ghp/helm-charts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GHP publish

Browse Source
This commit is contained in:
ace 2021-01-17 04:09:41 +03:00
commit 9fe2c2adf2
No known key found for this signature in database
GPG Key ID: 32989872B72276A0
457 changed files with 40068 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md Normal file
View File

@ -0,0 +1,7 @@
## Helm charts repository
Used for Geek Home Platform deployment
## Usage
helm repo add ghp https://charts.geekhome.org

24
adguard-home/.helmignore Normal file
View File

@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# OWNERS file for Kubernetes
OWNERS

15
adguard-home/Chart.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: v2
appVersion: v0.102.0
description: DNS proxy as ad-blocker for local network
home: https://github.com/k8s-at-home/charts/tree/master/charts/adguard-home
icon: https://avatars3.githubusercontent.com/u/8361145?s=200&v=4?sanitize=true
keywords:
- adguard-home
- adguard
- dns
maintainers:
- name: billimek
name: adguard-home
sources:
- https://github.com/AdguardTeam/AdGuardHome
version: 2.2.1

64
adguard-home/README.md Normal file
View File

@ -0,0 +1,64 @@
# DNS proxy as ad-blocker for local network
This is an opinionated helm chart for [adguard-home](https://github.com/AdguardTeam/AdGuardHome)
The default values and container images used in this chart will allow for running in a multi-arch cluster (amd64, arm, arm64)
## TL;DR
```shell
helm repo add k8s-at-home https://k8s-at-home.com/charts/
helm install k8s-at-home/adguard-home
```
## Installing the Chart
To install the chart with the release name `my-release`:
```console
helm install --name adguard-home k8s-at-home/adguard-home
```
## Uninstalling the Chart
To uninstall/delete the `adguard-home` deployment:
```console
helm delete adguard-home --purge
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration
Read through the [values.yaml](https://github.com/k8s-at-home/charts/blob/master/charts/adguard-home/values.yaml) file. It has several commented out suggested values.
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
helm install --name adguard-home \
--set timeZone="America/New York" \
k8s-at-home/adguard-home
```
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
```console
helm install --name adguard-home -f values.yaml k8s-at-home/adguard-home
```
#### Helm force upgrade
```sh
helm upgrade --force
```
#### Delete the existing `adguard-home` services prior to upgrading
```sh
kubectl delete svc/adguard-home
```
#### Remove the existing adguard-home chart first
This is the 'easiest' approach, but will incur downtime which can be problematic if you rely on adguard-home for DNS

15
adguard-home/templates/NOTES.txt Normal file
View File

@ -0,0 +1,15 @@
1. Get the application URL by running these commands:
{{- if contains "NodePort" .Values.serviceUDP.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "adguard-home.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.serviceUDP.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ include "adguard-home.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "adguard-home.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.serviceUDP.port }}
{{- else if contains "ClusterIP" .Values.serviceUDP.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "adguard-home.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:3000
{{- end }}

32
adguard-home/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "adguard-home.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "adguard-home.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "adguard-home.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

29
adguard-home/templates/config-pvc.yaml Normal file
View File

@ -0,0 +1,29 @@
{{- if and .Values.persistence.config.enabled (not .Values.persistence.config.existingClaim) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "adguard-home.fullname" . }}-config
{{- if .Values.persistence.config.skipuninstall }}
annotations:
"helm.sh/resource-policy": keep
{{- end }}
labels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
helm.sh/chart: {{ include "adguard-home.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
accessModes:
- {{ .Values.persistence.config.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.config.size | quote }}
{{- if .Values.persistence.config.storageClass }}
{{- if (eq "-" .Values.persistence.config.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.config.storageClass }}"
{{- end }}
{{- end }}
{{- end -}}

14
adguard-home/templates/configmap.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if .Values.configAsCode.enabled }}
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ include "adguard-home.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
helm.sh/chart: {{ include "adguard-home.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
AdGuardHome.yaml: |
{{- toYaml .Values.configAsCode.config | nindent 4 }}
{{- end }}

201
adguard-home/templates/deployment.yaml Normal file
View File

@ -0,0 +1,201 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "adguard-home.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
helm.sh/chart: {{ include "adguard-home.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
replicas: 1
strategy:
type: {{ .Values.strategyType }}
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
annotations:
{{- with .Values.podAnnotations }}
{{ toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.configAsCode.enabled }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
spec:
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- if or .Values.configAsCode.enabled .Values.securityContext.runAsUser }}
initContainers:
{{- if .Values.configAsCode.enabled }}
- name: "config"
securityContext:
readOnlyRootFilesystem: true
image: "{{ .Values.configAsCode.image.repository }}:{{ .Values.configAsCode.image.tag }}"
imagePullPolicy: {{ .Values.configAsCode.image.pullPolicy }}
command: ["sh", "-c", "cat /configmap/AdGuardHome.yaml > /opt/adguardhome/conf/AdGuardHome.yaml"]
resources: {{- toYaml .Values.configAsCode.resources | nindent 12 }}
volumeMounts:
- name: configmap
mountPath: /configmap
- name: config
mountPath: /opt/adguardhome/conf
readOnly: false
{{- end }}
{{- if .Values.securityContext.runAsUser }}
- name: "volume-permissions"
securityContext:
readOnlyRootFilesystem: true
image: "{{ .Values.volumePermissions.image.repository }}:{{ .Values.volumePermissions.image.tag }}"
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy }}
command: ["/bin/chown", "-R", "{{ .Values.securityContext.runAsUser }}:", "/opt/adguardhome/work", "/opt/adguardhome/conf"]
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
volumeMounts:
- name: work
mountPath: /opt/adguardhome/work
readOnly: false
- name: config
mountPath: /opt/adguardhome/conf
readOnly: false
{{- end }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
{{- if .Values.timezone }}
- name: TZ
value: {{ .Values.timezone | quote }}
{{- end }}
volumeMounts:
- name: work
mountPath: /opt/adguardhome/work
readOnly: false
- name: config
mountPath: /opt/adguardhome/conf
readOnly: false
{{- if .Values.tlsSecretName }}
- name: certs
mountPath: /certs
readOnly: false
{{- end }}
ports:
- name: http
{{- if .Values.configAsCode.enabled }}
containerPort: {{ .Values.configAsCode.config.bind_port | default 3000 }}
{{- else }}
containerPort: 3000
{{- end }}
- name: dns
{{- if .Values.configAsCode.enabled }}
containerPort: {{ .Values.configAsCode.config.dns.port | default 53 }}
{{- else }}
containerPort: 53
{{- end }}
protocol: TCP
- name: dns-udp
{{- if .Values.configAsCode.enabled }}
containerPort: {{ .Values.configAsCode.config.dns.port | default 53 }}
{{- else }}
containerPort: 53
{{- end }}
protocol: UDP
{{- if .Values.serviceDHCP.enabled }}
- name: dhcp-server-udp
containerPort: 67
protocol: UDP
- name: dhcp-client-tcp
containerPort: 68
protocol: TCP
- name: dhcp-client-udp
containerPort: 68
protocol: UDP
{{- end }}
{{- if .Values.serviceDNSOverTLS.enabled }}
- name: dns-over-tls
containerPort: 853
protocol: TCP
{{- end }}
{{- if .Values.serviceDNSOverHTTPS.enabled }}
- name: dns-over-https
containerPort: 443
protocol: TCP
{{- end }}
{{- if .Values.probes.liveness.enabled }}
livenessProbe:
httpGet:
path: /login.html
port: http
scheme: HTTP
initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
failureThreshold: {{ .Values.probes.liveness.failureThreshold }}
periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
{{- end }}
{{- if .Values.probes.readiness.enabled }}
readinessProbe:
httpGet:
path: /login.html
port: http
scheme: HTTP
initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
{{- end }}
{{- if .Values.probes.startup.enabled }}
startupProbe:
httpGet:
path: /login.html
port: http
scheme: HTTP
initialDelaySeconds: {{ .Values.probes.startup.initialDelaySeconds }}
failureThreshold: {{ .Values.probes.startup.failureThreshold }}
periodSeconds: {{ .Values.probes.startup.periodSeconds }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumes:
{{- if .Values.tlsSecretName }}
- name: certs
secret:
secretName: {{ .Values.tlsSecretName }}
{{- end }}
{{- if .Values.configAsCode.enabled }}
- name: configmap
configMap:
name: {{ include "adguard-home.fullname" . }}
{{- end }}
- name: config
{{- if .Values.persistence.config.enabled }}
persistentVolumeClaim:
claimName: {{ if .Values.persistence.config.existingClaim }}{{ .Values.persistence.config.existingClaim }}{{- else }}{{ template "adguard-home.fullname" . }}-config{{- end }}
{{- else }}
emptyDir: {}
{{- end }}
- name: work
{{- if .Values.persistence.work.enabled }}
persistentVolumeClaim:
claimName: {{ if .Values.persistence.work.existingClaim }}{{ .Values.persistence.work.existingClaim }}{{- else }}{{ template "adguard-home.fullname" . }}-work{{- end }}
{{- else }}
emptyDir: {}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

38
adguard-home/templates/ingress.yaml Normal file
View File

@ -0,0 +1,38 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "adguard-home.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
helm.sh/chart: {{ include "adguard-home.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ . | quote }}
http:
paths:
- path: {{ $ingressPath }}
backend:
serviceName: {{ $fullName }}
servicePort: http
{{- end }}
{{- end }}

45
adguard-home/templates/service-dhcp.yaml Normal file
View File

@ -0,0 +1,45 @@
{{- if .Values.serviceDHCP.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "adguard-home.fullname" . }}-dhcp
labels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
helm.sh/chart: {{ include "adguard-home.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.serviceDHCP.annotations }}
annotations:
{{ toYaml .Values.serviceDHCP.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.serviceDHCP.type }}
{{- if .Values.serviceDHCP.loadBalancerIP }}
loadBalancerIP: {{ .Values.serviceDHCP.loadBalancerIP }}
{{- end }}
{{- if .Values.serviceDHCP.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml .Values.serviceDHCP.loadBalancerSourceRanges | indent 4 }}
{{- end -}}
{{- if .Values.serviceDHCP.externalIPs }}
externalIPs:
{{ toYaml .Values.serviceDHCP.externalIPs | indent 4 }}
{{- end }}
externalTrafficPolicy: {{ .Values.serviceDHCP.externalTrafficPolicy }}
ports:
- port: 67
targetPort: dhcp-server-udp
protocol: UDP
name: dhcp-server-udp
- port: 68
targetPort: dhcp-client-tcp
protocol: TCP
name: dhcp-client-tcp
- port: 68
targetPort: dhcp-client-udp
protocol: UDP
name: dhcp-client-udp
selector:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

37
adguard-home/templates/service-dns-over-https.yaml Normal file
View File

@ -0,0 +1,37 @@
{{- if .Values.serviceDNSOverHTTPS.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "adguard-home.fullname" . }}-dns-over-https
labels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
helm.sh/chart: {{ include "adguard-home.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.serviceDNSOverHTTPS.annotations }}
annotations:
{{ toYaml .Values.serviceDNSOverHTTPS.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.serviceDNSOverHTTPS.type }}
{{- if .Values.serviceDNSOverHTTPS.loadBalancerIP }}
loadBalancerIP: {{ .Values.serviceDNSOverHTTPS.loadBalancerIP }}
{{- end }}
{{- if .Values.serviceDNSOverHTTPS.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml .Values.serviceDNSOverHTTPS.loadBalancerSourceRanges | indent 4 }}
{{- end -}}
{{- if .Values.serviceDNSOverHTTPS.externalIPs }}
externalIPs:
{{ toYaml .Values.serviceDNSOverHTTPS.externalIPs | indent 4 }}
{{- end }}
externalTrafficPolicy: {{ .Values.serviceDNSOverHTTPS.externalTrafficPolicy }}
ports:
- port: 443
targetPort: dns-over-https
protocol: TCP
name: dns-over-https
selector:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

37
adguard-home/templates/service-dns-over-tls.yaml Normal file
View File

@ -0,0 +1,37 @@
{{- if .Values.serviceDNSOverTLS.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "adguard-home.fullname" . }}-dns-over-tls
labels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
helm.sh/chart: {{ include "adguard-home.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.serviceDNSOverTLS.annotations }}
annotations:
{{ toYaml .Values.serviceDNSOverTLS.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.serviceDNSOverTLS.type }}
{{- if .Values.serviceDNSOverTLS.loadBalancerIP }}
loadBalancerIP: {{ .Values.serviceDNSOverTLS.loadBalancerIP }}
{{- end }}
{{- if .Values.serviceDNSOverTLS.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml .Values.serviceDNSOverTLS.loadBalancerSourceRanges | indent 4 }}
{{- end -}}
{{- if .Values.serviceDNSOverTLS.externalIPs }}
externalIPs:
{{ toYaml .Values.serviceDNSOverTLS.externalIPs | indent 4 }}
{{- end }}
externalTrafficPolicy: {{ .Values.serviceDNSOverTLS.externalTrafficPolicy }}
ports:
- port: 853
targetPort: dns-over-tls
protocol: TCP
name: dns-over-tls
selector:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

37
adguard-home/templates/service-tcp.yaml Normal file
View File

@ -0,0 +1,37 @@
{{- if .Values.serviceTCP.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "adguard-home.fullname" . }}-tcp
labels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
helm.sh/chart: {{ include "adguard-home.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.serviceTCP.annotations }}
annotations:
{{ toYaml .Values.serviceTCP.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.serviceTCP.type }}
{{- if .Values.serviceTCP.loadBalancerIP }}
loadBalancerIP: {{ .Values.serviceTCP.loadBalancerIP }}
{{- end }}
{{- if .Values.serviceTCP.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml .Values.serviceTCP.loadBalancerSourceRanges | indent 4 }}
{{- end -}}
{{- if .Values.serviceTCP.externalIPs }}
externalIPs:
{{ toYaml .Values.serviceTCP.externalIPs | indent 4 }}
{{- end }}
externalTrafficPolicy: {{ .Values.serviceTCP.externalTrafficPolicy }}
ports:
- port: 53
targetPort: dns
protocol: TCP
name: dns
selector:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

37
adguard-home/templates/service-udp.yaml Normal file
View File

@ -0,0 +1,37 @@
{{- if .Values.serviceUDP.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "adguard-home.fullname" . }}-udp
labels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
helm.sh/chart: {{ include "adguard-home.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.serviceUDP.annotations }}
annotations:
{{ toYaml .Values.serviceUDP.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.serviceUDP.type }}
{{- if .Values.serviceUDP.loadBalancerIP }}
loadBalancerIP: {{ .Values.serviceUDP.loadBalancerIP }}
{{- end }}
{{- if .Values.serviceUDP.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml .Values.serviceUDP.loadBalancerSourceRanges | indent 4 }}
{{- end -}}
{{- if .Values.serviceUDP.externalIPs }}
externalIPs:
{{ toYaml .Values.serviceUDP.externalIPs | indent 4 }}
{{- end }}
externalTrafficPolicy: {{ .Values.serviceUDP.externalTrafficPolicy }}
ports:
- port: 53
targetPort: dns-udp
protocol: UDP
name: dns-udp
selector:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

35
adguard-home/templates/service.yaml Normal file
View File

@ -0,0 +1,35 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "adguard-home.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
helm.sh/chart: {{ include "adguard-home.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }}
{{- end -}}
{{- if .Values.service.externalIPs }}
externalIPs:
{{ toYaml .Values.service.externalIPs | indent 4 }}
{{- end }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
ports:
- port: 3000
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}

23
adguard-home/templates/servicemonitor.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- if .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "adguard-home.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "adguard-home.chart" . }}
{{- with .Values.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
endpoints:
- port: http
interval: 30s
path: /
{{- end }}

29
adguard-home/templates/work-pvc.yaml Normal file
View File

@ -0,0 +1,29 @@
{{- if and .Values.persistence.work.enabled (not .Values.persistence.work.existingClaim) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "adguard-home.fullname" . }}-work
{{- if .Values.persistence.work.skipuninstall }}
annotations:
"helm.sh/resource-policy": keep
{{- end }}
labels:
app.kubernetes.io/name: {{ include "adguard-home.name" . }}
helm.sh/chart: {{ include "adguard-home.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
accessModes:
- {{ .Values.persistence.work.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.work.size | quote }}
{{- if .Values.persistence.work.storageClass }}
{{- if (eq "-" .Values.persistence.work.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.work.storageClass }}"
{{- end }}
{{- end }}
{{- end -}}

376
adguard-home/values.yaml Normal file
View File

@ -0,0 +1,376 @@
# upgrade strategy type (e.g. Recreate or RollingUpdate)
strategyType: Recreate
configAsCode:
enabled: false
resources: {}
# requests:
# memory: 128Mi
# cpu: 100m
image:
repository: busybox
tag: latest
pullPolicy: Always
config:
bind_host: 0.0.0.0
bind_port: 3000
users: []
# - name: admin
# password: $2y$05$mV4GSa5Dymk4Hjg3NCscBuCYSckCGfc2mbS57SNkBkBAfvqfOdFfm
http_proxy: ""
language: "en"
rlimit_nofile: 0
debug_pprof: false
web_session_ttl: 720
dns:
bind_host: 0.0.0.0
port: 53
statistics_interval: 1
querylog_enabled: true
querylog_interval: 90
querylog_size_memory: 1000
anonymize_client_ip: false
protection_enabled: true
blocking_mode: default
blocking_ipv4: ""
blocking_ipv6: ""
blocked_response_ttl: 10
parental_block_host: family-block.dns.adguard.com
safebrowsing_block_host: standard-block.dns.adguard.com
ratelimit: 0
ratelimit_whitelist: []
refuse_any: true
upstream_dns:
- https://dns10.quad9.net/dns-query
bootstrap_dns:
- 9.9.9.10
- 149.112.112.10
- 2620:fe::10
- 2620:fe::fe:10
all_servers: false
fastest_addr: false
allowed_clients: []
# - 10.0.0.1
# - 10.0.1.1/24
disallowed_clients: []
# - 10.0.1.1
# - 10.0.11.1/24
blocked_hosts: []
# - example.org
# - '*.example.org'
# - '||example.org^'
cache_size: 4194304
cache_ttl_min: 0
cache_ttl_max: 0
bogus_nxdomain: []
aaaa_disabled: false
enable_dnssec: false
edns_client_subnet: false
filtering_enabled: true
filters_update_interval: 24
parental_enabled: false
safesearch_enabled: false
safebrowsing_enabled: false
safebrowsing_cache_size: 1048576
safesearch_cache_size: 1048576
parental_cache_size: 1048576
cache_time: 30
rewrites: []
# - domain: example.org
# answer: 127.0.0.1
# - domain: '*.example.org'
# answer: 127.0.0.1
blocked_services: []
# - facebook
# - origin
# - twitter
# - snapchat
# - skype
# - whatsapp
# - instagram
# - youtube
# - netflix
# - twitch
# - discord
# - amazon
# - ebay
# - cloudflare
# - steam
# - epic_games
# - reddit
# - ok
# - vk
# - mail_ru
# - tiktok
tls:
enabled: false
server_name: ""
force_https: false
port_https: 443
port_dns_over_tls: 853
allow_unencrypted_doh: false
strict_sni_check: false
certificate_chain: ""
private_key: ""
certificate_path: ""
private_key_path: ""
filters:
- enabled: true
url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
name: AdGuard DNS filter
id: 1
- enabled: false
url: https://adaway.org/hosts.txt
name: AdAway
id: 2
- enabled: false
url: https://www.malwaredomainlist.com/hostslist/hosts.txt
name: MalwareDomainList.com Hosts List
id: 4
whitelist_filters: []
# - enabled: true
# url: https://easylist-downloads.adblockplus.org/exceptionrules.txt
# name: Allow nonintrusive advertising
# id: 1595760241
user_rules: []
# - '||example.org^'
# - '@@||example.org^'
# - 127.0.0.1 example.org
# - '! Here goes a comment'
# - '# Also a comment'
dhcp:
enabled: false
interface_name: ""
gateway_ip: ""
subnet_mask: ""
range_start: ""
range_end: ""
lease_duration: 86400
icmp_timeout_msec: 1000
clients: []
# - name: myuser
# tags:
# - user_admin
# ids:
# - 192.168.91.1
# use_global_settings: true
# filtering_enabled: false
# parental_enabled: false
# safesearch_enabled: false
# safebrowsing_enabled: false
# use_global_blocked_services: true
# blocked_services: []
# upstreams: []
log_file: ""
verbose: false
schema_version: 6
tlsSecretName: ""
# name of the secret that contains the tls cert and key.
# this secret will be mounted inside the adguard container /certs path. e.g. works with cert-manager
image:
repository: adguard/adguardhome
# Image tag is set via charts appVersion. If you want to override the tag, specify it here
# tag: vX.Y.Z
pullPolicy: IfNotPresent
nameOverride: ""
fullnameOverride: ""
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# add:
# - NET_BIND_SERVICE
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
timezone: "UTC"
ingress:
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
path: /
hosts:
- chart-example.local
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
# Probes configuration
probes:
liveness:
enabled: true
initialDelaySeconds: 5
failureThreshold: 5
periodSeconds: 10
readiness:
enabled: false
initialDelaySeconds: 5
failureThreshold: 5
periodSeconds: 10
startup:
enabled: false
initialDelaySeconds: 5
failureThreshold: 30
periodSeconds: 10
service:
type: ClusterIP
# externalTrafficPolicy: Local
# externalIPs: []
# loadBalancerIP: ""
# a fixed LoadBalancer IP
# loadBalancerSourceRanges: []
annotations: {}
# metallb.universe.tf/address-pool: network-services
# metallb.universe.tf/allow-shared-ip: adguard-home-svc
serviceTCP:
enabled: false
type: NodePort
# externalTrafficPolicy: Local
# externalIPs: []
loadBalancerIP: ""
# a fixed LoadBalancer IP
# loadBalancerSourceRanges: []
annotations: {}
# metallb.universe.tf/address-pool: network-services
# metallb.universe.tf/allow-shared-ip: adguard-home-svc
serviceUDP:
enabled: true
type: NodePort
# externalTrafficPolicy: Local
# externalIPs: []
loadBalancerIP: ""
# a fixed LoadBalancer IP
# loadBalancerSourceRanges: []
annotations: {}
# metallb.universe.tf/address-pool: network-services
# metallb.universe.tf/allow-shared-ip: adguard-home-svc
serviceDNSOverTLS:
enabled: false
## Enable if you use AdGuard as a DNS over TLS/HTTPS server
type: NodePort
# externalTrafficPolicy: Local
# externalIPs: []
loadBalancerIP: ""
# a fixed LoadBalancer IP
# loadBalancerSourceRanges: []
annotations: {}
# metallb.universe.tf/address-pool: network-services
# metallb.universe.tf/allow-shared-ip: adguard-home-svc
serviceDNSOverHTTPS:
enabled: false
## Enable if you use AdGuard as a DNS over TLS/HTTPS server
type: NodePort
# externalTrafficPolicy: Local
# externalIPs: []
loadBalancerIP: ""
# a fixed LoadBalancer IP
# loadBalancerSourceRanges: []
annotations: {}
# metallb.universe.tf/address-pool: network-services
# metallb.universe.tf/allow-shared-ip: adguard-home-svc
serviceDHCP:
enabled: false
## Enable if you use AdGuard as a DHCP Server
type: NodePort
# externalTrafficPolicy: Local
# externalIPs: []
loadBalancerIP: ""
# a fixed LoadBalancer IP
annotations: {}
# metallb.universe.tf/address-pool: network-services
# metallb.universe.tf/allow-shared-ip: adguard-home-svc
# external-dns.alpha.kubernetes.io/hostname: dns.example.com
serviceMonitor:
enabled: false
additionalLabels: {}
## Pod Annotations
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "api"
persistence:
config:
enabled: true
## adguard-home configuration data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
##
## If you want to reuse an existing claim, you can pass the name of the PVC using
## the existingClaim variable
# existingClaim: your-claim
# subPath: some-subpath
accessMode: ReadWriteOnce
size: 20Mi
## Do not delete the pvc upon helm uninstall
skipuninstall: false
work:
enabled: true
## adguard-home work volume configuration
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
##
## If you want to reuse an existing claim, you can pass the name of the PVC using
## the existingClaim variable
# existingClaim: your-claim
# subPath: some-subpath
accessMode: ReadWriteOnce
size: 10Gi
## Do not delete the pvc upon helm uninstall
skipuninstall: false
volumePermissions:
image:
repository: busybox
tag: latest
pullPolicy: Always
resources: {}
# requests:
# memory: 128Mi
# cpu: 100m
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# memory: 500Mi
# requests:
# cpu: 50m
# memory: 275Mi
nodeSelector: {}
tolerations: []
affinity: {}

21
bitwarden/.helmignore Normal file
View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

14
bitwarden/Chart.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
appVersion: "1.0"
description: A Bitwarden Helm chart for Kubernetes
name: bitwarden
version: 0.1.6
home: https://github.com/dani-garcia/bitwarden_rs
icon: https://raw.githubusercontent.com/bitwarden/brand/master/icons/icon.svg
sources:
- https://github.com/dani-garcia/bitwarden_rs
- https://github.com/cdwv/bitwarden-k8s
maintainers:
- name: CodeWave
email: hello@codewave.eu
url: https://codewave.eu

19
bitwarden/templates/NOTES.txt Normal file
View File

@ -0,0 +1,19 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bitwarden.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ include "bitwarden.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bitwarden.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bitwarden.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:80
{{- end }}

32
bitwarden/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "bitwarden.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "bitwarden.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "bitwarden.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

81
bitwarden/templates/deployment.yaml Normal file
View File

@ -0,0 +1,81 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "bitwarden.fullname" . }}
{{- if .Values.deploymentAnnotations }}
annotations:
{{- range $key, $value := .Values.deploymentAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "bitwarden.name" . }}
helm.sh/chart: {{ include "bitwarden.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "bitwarden.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "bitwarden.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
annotations:
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
spec:
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{ toYaml .Values.resources | indent 12 }}
env:
{{- range $key, $val := .Values.env }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end}}
ports:
- name: http
containerPort: 80
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
volumeMounts:
- name: data
mountPath: /data
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
- name: {{ .Values.image.pullSecrets }}
{{- end }}
volumes:
- name: data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ template "bitwarden.fullname" . }}{{- end }}
{{- else }}
emptyDir: {}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}

38
bitwarden/templates/ingress.yaml Normal file
View File

@ -0,0 +1,38 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "bitwarden.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
app.kubernetes.io/name: {{ include "bitwarden.name" . }}
helm.sh/chart: {{ include "bitwarden.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ . | quote }}
http:
paths:
- path: {{ $ingressPath }}
backend:
serviceName: {{ $fullName }}
servicePort: http
{{- end }}
{{- end }}

24
bitwarden/templates/persistent-volume-claim.yaml Normal file
View File

@ -0,0 +1,24 @@
{{- if .Values.persistence.enabled }}
{{- if not .Values.persistence.existingClaim -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "bitwarden.fullname" . }}
labels:
app: {{ template "bitwarden.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
{{- if .Values.persistence.storageClass }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- else }}
storageClassName: ""
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- end -}}
{{- end }}

22
bitwarden/templates/service.yaml Normal file
View File

@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "bitwarden.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "bitwarden.name" . }}
helm.sh/chart: {{ include "bitwarden.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: {{ include "bitwarden.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}

86
bitwarden/values.yaml Normal file
View File

@ -0,0 +1,86 @@
# Default values for bitwarden.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: bitwardenrs/server
tag: 1.18.0
pullPolicy: IfNotPresent
# imagePullSecrets for accessing private registries
# pullSecrets: regcred
env:
SIGNUPS_ALLOWED: true
INVITATIONS_ALLOWED: true
# SERVER_ADMIN_EMAIL
# DOMAIN
# YUBICO_CLIENT_ID
# YUBICO_SECRET_KEY
# DATA_FOLDER
# DATABASE_URL
# ATTACHMENTS_FOLDER
# ICON_CACHE_FOLDER
# ROCKET_LIMITS
# ROCKET_WORKERS
# SMTP_HOST
# SMTP_FROM
# SMTP_PORT
# SMTP_SSL
# SMTP_EXPLICIT_TLS
# SMTP_USERNAME
# SMTP_PASSWORD
# SHOW_PASSWORD_HINT
# WEB_VAULT_ENABLED
nameOverride: ""
fullnameOverride: ""
service:
type: ClusterIP
port: 80
loadBalancerIP: ""
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
path: /
hosts:
- bitwarden.example
tls:
- secretName: bitwarden-tls
hosts:
- bitwarden.example
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
deploymentAnnotations: {}
## Persist data to a persitent volume
persistence:
enabled: false
accessMode: ReadWriteOnce
size: 800Mi
#storageClass:
#existingClaim: "bitwarden-pvc"

23
chartmuseum/.helmignore Executable file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# OWNERS file for Kubernetes
OWNERS

12
chartmuseum/Chart.yaml Executable file
View File

@ -0,0 +1,12 @@
apiVersion: v1
appVersion: 0.12.0
deprecated: true
description: DEPRECATED Host your own Helm Chart Repository
home: https://github.com/helm/chartmuseum
icon: https://raw.githubusercontent.com/helm/chartmuseum/master/logo2.png
keywords:
- chartmuseum
- helm
- charts repo
name: chartmuseum
version: 2.14.2

749
chartmuseum/README.md Executable file
View File

@ -0,0 +1,749 @@
# ⚠️ Repo Archive Notice
As of Nov 13, 2020, charts in this repo will no longer be updated.
For more information, see the Helm Charts [Deprecation and Archive Notice](https://github.com/helm/charts#%EF%B8%8F-deprecation-and-archive-notice), and [Update](https://helm.sh/blog/charts-repo-deprecation/).
# ChartMuseum Helm Chart
Deploy your own private ChartMuseum.
Please also see https://github.com/kubernetes-helm/chartmuseum
## DEPRECATION NOTICE
This chart is deprecated and no longer supported.
## Table of Content
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
- [ChartMuseum Helm Chart](#chartmuseum-helm-chart)
- [Table of Content](#table-of-content)
- [Prerequisites](#prerequisites)
- [Configuration](#configuration)
- [Installation](#installation)
- [Using with Amazon S3](#using-with-amazon-s3)
- [permissions grant with access keys](#permissions-grant-with-access-keys)
- [permissions grant with IAM instance profile](#permissions-grant-with-iam-instance-profile)
- [permissions grant with IAM assumed role](#permissions-grant-with-iam-assumed-role)
- [permissions grant with IAM Roles for Service Accounts](#permissions-grant-with-iam-roles-for-service-accounts)
- [Using with Google Cloud Storage](#using-with-google-cloud-storage)
- [Using with Google Cloud Storage and a Google Service Account](#using-with-google-cloud-storage-and-a-google-service-account)
- [Using with Microsoft Azure Blob Storage](#using-with-microsoft-azure-blob-storage)
- [Using with Alibaba Cloud OSS Storage](#using-with-alibaba-cloud-oss-storage)
- [Using with Openstack Object Storage](#using-with-openstack-object-storage)
- [Using with Oracle Object Storage](#using-with-oracle-object-storage)
- [Using an existing secret](#using-an-existing-secret)
- [Using with local filesystem storage](#using-with-local-filesystem-storage)
- [Setting local storage permissions with initContainers](#setting-local-storage-permissions-with-initcontainers)
- [Example storage class](#example-storage-class)
- [Authentication](#authentication)
- [Basic Authentication](#basic-authentication)
- [Bearer/Token auth](#bearertoken-auth)
- [Ingress](#ingress)
- [Hosts](#hosts)
- [Extra Paths](#extra-paths)
- [Annotations](#annotations)
- [Example Ingress configuration](#example-ingress-configuration)
- [Uninstall](#uninstall)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
## Prerequisites
* [If enabled] A persistent storage resource and RW access to it
* [If enabled] Kubernetes StorageClass for dynamic provisioning
## Configuration
By default this chart will not have persistent storage, and the API service
will be *DISABLED*. This protects against unauthorized access to the API
with default configuration values.
In addition, by default, pod `securityContext.fsGroup` is set to `1000`. This
is the user/group that the ChartMuseum container runs as, and is used to
enable local persitant storage. If your cluster has DenySecurityContext enabled,
you can set `securityContext` to `{}` and still use this chart with one of
the cloud storage options.
For a more robust solution supply helm install with a custom values.yaml
You are also required to create the StorageClass resource ahead of time:
```
kubectl create -f /path/to/storage_class.yaml
```
The following table lists common configurable parameters of the chart and
their default values. See values.yaml for all available options.
| Parameter | Description | Default |
| --------------------------------------- | --------------------------------------------------------------------------- | ------------------------------------ |
| `image.pullPolicy` | Container pull policy | `IfNotPresent` |
| `image.repository` | Container image to use | `chartmuseum/chartmuseum` |
| `image.tag` | Container image tag to deploy | `v0.12.0` |
| `persistence.accessMode` | Access mode to use for PVC | `ReadWriteOnce` |
| `persistence.enabled` | Whether to use a PVC for persistent storage | `false` |
| `persistence.path` | PV mount path | `/storage` |
| `persistence.size` | Amount of space to claim for PVC | `8Gi` |
| `persistence.labels` | Additional labels for PVC | `{}` |
| `persistence.storageClass` | Storage Class to use for PVC | `-` |
| `persistence.volumeName` | Volume to use for PVC | `` |
| `persistence.pv.enabled` | Whether to use a PV for persistent storage | `false` |
| `persistence.pv.capacity.storage` | Storage size to use for PV | `8Gi` |
| `persistence.pv.accessMode` | Access mode to use for PV | `ReadWriteOnce` |
| `persistence.pv.nfs.server` | NFS server for PV | `` |
| `persistence.pv.nfs.path` | Storage Path | `` |
| `persistence.pv.pvname` | Custom name for private volume | `` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` |
| `replicaCount` | k8s replicas | `1` |
| `resources.limits.cpu` | Container maximum CPU | `100m` |
| `resources.limits.memory` | Container maximum memory | `128Mi` |
| `resources.requests.cpu` | Container requested CPU | `80m` |
| `resources.requests.memory` | Container requested memory | `64Mi` |
| `secret.labels` | Additional labels for secret | `false` |
| `serviceAccount.create` | If true, create the service account | `false` |
| `serviceAccount.name` | Name of the serviceAccount to create or use | `{{ chartmuseum.fullname }}` |
| `serviceAccount.annotations` | Additional Service Account annotations | `{}` |
| `securityContext.enabled` | Enable securityContext | `true` |
| `securityContext.fsGroup` | Group ID for the container | `1000` |
| `securityContext.runAsNonRoot` | Running Pods as non-root | `` |
| `securityContext.supplementalGroups` | Control which group IDs containers add | `` |
| `containerSecurityContext` | Additional Container securityContext (ex. allowPrivilegeEscalation) | `{}` |
| `priorityClassName ` | priorityClassName | `""` |
| `nodeSelector` | Map of node labels for pod assignment | `{}` |
| `tolerations` | List of node taints to tolerate | `[]` |
| `affinity` | Map of node/pod affinities | `{}` |
| `schedulerName` | Kubernetes scheduler to use | `default` |
| `env.open.STORAGE` | Storage Backend to use | `local` |
| `env.open.STORAGE_ALIBABA_BUCKET` | Bucket to store charts in for Alibaba | `` |
| `env.open.STORAGE_ALIBABA_PREFIX` | Prefix to store charts under for Alibaba | `` |
| `env.open.STORAGE_ALIBABA_ENDPOINT` | Alternative Alibaba endpoint | `` |
| `env.open.STORAGE_ALIBABA_SSE` | Server side encryption algorithm to use | `` |
| `env.open.STORAGE_AMAZON_BUCKET` | Bucket to store charts in for AWS | `` |
| `env.open.STORAGE_AMAZON_ENDPOINT` | Alternative AWS endpoint | `` |
| `env.open.STORAGE_AMAZON_PREFIX` | Prefix to store charts under for AWS | `` |
| `env.open.STORAGE_AMAZON_REGION` | Region to use for bucket access for AWS | `` |
| `env.open.STORAGE_AMAZON_SSE` | Server side encryption algorithm to use | `` |
| `env.open.STORAGE_GOOGLE_BUCKET` | Bucket to store charts in for GCP | `` |
| `env.open.STORAGE_GOOGLE_PREFIX` | Prefix to store charts under for GCP | `` |
| `env.open.STORAGE_MICROSOFT_CONTAINER` | Container to store charts under for MS | `` |
| `env.open.STORAGE_MICROSOFT_PREFIX` | Prefix to store charts under for MS | `` |
| `env.open.STORAGE_OPENSTACK_CONTAINER` | Container to store charts for openstack | `` |
| `env.open.STORAGE_OPENSTACK_PREFIX` | Prefix to store charts for openstack | `` |
| `env.open.STORAGE_OPENSTACK_REGION` | Region of openstack container | `` |
| `env.open.STORAGE_OPENSTACK_CACERT` | Path to a CA cert bundle for openstack | `` |
| `env.open.STORAGE_ORACLE_COMPARTMENTID` | Compartment ID for Oracle Object Store | `` |
| `env.open.STORAGE_ORACLE_BUCKET` | Bucket to store charts in Oracle Object Store | `` |
| `env.open.STORAGE_ORACLE_PREFIX` | Prefix to store charts for Oracle object Store | `` |
| `env.open.CHART_POST_FORM_FIELD_NAME` | Form field to query for chart file content | `` |
| `env.open.PROV_POST_FORM_FIELD_NAME` | Form field to query for chart provenance | `` |
| `env.open.DEPTH` | levels of nested repos for multitenancy. | `0` |
| `env.open.DEBUG` | Show debug messages | `false` |
| `env.open.LOG_JSON` | Output structured logs in JSON | `true` |
| `env.open.DISABLE_STATEFILES` | Disable use of index-cache.yaml | `false` |
| `env.open.DISABLE_METRICS` | Disable Prometheus metrics | `true` |
| `env.open.DISABLE_API` | Disable all routes prefixed with /api | `true` |
| `env.open.ALLOW_OVERWRITE` | Allow chart versions to be re-uploaded | `false` |
| `env.open.CHART_URL` | Absolute url for .tgzs in index.yaml | `` |
| `env.open.AUTH_ANONYMOUS_GET` | Allow anon GET operations when auth is used | `false` |
| `env.open.CONTEXT_PATH` | Set the base context path | `` |
| `env.open.INDEX_LIMIT` | Parallel scan limit for the repo indexer | `` |
| `env.open.CACHE` | Cache store, can be one of: redis | `` |
| `env.open.CACHE_REDIS_ADDR` | Address of Redis service (host:port) | `` |
| `env.open.CACHE_REDIS_DB` | Redis database to be selected after connect | `0` |
| `env.open.BEARER_AUTH` | Enable bearer auth | `false` |
| `env.open.AUTH_REALM` | Realm used for bearer authentication | `` |
| `env.open.AUTH_SERVICE` | Service used for bearer authentication | `` |
| `env.field` | Expose pod information to containers through environment variables | `` |
| `env.existingSecret` | Name of the existing secret use values | `` |
| `env.existingSecret.BASIC_AUTH_USER` | Key name in the secret for the Username | `` |
| `env.existingSecret.BASIC_AUTH_PASS` | Key name in the secret for the Password | `` |
| `env.secret.BASIC_AUTH_USER` | Username for basic HTTP authentication | `` |
| `env.secret.BASIC_AUTH_PASS` | Password for basic HTTP authentication | `` |
| `env.secret.CACHE_REDIS_PASSWORD` | Redis requirepass server configuration | `` |
| `extraArgs` | Pass extra arguments to the chartmuseum binary | `` |
| `gcp.secret.enabled` | Flag for the GCP service account | `false` |
| `gcp.secret.name` | Secret name for the GCP json file | `` |
| `gcp.secret.key` | Secret key for te GCP json file | `credentials.json` |
| `oracle.secret.enabled` | Flag for Oracle OCI account | `false` |
| `oracle.secret.name` | Secret name for OCI config and key | `` |
| `oracle.secret.config` | Secret key that holds the OCI config | `config` |
| `oracle.secret.key_file` | Secret key that holds the OCI private key | `key_file` |
| `bearerAuth.secret.enabled` | Flag for bearer auth public key secret | `` |
| `bearerAuth.secret.publicKey` | The name of the secret with the public key | `` |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.clusterIP` | Static clusterIP or None for headless services | `nil` |
| `service.externalTrafficPolicy` | Source IP preservation (only for Service type NodePort and LoadBalancer) | `Local` |
| `service.loadBalancerSourceRanges` | Restricts access for LoadBalancer (only for Service type LoadBalancer) | `[]` |
| `service.servicename` | Custom name for service | `` |
| `service.labels` | Additional labels for service | `{}` |
| `serviceMonitor.enabled` | Enable the ServiceMontor resource to be deployed | `false` |
| `serviceMonitor.labels` | Labels for the servicemonitor used by the Prometheus Operator | `{}` |
| `serviceMonitor.namespace` | Namespace of the ServiceMonitor resource | `{{ .Release.Namespace }}` |
| `serviceMonitor.metricsPath` | Path to the Chartmuseum metrics path | `/metrics` |
| `serviceMonitor.interval` | Scrape interval, If not set, the Prometheus default scrape interval is used | `nil` |
| `serviceMonitor.timeout` | Scrape request timeout. If not set, the Prometheus default timeout is used | `nil` |
| `deployment.labels` | Additional labels for deployment | `{}` |
| `deployment.matchlabes` | Match labels for deployment selector | `{}` |
| `ingress.enabled` | Enable ingress controller resource | `false` |
| `ingress.annotations` | Ingress annotations | `[]` |
| `ingress.labels` | Ingress labels | `[]` |
| `ingress.hosts[0].name` | Hostname for the ingress | `` |
| `ingress.hosts[0].path` | Path within the url structure | `` |
| `ingress.hosts[0].tls ` | Enable TLS on the ingress host | `false` |
| `ingress.hosts[0].tlsSecret` | TLS secret to use (must be manually created) | `` |
| `ingress.hosts[0].serviceName` | The name of the service to route traffic to. | `{{ .Values.service.externalPort }}` |
| `ingress.hosts[0].servicePort` | The port of the service to route traffic to. | `{{ .chartmuseum. }}` |
| `ingress.extraPaths[0].path` | Path within the url structure. | `` |
| `ingress.extraPaths[0].service` | The name of the service to route traffic to. | `` |
| `ingress.extraPaths[0].port` | The port of the service to route traffic to. | `` |
Specify each parameter using the `--set key=value[,key=value]` argument to
`helm install`.
## Installation
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with Amazon S3
Make sure your environment is properly setup to access `my-s3-bucket`
You need at least the following permissions inside your IAM Policy
```yaml
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListObjects",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::my-s3-bucket"
},
{
"Sid": "AllowObjectsCRUD",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-s3-bucket/*"
}
]
}
```
You can grant it to `chartmuseum` by several ways:
#### permissions grant with access keys
Grant permissions to `special user` and us it's access keys for auth on aws
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: amazon
STORAGE_AMAZON_BUCKET: my-s3-bucket
STORAGE_AMAZON_PREFIX:
STORAGE_AMAZON_REGION: us-east-1
secret:
AWS_ACCESS_KEY_ID: "********" ## aws access key id value
AWS_SECRET_ACCESS_KEY: "********" ## aws access key secret value
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
#### permissions grant with IAM instance profile
You can grant permissions to k8s node IAM instance profile.
For more information read this [article](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html)
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: amazon
STORAGE_AMAZON_BUCKET: my-s3-bucket
STORAGE_AMAZON_PREFIX:
STORAGE_AMAZON_REGION: us-east-1
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
#### permissions grant with IAM assumed role
To provide access with assumed role you need to install [kube2iam](https://github.com/kubernetes/charts/tree/master/stable/kube2iam)
and create role with granded permissions.
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: amazon
STORAGE_AMAZON_BUCKET: my-s3-bucket
STORAGE_AMAZON_PREFIX:
STORAGE_AMAZON_REGION: us-east-1
replica:
annotations:
iam.amazonaws.com/role: "{assumed role name}"
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
#### permissions grant with IAM Roles for Service Accounts
For Amazon EKS clusters, access can be provided with a service account using [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: amazon
STORAGE_AMAZON_BUCKET: my-s3-bucket
STORAGE_AMAZON_PREFIX:
STORAGE_AMAZON_REGION: us-east-1
serviceAccount:
create: true
annotations:
eks.amazonaws.com/role-arn: "arn:aws:iam::{aws account ID}:role/{assumed role name}"
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with Google Cloud Storage
Make sure your environment is properly setup to access `my-gcs-bucket`
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: google
STORAGE_GOOGLE_BUCKET: my-gcs-bucket
STORAGE_GOOGLE_PREFIX:
```
### Using with Google Cloud Storage and a Google Service Account
A Google service account credentials are stored in a json file. There are two approaches here. Ideally you don't want to send your secrets to tiller. In that case, before installing this chart, you should create a secret with those credentials:
```shell
kubectl create secret generic chartmuseum-secret --from-file=credentials.json="my-project-45e35d85a593.json"
```
Then you can either use a `VALUES` yaml with your values or set those values in the command line:
```shell
helm install stable/chartmuseum --debug --set gcp.secret.enabled=true,env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum,gcp.secret.name=chartmuseum-secret
```
If you prefer to use a yaml file:
```yaml
env:
open:
STORAGE: google
STORAGE_GOOGLE_BUCKET: my-gcs-bucket
STORAGE_GOOGLE_PREFIX:
gcp:
secret:
enabled: true
name: chartmuseum-secret
key: credentials.json
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
In case that you don't mind adding your secret to tiller (you shouldn't do it), this are the commands
```yaml
env:
open:
STORAGE: google
STORAGE_GOOGLE_BUCKET: my-gcs-bucket
STORAGE_GOOGLE_PREFIX:
secret:
GOOGLE_CREDENTIALS_JSON: my-json-file-base64-encoded
gcp:
secret:
enabled: true
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
To set the values directly in the command line, use the following command. Note that we have to base64 encode the json file because we cannot pass a multi-line text as a value.
```shell
export JSONKEY=$(cat my-project-77e35d85a593.json | base64)
helm install stable/chartmuseum --debug --set gcp.secret.enabled=true,env.secret.GOOGLE_CREDENTIALS_JSON=${JSONKEY},env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum
```
### Using with Microsoft Azure Blob Storage
Make sure your environment is properly setup to access `mycontainer`.
To do so, you must set the following env vars:
- `AZURE_STORAGE_ACCOUNT`
- `AZURE_STORAGE_ACCESS_KEY`
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: microsoft
STORAGE_MICROSOFT_CONTAINER: mycontainer
# prefix to store charts for microsoft storage backend
STORAGE_MICROSOFT_PREFIX:
secret:
AZURE_STORAGE_ACCOUNT: "********" ## azure storage account
AZURE_STORAGE_ACCESS_KEY: "********" ## azure storage account access key
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with Alibaba Cloud OSS Storage
Make sure your environment is properly setup to access `my-oss-bucket`.
To do so, you must set the following env vars:
- `ALIBABA_CLOUD_ACCESS_KEY_ID`
- `ALIBABA_CLOUD_ACCESS_KEY_SECRET`
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: alibaba
STORAGE_ALIBABA_BUCKET: my-oss-bucket
STORAGE_ALIBABA_PREFIX:
STORAGE_ALIBABA_ENDPOINT: oss-cn-beijing.aliyuncs.com
secret:
ALIBABA_CLOUD_ACCESS_KEY_ID: "********" ## alibaba OSS access key id
ALIBABA_CLOUD_ACCESS_KEY_SECRET: "********" ## alibaba OSS access key secret
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with Openstack Object Storage
Make sure your environment is properly setup to access `mycontainer`.
To do so, you must set the following env vars (depending on your openstack version):
- `OS_AUTH_URL`
- either `OS_PROJECT_NAME` or `OS_TENANT_NAME` or `OS_PROJECT_ID` or `OS_TENANT_ID`
- either `OS_DOMAIN_NAME` or `OS_DOMAIN_ID`
- either `OS_USERNAME` or `OS_USERID`
- `OS_PASSWORD`
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: openstack
STORAGE_OPENSTACK_CONTAINER: mycontainer
STORAGE_OPENSTACK_PREFIX:
STORAGE_OPENSTACK_REGION: YOURREGION
secret:
OS_AUTH_URL: https://myauth.url.com/v2.0/
OS_TENANT_ID: yourtenantid
OS_USERNAME: yourusername
OS_PASSWORD: yourpassword
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with Oracle Object Storage
Oracle (OCI) configuration and private key need to be added to a secret and are mounted at /home/chartmuseum/.oci. Your OCI config needs to be under [DEFAULT] and your `key_file` needs to be /home/chartmuseum/.oci/oci.key. See https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm
```shell
kubectl create secret generic chartmuseum-secret --from-file=config=".oci/config" --from-file=key_file=".oci/oci.key"
```
Then you can either use a `VALUES` yaml with your values or set those values in the command line:
```shell
helm install stable/chartmuseum --debug --set env.open.STORAGE=oracle,env.open.STORAGE_ORACLE_COMPARTMENTID=ocid1.compartment.oc1..abc123,env.open.STORAGE_ORACLE_BUCKET=myocibucket,env.open.STORAGE_ORACLE_PREFIX=chartmuseum,oracle.secret.enabled=true,oracle.secret.name=chartmuseum-secret
```
If you prefer to use a yaml file:
```yaml
env:
open:
STORAGE: oracle
STORAGE_ORACLE_COMPARTMENTID: ocid1.compartment.oc1..abc123
STORAGE_ORACLE_BUCKET: myocibucket
STORAGE_ORACLE_PREFIX: chartmuseum
oracle:
secret:
enabled: enabled
name: chartmuseum-secret
config: config
key_file: key_file
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using an existing secret
It is possible to pre-create a secret in kubernetes and get this chart to use that
Given you are for example using the above AWS example
You could create a Secret like this
```shell
kubectl create secret generic chartmuseum-secret --from-literal="aws-access-key=myaccesskey" --from-literal="aws-secret-access-key=mysecretaccesskey" --from-literal="basic-auth-user=curator" --from-literal="basic-auth-pass=mypassword"
```
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: amazonexistingSecret
STORAGE_AMAZON_BUCKET: my-s3-bucket
STORAGE_AMAZON_PREFIX:
STORAGE_AMAZON_REGION: us-east-1
existingSecret: chartmuseum-secret
existingSecretMappings:
AWS_ACCESS_KEY_ID: aws-access-key
AWS_SECRET_ACCESS_KEY: aws-secret-access-key
BASIC_AUTH_USER: basic-auth-user
BASIC_AUTH_PASS: basic-auth-pass
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with local filesystem storage
By default chartmuseum uses local filesystem storage.
But on pod recreation it will lose all charts, to prevent that enable persistent storage.
```yaml
env:
open:
STORAGE: local
persistence:
enabled: true
accessMode: ReadWriteOnce
size: 8Gi
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
# existingClaim:
## Chartmuseum data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Setting local storage permissions with initContainers
Some clusters do not allow using securityContext to set permissions for persistent volumes. Instead, an initContainer can be created to run `chown` on the mounted volume. To enable it, set `securityContext.enabled` to `false`.
#### Example storage class
Example storage-class.yaml provided here for use with a Ceph cluster.
```
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: storage-volume
provisioner: kubernetes.io/rbd
parameters:
monitors: "10.11.12.13:4567,10.11.12.14:4567"
adminId: admin
adminSecretName: thesecret
adminSecretNamespace: default
pool: chartstore
userId: user
userSecretName: thesecret
```
### Authentication
By default this chart does not have any authentication configured and allows anyone to fetch or upload (assuming the API is enabled) charts there are two supported methods of authentication
#### Basic Authentication
This allows all API routes to be protected by HTTP basic auth, this is configured either as plain text in the values that gets stored as a secret in the kubernetes cluster by setting:
```yaml
env:
secret:
BASIC_AUTH_USER: curator
BASIC_AUTH_PASS: mypassword
```
Or by using values from an existing secret in the cluster that can be created using:
```shell
kubectl create secret generic chartmuseum-secret --from-literal="basic-auth-user=curator" --from-literal="basic-auth-pass=mypassword"
```
This secret can be used in the values file as follows:
```yaml
env:
existingSecret: chartmuseum-secret
existingSecretMappings:
BASIC_AUTH_USER: basic-auth-user
BASIC_AUTH_PASS: basic-auth-pass
```
#### Bearer/Token auth
When using this ChartMuseum is configured with a public key, and will accept RS256 JWT tokens signed by the associated private key, passed in the Authorization header. You can use the [chartmuseum/auth](https://github.com/chartmuseum/auth) Go library to generate valid JWT tokens. For more information about how this works, please see [chartmuseum/auth-server-example](https://github.com/chartmuseum/auth-server-example)
To use this the public key should be stored in a secret this can be done with
```shell
kubectl create secret generic chartmuseum-public-key --from-file=public-key.pem
```
And Bearer/Token auth can be configured using the following values
```yaml
env:
open:
BEARER_AUTH: true
AUTH_REALM: <realm>
AUTH_SERVICE: <service>
bearerAuth:
secret:
enabled: true
publicKeySecret: chartmuseum-public-key
```
### Ingress
This chart provides support for ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress](https://hub.kubeapps.com/charts/stable/nginx-ingress) or [traefik](https://hub.kubeapps.com/charts/stable/traefik) you can utilize the ingress controller to expose Kubeapps.
To enable ingress integration, please set `ingress.enabled` to `true`
#### Hosts
Most likely you will only want to have one hostname that maps to this Chartmuseum installation, however, it is possible to have more than one host. To facilitate this, the `ingress.hosts` object is an array. TLS secrets referenced in the ingress host configuration must be manually created in the namespace.
In most cases, you should not specify values for `ingress.hosts[0].serviceName` and `ingress.hosts[0].servicePort`. However, some ingress controllers support advanced scenarios requiring you to specify these values. For example, [setting up an SSL redirect using the AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/tasks/ssl_redirect/).
#### Extra Paths
Specifying extra paths to prepend to every host configuration is especially useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions).
```shell
helm install --name my-chartmuseum stable/chartmuseum \
--set ingress.enabled=true \
--set ingress.hosts[0].name=chartmuseum.domain.com \
--set ingress.extraPaths[0].service=ssl-redirect \
--set ingress.extraPaths[0].port=use-annotation \
```
#### Annotations
For annotations, please see [this document for nginx](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) and [this document for Traefik](https://docs.traefik.io/configuration/backends/kubernetes/#general-annotations). Not all annotations are supported by all ingress controllers, but this document does a good job of indicating which annotation is supported by many popular ingress controllers. Annotations can be set using `ingress.annotations`.
#### Example Ingress configuration
```shell
helm install --name my-chartmuseum stable/chartmuseum \
--set ingress.enabled=true \
--set ingress.hosts[0].name=chartmuseum.domain.com \
--set ingress.hosts[0].path=/
--set ingress.hosts[0].tls=true
--set ingress.hosts[0].tlsSecret=chartmuseum.tls-secret
```
## Uninstall
By default, a deliberate uninstall will result in the persistent volume
claim being deleted.
```shell
helm delete my-chartmuseum
```
To delete the deployment and its history:
```shell
helm delete --purge my-chartmuseum
```

9
chartmuseum/ci/ingress-values.yaml Executable file
View File

@ -0,0 +1,9 @@
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
hosts:
- name: chartmuseum.domain1.com
path: /
tls: false

30
chartmuseum/templates/NOTES.txt Executable file
View File

@ -0,0 +1,30 @@
** Please be patient while the chart is being deployed **
Get the ChartMuseum URL by running:
{{- if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "chartmuseum.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT{{ .Values.env.open.CONTEXT_PATH }}/
{{- else if contains "LoadBalancer" .Values.service.type }}
** Please ensure an external IP is associated to the {{ template "chartmuseum.fullname" . }} service before proceeding **
** Watch the status using: kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "chartmuseum.fullname" . }} **
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "chartmuseum.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.externalPort }}{{ .Values.env.open.CONTEXT_PATH }}/
OR
export SERVICE_HOST=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "chartmuseum.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
echo http://$SERVICE_HOST:{{ .Values.service.externalPort }}{{ .Values.env.open.CONTEXT_PATH }}/
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "chartmuseum.name" . }}" -l "release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo http://127.0.0.1:8080{{ .Values.env.open.CONTEXT_PATH }}/
kubectl port-forward $POD_NAME 8080:8080 --namespace {{ .Release.Namespace }}
{{- end }}

142
chartmuseum/templates/_helpers.tpl Executable file
View File

@ -0,0 +1,142 @@
{{- /*
name defines a template for the name of the chartmuseum chart.
The prevailing wisdom is that names should only contain a-z, 0-9 plus dot (.) and dash (-), and should
not exceed 63 characters.
Parameters:
- .Values.nameOverride: Replaces the computed name with this given name
- .Values.namePrefix: Prefix
- .Values.global.namePrefix: Global prefix
- .Values.nameSuffix: Suffix
- .Values.global.nameSuffix: Global suffix
The applied order is: "global prefix + prefix + name + suffix + global suffix"
Usage: 'name: "{{- template "chartmuseum.name" . -}}"'
*/ -}}
{{- define "chartmuseum.name"}}
{{- $global := default (dict) .Values.global -}}
{{- $base := default .Chart.Name .Values.nameOverride -}}
{{- $gpre := default "" $global.namePrefix -}}
{{- $pre := default "" .Values.namePrefix -}}
{{- $suf := default "" .Values.nameSuffix -}}
{{- $gsuf := default "" $global.nameSuffix -}}
{{- $name := print $gpre $pre $base $suf $gsuf -}}
{{- $name | lower | trunc 54 | trimSuffix "-" -}}
{{- end -}}
{{- /*
fullname defines a suitably unique name for a resource by combining
the release name and the chartmuseum chart name.
The prevailing wisdom is that names should only contain a-z, 0-9 plus dot (.) and dash (-), and should
not exceed 63 characters.
Parameters:
- .Values.fullnameOverride: Replaces the computed name with this given name
- .Values.fullnamePrefix: Prefix
- .Values.global.fullnamePrefix: Global prefix
- .Values.fullnameSuffix: Suffix
- .Values.global.fullnameSuffix: Global suffix
The applied order is: "global prefix + prefix + name + suffix + global suffix"
Usage: 'name: "{{- template "chartmuseum.fullname" . -}}"'
*/ -}}
{{- define "chartmuseum.fullname"}}
{{- $global := default (dict) .Values.global -}}
{{- $base := default (printf "%s-%s" .Release.Name .Chart.Name) .Values.fullnameOverride -}}
{{- $gpre := default "" $global.fullnamePrefix -}}
{{- $pre := default "" .Values.fullnamePrefix -}}
{{- $suf := default "" .Values.fullnameSuffix -}}
{{- $gsuf := default "" $global.fullnameSuffix -}}
{{- $name := print $gpre $pre $base $suf $gsuf -}}
{{- $name | lower | trunc 54 | trimSuffix "-" -}}
{{- end -}}
{{- /*
chartmuseum.labels.standard prints the standard chartmuseum Helm labels.
The standard labels are frequently used in metadata.
*/ -}}
{{- define "chartmuseum.labels.standard" -}}
app: {{ template "chartmuseum.name" . }}
chart: {{ template "chartmuseum.chartref" . }}
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
{{- end -}}
{{- /*
chartmuseum.chartref prints a chart name and version.
It does minimal escaping for use in Kubernetes labels.
Example output:
chartmuseum-0.4.5
*/ -}}
{{- define "chartmuseum.chartref" -}}
{{- replace "+" "_" .Chart.Version | printf "%s-%s" .Chart.Name -}}
{{- end -}}
{{/*
Return the proper image name to change the volume permissions
*/}}
{{- define "chartmuseum.volumePermissions.image" -}}
{{- $registryName := .Values.volumePermissions.image.registry -}}
{{- $repositoryName := .Values.volumePermissions.image.repository -}}
{{- $tag := .Values.volumePermissions.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "chartmuseum.imagePullSecrets" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
Also, we can not use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- else if or .Values.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- else if or .Values.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- end -}}

220
chartmuseum/templates/deployment.yaml Executable file
View File

@ -0,0 +1,220 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "chartmuseum.fullname" . }}
annotations:
{{ toYaml .Values.deployment.annotations | indent 4 }}
labels:
{{ include "chartmuseum.labels.standard" . | indent 4 }}
{{- if .Values.deployment.labels }}
{{ toYaml .Values.deployment.labels | indent 4 }}
{{- end }}
spec:
selector:
matchLabels:
app: {{ template "chartmuseum.name" . }}
release: {{ .Release.Name | quote }}
{{- if .Values.deployment.labels }}
{{ toYaml .Values.deployment.labels | indent 6 }}
{{- end }}
replicas: {{ .Values.replicaCount }}
strategy:
{{ toYaml .Values.strategy | indent 4 }}
revisionHistoryLimit: 10
{{- if .Values.deployment.matchlabes }}
selector:
matchLabels:
{{ toYaml .Values.deployment.matchlabels | indent 6 }}
{{- end }}
template:
metadata:
name: {{ include "chartmuseum.fullname" . }}
annotations:
{{ toYaml .Values.replica.annotations | indent 8 }}
labels:
app: {{ template "chartmuseum.name" . }}
release: {{ .Release.Name | quote }}
{{- if .Values.deployment.labels }}
{{ toYaml .Values.deployment.labels | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- if .Values.securityContext.runAsNonRoot }}
runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
{{- end }}
{{- if .Values.securityContext.supplementalGroups }}
supplementalGroups: {{ .Values.securityContext.supplementalGroups }}
{{- end }}
{{- else if .Values.persistence.enabled }}
initContainers:
- name: volume-permissions
image: {{ template "chartmuseum.volumePermissions.image" . }}
imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}"
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 10 }}
command: ['sh', '-c', 'chown -R {{ .Values.securityContext.fsGroup }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.path }}']
volumeMounts:
- mountPath: {{ .Values.persistence.path }}
name: storage-volume
{{- end }}
{{- include "chartmuseum.imagePullSecrets" . | indent 6 }}
containers:
- name: {{ .Chart.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- range $name, $value := .Values.env.open }}
{{- if not (empty $value) }}
- name: {{ $name | quote }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
{{- range $name, $value := .Values.env.field }}
{{- if not ( empty $value) }}
- name: {{ $name | quote }}
valueFrom:
fieldRef:
fieldPath: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if .Values.gcp.secret.enabled }}
- name: GOOGLE_APPLICATION_CREDENTIALS
value: "/etc/secrets/google/credentials.json"
{{- end }}
{{- if .Values.env.existingSecret }}
{{- $secret_name := .Values.env.existingSecret }}
{{- range $name, $key := .Values.env.existingSecretMappings }}
{{- if not ( empty $key) }}
- name: {{ $name | quote }}
valueFrom:
secretKeyRef:
name: {{ $secret_name | quote }}
key: {{ $key | quote }}
{{- end }}
{{- end }}
{{- else }}
{{- $secret_name := include "chartmuseum.fullname" . }}
{{- range $name, $value := .Values.env.secret }}
{{- if not ( empty $value) }}
- name: {{ $name | quote }}
valueFrom:
secretKeyRef:
name: {{ $secret_name }}
key: {{ $name | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.bearerAuth.secret.enabled }}
- name: AUTH_CERT_PATH
value: /var/keys/public-key.pem
{{ end }}
args:
- --port=8080
{{- if eq .Values.env.open.STORAGE "local" }}
- --storage-local-rootdir={{ .Values.persistence.path }}
{{- end }}
{{- if .Values.extraArgs }}
{{ toYaml .Values.extraArgs | indent 8 }}
{{- end }}
ports:
- name: http
containerPort: 8080
livenessProbe:
httpGet:
path: {{ .Values.env.open.CONTEXT_PATH }}/health
port: http
{{ toYaml .Values.probes.liveness | indent 10 }}
readinessProbe:
httpGet:
path: {{ .Values.env.open.CONTEXT_PATH }}/health
port: http
{{ toYaml .Values.probes.readiness | indent 10 }}
volumeMounts:
{{- if eq .Values.env.open.STORAGE "local" }}
- mountPath: {{ .Values.persistence.path }}
name: storage-volume
{{- end }}
{{- if .Values.gcp.secret.enabled }}
- mountPath: /etc/secrets/google
name: {{ include "chartmuseum.fullname" . }}-gcp
{{- end }}
{{- if .Values.oracle.secret.enabled }}
- mountPath: /home/chartmuseum/.oci
name: {{ include "chartmuseum.fullname" . }}-oracle
{{- end }}
{{- if .Values.bearerAuth.secret.enabled }}
- name: public-key
mountPath: /var/keys
readOnly: true
{{- end }}
{{- with .Values.resources }}
resources:
{{ toYaml . | indent 10 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.deployment.schedulerName }}
schedulerName: {{ .Values.deployment.schedulerName }}
{{- end -}}
{{- if and .Values.serviceAccount.create .Values.serviceAccount.name }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- else if .Values.serviceAccount.create }}
serviceAccountName: {{ include "chartmuseum.fullname" . }}
{{- else if .Values.serviceAccount.name }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- end }}
volumes:
- name: storage-volume
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "chartmuseum.fullname" .) }}
{{- else }}
emptyDir: {}
{{- end -}}
{{ if .Values.gcp.secret.enabled }}
- name: {{ include "chartmuseum.fullname" . }}-gcp
secret:
{{ if .Values.env.secret.GOOGLE_CREDENTIALS_JSON }}
secretName: {{ include "chartmuseum.fullname" . }}
items:
- key: GOOGLE_CREDENTIALS_JSON
path: credentials.json
{{ else }}
secretName: {{ .Values.gcp.secret.name }}
items:
- key: {{ .Values.gcp.secret.key }}
path: credentials.json
{{ end }}
{{ end }}
{{ if .Values.oracle.secret.enabled }}
- name: {{ include "chartmuseum.fullname" . }}-oracle
secret:
secretName: {{ .Values.oracle.secret.name }}
items:
- key: {{ .Values.oracle.secret.config }}
path: config
- key: {{ .Values.oracle.secret.key_file }}
path: oci.key
{{ end }}
{{- if .Values.bearerAuth.secret.enabled }}
- name: public-key
secret:
secretName: {{ .Values.bearerAuth.secret.publicKeySecret }}
{{- end }}

54
chartmuseum/templates/ingress.yaml Executable file
View File

@ -0,0 +1,54 @@
{{- if .Values.ingress.enabled }}
{{- $servicePort := .Values.service.externalPort -}}
{{- $serviceName := include "chartmuseum.fullname" . -}}
{{- $ingressExtraPaths := .Values.ingress.extraPaths -}}
---
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }}
apiVersion: networking.k8s.io/v1beta1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ include "chartmuseum.fullname" . }}
annotations:
{{ toYaml .Values.ingress.annotations | indent 4 }}
labels:
{{- if .Values.ingress.labels }}
{{ toYaml .Values.ingress.labels | indent 4 }}
{{- end }}
{{ include "chartmuseum.labels.standard" . | indent 4 }}
spec:
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .name }}
http:
paths:
{{- range $ingressExtraPaths }}
- path: {{ default "/" .path | quote }}
backend:
{{- if $.Values.service.servicename }}
serviceName: {{ $.Values.service.servicename }}
{{- else }}
serviceName: {{ default $serviceName .service }}
{{- end }}
servicePort: {{ default $servicePort .port }}
{{- end }}
- path: {{ default "/" .path | quote }}
backend:
{{- if $.Values.service.servicename }}
serviceName: {{ $.Values.service.servicename }}
{{- else }}
serviceName: {{ default $serviceName .service }}
{{- end }}
servicePort: {{ default $servicePort .servicePort }}
{{- end }}
tls:
{{- range .Values.ingress.hosts }}
{{- if .tls }}
- hosts:
- {{ .name }}
secretName: {{ .tlsSecret }}
{{- end }}
{{- end }}
{{- end -}}

21
chartmuseum/templates/pv.yaml Executable file
View File

@ -0,0 +1,21 @@
{{- if .Values.persistence.pv.enabled -}}
apiVersion: v1
kind: PersistentVolume
metadata:
{{- if .Values.persistence.pv.pvname }}
name: {{ .Values.persistence.pv.pvname }}
{{- else }}
name: {{ include "chartmuseum.fullname" . }}
{{- end }}
labels:
app: {{ include "chartmuseum.fullname" . }}
release: {{ .Release.Name | quote }}
spec:
capacity:
storage: {{ .Values.persistence.pv.capacity.storage }}
accessModes:
- {{ .Values.persistence.pv.accessMode | quote }}
nfs:
server: {{ .Values.persistence.pv.nfs.server }}
path: {{ .Values.persistence.pv.nfs.path | quote }}
{{- end }}

27
chartmuseum/templates/pvc.yaml Executable file
View File

@ -0,0 +1,27 @@
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ include "chartmuseum.fullname" . }}
labels:
app: {{ include "chartmuseum.fullname" . }}
release: {{ .Release.Name | quote }}
{{- if .Values.persistence.labels }}
{{ toYaml .Values.persistence.labels | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- else if and .Values.persistence.volumeName (.Values.persistence.pv.enabled) }}
volumeName: "{{ .Values.persistence.volumeName }}"
{{- end }}
{{- end }}

22
chartmuseum/templates/secret.yaml Executable file
View File

@ -0,0 +1,22 @@
{{- if not .Values.env.existingSecret -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "chartmuseum.fullname" . }}
labels:
{{- if .Values.secret.labels }}
{{ toYaml .Values.secret.labels | indent 4 }}
{{- end }}
{{ include "chartmuseum.labels.standard" . | indent 4 }}
type: Opaque
data:
{{- range $name, $value := .Values.env.secret }}
{{- if not (empty $value) }}
{{- if eq $name "GOOGLE_CREDENTIALS_JSON" }}
{{ $name }}: {{ $value }}
{{- else }}
{{ $name }}: {{ $value | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

45
chartmuseum/templates/service.yaml Executable file
View File

@ -0,0 +1,45 @@
apiVersion: v1
kind: Service
metadata:
{{- if .Values.service.servicename }}
name: {{ .Values.service.servicename }}
{{- else }}
name: {{ include "chartmuseum.fullname" . }}
{{- end }}
labels:
{{ include "chartmuseum.labels.standard" . | indent 4 }}
{{- if .Values.service.labels }}
{{ toYaml .Values.service.labels | indent 4 }}
{{- end }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if (or (eq .Values.service.type "LoadBalancer") (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)))) }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
{{- end }}
{{- if (and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges) }}
loadBalancerSourceRanges:
{{- with .Values.service.loadBalancerSourceRanges }}
{{ toYaml . | indent 2 }}
{{- end }}
{{- end }}
{{- if eq .Values.service.type "ClusterIP" }}
{{- if .Values.service.clusterIP }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.externalPort }}
{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
nodePort: {{.Values.service.nodePort}}
{{- else }}
targetPort: http
{{- end }}
protocol: TCP
name: http
selector:
app: {{ template "chartmuseum.name" . }}
release: {{ .Release.Name | quote }}

17
chartmuseum/templates/serviceaccount.yaml Executable file
View File

@ -0,0 +1,17 @@
{{- if .Values.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
{{- if .Values.serviceAccount.name }}
name: {{ .Values.serviceAccount.name }}
{{- else }}
name: {{ include "chartmuseum.fullname" . }}
{{- end }}
labels:
{{ include "chartmuseum.labels.standard" . | indent 4 }}
{{- if .Values.serviceAccount.annotations }}
annotations:
{{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- end -}}

34
chartmuseum/templates/servicemonitor.yaml Executable file
View File

@ -0,0 +1,34 @@
{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) ( .Values.serviceMonitor.enabled ) }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
{{- if .Values.serviceMonitor.labels }}
labels:
{{ toYaml .Values.serviceMonitor.labels | indent 4 }}
{{- end }}
name: {{ template "chartmuseum.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- if .Values.serviceMonitor.namespace }}
namespace: {{ .Values.serviceMonitor.namespace }}
{{- end }}
spec:
endpoints:
- targetPort: 8080
{{- if .Values.serviceMonitor.interval }}
interval: {{ .Values.serviceMonitor.interval }}
{{- end }}
{{- if .Values.serviceMonitor.metricsPath }}
path: {{ .Values.serviceMonitor.metricsPath }}
{{- end }}
{{- if .Values.serviceMonitor.timeout }}
scrapeTimeout: {{ .Values.serviceMonitor.timeout }}
{{- end }}
jobLabel: {{ template "chartmuseum.fullname" . }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
app: {{ template "chartmuseum.name" . }}
release: {{ .Release.Name }}
{{- end }}

306
chartmuseum/values.yaml Executable file
View File

@ -0,0 +1,306 @@
extraArgs:
# - --storage-timestamp-tolerance 1s
replicaCount: 1
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 0
image:
repository: chartmuseum/chartmuseum
tag: v0.12.0
pullPolicy: IfNotPresent
secret:
labels: {}
env:
open:
# storage backend, can be one of: local, alibaba, amazon, google, microsoft, oracle
STORAGE: local
# oss bucket to store charts for alibaba storage backend
STORAGE_ALIBABA_BUCKET:
# prefix to store charts for alibaba storage backend
STORAGE_ALIBABA_PREFIX:
# oss endpoint to store charts for alibaba storage backend
STORAGE_ALIBABA_ENDPOINT:
# server side encryption algorithm for alibaba storage backend, can be one
# of: AES256 or KMS
STORAGE_ALIBABA_SSE:
# s3 bucket to store charts for amazon storage backend
STORAGE_AMAZON_BUCKET:
# prefix to store charts for amazon storage backend
STORAGE_AMAZON_PREFIX:
# region of s3 bucket to store charts
STORAGE_AMAZON_REGION:
# alternative s3 endpoint
STORAGE_AMAZON_ENDPOINT:
# server side encryption algorithm
STORAGE_AMAZON_SSE:
# gcs bucket to store charts for google storage backend
STORAGE_GOOGLE_BUCKET:
# prefix to store charts for google storage backend
STORAGE_GOOGLE_PREFIX:
# container to store charts for microsoft storage backend
STORAGE_MICROSOFT_CONTAINER:
# prefix to store charts for microsoft storage backend
STORAGE_MICROSOFT_PREFIX:
# container to store charts for openstack storage backend
STORAGE_OPENSTACK_CONTAINER:
# prefix to store charts for openstack storage backend
STORAGE_OPENSTACK_PREFIX:
# region of openstack container
STORAGE_OPENSTACK_REGION:
# path to a CA cert bundle for your openstack endpoint
STORAGE_OPENSTACK_CACERT:
# compartment id for for oracle storage backend
STORAGE_ORACLE_COMPARTMENTID:
# oci bucket to store charts for oracle storage backend
STORAGE_ORACLE_BUCKET:
# prefix to store charts for oracle storage backend
STORAGE_ORACLE_PREFIX:
# form field which will be queried for the chart file content
CHART_POST_FORM_FIELD_NAME: chart
# form field which will be queried for the provenance file content
PROV_POST_FORM_FIELD_NAME: prov
# levels of nested repos for multitenancy. The default depth is 0 (singletenant server)
DEPTH: 0
# show debug messages
DEBUG: false
# output structured logs as json
LOG_JSON: true
# disable use of index-cache.yaml
DISABLE_STATEFILES: false
# disable Prometheus metrics
DISABLE_METRICS: true
# disable all routes prefixed with /api
DISABLE_API: true
# allow chart versions to be re-uploaded
ALLOW_OVERWRITE: false
# absolute url for .tgzs in index.yaml
CHART_URL:
# allow anonymous GET operations when auth is used
AUTH_ANONYMOUS_GET: false
# sets the base context path
CONTEXT_PATH:
# parallel scan limit for the repo indexer
INDEX_LIMIT: 0
# cache store, can be one of: redis (leave blank for inmemory cache)
CACHE:
# address of Redis service (host:port)
CACHE_REDIS_ADDR:
# Redis database to be selected after connect
CACHE_REDIS_DB: 0
# enable bearer auth
BEARER_AUTH: false
# auth realm used for bearer auth
AUTH_REALM:
# auth service used for bearer auth
AUTH_SERVICE:
field:
# POD_IP: status.podIP
secret:
# username for basic http authentication
BASIC_AUTH_USER:
# password for basic http authentication
BASIC_AUTH_PASS:
# GCP service account json file
GOOGLE_CREDENTIALS_JSON:
# Redis requirepass server configuration
CACHE_REDIS_PASSWORD:
# Name of an existing secret to get the secret values ftom
existingSecret:
# Stores Enviromnt Variable to secret key name mappings
existingSecretMappings:
# username for basic http authentication
BASIC_AUTH_USER:
# password for basic http authentication
BASIC_AUTH_PASS:
# GCP service account json file
GOOGLE_CREDENTIALS_JSON:
# Redis requirepass server configuration
CACHE_REDIS_PASSWORD:
deployment:
# Define scheduler name. Use of 'default' if empty
schedulerName: ""
## Chartmuseum Deployment annotations
annotations: {}
# name: value
labels: {}
# name: value
matchlabels: {}
# name: value
replica:
## Chartmuseum Replicas annotations
annotations: {}
## Read more about kube2iam to provide access to s3 https://github.com/jtblin/kube2iam
# iam.amazonaws.com/role: role-arn
service:
servicename:
type: ClusterIP
externalTrafficPolicy: Local
## Limits which cidr blocks can connect to service's load balancer
## Only valid if service.type: LoadBalancer
loadBalancerSourceRanges: []
# clusterIP: None
externalPort: 8080
nodePort:
annotations: {}
labels: {}
serviceMonitor:
enabled: false
# namespace: prometheus
labels: {}
metricsPath: "/metrics"
# timeout: 60
# interval: 60
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 80m
# memory: 64Mi
probes:
liveness:
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readiness:
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
serviceAccount:
create: false
# name:
## Annotations for the Service Account
annotations: {}
# UID/GID 1000 is the default user "chartmuseum" used in
# the container image starting in v0.8.0 and above. This
# is required for local persistent storage. If your cluster
# does not allow this, try setting securityContext: {}
securityContext:
enabled: true
fsGroup: 1000
## Optionally, specify supplementalGroups and/or
## runAsNonRoot for security purposes
# runAsNonRoot: true
# supplementalGroups: [1000]
containerSecurityContext: {}
priorityClassName: ""
nodeSelector: {}
tolerations: []
affinity: {}
persistence:
enabled: false
accessMode: ReadWriteOnce
size: 8Gi
labels: {}
path: /storage
# name: value
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
# existingClaim:
## Chartmuseum data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
# volumeName:
pv:
enabled: false
pvname:
capacity:
storage: 8Gi
accessMode: ReadWriteOnce
nfs:
server:
path:
## Init containers parameters:
## volumePermissions: Change the owner of the persistent volume mountpoint to RunAsUser:fsGroup
##
volumePermissions:
image:
registry: docker.io
repository: bitnami/minideb
tag: buster
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Ingress for load balancer
ingress:
enabled: false
## Chartmuseum Ingress labels
##
# labels:
# dns: "route53"
## Chartmuseum Ingress annotations
##
# annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
## Chartmuseum Ingress hostnames
## Must be provided if Ingress is enabled
##
# hosts:
# - name: chartmuseum.domain1.com
# path: /
# tls: false
# - name: chartmuseum.domain2.com
# path: /
#
# ## Set this to true in order to enable TLS on the ingress record
# tls: true
#
# ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS
# ## Secrets must be added manually to the namespace
# tlsSecret: chartmuseum.domain2-tls
# Adding secrets to tiller is not a great option, so If you want to use an existing
# secret that contains the json file, you can use the following entries
gcp:
secret:
enabled: false
# Name of the secret that contains the encoded json
name:
# Secret key that holds the json value.
key: credentials.json
oracle:
secret:
enabled: false
# Name of the secret that contains the encoded config and key
name:
# Secret key that holds the oci config
config: config
# Secret key that holds the oci private key
key_file: key_file
bearerAuth:
secret:
enabled: false
publicKeySecret: chartmuseum-public-key

21
docker-registry/.helmignore Normal file
View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

10
docker-registry/Chart.yaml Normal file
View File

@ -0,0 +1,10 @@
apiVersion: v1
description: DEPRECATED A Helm chart for Docker Registry
name: docker-registry
version: 1.9.6
appVersion: 2.7.1
home: https://hub.docker.com/_/registry/
icon: https://hub.docker.com/public/images/logos/mini-logo.svg
sources:
- https://github.com/docker/distribution-library-image
deprecated: true

95
docker-registry/README.md Normal file
View File

@ -0,0 +1,95 @@
# ⚠️ Repo Archive Notice
As of Nov 13, 2020, charts in this repo will no longer be updated.
For more information, see the Helm Charts [Deprecation and Archive Notice](https://github.com/helm/charts#%EF%B8%8F-deprecation-and-archive-notice), and [Update](https://helm.sh/blog/charts-repo-deprecation/).
# Docker Registry Helm Chart
This directory contains a Kubernetes chart to deploy a private Docker Registry.
## DEPRECATION NOTICE
This chart is deprecated and no longer supported.
## Prerequisites Details
* PV support on underlying infrastructure (if persistence is required)
## Chart Details
This chart will do the following:
* Implement a Docker registry deployment
## Installing the Chart
To install the chart, use the following:
```console
$ helm install stable/docker-registry
```
## Configuration
The following table lists the configurable parameters of the docker-registry chart and
their default values.
| Parameter | Description | Default |
|:----------------------------|:-------------------------------------------------------------------------------------------|:----------------|
| `image.pullPolicy` | Container pull policy | `IfNotPresent` |
| `image.repository` | Container image to use | `registry` |
| `image.tag` | Container image tag to deploy | `2.7.1` |
| `imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) |
| `persistence.accessMode` | Access mode to use for PVC | `ReadWriteOnce` |
| `persistence.enabled` | Whether to use a PVC for the Docker storage | `false` |
| `persistence.deleteEnabled` | Enable the deletion of image blobs and manifests by digest | `nil` |
| `persistence.size` | Amount of space to claim for PVC | `10Gi` |
| `persistence.storageClass` | Storage Class to use for PVC | `-` |
| `persistence.existingClaim` | Name of an existing PVC to use for config | `nil` |
| `service.port` | TCP port on which the service is exposed | `5000` |
| `service.type` | service type | `ClusterIP` |
| `service.clusterIP` | if `service.type` is `ClusterIP` and this is non-empty, sets the cluster IP of the service | `nil` |
| `service.nodePort` | if `service.type` is `NodePort` and this is non-empty, sets the node port of the service | `nil` |
| `service.loadBalancerIP | if `service.type` is `LoadBalancer` and this is non-empty, sets the loadBalancerIP of the service | `nil` |
| `service.loadBalancerSourceRanges`| if `service.type` is `LoadBalancer` and this is non-empty, sets the loadBalancerSourceRanges of the service | `nil` |
| `replicaCount` | k8s replicas | `1` |
| `updateStrategy` | update strategy for deployment | `{}` |
| `podAnnotations` | Annotations for pod | `{}` |
| `podLabels` | Labels for pod | `{}` |
| `podDisruptionBudget` | Pod disruption budget | `{}` |
| `resources.limits.cpu` | Container requested CPU | `nil` |
| `resources.limits.memory` | Container requested memory | `nil` |
| `priorityClassName ` | priorityClassName | `""` |
| `storage` | Storage system to use | `filesystem` |
| `tlsSecretName` | Name of secret for TLS certs | `nil` |
| `secrets.htpasswd` | Htpasswd authentication | `nil` |
| `secrets.s3.accessKey` | Access Key for S3 configuration | `nil` |
| `secrets.s3.secretKey` | Secret Key for S3 configuration | `nil` |
| `secrets.swift.username` | Username for Swift configuration | `nil` |
| `secrets.swift.password` | Password for Swift configuration | `nil` |
| `haSharedSecret` | Shared secret for Registry | `nil` |
| `configData` | Configuration hash for docker | `nil` |
| `s3.region` | S3 region | `nil` |
| `s3.regionEndpoint` | S3 region endpoint | `nil` |
| `s3.bucket` | S3 bucket name | `nil` |
| `s3.encrypt` | Store images in encrypted format | `nil` |
| `s3.secure` | Use HTTPS | `nil` |
| `swift.authurl` | Swift authurl | `nil` |
| `swift.container` | Swift container | `nil` |
| `nodeSelector` | node labels for pod assignment | `{}` |
| `affinity` | affinity settings | `{}` |
| `tolerations` | pod tolerations | `[]` |
| `ingress.enabled` | If true, Ingress will be created | `false` |
| `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.labels` | Ingress labels | `{}` |
| `ingress.path` | Ingress service path | `/` |
| `ingress.hosts` | Ingress hostnames | `[]` |
| `ingress.tls` | Ingress TLS configuration (YAML) | `[]` |
| `extraVolumeMounts` | Additional volumeMounts to the registry container | `[]` |
| `extraVolumes` | Additional volumes to the pod | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to
`helm install`.
To generate htpasswd file, run this docker command:
`docker run --entrypoint htpasswd registry:2 -Bbn user password > ./htpasswd`.

19
docker-registry/templates/NOTES.txt Normal file
View File

@ -0,0 +1,19 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "docker-registry.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "docker-registry.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "docker-registry.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "docker-registry.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME 8080:5000
{{- end }}

24
docker-registry/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,24 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "docker-registry.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "docker-registry.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

12
docker-registry/templates/configmap.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "docker-registry.fullname" . }}-config
labels:
app: {{ template "docker-registry.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
config.yml: |-
{{ toYaml .Values.configData | indent 4 }}

221
docker-registry/templates/deployment.yaml Normal file
View File

@ -0,0 +1,221 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "docker-registry.fullname" . }}
labels:
app: {{ template "docker-registry.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
selector:
matchLabels:
app: {{ template "docker-registry.name" . }}
release: {{ .Release.Name }}
replicas: {{ .Values.replicaCount }}
{{- if .Values.updateStrategy }}
strategy:
{{ toYaml .Values.updateStrategy | indent 4 }}
{{- end }}
minReadySeconds: 5
template:
metadata:
labels:
app: {{ template "docker-registry.name" . }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- if $.Values.podAnnotations }}
{{ toYaml $.Values.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /bin/registry
- serve
- /etc/docker/registry/config.yml
ports:
- containerPort: 5000
livenessProbe:
httpGet:
{{- if .Values.tlsSecretName }}
scheme: HTTPS
{{- end }}
path: /
port: 5000
readinessProbe:
httpGet:
{{- if .Values.tlsSecretName }}
scheme: HTTPS
{{- end }}
path: /
port: 5000
resources:
{{ toYaml .Values.resources | indent 12 }}
env:
{{- if .Values.secrets.htpasswd }}
- name: REGISTRY_AUTH
value: "htpasswd"
- name: REGISTRY_AUTH_HTPASSWD_REALM
value: "Registry Realm"
- name: REGISTRY_AUTH_HTPASSWD_PATH
value: "/auth/htpasswd"
{{- end }}
- name: REGISTRY_HTTP_SECRET
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: haSharedSecret
{{- if .Values.tlsSecretName }}
- name: REGISTRY_HTTP_TLS_CERTIFICATE
value: /etc/ssl/docker/tls.crt
- name: REGISTRY_HTTP_TLS_KEY
value: /etc/ssl/docker/tls.key
{{- end }}
{{- if eq .Values.storage "filesystem" }}
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
value: "/var/lib/registry"
{{- else if eq .Values.storage "azure" }}
- name: REGISTRY_STORAGE_AZURE_ACCOUNTNAME
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: azureAccountName
- name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: azureAccountKey
- name: REGISTRY_STORAGE_AZURE_CONTAINER
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: azureContainer
{{- else if eq .Values.storage "s3" }}
{{- if and .Values.secrets.s3.secretKey .Values.secrets.s3.accessKey }}
- name: REGISTRY_STORAGE_S3_ACCESSKEY
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: s3AccessKey
- name: REGISTRY_STORAGE_S3_SECRETKEY
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: s3SecretKey
{{- end }}
- name: REGISTRY_STORAGE_S3_REGION
value: {{ required ".Values.s3.region is required" .Values.s3.region }}
{{- if .Values.s3.regionEndpoint }}
- name: REGISTRY_STORAGE_S3_REGIONENDPOINT
value: {{ .Values.s3.regionEndpoint }}
{{- end }}
- name: REGISTRY_STORAGE_S3_BUCKET
value: {{ required ".Values.s3.bucket is required" .Values.s3.bucket }}
{{- if .Values.s3.encrypt }}
- name: REGISTRY_STORAGE_S3_ENCRYPT
value: {{ .Values.s3.encrypt | quote }}
{{- end }}
{{- if .Values.s3.secure }}
- name: REGISTRY_STORAGE_S3_SECURE
value: {{ .Values.s3.secure | quote }}
{{- end }}
{{- else if eq .Values.storage "swift" }}
- name: REGISTRY_STORAGE_SWIFT_AUTHURL
value: {{ required ".Values.swift.authurl is required" .Values.swift.authurl }}
- name: REGISTRY_STORAGE_SWIFT_USERNAME
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: swiftUsername
- name: REGISTRY_STORAGE_SWIFT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "docker-registry.fullname" . }}-secret
key: swiftPassword
- name: REGISTRY_STORAGE_SWIFT_CONTAINER
value: {{ required ".Values.swift.container is required" .Values.swift.container }}
{{- end }}
{{- if .Values.persistence.deleteEnabled }}
- name: REGISTRY_STORAGE_DELETE_ENABLED
value: "true"
{{- end }}
volumeMounts:
{{- if .Values.secrets.htpasswd }}
- name: auth
mountPath: /auth
readOnly: true
{{- end }}
{{- if eq .Values.storage "filesystem" }}
- name: data
mountPath: /var/lib/registry/
{{- end }}
- name: "{{ template "docker-registry.fullname" . }}-config"
mountPath: "/etc/docker/registry"
{{- if .Values.tlsSecretName }}
- mountPath: /etc/ssl/docker
name: tls-cert
readOnly: true
{{- end }}
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
volumes:
{{- if .Values.secrets.htpasswd }}
- name: auth
secret:
secretName: {{ template "docker-registry.fullname" . }}-secret
items:
- key: htpasswd
path: htpasswd
{{- end }}
{{- if eq .Values.storage "filesystem" }}
- name: data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ template "docker-registry.fullname" . }}{{- end }}
{{- else }}
emptyDir: {}
{{- end -}}
{{- end }}
- name: {{ template "docker-registry.fullname" . }}-config
configMap:
name: {{ template "docker-registry.fullname" . }}-config
{{- if .Values.tlsSecretName }}
- name: tls-cert
secret:
secretName: {{ .Values.tlsSecretName }}
{{- end }}
{{- with .Values.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}

36
docker-registry/templates/ingress.yaml Normal file
View File

@ -0,0 +1,36 @@
{{- if .Values.ingress.enabled -}}
{{- $serviceName := include "docker-registry.fullname" . -}}
{{- $servicePort := .Values.service.port -}}
{{- $path := .Values.ingress.path -}}
apiVersion: {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} networking.k8s.io/v1beta1 {{- else }} extensions/v1beta1 {{- end }}
kind: Ingress
metadata:
name: {{ template "docker-registry.fullname" . }}
labels:
app: {{ template "docker-registry.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.ingress.labels }}
{{ toYaml .Values.ingress.labels | indent 4 }}
{{- end }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path: {{ $path }}
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}

17
docker-registry/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.podDisruptionBudget -}}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ template "docker-registry.fullname" . }}
labels:
app: {{ template "docker-registry.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
selector:
matchLabels:
app: {{ template "docker-registry.name" . }}
release: {{ .Release.Name }}
{{ toYaml .Values.podDisruptionBudget | indent 2 }}
{{- end -}}

26
docker-registry/templates/pvc.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if .Values.persistence.enabled }}
{{- if not .Values.persistence.existingClaim -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "docker-registry.fullname" . }}
labels:
app: {{ template "docker-registry.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- end }}
{{- end -}}

37
docker-registry/templates/secret.yaml Normal file
View File

@ -0,0 +1,37 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ template "docker-registry.fullname" . }}-secret
labels:
app: {{ template "docker-registry.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
type: Opaque
data:
{{- if .Values.secrets.htpasswd }}
htpasswd: {{ .Values.secrets.htpasswd | b64enc }}
{{- end }}
{{- if .Values.secrets.haSharedSecret }}
haSharedSecret: {{ .Values.secrets.haSharedSecret | b64enc | quote }}
{{- else }}
haSharedSecret: {{ randAlphaNum 16 | b64enc | quote }}
{{- end }}
{{- if eq .Values.storage "azure" }}
{{- if and .Values.secrets.azure.accountName .Values.secrets.azure.accountKey .Values.secrets.azure.container }}
azureAccountName: {{ .Values.secrets.azure.accountName | b64enc | quote }}
azureAccountKey: {{ .Values.secrets.azure.accountKey | b64enc | quote }}
azureContainer: {{ .Values.secrets.azure.container | b64enc | quote }}
{{- end }}
{{- else if eq .Values.storage "s3" }}
{{- if and .Values.secrets.s3.secretKey .Values.secrets.s3.accessKey }}
s3AccessKey: {{ .Values.secrets.s3.accessKey | b64enc | quote }}
s3SecretKey: {{ .Values.secrets.s3.secretKey | b64enc | quote }}
{{- end }}
{{- else if eq .Values.storage "swift" }}
{{- if and .Values.secrets.swift.username .Values.secrets.swift.password }}
swiftUsername: {{ .Values.secrets.swift.username | b64enc | quote }}
swiftPassword: {{ .Values.secrets.swift.password | b64enc | quote }}
{{- end }}
{{- end }}

35
docker-registry/templates/service.yaml Normal file
View File

@ -0,0 +1,35 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "docker-registry.fullname" . }}
labels:
app: {{ template "docker-registry.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if (and (eq .Values.service.type "ClusterIP") (not (empty .Values.service.clusterIP))) }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
{{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges))) }}
loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }}
{{- end }}
ports:
- port: {{ .Values.service.port }}
protocol: TCP
name: {{ .Values.service.name }}
targetPort: 5000
{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
selector:
app: {{ template "docker-registry.name" . }}
release: {{ .Release.Name }}

147
docker-registry/values.yaml Normal file
View File

@ -0,0 +1,147 @@
# Default values for docker-registry.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
updateStrategy:
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 1
# maxUnavailable: 0
podAnnotations: {}
podLabels: {}
image:
repository: registry
tag: 2.7.1
pullPolicy: IfNotPresent
# imagePullSecrets:
# - name: docker
service:
name: registry
type: ClusterIP
# clusterIP:
port: 5000
# nodePort:
# loadBalancerIP:
# loadBalancerSourceRanges:
annotations: {}
# foo.io/bar: "true"
ingress:
enabled: false
path: /
# Used to create an Ingress record.
hosts:
- chart-example.local
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
labels: {}
tls:
# Secrets must be manually created in the namespace.
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
persistence:
accessMode: 'ReadWriteOnce'
enabled: false
size: 10Gi
# storageClass: '-'
# set the type of filesystem to use: filesystem, s3
storage: filesystem
# Set this to name of secret for tls certs
# tlsSecretName: registry.docker.example.com
secrets:
haSharedSecret: ""
htpasswd: ""
# Secrets for Azure
# azure:
# accountName: ""
# accountKey: ""
# container: ""
# Secrets for S3 access and secret keys
# s3:
# accessKey: ""
# secretKey: ""
# Secrets for Swift username and password
# swift:
# username: ""
# password: ""
# Options for s3 storage type:
# s3:
# region: us-east-1
# regionEndpoint: s3.us-east-1.amazonaws.com
# bucket: my-bucket
# encrypt: false
# secure: true
# Options for swift storage type:
# swift:
# authurl: http://swift.example.com/
# container: my-container
configData:
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
securityContext:
enabled: true
runAsUser: 1000
fsGroup: 1000
priorityClassName: ""
podDisruptionBudget: {}
# maxUnavailable: 1
# minAvailable: 2
nodeSelector: {}
affinity: {}
tolerations: []
extraVolumeMounts: []
## Additional volumeMounts to the registry container.
# - mountPath: /secret-data
# name: cloudfront-pem-secret
# readOnly: true
extraVolumes: []
## Additional volumes to the pod.
# - name: cloudfront-pem-secret
# secret:
# secretName: cloudfront-credentials
# items:
# - key: cloudfront.pem
# path: cloudfront.pem
# mode: 511

23
dovecot/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

21
dovecot/Chart.yaml Normal file
View File

@ -0,0 +1,21 @@
apiVersion: v2
name: dovecot
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 0.1.2
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.
appVersion: 2.3.8

15
dovecot/templates/NOTES.txt Normal file
View File

@ -0,0 +1,15 @@
1. Get the application URL by running these commands:
{{- if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "dovecot.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "dovecot.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "dovecot.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "dovecot.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
{{- end }}

63
dovecot/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,63 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "dovecot.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "dovecot.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "dovecot.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "dovecot.labels" -}}
helm.sh/chart: {{ include "dovecot.chart" . }}
{{ include "dovecot.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Selector labels
*/}}
{{- define "dovecot.selectorLabels" -}}
app.kubernetes.io/name: {{ include "dovecot.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "dovecot.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "dovecot.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}

21
dovecot/templates/configmap.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- range $key, $val := .Values.dovecot.configmaps.dovecot }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: dovecot-{{ $key }}
data:
{{ $key | indent 2 }}: |
{{ $val | indent 4 }}
{{- end }}
{{- range $key, $val := .Values.dovecot.configmaps.confd }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: dovecot-confd-{{ $key }}
data:
{{ $key | indent 2 }}: |
{{ $val | indent 4 }}
{{- end }}

106
dovecot/templates/deployment.yaml Normal file
View File

@ -0,0 +1,106 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "dovecot.fullname" . }}
labels:
{{- include "dovecot.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "dovecot.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "dovecot.selectorLabels" . | nindent 8 }}
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "dovecot.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: dovecot
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.dovecot.image.repository }}:{{ .Values.dovecot.image.tag }}"
imagePullPolicy: {{ .Values.dovecot.image.pullPolicy }}
ports:
- name: lmtp
containerPort: 24
protocol: TCP
- name: pop3
containerPort: 1110
protocol: TCP
- name: imap
containerPort: 1109
protocol: TCP
- name: sieve
containerPort: 4190
protocol: TCP
- name: imaps
containerPort: 10993
protocol: TCP
- name: pop3s
containerPort: 10995
protocol: TCP
- name: auth
containerPort: 12345
protocol: TCP
volumeMounts:
- name: data
mountPath: /home/vmail
- mountPath: /tls
name: tls
{{- range $key, $val := .Values.dovecot.configmaps.dovecot }}
- name: dovecot-{{ $key }}
mountPath: "/etc/dovecot/{{ $key }}.conf"
subPath: {{ $key }}
{{- end }}
{{- range $key, $val := .Values.dovecot.configmaps.confd }}
- name: dovecot-confd-{{ $key }}
mountPath: "/etc/dovecot/conf.d/{{ $key }}.conf"
subPath: {{ $key }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumes:
- name: data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- end }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.tls.enabled }}
- name: tls
secret:
defaultMode: 420
secretName: {{ if .Values.tls.existingSecret }}{{ .Values.tls.existingSecret }}{{- end }}
{{- end }}
{{- range $key, $val := .Values.dovecot.configmaps.dovecot }}
- name: dovecot-{{ $key }}
configMap:
name: dovecot-{{ $key }}
{{- end }}
{{- range $key, $val := .Values.dovecot.configmaps.confd }}
- name: dovecot-confd-{{ $key }}
configMap:
name: dovecot-confd-{{ $key }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

24
dovecot/templates/persistent-volume-claim.yaml Normal file
View File

@ -0,0 +1,24 @@
{{- if .Values.persistence.enabled }}
{{- if not .Values.persistence.existingClaim -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ default "mailboxes" .Values.persistence.volumeName }}
labels:
app: {{ template "dovecot.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
{{- if .Values.persistence.storageClass }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- else }}
storageClassName: ""
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- end -}}
{{- end }}

42
dovecot/templates/service.yaml Normal file
View File

@ -0,0 +1,42 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "dovecot.fullname" . }}
labels:
{{- include "dovecot.labels" . | nindent 4 }}
spec:
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP | quote }}
{{- end }}
type: {{ .Values.service.type }}
ports:
- port: 24
targetPort: 24
protocol: TCP
name: lmtp
- port: 1110
targetPort: 1110
protocol: TCP
name: pop3
- port: 1109
targetPort: 1109
protocol: TCP
name: imap
- port: 4190
targetPort: 4190
protocol: TCP
name: sieve
- port: 10993
targetPort: 10993
protocol: TCP
name: imaps
- port: 10995
targetPort: 10995
protocol: TCP
name: pop3s
- port: 12345
targetPort: 12345
protocol: TCP
name: auth
selector:
{{- include "dovecot.selectorLabels" . | nindent 4 }}

12
dovecot/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "dovecot.serviceAccountName" . }}
labels:
{{- include "dovecot.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

212
dovecot/values.yaml Normal file
View File

@ -0,0 +1,212 @@
# Default values for dovecot.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
persistence:
enabled: true
existingClaim: mailboxes
tls:
enabled: true
existingSecret: mail.example.com-secret
dovecot:
image:
repository: registry.geekhome.org/dovecot
tag: 2.3.8
pullPolicy: Always
configmaps:
dovecot:
dovecot: |
mail_max_userip_connections = 100
haproxy_trusted_networks = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
haproxy_timeout = 30s
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf
ldap: |
uris = ldaps://openldap.example.com
dn = uid=ldapbind,ou=services,dc=example,dc=com
dnpass = HARD_PASSWORD
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
tls = no
ldap_version = 3
base = ou=users,dc=example,dc=com
deref = never
scope = subtree
user_filter = (&(objectClass=posixAccount)(mail=%u))
user_attrs = cn=home=/home/vmail/%$
pass_filter = (&(objectClass=posixAccount)(mail=%u))
pass_attrs = uid=user,userPassword=password
confd:
auth-ldap: |
passdb {
driver = ldap
# Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
args = /etc/dovecot/ldap.conf
}
userdb {
driver = ldap
args = /etc/dovecot/ldap.conf
}
10-auth: |
auth_default_realm = example.com
auth_username_format = %Lu
auth_mechanisms = plain login
10-mail: |
mail_location = maildir:%h
namespace inbox {
inbox = yes
}
mail_uid = vmail
mail_gid = vmail
first_valid_uid = 1000
last_valid_uid = 1000
first_valid_gid = 1000
last_valid_gid = 1000
protocol !indexer-worker {
}
mbox_write_locks = fcntl
10-master: |
service imap-login {
inet_listener imap {
#port = 143
}
inet_listener imaps {
#port = 993
#ssl = yes
}
inet_listener imap_haproxy {
port = 1109
haproxy = yes
}
inet_listener imaps_haproxy {
port = 10993
ssl = yes
haproxy = yes
}
}
service pop3-login {
inet_listener pop3 {
#port = 110
}
inet_listener pop3s {
#port = 995
#ssl = yes
}
}
service lmtp {
inet_listener lmtp {
port = 24
}
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
group = postfix
user = postfix
}
user = vmail
}
service imap {
}
service pop3 {
}
service auth {
inet_listener {
port = 12345
}
unix_listener auth-userdb {
mode = 0660
user = vmail
#group =
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
service auth-worker {
}
service dict {
unix_listener dict {
}
}
10-ssl: |
ssl = required
ssl_cert = </tls/tls.crt
ssl_key = </tls/tls.key
10-logging: |
log_path = /dev/stderr
info_log_path = /dev/stdout
debug_log_path = /dev/stdout
service:
type: LoadBalancer
loadBalancerIP: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name:
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}

23
gitea/Chart.yaml Normal file
View File

@ -0,0 +1,23 @@
apiVersion: v2
appVersion: 1.13.1
dependencies:
- condition: mariadb.enabled
name: mariadb
repository: https://charts.bitnami.com
tags:
- mariadb
version: 9.1.4
description: Git with a cup of tea
icon: https://docs.gitea.io/images/gitea.png
keywords:
- git
- issue tracker
- code review
- wiki
- gitea
- gogs
name: gitea
sources:
- https://github.com/go-gitea/gitea
- https://hub.docker.com/r/gitea/gitea/
version: 1.4.1

21
gitea/LICENSE Normal file
View File

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2018 John Felten
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

188
gitea/README.md Normal file
View File

@ -0,0 +1,188 @@
# Gitea
[Gitea](https://gitea.com/) is a lightweight GitHub clone. This is for those who wish to self host their own git repos on kubernetes.
This chart is based upon the work done by [@jfelten](https://github.com/jfelten/gitea-helm-chart)
## TLDR
```sh
helm repo add k8s-land https://charts.k8s.land
helm install gitea k8s-land/gitea
```
## Introduction
This chart bootstraps both [Gitea](http://gitea.com) and MariaDB.
In this chart, the following are ran:
- Gitea
- Memcached
- Mariadb
## Prerequisites
- Kubernetes 1.12+
- Helm 3.0+
- PV provisioner for persistent data support
## Installing the Chart
By default, we use ingress to expose the service.
To install WITHOUT persistent storage / development:
```bash
helm repo add k8s-land https://charts.k8s.land
helm install gitea k8s-land/gitea
```
For production / installing with persistent data:
```sh
helm show values k8s-land/gitea > values.yaml
vim values.yaml # Edit to enable persistent storage
helm install gitea k8s-land/gitea -f values.yaml
```
### Database Configuration
By default, we will launch a Mariadb database:
```yaml
mariadb:
enabled: true
```
To use an external database, disable the in-pod database and fill in the "externalDB" values:
```yaml
mariadb:
enabled: false
#Connect to an external database
externalDB:
dbUser: "postgres"
dbPassword: "<MY_PASSWORD>"
dbHost: "db-service-name.namespace.svc.cluster.local" # or some external host
dbPort: "5432"
dbDatabase: "gitea"
```
## Persistent Data
By default, persistent data is not enabled and thus you'll have to enable it from within the `values.yaml`.
Unless otherwise set to true, data will be deleted when the Pod is restarted.
To prevent data loss, we will enable persistent data.
First, enable persistency:
```yaml
persistence:
enabled: true
```
If you wish for helm **NOT** to replace data when re-deploying (updating the chart), add the `resource-policy` annotation:
```yaml
persistence:
annotations:
"helm.sh/resource-policy": keep
```
To use a previously created PVC / volume, use the following:
```yaml
existingGiteaClaim: gitea-gitea
```
## Ingress And External Host/Ports
Gitea requires ports to be exposed for accessibility. The recommended way is using **ingress**, however, you can supply `LoadBalancer` to your values alternatively.
By default, we expose via an ingress:
To expose via an ingress:
```yaml
ingress:
enabled: true
```
To expose the web application this chart will generate an ingress using the ingress controller of choice if specified. If an ingress is enabled services.http.externalHost must be specified. To expose SSH services it relies on either a LoadBalancer or NodePort.
## Upgrading
When upgrading, make sure you have the following enabled:
- Persistency for both mariadb + Gitea
- Using `existingGiteaClaim`
- Due to using the [bitnami/mariadb](https://github.com/helm/charts/tree/master/stable/mariadb) chart, make sure to HARDCODE your passwords within `values.yaml`. Or else you'll be unable to update mariadb
## Configuration
Refer to [values.yaml](values.yaml) for the full run-down on defaults.
The following table lists the configurable parameters of this chart and their default values.
| Parameter | Description | Default |
|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------|---------------------------|
| `images.gitea` | `gitea` image | `gitea/gitea:1.9.3` |
| `images.memcached` | `memcached` image | `memcached:1.5.19-alpine` |
| `images.pullPolicy` | Image pull policy | `IfNotPresent` |
| `images.pullSecrets` | Specify an array of pull secrets | `[]` |
| `memcached.maxItemMemory` | Max item memory | `64` |
| `memcached.verbosity` | Verbosity | `v` |
| `memcached.extendedOptions` | Extended options for memcached | `modern` |
| `ingress.enabled` | Switch to create ingress for this chart deployment | `true` |
| `ingress.hostname ` | Hostname to be used for the ingress | `gitea.local` |
| `ingress.certManager` | Asks if we want to use cert-manager or not (let's encrypt, etc.) | `true` |
| `ingress.annotations` | Annotations used by the ingress | `[]` |
| `ingress.hosts ` | Additional hosts to be used by the ingress | `[]` |
| `ingress.tls ` | TLS secret keys to be used with Gitea | `[]` |
| `service.http.serviceType` | type of kubernetes services used for http i.e. ClusterIP, NodePort or LoadBalancer | `ClusterIP` |
| `service.http.port` | http port for web traffic | `3000` |
| `service.http.NodePort` | Manual NodePort for web traffic | `nil` |
| `service.http.externalPort` | Port exposed on the internet by a load balancer or firewall that redirects to the ingress or NodePort | `8280` |
| `service.http.externalHost` | IP or DNS name exposed on the internet by a load balancer or firewall that redirects to the ingress or Node for http traffic | `gitea.local` |
| `service.ssh.serviceType` | type of kubernetes services used for ssh i.e. ClusterIP, NodePort or LoadBalancer | `ClusterIP` |
| `service.ssh.port` | http port for web traffic | `22` |
| `service.ssh.NodePort` | Manual NodePort for ssh traffic | `nil` |
| `service.ssh.externalPort` | Port exposed on the internet by a load balancer or firewall that redirects to the ingress or NodePort | `nil` |
| `service.ssh.externalHost` | IP or DNS name exposed on the internet by a load balancer or firewall that redirects to the ingress or Node for http traffic | `gitea.local` |
| `resources.gitea.requests.memory` | gitea container memory request | `500Mi` |
| `resources.gitea.requests.cpu` | gitea container request cpu | `1000m` |
| `resources.gitea.limits.memory` | gitea container memory limits | `2Gi` |
| `resources.gitea.limits.cpu` | gitea container CPU/Memory resource requests/limits | `1` |
| `resources.memcached.requests.memory` | memcached container memory request | `64Mi` |
| `resources.memcached.requests.cpu` | memcached container request cpu | `50m` |
| `persistence.enabled` | Create PVCs to store gitea data | `false` |
| `persistence.existingGiteaClaim` | Already existing PVC that should be used for gitea data. | `nil` |
| `persistence.giteaSize` | Size of gitea pvc to create | `10Gi` |
| `persistence.annotations` | Annotations to set on created PVCs | `nil` |
| `persistence.storageClass` | NStorageClass to use for dynamic provision if not 'default' | `nil` |
| `mariadb.enabled` | Enable or diable mariadb | `true` |
| `mariadb.replication.enabled` | Enable or diable replication | `false` |
| `mariadb.db.name` | Default name | `gitea` |
| `mariadb.db.user` | Default user | `gitea` |
| `mariadb.persistence.enabled` | Enable or diable persistence | `true` |
| `mariadb.persistence.accessMode` | What access mode to use | `ReadWriteOnce` |
| `mariadb.persistence.size` | What size of database to use | `8Gi` |
| `externalDB.dbUser` | external db user | ` unset` |
| `externalDB.dbPassword` | external db password | ` unset` |
| `externalDB.dbHost` | external db host | ` unset` |
| `externalDB.dbPort` | external db port | ` unset` |
| `externalDB.dbDatabase` | external db database name | ` unset` |
| `config.disableInstaller` | Disable the installer | `false` |
| `config.offlineMode` | Sets Gitea's Offline Mode. Values are `true` or `false`. | `false` |
| `config.requireSignin` | Require Gitea user to be signed in to see any pages. Values are `true` or `false`. | `false` |
| `config.disableRegistration` | Disable Gitea's user registration. Values are `true` or `false`. | `false` |
| `config.openidSignin` | Allow login with OpenID. Values are `true` or `false`. | `true` |
| `nodeSelector` | Node to be selected | `{}` |
| `affinity` | Affinity settings for pod assignment | `{}` |
| `tolerations` | Toleration labels for pod assignment | `[]` |
| `deploymentAnnotations` | Deployment annotations to be used | `{}` |
| `podAnnotations` | Pod deployment annotations to be used | `{}` |

21
gitea/charts/mariadb/.helmignore Normal file
View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

6
gitea/charts/mariadb/Chart.lock Normal file
View File

@ -0,0 +1,6 @@
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
version: 1.1.2
digest: sha256:e96477f37f86a4595dce9057f8d04f903f761f340440986129e53cc55f3d63ee
generated: "2020-12-11T12:21:32.262474+01:00"

30
gitea/charts/mariadb/Chart.yaml Normal file
View File

@ -0,0 +1,30 @@
annotations:
category: Database
apiVersion: v2
appVersion: 10.5.8
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
tags:
- bitnami-common
version: 1.x.x
description: Fast, reliable, scalable, and easy to use open-source relational database
system. MariaDB Server is intended for mission-critical, heavy-load production systems
as well as for embedding into mass-deployed software. Highly available MariaDB cluster.
home: https://github.com/bitnami/charts/tree/master/bitnami/mariadb
icon: https://bitnami.com/assets/stacks/mariadb/img/mariadb-stack-220x234.png
keywords:
- mariadb
- mysql
- database
- sql
- prometheus
maintainers:
- email: containers@bitnami.com
name: Bitnami
name: mariadb
sources:
- https://github.com/bitnami/bitnami-docker-mariadb
- https://github.com/prometheus/mysqld_exporter
- https://mariadb.org
version: 9.1.4

465
gitea/charts/mariadb/README.md Normal file
View File

@ -0,0 +1,465 @@
# MariaDB
[MariaDB](https://mariadb.org) is one of the most popular database servers in the world. Its made by the original developers of MySQL and guaranteed to stay open source. Notable users include Wikipedia, Facebook and Google.
MariaDB is developed as open source software and as a relational database it provides an SQL interface for accessing data. The latest versions of MariaDB also include GIS and JSON features.
## TL;DR
```bash
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/mariadb
```
## Introduction
This chart bootstraps a [MariaDB](https://github.com/bitnami/bitnami-docker-mariadb) replication cluster deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/).
## Prerequisites
- Kubernetes 1.12+
- Helm 3.0-beta3+
- PV provisioner support in the underlying infrastructure
## Installing the Chart
To install the chart with the release name `my-release`:
```bash
$ helm install my-release bitnami/mariadb
```
The command deploys MariaDB on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```bash
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Parameters
The following table lists the configurable parameters of the MariaDB chart and their default values.
| Parameter | Description | Default |
|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
| `global.imageRegistry` | Global Docker Image registry | `nil` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `global.storageClass` | Global storage class for dynamic provisioning | `nil` |
### Common parameters
| Parameter | Description | Default |
|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
| `nameOverride` | String to partially override mariadb.fullname | `nil` |
| `fullnameOverride` | String to fully override mariadb.fullname | `nil` |
| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` |
| `commonLabels` | Labels to add to all deployed objects | `nil` |
| `commonAnnotations` | Annotations to add to all deployed objects | `[]` |
| `schedulerName` | Name of the scheduler (other than default) to dispatch pods | `nil` |
| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `nil` |
### MariaDB common parameters
| Parameter | Description | Default |
|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
| `image.registry` | MariaDB image registry | `docker.io` |
| `image.repository` | MariaDB image name | `bitnami/mariadb` |
| `image.tag` | MariaDB image tag | `{TAG_NAME}` |
| `image.pullPolicy` | MariaDB image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `image.debug` | Specify if debug logs should be enabled | `false` |
| `architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` |
| `auth.rootPassword` | Password for the `root` user. Ignored if existing secret is provided. | _random 10 character alphanumeric string_ |
| `auth.database` | Name for a custom database to create | `my_database` |
| `auth.username` | Name for a custom user to create | `""` |
| `auth.password` | Password for the new user. Ignored if existing secret is provided | _random 10 character long alphanumeric string_ |
| `auth.replicationUser` | MariaDB replication user | `nil` |
| `auth.replicationPassword` | MariaDB replication user password. Ignored if existing secret is provided | _random 10 character long alphanumeric string_ |
| `auth.forcePassword` | Force users to specify required passwords | `false` |
| `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `false` |
| `auth.customPasswordFiles` | Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` | `{}` |
| `auth.existingSecret` | Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` | `nil` |
| `initdbScripts` | Dictionary of initdb scripts | `nil` |
| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `nil` |
### MariaDB Primary parameters
| Parameter | Description | Default |
|----------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
| `primary.command` | Override default container command on MariaDB Primary container(s) (useful when using custom images) | `nil` |
| `primary.args` | Override default container args on MariaDB Primary container(s) (useful when using custom images) | `nil` |
| `primary.configuration` | MariaDB Primary configuration to be injected as ConfigMap | Check `values.yaml` file |
| `primary.existingConfigmap` | Name of existing ConfigMap with MariaDB Primary configuration | `nil` |
| `primary.updateStrategy` | Update strategy type for the MariaDB primary statefulset | `RollingUpdate` |
| `primary.podAnnotations` | Additional pod annotations for MariaDB primary pods | `{}` (evaluated as a template) |
| `primary.podLabels` | Additional pod labels for MariaDB primary pods | `{}` (evaluated as a template) |
| `primary.podAffinityPreset` | MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `primary.podAntiAffinityPreset` | MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `primary.nodeAffinityPreset.type` | MariaDB primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `primary.nodeAffinityPreset.key` | MariaDB primary node label key to match Ignored if `primary.affinity` is set. | `""` |
| `primary.nodeAffinityPreset.values` | MariaDB primary node label values to match. Ignored if `primary.affinity` is set. | `[]` |
| `primary.affinity` | Affinity for MariaDB primary pods assignment | `{}` (evaluated as a template) |
| `primary.nodeSelector` | Node labels for MariaDB primary pods assignment | `{}` (evaluated as a template) |
| `primary.tolerations` | Tolerations for MariaDB primary pods assignment | `[]` (evaluated as a template) |
| `primary.podSecurityContext.enabled` | Enable security context for MariaDB primary pods | `true` |
| `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` |
| `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` |
| `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` |
| `primary.livenessProbe` | Liveness probe configuration for MariaDB primary containers | Check `values.yaml` file |
| `primary.readinessProbe` | Readiness probe configuration for MariaDB primary containers | Check `values.yaml` file |
| `primary.customLivenessProbe` | Override default liveness probe for MariaDB primary containers | `nil` |
| `primary.customReadinessProbe` | Override default readiness probe for MariaDB primary containers | `nil` |
| `primary.resources.limits` | The resources limits for MariaDB primary containers | `{}` |
| `primary.resources.requests` | The requested resources for MariaDB primary containers | `{}` |
| `primary.extraEnvVars` | Extra environment variables to be set on MariaDB primary containers | `{}` |
| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB primary containers | `nil` |
| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB primary containers | `nil` |
| `primary.extraFlags` | MariaDB primary additional command line flags | `nil` |
| `primary.persistence.enabled` | Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim` | `true` |
| `primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `nil` |
| `primary.persistence.annotations` | MariaDB primary persistent volume claim annotations | `{}` (evaluated as a template) |
| `primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `nil` |
| `primary.persistence.accessModes` | MariaDB primary persistent volume access Modes | `[ReadWriteOnce]` |
| `primary.persistence.size` | MariaDB primary persistent volume size | `8Gi` |
| `primary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` (evaluated as a template) |
| `primary.initContainers` | Add additional init containers for the MariaDB Primary pod(s) | `{}` (evaluated as a template) |
| `primary.sidecars` | Add additional sidecar containers for the MariaDB Primary pod(s) | `{}` (evaluated as a template) |
| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s) | `{}` |
| `primary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB Primary pod(s) | `{}` |
| `primary.service.type` | MariaDB Primary K8s service type | `ClusterIP` |
| `primary.service.clusterIP` | MariaDB Primary K8s service clusterIP IP | `nil` |
| `primary.service.port` | MariaDB Primary K8s service port | `3306` |
| `primary.service.nodePort` | MariaDB Primary K8s service node port | `nil` |
| `primary.service.loadBalancerIP` | MariaDB Primary loadBalancerIP if service type is `LoadBalancer` | `nil` |
| `primary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB Primary service is LoadBalancer | `[]` |
| `primary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB primary pods | `false` |
| `primary.pdb.minAvailable` | Minimum number/percentage of MariaDB primary pods that should remain scheduled | `1` |
| `primary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB primary pods that may be made unavailable | `nil` |
### MariaDB Secondary parameters
| Parameter | Description | Default |
|------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
| `secondary.command` | Override default container command on MariaDB Secondary container(s) (useful when using custom images) | `nil` |
| `secondary.args` | Override default container args on MariaDB Secondary container(s) (useful when using custom images) | `nil` |
| `secondary.configuration` | MariaDB Secondary configuration to be injected as ConfigMap | Check `values.yaml` file |
| `secondary.existingConfigmap` | Name of existing ConfigMap with MariaDB Secondary configuration | `nil` |
| `secondary.replicaCount` | Number of MariaDB secondary replicas | `1` |
| `secondary.updateStrategy` | Update strategy type for the MariaDB secondary statefulset | `RollingUpdate` |
| `secondary.podAnnotations` | Additional pod annotations for MariaDB secondary pods | `{}` (evaluated as a template) |
| `secondary.podLabels` | Additional pod labels for MariaDB secondary pods | `{}` (evaluated as a template) |
| `secondary.podAffinityPreset` | MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `secondary.podAntiAffinityPreset` | MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `secondary.nodeAffinityPreset.type` | MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `secondary.nodeAffinityPreset.key` | MariaDB secondary node label key to match Ignored if `secondary.affinity` is set. | `""` |
| `secondary.nodeAffinityPreset.values` | MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set. | `[]` |
| `secondary.affinity` | Affinity for MariaDB secondary pods assignment | `{}` (evaluated as a template) |
| `secondary.nodeSelector` | Node labels for MariaDB secondary pods assignment | `{}` (evaluated as a template) |
| `secondary.tolerations` | Tolerations for MariaDB secondary pods assignment | `[]` (evaluated as a template) |
| `secondary.podSecurityContext.enabled` | Enable security context for MariaDB secondary pods | `true` |
| `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` |
| `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` |
| `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` |
| `secondary.livenessProbe` | Liveness probe configuration for MariaDB secondary containers | Check `values.yaml` file |
| `secondary.readinessProbe` | Readiness probe configuration for MariaDB secondary containers | Check `values.yaml` file |
| `secondary.customLivenessProbe` | Override default liveness probe for MariaDB secondary containers | `nil` |
| `secondary.customReadinessProbe` | Override default readiness probe for MariaDB secondary containers | `nil` |
| `secondary.resources.limits` | The resources limits for MariaDB secondary containers | `{}` |
| `secondary.resources.requests` | The requested resources for MariaDB secondary containers | `{}` |
| `secondary.extraEnvVars` | Extra environment variables to be set on MariaDB secondary containers | `{}` |
| `secondary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MariaDB secondary containers | `nil` |
| `secondary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MariaDB secondary containers | `nil` |
| `secondary.extraFlags` | MariaDB secondary additional command line flags | `nil` |
| `secondary.extraFlags` | MariaDB secondary additional command line flags | `nil` |
| `secondary.persistence.enabled` | Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` | `true` |
| `secondary.persistence.annotations` | MariaDB secondary persistent volume claim annotations | `{}` (evaluated as a template) |
| `secondary.persistence.storageClass` | MariaDB secondary persistent volume storage Class | `nil` |
| `secondary.persistence.accessModes` | MariaDB secondary persistent volume access Modes | `[ReadWriteOnce]` |
| `secondary.persistence.size` | MariaDB secondary persistent volume size | `8Gi` |
| `secondary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` (evaluated as a template) |
| `secondary.initContainers` | Add additional init containers for the MariaDB secondary pod(s) | `{}` (evaluated as a template) |
| `secondary.sidecars` | Add additional sidecar containers for the MariaDB secondary pod(s) | `{}` (evaluated as a template) |
| `secondary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s) | `{}` |
| `secondary.extraVolumes` | Optionally specify extra list of additional volumes to the MariaDB secondary pod(s) | `{}` |
| `secondary.service.type` | MariaDB secondary K8s service type | `ClusterIP` |
| `secondary.service.clusterIP` | MariaDB secondary K8s service clusterIP IP | `nil` |
| `secondary.service.port` | MariaDB secondary K8s service port | `3306` |
| `secondary.service.nodePort` | MariaDB secondary K8s service node port | `nil` |
| `secondary.service.loadBalancerIP` | MariaDB secondary loadBalancerIP if service type is `LoadBalancer` | `nil` |
| `secondary.service.loadBalancerSourceRanges` | Address that are allowed when MariaDB secondary service is LoadBalancer | `[]` |
| `secondary.pdb.create` | Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods | `false` |
| `secondary.pdb.minAvailable` | Minimum number/percentage of MariaDB secondary pods that should remain scheduled | `1` |
| `secondary.pdb.maxUnavailable` | Maximum number/percentage of MariaDB secondary pods that may be made unavailable | `nil` |
### RBAC parameters
| Parameter | Description | Default |
|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
| `serviceAccount.create` | Enable the creation of a ServiceAccount for MariaDB pods | `true` |
| `serviceAccount.name` | Name of the created ServiceAccount | Generated using the `mariadb.fullname` template |
| `serviceAccount.annotations` | Annotations for MariaDB Service Account | `{}` (evaluated as a template) |
| `rbac.create` | Weather to create & use RBAC resources or not | `false` |
### Volume Permissions parameters
| Parameter | Description | Default |
|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` |
| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` |
### Metrics parameters
| Parameter | Description | Default |
|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
| `metrics.enabled` | Start a side-car prometheus exporter | `false` |
| `metrics.image.registry` | Exporter image registry | `docker.io` |
| `metrics.image.repository` | Exporter image name | `bitnami/mysqld-exporter` |
| `metrics.image.tag` | Exporter image tag | `{TAG_NAME}` |
| `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` |
| `metrics.extraArgs.primary` | Extra args to be passed to mysqld_exporter on Primary pods | `[]` |
| `metrics.extraArgs.secondary` | Extra args to be passed to mysqld_exporter on Secondary pods | `[]` |
| `metrics.resources.limits` | The resources limits for MariaDB prometheus exporter containers | `{}` |
| `metrics.resources.requests` | The requested resources for MariaDB prometheus exporter containers | `{}` |
| `metrics.livenessProbe` | Liveness probe configuration for MariaDB prometheus exporter containers | Check `values.yaml` file |
| `metrics.readinessProbe` | Readiness probe configuration for MariaDB prometheus exporter containers | Check `values.yaml` file |
| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` |
| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `nil` |
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` |
| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `nil` |
| `metrics.serviceMonitor.relabellings` | Specify Metric Relabellings to add to the scrape endpoint | `nil` |
| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels. | `false` |
| `metrics.serviceMonitor.additionalLabels` | Used to pass Labels that are required by the Installed Prometheus Operator | `{}` |
| `metrics.serviceMonitor.release` | Used to pass Labels release that sometimes should be custom for Prometheus Operator | `nil` |
The above parameters map to the env variables defined in [bitnami/mariadb](http://github.com/bitnami/bitnami-docker-mariadb). For more information please refer to the [bitnami/mariadb](http://github.com/bitnami/bitnami-docker-mariadb) image documentation.
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```bash
$ helm install my-release \
--set auth.rootPassword=secretpassword,auth.database=app_database \
bitnami/mariadb
```
The above command sets the MariaDB `root` account password to `secretpassword`. Additionally it creates a database named `my_database`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
$ helm install my-release -f values.yaml bitnami/mariadb
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Production configuration
This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one.
- Force users to specify a password and mount secrets as volumes instead of using environment variables:
```diff
- auth.forcePassword: false
+ auth.forcePassword: true
- auth.usePasswordFiles: false
+ auth.usePasswordFiles: true
```
- Use "replication" architecture:
```diff
- architecture: standalone
+ architecture: replication
```
- Desired number of secondary replicas:
```diff
- secondary.replicaCount: 1
+ secondary.replicaCount: 2
```
- Start a side-car prometheus exporter:
```diff
- metrics.enabled: false
+ metrics.enabled: true
```
### Change MariaDB version
To modify the MariaDB version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/mariadb/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters.
### Initialize a fresh instance
The [Bitnami MariaDB](https://github.com/bitnami/bitnami-docker-mariadb) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `initdbScripts` parameter as dict.
In addition to this option, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the previous option.
The allowed extensions are `.sh`, `.sql` and `.sql.gz`.
Take into account those scripts are treated differently depending on the extension. While the `.sh` scripts are executed in all the nodes; the `.sql` and `.sql.gz` scripts are only executed in the primary nodes. The reason behind this differentiation is that the `.sh` scripts allow adding conditions to determine what is the node running the script, while these conditions can't be set using `.sql` nor `sql.gz` files. This way it is possible to cover different use cases depending on their needs.
If using a `.sh` script you want to do a "one-time" action like creating a database, you need to add a condition in your `.sh` script to be executed only in one of the nodes, such as
```yaml
initdbScripts:
my_init_script.sh: |
#!/bin/sh
if [[ $(hostname) == *primary* ]]; then
echo "Primary node"
mysql -P 3306 -uroot -prandompassword -e "create database new_database";
else
echo "No primary node"
fi
```
### Sidecars and Init Containers
If you have a need for additional containers to run within the same pod as MariaDB, you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
```yaml
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
Similarly, you can add extra init containers using the `initContainers` parameter.
```yaml
initContainers:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
## Persistence
The [Bitnami MariaDB](https://github.com/bitnami/bitnami-docker-mariadb) image stores the MariaDB data and configurations at the `/bitnami/mariadb` path of the container.
The chart mounts a [Persistent Volume](https://kubernetes.io/docs/user-guide/persistent-volumes/) volume at this location. The volume is created using dynamic volume provisioning, by default. An existing PersistentVolumeClaim can be defined.
### Adjust permissions of persistent volume mountpoint
As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it.
By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions.
As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination.
You can enable this initContainer by setting `volumePermissions.enabled` to `true`.
## Troubleshooting
Find more information about how to deal with common errors related to Bitnamis Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
## Upgrading
It's necessary to set the `auth.rootPassword` parameter when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Administrator credentials' section. Please note down the password and run the command below to upgrade your chart:
```bash
$ helm upgrade my-release bitnami/mariadb --set auth.rootPassword=[ROOT_PASSWORD]
```
| Note: you need to substitute the placeholder _[ROOT_PASSWORD]_ with the value obtained in the installation notes.
### To 9.0.0
[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
**What changes were introduced in this major version?**
- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
- Move dependency information from the *requirements.yaml* to the *Chart.yaml*
- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock*
- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
**Considerations when upgrading to this version**
- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
**Useful links**
- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/
- https://helm.sh/docs/topics/v2_v3_migration/
- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/
### To 8.0.0
- Several parameters were renamed or disappeared in favor of new ones on this major version:
- The terms *master* and *slave* have been replaced by the terms *primary* and *secondary*. Therefore, parameters prefixed with `master` or `slave` are now prefixed with `primary` or `secondary`, respectively.
- `securityContext.*` is deprecated in favor of `primary.podSecurityContext`, `primary.containerSecurityContext`, `secondary.podSecurityContext`, and `secondary.containerSecurityContext`.
- Credentials parameter are reorganized under the `auth` parameter.
- `replication.enabled` parameter is deprecated in favor of `architecture` parameter that accepts two values: `standalone` and `replication`.
- The default MariaDB version was updated from 10.3 to 10.5. According to the official documentation, upgrading from 10.3 should be painless. However, there are some things that have changed which could affect an upgrade:
- [Incompatible changes upgrading from MariaDB 10.3 to MariaDB 10.4](https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104).
- [Incompatible changes upgrading from MariaDB 10.4 to MariaDB 10.5](https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/#incompatible-changes-between-104-and-105).
- Chart labels were adapted to follow the [Helm charts standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels).
- This version also introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/master/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade.
Consequences:
Backwards compatibility is not guaranteed. To upgrade to `8.0.0`, install a new release of the MariaDB chart, and migrate the data from your previous release. You have 2 alternatives to do so:
- Create a backup of the database, and restore it on the new release using tools such as [mysqldump](https://mariadb.com/kb/en/mysqldump/).
- Reuse the PVC used to hold the master data on your previous release. To do so, use the `primary.persistence.existingClaim` parameter. The following example assumes that the release name is `mariadb`:
```bash
$ helm install mariadb bitnami/mariadb --set auth.rootPassword=[ROOT_PASSWORD] --set primary.persistence.existingClaim=[EXISTING_PVC]
```
| Note: you need to substitute the placeholder _[EXISTING_PVC]_ with the name of the PVC used on your previous release, and _[ROOT_PASSWORD]_ with the root password used in your previous release.
### To 7.0.0
Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec.
In https://github.com/helm/charts/pull/17308 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage.
This major version bump signifies this change.
### To 6.0.0
MariaDB version was updated from 10.1 to 10.3, there are no changes in the chart itself. According to the official documentation, upgrading from 10.1 should be painless. However, there are some things that have changed which could affect an upgrade:
- [Incompatible changes upgrading from MariaDB 10.1 to MariaDB 10.2](https://mariadb.com/kb/en/library/upgrading-from-mariadb-101-to-mariadb-102//#incompatible-changes-between-101-and-102)
- [Incompatible changes upgrading from MariaDB 10.2 to MariaDB 10.3](https://mariadb.com/kb/en/library/upgrading-from-mariadb-102-to-mariadb-103/#incompatible-changes-between-102-and-103)
### To 5.0.0
Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
Use the workaround below to upgrade from versions previous to 5.0.0. The following example assumes that the release name is mariadb:
```console
$ kubectl delete statefulset opencart-mariadb --cascade=false
```

22
gitea/charts/mariadb/charts/common/.helmignore Normal file
View File

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

23
gitea/charts/mariadb/charts/common/Chart.yaml Normal file
View File

@ -0,0 +1,23 @@
annotations:
category: Infrastructure
apiVersion: v2
appVersion: 1.1.1
description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself.
home: https://github.com/bitnami/charts/tree/master/bitnami/common
icon: https://bitnami.com/downloads/logos/bitnami-mark.png
keywords:
- common
- helper
- template
- function
- bitnami
maintainers:
- email: containers@bitnami.com
name: Bitnami
name: common
sources:
- https://github.com/bitnami/charts
- http://www.bitnami.com/
type: library
version: 1.1.2

309
gitea/charts/mariadb/charts/common/README.md Normal file
View File

@ -0,0 +1,309 @@
# Bitnami Common Library Chart
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts.
## TL;DR
```yaml
dependencies:
- name: common
version: 0.x.x
repository: https://charts.bitnami.com/bitnami
```
```bash
$ helm dependency update
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "common.names.fullname" . }}
data:
myvalue: "Hello World"
```
## Introduction
This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
## Prerequisites
- Kubernetes 1.12+
- Helm 3.0-beta3+
## Parameters
The following table lists the helpers available in the library which are scoped in different sections.
### Affinities
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
### Capabilities
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context |
| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context |
| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context |
### Errors
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` |
### Images
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. |
| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` |
### Labels
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context |
| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context |
### Names
| Helper identifier | Description | Expected Inpput |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context |
| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context |
| `common.names.chart` | Chart name plus version | `.` Chart context |
### Secrets
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. |
### Storage
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. |
### TplValues
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frecuently is the chart context `$` or `.` |
### Utils
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` |
| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` |
| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` |
### Validations
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "context" $` secret and field are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) |
| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) |
| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. |
| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. |
| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. |
| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. |
| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. |
### Warnings
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
## Special input schemas
### ImageRoot
```yaml
registry:
type: string
description: Docker registry where the image is located
example: docker.io
repository:
type: string
description: Repository and image name
example: bitnami/nginx
tag:
type: string
description: image tag
example: 1.16.1-debian-10-r63
pullPolicy:
type: string
description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
pullSecrets:
type: array
items:
type: string
description: Optionally specify an array of imagePullSecrets.
debug:
type: boolean
description: Set to true if you would like to see extra information on logs
example: false
## An instance would be:
# registry: docker.io
# repository: bitnami/nginx
# tag: 1.16.1-debian-10-r63
# pullPolicy: IfNotPresent
# debug: false
```
### Persistence
```yaml
enabled:
type: boolean
description: Whether enable persistence.
example: true
storageClass:
type: string
description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
example: "-"
accessMode:
type: string
description: Access mode for the Persistent Volume Storage.
example: ReadWriteOnce
size:
type: string
description: Size the Persistent Volume Storage.
example: 8Gi
path:
type: string
description: Path to be persisted.
example: /bitnami
## An instance would be:
# enabled: true
# storageClass: "-"
# accessMode: ReadWriteOnce
# size: 8Gi
# path: /bitnami
```
### ExistingSecret
```yaml
name:
type: string
description: Name of the existing secret.
example: mySecret
keyMapping:
description: Mapping between the expected key name and the name of the key in the existing secret.
type: object
## An instance would be:
# name: mySecret
# keyMapping:
# password: myPasswordKey
```
#### Example of use
When we store sensitive data for a deployment in a secret, some times we want to give to users the possiblity of using theirs existing secrets.
```yaml
# templates/secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}
labels:
app: {{ include "common.names.fullname" . }}
type: Opaque
data:
password: {{ .Values.password | b64enc | quote }}
# templates/dpl.yaml
---
...
env:
- name: PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
...
# values.yaml
---
name: mySecret
keyMapping:
password: myPasswordKey
```
### ValidateValue
#### NOTES.txt
```console
{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}}
{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}}
{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
```
If we force those values to be empty we will see some alerts
```console
$ helm install test mychart --set path.to.value00="",path.to.value01=""
'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:
export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode)
'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value:
export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode)
```
## Upgrading
### To 1.0.0
[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
**What changes were introduced in this major version?**
- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information.
- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
**Considerations when upgrading to this version**
- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
**Useful links**
- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/
- https://helm.sh/docs/topics/v2_v3_migration/
- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/

94
gitea/charts/mariadb/charts/common/templates/_affinities.tpl Normal file
View File

@ -0,0 +1,94 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return a soft nodeAffinity definition
{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes.soft" -}}
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: {{ .key }}
operator: In
values:
{{- range .values }}
- {{ . }}
{{- end }}
weight: 1
{{- end -}}
{{/*
Return a hard nodeAffinity definition
{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes.hard" -}}
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: {{ .key }}
operator: In
values:
{{- range .values }}
- {{ . }}
{{- end }}
{{- end -}}
{{/*
Return a nodeAffinity definition
{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.nodes" -}}
{{- if eq .type "soft" }}
{{- include "common.affinities.nodes.soft" . -}}
{{- else if eq .type "hard" }}
{{- include "common.affinities.nodes.hard" . -}}
{{- end -}}
{{- end -}}
{{/*
Return a soft podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.soft" (dict "component" "FOO" "context" $) -}}
*/}}
{{- define "common.affinities.pods.soft" -}}
{{- $component := default "" .component -}}
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
namespaces:
- {{ .context.Release.Namespace }}
topologyKey: kubernetes.io/hostname
weight: 1
{{- end -}}
{{/*
Return a hard podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.hard" (dict "component" "FOO" "context" $) -}}
*/}}
{{- define "common.affinities.pods.hard" -}}
{{- $component := default "" .component -}}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
namespaces:
- {{ .context.Release.Namespace }}
topologyKey: kubernetes.io/hostname
{{- end -}}
{{/*
Return a podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
*/}}
{{- define "common.affinities.pods" -}}
{{- if eq .type "soft" }}
{{- include "common.affinities.pods.soft" . -}}
{{- else if eq .type "hard" }}
{{- include "common.affinities.pods.hard" . -}}
{{- end -}}
{{- end -}}

33
gitea/charts/mariadb/charts/common/templates/_capabilities.tpl Normal file
View File

@ -0,0 +1,33 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "common.capabilities.deployment.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "common.capabilities.statefulset.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "apps/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "common.capabilities.ingress.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- end -}}
{{- end -}}

20
gitea/charts/mariadb/charts/common/templates/_errors.tpl Normal file
View File

@ -0,0 +1,20 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Through error when upgrading using empty passwords values that must not be empty.
Usage:
{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
Required password params:
- validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
- context - Context - Required. Parent context.
*/}}
{{- define "common.errors.upgrade.passwords.empty" -}}
{{- $validationErrors := join "" .validationErrors -}}
{{- if and $validationErrors .context.Release.IsUpgrade -}}
{{- $errorString := "\nPASSWORDS ERROR: you must provide your current passwords when upgrade the release%s" -}}
{{- printf $errorString $validationErrors | fail -}}
{{- end -}}
{{- end -}}

43
gitea/charts/mariadb/charts/common/templates/_images.tpl Normal file
View File

@ -0,0 +1,43 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper image name
{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }}
*/}}
{{- define "common.images.image" -}}
{{- $registryName := .imageRoot.registry -}}
{{- $repositoryName := .imageRoot.repository -}}
{{- $tag := .imageRoot.tag | toString -}}
{{- if .global }}
{{- if .global.imageRegistry }}
{{- $registryName = .global.imageRegistry -}}
{{- end -}}
{{- end -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
*/}}
{{- define "common.images.pullSecrets" -}}
{{- $pullSecrets := list }}
{{- if .global }}
{{- range .global.imagePullSecrets -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end -}}
{{- range .images -}}
{{- range .pullSecrets -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end -}}
{{- if (not (empty $pullSecrets)) }}
imagePullSecrets:
{{- range $pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end -}}

18
gitea/charts/mariadb/charts/common/templates/_labels.tpl Normal file
View File

@ -0,0 +1,18 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Kubernetes standard labels
*/}}
{{- define "common.labels.standard" -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
helm.sh/chart: {{ include "common.names.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
*/}}
{{- define "common.labels.matchLabels" -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}

32
gitea/charts/mariadb/charts/common/templates/_names.tpl Normal file
View File

@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "common.names.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "common.names.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "common.names.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

57
gitea/charts/mariadb/charts/common/templates/_secrets.tpl Normal file
View File

@ -0,0 +1,57 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Generate secret name.
Usage:
{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
Params:
- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
- defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.secrets.name" -}}
{{- $name := (include "common.names.fullname" .context) -}}
{{- if .defaultNameSuffix -}}
{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- with .existingSecret -}}
{{- if not (typeIs "string" .) -}}
{{- $name = .name -}}
{{- else -}}
{{- $name = . -}}
{{- end -}}
{{- end -}}
{{- printf "%s" $name -}}
{{- end -}}
{{/*
Generate secret key.
Usage:
{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
Params:
- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
- key - String - Required. Name of the key in the secret.
*/}}
{{- define "common.secrets.key" -}}
{{- $key := .key -}}
{{- if .existingSecret -}}
{{- if not (typeIs "string" .existingSecret) -}}
{{- if .existingSecret.keyMapping -}}
{{- $key = index .existingSecret.keyMapping $.key -}}
{{- end -}}
{{- end }}
{{- end -}}
{{- printf "%s" $key -}}
{{- end -}}

23
gitea/charts/mariadb/charts/common/templates/_storage.tpl Normal file
View File

@ -0,0 +1,23 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper Storage Class
{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
*/}}
{{- define "common.storage.class" -}}
{{- $storageClass := .persistence.storageClass -}}
{{- if .global -}}
{{- if .global.storageClass -}}
{{- $storageClass = .global.storageClass -}}
{{- end -}}
{{- end -}}
{{- if $storageClass -}}
{{- if (eq "-" $storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" $storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}

13
gitea/charts/mariadb/charts/common/templates/_tplvalues.tpl Normal file
View File

@ -0,0 +1,13 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Renders a value that contains template.
Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "common.tplvalues.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}

45
gitea/charts/mariadb/charts/common/templates/_utils.tpl Normal file
View File

@ -0,0 +1,45 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Print instructions to get a secret value.
Usage:
{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }}
*/}}
{{- define "common.utils.secret.getvalue" -}}
{{- $varname := include "common.utils.fieldToEnvVar" . -}}
export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode)
{{- end -}}
{{/*
Build env var name given a field
Usage:
{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }}
*/}}
{{- define "common.utils.fieldToEnvVar" -}}
{{- $fieldNameSplit := splitList "-" .field -}}
{{- $upperCaseFieldNameSplit := list -}}
{{- range $fieldNameSplit -}}
{{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}}
{{- end -}}
{{ join "_" $upperCaseFieldNameSplit }}
{{- end -}}
{{/*
Gets a value from .Values given
Usage:
{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }}
*/}}
{{- define "common.utils.getValueFromKey" -}}
{{- $splitKey := splitList "." .key -}}
{{- $value := "" -}}
{{- $latestObj := $.context.Values -}}
{{- range $splitKey -}}
{{- if not $latestObj -}}
{{- printf "please review the entire path of '%s' exists in values" $.key | fail -}}
{{- end -}}
{{- $value = ( index $latestObj . ) -}}
{{- $latestObj = $value -}}
{{- end -}}
{{- printf "%v" (default "" $value) -}}
{{- end -}}

14
gitea/charts/mariadb/charts/common/templates/_warnings.tpl Normal file
View File

@ -0,0 +1,14 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Warning about using rolling tag.
Usage:
{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
*/}}
{{- define "common.warnings.rollingTag" -}}
{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- end -}}

72
gitea/charts/mariadb/charts/common/templates/validations/_cassandra.tpl Normal file
View File

@ -0,0 +1,72 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate Cassandra required passwords are not empty.
Usage:
{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.cassandra.passwords" -}}
{{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
{{- $enabled := include "common.cassandra.values.enabled" . -}}
{{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
{{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
{{- if and (not $existingSecret) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for existingSecret.
Usage:
{{ include "common.cassandra.values.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
*/}}
{{- define "common.cassandra.values.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.cassandra.dbUser.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.dbUser.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for enabled cassandra.
Usage:
{{ include "common.cassandra.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.cassandra.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.cassandra.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for the key dbUser
Usage:
{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
*/}}
{{- define "common.cassandra.values.key.dbUser" -}}
{{- if .subchart -}}
cassandra.dbUser
{{- else -}}
dbUser
{{- end -}}
{{- end -}}

103
gitea/charts/mariadb/charts/common/templates/validations/_mariadb.tpl Normal file
View File

@ -0,0 +1,103 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MariaDB required passwords are not empty.
Usage:
{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret"
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.mariadb.passwords" -}}
{{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}}
{{- $enabled := include "common.mariadb.values.enabled" . -}}
{{- $architecture := include "common.mariadb.values.architecture" . -}}
{{- $authPrefix := include "common.mariadb.values.key.auth" . -}}
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
{{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
{{- if and (not $existingSecret) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
{{- if not (empty $valueUsername) -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- end -}}
{{- if (eq $architecture "replication") -}}
{{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for existingSecret.
Usage:
{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.auth.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.mariadb.auth.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.auth.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for enabled mariadb.
Usage:
{{ include "common.mariadb.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.mariadb.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.mariadb.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for architecture
Usage:
{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.architecture" -}}
{{- if .subchart -}}
{{- .context.Values.mariadb.architecture -}}
{{- else -}}
{{- .context.Values.architecture -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for the key auth
Usage:
{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mariadb.values.key.auth" -}}
{{- if .subchart -}}
mariadb.auth
{{- else -}}
auth
{{- end -}}
{{- end -}}

108
gitea/charts/mariadb/charts/common/templates/validations/_mongodb.tpl Normal file
View File

@ -0,0 +1,108 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MongoDB required passwords are not empty.
Usage:
{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where MongoDB values are stored, e.g: "mongodb-passwords-secret"
- subchart - Boolean - Optional. Whether MongoDB is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.mongodb.passwords" -}}
{{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}}
{{- $enabled := include "common.mongodb.values.enabled" . -}}
{{- $authPrefix := include "common.mongodb.values.key.auth" . -}}
{{- $architecture := include "common.mongodb.values.architecture" . -}}
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
{{- $valueKeyDatabase := printf "%s.database" $authPrefix -}}
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
{{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}}
{{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}}
{{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}}
{{- if and (not $existingSecret) (eq $enabled "true") (eq $authEnabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
{{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }}
{{- if and $valueUsername $valueDatabase -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- end -}}
{{- if (eq $architecture "replicaset") -}}
{{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for existingSecret.
Usage:
{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false
*/}}
{{- define "common.mongodb.values.auth.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.mongodb.auth.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.auth.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for enabled mongodb.
Usage:
{{ include "common.mongodb.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.mongodb.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.mongodb.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for the key auth
Usage:
{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MongoDB is used as subchart or not. Default: false
*/}}
{{- define "common.mongodb.values.key.auth" -}}
{{- if .subchart -}}
mongodb.auth
{{- else -}}
auth
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for architecture
Usage:
{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
*/}}
{{- define "common.mongodb.values.architecture" -}}
{{- if .subchart -}}
{{- .context.Values.mongodb.architecture -}}
{{- else -}}
{{- .context.Values.architecture -}}
{{- end -}}
{{- end -}}

131
gitea/charts/mariadb/charts/common/templates/validations/_postgresql.tpl Normal file
View File

@ -0,0 +1,131 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate PostgreSQL required passwords are not empty.
Usage:
{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret"
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.postgresql.passwords" -}}
{{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
{{- $enabled := include "common.postgresql.values.enabled" . -}}
{{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
{{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
{{- if and (not $existingSecret) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
{{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
{{- if (eq $enabledReplication "true") -}}
{{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to decide whether evaluate global values.
Usage:
{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
Params:
- key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
*/}}
{{- define "common.postgresql.values.use.global" -}}
{{- if .context.Values.global -}}
{{- if .context.Values.global.postgresql -}}
{{- index .context.Values.global.postgresql .key | quote -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for existingSecret.
Usage:
{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
*/}}
{{- define "common.postgresql.values.existingSecret" -}}
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
{{- if .subchart -}}
{{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
{{- else -}}
{{- default (.context.Values.existingSecret | quote) $globalValue -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for enabled postgresql.
Usage:
{{ include "common.postgresql.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.postgresql.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.postgresql.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for the key postgressPassword.
Usage:
{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.key.postgressPassword" -}}
{{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
{{- if not $globalValue -}}
{{- if .subchart -}}
postgresql.postgresqlPassword
{{- else -}}
postgresqlPassword
{{- end -}}
{{- else -}}
global.postgresql.postgresqlPassword
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for enabled.replication.
Usage:
{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.enabled.replication" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.postgresql.replication.enabled -}}
{{- else -}}
{{- printf "%v" .context.Values.replication.enabled -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for the key replication.password.
Usage:
{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
*/}}
{{- define "common.postgresql.values.key.replicationPassword" -}}
{{- if .subchart -}}
postgresql.replication.password
{{- else -}}
replication.password
{{- end -}}
{{- end -}}

72
gitea/charts/mariadb/charts/common/templates/validations/_redis.tpl Normal file
View File

@ -0,0 +1,72 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate Redis required passwords are not empty.
Usage:
{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret"
- subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.redis.passwords" -}}
{{- $existingSecret := include "common.redis.values.existingSecret" . -}}
{{- $enabled := include "common.redis.values.enabled" . -}}
{{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}}
{{- $valueKeyRedisPassword := printf "%s%s" $valueKeyPrefix "password" -}}
{{- $valueKeyRedisUsePassword := printf "%s%s" $valueKeyPrefix "usePassword" -}}
{{- if and (not $existingSecret) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $usePassword := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUsePassword "context" .context) -}}
{{- if eq $usePassword "true" -}}
{{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Redis Auxiliar function to get the right value for existingSecret.
Usage:
{{ include "common.redis.values.existingSecret" (dict "context" $) }}
Params:
- subchart - Boolean - Optional. Whether Redis is used as subchart or not. Default: false
*/}}
{{- define "common.redis.values.existingSecret" -}}
{{- if .subchart -}}
{{- .context.Values.redis.existingSecret | quote -}}
{{- else -}}
{{- .context.Values.existingSecret | quote -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right value for enabled redis.
Usage:
{{ include "common.redis.values.enabled" (dict "context" $) }}
*/}}
{{- define "common.redis.values.enabled" -}}
{{- if .subchart -}}
{{- printf "%v" .context.Values.redis.enabled -}}
{{- else -}}
{{- printf "%v" (not .context.Values.enabled) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliar function to get the right prefix path for the values
Usage:
{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }}
Params:
- subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
*/}}
{{- define "common.redis.values.keys.prefix" -}}
{{- if .subchart -}}redis.{{- else -}}{{- end -}}
{{- end -}}

44
gitea/charts/mariadb/charts/common/templates/validations/_validations.tpl Normal file
View File

@ -0,0 +1,44 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate values must not be empty.
Usage:
{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
Validate value params:
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
*/}}
{{- define "common.validations.values.multiple.empty" -}}
{{- range .required -}}
{{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
{{- end -}}
{{- end -}}
{{/*
Validate a value must not be empty.
Usage:
{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "context" $) }}
Validate value params:
- valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
*/}}
{{- define "common.validations.values.single.empty" -}}
{{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }}
{{- if not $value -}}
{{- $varname := "my-value" -}}
{{- $getCurrentValue := "" -}}
{{- if and .secret .field -}}
{{- $varname = include "common.utils.fieldToEnvVar" . -}}
{{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}}
{{- end -}}
{{- printf "\n '%s' must not be empty, please add '--set %s=$%s' to the command.%s" .valueKey .valueKey $varname $getCurrentValue -}}
{{- end -}}
{{- end -}}

3
gitea/charts/mariadb/charts/common/values.yaml Normal file
View File

@ -0,0 +1,3 @@
## bitnami/common
## It is required by CI/CD tools and processes.
exampleValue: common-chart

33
gitea/charts/mariadb/ci/values-production-with-rbac-and-metrics.yaml Normal file
View File

@ -0,0 +1,33 @@
# Test values file for generating all of the yaml and check that
# the rendering is correct
architecture: replication
auth:
usePasswordFiles: true
primary:
extraEnvVars:
- name: TEST
value: "3"
extraEnvVarsSecret: example-secret
extraEnvVarsCM: example-cm
podDisruptionBudget:
create: true
secondary:
replicaCount: 2
extraEnvVars:
- name: TEST
value: "2"
extraEnvVarsSecret: example-secret-2
extraEnvVarsCM: example-cm-2
podDisruptionBudget:
create: true
serviceAccount:
create: true
name: mariadb-service-account
rbac:
create: true
metrics:
enabled: true

50
gitea/charts/mariadb/templates/NOTES.txt Normal file
View File

@ -0,0 +1,50 @@
Please be patient while the chart is being deployed
Tip:
Watch the deployment status using the command: kubectl get pods -w --namespace {{ .Release.Namespace }} -l release={{ .Release.Name }}
Services:
echo Primary: {{ include "mariadb.primary.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.primary.service.port }}
{{- if eq .Values.architecture "replication" }}
echo Secondary: {{ include "mariadb.secondary.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.secondary.service.port }}
{{- end }}
Administrator credentials:
Username: root
Password : $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "mariadb.secretName" . }} -o jsonpath="{.data.mariadb-root-password}" | base64 --decode)
To connect to your database:
1. Run a pod that you can use as a client:
kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --image {{ template "mariadb.image" . }} --namespace {{ .Release.Namespace }} --command -- bash
2. To connect to primary service (read/write):
mysql -h {{ include "mariadb.primary.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -uroot -p {{ .Values.auth.database }}
{{- if eq .Values.architecture "replication" }}
3. To connect to secondary service (read-only):
mysql -h {{ include "mariadb.secondary.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -uroot -p {{ .Values.auth.database }}
{{- end }}
To upgrade this helm chart:
1. Obtain the password as described on the 'Administrator credentials' section and set the 'auth.rootPassword' parameter as shown below:
ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "mariadb.secretName" . }} -o jsonpath="{.data.mariadb-root-password}" | base64 --decode)
helm upgrade {{ .Release.Name }} bitnami/mariadb --set auth.rootPassword=$ROOT_PASSWORD
{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "common.warnings.rollingTag" .Values.metrics.image }}
{{- include "mariadb.validateValues" . }}
{{- if not .Values.auth.customPasswordFiles -}}
{{- $passwordValidationErrors := include "common.validations.values.mariadb.passwords" (dict "secret" (include "common.names.fullname" .) "context" $) -}}
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}}
{{- end }}

150
gitea/charts/mariadb/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,150 @@
{{/* vim: set filetype=mustache: */}}
{{- define "mariadb.primary.fullname" -}}
{{- if eq .Values.architecture "replication" }}
{{- printf "%s-%s" (include "common.names.fullname" .) "primary" | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- include "common.names.fullname" . -}}
{{- end -}}
{{- end -}}
{{- define "mariadb.secondary.fullname" -}}
{{- printf "%s-%s" (include "common.names.fullname" .) "secondary" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the proper MariaDB image name
*/}}
{{- define "mariadb.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper metrics image name
*/}}
{{- define "mariadb.metrics.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper image name (for the init container volume-permissions image)
*/}}
{{- define "mariadb.volumePermissions.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "mariadb.imagePullSecrets" -}}
{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }}
{{- end -}}
{{ template "mariadb.initdbScriptsCM" . }}
{{/*
Get the initialization scripts ConfigMap name.
*/}}
{{- define "mariadb.initdbScriptsCM" -}}
{{- if .Values.initdbScriptsConfigMap -}}
{{- printf "%s" .Values.initdbScriptsConfigMap -}}
{{- else -}}
{{- printf "%s-init-scripts" (include "mariadb.primary.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "mariadb.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the configmap with the MariaDB Primary configuration
*/}}
{{- define "mariadb.primary.configmapName" -}}
{{- if .Values.primary.existingConfigmap -}}
{{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}}
{{- else -}}
{{- printf "%s" (include "mariadb.primary.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap object should be created for MariaDB Secondary
*/}}
{{- define "mariadb.primary.createConfigmap" -}}
{{- if and .Values.primary.configuration (not .Values.primary.existingConfigmap) }}
{{- true -}}
{{- else -}}
{{- end -}}
{{- end -}}
{{/*
Return the configmap with the MariaDB Primary configuration
*/}}
{{- define "mariadb.secondary.configmapName" -}}
{{- if .Values.secondary.existingConfigmap -}}
{{- printf "%s" (tpl .Values.secondary.existingConfigmap $) -}}
{{- else -}}
{{- printf "%s" (include "mariadb.secondary.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap object should be created for MariaDB Secondary
*/}}
{{- define "mariadb.secondary.createConfigmap" -}}
{{- if and (eq .Values.architecture "replication") .Values.secondary.configuration (not .Values.secondary.existingConfigmap) }}
{{- true -}}
{{- else -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret with MariaDB credentials
*/}}
{{- define "mariadb.secretName" -}}
{{- if .Values.auth.existingSecret -}}
{{- printf "%s" .Values.auth.existingSecret -}}
{{- else -}}
{{- printf "%s" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a secret object should be created for MariaDB
*/}}
{{- define "mariadb.createSecret" -}}
{{- if and (not .Values.auth.existingSecret) (not .Values.auth.customPasswordFiles) }}
{{- true -}}
{{- else -}}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message, and call fail.
*/}}
{{- define "mariadb.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "mariadb.validateValues.architecture" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/* Validate values of MariaDB - must provide a valid architecture */}}
{{- define "mariadb.validateValues.architecture" -}}
{{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "replication") -}}
mariadb: architecture
Invalid architecture selected. Valid values are "standalone" and
"replication". Please set a valid architecture (--set architecture="xxxx")
{{- end -}}
{{- end -}}

18
gitea/charts/mariadb/templates/primary/configmap.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if (include "mariadb.primary.createConfigmap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "mariadb.primary.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: primary
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
my.cnf: |-
{{ .Values.primary.configuration | indent 4 }}
{{- end -}}

11
gitea/charts/mariadb/templates/primary/initialization-configmap.yaml Normal file
View File

@ -0,0 +1,11 @@
{{- if and .Values.initdbScripts (not .Values.initdbScriptsConfigMap) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-init-scripts" (include "mariadb.primary.fullname" .) }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: primary
data:
{{- include "common.tplvalues.render" (dict "value" .Values.initdbScripts "context" .) | nindent 2 }}
{{ end }}

25
gitea/charts/mariadb/templates/primary/pdb.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- if .Values.primary.pdb.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ include "mariadb.primary.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: primary
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.primary.pdb.minAvailable }}
minAvailable: {{ .Values.primary.pdb.minAvailable }}
{{- end }}
{{- if .Values.primary.pdb.maxUnavailable }}
maxUnavailable: {{ .Values.primary.pdb.maxUnavailable }}
{{- end }}
selector:
matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: primary
{{- end }}

Some files were not shown because too many files have changed in this diff Show More