futureporn
/
fp
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

use supertokens
ci / build (push) Failing after 1s Details

This commit is contained in:
CJ_Clippy 2024-11-05 11:48:21 -08:00
parent 4c71649c76
commit 255503acb6
230 changed files with 27245 additions and 7570 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
MANTRAS.md
View File

@ -48,4 +48,6 @@ In other words, pick something for a name and roll with the punches.
### Never Settle ### Never Settle
> "But it's also about looking at things anew and what they could be instead of what they are" > "But it's also about looking at things anew and what they could be instead of what they are"
> -- Rodney Mullen > -- Rodney Mullen
### Success requires continuing even when it's painful

6
Makefile
View File

@ -13,10 +13,10 @@ secrets:
flux: flux:
./scripts/flux-bootstrap.sh ./scripts/flux-bootstrap.sh
chisel: cluster: echoenv kind namespaces gateway secrets velero flux metrics chisel
./scripts/k8s-chisel.sh
cluster: echoenv kind namespaces secrets velero flux metrics chisel gateway:
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml
metrics: metrics:
./scripts/k8s-metrics.sh ./scripts/k8s-metrics.sh

333
Tiltfile
View File

@ -9,6 +9,18 @@ secret_settings(
disable_scrub=True disable_scrub=True
) )
## @warning Don't use kubefwd, it's unreliable. In my testing, it deleted important /etc/hosts entries.
## Our workaround for SSL in dev is to use a VPS with caddy and chisel.
## Caddy handles SSL certs/termination and chisel proxies into our cluster.
## This means that cert-manager is only used in staging and production env (not development.)
## This also means Gateway and HTTPRoute is only used in staging and production.
## @todo Caddy/Chisel is not ideal since that setup is out-of-scope of the monorepo. For now it's the best solution because it unblocks our DX
##
## @see https://blog.tilt.dev/2021/09/09/kubefwd-operator.html
# v1alpha1.extension_repo(name='default', url='https://github.com/tilt-dev/tilt-extensions')
# v1alpha1.extension(name='kubefwd:config', repo_name='default', repo_path='kubefwd')
## helm_remote and deploy_cert_manager are BANNED because they use too much bandwidth and crash my computer ## helm_remote and deploy_cert_manager are BANNED because they use too much bandwidth and crash my computer
## ##
## cert-manager slows down Tilt updates so I prefer to keep it commented unless I specifically need to test certs ## cert-manager slows down Tilt updates so I prefer to keep it commented unless I specifically need to test certs
@ -26,6 +38,17 @@ load('ext://dotenv', 'dotenv')
dotenv(fn='.env.development') dotenv(fn='.env.development')
## Right now we use Tilt/Helm in dev and Flux/Kustomize/Helm in production.
## It is a pipedream to use the same deployment/templating tool in development as we do in production. This vastly simplifies deployment.
## We can't use Flux in development unless we figure out a way for flux/kustomize to reference our fp Helm chart as a relative directory.
## Right now, we reference gitea.futureporn.net (kind: GitRepository) where Kustomize downloads the fp Helm chart.
## We could possibly rewrite our fp Helm chart as a Kustomization and then deprecate Helm in development.
## k8s_yaml(kustomize('./flux/apps/development'))
## We are constrained to CrossNamespaceObjectReference kind list
## @see https://fluxcd.io/flux/components/helm/api/v2/#helm.toolkit.fluxcd.io/v2.CrossNamespaceObjectReference
## @see https://github.com/fluxcd/helm-controller/blob/c8ae4b6ad225d37b19bacb634db784d6096908ac/api/v2beta2/reference_types.go#L53
# helm_remote( # helm_remote(
# 'velero', # 'velero',
# repo_name='velero', # repo_name='velero',
@ -64,13 +87,8 @@ dotenv(fn='.env.development')
# namespace='futureporn', # namespace='futureporn',
# version='7.1.4', # version='7.1.4',
# ) # )
# helm_remote(
# 'frp-operator',
# repo_name='frp-operator',
# repo_url='https://zufardhiyaulhaq.com/frp-operator/charts/releases/',
# namespace='futureporn',
# version='1.0.0'
# )
# helm_remote( # helm_remote(
# 'kubernetes-ingress-controller', # 'kubernetes-ingress-controller',
# repo_name='kubernetes-ingress-controller', # repo_name='kubernetes-ingress-controller',
@ -91,18 +109,23 @@ dotenv(fn='.env.development')
k8s_yaml(helm(
'./charts/traefik/traefik',
namespace='futureporn',
values=[
'./charts/traefik/values-overrides.yaml'
]
))
k8s_yaml(helm( k8s_yaml(helm(
'./charts/fp', './charts/fp',
values=['./charts/fp/values.yaml'], values=['./charts/fp/values.yaml'],
)) ))
## we are using a local helm chart instead of using helm_remote because that command makes the tilt builds Hella slow. # we are using a local helm chart instead of using helm_remote because that command makes the tilt builds Hella slow.
## to download this chart, we used the following commands. # to download this chart, we used the following commands.
## future re-pulling is needed to keep things up-to-date. # future re-pulling is needed to keep things up-to-date.
## #
## helm repo add bitnami https://charts.bitnami.com/bitnami # helm repo add bitnami https://charts.bitnami.com/bitnami
## helm pull bitnami/postgresql --untar --destination ./charts/postgresql # helm pull bitnami/postgresql --untar --destination ./charts/postgresql
k8s_yaml(helm( k8s_yaml(helm(
'./charts/postgresql/postgresql', './charts/postgresql/postgresql',
namespace='futureporn', namespace='futureporn',
@ -120,6 +143,32 @@ k8s_yaml(helm(
] ]
)) ))
# k8s_yaml(helm(
# './charts/drupal/drupal',
# namespace='futureporn',
# values=[
# './charts/drupal/values-overrides.yaml'
# ]
# ))
# k8s_yaml(helm(
# './charts/phpmyadmin/phpmyadmin',
# namespace='futureporn',
# values=[
# './charts/phpmyadmin/values-overrides.yaml'
# ]
# ))
# k8s_yaml(helm(
# './charts/mariadb/mariadb',
# namespace='futureporn',
# values=[
# './charts/mariadb/values-overrides.yaml'
# ]
# ))
# k8s_yaml(helm( # k8s_yaml(helm(
# './charts/external-secrets/external-secrets', # './charts/external-secrets/external-secrets',
# namespace='futureporn', # namespace='futureporn',
@ -127,19 +176,11 @@ k8s_yaml(helm(
k8s_yaml(helm(
'./charts/traefik/traefik',
namespace='futureporn',
values=[
'./charts/traefik/values-overrides.yaml'
]
))
# ## redis is for uppy
## redis is for uppy # ## before you think of switching to valkey, dragonfly, or one of the other redis alternatives, STOP. Uppy is picky.
## before you think of switching to valkey, dragonfly, or one of the other redis alternatives, STOP. Uppy is picky. # ## I tested dragonfly, valkey, and KeyDB. Uppy's ioredis client was unable to connect. "ECONNREFUSED" ...
## I tested dragonfly, valkey, and KeyDB. Uppy's ioredis client was unable to connect. "ECONNREFUSED" ... # ## Uppy was only happy connecting to official redis.
## Uppy was only happy connecting to official redis.
k8s_yaml(helm( k8s_yaml(helm(
'./charts/redis/redis', './charts/redis/redis',
namespace='futureporn', namespace='futureporn',
@ -154,14 +195,15 @@ k8s_yaml(helm(
values=['./charts/cert-manager/values-overrides.yaml'] values=['./charts/cert-manager/values-overrides.yaml']
)) ))
## chisel-operator helm chart is not ready for general use. It has an invalid DNS name, "v1.1" that prevents successful deployment k8s_yaml(helm(
## instead, we use kustomize to deploy './charts/chisel-operator/chisel-operator',
## @see ./Makefile namespace='futureporn',
# k8s_yaml(helm( values=['./charts/chisel-operator/values-overrides.yaml']
# './charts/chisel-operator/chisel-operator', ))
# namespace='futureporn', k8s_resource(
# values=['./charts/chisel-operator/values-overrides.yaml'] workload='chisel-operator',
# )) labels=['networking'],
)
## ngrok ## ngrok
# k8s_yaml(helm( # k8s_yaml(helm(
@ -172,24 +214,7 @@ k8s_yaml(helm(
# docker_build('fp/link2cid', './packages/link2cid') # docker_build('fp/link2cid', './packages/link2cid')
docker_build(
'fp/strapi',
'.',
dockerfile='./dockerfiles/strapi.dockerfile',
target='strapi',
only=[
'./.npmrc',
'./package.json',
'./pnpm-lock.yaml',
'./pnpm-workspace.yaml',
'./services/strapi',
'./packages/types',
],
live_update=[
sync('./services/strapi', '/usr/src/app')
],
pull=False,
)
docker_build( docker_build(
'fp/bot', 'fp/bot',
@ -239,6 +264,12 @@ docker_build(
load('ext://uibutton', 'cmd_button') load('ext://uibutton', 'cmd_button')
cmd_button('supertokens:seed',
argv=['./scripts/supertokens-seed.sh'],
resource='supertokens',
icon_name='start',
text='create supertokens database',
)
cmd_button('postgres:restore', cmd_button('postgres:restore',
argv=['./scripts/postgres-restore.sh'], argv=['./scripts/postgres-restore.sh'],
resource='postgresql-primary', resource='postgresql-primary',
@ -265,6 +296,12 @@ cmd_button('capture-worker:create',
icon_name='send', icon_name='send',
text='Recording Integration Test' text='Recording Integration Test'
) )
# cmd_button('drupal:init',
# argv=['./scripts/drupal-init-wrapper.sh'],
# resource='drupal',
# icon_name='send',
# text='Initialize Drupal'
# )
cmd_button('postgres:migrate', cmd_button('postgres:migrate',
argv=['./scripts/postgres-migrations.sh'], argv=['./scripts/postgres-migrations.sh'],
@ -304,9 +341,6 @@ docker_build(
'.', '.',
dockerfile='dockerfiles/next.dockerfile', dockerfile='dockerfiles/next.dockerfile',
target='dev', target='dev',
build_args={
'NEXT_PUBLIC_STRAPI_URL': 'https://strapi.fp.sbtp.xyz',
},
live_update=[ live_update=[
sync('./services/next', '/app/services/next') sync('./services/next', '/app/services/next')
], ],
@ -314,12 +348,12 @@ docker_build(
) )
docker_build( docker_build(
'fp/build', 'fp/factory',
'.', '.',
dockerfile='./dockerfiles/build.dockerfile', dockerfile='./dockerfiles/factory.dockerfile',
target='dev', target='dev',
live_update=[ live_update=[
sync('./services/build', '/app/services/build') sync('./services/factory', '/app/services/factory')
], ],
pull=False, pull=False,
) )
@ -327,30 +361,30 @@ docker_build(
docker_build( # docker_build(
'fp/mailbox', # 'fp/mailbox',
'.', # '.',
dockerfile='dockerfiles/mailbox.dockerfile', # dockerfile='dockerfiles/mailbox.dockerfile',
target='mailbox', # target='mailbox',
only=[ # only=[
'./.npmrc', # './.npmrc',
'./package.json', # './package.json',
'./pnpm-lock.yaml', # './pnpm-lock.yaml',
'./pnpm-workspace.yaml', # './pnpm-workspace.yaml',
'./services/mailbox', # './services/mailbox',
'./packages/types', # './packages/types',
'./packages/utils', # './packages/utils',
'./packages/fetchers', # './packages/fetchers',
'./packages/video', # './packages/video',
'./packages/storage', # './packages/storage',
], # ],
live_update=[ # live_update=[
sync('./services/mailbox', '/app'), # sync('./services/mailbox', '/app'),
run('cd /app && pnpm i', trigger=['./services/mailbox/package.json', './services/mailbox/pnpm-lock.yaml']), # run('cd /app && pnpm i', trigger=['./services/mailbox/package.json', './services/mailbox/pnpm-lock.yaml']),
], # ],
pull=False, # pull=False,
# entrypoint='pnpm nodemon --ext js,ts,json,yaml --exec node --no-warnings=ExperimentalWarning --loader ts-node/esm ./src/index.ts' # # entrypoint='pnpm nodemon --ext js,ts,json,yaml --exec node --no-warnings=ExperimentalWarning --loader ts-node/esm ./src/index.ts'
) # )
@ -380,30 +414,11 @@ docker_build(
# k8s_resource(
# workload='kubernetes-ingress-controller-manager',
# links=[
# link(os.getenv('NGROK_URL'), 'Endpoint')
# ],
# labels='ngrok'
# )
# k8s_resource(
# workload='frp-operator-controller-manager',
# labels='tunnel'
# )
# k8s_resource(
# workload='echo',
# links=[
# link('https://echo.fp.sbtp.xyz'),
# link('http://echo.futureporn.svc.cluster.local:8001')
# ],
# labels='debug'
# )
k8s_resource( k8s_resource(
workload='scout', workload='scout',
resource_deps=['postgresql-primary'], resource_deps=['postgresql-primary'],
port_forwards=['8134'], # port_forwards=['8134'],
labels=['backend'], labels=['backend'],
) )
k8s_resource( k8s_resource(
@ -416,32 +431,16 @@ k8s_resource(
) )
k8s_resource( k8s_resource(
workload='next', workload='next',
port_forwards=['3000'],
links=[ links=[
link('https://next.fp.sbtp.xyz'), link('https://next.fp.sbtp.xyz'),
link('https://next.fp.sbtp.xyz/api/auth/dashboard'),
], ],
resource_deps=['postgrest', 'postgresql-primary'], resource_deps=['postgrest', 'postgresql-primary'],
labels=['frontend'], labels=['frontend'],
) )
k8s_resource(
workload='strapi',
port_forwards=['1339'],
links=[
link('https://strapi.fp.sbtp.xyz/admin'),
link('https://strapi.fp.sbtp.xyz'),
],
resource_deps=['postgresql-primary'],
labels=['backend'],
)
k8s_resource(
workload='game-2048', # whoami is for testing routing
port_forwards=['8088:80'],
labels=['frontend'],
links=[
link('https://game-2048.fp.sbtp.xyz/')
]
)
k8s_resource( k8s_resource(
workload='whoami', workload='whoami',
labels=['frontend'], labels=['frontend'],
@ -451,7 +450,7 @@ k8s_resource(
) )
k8s_resource( k8s_resource(
workload='postgresql-primary', workload='postgresql-primary',
port_forwards=['5432'], # port_forwards=['5432'],
labels=['database'], labels=['database'],
) )
k8s_resource( k8s_resource(
@ -459,18 +458,65 @@ k8s_resource(
labels=['database'] labels=['database']
) )
# k8s_resource(
# workload='mariadb',
# labels=['database']
# )
# k8s_resource(
# workload='drupal',
# resource_deps=['mariadb'],
# labels=['backend'],
# port_forwards=['9797:8080'],
# links=[
# link('https://drupal.fp.sbtp.xyz'),
# ],
# )
k8s_resource( k8s_resource(
workload='mailbox', workload='chart-velero',
resource_deps=['postgresql-primary', 'strapi'], resource_deps=['postgresql-primary'],
labels=['backend'], labels=['backend'],
) )
k8s_resource( k8s_resource(
workload='build', workload='chart-velero-upgrade-crds',
resource_deps=['postgrest'], resource_deps=['postgresql-primary'],
labels=['backend'], labels=['backend'],
) )
# k8s_resource(
# workload='logto',
# port_forwards=['3001', '3002'],
# links=[
# link('https://logto.fp.sbtp.xyz'),
# link('https://logto-admin.fp.sbtp.xyz'),
# ],
# labels=['backend'],
# )
# k8s_resource(
# workload='logto-database-seed',
# labels=['database'],
# )
# k8s_resource(
# workload='phpmyadmin',
# port_forwards=['5151:8080'],
# labels=['database'],
# )
k8s_resource(
workload='supertokens',
links=[
link('https://supertokens.fp.sbtp.xyz'),
],
labels=['backend'],
)
# k8s_resource(
# workload='mailbox',
# resource_deps=['postgresql-primary', 'postgrest'],
# labels=['backend'],
# )
# k8s_resource( # k8s_resource(
# workload='nitter', # workload='nitter',
# port_forwards=['6060:10606'], # port_forwards=['6060:10606'],
@ -507,10 +553,11 @@ k8s_resource(
labels=['networking'], labels=['networking'],
) )
# k8s_resource(
# workload='ngrok-manager', k8s_resource(
# labels=['networking'], workload='factory',
# ) labels=['backend'],
)
k8s_resource( k8s_resource(
workload='redis-master', workload='redis-master',
@ -526,20 +573,30 @@ k8s_resource(
labels=['backend'], labels=['backend'],
resource_deps=['postgrest', 'postgresql-primary'], resource_deps=['postgrest', 'postgresql-primary'],
) )
k8s_resource( # k8s_resource(
workload='chihaya', # workload='chihaya',
labels=['backend'] # labels=['backend']
) # )
k8s_resource( k8s_resource(
workload='postgrest', workload='postgrest',
port_forwards=['9000'], # port_forwards=['9000'],
labels=['database'], labels=['database'],
links=[
link('https://postgrest.fp.sbtp.xyz'),
],
resource_deps=['postgresql-primary'], resource_deps=['postgresql-primary'],
) )
k8s_resource(
workload='traefik',
links=[
link('https://traefik.fp.sbtp.xyz/whoami'),
link('https://traefik.fp.sbtp.xyz/postgrest'),
],
labels=['networking'],
)
k8s_resource( k8s_resource(
workload='pgadmin4', workload='pgadmin4',
port_forwards=['5050:80'], # port_forwards=['5050:80'],
labels=['database'], labels=['database'],
) )
k8s_resource( k8s_resource(

19
charts/README.md
View File

@ -35,7 +35,7 @@ We override default values in the parent folder.
### chisel-operator ### chisel-operator
pnpx tiged 'https://github.com/FyraLabs/chisel-operator/charts/chisel-operator#v0.3.4' ./charts/chisel-operator/chisel-operator helm pull oci://ghcr.io/fyralabs/chisel-operator/chisel-operator --version 0.1.0 --untar --destination ./charts/chisel-operator
### ngrok ### ngrok
@ -45,7 +45,7 @@ We override default values in the parent folder.
### traefik ### traefik
helm repo add traefik https://traefik.github.io/charts helm repo add traefik https://traefik.github.io/charts
helm pull traefik/traefik --version 30.0.2 --untar --destination ./charts/traefik helm pull traefik/traefik --version 33.0.0 --untar --destination ./charts/traefik
### velero ### velero
@ -55,4 +55,17 @@ We override default values in the parent folder.
### external-secrets-operator ### external-secrets-operator
helm repo add external-secrets https://charts.external-secrets.io helm repo add external-secrets https://charts.external-secrets.io
helm pull external-secrets/external-secrets --version 0.10.2 --untar --destination ./charts/external-secrets helm pull external-secrets/external-secrets --version 0.10.2 --untar --destination ./charts/external-secrets
### drupal
helm pull oci://registry-1.docker.io/bitnamicharts/drupal --version 20.0.10 --untar --destination ./charts/drupal
### mariadb
helm repo add bitnami https://charts.bitnami.com/bitnami --force-update
helm pull bitnami/mariadb --untar --destination ./charts/mariadb
### phpmyadmin
helm pull bitnami/phpmyadmin --version 17.0.7 --untar --destination ./charts/phpmyadmin

23
charts/chisel-operator/chisel-operator/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

6
charts/chisel-operator/chisel-operator/Chart.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v2
appVersion: v0.4.1
description: Kubernetes Operator for deploying Chisel reverse proxies
name: chisel-operator
type: application
version: 0.1.0

62
charts/chisel-operator/chisel-operator/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "chisel-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "chisel-operator.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "chisel-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "chisel-operator.labels" -}}
helm.sh/chart: {{ include "chisel-operator.chart" . }}
{{ include "chisel-operator.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "chisel-operator.selectorLabels" -}}
app.kubernetes.io/name: {{ include "chisel-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "chisel-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "chisel-operator.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

101
charts/chisel-operator/chisel-operator/templates/crds/exit-node-provisioner.yaml Normal file
View File

@ -0,0 +1,101 @@
{{- if .Values.createCrds }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: exitnodeprovisioners.chisel-operator.io
spec:
group: chisel-operator.io
names:
categories: []
kind: ExitNodeProvisioner
plural: exitnodeprovisioners
shortNames: []
singular: exitnodeprovisioner
scope: Namespaced
versions:
- additionalPrinterColumns: []
name: v1
schema:
openAPIV3Schema:
description: Auto-generated derived type for ExitNodeProvisionerSpec via `CustomResource`
properties:
spec:
description: ExitNodeProvisioner is a custom resource that represents a Chisel exit node provisioner on a cloud provider.
oneOf:
- required:
- DigitalOcean
- required:
- Linode
- required:
- AWS
properties:
AWS:
properties:
auth:
description: Reference to a secret containing the AWS access key ID and secret access key, under the `access_key_id` and `secret_access_key` secret keys
type: string
region:
description: Region ID for the AWS region to provision the exit node in See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html
type: string
security_group:
description: Security group name to use for the exit node, uses the default security group if not specified
nullable: true
type: string
size:
default: t2.micro
description: Size for the EC2 instance See https://aws.amazon.com/ec2/instance-types/
type: string
required:
- auth
- region
type: object
DigitalOcean:
properties:
auth:
description: Reference to a secret containing the DigitalOcean API token, under the `DIGITALOCEAN_TOKEN` secret key
type: string
region:
default: ''
description: Region ID of the DigitalOcean datacenter to provision the exit node in If empty, DigitalOcean will randomly select a region for you, which might not be what you want See https://slugs.do-api.dev/
type: string
size:
default: s-1vcpu-1gb
description: Size for the DigitalOcean droplet See https://slugs.do-api.dev/
type: string
ssh_fingerprints:
default: []
description: SSH key fingerprints to add to the exit node
items:
type: string
type: array
required:
- auth
type: object
Linode:
properties:
auth:
description: Name of the secret containing the Linode API token, under the `LINODE_TOKEN` secret key
type: string
region:
description: Region ID of the Linode datacenter to provision the exit node in See https://api.linode.com/v4/regions
type: string
size:
default: g6-nanode-1
description: Size for the Linode instance See https://api.linode.com/v4/linode/
type: string
required:
- auth
- region
type: object
type: object
required:
- spec
title: ExitNodeProvisioner
type: object
served: true
storage: true
subresources: {}
{{- end }}

84
charts/chisel-operator/chisel-operator/templates/crds/exit-node.yaml Normal file
View File

@ -0,0 +1,84 @@
{{- if .Values.createCrds -}}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: exitnodes.chisel-operator.io
spec:
group: chisel-operator.io
names:
categories: []
kind: ExitNode
plural: exitnodes
shortNames: []
singular: exitnode
scope: Namespaced
versions:
- additionalPrinterColumns: []
name: v1
schema:
openAPIV3Schema:
description: Auto-generated derived type for ExitNodeSpec via `CustomResource`
properties:
spec:
description: ExitNode is a custom resource that represents a Chisel exit node. It will be used as the reverse proxy for all services in the cluster.
properties:
auth:
description: Optional authentication secret name to connect to the control plane
nullable: true
type: string
chisel_image:
description: Optional value for the chisel client image used to connect to the chisel server If not provided, jpillora/chisel:latest is used
nullable: true
type: string
default_route:
default: false
description: Optional boolean value for whether to make the exit node the default route for the cluster If true, the exit node will be the default route for the cluster default value is false
type: boolean
external_host:
description: Optional real external hostname/IP of exit node If not provided, the host field will be used
nullable: true
type: string
fingerprint:
description: Optional but highly recommended fingerprint to perform host-key validation against the server's public key
nullable: true
type: string
host:
description: Hostname or IP address of the chisel server
type: string
port:
description: Control plane port of the chisel server
format: uint16
minimum: 0.0
type: integer
required:
- host
- port
type: object
status:
nullable: true
properties:
id:
nullable: true
type: string
ip:
type: string
name:
type: string
provider:
type: string
required:
- ip
- name
- provider
type: object
required:
- spec
title: ExitNode
type: object
served: true
storage: true
subresources:
status: {}
{{- end -}}

49
charts/chisel-operator/chisel-operator/templates/deployment.yaml Normal file
View File

@ -0,0 +1,49 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "chisel-operator.fullname" . }}
labels:
name: {{- include "chisel-operator.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount}}
selector:
matchLabels:
{{- include "chisel-operator.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "chisel-operator.selectorLabels" . | nindent 8 }}
spec:
{{- if .Values.serviceAccount.create }}
serviceAccountName: {{ include "chisel-operator.serviceAccountName" . }}
automountServiceAccountToken: true # This is required
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "chisel-operator.serviceAccountName" . }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

58
charts/chisel-operator/chisel-operator/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,58 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "chisel-operator.serviceAccountName" . }}
labels:
{{- include "chisel-operator.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "chisel-operator.serviceAccountName" . }}
labels:
{{- include "chisel-operator.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["apps"]
resources: ["deployments", "deployments/*"]
verbs: ["*"]
- apiGroups: [""]
resources: ["services", "services/status", "services/finalizers"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["chisel-operator.io"]
resources: ["*"]
verbs: ["*"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "chisel-operator.serviceAccountName" . }}
labels:
{{- include "chisel-operator.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ include "chisel-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ include "chisel-operator.serviceAccountName" . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}

51
charts/chisel-operator/chisel-operator/values.yaml Normal file
View File

@ -0,0 +1,51 @@
# Default values for chisel-operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1 # Right now only 1 replica is supported
# LeaderElection and multiple replicas may be supported in the future.
# For now, we recommend running only 1 replica else Chisel Operator may constantly
# recreate resources, wasting your API resources and costing you money.
image:
repository: ghcr.io/fyralabs/chisel-operator
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
# tag:
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
# Create CRDs for Chisel Operator
createCrds: true

3
charts/drupal/README.md Normal file
View File

@ -0,0 +1,3 @@
## drupal notes
To initialize drupal with all the modules we need, use the "Initialize Drupal" button in Tilt's UI. Or see the script it executes in ../../scripts/drupal-init.sh

25
charts/drupal/drupal/.helmignore Normal file
View File

@ -0,0 +1,25 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# img folder
img/
# Changelog
CHANGELOG.md

9
charts/drupal/drupal/Chart.lock Normal file
View File

@ -0,0 +1,9 @@
dependencies:
- name: mariadb
repository: oci://registry-1.docker.io/bitnamicharts
version: 19.0.7
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.24.0
digest: sha256:1a41985df21415bc1a7fdd62b58daa1b60b31f2c2ebda4b9506e099a372b338c
generated: "2024-10-03T11:38:53.545931255Z"

42
charts/drupal/drupal/Chart.yaml Normal file
View File

@ -0,0 +1,42 @@
annotations:
category: CMS
images: |
- name: apache-exporter
image: docker.io/bitnami/apache-exporter:1.0.9-debian-12-r1
- name: drupal
image: docker.io/bitnami/drupal:11.0.5-debian-12-r1
- name: os-shell
image: docker.io/bitnami/os-shell:12-debian-12-r31
licenses: Apache-2.0
apiVersion: v2
appVersion: 11.0.5
dependencies:
- condition: mariadb.enabled
name: mariadb
repository: oci://registry-1.docker.io/bitnamicharts
version: 19.x.x
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
tags:
- bitnami-common
version: 2.x.x
description: Drupal is one of the most versatile open source content management systems
in the world. It is pre-configured with the Ctools and Views modules, Drush and
Let's Encrypt auto-configuration support.
home: https://bitnami.com
icon: https://bitnami.com/assets/stacks/drupal/img/drupal-stack-220x234.png
keywords:
- drupal
- cms
- blog
- http
- web
- application
- php
maintainers:
- name: Broadcom, Inc. All Rights Reserved.
url: https://github.com/bitnami/charts
name: drupal
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/drupal
version: 20.0.10

586
charts/drupal/drupal/README.md Normal file
View File

@ -0,0 +1,586 @@
<!--- app-name: Drupal -->
# Bitnami package for Drupal
Drupal is one of the most versatile open source content management systems in the world. It is pre-configured with the Ctools and Views modules, Drush and Let's Encrypt auto-configuration support.
[Overview of Drupal](http://drupal.org)
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
## TL;DR
```console
helm install my-release oci://registry-1.docker.io/bitnamicharts/drupal
```
Looking to use Drupal in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog.
## Introduction
This chart bootstraps a [Drupal](https://github.com/bitnami/containers/tree/main/bitnami/drupal) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
It also packages the [Bitnami MariaDB chart](https://github.com/bitnami/charts/tree/main/bitnami/mariadb) which is required for bootstrapping a MariaDB deployment as a database for the Drupal application.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.23+
- Helm 3.8.0+
- PV provisioner support in the underlying infrastructure
- ReadWriteMany volumes for deployment scaling
## Installing the Chart
To install the chart with the release name `my-release`:
```console
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/drupal
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
The command deploys Drupal on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Configuration and installation details
### Resource requests and limits
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
### [Rolling VS Immutable tags](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Image
The `image` parameter allows specifying which image will be pulled for the chart.
#### Private registry
If you configure the `image` value to one in a private registry, you will need to [specify an image pull secret](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod).
1. Manually create image pull secret(s) in the namespace. See [this YAML example reference](https://kubernetes.io/docs/concepts/containers/images/#creating-a-secret-with-a-docker-config). Consult your image registry's documentation about getting the appropriate secret.
2. Note that the `imagePullSecrets` configuration value cannot currently be passed to helm using the `--set` parameter, so you must supply these using a `values.yaml` file, such as:
```yaml
imagePullSecrets:
- name: SECRET_NAME
```
3. Install the chart
### Setting Pod's affinity
This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters.
## Persistence
The [Bitnami Drupal](https://github.com/bitnami/containers/tree/main/bitnami/drupal) image stores the Drupal data and configurations at the `/bitnami/drupal` path of the container.
Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
### Existing PersistentVolumeClaim
1. Create the PersistentVolume
2. Create the PersistentVolumeClaim
3. Install the chart
```console
helm install my-release --set persistence.existingClaim=PVC_NAME oci://REGISTRY_NAME/REPOSITORY_NAME/drupal
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
### Host path
#### System compatibility
- The local filesystem accessibility to a container in a pod with `hostPath` has been tested on OSX/MacOS with xhyve, and Linux with VirtualBox.
- Windows has not been tested with the supported VM drivers. Minikube does however officially support [Mounting Host Folders](https://minikube.sigs.k8s.io/docs/handbook/mount/) per pod. Or you may manually sync your container whenever host files are changed with tools like [docker-sync](https://github.com/EugenMayer/docker-sync) or [docker-bg-sync](https://github.com/cweagans/docker-bg-sync).
#### Mounting steps
1. The specified `hostPath` directory must already exist (create one if it does not).
2. Install the chart
```console
helm install my-release --set persistence.hostPath=/PATH/TO/HOST/MOUNT oci://REGISTRY_NAME/REPOSITORY_NAME/drupal
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
This will mount the `drupal-data` volume into the `hostPath` directory. The site data will be persisted if the mount path contains valid data, else the site data will be initialized at first launch.
3. Because the container cannot control the host machine's directory permissions, you must set the Drupal file directory permissions yourself and disable or clear Drupal cache. See Drupal Core's [INSTALL.txt](https://cgit.drupalcode.org/drupal/tree/core/INSTALL.txt?h=8.3.x#n152) for setting file permissions, and see [Drupal handbook page](https://www.drupal.org/node/2598914) to disable the cache, or [Drush handbook](https://drushcommands.com/drush-8x/cache/cache-rebuild/) to clear cache.
## Parameters
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` |
| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
| Name | Description | Value |
| ------------------- | ---------------------------------------------------------------------------------------------------------- | ----- |
| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` |
| `nameOverride` | String to partially override drupal.fullname template (will maintain the release name) | `""` |
| `fullnameOverride` | String to fully override drupal.fullname template | `""` |
| `namespaceOverride` | String to fully override common.names.namespace | `""` |
| `commonAnnotations` | Common annotations to add to all Drupal resources (sub-charts are not considered). Evaluated as a template | `{}` |
| `commonLabels` | Common labels to add to all Drupal resources (sub-charts are not considered). Evaluated as a template | `{}` |
| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). | `[]` |
### Drupal parameters
| Name | Description | Value |
| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `image.registry` | Drupal image registry | `REGISTRY_NAME` |
| `image.repository` | Drupal Image name | `REPOSITORY_NAME/drupal` |
| `image.digest` | Drupal image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | Drupal image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `image.debug` | Specify if debug logs should be enabled | `false` |
| `replicaCount` | Number of Drupal Pods to run (requires ReadWriteMany PVC support) | `1` |
| `drupalProfile` | Drupal installation profile | `standard` |
| `drupalSkipInstall` | Skip Drupal installation wizard. Useful for migrations and restoring from SQL dump | `false` |
| `drupalUsername` | User of the application | `user` |
| `drupalPassword` | Application password | `""` |
| `drupalEmail` | Admin email | `user@example.com` |
| `allowEmptyPassword` | Allow DB blank passwords | `true` |
| `command` | Override default container command (useful when using custom images) | `[]` |
| `args` | Override default container args (useful when using custom images) | `[]` |
| `updateStrategy.type` | Update strategy - only really applicable for deployments with RWO PVs attached | `RollingUpdate` |
| `priorityClassName` | Drupal pods' priorityClassName | `""` |
| `schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `hostAliases` | Add deployment host aliases | `[]` |
| `extraEnvVars` | Extra environment variables | `[]` |
| `extraEnvVarsCM` | ConfigMap containing extra env vars | `""` |
| `extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `""` |
| `extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | `[]` |
| `extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `[]` |
| `initContainers` | Add additional init containers to the pod (evaluated as a template) | `[]` |
| `pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` |
| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` |
| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. | `""` |
| `sidecars` | Attach additional containers to the pod (evaluated as a template) | `[]` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| `serviceAccount.create` | Specifies whether a service account should be created | `true` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` |
| `serviceAccount.annotations` | Add annotations | `{}` |
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `false` |
| `existingSecret` | Name of a secret with the application password | `""` |
| `smtpHost` | SMTP host | `""` |
| `smtpPort` | SMTP port | `""` |
| `smtpUser` | SMTP user | `""` |
| `smtpPassword` | SMTP password | `""` |
| `smtpProtocol` | SMTP Protocol (options: ssl,tls, nil) | `""` |
| `containerPorts` | Container ports | `{}` |
| `extraContainerPorts` | Optionally specify extra list of additional ports for Drupal container(s) | `[]` |
| `sessionAffinity` | Control where client requests go, to the same pod or round-robin. Values: ClientIP or None | `None` |
| `persistence.enabled` | Enable persistence using PVC | `true` |
| `persistence.storageClass` | PVC Storage Class for Drupal volume | `""` |
| `persistence.accessModes` | PVC Access Mode for Drupal volume | `["ReadWriteOnce"]` |
| `persistence.size` | PVC Storage Request for Drupal volume | `8Gi` |
| `persistence.existingClaim` | A manually managed Persistent Volume Claim | `""` |
| `persistence.hostPath` | If defined, the drupal-data volume will mount to the specified hostPath. | `""` |
| `persistence.annotations` | Persistent Volume Claim annotations | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `affinity` | Affinity for pod assignment | `{}` |
| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` |
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `podSecurityContext.enabled` | Enable Drupal pods' Security Context | `true` |
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | Drupal pods' group ID | `1001` |
| `containerSecurityContext.enabled` | Enabled Drupal containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `containerSecurityContext.runAsUser` | Set Drupal containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsGroup` | Set Drupal containers' Security Context runAsGroup | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set Controller container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set Drupal container's Security Context privileged | `false` |
| `containerSecurityContext.allowPrivilegeEscalation` | Set Drupal container's Security Context allowPrivilegeEscalation | `false` |
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set Drupal container's Security Context readOnlyRootFilesystem | `true` |
| `startupProbe.enabled` | Enable startupProbe | `false` |
| `startupProbe.path` | Request path for startupProbe | `/user/login` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `600` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `600` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.path` | Request path for readinessProbe | `/user/login` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `customStartupProbe` | Override default startup probe | `{}` |
| `customLivenessProbe` | Override default liveness probe | `{}` |
| `customReadinessProbe` | Override default readiness probe | `{}` |
| `lifecycleHooks` | LifecycleHook to set additional configuration at startup Evaluated as a template | `{}` |
| `podAnnotations` | Pod annotations | `{}` |
| `podLabels` | Add additional labels to the pod (evaluated as a template) | `{}` |
### Traffic Exposure Parameters
| Name | Description | Value |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `service.type` | Kubernetes Service type | `LoadBalancer` |
| `service.ports.http` | Service HTTP port | `80` |
| `service.ports.https` | Service HTTPS port | `443` |
| `service.loadBalancerSourceRanges` | Restricts access for LoadBalancer (only with `service.type: LoadBalancer`) | `[]` |
| `service.loadBalancerIP` | loadBalancerIP for the Drupal Service (optional, cloud specific) | `""` |
| `service.nodePorts` | Kubernetes node port | `{}` |
| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `service.clusterIP` | %%MAIN_CONTAINER_NAME%% service Cluster IP | `""` |
| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `service.annotations` | Additional custom annotations for %%MAIN_CONTAINER_NAME%% service | `{}` |
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `ingress.enabled` | Enable ingress controller resource | `false` |
| `ingress.pathType` | Ingress Path type | `ImplementationSpecific` |
| `ingress.apiVersion` | Override API Version (automatically detected if not set) | `""` |
| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
| `ingress.hostname` | Default host for the ingress resource | `drupal.local` |
| `ingress.path` | The Path to Drupal. You may need to set this to '/*' in order to use this | `/` |
| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
| `ingress.tls` | Enable TLS configuration for the hostname defined at ingress.hostname parameter | `false` |
| `ingress.tlsWwwPrefix` | Adds www subdomain to default cert | `false` |
| `ingress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` |
| `ingress.extraPaths` | Any additional arbitrary paths that may need to be added to the ingress under the main host. | `[]` |
| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` |
| `ingress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` |
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
### Database parameters
| Name | Description | Value |
| ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
| `mariadb.enabled` | Whether to deploy a mariadb server to satisfy the applications database requirements | `true` |
| `mariadb.architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` |
| `mariadb.auth.rootPassword` | Password for the MariaDB `root` user | `""` |
| `mariadb.auth.database` | Database name to create | `bitnami_drupal` |
| `mariadb.auth.username` | Database user to create | `bn_drupal` |
| `mariadb.auth.password` | Password for the database | `""` |
| `mariadb.primary.persistence.enabled` | Enable database persistence using PVC | `true` |
| `mariadb.primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `""` |
| `mariadb.primary.persistence.accessModes` | Database Persistent Volume Access Modes | `["ReadWriteOnce"]` |
| `mariadb.primary.persistence.size` | Database Persistent Volume Size | `8Gi` |
| `mariadb.primary.persistence.hostPath` | Set path in case you want to use local host path volumes (not recommended in production) | `""` |
| `mariadb.primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `""` |
| `externalDatabase.host` | Host of the existing database | `""` |
| `externalDatabase.port` | Port of the existing database | `3306` |
| `externalDatabase.user` | Existing username in the external db | `bn_drupal` |
| `externalDatabase.password` | Password for the above username. Ignored if existing secret is provided | `""` |
| `externalDatabase.database` | Name of the existing database | `bitnami_drupal` |
| `externalDatabase.existingSecret` | Name of a secret with the database password. (externalDatabase.password will be ignored and picked up from this secret). The secret has to contain the key db-password | `""` |
### Volume Permissions parameters
| Name | Description | Value |
| ------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` |
| `volumePermissions.image.repository` | Init container volume-permissions image name | `REPOSITORY_NAME/os-shell` |
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
### Metrics parameters
| Name | Description | Value |
| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
| `metrics.enabled` | Start a exporter side-car | `false` |
| `metrics.image.registry` | Apache exporter image registry | `REGISTRY_NAME` |
| `metrics.image.repository` | Apache exporter image repository | `REPOSITORY_NAME/apache-exporter` |
| `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `metrics.podAnnotations` | Additional annotations for Metrics exporter pod | `{}` |
| `metrics.service.type` | Drupal exporter service type | `ClusterIP` |
| `metrics.service.ports.metrics` | Drupal exporter service port | `9117` |
| `metrics.service.externalTrafficPolicy` | Drupal exporter service external traffic policy | `Cluster` |
| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `metrics.service.loadBalancerIP` | Drupal exporter service Load Balancer IP | `""` |
| `metrics.service.loadBalancerSourceRanges` | Drupal exporter service Load Balancer sources | `[]` |
| `metrics.service.annotations` | Additional custom annotations for Drupal exporter service | `{}` |
| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` |
| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` |
| `metrics.serviceMonitor.interval` | The interval at which metrics should be scraped | `30s` |
| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` |
| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` |
| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` |
| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` |
| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` |
| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` |
| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` |
### Certificate injection parameters
| Name | Description | Value |
| ---------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ---------------------------------------- |
| `certificates.customCertificate.certificateSecret` | Secret containing the certificate and key to add | `""` |
| `certificates.customCertificate.chainSecret.name` | Name of the secret containing the certificate chain | `secret-name` |
| `certificates.customCertificate.chainSecret.key` | Key of the certificate chain file inside the secret | `secret-key` |
| `certificates.customCertificate.certificateLocation` | Location in the container to store the certificate | `/etc/ssl/certs/ssl-cert-snakeoil.pem` |
| `certificates.customCertificate.keyLocation` | Location in the container to store the private key | `/etc/ssl/private/ssl-cert-snakeoil.key` |
| `certificates.customCertificate.chainLocation` | Location in the container to store the certificate chain | `/etc/ssl/certs/mychain.pem` |
| `certificates.customCAs` | Defines a list of secrets to import into the container trust store | `[]` |
| `certificates.command` | Override default container command (useful when using custom images) | `[]` |
| `certificates.args` | Override default container args (useful when using custom images) | `[]` |
| `certificates.extraEnvVars` | Container sidecar extra environment variables (eg proxy) | `[]` |
| `certificates.extraEnvVarsCM` | ConfigMap containing extra env vars | `""` |
| `certificates.extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `""` |
| `certificates.image.registry` | Container sidecar registry | `REGISTRY_NAME` |
| `certificates.image.repository` | Container sidecar image | `REPOSITORY_NAME/os-shell` |
| `certificates.image.digest` | Container sidecar image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `certificates.image.pullPolicy` | Container sidecar image pull policy | `IfNotPresent` |
| `certificates.image.pullSecrets` | Container sidecar image pull secrets | `[]` |
### NetworkPolicy parameters
| Name | Description | Value |
| --------------------------------------- | --------------------------------------------------------------- | ------ |
| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
The above parameters map to the env variables defined in [bitnami/drupal](https://github.com/bitnami/containers/tree/main/bitnami/drupal). For more information please refer to the [bitnami/drupal](https://github.com/bitnami/containers/tree/main/bitnami/drupal) image documentation.
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
helm install my-release \
--set drupalUsername=admin,drupalPassword=password,mariadb.auth.rootPassword=secretpassword \
oci://REGISTRY_NAME/REPOSITORY_NAME/drupal
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
The above command sets the Drupal administrator account username and password to `admin` and `password` respectively. Additionally, it sets the MariaDB `root` user password to `secretpassword`.
> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
```console
helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/drupal
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/drupal/values.yaml)
## Troubleshooting
Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
## Upgrading
### To 19.0.0
This major release bumps the MariaDB version to 11.4. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-11-3-to-mariadb-11-4/) for upgrading from MariaDB 11.3 to 11.4. No major issues are expected during the upgrade.
### To 18.0.0
This major bump changes the following security defaults:
- `runAsGroup` is changed from `0` to `1001`
- `readOnlyRootFilesystem` is set to `true`
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
- The `networkPolicy` section has been normalized amongst all Bitnami charts. Compared to the previous approach, the values section has been simplified (check the Parameters section) and now it set to `enabled=true` by default. Egress traffic is allowed by default and ingress traffic is allowed by all pods but only to the ports set in `containerPorts` and `extraContainerPorts`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
Also, this major release bumps the MariaDB chart version to [18.x.x](https://github.com/bitnami/charts/pull/24804); no major issues are expected during the upgrade.
### To 17.0.0
This major release bumps the MariaDB version to 11.2. No major issues are expected during the upgrade.
### To 16.0.0
This major release bumps the MariaDB version to 11.1. No major issues are expected during the upgrade.
### To 15.0.0
This major release bumps the MariaDB version to 11.0. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-0/) for upgrading from MariaDB 10.11 to 11.0. No major issues are expected during the upgrade.
### To 14.0.0
This major release bumps the MariaDB version to 10.11. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for upgrading from MariaDB 10.6 to 10.11. No major issues are expected during the upgrade.
### To 12.0.0
This major release bumps the MariaDB version to 10.6. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/) for upgrading from MariaDB 10.5 to 10.6. No major issues are expected during the upgrade.
### To 11.0.0
This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository.
Affected values:
- `service.port` was deprecated, we recommend using `service.ports.http` instead.
- `service.httpsPort` was deprecated, we recommend using `service.ports.https` instead.
- `persistence.accessMode` has been deprecated, we recommend using `persistence.accessModes` instead.
Additionally also updates the MariaDB subchart to it newest major, 10.0.0, which contains similar changes.
### To 10.0.0
[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
#### What changes were introduced in this major version?
- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
- Move dependency information from the *requirements.yaml* to the *Chart.yaml*
- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock*
- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
#### Considerations when upgrading to this version
- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
#### Useful links
- <https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-resolve-helm2-helm3-post-migration-issues-index.html>
- <https://helm.sh/docs/topics/v2_v3_migration/>
- <https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/>
### To 9.0.0
MariaDB dependency version was bumped to a new major version that introduces several incompatilibites. Therefore, backwards compatibility is not guaranteed unless an external database is used. Check [MariaDB Upgrading Notes](https://github.com/bitnami/charts/tree/main/bitnami/mariadb#to-800) for more information.
To upgrade to `9.0.0`, you have two alternatives:
- Install a new Drupal chart, and migrate your Drupal site using backup/restore tools such as [Drupal Backup and Migrate](https://www.drupal.org/project/backup_migrate).
- Reuse the PVC used to hold the MariaDB data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is `drupal`):
> NOTE: Please, create a backup of your database before running any of those actions. The steps below would be only valid if your application (e.g. any plugins or custom code) is compatible with MariaDB 10.5.x
Obtain the credentials and the name of the PVC used to hold the MariaDB data on your current release:
```console
export DRUPAL_PASSWORD=$(kubectl get secret --namespace default drupal -o jsonpath="{.data.drupal-password}" | base64 -d)
export MARIADB_ROOT_PASSWORD=$(kubectl get secret --namespace default drupal-mariadb -o jsonpath="{.data.mariadb-root-password}" | base64 -d)
export MARIADB_PASSWORD=$(kubectl get secret --namespace default drupal-mariadb -o jsonpath="{.data.mariadb-password}" | base64 -d)
export MARIADB_PVC=$(kubectl get pvc -l app=mariadb,component=master,release=drupal -o jsonpath="{.items[0].metadata.name}")
```
Upgrade your release (maintaining the version) disabling MariaDB and scaling Drupal replicas to 0:
```console
helm upgrade drupal oci://REGISTRY_NAME/REPOSITORY_NAME/drupal --set drupalPassword=$DRUPAL_PASSWORD --set replicaCount=0 --set mariadb.enabled=false --version 8.2.1
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
Finally, upgrade you release to 9.0.0 reusing the existing PVC, and enabling back MariaDB:
```console
helm upgrade drupal oci://REGISTRY_NAME/REPOSITORY_NAME/drupal --set mariadb.primary.persistence.existingClaim=$MARIADB_PVC --set mariadb.auth.rootPassword=$MARIADB_ROOT_PASSWORD --set mariadb.auth.password=$MARIADB_PASSWORD --set drupalPassword=$DRUPAL_PASSWORD
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
You should see the lines below in MariaDB container logs:
```console
$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=drupal,app.kubernetes.io/name=mariadb,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}")
...
mariadb 12:13:24.98 INFO ==> Using persisted data
mariadb 12:13:25.01 INFO ==> Running mysql_upgrade
...
```
### To 8.0.0
The [Bitnami Drupal](https://github.com/bitnami/containers/tree/main/bitnami/drupal) image was migrated to a "non-root" user approach. Previously the container ran as the `root` user and the Apache daemon was started as the `daemon` user. From now on, both the container and the Apache daemon run as user `1001`. You can revert this behavior by setting the parameters `containerSecurityContext.runAsUser` to `root`.
Consequences:
- The HTTP/HTTPS ports exposed by the container are now `8080/8443` instead of `80/443`.
- Backwards compatibility is not guaranteed.
To upgrade to `8.0.0`, backup Drupal data and the previous MariaDB databases, install a new Drupal chart and import the backups and data, ensuring the `1001` user has the appropriate permissions on the migrated volume.
This upgrade also adapts the chart to the latest Bitnami good practices. Check the Parameters section for more information.
### To 6.0.0
Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec.
In <https://github.com/helm/charts/pull/17295> the `apiVersion` of the deployment resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage.
This major version signifies this change.
### To 2.0.0
Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
Use the workaround below to upgrade from versions previous to 2.0.0. The following example assumes that the release name is drupal:
```console
kubectl patch deployment drupal-drupal --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]'
kubectl delete statefulset drupal-mariadb --cascade=false
```
## License
Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
<http://www.apache.org/licenses/LICENSE-2.0>
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

88
charts/drupal/drupal/templates/NOTES.txt Normal file
View File

@ -0,0 +1,88 @@
CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
{{- if or .Values.mariadb.enabled .Values.externalDatabase.host -}}
** Please be patient while the chart is being deployed **
1. Get the Drupal URL:
{{- if .Values.ingress.enabled }}
You should be able to access your new Drupal installation through
http://{{- .Values.ingress.hostname }}/
{{- else if eq .Values.service.type "LoadBalancer" }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -w {{ include "common.names.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ include "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
{{- $port:=(coalesce .Values.service.ports.http .Values.service.port) | toString }}
echo "Drupal URL: http://$SERVICE_IP{{- if ne $port "80" }}:{{ coalesce .Values.service.ports.http .Values.service.port }}{{ end }}/"
{{- else if eq .Values.service.type "ClusterIP" }}
echo "Drupal URL: http://127.0.0.1:8080/"
kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ include "common.names.fullname" . }} 8080:{{ coalesce .Values.service.ports.http .Values.service.port }}
{{- end }}
{{- if eq .Values.service.type "NodePort" }}
Or running:
export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo "Drupal URL: http://$NODE_IP:$NODE_PORT/"
{{- end }}
2. Get your Drupal login credentials by running:
echo Username: {{ .Values.drupalUsername }}
echo Password: $(kubectl get secret --namespace {{ include "common.names.namespace" . }} {{ template "drupal.secretName" . }} -o jsonpath="{.data.drupal-password}" | base64 -d)
{{- else -}}
########################################################################################
### ERROR: You did not provide an external database host in your 'helm install' call ###
########################################################################################
This deployment will be incomplete until you configure Drupal with a resolvable database
host. To configure Drupal to use and external database host:
1. Complete your Drupal deployment by running:
export APP_PASSWORD=$(kubectl get secret --namespace {{ include "common.names.namespace" . }} {{ template "drupal.secretName" . }} -o jsonpath="{.data.drupal-password}" | base64 -d)
## PLEASE UPDATE THE EXTERNAL DATABASE CONNECTION PARAMETERS IN THE FOLLOWING COMMAND AS NEEDED ##
helm upgrade --namespace {{ include "common.names.namespace" . }} {{ .Release.Name }} oci://registry-1.docker.io/bitnamicharts/{{ .Chart.Name }} \
--set drupalPassword=$APP_PASSWORD,service.type={{ .Values.service.type }},mariadb.enabled=false{{- if not (empty .Values.externalDatabase.user) }},externalDatabase.user={{ .Values.externalDatabase.user }}{{- end }}{{- if not (empty .Values.externalDatabase.password) }},externalDatabase.password={{ .Values.externalDatabase.password }}{{- end }}{{- if not (empty .Values.externalDatabase.database) }},externalDatabase.database={{ .Values.externalDatabase.database }}{{- end }},externalDatabase.host=YOUR_EXTERNAL_DATABASE_HOST{{- if .Values.global }}{{- if .Values.global.imagePullSecrets }},global.imagePullSecrets={{ .Values.global.imagePullSecrets }}{{- end }}{{- end }}
{{- end }}
{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "common.warnings.rollingTag" .Values.metrics.image }}
{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
{{- include "common.warnings.rollingTag" .Values.certificates.image }}
{{- $passwordValidationErrors := list -}}
{{- if not .Values.existingSecret -}}
{{- $secretName := include "drupal.secretName" . -}}
{{- $requiredDrupalPassword := dict "valueKey" "drupalPassword" "secret" $secretName "field" "drupal-password" "context" $ -}}
{{- $requiredDrupalPasswordError := include "common.validations.values.single.empty" $requiredDrupalPassword -}}
{{- $passwordValidationErrors = append $passwordValidationErrors $requiredDrupalPasswordError -}}
{{- end -}}
{{- $mariadbSecretName := include "drupal.databaseSecretName" . -}}
{{- $mariadbPasswordValidationErrors := include "common.validations.values.mariadb.passwords" (dict "secret" $mariadbSecretName "subchart" true "context" $) -}}
{{- $passwordValidationErrors = append $passwordValidationErrors $mariadbPasswordValidationErrors -}}
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $) -}}
{{- include "common.warnings.resources" (dict "sections" (list "metrics" "" "volumePermissions") "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image .Values.certificates.image) "context" $) }}

144
charts/drupal/drupal/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,144 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "drupal.mariadb.fullname" -}}
{{- printf "%s-%s" .Release.Name "mariadb" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the proper certificate image name
*/}}
{{- define "certificates.image" -}}
{{- include "common.images.image" ( dict "imageRoot" .Values.certificates.image "global" .Values.global ) -}}
{{- end -}}
{{/*
Return the proper Drupal image name
*/}}
{{- define "drupal.image" -}}
{{- include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) -}}
{{- end -}}
{{/*
Return the proper image name (for the metrics image)
*/}}
{{- define "drupal.metrics.image" -}}
{{- include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) -}}
{{- end -}}
{{/*
Return the proper image name (for the init container volume-permissions image)
*/}}
{{- define "drupal.volumePermissions.image" -}}
{{- include "common.images.image" ( dict "imageRoot" .Values.volumePermissions.image "global" .Values.global ) -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "drupal.imagePullSecrets" -}}
{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image .Values.certificates.image) "global" .Values.global) -}}
{{- end -}}
{{/*
Return the proper Storage Class
*/}}
{{- define "drupal.storageClass" -}}
{{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) -}}
{{- end -}}
{{/*
Drupal credential secret name
*/}}
{{- define "drupal.secretName" -}}
{{- coalesce .Values.existingSecret (include "common.names.fullname" .) -}}
{{- end -}}
{{/*
Return the MariaDB Hostname
*/}}
{{- define "drupal.databaseHost" -}}
{{- if .Values.mariadb.enabled }}
{{- if eq .Values.mariadb.architecture "replication" }}
{{- printf "%s-%s" (include "drupal.mariadb.fullname" .) "primary" | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s" (include "drupal.mariadb.fullname" .) -}}
{{- end -}}
{{- else -}}
{{- printf "%s" .Values.externalDatabase.host -}}
{{- end -}}
{{- end -}}
{{/*
Return the MariaDB Port
*/}}
{{- define "drupal.databasePort" -}}
{{- if .Values.mariadb.enabled }}
{{- printf "3306" -}}
{{- else -}}
{{- printf "%d" (.Values.externalDatabase.port | int ) -}}
{{- end -}}
{{- end -}}
{{/*
Return the MariaDB Database Name
*/}}
{{- define "drupal.databaseName" -}}
{{- if .Values.mariadb.enabled }}
{{- printf "%s" .Values.mariadb.auth.database -}}
{{- else -}}
{{- printf "%s" .Values.externalDatabase.database -}}
{{- end -}}
{{- end -}}
{{/*
Return the MariaDB User
*/}}
{{- define "drupal.databaseUser" -}}
{{- if .Values.mariadb.enabled }}
{{- printf "%s" .Values.mariadb.auth.username -}}
{{- else -}}
{{- printf "%s" .Values.externalDatabase.user -}}
{{- end -}}
{{- end -}}
{{/*
Return the MariaDB Secret Name
*/}}
{{- define "drupal.databaseSecretName" -}}
{{- if .Values.mariadb.enabled }}
{{- printf "%s" (include "drupal.mariadb.fullname" .) -}}
{{- else if .Values.externalDatabase.existingSecret -}}
{{- printf "%s" .Values.externalDatabase.existingSecret -}}
{{- else -}}
{{- printf "%s-%s" (include "common.names.fullname" .) "externaldb" -}}
{{- end -}}
{{- end -}}
{{/*
Return the database password key
*/}}
{{- define "drupal.databasePasswordKey" -}}
{{- if .Values.mariadb.enabled -}}
mariadb-password
{{- else -}}
db-password
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "drupal.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}

384
charts/drupal/drupal/templates/deployment.yaml Normal file
View File

@ -0,0 +1,384 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
{{- if .Values.updateStrategy }}
strategy: {{- toYaml .Values.updateStrategy | nindent 4 }}
{{- end }}
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
{{- if or .Values.podAnnotations (and .Values.metrics.enabled .Values.metrics.podAnnotations) }}
annotations:
{{- if .Values.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.podAnnotations "context" $) | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- include "drupal.imagePullSecrets" . | nindent 6 }}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
serviceAccountName: {{ include "drupal.serviceAccountName" . }}
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }}
{{- end }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- if .Values.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
{{- if .Values.hostAliases }}
# yamllint disable rule:indentation
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
# yamllint enable rule:indentation
{{- end }}
initContainers:
- name: prepare-base-dir
image: {{ include "drupal.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
command:
- /bin/bash
args:
- -ec
- |
#!/bin/bash
. /opt/bitnami/scripts/liblog.sh
. /opt/bitnami/scripts/libfs.sh
info "Copying base dir to empty dir"
# In order to not break the application functionality (such as upgrades or plugins) we need
# to make the base directory writable, so we need to copy it to an empty dir volume
cp -r --preserve=mode /opt/bitnami/drupal /emptydir/app-base-dir
info "Copying symlinks to stdout/stderr"
# We copy the logs folder because it has symlinks to stdout and stderr
if ! is_dir_empty /opt/bitnami/apache/logs; then
cp -r /opt/bitnami/apache/logs /emptydir/apache-logs-dir
fi
info "Copy operation completed"
volumeMounts:
- name: empty-dir
mountPath: /emptydir
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
- name: volume-permissions
image: {{ include "drupal.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
command:
- sh
- -c
- |
mkdir -p "/bitnami/drupal"
chown -R "{{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}" "/bitnami/drupal"
securityContext:
runAsUser: 0
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: drupal-data
mountPath: /bitnami/drupal
{{- end }}
{{- if .Values.certificates.customCAs }}
- name: certificates
image: {{ template "certificates.image" . }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.certificates.image.pullPolicy }}
imagePullSecrets:
{{- range (default .Values.image.pullSecrets .Values.certificates.image.pullSecrets) }}
- name: {{ . }}
{{- end }}
command:
{{- if .Values.certificates.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.certificates.command "context" $) | nindent 12 }}
{{- else if .Values.certificates.customCertificate.certificateSecret }}
- sh
- -c
- install_packages ca-certificates openssl
{{- else }}
- sh
- -c
- install_packages ca-certificates openssl
&& openssl req -new -x509 -days 3650 -nodes -sha256
-subj "/CN=$(hostname)" -addext "subjectAltName = DNS:$(hostname)"
-out /etc/ssl/certs/ssl-cert-snakeoil.pem
-keyout /etc/ssl/private/ssl-cert-snakeoil.key -extensions v3_req
{{- end }}
{{- if .Values.certificates.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.certificates.args "context" $) | nindent 12 }}
{{- end }}
env: {{- include "common.tplvalues.render" (dict "value" .Values.certificates.extraEnvVars "context" $) | nindent 12 }}
envFrom:
{{- if .Values.certificates.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.certificates.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.certificates.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.certificates.extraEnvVarsSecret "context" $) }}
{{- end }}
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
readOnly: false
- name: etc-ssl-private
mountPath: /etc/ssl/private
readOnly: false
- name: custom-ca-certificates
mountPath: /usr/local/share/ca-certificates
readOnly: true
{{- end }}
{{- if .Values.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: {{ include "common.names.fullname" . }}
image: {{ template "drupal.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
- name: ALLOW_EMPTY_PASSWORD
value: {{ ternary "yes" "no" .Values.allowEmptyPassword | quote }}
- name: APACHE_HTTP_PORT_NUMBER
value: {{ .Values.containerPorts.http | quote }}
- name: APACHE_HTTPS_PORT_NUMBER
value: {{ .Values.containerPorts.https | quote }}
- name: DRUPAL_DATABASE_HOST
value: {{ include "drupal.databaseHost" . | quote }}
- name: DRUPAL_DATABASE_PORT_NUMBER
value: {{ include "drupal.databasePort" . | quote }}
- name: DRUPAL_DATABASE_NAME
value: {{ include "drupal.databaseName" . | quote }}
- name: DRUPAL_DATABASE_USER
value: {{ include "drupal.databaseUser" . | quote }}
- name: DRUPAL_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "drupal.databaseSecretName" . }}
key: {{ include "drupal.databasePasswordKey" . | quote }}
- name: DRUPAL_SKIP_BOOTSTRAP
value: {{ ternary "yes" "no" .Values.drupalSkipInstall | quote }}
- name: DRUPAL_PROFILE
value: {{ .Values.drupalProfile | quote }}
- name: DRUPAL_USERNAME
value: {{ .Values.drupalUsername | quote }}
- name: DRUPAL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "drupal.secretName" . }}
key: drupal-password
- name: DRUPAL_EMAIL
value: {{ .Values.drupalEmail | quote }}
{{- if .Values.smtpHost }}
- name: SMTP_HOST
value: {{ .Values.smtpHost | quote }}
{{- end }}
{{- if .Values.smtpPort }}
- name: SMTP_PORT
value: {{ .Values.smtpPort | quote }}
{{- end }}
{{- if .Values.smtpUser }}
- name: SMTP_USER
value: {{ .Values.smtpUser | quote }}
{{- end }}
{{- if .Values.smtpPassword }}
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "drupal.secretName" . }}
key: smtp-password
{{- end }}
{{- if .Values.smtpProtocol }}
- name: SMTP_PROTOCOL
value: {{ .Values.smtpProtocol | quote }}
{{- end }}
{{- if .Values.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.containerPorts.http }}
- name: https
containerPort: {{ .Values.containerPorts.https }}
{{- if .Values.extraContainerPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraContainerPorts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.startupProbe.enabled }}
startupProbe:
httpGet:
path: {{ .Values.startupProbe.path }}
port: http
initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
successThreshold: {{ .Values.startupProbe.successThreshold }}
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
{{- end }}
{{- if .Values.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.livenessProbe.enabled }}
livenessProbe:
tcpSocket:
port: http
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: {{ .Values.readinessProbe.path }}
port: http
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- end }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /opt/bitnami/apache/conf
subPath: apache-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/apache/logs
subPath: apache-logs-dir
- name: empty-dir
mountPath: /opt/bitnami/apache/var/run
subPath: apache-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/php/etc
subPath: php-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/php/tmp
subPath: php-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/php/var
subPath: php-var-dir
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/drupal
subPath: app-base-dir
- name: drupal-data
mountPath: /bitnami/drupal
{{- if .Values.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ template "drupal.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
command: [ '/bin/apache_exporter', '--scrape_uri', 'http://status.localhost:{{ .Values.containerPorts.http }}/server-status/?auto' ]
ports:
- name: metrics
containerPort: 9117
livenessProbe:
httpGet:
path: /metrics
port: metrics
initialDelaySeconds: 15
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /metrics
port: metrics
initialDelaySeconds: 5
timeoutSeconds: 1
{{- if .Values.metrics.resourcesPreset }}
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- else if ne .Values.metrics.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
- name: drupal-data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (printf "%s-drupal" (include "common.names.fullname" .)) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
{{- end }}

19
charts/drupal/drupal/templates/externaldb-secrets.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (not .Values.mariadb.enabled) (not .Values.externalDatabase.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-externaldb" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
db-password: {{ default "" .Values.externalDatabase.password | b64enc | quote }}
{{- end }}

9
charts/drupal/drupal/templates/extra-list.yaml Normal file
View File

@ -0,0 +1,9 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}

66
charts/drupal/drupal/templates/ingress.yaml Normal file
View File

@ -0,0 +1,66 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.ingress.enabled }}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
annotations:
{{- if .Values.ingress.certManager }}
kubernetes.io/tls-acme: "true"
{{- end }}
{{- if or .Values.ingress.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }}
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
{{- end }}
rules:
{{- if .Values.ingress.hostname }}
- host: {{ .Values.ingress.hostname }}
http:
paths:
- path: {{ .Values.ingress.path }}
{{- if eq "true" (include "common.ingress.supportsPathType" .) }}
pathType: {{ .Values.ingress.pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "http" "context" $) | nindent 14 }}
{{- if .Values.ingress.extraPaths }}
{{- toYaml .Values.ingress.extraPaths | nindent 10 }}
{{- end }}
{{- end }}
{{- range (coalesce .Values.ingress.extraHosts .Values.ingress.hosts) }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default "/" .path }}
{{- if eq "true" (include "common.ingress.supportsPathType" $) }}
pathType: {{ default "ImplementationSpecific" .pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.ingress.extraRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }}
{{- end }}
{{- if or .Values.ingress.tls .Values.ingress.extraTls }}
tls:
{{- if .Values.ingress.tls }}
- hosts:
- {{ .Values.ingress.hostname | quote }}
{{- if and (or (.Values.ingress.tlsWwwPrefix) (eq (index .Values.ingress.annotations "nginx.ingress.kubernetes.io/from-to-www-redirect") "true" )) (not (contains "www." .Values.ingress.hostname)) }}
- {{ printf "www.%s" (tpl .Values.ingress.hostname $) | quote }}
{{- end }}
secretName: {{ printf "%s-tls" .Values.ingress.hostname }}
{{- end }}
{{- if .Values.ingress.extraTls }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

39
charts/drupal/drupal/templates/metrics-svc.yaml Normal file
View File

@ -0,0 +1,39 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-metrics" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if or .Values.metrics.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.metrics.service.type }}
{{- if eq .Values.metrics.service.type "LoadBalancer" }}
externalTrafficPolicy: {{ .Values.metrics.service.externalTrafficPolicy }}
{{- end }}
{{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }}
{{- end }}
{{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{- toYaml .Values.metrics.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
ports:
- name: metrics
port: {{ .Values.metrics.service.ports.metrics }}
protocol: TCP
targetPort: metrics
{{- if .Values.metrics.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
{{- end }}

80
charts/drupal/drupal/templates/networkpolicy.yaml Normal file
View File

@ -0,0 +1,80 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
policyTypes:
- Ingress
- Egress
{{- if .Values.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow outbound connections to MariaDB
- ports:
- port: {{ include "drupal.databasePort" . }}
{{- if .Values.mariadb.enabled }}
to:
- podSelector:
matchLabels:
app.kubernetes.io/name: mariadb
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- if .Values.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.containerPorts.http }}
- port: {{ .Values.containerPorts.https }}
{{- range .Values.extraContainerPorts }}
- port: {{ . }}
{{- end }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}

26
charts/drupal/drupal/templates/pdb.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.pdb.create }}
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.pdb.minAvailable }}
minAvailable: {{ .Values.pdb.minAvailable }}
{{- end }}
{{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }}
maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.podLabels .Values.commonLabels) "context" .) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
{{- end }}

23
charts/drupal/drupal/templates/prometheusrule.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.metrics.prometheusRule.additionalLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
groups:
- name: {{ include "common.names.fullname" . }}
rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }}
{{- end }}

23
charts/drupal/drupal/templates/pv.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.persistence.enabled .Values.persistence.hostPath (not .Values.persistence.existingClaim) -}}
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ printf "%s-drupal" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
capacity:
storage: {{ .Values.persistence.size | quote }}
hostPath:
path: {{ .Values.persistence.hostPath | quote }}
{{- end -}}

33
charts/drupal/drupal/templates/pvc.yaml Normal file
View File

@ -0,0 +1,33 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ printf "%s-drupal" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if or .Values.persistence.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.persistence.hostPath }}
storageClassName: ""
{{- end }}
accessModes:
{{- if not (empty .Values.persistence.accessModes) }}
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
{{- else }}
- {{ .Values.persistence.accessMode | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- include "drupal.storageClass" . | nindent 2 }}
{{- end -}}

26
charts/drupal/drupal/templates/secrets.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if .Values.drupalPassword }}
drupal-password: {{ default "" .Values.drupalPassword | b64enc | quote }}
{{- else }}
drupal-password: {{ randAlphaNum 10 | b64enc | quote }}
{{- end }}
{{- if .Values.smtpPassword }}
smtp-password: {{ .Values.smtpPassword | b64enc | quote }}
{{- end }}
{{- end }}

18
charts/drupal/drupal/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "drupal.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}

43
charts/drupal/drupal/templates/servicemonitor.yaml Normal file
View File

@ -0,0 +1,43 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
endpoints:
- port: metrics
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabellings }}
relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabellings | nindent 6 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: metrics
{{- end }}

57
charts/drupal/drupal/templates/svc.yaml Normal file
View File

@ -0,0 +1,57 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if or .Values.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if .Values.service.sessionAffinity }}
sessionAffinity: {{ .Values.service.sessionAffinity }}
{{- end }}
{{- if .Values.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
{{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
{{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
{{- end }}
ports:
- name: http
port: {{ coalesce .Values.service.ports.http .Values.service.port }}
targetPort: http
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.http)) }}
nodePort: {{ .Values.service.nodePorts.http }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
- name: https
port: {{ coalesce .Values.service.ports.https .Values.service.httpsPort }}
targetPort: https
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.https)) }}
nodePort: {{ .Values.service.nodePorts.https }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if .Values.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}

22
charts/drupal/drupal/templates/tls-secrets.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.secrets }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .name }}
namespace: {{ include "common.names.namespace" $ | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }}
{{- if $.Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ .certificate | b64enc }}
tls.key: {{ .key | b64enc }}
{{- end }}
{{- end }}

233
charts/drupal/drupal/values.schema.json Normal file
View File

@ -0,0 +1,233 @@
{
"$schema": "http://json-schema.org/schema#",
"type": "object",
"properties": {
"drupalUsername": {
"type": "string",
"title": "Username",
"form": true
},
"drupalPassword": {
"type": "string",
"title": "Password",
"form": true,
"description": "Defaults to a random 10-character alphanumeric string if not set"
},
"drupalEmail": {
"type": "string",
"title": "Admin email",
"form": true
},
"persistence": {
"type": "object",
"properties": {
"drupal": {
"type": "object",
"properties": {
"size": {
"type": "string",
"title": "Persistent Volume Size",
"form": true,
"render": "slider",
"sliderMin": 1,
"sliderMax": 100,
"sliderUnit": "Gi"
}
}
}
}
},
"ingress": {
"type": "object",
"form": true,
"title": "Ingress Configuration",
"properties": {
"enabled": {
"type": "boolean",
"form": true,
"title": "Use a custom hostname",
"description": "Enable the ingress resource that allows you to access the Drupal installation."
},
"hostname": {
"type": "string",
"form": true,
"title": "Hostname",
"hidden": {
"value": false,
"path": "ingress/enabled"
}
}
}
},
"service": {
"type": "object",
"form": true,
"title": "Service Configuration",
"properties": {
"type": {
"type": "string",
"form": true,
"title": "Service Type",
"description": "Allowed values: \"ClusterIP\", \"NodePort\" and \"LoadBalancer\""
}
}
},
"mariadb": {
"type": "object",
"title": "MariaDB Details",
"form": true,
"properties": {
"enabled": {
"type": "boolean",
"title": "Use a new MariaDB database hosted in the cluster",
"form": true,
"description": "Whether to deploy a mariadb server to satisfy the applications database requirements. To use an external database switch this off and configure the external database details"
},
"primary": {
"type": "object",
"properties": {
"persistence": {
"type": "object",
"properties": {
"size": {
"type": "string",
"title": "Volume Size",
"form": true,
"hidden": {
"value": false,
"path": "mariadb/enabled"
},
"render": "slider",
"sliderMin": 1,
"sliderMax": 100,
"sliderUnit": "Gi"
}
}
}
}
}
}
},
"externalDatabase": {
"type": "object",
"title": "External Database Details",
"description": "If MariaDB is disabled. Use this section to specify the external database details",
"form": true,
"hidden": "mariadb/enabled",
"properties": {
"host": {
"type": "string",
"form": true,
"title": "Database Host"
},
"user": {
"type": "string",
"form": true,
"title": "Database Username"
},
"password": {
"type": "string",
"form": true,
"title": "Database Password"
},
"database": {
"type": "string",
"form": true,
"title": "Database Name"
},
"port": {
"type": "integer",
"form": true,
"title": "Database Port"
}
}
},
"resources": {
"type": "object",
"title": "Requested Resources",
"description": "Configure resource requests",
"form": true,
"properties": {
"requests": {
"type": "object",
"properties": {
"memory": {
"type": "string",
"form": true,
"render": "slider",
"title": "Memory Request",
"sliderMin": 10,
"sliderMax": 2048,
"sliderUnit": "Mi"
},
"cpu": {
"type": "string",
"form": true,
"render": "slider",
"title": "CPU Request",
"sliderMin": 10,
"sliderMax": 2000,
"sliderUnit": "m"
}
}
}
}
},
"metrics": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"title": "Enable Metrics",
"description": "Prometheus Exporter / Metrics",
"form": true
},
"serviceMonitor": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"title": "Create Prometheus Operator ServiceMonitor",
"description": "Create a ServiceMonitor to track metrics using Prometheus Operator",
"form": true,
"hidden": {
"value": false,
"path": "metrics/enabled"
}
}
}
}
}
},
"serviceAccount": {
"type": "object",
"properties": {
"drupal": {
"type": "object",
"properties": {
"create": {
"type": "string",
"title": "Specifies whether a service account should be created",
"form": true
},
"name": {
"type": "string",
"title": "The name of the service account to use",
"form": true
},
"annotations": {
"type": "string",
"title": "Add annotations",
"form": true
},
"automountServiceAccountToken": {
"type": "string",
"title": "Automount API credentials for a service account",
"form": true
}
}
}
}
}
}
}

982
charts/drupal/drupal/values.yaml Normal file
View File

@ -0,0 +1,982 @@
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
##
global:
imageRegistry: ""
## E.g.
## imagePullSecrets:
## - myRegistryKeySecretName
##
imagePullSecrets: []
defaultStorageClass: ""
storageClass: ""
## Compatibility adaptations for Kubernetes platforms
##
compatibility:
## Compatibility adaptations for Openshift
##
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: auto
## @section Common parameters
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param nameOverride String to partially override drupal.fullname template (will maintain the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override drupal.fullname template
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param commonAnnotations Common annotations to add to all Drupal resources (sub-charts are not considered). Evaluated as a template
##
commonAnnotations: {}
## @param commonLabels Common labels to add to all Drupal resources (sub-charts are not considered). Evaluated as a template
##
commonLabels: {}
## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template).
##
extraDeploy: []
## @section Drupal parameters
## Bitnami Drupal image version
## ref: https://hub.docker.com/r/bitnami/drupal/tags/
## @param image.registry [default: REGISTRY_NAME] Drupal image registry
## @param image.repository [default: REPOSITORY_NAME/drupal] Drupal Image name
## @skip image.tag Drupal Image tag
## @param image.digest Drupal image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy Drupal image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
## @param image.debug Specify if debug logs should be enabled
##
image:
registry: docker.io
repository: bitnami/drupal
tag: 11.0.5-debian-12-r1
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## e.g:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Set to true if you would like to see extra information on logs
##
debug: false
## @param replicaCount Number of Drupal Pods to run (requires ReadWriteMany PVC support)
##
replicaCount: 1
## @param drupalProfile Drupal installation profile
## ref: https://github.com/bitnami/containers/tree/main/bitnami/drupal#configuration
##
drupalProfile: standard
## @param drupalSkipInstall Skip Drupal installation wizard. Useful for migrations and restoring from SQL dump
## ref: https://github.com/bitnami/containers/tree/main/bitnami/drupal#configuration
##
drupalSkipInstall: false
## @param drupalUsername User of the application
## ref: https://github.com/bitnami/containers/tree/main/bitnami/drupal#configuration
##
drupalUsername: user
## @param drupalPassword Application password
## Defaults to a random 10-character alphanumeric string if not set
## ref: https://github.com/bitnami/containers/tree/main/bitnami/drupal#configuration
##
drupalPassword: ""
## @param drupalEmail Admin email
## ref: https://github.com/bitnami/containers/tree/main/bitnami/drupal#configuration
##
drupalEmail: user@example.com
## @param allowEmptyPassword Allow DB blank passwords
## ref: https://github.com/bitnami/containers/tree/main/bitnami/drupal#environment-variables
##
allowEmptyPassword: true
## @param command Override default container command (useful when using custom images)
##
command: []
## @param args Override default container args (useful when using custom images)
##
args: []
## @param updateStrategy.type Update strategy - only really applicable for deployments with RWO PVs attached
## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will
## terminate the single previous pod, so that the new, incoming pod can attach to the PV
##
updateStrategy:
type: RollingUpdate
## @param priorityClassName Drupal pods' priorityClassName
##
priorityClassName: ""
## @param schedulerName Name of the k8s scheduler (other than default)
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment
## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
## The value is evaluated as a template
##
topologySpreadConstraints: []
## @param automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
## @param hostAliases [array] Add deployment host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases:
## Necessary for apache-exporter to work
##
- ip: "127.0.0.1"
hostnames:
- "status.localhost"
## @param extraEnvVars Extra environment variables
## For example:
##
extraEnvVars: []
# - name: BEARER_AUTH
# value: true
## @param extraEnvVarsCM ConfigMap containing extra env vars
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data)
##
extraEnvVarsSecret: ""
## @param extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts`
##
extraVolumes: []
## @param extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`.
##
extraVolumeMounts: []
## @param initContainers Add additional init containers to the pod (evaluated as a template)
##
initContainers: []
## Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
## @param pdb.create Enable/disable a Pod Disruption Budget creation
## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
##
pdb:
create: true
minAvailable: ""
maxUnavailable: ""
## @param sidecars Attach additional containers to the pod (evaluated as a template)
##
sidecars: []
## @param tolerations Tolerations for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
serviceAccount:
## @param serviceAccount.create Specifies whether a service account should be created
##
create: true
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template
##
name: ""
## @param serviceAccount.annotations Add annotations
##
annotations: {}
## @param serviceAccount.automountServiceAccountToken Automount API credentials for a service account.
##
automountServiceAccountToken: false
## @param existingSecret Name of a secret with the application password
##
existingSecret: ""
## SMTP mail delivery configuration
## ref: https://github.com/bitnami/containers/tree/main/bitnami/drupal/#smtp-configuration
## @param smtpHost SMTP host
## @param smtpPort SMTP port
## @param smtpUser SMTP user
## @param smtpPassword SMTP password
## @param smtpProtocol SMTP Protocol (options: ssl,tls, nil)
##
smtpHost: ""
smtpPort: ""
smtpUser: ""
smtpPassword: ""
smtpProtocol: ""
## @param containerPorts [object] Container ports
##
containerPorts:
http: 8080
https: 8443
## @param extraContainerPorts Optionally specify extra list of additional ports for Drupal container(s)
## e.g:
## extraContainerPorts:
## - name: myservice
## containerPort: 9090
##
extraContainerPorts: []
## @param sessionAffinity Control where client requests go, to the same pod or round-robin. Values: ClientIP or None
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
##
sessionAffinity: "None"
## Enable persistence using Persistent Volume Claims
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
##
persistence:
## @param persistence.enabled Enable persistence using PVC
##
enabled: true
## @param persistence.storageClass PVC Storage Class for Drupal volume
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
storageClass: ""
## @param persistence.accessModes PVC Access Mode for Drupal volume
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
##
accessModes:
- ReadWriteOnce
## @param persistence.size PVC Storage Request for Drupal volume
##
size: 8Gi
## @param persistence.existingClaim A manually managed Persistent Volume Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
##
existingClaim: ""
## @param persistence.hostPath If defined, the drupal-data volume will mount to the specified hostPath.
## Requires persistence.enabled: true
## Requires persistence.existingClaim: nil|false
## Default: nil.
##
hostPath: ""
## @param persistence.annotations Persistent Volume Claim annotations
##
annotations: {}
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set.
## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
##
nodeAffinityPreset:
type: ""
## E.g.
## key: "kubernetes.io/e2e-az-name"
##
key: ""
## E.g.
## values:
## - e2e-az1
## - e2e-az2
##
values: []
## @param affinity Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
##
affinity: {}
## @param nodeSelector Node labels for pod assignment. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## Drupal container's resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "micro"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enable Drupal pods' Security Context
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Drupal pods' group ID
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context (only main container)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param containerSecurityContext.enabled Enabled Drupal containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set Drupal containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set Drupal containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set Drupal container's Security Context privileged
## @param containerSecurityContext.allowPrivilegeEscalation Set Drupal container's Security Context allowPrivilegeEscalation
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
## @param containerSecurityContext.readOnlyRootFilesystem Set Drupal container's Security Context readOnlyRootFilesystem
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## Configure extra options for startup probe
## Drupal core exposes /user/login to unauthenticated requests, making it a good
## default startup and readiness path. However, that may not always be the
## case. For example, if the image value is overridden to an image containing a
## module that alters that route, or an image that does not auto-install Drupal.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param startupProbe.enabled Enable startupProbe
## @param startupProbe.path Request path for startupProbe
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold for startupProbe
## @param startupProbe.successThreshold Success threshold for startupProbe
##
startupProbe:
enabled: false
path: /user/login
initialDelaySeconds: 600
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
successThreshold: 1
## Configure extra options for liveness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param livenessProbe.enabled Enable livenessProbe
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
enabled: true
initialDelaySeconds: 600
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
successThreshold: 1
## Configure extra options for readiness probe
## Drupal core exposes /user/login to unauthenticated requests, making it a good
## default startup and readiness path. However, that may not always be the
## case. For example, if the image value is overridden to an image containing a
## module that alters that route, or an image that does not auto-install Drupal.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param readinessProbe.enabled Enable readinessProbe
## @param readinessProbe.path Request path for readinessProbe
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
enabled: true
path: /user/login
initialDelaySeconds: 30
periodSeconds: 5
timeoutSeconds: 1
failureThreshold: 5
successThreshold: 1
## @param customStartupProbe Override default startup probe
##
customStartupProbe: {}
## @param customLivenessProbe Override default liveness probe
##
customLivenessProbe: {}
## @param customReadinessProbe Override default readiness probe
##
customReadinessProbe: {}
## @param lifecycleHooks LifecycleHook to set additional configuration at startup Evaluated as a template
##
lifecycleHooks: {}
## @param podAnnotations Pod annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param podLabels Add additional labels to the pod (evaluated as a template)
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @section Traffic Exposure Parameters
## Kubernetes configuration. For minikube, set this to NodePort, elsewhere use LoadBalancer
##
service:
## @param service.type Kubernetes Service type
##
type: LoadBalancer
## @param service.ports.http Service HTTP port
## @param service.ports.https Service HTTPS port
##
ports:
http: 80
https: 443
## @param service.loadBalancerSourceRanges Restricts access for LoadBalancer (only with `service.type: LoadBalancer`)
## e.g:
## loadBalancerSourceRanges:
## - 0.0.0.0/0
##
loadBalancerSourceRanges: []
## @param service.loadBalancerIP loadBalancerIP for the Drupal Service (optional, cloud specific)
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
loadBalancerIP: ""
## @param service.nodePorts [object] Kubernetes node port
## nodePorts:
## http: <to set explicitly, choose port between 30000-32767>
## https: <to set explicitly, choose port between 30000-32767>
##
nodePorts:
http: ""
https: ""
## @param service.externalTrafficPolicy Enable client source IP preservation
## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
##
externalTrafficPolicy: Cluster
## @param service.clusterIP %%MAIN_CONTAINER_NAME%% service Cluster IP
## e.g.:
## clusterIP: None
##
clusterIP: ""
## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
##
extraPorts: []
## @param service.annotations Additional custom annotations for %%MAIN_CONTAINER_NAME%% service
##
annotations: {}
## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
## If "ClientIP", consecutive client requests will be directed to the same Pod
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
##
sessionAffinity: None
## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
## sessionAffinityConfig:
## clientIP:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
## Configure the ingress resource that allows you to access the
## Drupal installation. Set up the URL
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
## @param ingress.enabled Enable ingress controller resource
##
enabled: false
## DEPRECATED: Use ingress.annotations instead of ingress.certManager
## certManager: false
##
## @param ingress.pathType Ingress Path type
##
pathType: ImplementationSpecific
## @param ingress.apiVersion Override API Version (automatically detected if not set)
##
apiVersion: ""
## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
##
ingressClassName: ""
## @param ingress.hostname Default host for the ingress resource
##
hostname: drupal.local
## @param ingress.path The Path to Drupal. You may need to set this to '/*' in order to use this
## with ALB ingress controllers.
##
path: /
## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
## For a full list of possible ingress annotations, please see
## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
## Use this parameter to set the required annotations for cert-manager, see
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
##
## e.g:
## annotations:
## kubernetes.io/ingress.class: nginx
## cert-manager.io/cluster-issuer: cluster-issuer-name
##
annotations: {}
## @param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter
## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it
##
tls: false
## @param ingress.tlsWwwPrefix Adds www subdomain to default cert
## Creates tls host with ingress.hostname: {{ print "www.%s" .Values.ingress.hostname }}
## Is enabled if "nginx.ingress.kubernetes.io/from-to-www-redirect" is "true"
tlsWwwPrefix: false
## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
## extraHosts:
## - name: drupal.local
## path: /
extraHosts: []
## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
## extraPaths:
## - path: /*
## backend:
## serviceName: ssl-redirect
## servicePort: use-annotation
extraPaths: []
## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
## extraTls:
## - hosts:
## - drupal.local
## secretName: drupal.local-tls
extraTls: []
## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
## key and certificate should start with -----BEGIN CERTIFICATE----- or
## -----BEGIN RSA PRIVATE KEY-----
##
## name should line up with a tlsSecret set further up
## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
##
## It is also possible to create and manage the certificates outside of this helm chart
## Please see README.md for more information
## Example:
## - name: drupal.local-tls
## key:
## certificate:
##
secrets: []
## @param ingress.extraRules Additional rules to be covered with this ingress record
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
## e.g:
## extraRules:
## - host: example.local
## http:
## path: /
## backend:
## service:
## name: example-svc
## port:
## name: http
##
extraRules: []
## @section Database parameters
## MariaDB chart configuration
## https://github.com/bitnami/charts/blob/main/bitnami/mariadb/values.yaml
##
mariadb:
## @param mariadb.enabled Whether to deploy a mariadb server to satisfy the applications database requirements
## To use an external database set this to false and configure the externalDatabase parameters
##
enabled: true
## @param mariadb.architecture MariaDB architecture (`standalone` or `replication`)
##
architecture: standalone
## MariaDB Authentication parameters
## @param mariadb.auth.rootPassword Password for the MariaDB `root` user
## @param mariadb.auth.database Database name to create
## @param mariadb.auth.username Database user to create
## @param mariadb.auth.password Password for the database
##
auth:
## ref: https://github.com/bitnami/containers/tree/main/bitnami/mariadb#setting-the-root-password-on-first-run
##
rootPassword: ""
## ref: https://github.com/bitnami/containers/blob/main/bitnami/mariadb/README.md#creating-a-database-on-first-run
##
database: bitnami_drupal
## ref: https://github.com/bitnami/containers/blob/main/bitnami/mariadb/README.md#creating-a-database-user-on-first-run
##
username: bn_drupal
password: ""
primary:
## Enable persistence using Persistent Volume Claims
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
## @param mariadb.primary.persistence.enabled Enable database persistence using PVC
## @param mariadb.primary.persistence.storageClass MariaDB primary persistent volume storage Class
## @param mariadb.primary.persistence.accessModes Database Persistent Volume Access Modes
## @param mariadb.primary.persistence.size Database Persistent Volume Size
## @param mariadb.primary.persistence.hostPath Set path in case you want to use local host path volumes (not recommended in production)
## @param mariadb.primary.persistence.existingClaim Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas
##
persistence:
enabled: true
## mariadb data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
storageClass: ""
accessModes:
- ReadWriteOnce
size: 8Gi
hostPath: ""
existingClaim: ""
## External database configuration
## @param externalDatabase.host Host of the existing database
## @param externalDatabase.port Port of the existing database
## @param externalDatabase.user Existing username in the external db
## @param externalDatabase.password Password for the above username. Ignored if existing secret is provided
## @param externalDatabase.database Name of the existing database
## @param externalDatabase.existingSecret Name of a secret with the database password. (externalDatabase.password will be ignored and picked up from this secret). The secret has to contain the key db-password
##
externalDatabase:
host: ""
port: 3306
user: bn_drupal
password: ""
database: bitnami_drupal
existingSecret: ""
## @section Volume Permissions parameters
## Init containers parameters:
## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section.
##
volumePermissions:
## @param volumePermissions.enabled Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work)
##
enabled: false
## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry
## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image name
## @skip volumePermissions.image.tag Init container volume-permissions image tag
## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
##
image:
registry: docker.io
repository: bitnami/os-shell
tag: 12-debian-12-r31
digest: ""
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## e.g:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Init containers' resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## @section Metrics parameters
## Prometheus Exporter / Metrics
##
metrics:
## @param metrics.enabled Start a exporter side-car
##
enabled: false
## @param metrics.image.registry [default: REGISTRY_NAME] Apache exporter image registry
## @param metrics.image.repository [default: REPOSITORY_NAME/apache-exporter] Apache exporter image repository
## @skip metrics.image.tag Apache exporter image tag
## @param metrics.image.digest Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param metrics.image.pullPolicy Image pull policy
## @param metrics.image.pullSecrets Specify docker-registry secret names as an array
##
image:
registry: docker.io
repository: bitnami/apache-exporter
tag: 1.0.9-debian-12-r1
digest: ""
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## e.g:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
##
resources: {}
##
## @param metrics.podAnnotations [object] Additional annotations for Metrics exporter pod
##
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9117"
## Drupal exporter service parameters
##
service:
## @param metrics.service.type Drupal exporter service type
##
type: ClusterIP
## @param metrics.service.ports.metrics Drupal exporter service port
##
ports:
metrics: 9117
## @param metrics.service.externalTrafficPolicy Drupal exporter service external traffic policy
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
##
externalTrafficPolicy: Cluster
## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
##
extraPorts: []
## @param metrics.service.loadBalancerIP Drupal exporter service Load Balancer IP
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
loadBalancerIP: ""
## @param metrics.service.loadBalancerSourceRanges Drupal exporter service Load Balancer sources
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## e.g.
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## @param metrics.service.annotations Additional custom annotations for Drupal exporter service
##
annotations: {}
## Prometheus Service Monitor
## ref: https://github.com/coreos/prometheus-operator
## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
serviceMonitor:
## @param metrics.serviceMonitor.enabled Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator
##
enabled: false
## @param metrics.serviceMonitor.namespace The namespace in which the ServiceMonitor will be created
##
namespace: ""
## @param metrics.serviceMonitor.interval The interval at which metrics should be scraped
##
interval: 30s
## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended
##
scrapeTimeout: ""
## @param metrics.serviceMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping.
##
relabellings: []
## @param metrics.serviceMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion.
##
metricRelabelings: []
## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
##
honorLabels: false
## @param metrics.serviceMonitor.additionalLabels Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus
##
additionalLabels: {}
## Custom PrometheusRule to be defined
## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
##
prometheusRule:
## @param metrics.prometheusRule.enabled Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator
##
enabled: false
## @param metrics.prometheusRule.namespace The namespace in which the prometheusRule will be created
##
namespace: ""
## @param metrics.prometheusRule.additionalLabels Additional labels for the prometheusRule
##
additionalLabels: {}
## @param metrics.prometheusRule.rules Custom Prometheus rules
## e.g:
## rules:
## - alert: ApacheDown
## expr: apache_up{service="{{ template "common.names.fullname" . }}-metrics"} == 0
## for: 2m
## labels:
## severity: error
## annotations:
## summary: Drupal instance {{ "{{ $labels.instance }}" }} down
## description: Drupal instance {{ "{{ $labels.instance }}" }} is down
##
rules: []
## @section Certificate injection parameters
## Add custom certificates and certificate authorities to drupal container
##
certificates:
## @param certificates.customCertificate.certificateSecret Secret containing the certificate and key to add
## @param certificates.customCertificate.chainSecret.name Name of the secret containing the certificate chain
## @param certificates.customCertificate.chainSecret.key Key of the certificate chain file inside the secret
## @param certificates.customCertificate.certificateLocation Location in the container to store the certificate
## @param certificates.customCertificate.keyLocation Location in the container to store the private key
## @param certificates.customCertificate.chainLocation Location in the container to store the certificate chain
##
customCertificate:
certificateSecret: ""
chainSecret:
name: secret-name
key: secret-key
certificateLocation: /etc/ssl/certs/ssl-cert-snakeoil.pem
keyLocation: /etc/ssl/private/ssl-cert-snakeoil.key
chainLocation: /etc/ssl/certs/mychain.pem
## @param certificates.customCAs Defines a list of secrets to import into the container trust store
##
customCAs: []
## @param certificates.command Override default container command (useful when using custom images)
##
command: []
## @param certificates.args Override default container args (useful when using custom images)
##
args: []
## @param certificates.extraEnvVars Container sidecar extra environment variables (eg proxy)
##
extraEnvVars: []
## @param certificates.extraEnvVarsCM ConfigMap containing extra env vars
##
extraEnvVarsCM: ""
## @param certificates.extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data)
##
extraEnvVarsSecret: ""
## @param certificates.image.registry [default: REGISTRY_NAME] Container sidecar registry
## @param certificates.image.repository [default: REPOSITORY_NAME/os-shell] Container sidecar image
## @skip certificates.image.tag Container sidecar image tag
## @param certificates.image.digest Container sidecar image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param certificates.image.pullPolicy Container sidecar image pull policy
## @param certificates.image.pullSecrets Container sidecar image pull secrets
##
image:
registry: docker.io
repository: bitnami/os-shell
tag: 12-debian-12-r31
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
pullPolicy: IfNotPresent
## e.g:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## @section NetworkPolicy parameters
## Network Policy configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
##
enabled: true
## @param networkPolicy.allowExternal Don't require server label for connections
## The Policy model to apply. When set to false, only pods with the correct
## server label will have network access to the ports server is listening
## on. When true, server will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
## - ports:
## - port: 1234
## from:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
extraIngress: []
## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraEgress:
## - ports:
## - port: 1234
## to:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraEgress: []
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}

15
charts/drupal/values-overrides.yaml Normal file
View File

@ -0,0 +1,15 @@
# @see https://artifacthub.io/packages/helm/bitnami/drupal?modal=values
fullnameOverride: drupal
mariadb:
enabled: false
allowEmptyPassword: true
externalDatabase:
host: "mariadb.futureporn.svc.cluster.local"
port: 3306
user: drupal
database: drupal
existingSecret: externaldb
image:
debug: true
tag: 10.3.6-debian-12-r1

39
charts/fp/templates-staging/chihaya.yaml Normal file
View File

@ -0,0 +1,39 @@
# ---
# apiVersion: v1
# kind: Service
# metadata:
# name: chihaya
# namespace: futureporn
# annotations:
# external-dns.alpha.kubernetes.io/hostname: "{{ .Values.chihaya.hostname }}"
# spec:
# type: LoadBalancer
# selector:
# app: chihaya
# ports:
# - name: http
# port: 80
# targetPort: 80
# ---
# apiVersion: apps/v1
# kind: Deployment
# metadata:
# name: chihaya
# spec:
# replicas: 1
# selector:
# matchLabels:
# app: chihaya
# template:
# metadata:
# labels:
# app: chihaya
# spec:
# containers:
# - name: chihaya
# image: "quay.io/jzelinskie/chihaya-git:latest"
# ports:
# - containerPort: 80

0
charts/fp/templates/mailbox.yaml → charts/fp/templates-staging/mailbox.yaml
View File

79
charts/fp/templates/chihaya.yaml
View File

@ -1,79 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: chihaya
namespace: futureporn
annotations:
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.chihaya.hostname }}"
spec:
type: LoadBalancer
selector:
app: chihaya
ports:
- name: http
port: 80
targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: chihaya
spec:
replicas: 1
selector:
matchLabels:
app: chihaya
template:
metadata:
labels:
app: chihaya
spec:
containers:
- name: chihaya
image: "quay.io/jzelinskie/chihaya-git:latest"
ports:
- containerPort: 80
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: chihaya-http
namespace: futureporn
spec:
entryPoints:
- web
routes:
- match: Host(`chihaya.fp.sbtp.xyz`)
kind: Rule
middlewares:
- name: redirect
namespace: futureporn
services:
- name: chihaya
port: web
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: chihaya-https
namespace: futureporn
annotations:
cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
spec:
entryPoints:
- websecure
routes:
- match: Host(`chihaya.fp.sbtp.xyz`)
kind: Rule
services:
- name: chihaya
namespace: futureporn
port: web
tls:
secretName: chihaya-tls

13
charts/fp/templates/chisel.yaml
View File

@ -1,23 +1,14 @@
{{ if ne .Values.environment "production" }} {{ if ne .Values.environment "production" }}
## chisel-operator acts on all Services of type LoadBalancer, randomly assigning them to an available ExitNode.
## Thus, we need to create lots of ExitNodes to ensure that
## each services gets an ExitNode
{{- $exitNodeCount := 9 }} # Define the number of ExitNodes you need
{{- range $i := until $exitNodeCount }}
--- ---
apiVersion: chisel-operator.io/v1 apiVersion: chisel-operator.io/v1
kind: ExitNode kind: ExitNode
metadata: metadata:
name: exit-node-{{ $i }} name: vault-exit-node
namespace: futureporn namespace: futureporn
spec: spec:
host: "155.138.254.201" host: {{ quote .Values.chisel.exitNode.host }}
port: 9090 port: 9090
auth: chisel auth: chisel
{{- end }}
{{ end }} {{ end }}

24
charts/fp/templates/build.yaml → charts/fp/templates/factory.yaml
View File

@ -3,23 +3,23 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: build name: factory
namespace: futureporn namespace: futureporn
labels: labels:
app.kubernetes.io/name: build app.kubernetes.io/name: factory
spec: spec:
replicas: {{ .Values.build.replicas }} replicas: {{ .Values.factory.replicas }}
selector: selector:
matchLabels: matchLabels:
app: build app: factory
template: template:
metadata: metadata:
labels: labels:
app: build app: factory
spec: spec:
containers: containers:
- name: build - name: factory
image: "{{ .Values.build.imageName }}" image: "{{ .Values.factory.imageName }}"
volumeMounts: volumeMounts:
- name: capture-worker-cache - name: capture-worker-cache
mountPath: "{{ .Values.capture.cache.dir }}" mountPath: "{{ .Values.capture.cache.dir }}"
@ -34,6 +34,16 @@ spec:
secretKeyRef: secretKeyRef:
name: postgrest name: postgrest
key: automationUserJwt key: automationUserJwt
- name: PATREON_CREATOR_ACCESS_TOKEN
valueFrom:
secretKeyRef:
name: patreon
key: creatorAccessToken
- name: PATREON_CREATOR_REFRESH_TOKEN
valueFrom:
secretKeyRef:
name: patreon
key: creatorRefreshToken
- name: POSTGREST_URL - name: POSTGREST_URL
value: "{{ .Values.postgrest.url }}" value: "{{ .Values.postgrest.url }}"
- name: SCOUT_URL - name: SCOUT_URL

102
charts/fp/templates/game-2048.yaml
View File

@ -1,102 +0,0 @@
# ---
# apiVersion: networking.k8s.io/v1
# kind: Ingress
# metadata:
# name: game-2048
# namespace: futureporn
# spec:
# ingressClassName: ngrok
# rules:
# - host: "{{ .Values.ngrok.hostname }}"
# http:
# paths:
# - path: /
# pathType: Prefix
# backend:
# service:
# name: game-2048
# port:
# number: 80
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: game-2048-http
namespace: futureporn
spec:
entryPoints:
- web
routes:
- match: Host(`game-2048.fp.sbtp.xyz`)
kind: Rule
middlewares:
- name: redirect
namespace: futureporn
services:
- name: game-2048
port: 80
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: game-2048-https
namespace: futureporn
annotations:
cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
spec:
entryPoints:
- websecure
routes:
- match: Host(`game-2048.fp.sbtp.xyz`)
kind: Rule
services:
- name: game-2048
namespace: futureporn
port: 80
tls:
secretName: game-2048-tls
---
apiVersion: v1
kind: Service
metadata:
name: game-2048
namespace: futureporn
annotations:
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.game2048.hostname }}"
spec:
type: LoadBalancer
selector:
app: game-2048
ports:
- name: http
port: 80
targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: game-2048
namespace: futureporn
spec:
replicas: 1
selector:
matchLabels:
app: game-2048
template:
metadata:
labels:
app: game-2048
spec:
containers:
- name: game-2048
image: alexwhen/docker-2048
ports:
- name: http
containerPort: 80

12
charts/fp/templates/gateway.yaml Normal file
View File

@ -0,0 +1,12 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: example-gateway
namespace: futureporn
spec:
gatewayClassName: example-class
listeners:
- name: http
protocol: HTTP
port: 80

63
charts/fp/templates/next.yaml
View File

@ -1,44 +1,4 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: next-http
namespace: futureporn
spec:
entryPoints:
- web
routes:
- match: Host(`next.fp.sbtp.xyz`)
kind: Rule
middlewares:
- name: redirect
namespace: futureporn
services:
- name: next
port: web
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: next-https
namespace: futureporn
annotations:
cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
spec:
entryPoints:
- websecure
routes:
- match: Host(`next.fp.sbtp.xyz`)
kind: Rule
services:
- name: next
namespace: futureporn
port: web
tls:
secretName: next-tls
--- ---
apiVersion: v1 apiVersion: v1
@ -57,6 +17,29 @@ spec:
value: 0.0.0.0 value: 0.0.0.0
- name: NEXT_PUBLIC_UPPY_COMPANION_URL - name: NEXT_PUBLIC_UPPY_COMPANION_URL
value: "{{ .Values.uppy.url }}" value: "{{ .Values.uppy.url }}"
- name: NEXT_PUBLIC_POSTGREST_URL
value: "{{ .Values.postgrest.url }}"
- name: NEXT_PUBLIC_WEBSITE_DOMAIN
value: {{ printf "https://%s" .Values.next.hostname | quote }}
- name: NEXT_PUBLIC_API_DOMAIN
value: {{ .Values.next.hostname | quote }}
- name: PATREON_CLIENT_ID
valueFrom:
secretKeyRef:
name: patreon
key: clientId
- name: PATREON_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: patreon
key: clientSecret
- name: SUPERTOKENS_API_KEYS
valueFrom:
secretKeyRef:
name: supertokens
key: apiKeys
- name: SUPERTOKENS_URL
value: {{ printf "https://%s" .Values.supertokens.hostname | quote }}
ports: ports:
- name: web - name: web
containerPort: 3000 containerPort: 3000

2
charts/fp/templates/pgadmin4.yaml
View File

@ -43,7 +43,7 @@ metadata:
name: pgadmin4 name: pgadmin4
namespace: futureporn namespace: futureporn
spec: spec:
type: NodePort type: ClusterIP
ports: ports:
- port: 5050 - port: 5050
targetPort: 80 targetPort: 80

31
charts/fp/templates/postgrest.yaml
View File

@ -1,18 +1,41 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: postgrest-httproute
namespace: futureporn
spec:
parentRefs:
- name: example-gateway
hostnames:
- "{{ .Values.postgrest.hostname }}"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: postgrest
port: {{ .Values.postgrest.port }}
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: postgrest name: postgrest
namespace: futureporn namespace: futureporn
annotations:
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.postgrest.hostname }}"
spec: spec:
type: ClusterIP type: LoadBalancer
selector: selector:
app: postgrest app: postgrest
ports: ports:
- name: web - name: http
port: {{ .Values.postgrest.port }} port: {{ .Values.postgrest.port }}
targetPort: http targetPort: {{ .Values.postgrest.port }}
protocol: TCP
--- ---

227
charts/fp/templates/strapi.yaml
View File

@ -1,227 +0,0 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: strapi-http
namespace: futureporn
spec:
entryPoints:
- web
routes:
- match: Host(`strapi.fp.sbtp.xyz`)
kind: Rule
middlewares:
- name: redirect
namespace: futureporn
services:
- name: strapi
port: http
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: strapi-https
namespace: futureporn
annotations:
cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
spec:
entryPoints:
- websecure
routes:
- match: Host(`strapi.fp.sbtp.xyz`)
kind: Rule
services:
- name: strapi
namespace: futureporn
port: http
tls:
secretName: strapi-tls
---
apiVersion: v1
kind: Service
metadata:
name: strapi
namespace: futureporn
annotations:
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.strapi.hostname }}"
spec:
type: LoadBalancer
selector:
app: strapi
ports:
- name: http
port: 1339
targetPort: http
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: strapi
namespace: futureporn
labels:
app.kubernetes.io/name: strapi
spec:
replicas: {{ .Values.strapi.replicas }}
selector:
matchLabels:
app: strapi
template:
metadata:
labels:
app: strapi
spec:
containers:
- name: strapi
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 5
periodSeconds: 5
image: "{{ .Values.strapi.imageName }}"
ports:
- name: http
containerPort: 1339
env:
- name: NODE_EXTRA_CA_CERTS
value: "{{ .Values.strapi.nodeExtraCaCerts }}"
- name: ADMIN_JWT_SECRET
valueFrom:
secretKeyRef:
name: strapi
key: adminJwtSecret
- name: API_TOKEN_SALT
valueFrom:
secretKeyRef:
name: strapi
key: apiTokenSalt
- name: APP_KEYS
valueFrom:
secretKeyRef:
name: strapi
key: appKeys
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: strapi
key: databaseUrl
- name: CDN_BUCKET_USC_URL
valueFrom:
secretKeyRef:
name: strapi
key: cdnBucketUscUrl
- name: DATABASE_CLIENT
value: postgres
- name: DATABASE_HOST
value: postgresql.futureporn.svc.cluster.local
- name: DATABASE_NAME
value: futureporn-strapi
- name: JWT_SECRET
valueFrom:
secretKeyRef:
name: strapi
key: jwtSecret
- name: MUX_PLAYBACK_RESTRICTION_ID
valueFrom:
secretKeyRef:
name: strapi
key: muxPlaybackRestrictionId
- name: MUX_SIGNING_KEY_ID
valueFrom:
secretKeyRef:
name: strapi
key: muxSigningKeyId
- name: MUX_SIGNING_KEY_PRIVATE_KEY
valueFrom:
secretKeyRef:
name: strapi
key: muxSigningKeyPrivateKey
- name: NODE_ENV
value: production
- name: S3_USC_BUCKET_APPLICATION_KEY
valueFrom:
secretKeyRef:
name: strapi
key: s3UscBucketApplicationKey
- name: S3_USC_BUCKET_ENDPOINT
valueFrom:
secretKeyRef:
name: strapi
key: s3UscBucketEndpoint
- name: S3_USC_BUCKET_KEY_ID
valueFrom:
secretKeyRef:
name: strapi
key: s3UscBucketKeyId
- name: S3_USC_BUCKET_NAME
valueFrom:
secretKeyRef:
name: strapi
key: s3UscBucketName
- name: S3_USC_BUCKET_REGION
valueFrom:
secretKeyRef:
name: strapi
key: s3UscBucketRegion
- name: SENDGRID_API_KEY
valueFrom:
secretKeyRef:
name: strapi
key: sendgridApiKey
- name: TRANSFER_TOKEN_SALT
valueFrom:
secretKeyRef:
name: strapi
key: transferTokenSalt
- name: STRAPI_URL
value: "{{ .Values.strapi.url }}"
- name: PORT
value: "{{ .Values.strapi.port }}"
resources:
limits:
cpu: 1000m
memory: 2Gi
restartPolicy: Always
# ---
# apiVersion: v1
# kind: PersistentVolumeClaim
# metadata:
# name: strapi
# namespace: futureporn
# annotations:
# meta.helm.sh/release-name: fp
# meta.helm.sh/release-namespace: futureporn
# labels:
# app.kubernetes.io/managed-by: {{ .Values.managedBy }}
# spec:
# accessModes:
# - ReadWriteOnce
# resources:
# requests:
# storage: 100Gi
# storageClassName: {{ .Values.storageClassName }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: strapi
namespace: futureporn
spec:
secretName: strapi-tls
issuerRef:
name: "{{ .Values.certManager.issuer }}"
kind: ClusterIssuer
dnsNames:
- "{{ .Values.strapi.hostname }}"

138
charts/fp/templates/supertokens.yaml Normal file
View File

@ -0,0 +1,138 @@
# ---
# apiVersion: traefik.io/v1alpha1
# kind: IngressRoute
# metadata:
# name: supertokens-http
# namespace: futureporn
# spec:
# entryPoints:
# - web
# routes:
# - match: Host(`auth.fp.sbtp.xyz`)
# kind: Rule
# middlewares:
# - name: redirect
# namespace: futureporn
# services:
# - name: supertokens
# port: 3567
# ---
# apiVersion: traefik.io/v1alpha1
# kind: IngressRoute
# metadata:
# name: supertokens-https
# namespace: futureporn
# annotations:
# cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}"
# spec:
# entryPoints:
# - websecure
# routes:
# - match: Host(`auth.fp.sbtp.xyz`)
# kind: Rule
# services:
# - name: supertokens
# namespace: futureporn
# port: 3567
# tls:
# secretName: supertokens-tls
# ---
# apiVersion: batch/v1
# kind: Job
# metadata:
# name: supertokens-database-seed
# namespace: futureporn
# spec:
# template:
# spec:
# containers:
# - name: supertokens-database-seed
# image: postgres:latest
# imagePullPolicy: IfNotPresent
# env:
# - name: DB_DATABASE
# value: postgres
# # valueFrom:
# # secretKeyRef:
# # name: supertokens
# # key: postgresqlUri
# command:
# - /bin/sh
# - -c
# - psql -a -f CREATE DATABASE supertokens;
# restartPolicy: OnFailure
---
apiVersion: v1
kind: Service
metadata:
name: supertokens
namespace: futureporn
annotations:
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.supertokens.hostname }}"
spec:
type: LoadBalancer
selector:
app: supertokens
ports:
- name: http
port: {{ .Values.supertokens.port }}
targetPort: {{ .Values.supertokens.port }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: supertokens
namespace: futureporn
spec:
replicas: {{ .Values.supertokens.replicas }}
selector:
matchLabels:
app: supertokens
template:
metadata:
labels:
app: supertokens
spec:
containers:
- name: supertokens
image: registry.supertokens.io/supertokens/supertokens-postgresql
ports:
- name: http
containerPort: {{ .Values.supertokens.port }}
# livenessProbe:
# httpGet:
# path: /hello
# port: http
# failureThreshold: 3
# initialDelaySeconds: 10
# periodSeconds: 10
# readinessProbe:
# httpGet:
# path: /hello
# port: http
# failureThreshold: 3
# initialDelaySeconds: 10
# periodSeconds: 10
# timeoutSeconds: 30
env:
## @see https://github.com/supertokens/supertokens-docker-postgresql/blob/master/README.md
- name: DISABLE_TELEMETRY
value: "true"
- name: SUPERTOKENS_PORT
value: "{{ .Values.supertokens.port }}"
- name: POSTGRESQL_CONNECTION_URI
valueFrom:
secretKeyRef:
name: supertokens
key: postgresqlUri
- name: API_KEYS
valueFrom:
secretKeyRef:
name: supertokens
key: apiKeys

122
charts/fp/templates/traefik.yaml
View File

@ -1,11 +1,115 @@
--- # ---
apiVersion: traefik.io/v1alpha1 # apiVersion: traefik.io/v1alpha1
kind: Middleware # kind: Middleware
metadata: # metadata:
name: redirect # name: redirect
namespace: futureporn # namespace: futureporn
# spec:
# redirectScheme:
# scheme: https
# permanent: true
# ---
# apiVersion: traefik.io/v1alpha1
# kind: Middleware
# metadata:
# name: traefik-dashboard-basicauth
# namespace: futureporn
# spec:
# basicAuth:
# secret: traefik-dashboard-auth
# ---
# apiVersion: traefik.io/v1alpha1
# kind: IngressRoute
# metadata:
# name: traefik-dashboard-custom
# namespace: futureporn
# spec:
# entryPoints:
# - websecure
# - web
# routes:
# - match: PathPrefix(`/board`)
# kind: Rule
# # priority: 2147483647
# # middlewares:
# # - name: traefik-dashboard-basicauth
# # namespace: traefik
# services:
# - name: dashboard@internal
# kind: TraefikService
# ---
# apiVersion: traefik.io/v1alpha1
# kind: IngressRoute
# metadata:
# name: traefik-api-custom
# namespace: futureporn
# spec:
# entryPoints:
# - websecure
# - web
# routes:
# - match: PathPrefix(`/api`)
# kind: Rule
# # priority: 2147483647
# # middlewares:
# # - name: traefik-dashboard-basicauth
# # namespace: traefik
# services:
# - name: api@internal
# kind: TraefikService
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: whoami-httproute
namespace: futureporn
spec: spec:
redirectScheme: parentRefs:
scheme: https - name: traefik-gateway
permanent: true hostnames:
- traefik.futureporn.svc.cluster.local
rules:
- matches:
- path:
type: PathPrefix
value: /whoami
filters:
- type: ResponseHeaderModifier
responseHeaderModifier:
add:
- name: x-cj-was-here
value: "true"
backendRefs:
- name: whoami
port: 8888
- matches:
- path:
type: PathPrefix
value: /postgrest
backendRefs:
- name: postgrest
port: 9000
# ---
# apiVersion: gateway.networking.k8s.io/v1
# kind: HTTPRoute
# metadata:
# name: whoami-httproute
# namespace: futureporn
# spec:
# parentRefs:
# - name: traefik-gateway
# hostnames:
# - traefik.futureporn.svc.cluster.local
# rules:
# - matches:

66
charts/fp/templates/whoami.yaml
View File

@ -3,45 +3,27 @@
{{ if ne .Values.environment "production" }} {{ if ne .Values.environment "production" }}
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: whoami-http
namespace: futureporn
spec:
entryPoints:
- web
routes:
- match: Host(`whoami.fp.sbtp.xyz`)
kind: Rule
middlewares:
- name: redirect
namespace: futureporn
services:
- name: whoami
port: 80
--- # ---
apiVersion: traefik.io/v1alpha1 # apiVersion: gateway.networking.k8s.io/v1
kind: IngressRoute # kind: HTTPRoute
metadata: # metadata:
name: whoami-https # name: whoami-httproute
namespace: futureporn # namespace: futureporn
annotations: # spec:
cert-manager.io/cluster-issuer: "{{ .Values.certManager.issuer }}" # parentRefs:
spec: # - name: traefik-gateway
entryPoints: # hostnames:
- websecure # - traefik.futureporn
routes: # rules:
- match: Host(`whoami.fp.sbtp.xyz`) # - matches:
kind: Rule # - path:
services: # type: PathPrefix
- name: whoami # value: /whoami
namespace: futureporn # backendRefs:
port: 80 # - name: whoami
tls: # port: {{ .Values.whoami.port }}
secretName: whoami-tls
--- ---
apiVersion: v1 apiVersion: v1
@ -56,8 +38,8 @@ spec:
selector: selector:
app: whoami app: whoami
ports: ports:
- port: 80 - port: {{ .Values.whoami.port }}
targetPort: 80 targetPort: {{ .Values.whoami.port }}
--- ---
@ -79,8 +61,10 @@ spec:
containers: containers:
- name: whoami - name: whoami
image: containous/whoami image: containous/whoami
args:
- --port={{ .Values.whoami.port }}
ports: ports:
- containerPort: 80 - containerPort: {{ .Values.whoami.port }}
{{ end }} {{ end }}

27
charts/fp/values.yaml
View File

@ -33,9 +33,9 @@ mailbox:
cdnBucketUrl: https://fp-dev.b-cdn.net cdnBucketUrl: https://fp-dev.b-cdn.net
s3BucketName: fp-dev s3BucketName: fp-dev
port: 5000 port: 5000
build: factory:
replicas: 1 replicas: 1
imageName: fp/build imageName: fp/factory
strapi: strapi:
replicas: 1 replicas: 1
imageName: fp/strapi imageName: fp/strapi
@ -79,25 +79,32 @@ scout:
imageName: fp/scout imageName: fp/scout
replicas: 1 replicas: 1
port: 8134 port: 8134
url: http://scout.futureporn.svc.cluster.local:8134 url: http://scout.fp.sbtp.xyz
postgrest: postgrest:
url: http://postgrest.futureporn.svc.cluster.local:9000 hostname: postgrest.fp.sbtp.xyz
image: postgrest/postgrest image: postgrest/postgrest
replicas: 1 replicas: 1
port: 9000 port: 9000
schemas: api schemas: api
# postgresql:
# image: postgres:16
# replicas: 1
# user: futureporn
# port: 5432
chisel: chisel:
exitNode: exitNode:
host: "155.138.254.201" host: "155.138.254.201"
port: 9090 port: 9090
game2048: game2048:
hostname: game-2048.fp.sbtp.xyz hostname: game-2048.fp.sbtp.xyz
supertokens:
port: 3348
hostname: supertokens.fp.sbtp.xyz
replicas: 1
logto:
admin:
port: 3002
hostname: logto-admin.fp.sbtp.xyz
main:
port: 3001
hostname: logto.fp.sbtp.xyz
whoami: whoami:
hostname: whoami.fp.sbtp.xyz hostname: whoami.fp.sbtp.xyz
port: 8888
migrations: migrations:
imageName: fp/migrations imageName: fp/migrations

25
charts/mariadb/mariadb/.helmignore Normal file
View File

@ -0,0 +1,25 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# img folder
img/
# Changelog
CHANGELOG.md

6
charts/mariadb/mariadb/Chart.lock Normal file
View File

@ -0,0 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.23.0
digest: sha256:fbd6439f12ded949c04553b9c52a4c8153a8f2790147d972b314ddcd46921a14
generated: "2024-09-23T12:24:39.221888112Z"

36
charts/mariadb/mariadb/Chart.yaml Normal file
View File

@ -0,0 +1,36 @@
annotations:
category: Database
images: |
- name: mariadb
image: docker.io/bitnami/mariadb:11.4.3-debian-12-r1
- name: mysqld-exporter
image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-12-r34
- name: os-shell
image: docker.io/bitnami/os-shell:12-debian-12-r30
licenses: Apache-2.0
apiVersion: v2
appVersion: 11.4.3
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
tags:
- bitnami-common
version: 2.x.x
description: MariaDB is an open source, community-developed SQL database server that
is widely in use around the world due to its enterprise features, flexibility, and
collaboration with leading tech firms.
home: https://bitnami.com
icon: https://bitnami.com/assets/stacks/mariadb/img/mariadb-stack-220x234.png
keywords:
- mariadb
- mysql
- database
- sql
- prometheus
maintainers:
- name: Broadcom, Inc. All Rights Reserved.
url: https://github.com/bitnami/charts
name: mariadb
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/mariadb
version: 19.1.0

650
charts/mariadb/mariadb/README.md Normal file
View File

@ -0,0 +1,650 @@
<!--- app-name: MariaDB -->
# Bitnami package for MariaDB
MariaDB is an open source, community-developed SQL database server that is widely in use around the world due to its enterprise features, flexibility, and collaboration with leading tech firms.
[Overview of MariaDB](https://mariadb.org/)
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
## TL;DR
```console
helm install my-release oci://registry-1.docker.io/bitnamicharts/mariadb
```
Looking to use MariaDB in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog.
## Introduction
This chart bootstraps a [MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) replication cluster deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
MariaDB is developed as open source software and as a relational database it provides an SQL interface for accessing data. The latest versions of MariaDB also include GIS and JSON features.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.23+
- Helm 3.8.0+
- PV provisioner support in the underlying infrastructure
## Installing the Chart
To install the chart with the release name `my-release`:
```console
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
The command deploys MariaDB on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Configuration and installation details
### Resource requests and limits
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcesPreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
### [Rolling VS Immutable tags](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Change MariaDB version
To modify the MariaDB version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/mariadb/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters.
### Initialize a fresh instance
The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image allows you to use your custom scripts to initialize a fresh instance. Custom scripts may be specified using the `initdbScripts` parameter. Alternatively, an external ConfigMap may be created with all the initialization scripts and the ConfigMap passed to the chart via the `initdbScriptsConfigMap` parameter. Note that this will override the `initdbScripts` parameter.
The allowed extensions are `.sh`, `.sql` and `.sql.gz`.
These scripts are treated differently depending on their extension. While `.sh` scripts are executed on all the nodes, `.sql` and `.sql.gz` scripts are only executed on the primary nodes. This is because `.sh` scripts support conditional tests to identify the type of node they are running on, while such tests are not supported in `.sql` or `.sql.gz` files.
When using a `.sh` script, you may wish to perform a "one-time" action like creating a database. This can be achieved by adding a condition in the script to ensure that it is executed only on one node, as shown in the example below:
```yaml
initdbScripts:
my_init_script.sh: |
#!/bin/sh
if [[ $(hostname) == *primary* ]]; then
echo "Primary node"
mysql -P 3306 -uroot -prandompassword -e "create database new_database";
else
echo "No primary node"
fi
```
### Sidecars and Init Containers
If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter.
```yaml
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below:
```yaml
service:
extraPorts:
- name: extraPort
port: 11311
targetPort: 11311
```
> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers.
If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example:
```yaml
initContainers:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/).
## Persistence
The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image stores the MariaDB data and configurations at the `/bitnami/mariadb` path of the container.
The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) volume at this location. The volume is created using dynamic volume provisioning, by default. An existing PersistentVolumeClaim can also be defined.
If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/).
### Adjust permissions of persistent volume mountpoint
As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it.
By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions.
As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination. You can enable this initContainer by setting `volumePermissions.enabled` to `true`.
## Parameters
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `global.imageRegistry` | Global Docker Image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` |
| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
| Name | Description | Value |
| ------------------------- | --------------------------------------------------------------------------------------- | --------------- |
| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` |
| `nameOverride` | String to partially override mariadb.fullname | `""` |
| `fullnameOverride` | String to fully override mariadb.fullname | `""` |
| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` |
| `commonAnnotations` | Common annotations to add to all MariaDB resources (sub-charts are not considered) | `{}` |
| `commonLabels` | Common labels to add to all MariaDB resources (sub-charts are not considered) | `{}` |
| `schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` |
| `runtimeClassName` | Name of the Runtime Class for all MariaDB pods | `""` |
| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` |
| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` |
| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` |
| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` |
### MariaDB common parameters
| Name | Description | Value |
| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
| `image.registry` | MariaDB image registry | `REGISTRY_NAME` |
| `image.repository` | MariaDB image repository | `REPOSITORY_NAME/mariadb` |
| `image.digest` | MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | MariaDB image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `image.debug` | Specify if debug logs should be enabled | `false` |
| `architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` |
| `auth.rootPassword` | Password for the `root` user. Ignored if existing secret is provided. | `""` |
| `auth.database` | Name for a custom database to create | `my_database` |
| `auth.username` | Name for a custom user to create | `""` |
| `auth.password` | Password for the new user. Ignored if existing secret is provided | `""` |
| `auth.replicationUser` | MariaDB replication user | `replicator` |
| `auth.replicationPassword` | MariaDB replication user password. Ignored if existing secret is provided | `""` |
| `auth.existingSecret` | Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` | `""` |
| `auth.forcePassword` | Force users to specify required passwords | `false` |
| `auth.usePasswordFiles` | Mount credentials as files instead of using environment variables | `false` |
| `auth.customPasswordFiles` | Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` | `{}` |
| `initdbScripts` | Dictionary of initdb scripts | `{}` |
| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `""` |
### MariaDB Primary parameters
| Name | Description | Value |
| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` |
| `primary.command` | Override default container command on MariaDB Primary container(s) (useful when using custom images) | `[]` |
| `primary.args` | Override default container args on MariaDB Primary container(s) (useful when using custom images) | `[]` |
| `primary.lifecycleHooks` | for the MariaDB Primary container(s) to automate configuration before or after startup | `{}` |
| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `primary.hostAliases` | Add deployment host aliases | `[]` |
| `primary.containerPorts.mysql` | Container port for mysql | `3306` |
| `primary.configuration` | MariaDB Primary configuration to be injected as ConfigMap | `""` |
| `primary.existingConfigmap` | Name of existing ConfigMap with MariaDB Primary configuration. | `""` |
| `primary.updateStrategy.type` | MariaDB primary statefulset strategy type | `RollingUpdate` |
| `primary.rollingUpdatePartition` | Partition update strategy for Mariadb Primary statefulset | `""` |
| `primary.podAnnotations` | Additional pod annotations for MariaDB primary pods | `{}` |
| `primary.podLabels` | Extra labels for MariaDB primary pods | `{}` |
| `primary.podAffinityPreset` | MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `primary.podAntiAffinityPreset` | MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `primary.nodeAffinityPreset.type` | MariaDB primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `primary.nodeAffinityPreset.key` | MariaDB primary node label key to match Ignored if `primary.affinity` is set. | `""` |
| `primary.nodeAffinityPreset.values` | MariaDB primary node label values to match. Ignored if `primary.affinity` is set. | `[]` |
| `primary.affinity` | Affinity for MariaDB primary pods assignment | `{}` |
| `primary.nodeSelector` | Node labels for MariaDB primary pods assignment | `{}` |
| `primary.tolerations` | Tolerations for MariaDB primary pods assignment | `[]` |
| `primary.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `primary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB primary pods | `""` |
| `primary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB primary pods assignment | `[]` |
| `primary.priorityClassName` | Priority class for MariaDB primary pods assignment | `""` |
| `primary.runtimeClassName` | Runtime Class for MariaDB primary pods | `""` |
| `primary.podSecurityContext.enabled` | Enable security context for MariaDB primary pods | `true` |
| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` |
| `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` |
| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` |
| `primary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB primary container | `1001` |
| `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` |
| `primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` |
| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` |
| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `micro` |
| `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `primary.startupProbe.enabled` | Enable startupProbe | `false` |
| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` |
| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` |
| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` |
| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `primary.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` |
| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `primary.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` |
| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `primary.customStartupProbe` | Override default startup probe for MariaDB primary containers | `{}` |
| `primary.customLivenessProbe` | Override default liveness probe for MariaDB primary containers | `{}` |
| `primary.customReadinessProbe` | Override default readiness probe for MariaDB primary containers | `{}` |
| `primary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB primary containers | `{}` |
| `primary.extraFlags` | MariaDB primary additional command line flags | `""` |
| `primary.extraEnvVars` | Extra environment variables to be set on MariaDB primary containers | `[]` |
| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB primary containers | `""` |
| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB primary containers | `""` |
| `primary.persistence.enabled` | Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir | `true` |
| `primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `""` |
| `primary.persistence.subPath` | Subdirectory of the volume to mount at | `""` |
| `primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `""` |
| `primary.persistence.labels` | Labels for the PVC | `{}` |
| `primary.persistence.annotations` | MariaDB primary persistent volume claim annotations | `{}` |
| `primary.persistence.accessModes` | MariaDB primary persistent volume access Modes | `["ReadWriteOnce"]` |
| `primary.persistence.size` | MariaDB primary persistent volume size | `8Gi` |
| `primary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` |
| `primary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB Primary pod(s) | `[]` |
| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s) | `[]` |
| `primary.initContainers` | Add additional init containers for the MariaDB Primary pod(s) | `[]` |
| `primary.sidecars` | Add additional sidecar containers for the MariaDB Primary pod(s) | `[]` |
| `primary.service.type` | MariaDB Primary Kubernetes service type | `ClusterIP` |
| `primary.service.ports.mysql` | MariaDB Primary Kubernetes service port for MariaDB | `3306` |
| `primary.service.ports.metrics` | MariaDB Primary Kubernetes service port for metrics | `9104` |
| `primary.service.nodePorts.mysql` | MariaDB Primary Kubernetes service node port | `""` |
| `primary.service.clusterIP` | MariaDB Primary Kubernetes service clusterIP IP | `""` |
| `primary.service.loadBalancerIP` | MariaDB Primary loadBalancerIP if service type is `LoadBalancer` | `""` |
| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `primary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB Primary service is LoadBalancer | `[]` |
| `primary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `primary.service.annotations` | Provide any additional annotations which may be required | `{}` |
| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `primary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB primary pods | `true` |
| `primary.pdb.minAvailable` | Minimum number/percentage of MariaDB primary pods that must still be available after the eviction | `""` |
| `primary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction. Defaults to `1` if both `primary.pdb.minAvailable` and `primary.pdb.maxUnavailable` are empty. | `""` |
| `primary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` |
### MariaDB Secondary parameters
| Name | Description | Value |
| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
| `secondary.name` | Name of the secondary database (eg secondary, slave, ...) | `secondary` |
| `secondary.replicaCount` | Number of MariaDB secondary replicas | `1` |
| `secondary.command` | Override default container command on MariaDB Secondary container(s) (useful when using custom images) | `[]` |
| `secondary.args` | Override default container args on MariaDB Secondary container(s) (useful when using custom images) | `[]` |
| `secondary.lifecycleHooks` | for the MariaDB Secondary container(s) to automate configuration before or after startup | `{}` |
| `secondary.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `secondary.hostAliases` | Add deployment host aliases | `[]` |
| `secondary.containerPorts.mysql` | Container port for mysql | `3306` |
| `secondary.configuration` | MariaDB Secondary configuration to be injected as ConfigMap | `""` |
| `secondary.existingConfigmap` | Name of existing ConfigMap with MariaDB Secondary configuration. | `""` |
| `secondary.updateStrategy.type` | MariaDB secondary statefulset strategy type | `RollingUpdate` |
| `secondary.rollingUpdatePartition` | Partition update strategy for Mariadb Secondary statefulset | `""` |
| `secondary.podAnnotations` | Additional pod annotations for MariaDB secondary pods | `{}` |
| `secondary.podLabels` | Extra labels for MariaDB secondary pods | `{}` |
| `secondary.podAffinityPreset` | MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `secondary.podAntiAffinityPreset` | MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `secondary.nodeAffinityPreset.type` | MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `secondary.nodeAffinityPreset.key` | MariaDB secondary node label key to match Ignored if `secondary.affinity` is set. | `""` |
| `secondary.nodeAffinityPreset.values` | MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set. | `[]` |
| `secondary.affinity` | Affinity for MariaDB secondary pods assignment | `{}` |
| `secondary.nodeSelector` | Node labels for MariaDB secondary pods assignment | `{}` |
| `secondary.tolerations` | Tolerations for MariaDB secondary pods assignment | `[]` |
| `secondary.topologySpreadConstraints` | Topology Spread Constraints for MariaDB secondary pods assignment | `[]` |
| `secondary.priorityClassName` | Priority class for MariaDB secondary pods assignment | `""` |
| `secondary.runtimeClassName` | Runtime Class for MariaDB secondary pods | `""` |
| `secondary.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `secondary.podManagementPolicy` | podManagementPolicy to manage scaling operation of MariaDB secondary pods | `""` |
| `secondary.podSecurityContext.enabled` | Enable security context for MariaDB secondary pods | `true` |
| `secondary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `secondary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` |
| `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` |
| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` |
| `secondary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB secondary container | `1001` |
| `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` |
| `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` |
| `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set secondary container's Security Context allowPrivilegeEscalation | `false` |
| `secondary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `secondary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `secondary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `secondary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). | `micro` |
| `secondary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `secondary.startupProbe.enabled` | Enable startupProbe | `false` |
| `secondary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` |
| `secondary.startupProbe.periodSeconds` | Period seconds for startupProbe | `15` |
| `secondary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
| `secondary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `10` |
| `secondary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `secondary.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `secondary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` |
| `secondary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `secondary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `secondary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `secondary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `secondary.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `secondary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` |
| `secondary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `secondary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `secondary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `secondary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `secondary.customStartupProbe` | Override default startup probe for MariaDB secondary containers | `{}` |
| `secondary.customLivenessProbe` | Override default liveness probe for MariaDB secondary containers | `{}` |
| `secondary.customReadinessProbe` | Override default readiness probe for MariaDB secondary containers | `{}` |
| `secondary.startupWaitOptions` | Override default builtin startup wait check options for MariaDB secondary containers | `{}` |
| `secondary.extraFlags` | MariaDB secondary additional command line flags | `""` |
| `secondary.extraEnvVars` | Extra environment variables to be set on MariaDB secondary containers | `[]` |
| `secondary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB secondary containers | `""` |
| `secondary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB secondary containers | `""` |
| `secondary.persistence.enabled` | Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` | `true` |
| `secondary.persistence.subPath` | Subdirectory of the volume to mount at | `""` |
| `secondary.persistence.storageClass` | MariaDB secondary persistent volume storage Class | `""` |
| `secondary.persistence.labels` | Labels for the PVC | `{}` |
| `secondary.persistence.annotations` | MariaDB secondary persistent volume claim annotations | `{}` |
| `secondary.persistence.accessModes` | MariaDB secondary persistent volume access Modes | `["ReadWriteOnce"]` |
| `secondary.persistence.size` | MariaDB secondary persistent volume size | `8Gi` |
| `secondary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` |
| `secondary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB secondary pod(s) | `[]` |
| `secondary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s) | `[]` |
| `secondary.initContainers` | Add additional init containers for the MariaDB secondary pod(s) | `[]` |
| `secondary.sidecars` | Add additional sidecar containers for the MariaDB secondary pod(s) | `[]` |
| `secondary.service.type` | MariaDB secondary Kubernetes service type | `ClusterIP` |
| `secondary.service.ports.mysql` | MariaDB secondary Kubernetes service port for MariaDB | `3306` |
| `secondary.service.ports.metrics` | MariaDB secondary Kubernetes service port for metrics | `9104` |
| `secondary.service.nodePorts.mysql` | MariaDB secondary Kubernetes service node port | `""` |
| `secondary.service.clusterIP` | MariaDB secondary Kubernetes service clusterIP IP | `""` |
| `secondary.service.loadBalancerIP` | MariaDB secondary loadBalancerIP if service type is `LoadBalancer` | `""` |
| `secondary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `secondary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB secondary service is LoadBalancer | `[]` |
| `secondary.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `secondary.service.annotations` | Provide any additional annotations which may be required | `{}` |
| `secondary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `secondary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `secondary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods | `true` |
| `secondary.pdb.minAvailable` | Minimum number/percentage of MariaDB secondary pods that should remain scheduled | `""` |
| `secondary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB secondary pods that may be made unavailable. Defaults to `1` if both `secondary.pdb.minAvailable` and `secondary.pdb.maxUnavailable` are empty. | `""` |
| `secondary.revisionHistoryLimit` | Maximum number of revisions that will be maintained in the StatefulSet | `10` |
### RBAC parameters
| Name | Description | Value |
| --------------------------------------------- | -------------------------------------------------------------- | ------- |
| `serviceAccount.create` | Enable the creation of a ServiceAccount for MariaDB pods | `true` |
| `serviceAccount.name` | Name of the created ServiceAccount | `""` |
| `serviceAccount.annotations` | Annotations for MariaDB Service Account | `{}` |
| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
| `rbac.create` | Whether to create and use RBAC resources or not | `false` |
### Volume Permissions parameters
| Name | Description | Value |
| ------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` |
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` |
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
### Metrics parameters
| Name | Description | Value |
| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
| `metrics.enabled` | Start a side-car prometheus exporter | `false` |
| `metrics.image.registry` | Exporter image registry | `REGISTRY_NAME` |
| `metrics.image.repository` | Exporter image repository | `REPOSITORY_NAME/mysqld-exporter` |
| `metrics.image.digest` | Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `metrics.annotations` | Annotations for the Exporter pod | `{}` |
| `metrics.extraArgs` | Extra args to be passed to mysqld_exporter | `{}` |
| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` |
| `metrics.containerPorts.http` | Container port for http | `9104` |
| `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` |
| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `metrics.containerSecurityContext.runAsUser` | User ID for the MariaDB metrics container | `1001` |
| `metrics.containerSecurityContext.runAsGroup` | Group ID for the MariaDB metrics container | `1001` |
| `metrics.containerSecurityContext.runAsNonRoot` | Set metrics container's Security Context runAsNonRoot | `true` |
| `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` |
| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` |
| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` |
| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` |
| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` |
| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` |
| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` |
| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` |
| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` |
| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` |
| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` |
| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` |
| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` |
| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` |
| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` |
| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` |
| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` |
### NetworkPolicy parameters
| Name | Description | Value |
| --------------------------------------- | --------------------------------------------------------------- | ------ |
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
| `networkPolicy.allowExternal` | The Policy model to apply | `true` |
| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
The above parameters map to the env variables defined in [bitnami/mariadb](https://github.com/bitnami/containers/tree/main/bitnami/mariadb). For more information please refer to the [bitnami/mariadb](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image documentation.
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
helm install my-release \
--set auth.rootPassword=secretpassword,auth.database=app_database \
oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
The above command sets the MariaDB `root` account password to `secretpassword`. Additionally it creates a database named `my_database`.
> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```console
helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/mariadb/values.yaml)
## Troubleshooting
Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
## Upgrading
It's necessary to set the `auth.rootPassword` parameter when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Administrator credentials' section. Please note down the password and run the command below to upgrade your chart:
```console
helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb --set auth.rootPassword=[ROOT_PASSWORD]
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
| Note: you need to substitute the placeholder _[ROOT_PASSWORD]_ with the value obtained in the installation notes.
### To 17.0.0
This major bump changes the following security defaults:
- `runAsGroup` is changed from `0` to `1001`
- `readOnlyRootFilesystem` is set to `true`
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
### To 16.0.0
This section enables NetworkPolicies by default to increase security of the application. It also adapts the values in the `networkPolicy` section to the current Bitnami standards. The removed sections are `networkPolicy.metrics.*`, `networkPolicy.ingressRules.*` and `networkPolicy.egressRules.*`. Check the Parameters table for the new structure.
### To 14.0.0
This major release bumps the MariaDB version to 11.1. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-between-minor-versions-on-linux/) for upgrading from MariaDB 11.0 to 11.1. No major issues are expected during the upgrade.
### To 13.0.0
This major release bumps the MariaDB version to 11.0. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-0/) for upgrading from MariaDB 10.11 to 11.0. No major issues are expected during the upgrade.
### To 11.0.0
This major release bumps default MariaDB branch to 10.6. Follow the [official instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/) from upgrading between 10.5 and 10.6.
No major issues are expected during the upgrade.
### To 10.0.0
This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository.
Affected values:
- `primary.service.port` was deprecated, we recommend using `primary.service.ports.mysql` instead.
- `primary.service.nodePort` was deprecated, we recommend using `primary.service.nodePorts.mysql` instead.
- `secondary.service.port` was deprecated, we recommend using `secondary.service.ports.mysql` instead.
- `secondary.service.nodePort` was deprecated, we recommend using `secondary.service.nodePorts.mysql` instead.
- `metrics.serviceMonitor.additionalLabels` was deprecated, we recommend using `metrics.serviceMonitor.selector` instead.
- `primary.pdb.enabled` renamed as `primary.pdb.create`.
- `secondary.pdb.enabled` renamed as `secondary.pdb.create`.
- `primary.updateStrategy` changed from String type (previously default to 'rollingUpdate') to Object type, allowing users to configure other updateStrategy parameters, similar to other charts.
- Removed value `primary.rollingUpdatePartition`, now configured using `primary.updateStrategy` setting `primary.updateStrategy.rollingUpdate.partition`.
- `secondary.updateStrategy` changed from String type (previously default to 'rollingUpdate') to Object type, allowing users to configure other updateStrategy parameters, similar to other charts.
- Removed value `secondary.rollingUpdatePartition`, now configured using `secondary.updateStrategy` setting `secondary.updateStrategy.rollingUpdate.partition`.
- `metrics.serviceMonitor.relabellings`, previously used to configure ServiceMonitor metricRelabelings, has been replaced with the value `metrics.serviceMonitor.metricRelabelings`, and new value `metrics.serviceMonitor.relabelings` can be used to set ServiceMonitor relabelings parameter
### To 9.0.0
[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
### To 8.0.0
- Several parameters were renamed or disappeared in favor of new ones on this major version:
- The terms _master_ and _slave_ have been replaced by the terms _primary_ and _secondary_. Therefore, parameters prefixed with `master` or `slave` are now prefixed with `primary` or `secondary`, respectively.
- `securityContext.*` is deprecated in favor of `primary.podSecurityContext`, `primary.containerSecurityContext`, `secondary.podSecurityContext`, and `secondary.containerSecurityContext`.
- Credentials parameter are reorganized under the `auth` parameter.
- `replication.enabled` parameter is deprecated in favor of `architecture` parameter that accepts two values: `standalone` and `replication`.
- The default MariaDB version was updated from 10.3 to 10.5. According to the official documentation, upgrading from 10.3 should be painless. However, there are some things that have changed which could affect an upgrade:
- [Incompatible changes upgrading from MariaDB 10.3 to MariaDB 10.4](https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104).
- [Incompatible changes upgrading from MariaDB 10.4 to MariaDB 10.5](https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/#incompatible-changes-between-104-and-105).
- Chart labels were adapted to follow the [Helm charts standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels).
- This version also introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/main/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade.
Consequences:
Backwards compatibility is not guaranteed. To upgrade to `8.0.0`, install a new release of the MariaDB chart, and migrate the data from your previous release. You have 2 alternatives to do so:
- Create a backup of the database, and restore it on the new release using tools such as [mysqldump](https://mariadb.com/kb/en/mysqldump/).
- Reuse the PVC used to hold the master data on your previous release. To do so, use the `primary.persistence.existingClaim` parameter. The following example assumes that the release name is `mariadb`:
```console
helm install mariadb oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb --set auth.rootPassword=[ROOT_PASSWORD] --set primary.persistence.existingClaim=[EXISTING_PVC]
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
| Note: you need to substitute the placeholder _[EXISTING_PVC]_ with the name of the PVC used on your previous release, and _[ROOT_PASSWORD]_ with the root password used in your previous release.
### To 7.0.0
Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec.
In <https://github.com/helm/charts/pull/17308> the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage.
This major version bump signifies this change.
### To 6.0.0
MariaDB version was updated from 10.1 to 10.3, there are no changes in the chart itself. According to the official documentation, upgrading from 10.1 should be painless. However, there are some things that have changed which could affect an upgrade:
- [Incompatible changes upgrading from MariaDB 10.1 to MariaDB 10.2](https://mariadb.com/kb/en/library/upgrading-from-mariadb-101-to-mariadb-102//#incompatible-changes-between-101-and-102)
- [Incompatible changes upgrading from MariaDB 10.2 to MariaDB 10.3](https://mariadb.com/kb/en/library/upgrading-from-mariadb-102-to-mariadb-103/#incompatible-changes-between-102-and-103)
### To 5.0.0
Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
Use the workaround below to upgrade from versions previous to 5.0.0. The following example assumes that the release name is mariadb:
```console
kubectl delete statefulset opencart-mariadb --cascade=false
```
## License
Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
<http://www.apache.org/licenses/LICENSE-2.0>
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

77
charts/mariadb/mariadb/templates/NOTES.txt Normal file
View File

@ -0,0 +1,77 @@
CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
** Please be patient while the chart is being deployed **
{{- if .Values.diagnosticMode.enabled }}
The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}
Get the list of pods by executing:
kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
Access the pod you want to debug by executing
kubectl exec --namespace {{ .Release.Namespace }} -ti <NAME OF THE POD> -- bash
In order to replicate the container startup scripts execute this command:
/opt/bitnami/scripts/mariadb/entrypoint.sh /opt/bitnami/scripts/mariadb/run.sh
{{- else }}
Tip:
Watch the deployment status using the command: kubectl get pods -w --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
Services:
echo Primary: {{ include "mariadb.primary.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ coalesce .Values.primary.service.ports.mysql .Values.primary.service.port }}
{{- if eq .Values.architecture "replication" }}
echo Secondary: {{ include "mariadb.secondary.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ coalesce .Values.secondary.service.ports.mysql .Values.secondary.service.port }}
{{- end }}
Administrator credentials:
Username: root
Password : $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "mariadb.secretName" . }} -o jsonpath="{.data.mariadb-root-password}" | base64 -d)
To connect to your database:
1. Run a pod that you can use as a client:
kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --image {{ template "mariadb.image" . }} --namespace {{ .Release.Namespace }} --command -- bash
2. To connect to primary service (read/write):
mysql -h {{ include "mariadb.primary.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -uroot -p {{ .Values.auth.database }}
{{- if eq .Values.architecture "replication" }}
3. To connect to secondary service (read-only):
mysql -h {{ include "mariadb.secondary.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -uroot -p {{ .Values.auth.database }}
{{- end }}
To upgrade this helm chart:
1. Obtain the password as described on the 'Administrator credentials' section and set the 'auth.rootPassword' parameter as shown below:
ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "mariadb.secretName" . }} -o jsonpath="{.data.mariadb-root-password}" | base64 -d)
helm upgrade --namespace {{ .Release.Namespace }} {{ .Release.Name }} oci://registry-1.docker.io/bitnamicharts/mariadb --set auth.rootPassword=$ROOT_PASSWORD
{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "common.warnings.rollingTag" .Values.metrics.image }}
{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
{{- include "mariadb.validateValues" . }}
{{- if not .Values.auth.customPasswordFiles -}}
{{- $passwordValidationErrors := include "common.validations.values.mariadb.passwords" (dict "secret" (include "common.names.fullname" .) "context" $) -}}
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}}
{{- end }}
{{- end }}
{{- include "common.warnings.resources" (dict "sections" (list "metrics" "primary" "secondary" "volumePermissions") "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }}

164
charts/mariadb/mariadb/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,164 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{- define "mariadb.primary.fullname" -}}
{{- if eq .Values.architecture "replication" }}
{{- printf "%s-%s" (include "common.names.fullname" .) .Values.primary.name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- include "common.names.fullname" . -}}
{{- end -}}
{{- end -}}
{{- define "mariadb.secondary.fullname" -}}
{{- printf "%s-%s" (include "common.names.fullname" .) .Values.secondary.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the proper MariaDB image name
*/}}
{{- define "mariadb.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper metrics image name
*/}}
{{- define "mariadb.metrics.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper image name (for the init container volume-permissions image)
*/}}
{{- define "mariadb.volumePermissions.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "mariadb.imagePullSecrets" -}}
{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }}
{{- end -}}
{{ template "mariadb.initdbScriptsCM" . }}
{{/*
Get the initialization scripts ConfigMap name.
*/}}
{{- define "mariadb.initdbScriptsCM" -}}
{{- if .Values.initdbScriptsConfigMap -}}
{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}}
{{- else -}}
{{- printf "%s-init-scripts" (include "mariadb.primary.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "mariadb.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the configmap with the MariaDB Primary configuration
*/}}
{{- define "mariadb.primary.configmapName" -}}
{{- if .Values.primary.existingConfigmap -}}
{{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}}
{{- else -}}
{{- printf "%s" (include "mariadb.primary.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap object should be created for MariaDB Secondary
*/}}
{{- define "mariadb.primary.createConfigmap" -}}
{{- if and .Values.primary.configuration (not .Values.primary.existingConfigmap) }}
{{- true -}}
{{- else -}}
{{- end -}}
{{- end -}}
{{/*
Return the configmap with the MariaDB Primary configuration
*/}}
{{- define "mariadb.secondary.configmapName" -}}
{{- if .Values.secondary.existingConfigmap -}}
{{- printf "%s" (tpl .Values.secondary.existingConfigmap $) -}}
{{- else -}}
{{- printf "%s" (include "mariadb.secondary.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap object should be created for MariaDB Secondary
*/}}
{{- define "mariadb.secondary.createConfigmap" -}}
{{- if and (eq .Values.architecture "replication") .Values.secondary.configuration (not .Values.secondary.existingConfigmap) }}
{{- true -}}
{{- else -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret with MariaDB credentials
*/}}
{{- define "mariadb.secretName" -}}
{{- if .Values.auth.existingSecret -}}
{{- printf "%s" (tpl .Values.auth.existingSecret $) -}}
{{- else -}}
{{- printf "%s" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a secret object should be created for MariaDB
*/}}
{{- define "mariadb.createSecret" -}}
{{- if not (or .Values.auth.existingSecret .Values.auth.customPasswordFiles) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message, and call fail.
*/}}
{{- define "mariadb.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "mariadb.validateValues.architecture" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/* Validate values of MariaDB - must provide a valid architecture */}}
{{- define "mariadb.validateValues.architecture" -}}
{{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "replication") -}}
mariadb: architecture
Invalid architecture selected. Valid values are "standalone" and
"replication". Please set a valid architecture (--set architecture="xxxx")
{{- end -}}
{{- end -}}
{{/*
Get existing password to access MariaDB
*/}}
{{- define "mariadb.secret.existPassword" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "mariadb.secretName" .)).data -}}
{{- if hasKey $secret "mariadb-password" }}
{{- true -}}
{{- end -}}
{{- end -}}

9
charts/mariadb/mariadb/templates/extra-list.yaml Normal file
View File

@ -0,0 +1,9 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}

76
charts/mariadb/mariadb/templates/networkpolicy.yaml Normal file
View File

@ -0,0 +1,76 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ template "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
policyTypes:
- Ingress
- Egress
{{- if .Values.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow connection to other cluster pods
- ports:
- port: {{ .Values.primary.containerPorts.mysql }}
- port: {{ .Values.secondary.containerPorts.mysql }}
to:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.primary.containerPorts.mysql }}
- port: {{ .Values.secondary.containerPorts.mysql }}
{{- if .Values.metrics.enabled }}
- port: {{ .Values.metrics.containerPorts.http }}
{{- end }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}

20
charts/mariadb/mariadb/templates/primary/configmap.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if (include "mariadb.primary.createConfigmap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "mariadb.primary.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: primary
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
my.cnf: |-
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }}
{{- end -}}

19
charts/mariadb/mariadb/templates/primary/initialization-configmap.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.initdbScripts (not .Values.initdbScriptsConfigMap) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-init-scripts" (include "mariadb.primary.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: primary
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
{{- include "common.tplvalues.render" (dict "value" .Values.initdbScripts "context" .) | nindent 2 }}
{{ end }}

28
charts/mariadb/mariadb/templates/primary/pdb.yaml Normal file
View File

@ -0,0 +1,28 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.primary.pdb.create }}
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ include "mariadb.primary.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: primary
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.primary.pdb.minAvailable }}
minAvailable: {{ .Values.primary.pdb.minAvailable }}
{{- end }}
{{- if or .Values.primary.pdb.maxUnavailable (not .Values.primary.pdb.minAvailable) }}
maxUnavailable: {{ .Values.primary.pdb.maxUnavailable | default 1 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: primary
{{- end }}

443
charts/mariadb/mariadb/templates/primary/statefulset.yaml Normal file
View File

@ -0,0 +1,443 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ include "mariadb.primary.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: primary
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: 1
revisionHistoryLimit: {{ .Values.primary.revisionHistoryLimit }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: primary
serviceName: {{ include "mariadb.primary.fullname" . }}
{{- if .Values.primary.updateStrategy }}
updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }}
{{- end }}
template:
metadata:
annotations:
{{- if (include "mariadb.primary.createConfigmap" .) }}
checksum/configuration: {{ include (print $.Template.BasePath "/primary/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.primary.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.primary.podAnnotations "context" $) | nindent 8 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/component: primary
spec:
{{- include "mariadb.imagePullSecrets" . | nindent 6 }}
automountServiceAccountToken: {{ .Values.primary.automountServiceAccountToken }}
{{- if .Values.primary.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if or .Values.primary.schedulerName .Values.schedulerName }}
schedulerName: {{ (coalesce .Values.primary.schedulerName .Values.schedulerName) | quote }}
{{- end }}
serviceAccountName: {{ template "mariadb.serviceAccountName" . }}
{{- if .Values.primary.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.primary.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.primary.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.primary.schedulerName }}
schedulerName: {{ .Values.primary.schedulerName }}
{{- end }}
{{- if .Values.primary.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.primary.priorityClassName }}
priorityClassName: {{ .Values.primary.priorityClassName | quote }}
{{- else if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
{{- if .Values.primary.runtimeClassName }}
runtimeClassName: {{ .Values.primary.runtimeClassName | quote }}
{{- else if .Values.runtimeClassName }}
runtimeClassName: {{ .Values.runtimeClassName | quote }}
{{- end }}
{{- if .Values.primary.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
initContainers:
- name: preserve-logs-symlinks
image: {{ include "mariadb.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.primary.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.primary.resources }}
resources: {{ toYaml .Values.primary.resources | nindent 12 }}
{{- else if ne .Values.primary.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
{{- end }}
command:
- /bin/bash
args:
- -ec
- |
#!/bin/bash
. /opt/bitnami/scripts/libfs.sh
# We copy the logs folder because it has symlinks to stdout and stderr
if ! is_dir_empty /opt/bitnami/mariadb/logs; then
cp -r /opt/bitnami/mariadb/logs /emptydir/app-logs-dir
fi
volumeMounts:
- name: empty-dir
mountPath: /emptydir
{{- if and .Values.primary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.primary.persistence.enabled }}
- name: volume-permissions
image: {{ include "mariadb.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
command:
- /bin/bash
- -ec
- |
chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /bitnami/mariadb
securityContext:
runAsUser: 0
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /bitnami/mariadb
{{- if .Values.primary.persistence.subPath }}
subPath: {{ .Values.primary.persistence.subPath }}
{{- end }}
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if .Values.primary.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.primary.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: mariadb
image: {{ include "mariadb.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.primary.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
{{- else if .Values.primary.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else if .Values.primary.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.primary.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
{{- if .Values.auth.usePasswordFiles }}
- name: MARIADB_ROOT_PASSWORD_FILE
value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }}
{{- else }}
- name: MARIADB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "mariadb.secretName" . }}
key: mariadb-root-password
{{- end }}
{{- if not (empty .Values.auth.username) }}
- name: MARIADB_USER
value: {{ .Values.auth.username | quote }}
{{- if .Values.auth.usePasswordFiles }}
- name: MARIADB_PASSWORD_FILE
value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-password" .Values.auth.customPasswordFiles.user }}
{{- else }}
- name: MARIADB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "mariadb.secretName" . }}
key: mariadb-password
{{- end }}
{{- end }}
- name: MARIADB_DATABASE
value: {{ .Values.auth.database | quote }}
{{- if eq .Values.architecture "replication" }}
- name: MARIADB_REPLICATION_MODE
value: "master"
- name: MARIADB_REPLICATION_USER
value: {{ .Values.auth.replicationUser | quote }}
{{- if .Values.auth.usePasswordFiles }}
- name: MARIADB_REPLICATION_PASSWORD_FILE
value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-replication-password" .Values.auth.customPasswordFiles.replicator }}
{{- else }}
- name: MARIADB_REPLICATION_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "mariadb.secretName" . }}
key: mariadb-replication-password
{{- end }}
{{- end }}
{{- if .Values.primary.extraFlags }}
- name: MARIADB_EXTRA_FLAGS
value: "{{ .Values.primary.extraFlags }}"
{{- end }}
{{- if .Values.primary.startupWaitOptions }}
- name: MARIADB_STARTUP_WAIT_RETRIES
value: "{{ .Values.primary.startupWaitOptions.retries | default 300 }}"
- name: MARIADB_STARTUP_WAIT_SLEEP_TIME
value: "{{ .Values.primary.startupWaitOptions.sleepTime | default 2 }}"
{{- end }}
{{- if .Values.primary.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }}
envFrom:
{{- if .Values.primary.extraEnvVarsCM }}
- configMapRef:
name: {{ .Values.primary.extraEnvVarsCM }}
{{- end }}
{{- if .Values.primary.extraEnvVarsSecret }}
- secretRef:
name: {{ .Values.primary.extraEnvVarsSecret }}
{{- end }}
{{- end }}
ports:
- name: mysql
containerPort: {{ .Values.primary.containerPorts.mysql }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.primary.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.primary.startupProbe.enabled }}
startupProbe: {{- omit .Values.primary.startupProbe "enabled" | toYaml | nindent 12 }}
exec:
command:
- /bin/bash
- -ec
- |
password_aux="${MARIADB_ROOT_PASSWORD:-}"
if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then
password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE")
fi
mariadb-admin ping -uroot -p"${password_aux}"
{{- end }}
{{- if .Values.primary.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.primary.livenessProbe.enabled }}
livenessProbe: {{- omit .Values.primary.livenessProbe "enabled" | toYaml | nindent 12 }}
exec:
command:
- /bin/bash
- -ec
- |
password_aux="${MARIADB_ROOT_PASSWORD:-}"
if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then
password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE")
fi
mariadb-admin status -uroot -p"${password_aux}"
{{- end }}
{{- if .Values.primary.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.primary.readinessProbe.enabled }}
readinessProbe: {{- omit .Values.primary.readinessProbe "enabled" | toYaml | nindent 12 }}
exec:
command:
- /bin/bash
- -ec
- |
password_aux="${MARIADB_ROOT_PASSWORD:-}"
if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then
password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE")
fi
mariadb-admin ping -uroot -p"${password_aux}"
{{- end }}
{{- end }}
{{- if .Values.primary.resources }}
resources: {{ toYaml .Values.primary.resources | nindent 12 }}
{{- else if ne .Values.primary.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /bitnami/mariadb
{{- if .Values.primary.persistence.subPath }}
subPath: {{ .Values.primary.persistence.subPath }}
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
mountPath: /docker-entrypoint-initdb.d
{{- end }}
{{- if or .Values.primary.configuration .Values.primary.existingConfigmap }}
- name: config
mountPath: /opt/bitnami/mariadb/conf/my.cnf
subPath: my.cnf
{{- end }}
{{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
- name: mariadb-credentials
mountPath: /opt/bitnami/mariadb/secrets/
{{- end }}
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/mariadb/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/mariadb/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/mariadb/logs
subPath: app-logs-dir
{{- if .Values.primary.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ include "mariadb.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
{{- if .Values.metrics.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
env:
{{- if .Values.auth.usePasswordFiles }}
- name: MARIADB_ROOT_PASSWORD_FILE
value: {{ default "/opt/bitnami/mysqld-exporter/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }}
{{- else }}
- name: MARIADB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "mariadb.secretName" . }}
key: mariadb-root-password
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else }}
command:
- /bin/bash
- -ec
- |
password_aux="${MARIADB_ROOT_PASSWORD:-}"
if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then
password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE")
fi
MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:{{ .Values.primary.containerPorts.mysql }} --mysqld.username=root --web.listen-address=:{{ .Values.metrics.containerPorts.http }} {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }}
{{- end }}
ports:
- name: metrics
containerPort: {{ .Values.metrics.containerPorts.http }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.metrics.livenessProbe.enabled }}
livenessProbe: {{- omit .Values.metrics.livenessProbe "enabled" | toYaml | nindent 12 }}
httpGet:
path: /metrics
port: metrics
{{- end }}
{{- if .Values.metrics.readinessProbe.enabled }}
readinessProbe: {{- omit .Values.metrics.readinessProbe "enabled" | toYaml | nindent 12 }}
httpGet:
path: /metrics
port: metrics
{{- end }}
{{- end }}
{{- if .Values.metrics.resources }}
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- else if ne .Values.metrics.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
- name: mariadb-credentials
mountPath: /opt/bitnami/mysqld-exporter/secrets/
{{- end }}
{{- if .Values.metrics.extraVolumeMounts.primary }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts.primary "context" $) | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.primary.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.primary.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if or .Values.primary.configuration .Values.primary.existingConfigmap }}
- name: config
configMap:
name: {{ include "mariadb.primary.configmapName" . }}
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
configMap:
name: {{ template "mariadb.initdbScriptsCM" . }}
{{- end }}
{{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
- name: mariadb-credentials
secret:
secretName: {{ template "mariadb.secretName" . }}
items:
- key: mariadb-root-password
path: mariadb-root-password
- key: mariadb-password
path: mariadb-password
{{- if eq .Values.architecture "replication" }}
- key: mariadb-replication-password
path: mariadb-replication-password
{{- end }}
{{- end }}
{{- if .Values.primary.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }}
- name: data
persistentVolumeClaim:
claimName: {{ tpl .Values.primary.persistence.existingClaim . }}
{{- else if not .Values.primary.persistence.enabled }}
- name: data
emptyDir: {}
{{- else if and .Values.primary.persistence.enabled (not .Values.primary.persistence.existingClaim) }}
volumeClaimTemplates:
- metadata:
name: data
{{- $claimLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.persistence.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.matchLabels" ( dict "customLabels" $claimLabels "context" $ ) | nindent 10 }}
app.kubernetes.io/component: primary
{{- if .Values.primary.persistence.annotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.primary.persistence.annotations "context" $ ) | nindent 10 }}
{{- end }}
spec:
accessModes:
{{- range .Values.primary.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.primary.persistence.size | quote }}
{{ include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) }}
{{- if .Values.primary.persistence.selector }}
selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }}
{{- end -}}
{{- end }}

62
charts/mariadb/mariadb/templates/primary/svc.yaml Normal file
View File

@ -0,0 +1,62 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "mariadb.primary.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: primary
annotations:
{{- if or .Values.primary.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.annotations .Values.commonAnnotations ) "context" . ) }}
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.primary.service.type }}
{{- if and .Values.primary.service.clusterIP (eq .Values.primary.service.type "ClusterIP") }}
clusterIP: {{ .Values.primary.service.clusterIP }}
{{- end }}
{{- if and .Values.primary.service.externalTrafficPolicy (or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort")) }}
externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.primary.service.type "LoadBalancer") .Values.primary.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{- toYaml .Values.primary.service.loadBalancerSourceRanges | nindent 4 }}
{{ end }}
{{- if (and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP))) }}
loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }}
{{- end }}
{{- if .Values.primary.service.sessionAffinity }}
sessionAffinity: {{ .Values.primary.service.sessionAffinity }}
{{- end }}
{{- if .Values.primary.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
ports:
- name: mysql
port: {{ coalesce .Values.primary.service.ports.mysql .Values.primary.service.port }}
protocol: TCP
targetPort: mysql
{{- if (and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (coalesce .Values.primary.service.nodePorts.mysql .Values.primary.service.nodePort)) }}
nodePort: {{ coalesce .Values.primary.service.nodePorts.mysql .Values.primary.service.nodePort }}
{{- else if eq .Values.primary.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if and .Values.metrics.enabled (gt (.Values.primary.service.ports.metrics | int) 0) }}
- name: metrics
port: {{ .Values.primary.service.ports.metrics }}
protocol: TCP
targetPort: metrics
{{- end }}
{{- if .Values.primary.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: primary

24
charts/mariadb/mariadb/templates/prometheusrules.yaml Normal file
View File

@ -0,0 +1,24 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if .Values.metrics.prometheusRule.additionalLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
groups:
- name: {{ include "common.names.fullname" . }}
rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 6 }}
{{- end }}

23
charts/mariadb/mariadb/templates/role.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: Role
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
{{- end }}

23
charts/mariadb/mariadb/templates/rolebinding.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
kind: RoleBinding
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ include "mariadb.serviceAccountName" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "common.names.fullname" . -}}
{{- end }}

20
charts/mariadb/mariadb/templates/secondary/configmap.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if (include "mariadb.secondary.createConfigmap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "mariadb.secondary.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: secondary
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
my.cnf: |-
{{- include "common.tplvalues.render" ( dict "value" .Values.secondary.configuration "context" $ ) | nindent 4 }}
{{- end -}}

28
charts/mariadb/mariadb/templates/secondary/pdb.yaml Normal file
View File

@ -0,0 +1,28 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (eq .Values.architecture "replication") .Values.secondary.pdb.create }}
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ include "mariadb.secondary.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: secondary
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.secondary.pdb.minAvailable }}
minAvailable: {{ .Values.secondary.pdb.minAvailable }}
{{- end }}
{{- if or .Values.secondary.pdb.maxUnavailable (not .Values.secondary.pdb.minAvailable) }}
maxUnavailable: {{ .Values.secondary.pdb.maxUnavailable | default 1 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: secondary
{{- end }}

414
charts/mariadb/mariadb/templates/secondary/statefulset.yaml Normal file
View File

@ -0,0 +1,414 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if eq .Values.architecture "replication" }}
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ include "mariadb.secondary.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: secondary
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.secondary.replicaCount }}
revisionHistoryLimit: {{ .Values.secondary.revisionHistoryLimit }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: secondary
serviceName: {{ include "mariadb.secondary.fullname" . }}
podManagementPolicy: {{ .Values.secondary.podManagementPolicy }}
{{- if .Values.secondary.updateStrategy }}
updateStrategy: {{- toYaml .Values.secondary.updateStrategy | nindent 4 }}
{{- end }}
template:
metadata:
annotations:
{{- if (include "mariadb.secondary.createConfigmap" .) }}
checksum/configuration: {{ include (print $.Template.BasePath "/secondary/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.secondary.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.secondary.podAnnotations "context" $) | nindent 8 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/component: secondary
spec:
{{- include "mariadb.imagePullSecrets" . | nindent 6 }}
{{- if or .Values.secondary.schedulerName .Values.schedulerName }}
schedulerName: {{ (coalesce .Values.secondary.schedulerName .Values.schedulerName) | quote }}
{{- end }}
serviceAccountName: {{ template "mariadb.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.secondary.automountServiceAccountToken }}
{{- if .Values.secondary.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.secondary.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.secondary.podAffinityPreset "component" "secondary" "customLabels" $podLabels "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.secondary.podAntiAffinityPreset "component" "secondary" "customLabels" $podLabels "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.secondary.nodeAffinityPreset.type "key" .Values.secondary.nodeAffinityPreset.key "values" .Values.secondary.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.secondary.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.secondary.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.secondary.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.topologySpreadConstraints "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.secondary.priorityClassName }}
priorityClassName: {{ .Values.secondary.priorityClassName | quote }}
{{- else if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
{{- if .Values.secondary.runtimeClassName }}
runtimeClassName: {{ .Values.secondary.runtimeClassName | quote }}
{{- else if .Values.runtimeClassName }}
runtimeClassName: {{ .Values.runtimeClassName | quote }}
{{- end }}
{{- if .Values.secondary.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.secondary.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
initContainers:
- name: preserve-logs-symlinks
image: {{ include "mariadb.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.secondary.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.secondary.resources }}
resources: {{ toYaml .Values.secondary.resources | nindent 12 }}
{{- else if ne .Values.secondary.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.secondary.resourcesPreset) | nindent 12 }}
{{- end }}
command:
- /bin/bash
args:
- -ec
- |
#!/bin/bash
. /opt/bitnami/scripts/libfs.sh
# We copy the logs folder because it has symlinks to stdout and stderr
if ! is_dir_empty /opt/bitnami/mariadb/logs; then
cp -r /opt/bitnami/mariadb/logs /emptydir/app-logs-dir
fi
volumeMounts:
- name: empty-dir
mountPath: /emptydir
{{- if and .Values.secondary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.secondary.persistence.enabled }}
- name: volume-permissions
image: {{ include "mariadb.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
command:
- /bin/bash
- -ec
- |
chown -R {{ .Values.secondary.containerSecurityContext.runAsUser }}:{{ .Values.secondary.podSecurityContext.fsGroup }} /bitnami/mariadb
securityContext:
runAsUser: 0
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /bitnami/mariadb
{{- if .Values.secondary.persistence.subPath }}
subPath: {{ .Values.secondary.persistence.subPath }}
{{- end }}
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if .Values.secondary.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.secondary.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: mariadb
image: {{ include "mariadb.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.secondary.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.secondary.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
{{- else if .Values.secondary.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else if .Values.secondary.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.secondary.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
- name: MARIADB_REPLICATION_MODE
value: "slave"
- name: MARIADB_MASTER_HOST
value: {{ include "mariadb.primary.fullname" . }}
- name: MARIADB_MASTER_PORT_NUMBER
value: {{ coalesce .Values.primary.service.ports.mysql .Values.primary.service.port | quote }}
- name: MARIADB_MASTER_ROOT_USER
value: "root"
{{- if .Values.auth.usePasswordFiles }}
- name: MARIADB_MASTER_ROOT_PASSWORD_FILE
value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }}
{{- else }}
- name: MARIADB_MASTER_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "mariadb.secretName" . }}
key: mariadb-root-password
{{- end }}
- name: MARIADB_REPLICATION_USER
value: {{ .Values.auth.replicationUser | quote }}
{{- if .Values.auth.usePasswordFiles }}
- name: MARIADB_REPLICATION_PASSWORD_FILE
value: {{ default "/opt/bitnami/mariadb/secrets/mariadb-replication-password" .Values.auth.customPasswordFiles.replicator }}
{{- else }}
- name: MARIADB_REPLICATION_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "mariadb.secretName" . }}
key: mariadb-replication-password
{{- end }}
{{- if .Values.secondary.extraFlags }}
- name: MARIADB_EXTRA_FLAGS
value: "{{ .Values.secondary.extraFlags }}"
{{- end }}
{{- if .Values.secondary.startupWaitOptions }}
- name: MARIADB_STARTUP_WAIT_RETRIES
value: "{{ .Values.secondary.startupWaitOptions.retries | default 300 }}"
- name: MARIADB_STARTUP_WAIT_SLEEP_TIME
value: "{{ .Values.secondary.startupWaitOptions.sleepTime | default 2 }}"
{{- end }}
{{- if .Values.secondary.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if or .Values.secondary.extraEnvVarsCM .Values.secondary.extraEnvVarsSecret }}
envFrom:
{{- if .Values.secondary.extraEnvVarsCM }}
- configMapRef:
name: {{ .Values.secondary.extraEnvVarsCM }}
{{- end }}
{{- if .Values.secondary.extraEnvVarsSecret }}
- secretRef:
name: {{ .Values.secondary.extraEnvVarsSecret }}
{{- end }}
{{- end }}
ports:
- name: mysql
containerPort: {{ .Values.secondary.containerPorts.mysql }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.secondary.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.secondary.startupProbe.enabled }}
startupProbe: {{- omit .Values.secondary.startupProbe "enabled" | toYaml | nindent 12 }}
exec:
command:
- /bin/bash
- -ec
- |
password_aux="${MARIADB_MASTER_ROOT_PASSWORD:-}"
if [[ -f "${MARIADB_MASTER_ROOT_PASSWORD_FILE:-}" ]]; then
password_aux=$(cat "$MARIADB_MASTER_ROOT_PASSWORD_FILE")
fi
mariadb-admin ping -uroot -p"${password_aux}"
{{- end }}
{{- if .Values.secondary.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.secondary.livenessProbe.enabled }}
livenessProbe: {{- omit .Values.secondary.livenessProbe "enabled" | toYaml | nindent 12 }}
exec:
command:
- /bin/bash
- -ec
- |
password_aux="${MARIADB_MASTER_ROOT_PASSWORD:-}"
if [[ -f "${MARIADB_MASTER_ROOT_PASSWORD_FILE:-}" ]]; then
password_aux=$(cat "$MARIADB_MASTER_ROOT_PASSWORD_FILE")
fi
mariadb-admin status -uroot -p"${password_aux}"
{{- end }}
{{- if .Values.secondary.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.secondary.readinessProbe.enabled }}
readinessProbe: {{- omit .Values.secondary.readinessProbe "enabled" | toYaml | nindent 12 }}
exec:
command:
- /bin/bash
- -ec
- |
password_aux="${MARIADB_MASTER_ROOT_PASSWORD:-}"
if [[ -f "${MARIADB_MASTER_ROOT_PASSWORD_FILE:-}" ]]; then
password_aux=$(cat "$MARIADB_MASTER_ROOT_PASSWORD_FILE")
fi
mariadb-admin ping -uroot -p"${password_aux}"
{{- end }}
{{- end }}
{{- if .Values.secondary.resources }}
resources: {{ toYaml .Values.secondary.resources | nindent 12 }}
{{- else if ne .Values.secondary.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.secondary.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /bitnami/mariadb
{{- if .Values.secondary.persistence.subPath }}
subPath: {{ .Values.secondary.persistence.subPath }}
{{- end }}
{{- if or .Values.secondary.configuration .Values.secondary.existingConfigmap }}
- name: config
mountPath: /opt/bitnami/mariadb/conf/my.cnf
subPath: my.cnf
{{- end }}
{{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
- name: mariadb-credentials
mountPath: /opt/bitnami/mariadb/secrets/
{{- end }}
{{- if .Values.secondary.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/mariadb/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/mariadb/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/mariadb/logs
subPath: app-logs-dir
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ include "mariadb.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
{{- if .Values.metrics.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
env:
{{- if .Values.auth.usePasswordFiles }}
- name: MARIADB_ROOT_PASSWORD_FILE
value: {{ default "/opt/bitnami/mysqld-exporter/secrets/mariadb-root-password" .Values.auth.customPasswordFiles.root }}
{{- else }}
- name: MARIADB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "mariadb.secretName" . }}
key: mariadb-root-password
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else }}
command:
- /bin/bash
- -ec
- |
password_aux="${MARIADB_ROOT_PASSWORD:-}"
if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then
password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE")
fi
MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:{{ .Values.secondary.containerPorts.mysql }} --mysqld.username=root --web.listen-address=:{{ .Values.metrics.containerPorts.http }} {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }}
{{- end }}
ports:
- name: metrics
containerPort: {{ .Values.metrics.containerPorts.http }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.metrics.livenessProbe.enabled }}
livenessProbe: {{- omit .Values.metrics.livenessProbe "enabled" | toYaml | nindent 12 }}
httpGet:
path: /metrics
port: metrics
{{- end }}
{{- if .Values.metrics.readinessProbe.enabled }}
readinessProbe: {{- omit .Values.metrics.readinessProbe "enabled" | toYaml | nindent 12 }}
httpGet:
path: /metrics
port: metrics
{{- end }}
{{- end }}
{{- if .Values.metrics.resources }}
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- else if ne .Values.metrics.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
{{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
- name: mariadb-credentials
mountPath: /opt/bitnami/mysqld-exporter/secrets/
{{- end }}
- name: empty-dir
mountPath: /tmp
subPath: app-tmp-dir
{{- if .Values.metrics.extraVolumeMounts.secondary }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts.secondary "context" $) | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.secondary.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.secondary.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
{{- if or .Values.secondary.configuration .Values.secondary.existingConfigmap }}
- name: config
configMap:
name: {{ include "mariadb.secondary.configmapName" . }}
{{- end }}
{{- if and .Values.auth.usePasswordFiles (not .Values.auth.customPasswordFiles) }}
- name: mariadb-credentials
secret:
secretName: {{ template "mariadb.secretName" . }}
items:
- key: mariadb-root-password
path: mariadb-root-password
- key: mariadb-replication-password
path: mariadb-replication-password
{{- end }}
- name: empty-dir
emptyDir: {}
{{- if .Values.secondary.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- if not .Values.secondary.persistence.enabled }}
- name: data
emptyDir: {}
{{- else }}
volumeClaimTemplates:
- metadata:
name: data
{{- $claimLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.persistence.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.matchLabels" ( dict "customLabels" $claimLabels "context" $ ) | nindent 10 }}
app.kubernetes.io/component: secondary
{{- if .Values.secondary.persistence.annotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.secondary.persistence.annotations "context" $ ) | nindent 10 }}
{{- end }}
spec:
accessModes:
{{- range .Values.secondary.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.secondary.persistence.size | quote }}
{{ include "common.storage.class" (dict "persistence" .Values.secondary.persistence "global" .Values.global) }}
{{- if .Values.secondary.persistence.selector }}
selector: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.persistence.selector "context" $) | nindent 10 }}
{{- end -}}
{{- end }}
{{- end }}

64
charts/mariadb/mariadb/templates/secondary/svc.yaml Normal file
View File

@ -0,0 +1,64 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if eq .Values.architecture "replication" }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "mariadb.secondary.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: secondary
annotations:
{{- if or .Values.secondary.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.service.annotations .Values.commonAnnotations ) "context" . ) }}
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.secondary.service.type }}
{{- if and .Values.secondary.service.clusterIP (eq .Values.secondary.service.type "ClusterIP") }}
clusterIP: {{ .Values.secondary.service.clusterIP }}
{{- end }}
{{- if and .Values.secondary.service.externalTrafficPolicy (or (eq .Values.secondary.service.type "LoadBalancer") (eq .Values.secondary.service.type "NodePort")) }}
externalTrafficPolicy: {{ .Values.secondary.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.secondary.service.type "LoadBalancer") .Values.secondary.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{- toYaml .Values.secondary.service.loadBalancerSourceRanges | nindent 4 }}
{{ end }}
{{- if and (eq .Values.secondary.service.type "LoadBalancer") (not (empty .Values.secondary.service.loadBalancerIP)) }}
loadBalancerIP: {{ .Values.secondary.service.loadBalancerIP }}
{{- end }}
{{- if .Values.secondary.service.sessionAffinity }}
sessionAffinity: {{ .Values.secondary.service.sessionAffinity }}
{{- end }}
{{- if .Values.secondary.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
ports:
- name: mysql
port: {{ coalesce .Values.secondary.service.ports.mysql .Values.secondary.service.port }}
protocol: TCP
targetPort: mysql
{{- if (and (or (eq .Values.secondary.service.type "NodePort") (eq .Values.secondary.service.type "LoadBalancer")) (coalesce .Values.secondary.service.nodePorts.mysql .Values.secondary.service.nodePort)) }}
nodePort: {{ coalesce .Values.secondary.service.nodePorts.mysql .Values.secondary.service.nodePort }}
{{- else if eq .Values.secondary.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if and .Values.metrics.enabled (gt (.Values.secondary.service.ports.metrics | int) 0) }}
- name: metrics
port: {{ .Values.secondary.service.ports.metrics }}
protocol: TCP
targetPort: metrics
{{- end }}
{{- if .Values.secondary.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.secondary.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: secondary
{{- end }}

98
charts/mariadb/mariadb/templates/secrets.yaml Normal file
View File

@ -0,0 +1,98 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- $host := include "mariadb.primary.fullname" . }}
{{- $port := print .Values.primary.service.ports.mysql }}
{{- $rootPassword := include "common.secrets.passwords.manage" ( dict "secret" ( include "mariadb.secretName" . ) "key" "mariadb-root-password" "providedValues" ( list "auth.rootPassword" ) "context" $ ) | trimAll "\"" | b64dec }}
{{- $password := .Values.auth.password }}
{{- if and .Values.auth.username ( include "mariadb.secret.existPassword" . ) }}
{{- $password = include "common.secrets.passwords.manage" ( dict "secret" ( include "mariadb.secretName" . ) "key" "mariadb-password" "providedValues" ( list "auth.password" ) "context" $ ) | trimAll "\"" | b64dec }}
{{- else if ( and .Values.auth.username ( not .Values.auth.forcePassword ) ( empty .Values.auth.password ) ) }}
{{- $password = randAlphaNum 10 }}
{{- end }}
{{- if eq ( include "mariadb.createSecret" . ) "true" }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if ( not .Values.auth.forcePassword ) }}
mariadb-root-password: {{ print $rootPassword | b64enc | quote }}
{{- else }}
mariadb-root-password: {{ required "A MariaDB Root Password is required!" .Values.auth.rootPassword | b64enc | quote }}
{{- end }}
{{- if .Values.auth.username }}
{{- if ( not .Values.auth.forcePassword ) }}
mariadb-password: {{ print $password | b64enc | quote }}
{{- else }}
mariadb-password: {{ required "A MariaDB Database Password is required!" $password | b64enc | quote }}
{{- end }}
{{- end }}
{{- if eq .Values.architecture "replication" }}
{{- if ( not .Values.auth.forcePassword ) }}
mariadb-replication-password: {{ include "common.secrets.passwords.manage" ( dict "secret" ( include "common.names.fullname" . ) "key" "mariadb-replication-password" "providedValues" ( list "auth.replicationPassword" ) "context" $ ) }}
{{- else }}
mariadb-replication-password: {{ required "A MariaDB Replication Password is required!" .Values.auth.replicationPassword | b64enc | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.serviceBindings.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}-svcbind-root
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: servicebinding.io/mysql
data:
provider: {{ print "bitnami" | b64enc | quote }}
type: {{ print "mysql" | b64enc | quote }}
host: {{ print $host | b64enc | quote }}
port: {{ print $port | b64enc | quote }}
username: {{ print "root" | b64enc | quote }}
password: {{ print $rootPassword | b64enc | quote }}
uri: {{ printf "mysql://root:%s@%s:%s" $rootPassword $host $port | b64enc | quote }}
{{- if .Values.auth.username }}
{{- $database := .Values.auth.database }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}-svcbind-custom-user
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: servicebinding.io/mysql
data:
provider: {{ print "bitnami" | b64enc | quote }}
type: {{ print "mysql" | b64enc | quote }}
host: {{ print $host | b64enc | quote }}
port: {{ print $port | b64enc | quote }}
username: {{ print .Values.auth.username | b64enc | quote }}
{{- if $database }}
database: {{ print $database | b64enc | quote }}
{{- end }}
{{- if and .Values.auth.forcePassword ( empty $password ) }}
password: {{ required "A MariaDB Database Password is required!" $password | b64enc | quote }}
{{- else }}
password: {{ print $password | b64enc | quote }}
{{- end }}
uri: {{ printf "mysql://%s:%s@%s:%s/%s" .Values.auth.username $password $host $port $database | b64enc | quote }}
{{- end }}
{{- end }}

18
charts/mariadb/mariadb/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "mariadb.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}

44
charts/mariadb/mariadb/templates/servicemonitor.yaml Normal file
View File

@ -0,0 +1,44 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel | quote }}
endpoints:
- port: metrics
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelings }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
{{- if .Values.metrics.serviceMonitor.selector }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
{{- end }}
{{- end }}

176
charts/mariadb/mariadb/values.schema.json Normal file
View File

@ -0,0 +1,176 @@
{
"$schema": "http://json-schema.org/schema#",
"type": "object",
"properties": {
"architecture": {
"type": "string",
"title": "MariaDB architecture",
"form": true,
"description": "Allowed values: `standalone` or `replication`"
},
"auth": {
"type": "object",
"title": "Authentication configuration",
"form": true,
"properties": {
"rootPassword": {
"type": "string",
"title": "MariaDB root password",
"form": true,
"description": "Defaults to a random 10-character alphanumeric string if not set"
},
"database": {
"type": "string",
"title": "MariaDB custom database",
"description": "Name of the custom database to be created during the 1st initialization of MariaDB",
"form": true
},
"username": {
"type": "string",
"title": "MariaDB custom user",
"description": "Name of the custom user to be created during the 1st initialization of MariaDB. This user only has permissions on the MariaDB custom database",
"form": true
},
"password": {
"type": "string",
"title": "Password for MariaDB custom user",
"description": "Defaults to a random 10-character alphanumeric string if not set",
"form": true,
"hidden": {
"value": false,
"path": "usePassword"
}
},
"replicationUser": {
"type": "string",
"title": "MariaDB replication user",
"description": "Name of user used to manage replication.",
"form": true,
"hidden": {
"value": "standalone",
"path": "architecture"
}
},
"replicationPassword": {
"type": "string",
"title": "Password for MariaDB replication user",
"description": "Defaults to a random 10-character alphanumeric string if not set",
"form": true,
"hidden": {
"value": "standalone",
"path": "architecture"
}
}
}
},
"primary": {
"type": "object",
"title": "Primary replicas settings",
"form": true,
"properties": {
"persistence": {
"type": "object",
"title": "Persistence for primary replicas",
"form": true,
"properties": {
"enabled": {
"type": "boolean",
"form": true,
"title": "Enable persistence",
"description": "Enable persistence using Persistent Volume Claims"
},
"size": {
"type": "string",
"title": "Persistent Volume Size",
"form": true,
"render": "slider",
"sliderMin": 1,
"sliderMax": 100,
"sliderUnit": "Gi",
"hidden": {
"value": false,
"path": "persistence/enabled"
}
}
}
}
}
},
"secondary": {
"type": "object",
"title": "Secondary replicas settings",
"form": true,
"hidden": {
"value": false,
"path": "replication/enabled"
},
"properties": {
"persistence": {
"type": "object",
"title": "Persistence for secondary replicas",
"form": true,
"properties": {
"enabled": {
"type": "boolean",
"form": true,
"title": "Enable persistence",
"description": "Enable persistence using Persistent Volume Claims"
},
"size": {
"type": "string",
"title": "Persistent Volume Size",
"form": true,
"render": "slider",
"sliderMin": 1,
"sliderMax": 100,
"sliderUnit": "Gi",
"hidden": {
"value": false,
"path": "persistence/enabled"
}
}
}
}
}
},
"volumePermissions": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"form": true,
"title": "Enable Init Containers",
"description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination"
}
}
},
"metrics": {
"type": "object",
"form": true,
"title": "Prometheus metrics details",
"properties": {
"enabled": {
"type": "boolean",
"title": "Create Prometheus metrics exporter",
"description": "Create a side-car container to expose Prometheus metrics",
"form": true
},
"serviceMonitor": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"title": "Create Prometheus Operator ServiceMonitor",
"description": "Create a ServiceMonitor to track metrics using Prometheus Operator",
"form": true,
"hidden": {
"value": false,
"path": "metrics/enabled"
}
}
}
}
}
}
}
}

1373
charts/mariadb/mariadb/values.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

8
charts/mariadb/values-overrides.yaml Normal file
View File

@ -0,0 +1,8 @@
# @see https://artifacthub.io/packages/helm/bitnami/mariadb?modal=values
fullnameOverride: mariadb
# architecture: replication
architecture: standalone
auth:
username: drupal
database: drupal
existingSecret: mariadb

25
charts/phpmyadmin/phpmyadmin/.helmignore Normal file
View File

@ -0,0 +1,25 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# img folder
img/
# Changelog
CHANGELOG.md

9
charts/phpmyadmin/phpmyadmin/Chart.lock Normal file
View File

@ -0,0 +1,9 @@
dependencies:
- name: mariadb
repository: oci://registry-1.docker.io/bitnamicharts
version: 19.0.6
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.23.0
digest: sha256:8626b452b34cfdd615a5e97ad13de70344e5fd14ee39db107795e20d5006b3c8
generated: "2024-09-19T09:40:39.92295583Z"

38
charts/phpmyadmin/phpmyadmin/Chart.yaml Normal file
View File

@ -0,0 +1,38 @@
annotations:
category: Infrastructure
images: |
- name: apache-exporter
image: docker.io/bitnami/apache-exporter:1.0.8-debian-12-r9
- name: phpmyadmin
image: docker.io/bitnami/phpmyadmin:5.2.1-debian-12-r42
licenses: Apache-2.0
apiVersion: v2
appVersion: 5.2.1
dependencies:
- condition: db.bundleTestDB
name: mariadb
repository: oci://registry-1.docker.io/bitnamicharts
tags:
- phpmyadmin-database
version: 19.x.x
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
tags:
- bitnami-common
version: 2.x.x
description: phpMyAdmin is a free software tool written in PHP, intended to handle
the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations
on MySQL and MariaDB.
home: https://bitnami.com
icon: https://bitnami.com/assets/stacks/phpmyadmin/img/phpmyadmin-stack-220x234.png
keywords:
- mariadb
- mysql
- phpmyadmin
maintainers:
- name: Broadcom, Inc. All Rights Reserved.
url: https://github.com/bitnami/charts
name: phpmyadmin
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/phpmyadmin
version: 17.0.7

588
charts/phpmyadmin/phpmyadmin/README.md Normal file
View File

@ -0,0 +1,588 @@
<!--- app-name: phpMyAdmin -->
# Bitnami package for phpMyAdmin
phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL and MariaDB.
[Overview of phpMyAdmin](https://www.phpmyadmin.net/)
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
## TL;DR
```console
helm install my-release oci://registry-1.docker.io/bitnamicharts/phpmyadmin
```
Looking to use phpMyAdmin in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog.
## Introduction
This chart bootstraps a [phpMyAdmin](https://github.com/bitnami/containers/tree/main/bitnami/phpmyadmin) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
As a portable web application written primarily in PHP, phpMyAdmin has become one of the most popular MySQL administration tools, especially for web hosting services.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.23+
- Helm 3.8.0+
## Installing the Chart
To install the chart with the release name `my-release`:
```console
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/phpmyadmin
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
The command deploys phpMyAdmin on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Configuration and installation details
### Resource requests and limits
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
### [Rolling VS Immutable tags](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Ingress
This chart provides support for Ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress-controller](https://github.com/bitnami/charts/tree/main/bitnami/nginx-ingress-controller) or [contour](https://github.com/bitnami/charts/tree/main/bitnami/contour) you can utilize the ingress controller to serve your application.
To enable ingress integration, please set `ingress.enabled` to `true`.
#### Hosts
Most likely you will only want to have one hostname that maps to this phpMyAdmin installation. If that's your case, the property `ingress.hostname` will set it. However, it is possible to have more than one host. To facilitate this, the `ingress.extraHosts` object can be specified as an array. You can also use `ingress.extraTLS` to add the TLS configuration for extra hosts.
For each host indicated at `ingress.extraHosts`, please indicate a `name`, `path`, and any `annotations` that you may want the ingress controller to know about.
For annotations, please see [this document](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md). Not all annotations are supported by all ingress controllers, but this document does a good job of indicating which annotation is supported by many popular ingress controllers.
### TLS Secrets
This chart will facilitate the creation of TLS secrets for use with the ingress controller, however, this is not required. There are some common use cases:
- Helm generates and manages certificate secrets (default).
- User generates certificates and helm manages secrets.
- User generates and manages certificates separately.
- An additional tool (like [cert-manager](https://github.com/jetstack/cert-manager/)) manages the secrets for the application.
In the second case, a certificate and a key are needed. We would expect them to look like this:
- certificate files should look like (and there can be more than one certificate if there is a certificate chain)
```console
-----BEGIN CERTIFICATE-----
MIID6TCCAtGgAwIBAgIJAIaCwivkeB5EMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
...
jScrvkiBO65F46KioCL9h5tDvomdU1aqpI/CBzhvZn1c0ZTf87tGQR8NK7v7
-----END CERTIFICATE-----
```
- keys should look like:
```console
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvLYcyu8f3skuRyUgeeNpeDvYBCDcgq+LsWap6zbX5f8oLqp4
...
wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc=
-----END RSA PRIVATE KEY-----
```
If you are going to generate certificates yourself and want helm to manage the secret, please copy these values into the `certificate` and `key` values for a given `ingress.secrets` entry.
If you want to manage TLS secrets outside of Helm, please know that you can create a TLS secret and pass its name via the parameter `ingress.existingSecretName`.
To make use of cert-manager, you need to add the the `cert-manager.io/cluster-issuer:` annotation to the ingress object via `ingress.annotations`.
### Adding extra environment variables
In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property.
```yaml
extraEnvVars:
- name: LOG_LEVEL
value: DEBUG
```
Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values.
### Sidecars and Init Containers
If you have a need for additional containers to run within the same pod as the PhpMyAdmin app (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
```yaml
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
Similarly, you can add extra init containers using the `initContainers` parameter.
```yaml
initContainers:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
### Deploying extra resources
There are cases where you may want to deploy extra objects, such a ConfigMap containing your app's configuration or some extra deployment with a micro service used by your app. For covering this case, the chart allows adding the full specification of other objects using the `extraDeploy` parameter.
### Setting Pod's affinity
This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `XpodAntiAffinityPreset`, or `nodeAffinityPreset` parameters.
## Parameters
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
### Common parameters
| Name | Description | Value |
| ------------------- | -------------------------------------------------------------------------------------------- | --------------- |
| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` |
| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` |
| `fullnameOverride` | String to fully override common.names.fullname template | `""` |
| `commonLabels` | Add labels to all the deployed resources | `{}` |
| `commonAnnotations` | Add annotations to all the deployed resources | `{}` |
| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` |
| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
### phpMyAdmin parameters
| Name | Description | Value |
| -------------------- | ---------------------------------------------------------------------------------------------------------- | ---------------------------- |
| `image.registry` | phpMyAdmin image registry | `REGISTRY_NAME` |
| `image.repository` | phpMyAdmin image repository | `REPOSITORY_NAME/phpmyadmin` |
| `image.digest` | phpMyAdmin image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `image.debug` | Enable phpmyadmin image debug mode | `false` |
| `command` | Override default container command (useful when using custom images) | `[]` |
| `args` | Override default container args (useful when using custom images) | `[]` |
| `lifecycleHooks` | for the phpmyadmin container(s) to automate configuration before or after startup | `{}` |
| `extraEnvVars` | Extra environment variables to be set on PhpMyAdmin container | `[]` |
| `extraEnvVarsCM` | Name of a existing ConfigMap containing extra env vars | `""` |
| `extraEnvVarsSecret` | Name of a existing Secret containing extra env vars | `""` |
### phpMyAdmin deployment parameters
| Name | Description | Value |
| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
| `automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `hostAliases` | Deployment pod host aliases | `[]` |
| `containerPorts.http` | HTTP port to expose at container level | `8080` |
| `containerPorts.https` | HTTPS port to expose at container level | `8443` |
| `extraContainerPorts` | Optionally specify extra list of additional ports for phpMyAdmin container(s) | `[]` |
| `updateStrategy.type` | Strategy to use to update Pods | `RollingUpdate` |
| `podSecurityContext.enabled` | Enable phpMyAdmin pods' Security Context | `true` |
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | User ID for the container | `1001` |
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `replicas` | Number of replicas | `1` |
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `startupProbe.enabled` | Enable startupProbe | `false` |
| `startupProbe.httpGet.path` | Request path for startupProbe | `/` |
| `startupProbe.httpGet.port` | Port for startupProbe | `http` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `30` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.tcpSocket.port` | Port for livenessProbe | `http` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `30` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.httpGet.path` | Request path for readinessProbe | `/` |
| `readinessProbe.httpGet.port` | Port for readinessProbe | `http` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `30` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `customStartupProbe` | Override default startup probe | `{}` |
| `customLivenessProbe` | Override default liveness probe | `{}` |
| `customReadinessProbe` | Override default readiness probe | `{}` |
| `podLabels` | Extra labels for PhpMyAdmin pods | `{}` |
| `podAnnotations` | Annotations for PhpMyAdmin pods | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `affinity` | Affinity for pod assignment. Evaluated as a template. | `{}` |
| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` |
| `tolerations` | Tolerations for pod assignment. Evaluated as a template. | `[]` |
| `priorityClassName` | phpmyadmin pods' priorityClassName | `""` |
| `schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `extraVolumes` | Optionally specify extra list of additional volumes for PhpMyAdmin pods | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for PhpMyAdmin container(s) | `[]` |
| `initContainers` | Add init containers to the PhpMyAdmin pods | `[]` |
| `pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` |
| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` |
| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. | `""` |
| `sidecars` | Add sidecar containers to the PhpMyAdmin pods | `[]` |
### Traffic Exposure parameters
| Name | Description | Value |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.ports.http` | Service HTTP port | `80` |
| `service.ports.https` | Service HTTPS port | `443` |
| `service.nodePorts.http` | Kubernetes http node port | `""` |
| `service.nodePorts.https` | Kubernetes https node port | `""` |
| `service.clusterIP` | PhpMyAdmin service clusterIP IP | `""` |
| `service.loadBalancerIP` | Load balancer IP for the phpMyAdmin Service (optional, cloud specific) | `""` |
| `service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `service.annotations` | Provide any additional annotations that may be required for the PhpMyAdmin service | `{}` |
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `ingress.enabled` | Set to true to enable ingress record generation | `false` |
| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
| `ingress.hostname` | When the ingress is enabled, a host pointing to this will be created | `phpmyadmin.local` |
| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
| `ingress.path` | Default path for the ingress record | `/` |
| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` |
| `ingress.tls` | Enable TLS configuration for the hostname defined at `ingress.hostname` parameter | `false` |
| `ingress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` |
| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` |
| `ingress.secrets` | If you're providing your own certificates and want to manage the secret via helm, | `[]` |
| `ingress.existingSecretName` | If you're providing your own certificate and want to manage the secret yourself, | `""` |
| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` |
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |
### Database parameters
| Name | Description | Value |
| -------------------------- | ----------------------------------------------------------------- | ------- |
| `db.allowArbitraryServer` | Enable connection to arbitrary MySQL server | `true` |
| `db.port` | Database port to use to connect | `3306` |
| `db.chartName` | Database suffix if included in the same release | `""` |
| `db.host` | Database Hostname. Ignored when `db.chartName` is set. | `""` |
| `db.bundleTestDB` | Deploy a MariaDB instance for testing purposes | `false` |
| `db.enableSsl` | Enable SSL for the connection between phpMyAdmin and the database | `false` |
| `db.ssl.clientKey` | Client key file when using SSL | `""` |
| `db.ssl.clientCertificate` | Client certificate file when using SSL | `""` |
| `db.ssl.caCertificate` | CA file when using SSL | `""` |
| `db.ssl.ciphers` | List of allowable ciphers for connections when using SSL | `[]` |
| `db.ssl.verify` | Enable SSL certificate validation | `true` |
| `mariadb` | MariaDB chart configuration | `{}` |
### Other Parameters
| Name | Description | Value |
| --------------------------------------------- | ---------------------------------------------------------------------- | ------- |
| `serviceAccount.create` | Enable creation of ServiceAccount for PhpMyAdmin pod | `true` |
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
### Metrics parameters
| Name | Description | Value |
| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
| `metrics.enabled` | Start a side-car prometheus exporter | `false` |
| `metrics.image.registry` | Apache exporter image registry | `REGISTRY_NAME` |
| `metrics.image.repository` | Apache exporter image repository | `REPOSITORY_NAME/apache-exporter` |
| `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` |
| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `metrics.service.type` | Prometheus metrics service type | `ClusterIP` |
| `metrics.service.port` | Prometheus metrics service port | `9117` |
| `metrics.service.annotations` | Annotations for Prometheus metrics service | `{}` |
| `metrics.service.clusterIP` | phpmyadmin service Cluster IP | `""` |
| `metrics.service.loadBalancerIP` | Load Balancer IP if the Prometheus metrics server type is `LoadBalancer` | `""` |
| `metrics.service.loadBalancerSourceRanges` | phpmyadmin service Load Balancer sources | `[]` |
| `metrics.service.externalTrafficPolicy` | phpmyadmin service external traffic policy | `Cluster` |
| `metrics.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `metrics.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` |
| `metrics.serviceMonitor.namespace` | Specify the namespace in which the serviceMonitor resource will be created | `""` |
| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
| `metrics.serviceMonitor.interval` | Specify the interval at which metrics should be scraped | `30s` |
| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` |
| `metrics.serviceMonitor.metricRelabelings` | Specify Metric Relabelings to add to the scrape endpoint | `[]` |
| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` |
| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
| `metrics.serviceMonitor.selector` | ServiceMonitor selector labels | `{}` |
### NetworkPolicy parameters
| Name | Description | Value |
| --------------------------------------- | --------------------------------------------------------------- | ------ |
| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
For more information please refer to the [bitnami/phpmyadmin](https://github.com/bitnami/containers/tree/main/bitnami/phpmyadmin) image documentation.
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
helm install my-release \
--set db.host=mymariadb,db.port=3306 oci://REGISTRY_NAME/REPOSITORY_NAME/phpmyadmin
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
The above command sets the phpMyAdmin to connect to a database in `mymariadb` host and `3306` port respectively.
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
```console
helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/phpmyadmin
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/phpmyadmin/values.yaml)
## Troubleshooting
Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
## Upgrading
### To 17.0.0
This major release bumps the MariaDB version to 11.4. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-11-3-to-mariadb-11-4/) for upgrading from MariaDB 11.3 to 11.4. No major issues are expected during the upgrade.
### To 16.0.0
This major bump changes the following security defaults:
- `runAsGroup` is changed from `0` to `1001`
- `readOnlyRootFilesystem` is set to `true`
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
- The `networkPolicy` section has been normalized amongst all Bitnami charts. Compared to the previous approach, the values section has been simplified (check the Parameters section) and now it set to `enabled=true` by default. Egress traffic is allowed by default and ingress traffic is allowed by all pods but only to the ports set in `containerPorts` and `extraContainerPorts`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
### To 15.0.0
This major release bumps the MariaDB chart version to [18.x.x](https://github.com/bitnami/charts/pull/24804); no major issues are expected during the upgrade.
### To 14.0.0
This major release bumps the MariaDB version to 11.2. No major issues are expected during the upgrade.
### To 13.0.0
This major release bumps the MariaDB version to 11.1. No major issues are expected during the upgrade.
### To 12.0.0
This major release bumps the MariaDB version to 11.0. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-0/) for upgrading from MariaDB 10.11 to 11.0. No major issues are expected during the upgrade.
### To 11.0.0
This major release bumps the MariaDB version to 10.11. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for upgrading from MariaDB 10.6 to 10.11. No major issues are expected during the upgrade.
### To 10.0.0
This major release bumps the MariaDB version to 10.6. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/) for upgrading from MariaDB 10.5 to 10.6. No major issues are expected during the upgrade.
### To 9.0.0
This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository.
Affected values:
- `service.port` was deprecated. We recommend using `service.ports.http` instead.
- `service.httpsPort` was deprecated. We recommend using `service.ports.https` instead.
- `metrics.serviceMonitor.additionalLabels` renamed as `metrics.serviceMonitor.labels`
Additionally updates the MariaDB subchart to it newest major, 10.0.0, which contains similar changes. Check [MariaDB Upgrading Notes](https://github.com/bitnami/charts/tree/main/bitnami/mariadb#to-1000) for more information.
### To 8.0.0
- Chart labels were adapted to follow the [Helm charts standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels).
Consequences:
- Backwards compatibility is not guaranteed. However, you can easily workaround this issue by removing PhpMyAdmin deployment before upgrading (the following example assumes that the release name is `phpmyadmin`):
```console
export MARIADB_ROOT_PASSWORD=$(kubectl get secret --namespace default phpmyadmin-mariadb -o jsonpath="{.data.mariadb-root-password}" | base64 -d)
export MARIADB_PASSWORD=$(kubectl get secret --namespace default phpmyadmin-mariadb -o jsonpath="{.data.mariadb-password}" | base64 -d)
kubectl delete deployments.apps phpmyadmin
helm upgrade phpmyadmin oci://REGISTRY_NAME/REPOSITORY_NAME/phpmyadmin --set mariadb.auth.rootPassword=$MARIADB_ROOT_PASSWORD,mariadb.auth.password=$MARIADB_PASSWORD
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
### To 7.0.0
In this major there were two main changes introduced:
1. Adaptation to Helm v2 EOL
2. Updated MariaDB dependency version
Please read the update notes carefully.
#### 1. Adaptation to Helm v2 EOL
[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
##### What changes were introduced in this major version?
- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
- Move dependency information from the *requirements.yaml* to the *Chart.yaml*
- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock*
- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
##### Considerations when upgrading to this version
- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
##### Useful links
- <https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-resolve-helm2-helm3-post-migration-issues-index.html>
- <https://helm.sh/docs/topics/v2_v3_migration/>
- <https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/>
#### 2. Updated MariaDB dependency version
In this major the MariaDB dependency version was also bumped to a new major version that introduces several incompatilibites. Therefore, backwards compatibility is not guaranteed unless an external database is used. Check [MariaDB Upgrading Notes](https://github.com/bitnami/charts/tree/main/bitnami/mariadb#to-800) for more information.
To upgrade to `7.0.0`, it should be done reusing the PVCs used to hold both the MariaDB and phpMyAdmin data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is `phpmyadmin` and that `db.bundleTestDB=true` when the chart was first installed):
> NOTE: Please, create a backup of your database before running any of those actions. The steps below would be only valid if your application (e.g. any plugins or custom code) is compatible with MariaDB 10.5.x
Obtain the credentials and the names of the PVCs used to hold both the MariaDB and phpMyAdmin data on your current release:
```console
export MARIADB_ROOT_PASSWORD=$(kubectl get secret --namespace default phpmyadmin-mariadb -o jsonpath="{.data.mariadb-root-password}" | base64 -d)
export MARIADB_PASSWORD=$(kubectl get secret --namespace default phpmyadmin-mariadb -o jsonpath="{.data.mariadb-password}" | base64 -d)
export MARIADB_PVC=$(kubectl get pvc -l app=mariadb,component=master,release=phpmyadmin -o jsonpath="{.items[0].metadata.name}")
```
Delete the phpMyAdmin deployment and delete the MariaDB statefulsets:
```console
kubectl delete deployments.apps phpmyadmin
kubectl delete statefulsets.apps phpmyadmin-mariadb-master
kubectl delete statefulsets.apps phpmyadmin-mariadb-slave
```
Now the upgrade works:
```console
helm upgrade phpmyadmin oci://REGISTRY_NAME/REPOSITORY_NAME/phpmyadmin --set mariadb.primary.persistence.existingClaim=$MARIADB_PVC --set mariadb.auth.rootPassword=$MARIADB_ROOT_PASSWORD --set mariadb.auth.password=$MARIADB_PASSWORD --set db.bundleTestDB=true
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
Finally, you should see the lines below in MariaDB container logs:
```console
$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=phpmyadmin,app.kubernetes.io/name=mariadb,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}")
...
mariadb 12:13:24.98 INFO ==> Using persisted data
mariadb 12:13:25.01 INFO ==> Running mysql_upgrade
...
```
### To 6.0.0
The [Bitnami phpMyAdmin](https://github.com/bitnami/containers/tree/main/bitnami/phpmyadmin) image was migrated to a "non-root" user approach. Previously the container ran as the `root` user and the Apache daemon was started as the `daemon` user. From now on, both the container and the Apache daemon run as user `1001`. You can revert this behavior by setting the parameters `containerSecurityContext.runAsUser` to `root`.
Chart labels and Ingress configuration were also adapted to follow the Helm charts best practices.
Consequences:
- The HTTP/HTTPS ports exposed by the container are now `8080/8443` instead of `80/443`.
- No writing permissions will be granted on `config.inc.php` by default.
- Backwards compatibility is not guaranteed.
To upgrade to `6.0.0`, backup your previous MariaDB databases, install a new phpMyAdmin chart and import the MariaDB backups.
This version also introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/main/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade.
### To 1.0.0
Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
Use the workaround below to upgrade from versions previous to `1.0.0`. The following example assumes that the release name is `phpmyadmin`:
```console
kubectl patch deployment phpmyadmin-phpmyadmin --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]'
```
## License
Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
<http://www.apache.org/licenses/LICENSE-2.0>
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

69
charts/phpmyadmin/phpmyadmin/templates/NOTES.txt Normal file
View File

@ -0,0 +1,69 @@
CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
** Please be patient while the chart is being deployed **
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
You should be able to access your new phpMyAdmin installation through
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.hostname }}/
{{- else if eq .Values.service.type "LoadBalancer" }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "common.names.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
{{- $port:=( coalesce .Values.service.ports.http .Values.service.port) | toString }}
echo "phpMyAdmin URL: http://$SERVICE_IP{{- if ne $port "80" }}:{{coalesce .Values.service.ports.http .Values.service.port }}{{ end }}/"
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }}'
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo "phpMyAdmin URL: http://$NODE_IP:$NODE_PORT"
{{- else if contains "ClusterIP" .Values.service.type }}
echo "phpMyAdmin URL: http://127.0.0.1:{{coalesce .Values.service.ports.http .Values.service.port }}"
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{coalesce .Values.service.ports.http .Values.service.port }}:{{coalesce .Values.service.ports.http .Values.service.port }}
{{- end }}
2. How to log in
{{- if or (.Values.db.chartName) (.Values.db.host) }}
phpMyAdmin has been configured to connect to a database in {{ if .Values.db.chartName }}{{ template "phpmyadmin.dbfullname" . }}{{ else }}{{ .Values.db.host }}{{ end }}
{{- if .Values.db.port }}with port {{ .Values.db.port }} {{ end }}
Please login using a database username and password.
{{- else if .Values.db.bundleTestDB }}
For testing purposes, phpMyAdmin has been configured to point to a test MariaDB
instance. Please login using the following credentials:
Username: root
Password : $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "phpmyadmin.mariadb.fullname" . }} -o jsonpath="{.data.mariadb-root-password}" | base64 -d)
{{- else }}
phpMyAdmin has not been configure to point to a specific database. Please provide the db host,
username and password at log in or upgrade the release with a specific database:
$ helm upgrade {{ .Release.Name }} oci://registry-1.docker.io/bitnamicharts/phpmyadmin --set db.host=mydb
{{- end }}
{{- include "phpmyadmin.validateValues" . -}}
{{- include "phpmyadmin.checkRollingTags" . -}}
{{- $passwordValidationErrors := list -}}
{{- if .Values.mariadb.enabled }}
{{- $mariadbSecretName := include "magento.databaseSecretName" . -}}
{{- $mariadbPasswordValidationErrors := include "common.validations.values.mariadb.passwords" (dict "secret" $mariadbSecretName "subchart" true "context" $) -}}
{{- $passwordValidationErrors = append $passwordValidationErrors $mariadbPasswordValidationErrors -}}
{{- end }}
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $) -}}
{{- include "common.warnings.resources" (dict "sections" (list "metrics" "") "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.metrics.image) "context" $) }}

86
charts/phpmyadmin/phpmyadmin/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,86 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper PHPMyAdmin image name
*/}}
{{- define "phpmyadmin.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper image name (for the metrics image)
*/}}
{{- define "phpmyadmin.metrics.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "phpmyadmin.imagePullSecrets" -}}
{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image) "global" .Values.global) -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "phpmyadmin.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "phpmyadmin.mariadb.fullname" -}}
{{- printf "%s-%s" .Release.Name "mariadb" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a fully qualified database name if the database is part of the same release than phpmyadmin.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "phpmyadmin.dbfullname" -}}
{{- printf "%s-%s" .Release.Name .Values.db.chartName | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Compile all warnings into a single message, and call fail.
*/}}
{{- define "phpmyadmin.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "phpmyadmin.validateValues.db.ssl" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/* Validate values of phpMyAdmin - must provide a valid database ssl configuration */}}
{{- define "phpmyadmin.validateValues.db.ssl" -}}
{{- if and .Values.db.enableSsl (empty .Values.db.ssl.clientKey) (empty .Values.db.ssl.clientCertificate) (empty .Values.db.ssl.caCertificate) -}}
phpMyAdmin: db.ssl
Invalid database ssl configuration. You enabled SSL for the connection
between phpMyAdmin and the database but no key/certificates were provided
(--set db.ssl.clientKey="xxxx", --set db.ssl.clientCertificate="yyyy")
{{- end -}}
{{- end -}}
{{/*
Check if there are rolling tags in the images
*/}}
{{- define "phpmyadmin.checkRollingTags" -}}
{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "common.warnings.rollingTag" .Values.metrics.image }}
{{- end -}}

27
charts/phpmyadmin/phpmyadmin/templates/certs.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.db.enableSsl }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-certs" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if not (empty .Values.db.ssl.clientKey) }}
server_key.pem: {{ .Values.db.ssl.clientKey | b64enc | quote }}
{{- end }}
{{- if not (empty .Values.db.ssl.clientCertificate) }}
server_certificate.pem: {{ .Values.db.ssl.clientCertificate | b64enc | quote }}
{{- end }}
{{- if not (empty .Values.db.ssl.caCertificate) }}
ca_certificate.pem: {{ .Values.db.ssl.caCertificate | b64enc | quote }}
{{- end }}
{{- end }}

306
charts/phpmyadmin/phpmyadmin/templates/deployment.yaml Normal file
View File

@ -0,0 +1,306 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
replicas: {{ .Values.replicas }}
strategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }}
template:
metadata:
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
{{- if or .Values.podAnnotations (and .Values.metrics.enabled .Values.metrics.podAnnotations) }}
annotations:
{{- if .Values.podAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $) | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- include "phpmyadmin.imagePullSecrets" . | nindent 6 }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
{{- if .Values.hostAliases }}
# yamllint disable rule:indentation
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
# yamllint enable rule:indentation
{{- end }}
{{- if .Values.affinity }}
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }}
{{- end }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- if .Values.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.serviceAccount.create }}
serviceAccountName: {{ template "phpmyadmin.serviceAccountName" . }}
{{- end }}
initContainers:
- name: prepare-base-dir
image: {{ include "phpmyadmin.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
command:
- /bin/bash
args:
- -ec
- |
#!/bin/bash
. /opt/bitnami/scripts/liblog.sh
. /opt/bitnami/scripts/libfs.sh
info "Copying base dir to empty dir"
# In order to not break the application functionality (such as upgrades or plugins) we need
# to make the base directory writable, so we need to copy it to an empty dir volume
cp -r --preserve=mode /opt/bitnami/phpmyadmin /emptydir/app-base-dir
info "Copying symlinks to stdout/stderr"
# We copy the logs folder because it has symlinks to stdout and stderr
if ! is_dir_empty /opt/bitnami/apache/logs; then
cp -r /opt/bitnami/apache/logs /emptydir/apache-logs-dir
fi
info "Copying php var directory"
# PhpMyAdmin will fail to start if the php var folder is not populated
if ! is_dir_empty /opt/bitnami/php/var; then
cp -r /opt/bitnami/php/var /emptydir/php-var-dir
fi
info "Copy operation completed"
volumeMounts:
- name: empty-dir
mountPath: /emptydir
{{- if .Values.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ template "phpmyadmin.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
- name: DATABASE_PORT_NUMBER
value: {{ .Values.db.port | quote }}
{{- if .Values.db.chartName }}
- name: DATABASE_HOST
value: {{ (include "phpmyadmin.dbfullname" .) | quote }}
{{- else if .Values.db.bundleTestDB }}
- name: DATABASE_HOST
value: {{ (include "phpmyadmin.mariadb.fullname" .) | quote }}
{{- else }}
- name: DATABASE_HOST
value: {{ .Values.db.host | quote }}
{{- end }}
{{- if and (not .Values.db.chartName) (not .Values.db.host) }}
- name: PHPMYADMIN_ALLOW_NO_PASSWORD
value: "true"
- name: PHPMYADMIN_ALLOW_ARBITRARY_SERVER
value: {{ .Values.db.allowArbitraryServer | quote }}
{{- else }}
- name: PHPMYADMIN_ALLOW_NO_PASSWORD
value: "false"
{{- end }}
- name: DATABASE_ENABLE_SSL
value: {{ ternary "yes" "no" .Values.db.enableSsl | quote }}
{{- if .Values.db.enableSsl }}
{{- if not (empty .Values.db.ssl.clientKey) }}
- name: DATABASE_SSL_KEY
value: "/db_certs/server_key.pem"
{{- end }}
{{- if not (empty .Values.db.ssl.clientCertificate) }}
- name: DATABASE_SSL_CERT
value: "/db_certs/server_certificate.pem"
{{- end }}
{{- if not (empty .Values.db.ssl.caCertificate) }}
- name: DATABASE_SSL_CA
value: "/db_certs/ca_certificate.pem"
{{- end }}
{{- if .Values.db.ssl.ciphers }}
- name: DATABASE_SSL_CIPHERS
values: {{ .Values.db.ssl.ciphers | quote }}
{{- end }}
- name: DATABASE_SSL_VERIFY
value: {{ ternary "yes" "no" .Values.db.ssl.verify | quote }}
{{- end }}
{{- if .Values.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }}
envFrom:
{{- if .Values.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.containerPorts.http }}
protocol: TCP
- name: https
containerPort: {{ .Values.containerPorts.https }}
protocol: TCP
{{- if .Values.extraContainerPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraContainerPorts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.startupProbe.enabled }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.livenessProbe.enabled }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /opt/bitnami/apache/conf
subPath: apache-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/apache/logs
subPath: apache-logs-dir
- name: empty-dir
mountPath: /opt/bitnami/apache/var/run
subPath: apache-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/php/etc
subPath: php-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/php/tmp
subPath: php-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/php/var
subPath: php-var-dir
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/phpmyadmin
subPath: app-base-dir
{{- if .Values.db.enableSsl }}
- name: ssl-certs
mountPath: /db_certs
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ template "phpmyadmin.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
command: ['/bin/apache_exporter', '--scrape_uri', 'http://status.localhost:8080/server-status/?auto']
ports:
- name: metrics
containerPort: 9117
livenessProbe:
httpGet:
path: /metrics
port: metrics
initialDelaySeconds: 15
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /metrics
port: metrics
initialDelaySeconds: 5
timeoutSeconds: 1
{{- if .Values.metrics.resources }}
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- else if ne .Values.metrics.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if .Values.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if .Values.db.enableSsl }}
- name: ssl-certs
secret:
secretName: {{ printf "%s-certs" (include "common.names.fullname" .) }}
items:
{{- if not (empty .Values.db.ssl.clientKey) }}
- key: server_key.pem
path: server_key.pem
{{- end }}
{{- if not (empty .Values.db.ssl.clientCertificate) }}
- key: server_certificate.pem
path: server_certificate.pem
{{- end }}
{{- if not (empty .Values.db.ssl.caCertificate) }}
- key: ca_certificate.pem
path: ca_certificate.pem
{{- end }}
{{- end }}
{{- if .Values.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
{{- end }}

9
charts/phpmyadmin/phpmyadmin/templates/extra-list.yaml Normal file
View File

@ -0,0 +1,9 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}

65
charts/phpmyadmin/phpmyadmin/templates/ingress.yaml Normal file
View File

@ -0,0 +1,65 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.ingress.enabled }}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if or .Values.ingress.annotations .Values.commonAnnotations .Values.ingress.certManager }}
annotations:
{{- if .Values.ingress.certManager }}
kubernetes.io/tls-acme: "true"
{{- end }}
{{- if or .Values.ingress.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }}
{{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
{{- end }}
spec:
{{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
{{- end }}
rules:
{{- if .Values.ingress.hostname }}
- host: {{ .Values.ingress.hostname }}
http:
paths:
{{- if .Values.ingress.extraPaths }}
{{- toYaml .Values.ingress.extraPaths | nindent 10 }}
{{- end }}
- path: {{ .Values.ingress.path }}
{{- if eq "true" (include "common.ingress.supportsPathType" .) }}
pathType: {{ .Values.ingress.pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "http" "context" $) | nindent 14 }}
{{- end }}
{{- range .Values.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default "/" .path }}
{{- if eq "true" (include "common.ingress.supportsPathType" $) }}
pathType: {{ default "ImplementationSpecific" .pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.ingress.extraRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }}
{{- end }}
{{- if or .Values.ingress.tls .Values.ingress.extraTls }}
tls:
{{- if .Values.ingress.tls }}
- hosts:
- {{ .Values.ingress.hostname }}
secretName: {{ .Values.ingress.existingSecretName | default (printf "%s-tls" .Values.ingress.hostname) }}
{{- end }}
{{- if .Values.ingress.extraTls }}
{{- include "common.tplvalues.render" ( dict "value" .Values.ingress.extraTls "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

45
charts/phpmyadmin/phpmyadmin/templates/metrics-svc.yaml Normal file
View File

@ -0,0 +1,45 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-metrics" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if or .Values.metrics.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.metrics.service.type }}
{{- if and .Values.metrics.service.clusterIP (eq .Values.metrics.service.type "ClusterIP") }}
clusterIP: {{ .Values.metrics.service.clusterIP }}
{{- end }}
{{- if (or (eq .Values.metrics.service.type "LoadBalancer") (eq .Values.metrics.service.type "NodePort")) }}
externalTrafficPolicy: {{ .Values.metrics.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if eq .Values.metrics.service.type "LoadBalancer" }}
loadBalancerSourceRanges: {{ .Values.metrics.service.loadBalancerSourceRanges }}
{{- end }}
{{- if (and (eq .Values.metrics.service.type "LoadBalancer") (not (empty .Values.metrics.service.loadBalancerIP))) }}
loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }}
{{- end }}
{{- if .Values.metrics.service.sessionAffinity }}
sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
{{- end }}
{{- if .Values.metrics.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
ports:
- port: {{ .Values.metrics.service.port }}
targetPort: metrics
protocol: TCP
name: metrics
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
{{- end }}

80
charts/phpmyadmin/phpmyadmin/templates/networkpolicy.yaml Normal file
View File

@ -0,0 +1,80 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
policyTypes:
- Ingress
- Egress
{{- if .Values.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow outbound connections to MariaDB
- ports:
- port: {{ .Values.db.port }}
{{- if .Values.db.bundleTestDB }}
to:
- podSelector:
matchLabels:
app.kubernetes.io/name: mariadb
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- if .Values.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.containerPorts.http }}
- port: {{ .Values.containerPorts.https }}
{{- range .Values.extraContainerPorts }}
- port: {{ . }}
{{- end }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}

26
charts/phpmyadmin/phpmyadmin/templates/pdb.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.pdb.create }}
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.pdb.minAvailable }}
minAvailable: {{ .Values.pdb.minAvailable }}
{{- end }}
{{- if or .Values.pdb.maxUnavailable ( not .Values.pdb.minAvailable ) }}
maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
{{- end }}

59
charts/phpmyadmin/phpmyadmin/templates/service.yaml Normal file
View File

@ -0,0 +1,59 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if or .Values.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
{{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if .Values.service.sessionAffinity }}
sessionAffinity: {{ .Values.service.sessionAffinity }}
{{- end }}
{{- if .Values.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
ports:
- name: http
port: {{ coalesce .Values.service.ports.http .Values.service.port }}
protocol: TCP
targetPort: http
{{- if (and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.http))) }}
nodePort: {{ .Values.service.nodePorts.http }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
- name: https
port: {{ coalesce .Values.service.ports.https .Values.service.httpsPort }}
protocol: TCP
targetPort: https
{{- if (and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.https))) }}
nodePort: {{ .Values.service.nodePorts.https }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if .Values.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}

18
charts/phpmyadmin/phpmyadmin/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ template "phpmyadmin.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
{{- end }}

46
charts/phpmyadmin/phpmyadmin/templates/servicemonitor.yaml Normal file
View File

@ -0,0 +1,46 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel | quote }}
endpoints:
- port: metrics
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelings }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: metrics
{{- if .Values.metrics.serviceMonitor.selector }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
{{- end }}
{{- end }}

43
charts/phpmyadmin/phpmyadmin/templates/tls-secrets.yaml Normal file
View File

@ -0,0 +1,43 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.ingress.enabled (not .Values.ingress.existingSecretName) }}
{{- if .Values.ingress.secrets }}
{{- range .Values.ingress.secrets }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .name }}
namespace: {{ $.Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }}
{{- if $.Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ .certificate | b64enc }}
tls.key: {{ .key | b64enc }}
---
{{- end }}
{{- else if and .Values.ingress.tls (and (not (hasKey .Values.ingress.annotations "cert-manager.io/cluster-issuer")) (not .Values.ingress.certManager)) }}
{{- $secretName := printf "%s-tls" .Values.ingress.hostname }}
{{- $ca := genCA "phpmyadmin-ca" 365 }}
{{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
{{- end }}
{{- end }}

803
charts/phpmyadmin/phpmyadmin/values.yaml Normal file
View File

@ -0,0 +1,803 @@
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
##
global:
imageRegistry: ""
## E.g.
## imagePullSecrets:
## - myRegistryKeySecretName
##
imagePullSecrets: []
defaultStorageClass: ""
## Compatibility adaptations for Kubernetes platforms
##
compatibility:
## Compatibility adaptations for Openshift
##
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: disabled
## @section Common parameters
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname template
##
fullnameOverride: ""
## @param commonLabels Add labels to all the deployed resources
##
commonLabels: {}
## @param commonAnnotations Add annotations to all the deployed resources
##
commonAnnotations: {}
## @param clusterDomain Kubernetes Cluster Domain
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## @section phpMyAdmin parameters
## Bitnami PhpMyAdmin image version
## ref: https://hub.docker.com/r/bitnami/phpmyadmin/tags/
## @param image.registry [default: REGISTRY_NAME] phpMyAdmin image registry
## @param image.repository [default: REPOSITORY_NAME/phpmyadmin] phpMyAdmin image repository
## @skip image.tag phpMyAdmin image tag (immutable tags are recommended)
## @param image.digest phpMyAdmin image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy Image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
## @param image.debug Enable phpmyadmin image debug mode
##
image:
registry: docker.io
repository: bitnami/phpmyadmin
tag: 5.2.1-debian-12-r42
digest: ""
## Specify a imagePullPolicy
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## Enable debug mode
##
debug: false
## @param command Override default container command (useful when using custom images)
##
command: []
## @param args Override default container args (useful when using custom images)
##
args: []
## @param lifecycleHooks for the phpmyadmin container(s) to automate configuration before or after startup
##
lifecycleHooks: {}
## @param extraEnvVars Extra environment variables to be set on PhpMyAdmin container
## For example:
## extraEnvVars:
## - name: PHP_UPLOAD_MAX_FILESIZE
## value: "80M"
##
extraEnvVars: []
## @param extraEnvVarsCM Name of a existing ConfigMap containing extra env vars
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of a existing Secret containing extra env vars
##
extraEnvVarsSecret: ""
## @section phpMyAdmin deployment parameters
## @param automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
## @param hostAliases [array] Deployment pod host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases:
## Necessary for apache-exporter to work
##
- ip: "127.0.0.1"
hostnames:
- "status.localhost"
## phpMyAdmin container ports to open
## @param containerPorts.http HTTP port to expose at container level
## @param containerPorts.https HTTPS port to expose at container level
##
containerPorts:
http: 8080
https: 8443
## @param extraContainerPorts Optionally specify extra list of additional ports for phpMyAdmin container(s)
## e.g:
## extraContainerPorts:
## - name: myservice
## containerPort: 9090
##
extraContainerPorts: []
## @param updateStrategy.type Strategy to use to update Pods
##
updateStrategy:
## StrategyType
## Can be set to RollingUpdate or OnDelete
##
type: RollingUpdate
## phpMyAdmin pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enable phpMyAdmin pods' Security Context
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup User ID for the container
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## phpMyAdmin containers' Security Context (only main container)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## phpMyAdmin number of pod replicas
## @param replicas Number of replicas
replicas: 1
## phpMyAdmin containers' resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "micro"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## phpMyAdmin containers' startup probe. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
## @param startupProbe.enabled Enable startupProbe
## @param startupProbe.httpGet.path Request path for startupProbe
## @param startupProbe.httpGet.port Port for startupProbe
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold for startupProbe
## @param startupProbe.successThreshold Success threshold for startupProbe
##
startupProbe:
enabled: false
initialDelaySeconds: 30
timeoutSeconds: 30
periodSeconds: 10
successThreshold: 1
failureThreshold: 6
httpGet:
path: /
port: http
## phpMyAdmin containers' liveness probe. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
## @param livenessProbe.enabled Enable livenessProbe
## @param livenessProbe.tcpSocket.port Port for livenessProbe
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
enabled: true
initialDelaySeconds: 30
timeoutSeconds: 30
periodSeconds: 10
successThreshold: 1
failureThreshold: 6
tcpSocket:
port: http
## phpMyAdmin containers' readiness probes. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
## @param readinessProbe.enabled Enable readinessProbe
## @param readinessProbe.httpGet.path Request path for readinessProbe
## @param readinessProbe.httpGet.port Port for readinessProbe
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
enabled: true
initialDelaySeconds: 30
timeoutSeconds: 30
periodSeconds: 10
successThreshold: 1
failureThreshold: 6
httpGet:
path: /
port: http
## @param customStartupProbe Override default startup probe
##
customStartupProbe: {}
## @param customLivenessProbe Override default liveness probe
##
customLivenessProbe: {}
## @param customReadinessProbe Override default readiness probe
##
customReadinessProbe: {}
## @param podLabels Extra labels for PhpMyAdmin pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param podAnnotations Annotations for PhpMyAdmin pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node affinity preset
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
##
type: ""
## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
## E.g.
## key: "kubernetes.io/e2e-az-name"
##
key: ""
## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
## E.g.
## values:
## - e2e-az1
## - e2e-az2
##
values: []
## @param affinity Affinity for pod assignment. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
##
affinity: {}
## @param nodeSelector Node labels for pod assignment. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param tolerations Tolerations for pod assignment. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param priorityClassName phpmyadmin pods' priorityClassName
##
priorityClassName: ""
## @param schedulerName Name of the k8s scheduler (other than default)
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment
## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
## The value is evaluated as a template
##
topologySpreadConstraints: []
## @param extraVolumes Optionally specify extra list of additional volumes for PhpMyAdmin pods
##
extraVolumes: []
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for PhpMyAdmin container(s)
##
extraVolumeMounts: []
## @param initContainers Add init containers to the PhpMyAdmin pods
## Example:
## initContainers:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
initContainers: []
## Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
## @param pdb.create Enable/disable a Pod Disruption Budget creation
## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
##
pdb:
create: true
minAvailable: ""
maxUnavailable: ""
## @param sidecars Add sidecar containers to the PhpMyAdmin pods
## Example:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
##
sidecars: []
## @section Traffic Exposure parameters
## Service configuration
##
service:
## @param service.type Kubernetes Service type
##
type: ClusterIP
## @param service.ports.http Service HTTP port
## @param service.ports.https Service HTTPS port
##
ports:
http: 80
https: 443
## Specify the nodePort values for the LoadBalancer and NodePort service types
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
## @param service.nodePorts.http Kubernetes http node port
## @param service.nodePorts.https Kubernetes https node port
##
nodePorts:
http: ""
https: ""
## @param service.clusterIP PhpMyAdmin service clusterIP IP
## e.g:
## clusterIP: None
##
clusterIP: ""
## @param service.loadBalancerIP Load balancer IP for the phpMyAdmin Service (optional, cloud specific)
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
##
loadBalancerIP: ""
## @param service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## Example:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## @param service.externalTrafficPolicy Enable client source IP preservation
## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
##
externalTrafficPolicy: Cluster
## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
##
extraPorts: []
## @param service.annotations Provide any additional annotations that may be required for the PhpMyAdmin service
##
annotations: {}
## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
## If "ClientIP", consecutive client requests will be directed to the same Pod
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
##
sessionAffinity: None
## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
## sessionAffinityConfig:
## clientIP:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
## Ingress configuration
##
ingress:
## @param ingress.enabled Set to true to enable ingress record generation
##
enabled: false
## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
##
apiVersion: ""
## DEPRECATED: Use ingress.annotations instead of ingress.certManager
## certManager: false
##
## @param ingress.hostname When the ingress is enabled, a host pointing to this will be created
##
hostname: phpmyadmin.local
## @param ingress.pathType Ingress path type
##
pathType: ImplementationSpecific
## @param ingress.path Default path for the ingress record
## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
##
path: /
## @param ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
## e.g:
## extraPaths:
## - path: /*
## backend:
## serviceName: ssl-redirect
## servicePort: use-annotation
##
extraPaths: []
## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
## For a full list of possible ingress annotations, please see
## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
## Use this parameter to set the required annotations for cert-manager, see
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
##
## e.g:
## annotations:
## kubernetes.io/ingress.class: nginx
## cert-manager.io/cluster-issuer: cluster-issuer-name
##
annotations: {}
## @param ingress.tls Enable TLS configuration for the hostname defined at `ingress.hostname` parameter
## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
## You can use the ingress.secrets parameter to create this TLS secret, relay on cert-manager to create it, or
## let the chart create self-signed certificates for you
##
tls: false
## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
## Example:
## extraHosts:
## - name: phpmyadmin.local
## path: /
##
extraHosts: []
## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
## Example:
## extraTls:
## - hosts:
## - phpmyadmin.local
## secretName: phpmyadmin.local-tls
##
extraTls: []
## @param ingress.secrets If you're providing your own certificates and want to manage the secret via helm,
## please use this to add the certificates as secrets key and certificate should start with
## -----BEGIN CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY-----
## name should line up with a secretName set further up
##
## If it is not set and you're using cert-manager, this is unneeded, as it will create the secret for you
## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created
## It is also possible to create and manage the certificates outside of this helm chart
## Please see README.md for more information
##
## Example
## secrets:
## - name: phpmyadmin.local-tls
## key: ""
## certificate: ""
##
secrets: []
## @param ingress.existingSecretName If you're providing your own certificate and want to manage the secret yourself,
## please provide the name of the secret with this parameter. This secret will then be used for tls termination.
## It has higher priority than the cert-manager or the generation of the certificate from the chart.
##
## Example:
## existingSecretName: "byo-phpmyadmin-tls"
##
existingSecretName: ""
## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
##
ingressClassName: ""
## @param ingress.extraRules Additional rules to be covered with this ingress record
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
## e.g:
## extraRules:
## - host: phpmyadmin.local
## http:
## path: /
## backend:
## service:
## name: phpmyadmin-svc
## port:
## name: http
##
extraRules: []
## @section Database parameters
## Database configuration
##
db:
## @param db.allowArbitraryServer Enable connection to arbitrary MySQL server
## If you do not want the user to be able to specify an arbitrary MySQL server at login time, set this to false
##
allowArbitraryServer: true
## @param db.port Database port to use to connect
##
port: 3306
## @param db.chartName Database suffix if included in the same release
## If you are deploying phpMyAdmin as part of a release and the database is part
## of the release, you can pass a suffix that will be used to find the database
## in releasename-dbSuffix. Please note that this setting precedes db.host
## e.g:
## chartName: mariadb
##
chartName: ""
## @param db.host Database Hostname. Ignored when `db.chartName` is set.
## e.g:
## host: foo
##
host: ""
## @param db.bundleTestDB Deploy a MariaDB instance for testing purposes
##
bundleTestDB: false
## @param db.enableSsl Enable SSL for the connection between phpMyAdmin and the database
##
enableSsl: false
ssl:
## @param db.ssl.clientKey Client key file when using SSL
##
clientKey: ""
## @param db.ssl.clientCertificate Client certificate file when using SSL
##
clientCertificate: ""
## @param db.ssl.caCertificate CA file when using SSL
##
caCertificate: ""
## @param db.ssl.ciphers List of allowable ciphers for connections when using SSL
##
ciphers: []
## @param db.ssl.verify Enable SSL certificate validation
##
verify: true
## @param mariadb MariaDB chart configuration
## https://github.com/bitnami/charts/blob/main/bitnami/mariadb/values.yaml
##
mariadb: {}
## @section Other Parameters
## Service account for PhpMyAdmin to use.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
## @param serviceAccount.create Enable creation of ServiceAccount for PhpMyAdmin pod
##
create: true
## @param serviceAccount.name The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the common.names.fullname template
##
name: ""
## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
## Can be set to false if pods using this serviceAccount do not need to use K8s API
##
automountServiceAccountToken: false
## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
##
annotations: {}
## @section Metrics parameters
## Prometheus Exporter / Metrics
##
metrics:
## @param metrics.enabled Start a side-car prometheus exporter
##
enabled: false
## @param metrics.image.registry [default: REGISTRY_NAME] Apache exporter image registry
## @param metrics.image.repository [default: REPOSITORY_NAME/apache-exporter] Apache exporter image repository
## @skip metrics.image.tag Apache exporter image tag (immutable tags are recommended)
## @param metrics.image.digest Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param metrics.image.pullPolicy Image pull policy
## @param metrics.image.pullSecrets Specify docker-registry secret names as an array
##
image:
registry: docker.io
repository: bitnami/apache-exporter
tag: 1.0.8-debian-12-r9
digest: ""
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - myRegistryKeySecretName
##
pullSecrets: []
## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "nano"
## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
##
resources: {}
## Prometheus Exporter service configuration
##
service:
## @param metrics.service.type Prometheus metrics service type
##
type: ClusterIP
## @param metrics.service.port Prometheus metrics service port
##
port: 9117
## @param metrics.service.annotations [object] Annotations for Prometheus metrics service
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "{{ .Values.metrics.service.port }}"
## @param metrics.service.clusterIP phpmyadmin service Cluster IP
## e.g.:
## clusterIP: None
##
clusterIP: ""
## @param metrics.service.loadBalancerIP Load Balancer IP if the Prometheus metrics server type is `LoadBalancer`
## Use serviceLoadBalancerIP to request a specific static IP, otherwise leave blank
##
loadBalancerIP: ""
## @param metrics.service.loadBalancerSourceRanges phpmyadmin service Load Balancer sources
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
## e.g:
## loadBalancerSourceRanges:
## - 10.10.10.0/24
##
loadBalancerSourceRanges: []
## @param metrics.service.externalTrafficPolicy phpmyadmin service external traffic policy
## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
##
externalTrafficPolicy: Cluster
## @param metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
## If "ClientIP", consecutive client requests will be directed to the same Pod
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
##
sessionAffinity: None
## @param metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity
## sessionAffinityConfig:
## clientIP:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
## Prometheus Service Monitor
## ref: https://github.com/coreos/prometheus-operator
## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
##
serviceMonitor:
## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
##
enabled: false
## @param metrics.serviceMonitor.namespace Specify the namespace in which the serviceMonitor resource will be created
##
namespace: ""
## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
##
jobLabel: ""
## @param metrics.serviceMonitor.interval Specify the interval at which metrics should be scraped
##
interval: 30s
## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
## e.g:
## scrapeTimeout: 30s
##
scrapeTimeout: ""
## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
##
relabelings: []
## @param metrics.serviceMonitor.metricRelabelings Specify Metric Relabelings to add to the scrape endpoint
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
##
metricRelabelings: []
## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
##
labels: {}
## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
##
honorLabels: false
## @param metrics.serviceMonitor.selector ServiceMonitor selector labels
## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
##
## selector:
## prometheus: my-prometheus
##
selector: {}
## @section NetworkPolicy parameters
## Network Policy configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
##
enabled: true
## @param networkPolicy.allowExternal Don't require server label for connections
## The Policy model to apply. When set to false, only pods with the correct
## server label will have network access to the ports server is listening
## on. When true, server will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
## - ports:
## - port: 1234
## from:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
extraIngress: []
## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraEgress:
## - ports:
## - port: 1234
## to:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraEgress: []
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}

6
charts/phpmyadmin/values-overrides.yaml Normal file
View File

@ -0,0 +1,6 @@
fullnameOverride: phpmyadmin
db:
allowArbitraryServer: false
port: 3306
host: "mariadb.futureporn.svc.cluster.local"
bundleTestDB: false

1370
charts/traefik/traefik/Changelog.md
View File

File diff suppressed because it is too large Load Diff

20
charts/traefik/traefik/Chart.yaml
View File

@ -1,8 +1,20 @@
annotations: annotations:
artifacthub.io/changes: "- \"fix(Traefik Hub): missing RBACs for Traefik Hub\"\n- artifacthub.io/changes: "- \"fix: \U0001F41B http3 with internal service\"\n- \"fix:
\"chore(release): \U0001F680 publish v30.0.2\"\n" use correct children indentation for logs.access.filters\"\n- \"fix(schema): :bug:
targetPort can also be a string\"\n- \"fix(certificateResolvers)!: :boom: :bug:
use same syntax in Chart and in Traefik\"\n- \"fix(Traefik)!: :boom: set 8080
as default port for `traefik` entrypoint\"\n- \"fix(Traefik Hub): RBAC for distributedAcme\"\n-
\"fix(Kubernetes Ingress)!: :boom: :sparkles: enable publishedService by default\"\n-
\"fix(Gateway API): :bug: add missing required RBAC for v3.2 with experimental
Channel\"\n- \"fix(Env Variables)!: allow extending env without overwrite\"\n-
\"feat(deps): update traefik docker tag to v3.2.0\"\n- \"feat(deps): update traefik
docker tag to v3.1.6\"\n- \"feat(Traefik): ✨ support Gateway API statusAddress\"\n-
\"feat(Traefik Proxy): CRDs for v3.2+\"\n- \"feat(Gateway API): :sparkles: standard
install CRD v1.2.0\"\n- \"feat(Gateway API): :sparkles: add infrastructure in
the values\"\n- \"chore: allow TRACE log level\"\n- \"chore(release): \U0001F680
publish v33.0.0\"\n- \"Update topology spread constraints comments\"\n"
apiVersion: v2 apiVersion: v2
appVersion: v3.1.0 appVersion: v3.2.0
description: A Traefik based Kubernetes ingress controller description: A Traefik based Kubernetes ingress controller
home: https://traefik.io/ home: https://traefik.io/
icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png
@ -24,4 +36,4 @@ sources:
- https://github.com/traefik/traefik - https://github.com/traefik/traefik
- https://github.com/traefik/traefik-helm-chart - https://github.com/traefik/traefik-helm-chart
type: application type: application
version: 30.0.2 version: 33.0.0

58
charts/traefik/traefik/EXAMPLES.md
View File

@ -97,10 +97,10 @@ ingressRoute:
The traefik admin port can be forwarded locally: The traefik admin port can be forwarded locally:
```bash ```bash
kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000 kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 8080:8080
``` ```
This command makes the dashboard accessible on the url: http://127.0.0.1:9000/dashboard/ This command makes the dashboard accessible on the url: http://127.0.0.1:8080/dashboard/
# Publish and protect Traefik Dashboard with basic Auth # Publish and protect Traefik Dashboard with basic Auth
@ -173,7 +173,7 @@ extraObjects:
ports: ports:
- port: 8080 - port: 8080
name: traefik name: traefik
targetPort: 9000 targetPort: 8080
protocol: TCP protocol: TCP
- apiVersion: v1 - apiVersion: v1
@ -305,7 +305,7 @@ extraObjects:
config: config:
type: HTTP type: HTTP
httpHealthCheck: httpHealthCheck:
port: 9000 port: 8080
requestPath: /ping requestPath: /ping
targetRef: targetRef:
group: "" group: ""
@ -331,14 +331,15 @@ Here is a more complete example, using also native Let's encrypt feature of Trae
persistence: persistence:
enabled: true enabled: true
size: 128Mi size: 128Mi
certResolvers: certificatesResolvers:
letsencrypt: letsencrypt:
email: "{{ letsencrypt_email }}" acme:
#caServer: https://acme-v02.api.letsencrypt.org/directory # Production server email: "{{ letsencrypt_email }}"
caServer: https://acme-staging-v02.api.letsencrypt.org/directory # Staging server #caServer: https://acme-v02.api.letsencrypt.org/directory # Production server
dnsChallenge: caServer: https://acme-staging-v02.api.letsencrypt.org/directory # Staging server
provider: azuredns dnsChallenge:
storage: /data/acme.json provider: azuredns
storage: /data/acme.json
env: env:
- name: AZURE_CLIENT_ID - name: AZURE_CLIENT_ID
value: "{{ azure_dns_challenge_application_id }}" value: "{{ azure_dns_challenge_application_id }}"
@ -416,6 +417,17 @@ ports:
enabled: true enabled: true
``` ```
You can also create two `Service`, one for TCP and one for UDP:
```yaml
ports:
websecure:
http3:
enabled: true
service:
single: false
```
# Use PROXY protocol on Digital Ocean # Use PROXY protocol on Digital Ocean
PROXY protocol is a protocol for sending client connection information, such as origin IP addresses and port numbers, to the final backend server, rather than discarding it at the load balancer. PROXY protocol is a protocol for sending client connection information, such as origin IP addresses and port numbers, to the final backend server, rather than discarding it at the load balancer.
@ -480,7 +492,7 @@ See [#396](https://github.com/traefik/traefik-helm-chart/issues/396) for more de
Once the provider is ready, it can be used in an `IngressRoute`: Once the provider is ready, it can be used in an `IngressRoute`:
```yaml ```yaml
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: IngressRoute kind: IngressRoute
metadata: metadata:
name: [...] name: [...]
@ -491,6 +503,8 @@ spec:
certResolver: letsencrypt certResolver: letsencrypt
``` ```
:information_source: Change `apiVersion` to `traefik.containo.us/v1alpha1` for charts prior to v28.0.0
See [the list of supported providers](https://doc.traefik.io/traefik/https/acme/#providers) for others. See [the list of supported providers](https://doc.traefik.io/traefik/https/acme/#providers) for others.
## Example with CloudFlare ## Example with CloudFlare
@ -516,11 +530,12 @@ stringData:
persistence: persistence:
enabled: true enabled: true
storageClass: xxx storageClass: xxx
certResolvers: certificatesResolvers:
letsencrypt: letsencrypt:
dnsChallenge: acme:
provider: cloudflare dnsChallenge:
storage: /data/acme.json provider: cloudflare
storage: /data/acme.json
env: env:
- name: CF_DNS_API_TOKEN - name: CF_DNS_API_TOKEN
valueFrom: valueFrom:
@ -540,6 +555,9 @@ podSecurityContext:
fsGroupChangePolicy: "OnRootMismatch" fsGroupChangePolicy: "OnRootMismatch"
``` ```
>[!NOTE]
> With [Traefik Hub](https://traefik.io/traefik-hub/), certificates can be stored as a `Secret` on Kubernetes with `distributedAcme` resolver.
# Provide default certificate with cert-manager and CloudFlare DNS # Provide default certificate with cert-manager and CloudFlare DNS
Setup: Setup:
@ -683,7 +701,7 @@ spec:
app.kubernetes.io/name: traefik app.kubernetes.io/name: traefik
app.kubernetes.io/instance: traefik-traefik app.kubernetes.io/instance: traefik-traefik
ports: ports:
- port: 9000 - port: 8080
name: "traefik" name: "traefik"
targetPort: traefik targetPort: traefik
protocol: TCP protocol: TCP
@ -822,8 +840,6 @@ metrics:
One can use the new stable kubernetes gateway API provider setting the following _values_: One can use the new stable kubernetes gateway API provider setting the following _values_:
```yaml ```yaml
image:
tag: v3.1.0-rc3
providers: providers:
kubernetesGateway: kubernetesGateway:
enabled: true enabled: true
@ -891,6 +907,8 @@ Once it's applied, whoami should be accessible on http://whoami.docker.localhost
</details> </details>
:information_source: In this example, `Deployment` and `HTTPRoute` should be deployed in the same namespace as the Traefik Gateway: Chart namespace.
# Use Kubernetes Gateway API with cert-manager # Use Kubernetes Gateway API with cert-manager
One can use the new stable kubernetes gateway API provider with automatic TLS certificates delivery (with cert-manager) setting the following _values_: One can use the new stable kubernetes gateway API provider with automatic TLS certificates delivery (with cert-manager) setting the following _values_:
@ -906,6 +924,8 @@ gateway:
listeners: listeners:
websecure: websecure:
hostname: whoami.docker.localhost hostname: whoami.docker.localhost
port: 8443
protocol: HTTPS
certificateRefs: certificateRefs:
- name: whoami-tls - name: whoami-tls
``` ```

Some files were not shown because too many files have changed in this diff Show More