 | bindPassword: 16 | 17 | image: 18 | privateRegistry: 19 | enabled: true 20 | secretToken: 21 | 22 | lakefsConfig: | 23 | blockstore: 24 | type: local 25 | features: 26 | local_rbac: true 27 | auth: 28 | ui_config: 29 | login_cookie_names: 30 | - internal_auth_session 31 | 
providers: 32 | ldap: 33 | server_endpoint: ldaps://ldap.company.com:636 34 | bind_dn: uid=,ou=Users,o=,dc=,dc=com 35 | username_attribute: uid 36 | user_base_dn: ou=Users,o=,dc=,dc=com 37 | user_filter: (objectClass=inetOrgPerson) 38 | default_user_group: "Developers" 39 | connection_timeout_seconds: 15 40 | request_timeout_seconds: 7 41 | 42 | -------------------------------------------------------------------------------- /examples/lakefs/enterprise/ldap-fluffy.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | ingressClassName: 4 | hosts: 5 | # the ingress that will be created for lakeFS 6 | - host: 7 | paths: 8 | - / 9 | 10 | fluffy: 11 | enabled: true 12 | image: 13 | privateRegistry: 14 | enabled: true 15 | secretToken: 16 | fluffyConfig: | 17 | auth: 18 | post_login_redirect_url: / 19 | ldap: 20 | server_endpoint: ldaps://ldap.company.com:636 21 | bind_dn: uid=,ou=Users,o=,dc=,dc=com 22 | username_attribute: uid 23 | user_base_dn: ou=Users,o=,dc=,dc=com 24 | user_filter: (objectClass=inetOrgPerson) 25 | connection_timeout_seconds: 15 26 | request_timeout_seconds: 7 27 | 28 | secrets: 29 | create: true 30 | 31 | sso: 32 | enabled: true 33 | ldap: 34 | enabled: true 35 | bind_password: 36 | rbac: 37 | enabled: true 38 | 39 | lakefsConfig: | 40 | blockstore: 41 | type: local 42 | auth: 43 | remote_authenticator: 44 | enabled: true 45 | default_user_group: "Developers" 46 | ui_config: 47 | login_cookie_names: 48 | - internal_auth_session -------------------------------------------------------------------------------- /charts/lakefs/templates/mds/_mds.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | MDS resource full name 3 | */}} 4 | {{- define "mds.fullname" -}} 5 | {{- $name := include "lakefs.fullname" . 
}} 6 | {{- printf "%s-mds" $name | trunc 63 }} 7 | {{- end }} 8 | 9 | {{/* 10 | Common labels 11 | */}} 12 | {{- define "mds.labels" -}} 13 | helm.sh/chart: {{ include "lakefs.chart" . }} 14 | {{ include "mds.selectorLabels" . }} 15 | {{- if .Chart.AppVersion }} 16 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 17 | {{- end }} 18 | app.kubernetes.io/managed-by: {{ .Release.Service }} 19 | {{- end }} 20 | 21 | {{/* 22 | Selector labels 23 | */}} 24 | {{- define "mds.selectorLabels" -}} 25 | app.kubernetes.io/name: {{ include "lakefs.name" . }}-mds 26 | app.kubernetes.io/instance: {{ .Release.Name }} 27 | app.kubernetes.io/component: mds 28 | app: {{ include "lakefs.name" . }}-mds 29 | {{- end }} 30 | 31 | {{/* 32 | MDS volumes 33 | */}} 34 | {{- define "mds.volumes" -}} 35 | - name: {{ include "mds.fullname" . }}-config 36 | configMap: 37 | name: {{ include "mds.fullname" . }}-config 38 | items: 39 | - key: config.yaml 40 | path: config.yaml 41 | {{ with .Values.mds.extraVolumes -}} 42 | {{- toYaml . }} 43 | {{- end -}} 44 | {{- end }} 45 | 46 | {{/* 47 | MDS volume mounts 48 | */}} 49 | {{- define "mds.volumeMounts" -}} 50 | - name: {{ include "mds.fullname" . }}-config 51 | mountPath: /app/config.yaml 52 | subPath: config.yaml 53 | {{ with .Values.mds.extraVolumeMounts -}} 54 | {{- toYaml . 
}} 55 | {{- end }} 56 | {{- end }} 57 | -------------------------------------------------------------------------------- /examples/lakefs/enterprise/oidc-enterprise.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | ingressClassName: 4 | hosts: 5 | # the ingress that will be created for lakeFS 6 | - host: 7 | paths: 8 | - / 9 | 10 | enterprise: 11 | enabled: true 12 | auth: 13 | oidc: 14 | enabled: true 15 | # secret given by the OIDC provider (e.g auth0, Okta, etc) 16 | client_secret: 17 | 18 | image: 19 | privateRegistry: 20 | enabled: true 21 | secretToken: 22 | 23 | lakefsConfig: | 24 | blockstore: 25 | type: local 26 | features: 27 | local_rbac: true 28 | auth: 29 | logout_redirect_url: https://oidc-provider-url.com/logout/example 30 | oidc: 31 | friendly_name_claim_name: 32 | default_initial_groups: ["Developers"] 33 | providers: 34 | oidc: 35 | post_login_redirect_url: / 36 | url: https://oidc-provider-url.com/ 37 | client_id: 38 | callback_base_url: https:// 39 | # the claim name that represents the client identifier in the OIDC provider (e.g Okta) 40 | logout_client_id_query_parameter: client_id 41 | # the query parameters that will be used to redirect the user to the OIDC provider (e.g Okta) after logout 42 | logout_endpoint_query_parameters: 43 | - returnTo 44 | - https:///oidc/login 45 | 46 | -------------------------------------------------------------------------------- /charts/lakefs/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Thank you for installing lakeFS! 2 | 3 | 1. Run the following to get a url to start setting up lakeFS: 4 | {{- if contains "NodePort" .Values.service.type }} 5 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "lakefs.fullname" . 
}}) 6 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 7 | echo http://$NODE_IP:$NODE_PORT/setup 8 | {{- else if contains "LoadBalancer" .Values.service.type }} 9 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 10 | You can watch the status of by running 'kubectl get svc -w {{ template "lakefs.fullname" . }}' 11 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "lakefs.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 12 | echo http://$SERVICE_IP:{{ .Values.service.port }}/setup 13 | {{- else if contains "ClusterIP" .Values.service.type }} 14 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 15 | kubectl wait --for=condition=ready pod $POD_NAME 16 | echo "Visit http://127.0.0.1:{{ .Values.deployment.port }}/setup to use your application" 17 | kubectl port-forward $POD_NAME {{ .Values.deployment.port }}:{{ .Values.deployment.port }} --namespace {{ .Release.Namespace }} 18 | {{- end }} 19 | 20 | 2. 
See the docs on how to create your first repository: https://docs.lakefs.io/quickstart/repository.html 21 | -------------------------------------------------------------------------------- /examples/lakefs/enterprise/oidc-fluffy.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | ingressClassName: 4 | hosts: 5 | # the ingress that will be created for lakeFS 6 | - host: 7 | paths: 8 | - / 9 | 10 | fluffy: 11 | enabled: true 12 | image: 13 | privateRegistry: 14 | enabled: true 15 | secretToken: 16 | fluffyConfig: | 17 | auth: 18 | logout_redirect_url: https://oidc-provider-url.com/logout/example 19 | oidc: 20 | enabled: true 21 | url: https://oidc-provider-url.com/ 22 | client_id: 23 | callback_base_url: https:// 24 | # the claim name that represents the client identifier in the OIDC provider (e.g Okta) 25 | logout_client_id_query_parameter: client_id 26 | # the query parameters that will be used to redirect the user to the OIDC provider (e.g Okta) after logout 27 | logout_endpoint_query_parameters: 28 | - returnTo 29 | - https:///oidc/login 30 | secrets: 31 | create: true 32 | sso: 33 | enabled: true 34 | oidc: 35 | enabled: true 36 | # secret given by the OIDC provider (e.g auth0, Okta, etc) 37 | client_secret: 38 | rbac: 39 | enabled: true 40 | 41 | lakefsConfig: | 42 | database: 43 | type: local 44 | blockstore: 45 | type: local 46 | features: 47 | local_rbac: true 48 | auth: 49 | ui_config: 50 | login_cookie_names: 51 | - internal_auth_session 52 | - oidc_auth_session 53 | oidc: 54 | friendly_name_claim_name: 55 | default_initial_groups: ["Developers"] 56 | 57 | -------------------------------------------------------------------------------- /examples/lakefs/enterprise/saml-enterprise.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | ingressClassName: 4 | hosts: 5 | # the ingress that will be created for lakeFS 6 | - host: 
7 | paths: 8 | - / 9 | 10 | enterprise: 11 | enabled: true 12 | auth: 13 | saml: 14 | enabled: true 15 | createCertificateSecret: true 16 | certificate: 17 | samlRsaPublicCert: | 18 | -----BEGIN CERTIFICATE----- 19 | ... 20 | -----END CERTIFICATE----- 21 | samlRsaPrivateKey: | 22 | -----BEGIN PRIVATE KEY----- 23 | ... 24 | -----END PRIVATE KEY----- 25 | 26 | image: 27 | privateRegistry: 28 | enabled: true 29 | secretToken: 30 | 31 | lakefsConfig: | 32 | blockstore: 33 | type: local 34 | features: 35 | local_rbac: true 36 | auth: 37 | logout_redirect_url: https:// 38 | cookie_auth_verification: 39 | auth_source: saml 40 | # claim name to display user in the UI 41 | friendly_name_claim_name: displayName 42 | # claim name from IDP to use as the unique user name 43 | external_user_id_claim_name: samName 44 | default_initial_groups: 45 | - "Developers" 46 | providers: 47 | saml: 48 | post_login_redirect_url: https:// 49 | sp_root_url: https:// 50 | sp_sign_request: true 51 | # depends on IDP 52 | sp_signature_method: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" 53 | # url to the metadata of the IDP 54 | idp_metadata_url: "https:///federationmetadata/2007-06/federationmetadata.xml" 55 | # IDP SAML claims format default unspecified 56 | idp_authn_name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 57 | # depending on IDP setup, if CA certs are self signed and not trusted by a known CA 58 | #idp_skip_verify_tls_cert: true 59 | 60 | -------------------------------------------------------------------------------- /charts/lakefs/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.existingSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "lakefs.fullname" . }} 6 | labels: 7 | {{- include "lakefs.labels" . 
| nindent 4 }} 8 | type: Opaque 9 | data: 10 | {{- if (.Values.secrets).databaseConnectionString }} 11 | database_connection_string: {{ .Values.secrets.databaseConnectionString | default "" | b64enc }} 12 | {{- end }} 13 | {{- if (.Values.secrets).authEncryptSecretKey }} 14 | auth_encrypt_secret_key: {{ .Values.secrets.authEncryptSecretKey | default "" | b64enc }} 15 | {{- end }} 16 | 17 | {{- if (.Values.enterprise).enabled }} 18 | 19 | {{- if .Values.secrets.licenseContents }} 20 | license_contents: {{ .Values.secrets.licenseContents | default "" | b64enc }} 21 | {{- end }} 22 | 23 | {{- if (((.Values.enterprise).auth).ldap).enabled }} 24 | {{- if (((.Values.enterprise).auth).ldap).bindPassword }} 25 | # LDAP bind password secret, used for LDAP authentication 26 | ldap_bind_password: {{ .Values.enterprise.auth.ldap.bindPassword | b64enc }} 27 | {{- end }} 28 | {{- end }} 29 | {{- if (((.Values.enterprise).auth).oidc).enabled }} 30 | {{- if (((.Values.enterprise).auth).oidc).clientSecret }} 31 | # OIDC client secret, used for OIDC authentication 32 | oidc_client_secret: {{ .Values.enterprise.auth.oidc.clientSecret | b64enc }} 33 | {{- end }} 34 | {{- end }} 35 | {{- end }} 36 | {{- end }} 37 | --- 38 | 39 | # certificates to use with SAML SSO against server such as AD FS 40 | 41 | {{- if (.Values.enterprise).enabled }} 42 | {{- if (((.Values.enterprise).auth).saml).enabled }} 43 | {{- if (((.Values.enterprise).auth).saml).createCertificateSecret }} 44 | apiVersion: v1 45 | kind: Secret 46 | metadata: 47 | name: saml-certificates 48 | data: 49 | rsa_saml_public.pem: '{{ .Values.enterprise.auth.saml.certificate.samlRsaPublicCert | b64enc }}' 50 | rsa_saml_private.key: '{{ .Values.enterprise.auth.saml.certificate.samlRsaPrivateKey | b64enc }}' 51 | {{- end }} 52 | {{- end }} 53 | {{- end }} 54 | --- 55 | {{- if and .Values.image.privateRegistry.enabled .Values.image.privateRegistry.secretToken }} 56 | apiVersion: v1 57 | kind: Secret 58 | metadata: 59 | name: 
docker-registry 60 | type: kubernetes.io/dockerconfigjson 61 | data: 62 | .dockerconfigjson: {{ template "lakefs.dockerConfigJson" . }} 63 | {{- end }} -------------------------------------------------------------------------------- /examples/lakefs/enterprise/saml-fluffy.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | ingressClassName: 4 | hosts: 5 | # the ingress that will be created for lakeFS 6 | - host: 7 | paths: 8 | - / 9 | 10 | fluffy: 11 | enabled: true 12 | image: 13 | privateRegistry: 14 | enabled: true 15 | secretToken: 16 | fluffyConfig: | 17 | auth: 18 | # logout_redirect_url: https:// 19 | # post_login_redirect_url: https:// 20 | saml: 21 | sp_sign_request: true 22 | # depends on IDP 23 | sp_signature_method: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" 24 | # url to the metadata of the IDP 25 | idp_metadata_url: "https:///federationmetadata/2007-06/federationmetadata.xml" 26 | # IDP SAML claims format default unspecified 27 | # idp_authn_name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 28 | # claim name from IDP to use as the unique user name 29 | external_user_id_claim_name: samName 30 | # depending on IDP setup, if CA certs are self signed and not trusted by a known CA 31 | idp_skip_verify_tls_cert: true 32 | rbac: 33 | enabled: true 34 | secrets: 35 | create: true 36 | sso: 37 | enabled: true 38 | saml: 39 | enabled: true 40 | createSecret: true 41 | lakeFSServiceProviderIngress: https:// 42 | certificate: 43 | saml_rsa_public_cert: | 44 | -----BEGIN CERTIFICATE----- 45 | ... 46 | -----END CERTIFICATE----- 47 | saml_rsa_private_key: | 48 | -----BEGIN PRIVATE KEY----- 49 | ... 
50 | -----END PRIVATE KEY----- 51 | 52 | lakefsConfig: | 53 | blockstore: 54 | type: local 55 | auth: 56 | cookie_auth_verification: 57 | # claim name to display user in the UI 58 | friendly_name_claim_name: displayName 59 | # claim name from IDP to use as the unique user name 60 | external_user_id_claim_name: samName 61 | default_initial_groups: 62 | - "Developers" 63 | ui_config: 64 | login_cookie_names: 65 | - internal_auth_session 66 | - saml_auth_session 67 | 68 | -------------------------------------------------------------------------------- /charts/lakefs/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "lakefs.fullname" . -}} 3 | {{- $svcPort := .Values.service.port -}} 4 | {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion -}} 5 | apiVersion: networking.k8s.io/v1 6 | {{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} 7 | apiVersion: networking.k8s.io/v1beta1 8 | {{- else -}} 9 | apiVersion: extensions/v1beta1 10 | {{- end }} 11 | kind: Ingress 12 | metadata: 13 | name: {{ $fullName }} 14 | labels: 15 | {{- include "lakefs.labels" . | nindent 4 }} 16 | {{- with .Values.ingress.annotations }} 17 | annotations: 18 | {{- toYaml . | nindent 4 }} 19 | {{- end }} 20 | spec: 21 | {{- if .Values.ingress.ingressClassName }} 22 | ingressClassName: {{ .Values.ingress.ingressClassName }} 23 | {{- end }} 24 | {{- with .Values.ingress.defaultBackend }} 25 | defaultBackend: 26 | {{- toYaml . | nindent 4 }} 27 | {{- end }} 28 | {{- if .Values.ingress.tls }} 29 | tls: 30 | {{- range .Values.ingress.tls }} 31 | - hosts: 32 | {{- range .hosts }} 33 | - {{ . | quote }} 34 | {{- end }} 35 | secretName: {{ .secretName }} 36 | {{- end }} 37 | {{- end }} 38 | rules: 39 | {{- range .Values.ingress.hosts }} 40 | - host: {{ .host | quote }} 41 | http: 42 | paths: 43 | {{- range .paths }} 44 | - path: {{ . 
}} 45 | {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} 46 | pathType: Prefix 47 | backend: 48 | service: 49 | name: {{ $fullName }} 50 | port: 51 | number: {{ $svcPort }} 52 | {{- else }} 53 | backend: 54 | serviceName: {{ $fullName }} 55 | servicePort: {{ $svcPort }} 56 | {{- end }} 57 | {{- end }} 58 | {{- if (.pathsOverrides) }} 59 | {{- range .pathsOverrides }} 60 | - path: {{ .path }} 61 | {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} 62 | pathType: Prefix 63 | backend: 64 | service: 65 | name: {{ .serviceName }} 66 | port: 67 | number: {{ .servicePort }} 68 | {{- else }} 69 | backend: 70 | serviceName: {{ .serviceName }} 71 | servicePort: {{ .servicePort }} 72 | {{- end }} 73 | {{- end }} 74 | {{- end }} 75 | {{- end }} 76 | {{- end }} 77 | -------------------------------------------------------------------------------- /charts/lakefs/templates/mds/deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.mds.enabled -}} 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: {{ include "mds.fullname" . }} 6 | labels: 7 | {{- include "mds.labels" . | nindent 4 }} 8 | spec: 9 | # Currently, MDS is not scalable, so we only run one replica 10 | replicas: 1 11 | selector: 12 | matchLabels: 13 | {{- include "mds.selectorLabels" . | nindent 6 }} 14 | template: 15 | metadata: 16 | annotations: 17 | checksum/config: {{ include (print $.Template.BasePath "/mds/configmap.yaml") . | sha256sum }} 18 | {{- with .Values.mds.podAnnotations }} 19 | {{- toYaml . | nindent 8 }} 20 | {{- end }} 21 | labels: 22 | {{- include "mds.selectorLabels" . 
| nindent 8 }} 23 | spec: 24 | {{- if .Values.image.privateRegistry.enabled }} 25 | imagePullSecrets: 26 | {{- if (.Values.image.privateRegistry).secretToken }} 27 | - name: "docker-registry" 28 | {{- else }} 29 | - name: {{ .Values.image.privateRegistry.secretName }} 30 | {{- end }} 31 | {{- end }} 32 | serviceAccountName: {{ include "lakefs.serviceAccountName" . }} 33 | {{- with .Values.mds.securityContext }} 34 | securityContext: 35 | {{- toYaml . | nindent 8 }} 36 | {{- end }} 37 | containers: 38 | - name: mds 39 | args: 40 | - --config 41 | - /app/config.yaml 42 | image: "{{ .Values.mds.image.repository }}:{{ .Values.mds.image.tag }}" 43 | imagePullPolicy: {{ .Values.mds.image.pullPolicy }} 44 | ports: 45 | - name: http 46 | containerPort: 8080 47 | protocol: TCP 48 | {{- with .Values.mds.readinessProbe }} 49 | readinessProbe: 50 | {{- toYaml . | nindent 12 }} 51 | {{- end }} 52 | {{- with .Values.mds.livenessProbe }} 53 | livenessProbe: 54 | {{- toYaml . | nindent 12 }} 55 | {{- end }} 56 | {{- with .Values.mds.extraEnvVars }} 57 | env: 58 | {{- toYaml . | nindent 12 }} 59 | {{- end }} 60 | resources: 61 | {{- toYaml .Values.mds.resources | nindent 12 }} 62 | volumeMounts: 63 | {{- include "mds.volumeMounts" . | nindent 12 }} 64 | volumes: 65 | {{- include "mds.volumes" . | nindent 8 }} 66 | {{- with .Values.nodeSelector }} 67 | nodeSelector: 68 | {{- toYaml . | nindent 8 }} 69 | {{- end }} 70 | {{- with .Values.affinity }} 71 | affinity: 72 | {{- toYaml . | nindent 8 }} 73 | {{- end }} 74 | {{- with .Values.tolerations }} 75 | tolerations: 76 | {{- toYaml . | nindent 8 }} 77 | {{- end }} 78 | {{- with .Values.topologySpreadConstraints }} 79 | topologySpreadConstraints: 80 | {{- toYaml . 
| nindent 8 }} 81 | {{- end }} 82 | {{- end }} 83 | -------------------------------------------------------------------------------- /charts/lakefs/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "lakefs.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 7 | {{- end }} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "lakefs.fullname" -}} 15 | {{- if .Values.fullnameOverride }} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 17 | {{- else }} 18 | {{- $name := default .Chart.Name .Values.nameOverride }} 19 | {{- if contains $name .Release.Name }} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 21 | {{- else }} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 23 | {{- end }} 24 | {{- end }} 25 | {{- end }} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "lakefs.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 32 | {{- end }} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "lakefs.labels" -}} 38 | helm.sh/chart: {{ include "lakefs.chart" . }} 39 | {{ include "lakefs.selectorLabels" . }} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end }} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "lakefs.selectorLabels" -}} 50 | app: {{ include "lakefs.name" . }} 51 | app.kubernetes.io/name: {{ include "lakefs.name" . 
}} 52 | app.kubernetes.io/instance: {{ .Release.Name }} 53 | {{- end }} 54 | 55 | {{/* 56 | Create the name of the service account to use 57 | */}} 58 | {{- define "lakefs.serviceAccountName" -}} 59 | {{- if .Values.serviceAccount.create }} 60 | {{- default (include "lakefs.fullname" .) .Values.serviceAccount.name }} 61 | {{- else }} 62 | {{- default "default" .Values.serviceAccount.name }} 63 | {{- end }} 64 | {{- end }} 65 | 66 | {{/* 67 | Define which repository to use according to the following: 68 | 1. Explicitly defined 69 | 2. Otherwise if enterprise is enabled - take enterprise image 70 | 3. Otherwise use OSS image 71 | */}} 72 | {{- define "lakefs.repository" -}} 73 | {{- if not .Values.image.repository }} 74 | {{- if (.Values.enterprise).enabled }} 75 | {{- default "treeverse/lakefs-enterprise" .Values.image.repository }} 76 | {{- else }} 77 | {{- default "treeverse/lakefs" .Values.image.repository }} 78 | {{- end }} 79 | {{- else }} 80 | {{- default .Values.image.repository }} 81 | {{- end }} 82 | {{- end }} 83 | 84 | {{- define "lakefs.checkDeprecated" -}} 85 | {{- if .Values.fluffy -}} 86 | {{- fail "Fluffy configuration detected. Please migrate to lakeFS Enterprise auth configuration and use treeverse/lakefs-enterprise docker image. See migration guide: https://docs.lakefs.io/latest/enterprise/upgrade/#kubernetes-migrating-with-helm-from-fluffy-to-new-lakefs-enterprise." 
-}} 87 | {{- end -}} 88 | {{- end -}} 89 | 90 | {{- define "lakefs.dockerConfigJson" }} 91 | {{- $token := .Values.image.privateRegistry.secretToken }} 92 | {{- $username := "externallakefs" }} 93 | {{- $registry := "https://index.docker.io/v1/" }} 94 | {{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" $registry $username $token (printf "%s:%s" $username $token | b64enc) | b64enc }} 95 | {{- end }} 96 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Lint and Release Charts 2 | 3 | on: 4 | push: 5 | branches: [master] 6 | pull_request: 7 | workflow_dispatch: 8 | inputs: 9 | confirm: 10 | description: 'Trigger chart release (this will create a new chart version if changes are detected)' 11 | required: false 12 | type: boolean 13 | default: true 14 | jobs: 15 | check-changelog: 16 | runs-on: ubuntu-latest 17 | steps: 18 | - name: Checkout 19 | uses: actions/checkout@v6 20 | with: 21 | fetch-depth: 0 22 | 23 | - name: Check if Chart.yaml was modified 24 | id: check-chart 25 | run: | 26 | git fetch origin ${{ github.base_ref || 'master' }} 27 | 28 | # Check if Chart.yaml was modified in this PR 29 | if git diff --name-only origin/${{ github.base_ref || 'master' }}...HEAD | grep -q "charts/lakefs/Chart.yaml"; then 30 | echo "chart_modified=true" >> $GITHUB_OUTPUT 31 | echo "Chart.yaml was modified" 32 | else 33 | echo "chart_modified=false" >> $GITHUB_OUTPUT 34 | echo "Chart.yaml was not modified - skipping CHANGELOG check" 35 | fi 36 | 37 | - name: Check CHANGELOG updated 38 | if: steps.check-chart.outputs.chart_modified == 'true' 39 | run: | 40 | # Check if CHANGELOG.md was modified in this PR 41 | git diff --name-only origin/${{ github.base_ref || 'master' }}...HEAD | grep -q "CHANGELOG.md" 42 | 43 | if [ $? 
-eq 0 ]; then
            echo "✅ CHANGELOG.md has been updated"
            exit 0
          else
            echo "❌ ERROR: Chart.yaml was modified but CHANGELOG.md was not updated"
            echo "Please update CHANGELOG.md to document your changes"
            exit 1
          fi
          # NOTE(review): this step declares no `shell:`, so it runs under bash with `-e`.
          # When CHANGELOG.md is not in the diff, the `grep -q` pipeline above returns 1 and
          # `-e` ends the step right there, before `if [ $? -eq 0 ]` is evaluated, so the
          # ERROR/"Please update" lines in the else branch are never printed. Use the same
          # form as the check-chart step so the message is reachable:
          #   if git diff --name-only origin/${{ github.base_ref || 'master' }}...HEAD | grep -q "CHANGELOG.md"; then

  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      # NOTE(review): the third-party actions in this workflow (gitleaks, chart-testing,
      # kind, chart-releaser) are pinned by tag only, and a tag can be moved after the
      # fact. Pinning to a full commit SHA with the tag kept as a trailing comment,
      # e.g. `uses: zricethezav/gitleaks-action@<commit-sha> # v1.3.0`, fixes the code
      # that actually runs.
      - name: gitLeaks
        uses: zricethezav/gitleaks-action@v1.3.0
      - name: Install chart-testing (lint)
        uses: helm/chart-testing-action@v2
        with:
          version: v3.8.0
      - name: Run chart-testing (list-changed)
        id: list-changed
        run: |
          changed=$(ct list-changed)
          if [[ -n "$changed" ]]; then
            echo "changed=true" >> $GITHUB_OUTPUT
          fi
      - name: Run chart-testing (lint)
        run: ct lint
      - name: Create kind cluster
        uses: helm/kind-action@v1
        # Only build a kind cluster if there are chart changes to test.
        if: ${{ steps.list-changed.outputs.changed == 'true' }}
      - name: Run chart-testing (install)
        if: ${{ steps.list-changed.outputs.changed == 'true' }}
        run: ct install
  release:
    runs-on: ubuntu-latest
    # NOTE(review): only this job narrows the GITHUB_TOKEN scope; check-changelog and
    # lint run with the inherited default. A workflow-level `permissions:` block with
    # `contents: read` would make least privilege explicit for every job, with this
    # job keeping its own `contents: write` override.
    permissions:
      contents: write # needed to write releases
      pull-requests: read # needed for changelog
    needs: [lint, check-changelog]
    # Release only from master pushes, or from a manual run that confirmed the release.
    if: >
      (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
      (github.event_name == 'workflow_dispatch' && inputs.confirm == true)
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
      - name: Run chart-releaser
        uses: helm/chart-releaser-action@v1.5.0
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-------------------------------------------------------------------------------- /charts/lakefs/values.yaml:
-------------------------------------------------------------------------------- 1 | # Default values for lakefs. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | replicaCount: 1 6 | 7 | image: 8 | pullPolicy: IfNotPresent 9 | privateRegistry: 10 | enabled: false 11 | secretToken: null 12 | secretName: null 13 | 14 | nameOverride: "" 15 | fullnameOverride: "" 16 | 17 | ingress: 18 | enabled: false 19 | annotations: {} 20 | # kubernetes.io/ingress.class: nginx 21 | # kubernetes.io/tls-acme: "true" 22 | ingressClassName: "" 23 | defaultBackend: {} 24 | hosts: 25 | - host: chart-example.local 26 | paths: [] 27 | # redirect to a different service based on path prefix for advanced use cases only 28 | # pathsOverrides: 29 | # - path: /some/path 30 | # serviceName: other-example.local 31 | # servicePort: 80 32 | tls: [] 33 | # - secretName: chart-example-tls 34 | # hosts: 35 | # - chart-example.local 36 | 37 | podAnnotations: {} 38 | jobPodAnnotations: 39 | sidecar.istio.io/inject: "false" 40 | 41 | deployment: 42 | port: 8000 43 | 44 | service: 45 | annotations: {} 46 | type: ClusterIP 47 | port: 80 48 | 49 | resources: {} 50 | 51 | nodeSelector: {} 52 | 53 | tolerations: [] 54 | 55 | affinity: {} 56 | 57 | ## Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. 
58 | ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ 59 | ## 60 | topologySpreadConstraints: [] 61 | 62 | s3Fallback: 63 | enabled: false 64 | 65 | gcpFallback: 66 | enabled: false 67 | 68 | lakefsConfig: | 69 | database: 70 | type: local 71 | blockstore: 72 | type: local 73 | 74 | # yamllint disable rule:comments 75 | 76 | # Example: using node instance storage for caching committed data: 77 | # For more information: https://www.vipmind.me/infra/aws/how-to-use-ephemeral-disk-from-ec2-instance-in-eks.html 78 | #committedLocalCacheVolume: 79 | # hostPath: 80 | # path: /media/ephemeral0 81 | 82 | # yamllint enable 83 | 84 | serviceAccount: {} 85 | 86 | # to use an existing service account, replace the serviceAccount map above with the following: 87 | # serviceAccount: 88 | # name: "my-serviceaccount" 89 | 90 | # Extra Environment Values - allows yaml definitions 91 | extraEnvVars: 92 | # - name: VALUE_FROM_SECRET 93 | # valueFrom: 94 | # secretKeyRef: 95 | # name: secret_name 96 | # key: secret_key 97 | # Override K8S defaults for readinessProbe 98 | # readinessProbe: 99 | # failureThreshold: 10 100 | # periodSeconds: 5 101 | # successThreshold: 4 102 | # timeoutSeconds: 1 103 | # Override K8S defaults for livenessProbe 104 | # livenessProbe: 105 | # failureThreshold: 20 106 | # periodSeconds: 5 107 | # successThreshold: 4 108 | # timeoutSeconds: 1 109 | # initialDelaySeconds: 5 110 | 111 | # https://docs.lakefs.io/latest/datamanagment/metadata-search/#configuration-reference 112 | mds: 113 | enabled: false 114 | image: 115 | pullPolicy: IfNotPresent 116 | repository: treeverse/mds 117 | tag: "0.2.1" 118 | extraEnvVars: {} 119 | resources: 120 | # limits: 121 | # cpu: 500m 122 | # memory: 256Mi 123 | # requests: 124 | # cpu: 250m 125 | # memory: 128Mi 126 | readinessProbe: 127 | httpGet: 128 | path: /health 129 | port: http 130 | # failureThreshold: 10 131 | # periodSeconds: 5 132 | # successThreshold: 4 133 | # 
timeoutSeconds: 1
    # initialDelaySeconds: 5
  livenessProbe:
    httpGet:
      path: /health
      port: http
    # failureThreshold: 10
    # periodSeconds: 5
    # successThreshold: 4
    # timeoutSeconds: 1
    # initialDelaySeconds: 5
  # NOTE(review): everything under mds.config is rendered verbatim into the MDS
  # ConfigMap (templates/mds/configmap.yaml). That includes lakefs.secret_access_key,
  # so a real key placed here ends up in a ConfigMap rather than a Secret and is
  # readable by any principal with ConfigMap read access in the namespace. Keep real
  # credentials out of this block; mds.extraEnvVars (rendered into the MDS container
  # env) can carry a secretKeyRef instead, provided the MDS image accepts its
  # configuration from the environment -- TODO confirm against the configuration
  # reference linked above. The access_key_id / secret_access_key below are
  # placeholders, not working credentials.
  config:
    lakefs:
      endpoint: "https://example.lakefs.io"
      access_key_id: "AKIAIOSFOLEXAMPLE"
      secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    metadata_settings:
      since: "1970-01-01T00:00:00+00"
      max_commits: 100
    repositories:
      # example-repo-1:
      #   branches:
      #     - main
      #     - dev
      # example-repo-2:
      #   branches:
      #     - main
      #     - feature-*

# Start local postgres pod for quick start, not for production
useDevPostgres: false

# Name of existing secret to use
# When set, templates/_env.tpl and templates/_env.tpl's lakefs.volumes read the keys
# listed under secretKeys from this Secret instead of the chart-managed one, so no
# sensitive value has to be written into a values file.
existingSecret: null

# Keys used for existingSecret
secretKeys:
  # Always read from existingSecret when existingSecret is set. NOTE(review): with
  # neither existingSecret nor secrets.authEncryptSecretKey configured, _env.tpl
  # falls back to a fixed key that ships with the chart -- set one of the two for
  # any deployment that is more than a local evaluation.
  authEncryptSecretKey: auth_encrypt_secret_key
  # Use the following to fetch PostgreSQL connection string from an existing secret:
  databaseConnectionString: null
  # Use to fetch license token from an existing secret:
  licenseContentsKey: null
  # Use the following to fetch LDAP bind password from an existing secret:
  ldapBindPassword: null
  # Use the following to fetch OIDC client secret from an existing secret:
  oidcClientSecret: null

# Enterprise configuration
enterprise:
  enabled: false

  # Enterprise auth configuration
  auth:
    rbac:
      enabled: true

    ldap:
      enabled: false
      # Exposed to lakeFS through the ldap_bind_password key of the Secret named
      # after the release (referenced in templates/_env.tpl; presumably populated
      # by templates/secret.yaml -- verify). Prefer existingSecret plus
      # secretKeys.ldapBindPassword so the plaintext never sits in a values file.
      bindPassword: null

    oidc:
      enabled: false
      # Same pattern: oidc_client_secret key of the release Secret, or
      # existingSecret plus secretKeys.oidcClientSecret.
      clientSecret: null

    saml:
      enabled: false
      # The SAML env vars in _env.tpl expect the key and certificate under
      # /etc/saml_certs/, mounted from a Secret named saml-certificates
      # (lakefs.volumes); how createCertificateSecret populates it is defined
      # outside the files shown here -- verify.
      createCertificateSecret: false
      certificate:
        # certificates for AD FS IDP (e.g Azure AD)
        samlRsaPublicCert: null
        samlRsaPrivateKey: null

secrets:
  # When enterprise.enabled is true, mounted read-only at /etc/lakefs/license.tkn
  # (templates/deployment.yaml) and announced to lakeFS via LAKEFS_LICENSE_PATH.
  licenseContents: null
-------------------------------------------------------------------------------- /charts/lakefs/templates/deployment.yaml: --------------------------------------------------------------------------------
{{- include "lakefs.checkDeprecated" . -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "lakefs.fullname" . }}
  labels:
    {{- include "lakefs.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "lakefs.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      annotations:
        {{- /* Hash of the rendered ConfigMap: a change to lakefsConfig changes the pod template and therefore rolls the Deployment. */}}
        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      labels:
        {{- include "lakefs.selectorLabels" . | nindent 8 }}
    spec:
      {{- if (.Values.image.privateRegistry).enabled }}
      imagePullSecrets:
      {{- /* With a secretToken the pull secret is the chart's own "docker-registry" (presumably built from lakefs.dockerConfigJson in _helpers.tpl; that Secret template is not shown here), otherwise the caller-supplied secretName. */}}
      {{- if (.Values.image.privateRegistry).secretToken }}
        - name: "docker-registry"
      {{- else }}
        - name: {{ .Values.image.privateRegistry.secretName }}
      {{- end }}
      {{- end }}
      serviceAccountName: {{ include "lakefs.serviceAccountName" . }}
      {{- /* NOTE(review): values.yaml defines neither podSecurityContext nor securityContext, so both blocks below render as null by default and the pod and container run with the image's defaults. Consider documenting or shipping a hardening baseline in values.yaml (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities). */}}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          {{- /* With lakefsConfig set the config file is mounted from the ConfigMap; without it lakeFS runs on its built-in defaults and a local-data volume. */}}
          {{- if .Values.lakefsConfig }}
          args: ["run", "--config", "/etc/lakefs/config.yaml"]
          {{- else }}
          args: ["run"]
          {{- end }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ include "lakefs.repository" .
}}:{{ .Values.image.tag | default .Chart.AppVersion }}" 44 | imagePullPolicy: {{ .Values.image.pullPolicy }} 45 | ports: 46 | - name: http 47 | containerPort: {{ .Values.deployment.port }} 48 | protocol: TCP 49 | readinessProbe: 50 | {{- if ((.Values.readinessProbe).failureThreshold) }} 51 | failureThreshold: {{ .Values.readinessProbe.failureThreshold }} 52 | {{- end }} 53 | {{- if ((.Values.readinessProbe).periodSeconds) }} 54 | periodSeconds: {{ .Values.readinessProbe.periodSeconds }} 55 | {{- end }} 56 | {{- if ((.Values.readinessProbe).successThreshold) }} 57 | successThreshold: {{ .Values.readinessProbe.successThreshold }} 58 | {{- end }} 59 | {{- if ((.Values.readinessProbe).timeoutSeconds) }} 60 | timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} 61 | {{- end }} 62 | httpGet: 63 | path: /_health 64 | port: http 65 | livenessProbe: 66 | {{- if ((.Values.livenessProbe).failureThreshold) }} 67 | failureThreshold: {{ .Values.livenessProbe.failureThreshold }} 68 | {{- end }} 69 | {{- if ((.Values.livenessProbe).periodSeconds) }} 70 | periodSeconds: {{ .Values.livenessProbe.periodSeconds }} 71 | {{- end }} 72 | {{- if ((.Values.livenessProbe).successThreshold) }} 73 | successThreshold: {{ .Values.livenessProbe.successThreshold }} 74 | {{- end }} 75 | {{- if ((.Values.livenessProbe).timeoutSeconds) }} 76 | timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} 77 | {{- end }} 78 | {{- if ((.Values.livenessProbe).initialDelaySeconds) }} 79 | initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} 80 | {{- end }} 81 | httpGet: 82 | path: /_health 83 | port: http 84 | resources: 85 | {{- toYaml .Values.resources | nindent 12 }} 86 | volumeMounts: 87 | {{- if .Values.extraVolumeMounts }} 88 | {{ toYaml .Values.extraVolumeMounts | nindent 12 }} 89 | {{- end }} 90 | {{- if .Values.committedLocalCacheVolume }} 91 | - name: committed-local-cache 92 | mountPath: "/lakefs/cache" 93 | {{- end }} 94 | {{- if .Values.lakefsConfig }} 95 | - name: 
config-volume 96 | mountPath: /etc/lakefs/config.yaml 97 | subPath: "config.yaml" 98 | readOnly: true 99 | {{- else }} 100 | - name: {{ .Chart.Name }}-local-data 101 | mountPath: "/lakefs/data" 102 | {{- end }} 103 | {{- if (((.Values.enterprise).auth).saml).enabled }} 104 | - name: secret-volume-license-token 105 | readOnly: true 106 | mountPath: /etc/saml_certs/ 107 | {{- end }} 108 | {{- if (.Values.enterprise).enabled }} 109 | {{- if or (and .Values.secrets .Values.secrets.licenseContents) (and .Values.existingSecret .Values.secretKeys.licenseContentsKey) }} 110 | - name: secret-volume-license-token 111 | mountPath: /etc/lakefs/license.tkn 112 | subPath: "license.tkn" 113 | readOnly: true 114 | {{- end }} 115 | {{- end }} 116 | {{- include "lakefs.env" . | nindent 10 }} 117 | {{- include "lakefs.s3proxyContainer" . | nindent 8}} 118 | {{- include "lakefs.gcpProxyContainer" . | nindent 8}} 119 | volumes: 120 | {{- include "lakefs.volumes" . | nindent 8 }} 121 | {{- with .Values.nodeSelector }} 122 | nodeSelector: 123 | {{- toYaml . | nindent 8 }} 124 | {{- end }} 125 | {{- with .Values.affinity }} 126 | affinity: 127 | {{- toYaml . | nindent 8 }} 128 | {{- end }} 129 | {{- with .Values.tolerations }} 130 | tolerations: 131 | {{- toYaml . | nindent 8 }} 132 | {{- end }} 133 | {{- with .Values.topologySpreadConstraints }} 134 | topologySpreadConstraints: 135 | {{- toYaml . 
| nindent 8 }} 136 | {{- end }} 137 | -------------------------------------------------------------------------------- /charts/lakefs/templates/_env.tpl: -------------------------------------------------------------------------------- 1 | {{- define "lakefs.env" -}} 2 | env: 3 | {{- if and .Values.existingSecret .Values.secretKeys.databaseConnectionString }} 4 | - name: LAKEFS_DATABASE_POSTGRES_CONNECTION_STRING 5 | valueFrom: 6 | secretKeyRef: 7 | name: {{ .Values.existingSecret }} 8 | key: {{ .Values.secretKeys.databaseConnectionString }} 9 | {{- else if and .Values.secrets (.Values.secrets).databaseConnectionString }} 10 | - name: LAKEFS_DATABASE_POSTGRES_CONNECTION_STRING 11 | valueFrom: 12 | secretKeyRef: 13 | name: {{ include "lakefs.fullname" . }} 14 | key: database_connection_string 15 | {{- end }} 16 | {{- if .Values.existingSecret }} 17 | - name: LAKEFS_AUTH_ENCRYPT_SECRET_KEY 18 | valueFrom: 19 | secretKeyRef: 20 | name: {{ .Values.existingSecret }} 21 | key: {{ .Values.secretKeys.authEncryptSecretKey }} 22 | {{- else if and .Values.secrets (.Values.secrets).authEncryptSecretKey }} 23 | - name: LAKEFS_AUTH_ENCRYPT_SECRET_KEY 24 | valueFrom: 25 | secretKeyRef: 26 | name: {{ include "lakefs.fullname" . 
}}
        key: auth_encrypt_secret_key
{{- else }}
{{- /* NOTE(review): reached only when neither existingSecret nor secrets.authEncryptSecretKey is set. The value below is a fixed string that ships with the chart, so every install that lands here shares the same, publicly visible auth encryption key. Treat this branch as local-evaluation only and require one of the two secret inputs before anything reaches shared infrastructure. */}}
  - name: LAKEFS_AUTH_ENCRYPT_SECRET_KEY
    value: asdjfhjaskdhuioaweyuiorasdsjbaskcbkj
{{- end }}
{{- if (.Values.enterprise).enabled}}
{{- /* License token: the path matches the secret-volume-license-token mount in deployment.yaml and is exported only when a license source is configured. */}}
{{- if or (and .Values.secrets .Values.secrets.licenseContents) (and .Values.existingSecret .Values.secretKeys.licenseContentsKey) }}
  - name: LAKEFS_LICENSE_PATH
    value: '/etc/lakefs/license.tkn'
{{- end }}
{{- /* Set unconditionally for enterprise installs; there is no values.yaml switch for it. */}}
  - name: LAKEFS_USAGE_REPORT_ENABLED
    value: "true"
  - name: LAKEFS_FEATURES_LOCAL_RBAC
    value: "{{ (((.Values.enterprise).auth).rbac).enabled | default false }}"
{{- if (((.Values.enterprise).auth).saml).enabled }}
{{- /* SAML: the key and certificate paths below point into the /etc/saml_certs/ mount of the saml-certificates Secret declared in lakefs.volumes. */}}
  - name: LAKEFS_AUTH_COOKIE_AUTH_VERIFICATION_AUTH_SOURCE
    value: saml
  - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_URL
    value: /sso/login-saml
  - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL
    value: /sso/logout-saml
  - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_COOKIE_NAME
    value: "internal_auth_session,saml_auth_session"
  - name: LAKEFS_AUTH_PROVIDERS_SAML_POST_LOGIN_REDIRECT_URL
    value: /
  - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_X509_KEY_PATH
    value: '/etc/saml_certs/rsa_saml_private.key'
  - name: LAKEFS_AUTH_PROVIDERS_SAML_SP_X509_CERT_PATH
    value: '/etc/saml_certs/rsa_saml_public.pem'
{{- end }}
{{- if (((.Values.enterprise).auth).oidc).enabled }}
  - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_URL
    value: '/oidc/login'
  - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL
    value: '/oidc/logout'
  - name: LAKEFS_AUTH_UI_CONFIG_LOGIN_COOKIE_NAME
    value: "internal_auth_session,oidc_auth_session"
{{- /* Client secret source, in order: existingSecret + secretKeys.oidcClientSecret, else the oidc_client_secret key of the release Secret when enterprise.auth.oidc.clientSecret is given. */}}
{{- if and .Values.existingSecret .Values.secretKeys.oidcClientSecret }}
  - name: LAKEFS_AUTH_PROVIDERS_OIDC_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: {{ .Values.existingSecret }}
        key: {{ .Values.secretKeys.oidcClientSecret }}
{{- else if (((.Values.enterprise).auth).oidc).clientSecret }}
  - name:
LAKEFS_AUTH_PROVIDERS_OIDC_CLIENT_SECRET 72 | valueFrom: 73 | secretKeyRef: 74 | name: {{ include "lakefs.fullname" . }} 75 | key: oidc_client_secret 76 | {{- end }} 77 | {{- end }} 78 | {{- if (((.Values.enterprise).auth).ldap).enabled }} 79 | - name: LAKEFS_AUTH_UI_CONFIG_LOGOUT_URL 80 | value: /logout 81 | {{- if and .Values.existingSecret .Values.secretKeys.ldapBindPassword }} 82 | - name: LAKEFS_AUTH_PROVIDERS_LDAP_BIND_PASSWORD 83 | valueFrom: 84 | secretKeyRef: 85 | name: {{ .Values.existingSecret }} 86 | key: {{ .Values.secretKeys.ldapBindPassword }} 87 | {{- else if (((.Values.enterprise).auth).ldap).bindPassword }} 88 | - name: LAKEFS_AUTH_PROVIDERS_LDAP_BIND_PASSWORD 89 | valueFrom: 90 | secretKeyRef: 91 | name: {{ include "lakefs.fullname" . }} 92 | key: ldap_bind_password 93 | {{- end }} 94 | {{- end }} 95 | {{- if (((.Values.enterprise).auth).rbac).enabled }} 96 | - name: LAKEFS_AUTH_UI_CONFIG_RBAC 97 | value: internal 98 | {{- end }} 99 | {{- end }} 100 | 101 | {{- if .Values.s3Fallback.enabled }} 102 | - name: LAKEFS_GATEWAYS_S3_FALLBACK_URL 103 | value: http://localhost:7001 104 | {{- end }} 105 | {{- if .Values.committedLocalCacheVolume }} 106 | - name: LAKEFS_COMMITTED_LOCAL_CACHE_DIR 107 | value: /lakefs/cache 108 | {{- end }} 109 | {{- if .Values.useDevPostgres }} 110 | - name: LAKEFS_DATABASE_TYPE 111 | value: postgres 112 | - name: LAKEFS_DATABASE_POSTGRES_CONNECTION_STRING 113 | value: 'postgres://lakefs:lakefs@postgres-server:5432/postgres?sslmode=disable' 114 | {{- end }} 115 | {{- if .Values.extraEnvVars }} 116 | {{- toYaml .Values.extraEnvVars | nindent 2 }} 117 | {{- end }} 118 | {{- if .Values.extraEnvVarsSecret }} 119 | envFrom: 120 | - secretRef: 121 | name: {{ .Values.extraEnvVarsSecret }} 122 | {{- end }} 123 | {{- end }} 124 | 125 | {{- define "lakefs.volumes" -}} 126 | {{- if .Values.extraVolumes }} 127 | {{ toYaml .Values.extraVolumes }} 128 | {{- end }} 129 | {{- if .Values.committedLocalCacheVolume }} 130 | - name: 
committed-local-cache 131 | {{- toYaml .Values.committedLocalCacheVolume | nindent 2 }} 132 | {{- end }} 133 | {{- if not .Values.lakefsConfig }} 134 | - name: {{ .Chart.Name }}-local-data 135 | {{- end}} 136 | {{- if .Values.lakefsConfig }} 137 | - name: config-volume 138 | configMap: 139 | name: {{ include "lakefs.fullname" . }} 140 | items: 141 | - key: config.yaml 142 | path: config.yaml 143 | {{- end }} 144 | {{- if (.Values.enterprise).enabled }} 145 | {{- if and .Values.existingSecret .Values.secretKeys.licenseContentsKey }} 146 | - name: secret-volume-license-token 147 | secret: 148 | secretName: {{ .Values.existingSecret }} 149 | items: 150 | - key: {{ .Values.secretKeys.licenseContentsKey }} 151 | path: license.tkn 152 | {{- else if and .Values.secrets .Values.secrets.licenseContents }} 153 | - name: secret-volume-license-token 154 | secret: 155 | secretName: {{ include "lakefs.fullname" . }} 156 | items: 157 | - key: license_contents 158 | path: license.tkn 159 | {{- end }} 160 | {{- end }} 161 | {{- if (((.Values.enterprise).auth).saml).enabled }} 162 | - name: secret-volume-license-token 163 | secret: 164 | secretName: saml-certificates 165 | {{- end }} 166 | {{- end }} 167 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | # 1.7.12 4 | 5 | :new: What's new: 6 | - Update lakeFS version to [1.73.0](https://github.com/treeverse/lakeFS/releases/tag/v1.73.0) 7 | 8 | # 1.7.11 9 | 10 | :new: What's new: 11 | - Update lakeFS version to [1.72.0](https://github.com/treeverse/lakeFS/releases/tag/v1.72.0) 12 | 13 | # 1.7.9 14 | 15 | :new: What's new: 16 | - Update lakeFS version to [1.71.0](https://github.com/treeverse/lakeFS/releases/tag/v1.71.0) 17 | - Update metadata search version to v0.2.1 18 | 19 | # 1.7.9 20 | 21 | :new: What's new: 22 | - Update lakeFS version to 
[1.70.1](https://github.com/treeverse/lakeFS/releases/tag/v1.70.1) 23 | 24 | # 1.7.8 25 | 26 | :bug: Bugs fixed: 27 | - Prevent overlapping mounts: use subPath to mount the config file at `/etc/lakefs/config.yaml` so `/etc/lakefs/license.tkn` can be mounted separately 28 | 29 | # 1.7.7 30 | 31 | :new: What's new: 32 | - Update lakeFS version to [1.69.0](https://github.com/treeverse/lakeFS/releases/tag/v1.69.0) 33 | 34 | # 1.7.6 35 | 36 | :new: What's new: 37 | - Update lakeFS version to [1.68.0](https://github.com/treeverse/lakeFS/releases/tag/v1.68.0) 38 | 39 | # 1.7.5 40 | 41 | :new: What's new: 42 | - Update lakeFS version to [1.67.0](https://github.com/treeverse/lakeFS/releases/tag/v1.67.0) 43 | 44 | # 1.7.4 45 | 46 | :new: What's new: 47 | - Update lakeFS version to [1.66.0](https://github.com/treeverse/lakeFS/releases/tag/v1.66.0) 48 | 49 | # 1.7.3 50 | 51 | :new: What's new: 52 | - Update lakeFS version to [1.65.2](https://github.com/treeverse/lakeFS/releases/tag/v1.65.2) 53 | 54 | # 1.7.2 55 | 56 | :new: What's new: 57 | - Update lakeFS version to [1.65.1](https://github.com/treeverse/lakeFS/releases/tag/v1.65.1) 58 | 59 | # 1.7.1 60 | 61 | :new: What's new: 62 | - Update lakeFS version to [1.65.0](https://github.com/treeverse/lakeFS/releases/tag/v1.65.0) 63 | 64 | # 1.7.0 65 | 66 | :new: What's new: 67 | - Support Metadata Search 68 | 69 | # 1.6.2 70 | 71 | :new: What's new: 72 | - Update lakeFS version to [1.64.1](https://github.com/treeverse/lakeFS/releases/tag/v1.64.1) 73 | 74 | # 1.6.1 75 | 76 | :new: What's new: 77 | - Update lakeFS version to [1.64.0](https://github.com/treeverse/lakeFS/releases/tag/v1.64.0) 78 | 79 | # 1.6.0 80 | 81 | :new: What's new: 82 | - Add license support to helm chart 83 | 84 | # 1.5.0 85 | 86 | ### Important 87 | Fluffy is no longer supported in this chart version, and all authentication capabilities (LDAP, OIDC, SAML, AWS IAM) are now built directly into lakeFS Enterprise. 
88 | lakeFS-Enterprise image is now required for all enterprise authentication capabilities to work. 89 | For more information, see the [migration guide](https://docs.lakefs.io/latest/enterprise/upgrade/#kubernetes-migrating-with-helm-from-fluffy-to-new-lakefs-enterprise). 90 | 91 | :new: What's new: 92 | - Update lakeFS version to [1.63.0](https://github.com/treeverse/lakeFS/releases/tag/v1.63.0) 93 | 94 | # 1.4.20 95 | 96 | :new: What's new: 97 | - Update lakeFS version to [1.62.0](https://github.com/treeverse/lakeFS/releases/tag/v1.62.0) 98 | 99 | # 1.4.19 100 | 101 | :new: What's new: 102 | - Update lakeFS version to [1.61.0](https://github.com/treeverse/lakeFS/releases/tag/v1.61.0) 103 | - Update fluffy version to [0.13.2](https://github.com/treeverse/fluffy/releases/tag/v0.13.2), with latest security updates 104 | 105 | # 1.4.18 106 | 107 | :new: What's new: 108 | - Update lakeFS version to [1.60.0](https://github.com/treeverse/lakeFS/releases/tag/v1.60.0) 109 | 110 | # 1.4.17 111 | 112 | :new: What's new: 113 | - Update lakeFS version to [1.59.0](https://github.com/treeverse/lakeFS/releases/tag/v1.59.0) 114 | 115 | # 1.4.14 116 | 117 | :new: What's new: 118 | - Update lakeFS version to [1.58.0](https://github.com/treeverse/lakeFS/releases/tag/v1.58.0) 119 | 120 | ## 1.4.13 121 | 122 | :new: What's new: 123 | - Update lakeFS version to [1.57.0](https://github.com/treeverse/lakeFS/releases/tag/v1.57.0) 124 | 125 | ## 1.4.12 126 | 127 | :new: What's new: 128 | - Update lakeFS version to [1.56.0](https://github.com/treeverse/lakeFS/releases/tag/v1.56.0) 129 | 130 | ## 1.4.11 131 | 132 | :new: What's new: 133 | - Update lakeFS version to [1.55.0](https://github.com/treeverse/lakeFS/releases/tag/v1.55.0) 134 | 135 | ## 1.4.10 136 | 137 | :new: What's new: 138 | - Update fluffy version to [0.11.0](https://github.com/treeverse/fluffy/releases/tag/v0.11.0), support multi resource policies 139 | 140 | ## 1.4.9 141 | 142 | :new: What's new: 143 | - Update lakeFS 
version to [1.54.0](https://github.com/treeverse/lakeFS/releases/tag/v1.54.0) 144 | 145 | ## 1.4.7 146 | 147 | :new: What's new: 148 | - Update lakeFS version to [1.53.1](https://github.com/treeverse/lakeFS/releases/tag/v1.53.1) 149 | 150 | ## 1.4.6 151 | 152 | :new: What's new: 153 | - Update lakeFS version to [1.53.0](https://github.com/treeverse/lakeFS/releases/tag/v1.53.0) 154 | 155 | ## 1.4.5 156 | 157 | :new: What's new: 158 | - Update lakeFS version to [1.52.0](https://github.com/treeverse/lakeFS/releases/tag/v1.52.0) 159 | 160 | ## 1.4.4 161 | 162 | :new: What's new: 163 | - Update lakeFS version to [1.51.0](https://github.com/treeverse/lakeFS/releases/tag/v1.51.0) 164 | 165 | ## 1.4.3 166 | 167 | :new: What's new: 168 | - Fix v1.4.1 and v1.4.2 to use Fluffy v0.9.0 - v0.8.4 wasn't published 169 | 170 | ## 1.4.2 171 | 172 | :new: What's new: 173 | - Update lakeFS version to [1.50.0](https://github.com/treeverse/lakeFS/releases/tag/v1.50.0) 174 | 175 | ## 1.4.1 176 | 177 | :new: What's new: 178 | - Update Fluffy version to 0.8.4 179 | 180 | ## 1.4.0 181 | 182 | ### Important 183 | 184 | This chart introduces the use of lakeFS-Enterprise image when using fluffy. 185 | For enterprise users when upgrading to this chart, either: 186 | 1. Remove the `image.repository` configuration from your `values.yaml` file so that the correct image is fetched 187 | 2. 
Modify the value to `treeverse/lakefs-enterprise` 188 | 189 | **This chart is backwards compatible and does not require any special migration** 190 | 191 | :new: What's new: 192 | - Updated lakeFS version to [1.49.1](https://github.com/treeverse/lakeFS/releases/tag/v1.49.1) 193 | 194 | ## 1.3.33 195 | 196 | :new: What's new: 197 | - Updated lakeFS version to [1.49.1](https://github.com/treeverse/lakeFS/releases/tag/v1.49.1) 198 | 199 | 200 | ## 1.3.32 201 | 202 | :new: What's new: 203 | - Updated lakeFS version to [1.49.0](https://github.com/treeverse/lakeFS/releases/tag/v1.49.0) 204 | 205 | ## 1.3.31 206 | 207 | :new: What's new: 208 | - Update Fluffy version to 0.8.3 209 | 210 | ## 1.3.30 211 | 212 | :new: What's new: 213 | - Updated lakeFS version to [1.48.2](https://github.com/treeverse/lakeFS/releases/tag/v1.48.2) 214 | 215 | ## 1.3.29 216 | 217 | :new: What's new: 218 | - Updated lakeFS version to [1.48.1](https://github.com/treeverse/lakeFS/releases/tag/v1.48.1) 219 | 220 | ## v1.3.28 221 | 222 | ### Do **NOT** use this version, 1.48.0 breaks backwards compatibility 223 | 224 | :new: What's new: 225 | - Updated lakeFS version to [1.48.0](https://github.com/treeverse/lakeFS/releases/tag/v1.48.0) 226 | 227 | ## v1.3.27 228 | 229 | :new: What's new: 230 | - Updated lakeFS version to [1.47.0](https://github.com/treeverse/lakeFS/releases/tag/v1.47.0) 231 | 232 | ## v1.3.26 233 | 234 | :new: What's new: 235 | - Updated lakeFS version to [1.46.0](https://github.com/treeverse/lakeFS/releases/tag/v1.46.0) 236 | 237 | ## v1.3.24 238 | 239 | :new: What's new: 240 | - Updated lakeFS version to [1.45.0](https://github.com/treeverse/lakeFS/releases/tag/v1.45.0) 241 | - Updated fluffy version to [0.8.0](https://github.com/treeverse/fluffy/releases/tag/v0.8.0) 242 | 243 | ## v1.3.23 244 | 245 | :new: What's new: 246 | - Updated lakeFS version to [1.44.0](https://github.com/treeverse/lakeFS/releases/tag/v1.44.0) 247 | 248 | ## v1.3.19 249 | 250 | :new: What's new: 251 | - 
Updated lakeFS version to [1.43.0](https://github.com/treeverse/lakeFS/releases/tag/v1.43.0) 252 | 253 | ## v1.3.18 254 | 255 | :new: What's new: 256 | - Updated lakeFS version to [1.42.0](https://github.com/treeverse/lakeFS/releases/tag/v1.42.0) 257 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /charts/lakefs/README.md: -------------------------------------------------------------------------------- 1 | # lakeFS Helm Chart 2 | 3 | A Helm chart to deploy lakeFS on Kubernetes. 4 | 5 | ## Installing the Chart 6 | 7 | First, add the lakeFS helm repository: 8 | 9 | ```bash 10 | helm repo add lakefs https://charts.lakefs.io 11 | ``` 12 | 13 | ### Quickstart 14 | 15 | For learning purposes, you can install lakeFS with the following commands: 16 | 17 | ```bash 18 | # Deploy lakeFS with helm release "my-lakefs" 19 | helm install my-lakefs lakefs/lakefs 20 | ``` 21 | 22 | This will start lakeFS while data will be stored inside the container and will not be persisted. 
23 | 24 | ### Custom Configuration 25 | 26 | To install the chart with custom configuration values: 27 | 28 | ```bash 29 | # Deploy lakeFS with helm release "my-lakefs" 30 | helm install -f my-values.yaml my-lakefs lakefs/lakefs 31 | ``` 32 | 33 | Example `my-values.yaml` using PostgreSQL: 34 | 35 | ```yaml 36 | secrets: 37 | databaseConnectionString: postgres://postgres:myPassword@my-lakefs-db.rds.amazonaws.com:5432/lakefs?search_path=lakefs 38 | authEncryptSecretKey: 39 | lakefsConfig: | 40 | database: 41 | type: postgres 42 | blockstore: 43 | type: s3 44 | s3: 45 | region: us-east-1 46 | gateways: 47 | s3: 48 | domain_name: s3.lakefs.example.com 49 | ``` 50 | 51 | Example `my-values.yaml` using PostgreSQL with Cloud SQL Auth Proxy in GCP: 52 | 53 | ```yaml 54 | secrets: 55 | databaseConnectionString: postgres://:@localhost:5432/ 56 | authEncryptSecretKey: 57 | lakefsConfig: | 58 | database: 59 | type: postgres 60 | blockstore: 61 | type: gs 62 | gs: 63 | credentials_json: '' 64 | serviceAccount: 65 | name: 66 | gcpFallback: 67 | enabled: true 68 | instance: ::=tcp:5432 69 | ``` 70 | 71 | Example `my-values.yaml` using DynamoDB: 72 | ```yaml 73 | secrets: 74 | authEncryptSecretKey: 75 | lakefsConfig: | 76 | database: 77 | type: dynamodb 78 | dynamodb: 79 | table_name: my-lakefs 80 | aws_region: us-east-1 81 | blockstore: 82 | type: s3 83 | s3: 84 | region: us-east-1 85 | gateways: 86 | s3: 87 | domain_name: s3.lakefs.example.com 88 | ``` 89 | 90 | The `lakefsConfig` parameter is the lakeFS configuration documented [here](https://docs.lakefs.io/reference/configuration.html), but without sensitive information. 91 | Sensitive information like `database_connection_string` (used by PostgreSQL) is given through "secrets" section, and will be injected into Kubernetes secrets. 92 | 93 | You should give your Kubernetes nodes access to all S3 buckets (or other resources) you intend to use lakeFS with. 
94 | If you can't provide such access, lakeFS can be configured to use an AWS key-pair to authenticate (part of the `lakefsConfig` YAML). Note that `lakefsConfig` is rendered into a ConfigMap rather than a Kubernetes Secret, so a key-pair placed there is not stored as a secret; if static credentials are unavoidable, prefer supplying them through `extraEnvVarsSecret` (see the configuration table below). 95 | 96 | ## Notable Chart Upgrades 97 | 98 | ### Upgrading from chart version 0.9.4 or lower 99 | 100 | This version introduces changes to the [security model in lakeFS](https://docs.lakefs.io/posts/security_update.html). 101 | The lakeFS service will not run if the migration version isn't compatible with the binary. 102 | Before running the new version, you are required to run `migrate` with the new version. 103 | Please refer to this [upgrade documentation](https://docs.lakefs.io/reference/access-control-lists.html#migrating-from-the-previous-version-of-acls) for more information on the specific migration from RBAC to ACL. 104 | 105 | ### Upgrading from chart version 0.7.XX or lower 106 | 107 | If you are using Postgres as your database, make sure your `lakefsConfig` property contains the key `database.type` and that it is set to `postgres`. Before this version, the Helm chart set this property implicitly. 108 | 109 | ### Upgrading from chart version 0.5.XX or lower (lakeFS v0.70.XX or lower) 110 | 111 | Introducing [lakeFS v0.80.0](https://github.com/treeverse/lakeFS/releases/tag/v0.80.0), with **Key Value Store** support. As part of this upgrade, the entire database will be ported to the new KV. 112 | Before performing this upgrade, it is strongly recommended to perform these steps: 113 | * Commit all uncommitted data on branches 114 | * Create a snapshot of your database 115 | 116 | To prevent data loss during this process, it is recommended to stop all pods running `lakeFS`. 
117 | This can be achieved by scaling the number of pods down to 0: 118 | 119 | ```bash 120 | # Stopping all pods running release my-lakefs 121 | kubectl scale --replicas=0 deployment my-lakefs 122 | ``` 123 | 124 | Once all `lakeFS` pods are stopped, you can upgrade using the `upgrade` command: 125 | 126 | ```bash 127 | # Upgrade lakeFS to the latest helm release 128 | helm upgrade -f my-values.yaml my-lakefs lakefs/lakefs --set kv_upgrade=true 129 | ``` 130 | 131 | **Please note the `kv_upgrade` flag, which is required for this upgrade** (it is not required for a fresh installation of `lakeFS` with KV). 132 | 133 | 134 | ## Configurations 135 | 136 | | **Parameter** | **Description** | **Default** | 137 | |---------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------| 138 | | `secrets.databaseConnectionString` | PostgreSQL connection string to be used by lakeFS. (Ignored when `existingSecret` is set.) | | 139 | | `secrets.authEncryptSecretKey` | A random (cryptographically safe) generated string that is used for encryption and HMAC signing. (Ignored when `existingSecret` is set.) | | 140 | | `existingSecret` | Name of an existing secret to use for the chart's secrets (by default the chart creates a secret to hold the authEncryptSecretKey and databaseConnectionString). | | 141 | | `secretKeys.databaseConnectionString` | Name of the key in the existing secret to use for a PostgreSQL databaseConnectionString (no default). Only used when `existingSecret` is set. | | 142 | | `secretKeys.authEncryptSecretKey` | Name of the key in the existing secret to use for authEncryptSecretKey. Only used when `existingSecret` is set. | | 143 | | `lakefsConfig` | lakeFS config YAML stringified, as shown above. 
See [reference](https://docs.lakefs.io/reference/configuration.html) for available configurations. | | 144 | | `replicaCount` | Number of lakeFS pods | `1` | 145 | | `resources` | Pod resource requests & limits | `{}` | 146 | | `service.type` | Kubernetes service type | ClusterIP | 147 | | `service.port` | Kubernetes service external port | 80 | 148 | | `extraEnvVars` | Adds additional environment variables to the deployment (in yaml syntax) | `{}` See [values.yaml](values.yaml) | 149 | | `extraEnvVarsSecret` | Name of a Kubernetes secret containing extra environment variables | | 150 | | `s3Fallback.enabled` | If set to true, an [S3Proxy](https://github.com/gaul/s3proxy) container will be started. Requests to the lakeFS S3 gateway for a non-existing repository will be forwarded to this container. | | 151 | | `s3Fallback.aws_access_key` | An AWS access key to be used by the S3Proxy for authentication | | 152 | | `s3Fallback.aws_secret_key` | An AWS secret key to be used by the S3Proxy for authentication | | 153 | | `gcpFallback.enabled` | If set to true, a [GCP Proxy](https://github.com/GoogleCloudPlatform/cloud-sql-proxy) container will be started. | | 154 | | `gcpFallback.instance` | The instance to connect to. See the example above for the format. | | 155 | | `committedLocalCacheVolume` | A volume definition to be mounted by lakeFS and used for caching committed metadata. See [here](https://kubernetes.io/docs/concepts/storage/volumes/#volume-types) for a list of supported volume types. The default values.yaml file shows an example of how to use this parameter. | | 156 | | `serviceAccount.name` | Name of the service account to use for the lakeFS pods. If not set, the `default` service account is used. | | 157 | --------------------------------------------------------------------------------