hazelcast · plytro · Sep 17, 2023 · Sep 18, 2023 · Sep 18, 2023
diff --git a/stable/hazelcast-enterprise/Chart.yaml b/stable/hazelcast-enterprise/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: hazelcast-enterprise
-version: 5.10.5
+version: 5.10.7
 appVersion: "5.3.2"
 kubeVersion: ">=1.19.0-0"
 description: Hazelcast is a streaming and memory-first application platform for fast, stateful, data-intensive workloads on-premises, at the edge or as a fully managed cloud service.

diff --git a/stable/hazelcast-enterprise/templates/mancenter-statefulset.yaml b/stable/hazelcast-enterprise/templates/mancenter-statefulset.yaml
@@ -66,6 +66,10 @@ spec:
       {{- if .Values.mancenter.topologySpreadConstraints }}
       topologySpreadConstraints:
 {{ toYaml .Values.mancenter.topologySpreadConstraints | indent 8 }}
+      {{- end }}
+      {{- if .Values.mancenter.initContainers }}
+      initContainers:
+{{ toYaml .Values.mancenter.initContainers | nindent 8 }}
       {{- end }}
       containers:
       - name: {{ template "mancenter.fullname" . }}
@@ -164,19 +168,33 @@ spec:
         - name: MC_LICENSE_KEY
           value: {{ .Values.hazelcast.licenseKey }}
         {{- end }}
+        {{- $securityResetCommand := "" }}
+        {{- $securityConfigureCommand := "" }}
+        {{- with .Values.mancenter.security}}
+          {{- if or .activeDirectory.enabled .devMode.enabled}}
+            {{- $securityResetCommand = "./bin/mc-conf.sh security reset --lenient=true -H /data; " }}
+          {{- end }}
+          {{- if .activeDirectory.enabled }}
+            {{- with .activeDirectory }}
+              {{- $adminGroups := join ";" .adminGroups }}
+              {{- $userGroups := join ";" .userGroups }} 
+              {{- $readOnlyGroups := join ";" .readOnlyGroups }}
+              {{- $metricOnlyGroups := join ";" .metricOnlyGroups }}
+              {{- $nestedGroups := ternary "--nested-group-search" "" .nestedGroupSearch }}
+              {{- $securityConfigureCommand = printf "./bin/mc-conf.sh active-directory configure --home=/data --lenient=true --url='%s' --domain='%s' --user-search-filter='%s' --admin-groups='%s' --read-write-groups='%s' --read-only-groups='%s' --metrics-only-groups='%s' %s --verbose; " .url .domain .userSearchFilter  $adminGroups $userGroups $readOnlyGroups $metricOnlyGroups $nestedGroups }}
+            {{- end }}
+          {{- else if or $.Values.mancenter.devMode.enabled .devMode.enabled }}
+            {{- $securityConfigureCommand = "./bin/mc-conf.sh dev-mode configure; " }}
+          {{- end }}
+        {{- end }}
         {{- $clusterConfigCommand := "" }}
         {{- if .Values.mancenter.clusterConfig.create }}
         {{- $clusterConfigCommand = "./bin/mc-conf.sh cluster add --lenient=true -H /data -cc /config/hazelcast-client.yaml; " }}
         {{- end }}
-        {{- if .Values.mancenter.devMode.enabled }}
-        - name: MC_INIT_CMD
-          value: "{{ $clusterConfigCommand }}./bin/mc-conf.sh dev-mode configure"
-        {{- else if .Values.mancenter.clusterConfig.create }}
         - name: MC_INIT_CMD
-          value: "{{ $clusterConfigCommand }}"
-        {{- end }}
+          value: "{{ $securityResetCommand }}{{ $securityConfigureCommand }}{{ $clusterConfigCommand }}{{ $securityResetCommand }}{{ $securityConfigureCommand }}"
         - name: JAVA_OPTS
-          value: "{{ if or .Values.mancenter.licenseKey .Values.mancenter.licenseKeySecretName .Values.hazelcast.licenseKey .Values.hazelcast.licenseKeySecretName }}-Dhazelcast.mc.license=$(MC_LICENSE_KEY){{ end }} {{ if or .Values.mancenter.readinessProbe.enabled .Values.mancenter.livenessProbe.enabled }}-Dhazelcast.mc.healthCheck.enable=true{{ end }} -DserviceName={{ template "hazelcast.serviceName" . }} -Dnamespace={{ .Release.Namespace }} -Dhazelcast.mc.tls.enabled={{ .Values.mancenter.ssl }} -Dmancenter.ssl={{ .Values.mancenter.ssl }} {{ .Values.mancenter.javaOpts }}"
+          value: "{{ if or .Values.mancenter.licenseKey .Values.mancenter.licenseKeySecretName .Values.hazelcast.licenseKey .Values.hazelcast.licenseKeySecretName }}-Dhazelcast.mc.license=$(MC_LICENSE_KEY){{ end }} {{ if or .Values.mancenter.readinessProbe.enabled .Values.mancenter.livenessProbe.enabled }}-Dhazelcast.mc.healthCheck.enable=true{{ end }} {{ if $securityResetCommand }} -Dhazelcast.mc.lock.skip=true {{ end }} -DserviceName={{ template "hazelcast.serviceName" . }} -Dnamespace={{ .Release.Namespace }} -Dhazelcast.mc.tls.enabled={{ .Values.mancenter.ssl }} -Dmancenter.ssl={{ .Values.mancenter.ssl }} {{ .Values.mancenter.javaOpts }}"
         {{- with .Values.mancenter.env }}
           {{- toYaml . | nindent 8 }}
         {{- end }}        
@@ -232,7 +250,7 @@ spec:
     spec:
       accessModes:
       {{- range .Values.mancenter.persistence.accessModes }}
-      - {{ . | quote }}
+        - {{ . | quote }}
       {{- end }}
       {{- if .Values.mancenter.persistence.storageClass }}
       {{- if (eq "-" .Values.mancenter.persistence.storageClass) }}
@@ -244,5 +262,5 @@ spec:
       resources:
         requests:
           storage: {{ .Values.mancenter.persistence.size | quote }}
-      {{- end }}
-{{- end -}}
+  {{- end -}}
+{{- end -}}
diff --git a/stable/hazelcast-enterprise/templates/statefulset.yaml b/stable/hazelcast-enterprise/templates/statefulset.yaml
@@ -159,14 +159,14 @@ spec:
         - name: HZ_LICENSEKEY
           value: {{ .Values.hazelcast.licenseKey }}
           {{- end }}
-        {{- if .Values.customVolume }}
-        - name: CLASSPATH
-          value: "/data/custom:/data/custom/*"
-        {{- end }}
         - name: POD_NAME
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
+        {{- if .Values.customVolume }}
+        - name: CLASSPATH
+          value: "/data/custom:/data/custom/*"
+        {{- end }}
         {{- if .Values.metrics.enabled }}
         - name: PROMETHEUS_PORT
           value: "{{ .Values.metrics.service.port }}"
@@ -216,7 +216,7 @@ spec:
         {{- if .Values.customVolume }}
         - name: hazelcast-custom
 {{ toYaml .Values.customVolume | indent 10 }}
-            {{- end }}
+        {{- end }}
         {{- if .Values.persistence.enabled }}
         {{- if .Values.persistence.hostPath }}
         - name: persistence

diff --git a/stable/hazelcast-enterprise/values.yaml b/stable/hazelcast-enterprise/values.yaml
@@ -333,6 +333,7 @@ env: []
 mancenter:
   # enabled is a flag to enable Management Center application
   enabled: true
+
   ## Hazelcast Management Center image version
   ## ref: https://hub.docker.com/r/hazelcast/management-center/tags/
   ##
@@ -343,7 +344,6 @@ mancenter:
     tag: "5.3.2"
     # digest is the Hazelcast Management Center image digest that will be used only if the tag is empty
     digest: ""
-    #
     # pullPolicy is the Docker image pull policy
     # It's recommended to change this to 'Always' if the image tag is 'latest'
     # ref: http://kubernetes.io/docs/user-guide/images/#updating-images
@@ -355,10 +355,11 @@ mancenter:
     # pullSecrets:
     # - myRegistryKeySecretName
 
-  # Dev mode is for the Hazelcast clusters running on your local for development
-  # or evaluation purposes and it provides quick access to the Management Center without requiring any security credentials
-  devMode:
-    enabled: false
+  # Init containers for Management Center
+  initContainers: []
+  #  - name: init-myservice
+  #    image: busybox:1.28
+  #    command: ['sh', '-c', "sleep 2"]
 
   # ingress configuration for mancenter
   ingress:
@@ -389,9 +390,34 @@ mancenter:
   # licenseKeySecretName is the name of the secret where the Hazelcast Management Center License Key is stored (can be used instead of licenseKey)
   # licenseKeySecretName:
 
+  # Dev mode is for the Hazelcast clusters running on your local for development or evaluation purposes and it provides quick access to the Management Center without requiring any security credentials
+  # Deprected in favor of the `security` config block.
+  # This is mutually exclusive with adminCredentialsSecretName
+  devMode:
+    enabled: false
+
   # adminCredentialsSecretName is Kubernetes Secret Name for admin credentials. Secret has to contain `username` and `password` literals. please check Management Center documentation for password requirements
+  # If this is set it will conflict with devMode or security.activeDirectory.enabled == true
   # adminCredentialsSecretName:
 
+  security:
+    # The follow options are mutually exclusive
+    devMode:
+      enabled: false
+    activeDirectory:
+      enabled: false
+      url: ldap://localhost:10389
+      domain: example.com
+      userSearchFilter: "(&(objectClass=user)(userPrincipalName={0}))"
+      nestedGroupSearch: true
+      adminGroups: #[]
+        - HazelcastMCAdmin
+      userGroups: #[]
+        - HazelcastMCUser
+      readOnlyGroups: #[]
+        - HazelcastMCReadonlyUser
+      metricOnlyGroups: #[]
+        - HazelcastMCMetricsOnlyUser
 
   # existingConfigMap defines a ConfigMap which contains Hazelcast Client configuration file(s) that are used instead of hazelcast-client.yaml configuration below
   # existingConfigMap:
@@ -403,6 +429,10 @@ mancenter:
           enabled: true
           service-name: ${serviceName}
           namespace: ${namespace}
+  # Cluster config creation will create the connection to the Hazelcast cluster based on the yaml.hazelcast-client
+  clusterConfig:
+    # create is a flag used to enable cluster config creation
+    create: true
 
   # annotations is an array of metadata for Management Center Statefulset
   annotations: {}
@@ -478,7 +508,7 @@ mancenter:
     labels: {}
     #  key: value
     # ClusterIP of the service
-    clusterIP: 
+    clusterIP:
     # loadBalancerIP statically set IP or set empty to use dynamic IP allocation
     loadBalancerIP:
 
@@ -514,15 +544,11 @@ mancenter:
     # failureThreshold is the minimum consecutive failures for the probe to be considered failed after having succeeded
     failureThreshold: 3
 
-  # Cluster config creation will create the connection to the Hazelcast cluster based on the yaml.hazelcast-client
-  clusterConfig:
-    create: true
-
   # secretsMountName is the secret name that is mounted as '/data/secrets/' (e.g. with keystore/trustore files)
   # secretsMountName:
 
   # Additional Environment variables
-  env: [] 
+  env: []
     # - name: DB_USERNAME
     #   valueFrom:
     #     secretKeyRef:
@@ -566,11 +592,12 @@ externalAccess:
     #
     nodePorts: []
 
-    # Labels for the services that will be created.
+    ## Labels for the services that will be created.
     labels: {}
 
     # Annotations for the services that will be created.
     annotations: {}
+
 test:
   ## Hazelcast chart test hook image version
   image:
@@ -593,6 +620,17 @@ test:
     # runAsGroup is the primary group ID used to run all processes within any container of the pod
     runAsGroup: 65534
 
+  # Configure resource requests and limits
+  # ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  #
+  # resources:
+  #   requests:
+  #     memory: 256Mi
+  #     cpu: 100m
+  #   limits:
+  #     memory: 1024Mi
+  #     cpu: 200m
+
 ## Array of extra objects to deploy with the release
 ##
 extraDeploy: []
diff --git a/stable/hazelcast/Chart.yaml b/stable/hazelcast/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: hazelcast
-version: 5.8.6
+version: 5.8.8
 appVersion: "5.3.2"
 kubeVersion: ">=1.19.0-0"
 description: Hazelcast is a streaming and memory-first application platform for fast, stateful, data-intensive workloads on-premises, at the edge or as a fully managed cloud service.

diff --git a/stable/hazelcast/templates/mancenter-statefulset.yaml b/stable/hazelcast/templates/mancenter-statefulset.yaml
@@ -66,6 +66,10 @@ spec:
       {{- if .Values.mancenter.topologySpreadConstraints }}
       topologySpreadConstraints:
 {{ toYaml .Values.mancenter.topologySpreadConstraints | indent 8 }}
+      {{- end }}
+      {{- if .Values.mancenter.initContainers }}
+      initContainers:
+{{ toYaml .Values.mancenter.initContainers | nindent 8 }}
       {{- end }}
       containers:
       - name: {{ template "mancenter.fullname" . }}
@@ -85,6 +89,7 @@ spec:
           httpGet:
             path: {{ if .Values.mancenter.contextPath }}{{ .Values.mancenter.contextPath }}{{ end }}/health
             port: 8081
+            scheme: HTTP
           initialDelaySeconds: {{ .Values.mancenter.livenessProbe.initialDelaySeconds }}
           periodSeconds: {{ .Values.mancenter.livenessProbe.periodSeconds }}
           timeoutSeconds: {{ .Values.mancenter.livenessProbe.timeoutSeconds }}
@@ -150,23 +155,46 @@ spec:
             secretKeyRef:
               name: {{ .Values.mancenter.licenseKeySecretName }}
               key: key
-        {{- else if .Values.mancenter.licenseKey}}
+        {{- else if .Values.mancenter.licenseKey }}
         - name: MC_LICENSE_KEY
           value: {{ .Values.mancenter.licenseKey }}
+        {{- else if .Values.hazelcast.licenseKeySecretName }}
+        - name: MC_LICENSE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.hazelcast.licenseKeySecretName }}
+              key: key
+        {{- else if .Values.hazelcast.licenseKey}}
+        - name: MC_LICENSE_KEY
+          value: {{ .Values.hazelcast.licenseKey }}
+        {{- end }}
+        {{- $securityResetCommand := "" }}
+        {{- $securityConfigureCommand := "" }}
+        {{- with .Values.mancenter.security}}
+          {{- if or .activeDirectory.enabled .devMode.enabled}}
+            {{- $securityResetCommand = "./bin/mc-conf.sh security reset --lenient=true -H /data; " }}
+          {{- end }}
+          {{- if .activeDirectory.enabled }}
+            {{- with .activeDirectory }}
+              {{- $adminGroups := join ";" .adminGroups }}
+              {{- $userGroups := join ";" .userGroups }} 
+              {{- $readOnlyGroups := join ";" .readOnlyGroups }}
+              {{- $metricOnlyGroups := join ";" .metricOnlyGroups }}
+              {{- $nestedGroups := ternary "--nested-group-search" "" .nestedGroupSearch }}
+              {{- $securityConfigureCommand = printf "./bin/mc-conf.sh active-directory configure --home=/data --lenient=true --url='%s' --domain='%s' --user-search-filter='%s' --admin-groups='%s' --read-write-groups='%s' --read-only-groups='%s' --metrics-only-groups='%s' %s --verbose; " .url .domain .userSearchFilter  $adminGroups $userGroups $readOnlyGroups $metricOnlyGroups $nestedGroups }}
+            {{- end }}
+          {{- else if or $.Values.mancenter.devMode.enabled .devMode.enabled }}
+            {{- $securityConfigureCommand = "./bin/mc-conf.sh dev-mode configure; " }}
+          {{- end }}
         {{- end }}
         {{- $clusterConfigCommand := "" }}
         {{- if .Values.mancenter.clusterConfig.create }}
         {{- $clusterConfigCommand = "./bin/mc-conf.sh cluster add --lenient=true -H /data -cc /config/hazelcast-client.yaml; " }}
         {{- end }}
-        {{- if .Values.mancenter.devMode.enabled }}
         - name: MC_INIT_CMD
-          value: "{{ $clusterConfigCommand }}./bin/mc-conf.sh dev-mode configure"
-        {{- else if .Values.mancenter.clusterConfig.create }}
-        - name: MC_INIT_CMD
-          value: "{{ $clusterConfigCommand }}"
-        {{- end }}
+          value: "{{ $securityResetCommand }}{{ $securityConfigureCommand }}{{ $clusterConfigCommand }}{{ $securityResetCommand }}{{ $securityConfigureCommand }}"
         - name: JAVA_OPTS
-          value: "{{ if or .Values.mancenter.licenseKey .Values.mancenter.licenseKeySecretName }}-Dhazelcast.mc.license=$(MC_LICENSE_KEY){{ end }} {{ if or .Values.mancenter.readinessProbe.enabled .Values.mancenter.livenessProbe.enabled }}-Dhazelcast.mc.healthCheck.enable=true{{ end }} -DserviceName={{ template "hazelcast.serviceName" . }} -Dnamespace={{ .Release.Namespace }} -Dhazelcast.mc.tls.enabled={{ .Values.mancenter.ssl }} {{ .Values.mancenter.javaOpts }}"
+          value: "{{ if or .Values.mancenter.licenseKey .Values.mancenter.licenseKeySecretName .Values.hazelcast.licenseKey .Values.hazelcast.licenseKeySecretName }}-Dhazelcast.mc.license=$(MC_LICENSE_KEY){{ end }} {{ if or .Values.mancenter.readinessProbe.enabled .Values.mancenter.livenessProbe.enabled }}-Dhazelcast.mc.healthCheck.enable=true{{ end }} {{ if $securityResetCommand }} -Dhazelcast.mc.lock.skip=true {{ end }} -DserviceName={{ template "hazelcast.serviceName" . }} -Dnamespace={{ .Release.Namespace }} -Dhazelcast.mc.tls.enabled={{ .Values.mancenter.ssl }} -Dmancenter.ssl={{ .Values.mancenter.ssl }} {{ .Values.mancenter.javaOpts }}"
         {{- with .Values.mancenter.env }}
           {{- toYaml . | nindent 8 }}
         {{- end }}        
@@ -188,36 +216,35 @@ spec:
       serviceAccountName: {{ template "hazelcast.serviceAccountName" . }}
       automountServiceAccountToken: {{ .Values.serviceAccount.automountToken }}
       volumes:
-      - name: config
-        configMap:
-           {{- if .Values.mancenter.existingConfigMap }}
-           name: {{ .Values.mancenter.existingConfigMap }}
-           {{- else }}
-           name: {{ template "mancenter.fullname" . }}-configuration
-           {{- end }}
-      {{- if .Values.mancenter.secretsMountName }}
-      - name: mancenter-secrets
-        secret:
-          secretName: {{ .Values.mancenter.secretsMountName }}
-      {{- end }}
-      - name: mancenter-storage
-        {{- if and (eq .Values.mancenter.persistence.enabled true) .Values.mancenter.persistence.existingClaim }}
-        persistentVolumeClaim:
-          claimName: {{ .Values.mancenter.persistence.existingClaim }}
-        {{- else if (eq .Values.mancenter.persistence.enabled false) }}
-        emptyDir: {}
-        {{- end }}
-      {{- if .Values.mancenter.customVolume }}
-      - name: mancenter-custom
-{{ toYaml .Values.mancenter.customVolume | indent 8 }}
-      {{- end }}
-    {{ if and (eq .Values.mancenter.persistence.enabled true) (empty .Values.mancenter.persistence.existingClaim) }}
+        - name: config
+          configMap:
+            {{- if .Values.mancenter.existingConfigMap }}
+            name: {{ .Values.mancenter.existingConfigMap }}
+            {{- else }}
+            name: {{ template "mancenter.fullname" . }}-configuration
+            {{- end }}
+        {{- if .Values.mancenter.secretsMountName }}
+        - name: mancenter-secrets
+          secret:
+            secretName: {{ .Values.mancenter.secretsMountName }}
+        {{- end }}
+        - name: mancenter-storage
+          {{- if and (eq .Values.mancenter.persistence.enabled true) .Values.mancenter.persistence.existingClaim }}
+          persistentVolumeClaim:
+            claimName: {{ .Values.mancenter.persistence.existingClaim }}
+          {{- else if (eq .Values.mancenter.persistence.enabled false) }}
+          emptyDir: {}
+          {{- end }}
+        {{- if .Values.mancenter.customVolume }}
+        - name: mancenter-custom
+{{ toYaml .Values.mancenter.customVolume | indent 10 }}
+        {{- end }}
+      {{ if and (eq .Values.mancenter.persistence.enabled true) (empty .Values.mancenter.persistence.existingClaim) }}
   volumeClaimTemplates:
   - metadata:
       name: mancenter-storage
       labels:
         app.kubernetes.io/name: {{ template "mancenter.name" . }}
-        helm.sh/chart: "{{ .Chart.Name }}"
         app.kubernetes.io/instance: "{{ .Release.Name }}"
         app.kubernetes.io/managed-by: "{{ .Release.Service }}"
     spec:
@@ -236,4 +263,4 @@ spec:
         requests:
           storage: {{ .Values.mancenter.persistence.size | quote }}
   {{- end -}}
-{{- end -}}
+{{- end -}}