OpenProject: Helm chart and application config
Change-Id: Ic3e963e72ed4fd7f3d8550feb55ed468dc561884
diff --git a/charts/openproject/.helmignore b/charts/openproject/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/openproject/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/openproject/Chart.lock b/charts/openproject/Chart.lock
new file mode 100644
index 0000000..ca4abbb
--- /dev/null
+++ b/charts/openproject/Chart.lock
@@ -0,0 +1,12 @@
+dependencies:
+- name: postgresql
+ repository: https://charts.bitnami.com/bitnami
+ version: 12.12.10
+- name: memcached
+ repository: https://charts.bitnami.com/bitnami
+ version: 6.14.0
+- name: common
+ repository: https://charts.bitnami.com/bitnami
+ version: 2.19.1
+digest: sha256:0fde10adb357d4399cdda67e384bea2e34dcc16121ffa0e2d8d4dadd184346e1
+generated: "2024-03-28T12:35:19.4267304Z"
diff --git a/charts/openproject/Chart.yaml b/charts/openproject/Chart.yaml
new file mode 100644
index 0000000..09edf7b
--- /dev/null
+++ b/charts/openproject/Chart.yaml
@@ -0,0 +1,35 @@
+annotations:
+ artifacthub.io/license: GPL-3.0-only
+ artifacthub.io/links: |
+ - name: Homepage
+ url: https://www.openproject.org/
+ - name: OpenProject Community
+ url: https://community.openproject.org
+ - name: support
+ url: https://www.openproject.org/docs/development/report-a-bug/
+ artifacthub.io/signKey: |
+ fingerprint: CB1CA0488A75B7471EA1B087CF56DD6A0AE260E5
+ url: https://keys.openpgp.org/vks/v1/by-fingerprint/CB1CA0488A75B7471EA1B087CF56DD6A0AE260E5
+apiVersion: v2
+appVersion: "13"
+dependencies:
+- condition: postgresql.bundled
+ name: postgresql
+ repository: https://charts.bitnami.com/bitnami
+ version: ^12.1.6
+- condition: memcached.bundled
+ name: memcached
+ repository: https://charts.bitnami.com/bitnami
+ version: ^6.3.2
+- name: common
+ repository: https://charts.bitnami.com/bitnami
+ version: ^2.2.2
+description: A Helm chart for running OpenProject via Kubernetes
+home: https://www.openproject.org/
+icon: https://charts.openproject.org/logo.svg
+maintainers:
+- name: OpenProject
+ url: https://github.com/opf/helm-charts
+name: openproject
+type: application
+version: 5.1.3
diff --git a/charts/openproject/README.md b/charts/openproject/README.md
new file mode 100644
index 0000000..7d5d8b0
--- /dev/null
+++ b/charts/openproject/README.md
@@ -0,0 +1,365 @@
+# Helm chart for OpenProject
+
+This is the chart for OpenProject itself. It bootstraps an OpenProject instance, optionally with a PostgreSQL database and Memcached.
+
+## Prerequisites
+
+- Kubernetes 1.16+
+- Helm 3.0.0+
+- PV provisioner support in the underlying infrastructure
+
+
+## Helm chart Provenance and Integrity
+
+We sign our chart using the [Helm Provenance and Integrity](https://helm.sh/docs/topics/provenance/) functionality. You can find the used public key here
+
+- https://github.com/opf/helm-charts/blob/main/signing.key
+- https://keys.openpgp.org/vks/v1/by-fingerprint/CB1CA0488A75B7471EA1B087CF56DD6A0AE260E5
+
+We recommend using the [Helm GnuPG plugin](https://github.com/technosophos/helm-gpg). With it you can manually verify the signature like this:
+
+```bash
+helm repo add openproject https://charts.openproject.org
+helm fetch --prov openproject/openproject
+helm gpg verify openproject-*.tgz
+```
+
+## Installation
+
+### Quick start
+
+```shell
+helm repo add openproject https://charts.openproject.org
+helm upgrade --create-namespace --namespace openproject --install my-openproject openproject/openproject
+```
+
+You can also install the chart with the release name `my-openproject` in its own namespace like this:
+
+```shell
+helm upgrade --create-namespace --namespace openproject --install my-openproject openproject/openproject
+```
+
+The namespace is optional, but we recommend it as it does make it easier to manage the resources created for OpenProject.
+
+## Configuration
+
+Configuration of the chart takes place through defined values, and a catch-all entry `environment` to provide all possible variables through ENV that OpenProject supports. To get more information about the possible values, please see [our guide on environment variables](https://www.openproject.org/docs/installation-and-operations/configuration/environment/).
+
+
+
+### Available OpenProject specific helm values
+
+We try to map the most common options to chart values directly for ease of use. The most common ones are listed here, feel free to extend available values [through a pull request](https://github.com/opf/helm-charts/).
+
+
+
+**OpenProject image and version**
+
+By default, the helm chart will target the latest stable major release. You can define a custom [supported docker tag](https://hub.docker.com/r/openproject/community/) using `image.tag`. Override container registry and repository using `image.registry` and `image.repository`, respectively.
+
+Please make sure to use the `-slim` variant of OpenProject, as the all-in-one container is adding unnecessary services and will not work as expected with default options such as operating as a non-root user.
+
+
+
+**HTTPS mode**
+
+Regardless of the TLS mode of ingress, OpenProject needs to be told whether it's expected to run and return HTTPS responses (or generate correct links in mails, background jobs, etc.). If you're not running https, then set `openproject.https=false`.
+
+
+
+**Seed locale** (13.0+)
+
+By default, demo data and global names for types, statuses, etc. will be in English. If you wish to set a custom locale, set `openproject.seed_locale=XX`, where XX can be a two-character ISO code. For currently supported values, see the `OPENPROJECT_AVAILABLE__LANGUAGES` default value in the [environment guide](https://www.openproject.org/docs/installation-and-operations/configuration/environment/).
+
+
+
+**Admin user** (13.0+)
+
+By default, OpenProject generates an admin user with password `admin` which is required to change after first interactive login.
+If you're operating an automated deployment with fresh databases for testing, this default approach might not be desirable.
+
+You can customize the password as well as name, email, and whether a password change is enforced on first login with these variables:
+
+```ruby
+openproject.admin_user.password="my-secure-password"
+openproject.admin_user.password_reset="false"
+openproject.admin_user.name="Firstname Lastname"
+openproject.admin_user.mail="admin@example.com"
+```
+
+
+
+### ReadWriteMany volumes
+
+By default and when using filesystem-based attachments, OpenProject requires the Kubernetes cluster to support `ReadWriteMany` (rwx) volumes. This is due to the fact that multiple container instances need access to write to the attachment storage.
+
+To avoid using ReadWriteMany, you will need to configure an S3 compatible object storage instead which is shown in the [advanced configuration guide](https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage).
+
+```
+persistence:
+ enabled: false
+
+s3:
+ enabled: true
+ accessKeyId:
+ # host:
+ # port:
+```
+
+
+
+### Updating the configuration
+
+The OpenProject configuration can be changed through environment variables.
+You can use `helm upgrade` to set individual values.
+
+For instance:
+
+```shell
+helm upgrade --reuse-values --namespace openproject my-openproject --set environment.OPENPROJECT_IMPRESSUM__LINK=https://www.openproject.org/legal/imprint/ --set environment.OPENPROJECT_APP__TITLE='My OpenProject'
+```
+
+Find out more about the [configuration through environment variables](https://www.openproject.org/docs/installation-and-operations/configuration/environment/) section.
+
+
+
+## Uninstalling the Chart
+
+To uninstall the release with the name my-openproject do the following:
+
+```shell
+helm uninstall --namespace openproject my-openproject
+```
+
+
+
+> **Note**: This will not remove the persistent volumes created while installing.
+> The easiest way to ensure all PVCs are deleted as well is to delete the openproject namespace
+> (`kubectl delete namespace openproject`). If you installed OpenProject into the default
+> namespace, you can delete the volumes manually one by one.
+
+
+
+## Troubleshooting
+
+### Web deployment stuck in `CrashLoopBackoff`
+
+Describing the pod may yield an error like the following:
+
+```
+65s) kubelet Error: failed to start container "openproject": Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error setting cgroup config for procHooks process: failed to write "400000": write /sys/fs/cgroup/cpu,cpuacct/kubepods/burstable/pod990fa25e-dbf0-4fb7-9b31-9d7106473813/openproject/cpu.cfs_quota_us: invalid argument: unknown
+```
+
+This can happen when using **minikube**. By default, it initialises the cluster with 2 CPUs only.
+
+Either increase the cluster's resources to have at least 4 CPUs or install the OpenProject helm chart with a reduced CPU limit by adding the following option to the install command:
+
+```shell
+--set resources.limits.cpu=2
+```
+
+## Development
+
+To install or update from this directory run the following command.
+
+```bash
+bin/install-dev
+```
+
+This will install the chart with `--set develop=true` which is recommended
+on local clusters such as **minikube** or **kind**.
+
+This will also set `OPENPROJECT_HTTPS` to false so no TLS certificate is required
+to access it.
+
+You can set other options just like when installing via `--set`
+(e.g. `bin/install-dev --set persistence.enabled=false`).
+
+### Debugging
+
+Changes to the chart can be debugged using the following.
+
+```bash
+bin/debug
+```
+
+This will try to render the templates and show any errors.
+You can set values just like when installing via `--set`
+(e.g. `bin/debug --set persistence.enabled=false`).
+
+## TLS
+
+Create a TLS certificate, e.g. using [mkcert](https://github.com/FiloSottile/mkcert).
+
+```
+mkcert helm-example.openproject-dev.com
+```
+
+Create the tls secret in kubernetes.
+
+```
+kubectl -n openproject create secret tls openproject-tls \
+ --key="helm-example.openproject-dev.com-key.pem" \
+ --cert="helm-example.openproject-dev.com.pem"
+```
+
+Set the tls secret value during installation or an upgrade by adding the following.
+
+```
+--set ingress.tls.enabled=true --set tls.secretName=openproject-tls
+```
+
+### Root CA
+
+If you want to add your own root CA for outgoing TLS connection, do the following.
+
+1. Put the certificate into a config map.
+
+```
+kubectl -n openproject-dev create configmap ca-pemstore --from-file=/path/to/rootCA.pem
+```
+
+To make OpenProject use this CA for outgoing TLS connection, set the following options.
+
+```
+ --set egress.tls.rootCA.configMap=ca-pemstore \
+ --set egress.tls.rootCA.fileName=rootCA.pem
+```
+
+## Secrets
+
+There are various sensitive credentials used by the chart.
+While they can be provided directly in the values (e.g. `--set postgresql.auth.password`),
+it is recommended to store them in secrets instead.
+
+You can create a new secret like this:
+
+```
+kubectl -n openproject create secret generic <name>
+```
+
+You can then edit the secret to add the credentials via the following.
+
+```
+kubectl -n openproject edit secret <name>
+```
+
+The newly created secret will look something like this:
+
+```
+apiVersion: v1
+kind: Secret
+metadata:
+ creationTimestamp: "2024-01-10T09:36:09Z"
+ name: <name>
+ namespace: openproject
+ resourceVersion: "1074377"
+ uid: ff6538cd-f8cb-418f-8cee-bd1e20d96d24
+type: Opaque
+```
+
+To add the actual content, you can simply add `stringData:` to the end of it and save it.
+
+The keys which are looked up inside the secret data can be changed from their defaults in the values as well. This is the same in all cases where next to `existingSecret` you can also set `secretKeys`.
+
+In the following sections we give examples for what this may look like using the default keys for the credentials used by OpenProject.
+
+### PostgreSQL
+
+```yaml
+stringData:
+ postgres-password: postgresPassword
+ password: userPassword
+```
+
+If you have an existing secret where the keys are not `postgres-password` and `password`, you can customize the used keys as mentioned above.
+
+For instance:
+
+```bash
+helm upgrade --create-namespace --namespace openproject --install openproject \
+ --set postgresql.auth.existingSecret=mysecret \
+ --set postgresql.auth.secretKeys.adminPasswordKey=adminpw \
+ --set postgresql.auth.secretKeys.userPasswordKey=userpw
+```
+
+This can be customized for the the credentials in the following sections too in the same fashion.
+You can look up the respective options in the [`values.yaml`](./values.yaml) file.
+
+#### Default passwords
+
+If you provide neither an existing secret nor passwords directly in the `values.yaml` file,
+the postgres chart will generate a secret automatically.
+
+This secret will contain both the user and admin passwords.
+You can print the base64 encoded passwords as follows.
+
+```
+kubectl get secret -n <namespace> openproject-postgresql -o yaml | grep password
+```
+
+### OIDC (OpenID Connect)
+
+```yaml
+stringData:
+ clientId: 7c6cc104-1d07-4a9f-b3fb-017da8577cec
+ clientSecret: Sf78Q~H14O7F2_EOS4NsLoxu-ayOm42i~MljMb44
+```
+
+
+
+**Sealed secrets**
+
+```bash
+kubectl create secret generic openproject-oidc-secret-sealed --from-literal=OPENPROJECT_OPENID__CONNECT_PROVIDERHERE_IDENTIFIER=xxxxx --from-literal=OPENPROJECT_OPENID__CONNECT_PROVIDERHERE_SECRET=xxxxx --dry-run=client -o yaml | kubeseal ...
+```
+
+Set `openproject.oidc.extraOidcSealedSecret="openproject-oidc-secret-sealed"` in your values.
+
+### S3
+
+```yaml
+stringData:
+ accessKeyId: AKIAXDF2JNZRBFQIRTKA
+ secretAccessKey: zwH7t0H3bJQf/TvlQpE7/Y59k9hD+nYNRlKUBpuq
+```
+
+## OpenShift
+
+For OpenProject to work in OpenShift without further adjustments,
+you need to use the following pod and container security context.
+
+```
+podSecurityContext:
+ supplementalGroups: [1000]
+ fsGroup: null
+
+containerSecurityContext:
+ runAsUser: null
+ runAsGroup: null
+```
+
+By default OpenProject requests `fsGroup: 1000` in the pod security context, and also `1000` for both `runAsUser` and `runAsGroup` in the container security context.
+You have to allow this using a custom SCC (Security Context Constraint) in the cluster. In this case you do not have to adjust the security contexts.
+But the easiest way is the use of the security contexts as shown above.
+
+Due to the default restrictions in OpenShift there may also be issues running
+PostgreSQL and memcached. Again, you may have to create an SCC to fix this
+or adjust the policies in the subcharts accordingly.
+
+Assuming no further options for both, simply disabling the security context values to use the default works as well.
+
+```
+postgresql:
+ primary:
+ containerSecurityContext:
+ enabled: false
+ podSecurityContext:
+ enabled: false
+
+memcached:
+ containerSecurityContext:
+ enabled: false
+ podSecurityContext:
+ enabled: false
+```
diff --git a/charts/openproject/RELEASE-NOTES.md b/charts/openproject/RELEASE-NOTES.md
new file mode 100644
index 0000000..d5da084
--- /dev/null
+++ b/charts/openproject/RELEASE-NOTES.md
@@ -0,0 +1,6 @@
+
+
+### Patch Changes
+
+- 35aba8b: fix(secret_s3): add quote around port
+
diff --git a/charts/openproject/bin/debug b/charts/openproject/bin/debug
new file mode 100644
index 0000000..0190310
--- /dev/null
+++ b/charts/openproject/bin/debug
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Outputs the generated helm configurations after templating.
+
+yaml_output=/tmp/op-hc-yaml-output.txt
+error_output=/tmp/op-hc-error-output.txt
+section_output=/tmp/op-hc-section-output.yml
+vimrc=/tmp/op-hc-vim-rc
+
+rm $yaml_output $error_output $section_output $vimrc &>/dev/null
+
+helm template --debug "$@" . 1> $yaml_output 2> $error_output
+
+if [ $? -gt 0 ]; then
+ section=`cat $error_output | grep 'Error: YAML parse error on' | cut -d: -f2 | cut -d' ' -f6-`
+
+ if [ -n "$section" ]; then
+ cat $yaml_output | sed -e "0,/\# Source: ${section//\//\\/}/d" | tail -n+2 | sed -e '/---/,$d' > $section_output
+
+ line=`cat $error_output | grep line | head -n1 | perl -nle 'm/line (\d+)/; print $1'`
+
+ if [ -n "$line" ]; then
+ echo "autocmd VimEnter * echo '`cat $error_output | grep line | head -n1`'" > $vimrc
+ vim +$line -u $vimrc $section_output
+ else
+ echo
+ echo "Template error: "
+ echo
+ echo ---
+ cat $section_output
+ cat $error_output
+ fi
+ else
+ echo
+ echo "Template error: "
+ echo
+ echo ---
+ cat $yaml_output
+ cat $error_output
+ fi
+else
+ cat $yaml_output
+
+ echo
+ echo "Syntax ok"
+fi
diff --git a/charts/openproject/bin/install-dev b/charts/openproject/bin/install-dev
new file mode 100644
index 0000000..b38d542
--- /dev/null
+++ b/charts/openproject/bin/install-dev
@@ -0,0 +1,6 @@
+# !/bin/bash
+
+# Install OpenProject in development mode, that is without https and allowing writes
+# to the container file system.
+
+helm upgrade --create-namespace --namespace openproject --install openproject --set develop=true "$@" .
diff --git a/charts/openproject/charts/common/.helmignore b/charts/openproject/charts/common/.helmignore
new file mode 100644
index 0000000..7c7c21d
--- /dev/null
+++ b/charts/openproject/charts/common/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# img folder
+img/
diff --git a/charts/openproject/charts/common/Chart.yaml b/charts/openproject/charts/common/Chart.yaml
new file mode 100644
index 0000000..8d0e546
--- /dev/null
+++ b/charts/openproject/charts/common/Chart.yaml
@@ -0,0 +1,23 @@
+annotations:
+ category: Infrastructure
+ licenses: Apache-2.0
+apiVersion: v2
+appVersion: 2.19.1
+description: A Library Helm Chart for grouping common logic between bitnami charts.
+ This chart is not deployable by itself.
+home: https://bitnami.com
+icon: https://bitnami.com/downloads/logos/bitnami-mark.png
+keywords:
+- common
+- helper
+- template
+- function
+- bitnami
+maintainers:
+- name: VMware, Inc.
+ url: https://github.com/bitnami/charts
+name: common
+sources:
+- https://github.com/bitnami/charts
+type: library
+version: 2.19.1
diff --git a/charts/openproject/charts/common/README.md b/charts/openproject/charts/common/README.md
new file mode 100644
index 0000000..0d01a1e
--- /dev/null
+++ b/charts/openproject/charts/common/README.md
@@ -0,0 +1,235 @@
+# Bitnami Common Library Chart
+
+A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts.
+
+## TL;DR
+
+```yaml
+dependencies:
+ - name: common
+ version: 2.x.x
+ repository: oci://registry-1.docker.io/bitnamicharts
+```
+
+```console
+helm dependency update
+```
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.names.fullname" . }}
+data:
+ myvalue: "Hello World"
+```
+
+Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
+
+## Introduction
+
+This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
+
+Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
+
+## Prerequisites
+
+- Kubernetes 1.23+
+- Helm 3.8.0+
+
+## Parameters
+
+## Special input schemas
+
+### ImageRoot
+
+```yaml
+registry:
+ type: string
+ description: Docker registry where the image is located
+ example: docker.io
+
+repository:
+ type: string
+ description: Repository and image name
+ example: bitnami/nginx
+
+tag:
+ type: string
+ description: image tag
+ example: 1.16.1-debian-10-r63
+
+pullPolicy:
+ type: string
+ description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+
+pullSecrets:
+ type: array
+ items:
+ type: string
+ description: Optionally specify an array of imagePullSecrets (evaluated as templates).
+
+debug:
+ type: boolean
+ description: Set to true if you would like to see extra information on logs
+ example: false
+
+## An instance would be:
+# registry: docker.io
+# repository: bitnami/nginx
+# tag: 1.16.1-debian-10-r63
+# pullPolicy: IfNotPresent
+# debug: false
+```
+
+### Persistence
+
+```yaml
+enabled:
+ type: boolean
+ description: Whether enable persistence.
+ example: true
+
+storageClass:
+ type: string
+ description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
+ example: "-"
+
+accessMode:
+ type: string
+ description: Access mode for the Persistent Volume Storage.
+ example: ReadWriteOnce
+
+size:
+ type: string
+ description: Size the Persistent Volume Storage.
+ example: 8Gi
+
+path:
+ type: string
+ description: Path to be persisted.
+ example: /bitnami
+
+## An instance would be:
+# enabled: true
+# storageClass: "-"
+# accessMode: ReadWriteOnce
+# size: 8Gi
+# path: /bitnami
+```
+
+### ExistingSecret
+
+```yaml
+name:
+ type: string
+ description: Name of the existing secret.
+ example: mySecret
+keyMapping:
+ description: Mapping between the expected key name and the name of the key in the existing secret.
+ type: object
+
+## An instance would be:
+# name: mySecret
+# keyMapping:
+# password: myPasswordKey
+```
+
+#### Example of use
+
+When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets.
+
+```yaml
+# templates/secret.yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ labels:
+ app: {{ include "common.names.fullname" . }}
+type: Opaque
+data:
+ password: {{ .Values.password | b64enc | quote }}
+
+# templates/dpl.yaml
+---
+...
+ env:
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
+ key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
+...
+
+# values.yaml
+---
+name: mySecret
+keyMapping:
+ password: myPasswordKey
+```
+
+### ValidateValue
+
+#### NOTES.txt
+
+```console
+{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}}
+{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}}
+
+{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
+```
+
+If we force those values to be empty we will see some alerts
+
+```console
+helm install test mychart --set path.to.value00="",path.to.value01=""
+ 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:
+
+ export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d)
+
+ 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value:
+
+ export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d)
+```
+
+## Upgrading
+
+### To 1.0.0
+
+[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
+
+#### What changes were introduced in this major version?
+
+- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
+- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information.
+- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
+
+#### Considerations when upgrading to this version
+
+- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
+- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
+- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
+
+#### Useful links
+
+- <https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/>
+- <https://helm.sh/docs/topics/v2_v3_migration/>
+- <https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/>
+
+## License
+
+Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+<http://www.apache.org/licenses/LICENSE-2.0>
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/charts/openproject/charts/common/templates/_affinities.tpl b/charts/openproject/charts/common/templates/_affinities.tpl
new file mode 100644
index 0000000..e85b1df
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_affinities.tpl
@@ -0,0 +1,139 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a soft nodeAffinity definition
+{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes.soft" -}}
+preferredDuringSchedulingIgnoredDuringExecution:
+ - preference:
+ matchExpressions:
+ - key: {{ .key }}
+ operator: In
+ values:
+ {{- range .values }}
+ - {{ . | quote }}
+ {{- end }}
+ weight: 1
+{{- end -}}
+
+{{/*
+Return a hard nodeAffinity definition
+{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes.hard" -}}
+requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: {{ .key }}
+ operator: In
+ values:
+ {{- range .values }}
+ - {{ . | quote }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return a nodeAffinity definition
+{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes" -}}
+ {{- if eq .type "soft" }}
+ {{- include "common.affinities.nodes.soft" . -}}
+ {{- else if eq .type "hard" }}
+ {{- include "common.affinities.nodes.hard" . -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return a topologyKey definition
+{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}}
+*/}}
+{{- define "common.affinities.topologyKey" -}}
+{{ .topologyKey | default "kubernetes.io/hostname" -}}
+{{- end -}}
+
+{{/*
+Return a soft podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
+*/}}
+{{- define "common.affinities.pods.soft" -}}
+{{- $component := default "" .component -}}
+{{- $customLabels := default (dict) .customLabels -}}
+{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
+preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := $extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ weight: 1
+ {{- range $extraPodAffinityTerms }}
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := .extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ weight: {{ .weight | default 1 -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return a hard podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
+*/}}
+{{- define "common.affinities.pods.hard" -}}
+{{- $component := default "" .component -}}
+{{- $customLabels := default (dict) .customLabels -}}
+{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
+requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := $extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ {{- range $extraPodAffinityTerms }}
+ - labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := .extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return a podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.pods" -}}
+ {{- if eq .type "soft" }}
+ {{- include "common.affinities.pods.soft" . -}}
+ {{- else if eq .type "hard" }}
+ {{- include "common.affinities.pods.hard" . -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/_capabilities.tpl b/charts/openproject/charts/common/templates/_capabilities.tpl
new file mode 100644
index 0000000..115674a
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_capabilities.tpl
@@ -0,0 +1,229 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return the target Kubernetes version
+*/}}
+{{- define "common.capabilities.kubeVersion" -}}
+{{- if .Values.global }}
+ {{- if .Values.global.kubeVersion }}
+ {{- .Values.global.kubeVersion -}}
+ {{- else }}
+ {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+ {{- end -}}
+{{- else }}
+{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for poddisruptionbudget.
+*/}}
+{{- define "common.capabilities.policy.apiVersion" -}}
+{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "policy/v1beta1" -}}
+{{- else -}}
+{{- print "policy/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for networkpolicy.
+*/}}
+{{- define "common.capabilities.networkPolicy.apiVersion" -}}
+{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for cronjob.
+*/}}
+{{- define "common.capabilities.cronjob.apiVersion" -}}
+{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "batch/v1beta1" -}}
+{{- else -}}
+{{- print "batch/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for daemonset.
+*/}}
+{{- define "common.capabilities.daemonset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for deployment.
+*/}}
+{{- define "common.capabilities.deployment.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for statefulset.
+*/}}
+{{- define "common.capabilities.statefulset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apps/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "common.capabilities.ingress.apiVersion" -}}
+{{- if .Values.ingress -}}
+{{- if .Values.ingress.apiVersion -}}
+{{- .Values.ingress.apiVersion -}}
+{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end }}
+{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for RBAC resources.
+*/}}
+{{- define "common.capabilities.rbac.apiVersion" -}}
+{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "rbac.authorization.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "rbac.authorization.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for CRDs.
+*/}}
+{{- define "common.capabilities.crd.apiVersion" -}}
+{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiextensions.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "apiextensions.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for APIService.
+*/}}
+{{- define "common.capabilities.apiService.apiVersion" -}}
+{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiregistration.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "apiregistration.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for Horizontal Pod Autoscaler.
+*/}}
+{{- define "common.capabilities.hpa.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- if .beta2 -}}
+{{- print "autoscaling/v2beta2" -}}
+{{- else -}}
+{{- print "autoscaling/v2beta1" -}}
+{{- end -}}
+{{- else -}}
+{{- print "autoscaling/v2" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for Vertical Pod Autoscaler.
+*/}}
+{{- define "common.capabilities.vpa.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- if .beta2 -}}
+{{- print "autoscaling/v2beta2" -}}
+{{- else -}}
+{{- print "autoscaling/v2beta1" -}}
+{{- end -}}
+{{- else -}}
+{{- print "autoscaling/v2" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if PodSecurityPolicy is supported
+*/}}
+{{- define "common.capabilities.psp.supported" -}}
+{{- if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if AdmissionConfiguration is supported
+*/}}
+{{- define "common.capabilities.admissionConfiguration.supported" -}}
+{{- if semverCompare ">=1.23-0" (include "common.capabilities.kubeVersion" .) -}}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for AdmissionConfiguration.
+*/}}
+{{- define "common.capabilities.admissionConfiguration.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiserver.config.k8s.io/v1alpha1" -}}
+{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiserver.config.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "apiserver.config.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for PodSecurityConfiguration.
+*/}}
+{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}}
+{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "pod-security.admission.config.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "pod-security.admission.config.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if the used Helm version is 3.3+.
+A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure.
+This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error.
+**To be removed when the catalog's minimun Helm version is 3.3**
+*/}}
+{{- define "common.capabilities.supportsHelmVersion" -}}
+{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/_compatibility.tpl b/charts/openproject/charts/common/templates/_compatibility.tpl
new file mode 100644
index 0000000..17665d5
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_compatibility.tpl
@@ -0,0 +1,39 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/_errors.tpl b/charts/openproject/charts/common/templates/_errors.tpl
new file mode 100644
index 0000000..07ded6f
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_errors.tpl
@@ -0,0 +1,28 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Through error when upgrading using empty passwords values that must not be empty.
+
+Usage:
+{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
+{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
+
+Required password params:
+ - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
+ - context - Context - Required. Parent context.
+*/}}
+{{- define "common.errors.upgrade.passwords.empty" -}}
+ {{- $validationErrors := join "" .validationErrors -}}
+ {{- if and $validationErrors .context.Release.IsUpgrade -}}
+ {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
+ {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
+ {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
+ {{- $errorString = print $errorString "\n%s" -}}
+ {{- printf $errorString $validationErrors | fail -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/_images.tpl b/charts/openproject/charts/common/templates/_images.tpl
new file mode 100644
index 0000000..1bcb779
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_images.tpl
@@ -0,0 +1,117 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper image name
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }}
+*/}}
+{{- define "common.images.image" -}}
+{{- $registryName := .imageRoot.registry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .imageRoot.tag | toString -}}
+{{- if .global }}
+ {{- if .global.imageRegistry }}
+ {{- $registryName = .global.imageRegistry -}}
+ {{- end -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+ {{- $separator = "@" -}}
+ {{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- if $registryName }}
+ {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- else -}}
+ {{- printf "%s%s%s" $repositoryName $separator $termination -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead)
+{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
+*/}}
+{{- define "common.images.pullSecrets" -}}
+ {{- $pullSecrets := list }}
+
+ {{- if .global }}
+ {{- range .global.imagePullSecrets -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets .name -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end }}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .pullSecrets -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets .name -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets | uniq }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names evaluating values as templates
+{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }}
+*/}}
+{{- define "common.images.renderPullSecrets" -}}
+ {{- $pullSecrets := list }}
+ {{- $context := .context }}
+
+ {{- if $context.Values.global }}
+ {{- range $context.Values.global.imagePullSecrets -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .pullSecrets -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets | uniq }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion)
+{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }}
+*/}}
+{{- define "common.images.version" -}}
+{{- $imageTag := .imageRoot.tag | toString -}}
+{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}}
+{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}}
+ {{- $version := semver $imageTag -}}
+ {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}}
+{{- else -}}
+ {{- print .chart.AppVersion -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/openproject/charts/common/templates/_ingress.tpl b/charts/openproject/charts/common/templates/_ingress.tpl
new file mode 100644
index 0000000..efa5b85
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_ingress.tpl
@@ -0,0 +1,73 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Generate backend entry that is compatible with all Kubernetes API versions.
+
+Usage:
+{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}
+
+Params:
+ - serviceName - String. Name of an existing service backend
+ - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer.
+ - context - Dict - Required. The context for the template evaluation.
+*/}}
+{{- define "common.ingress.backend" -}}
+{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
+{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
+serviceName: {{ .serviceName }}
+servicePort: {{ .servicePort }}
+{{- else -}}
+service:
+ name: {{ .serviceName }}
+ port:
+ {{- if typeIs "string" .servicePort }}
+ name: {{ .servicePort }}
+ {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }}
+ number: {{ .servicePort | int }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Print "true" if the API pathType field is supported
+Usage:
+{{ include "common.ingress.supportsPathType" . }}
+*/}}
+{{- define "common.ingress.supportsPathType" -}}
+{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if the ingressClassname field is supported
+Usage:
+{{ include "common.ingress.supportsIngressClassname" . }}
+*/}}
+{{- define "common.ingress.supportsIngressClassname" -}}
+{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if cert-manager required annotations for TLS signed
+certificates are set in the Ingress annotations
+Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+Usage:
+{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }}
+*/}}
+{{- define "common.ingress.certManagerRequest" -}}
+{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/_labels.tpl b/charts/openproject/charts/common/templates/_labels.tpl
new file mode 100644
index 0000000..d90a6cd
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_labels.tpl
@@ -0,0 +1,46 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Kubernetes standard labels
+{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}}
+*/}}
+{{- define "common.labels.standard" -}}
+{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
+{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}}
+{{- with .context.Chart.AppVersion -}}
+{{- $_ := set $default "app.kubernetes.io/version" . -}}
+{{- end -}}
+{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }}
+{{- else -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+helm.sh/chart: {{ include "common.names.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Chart.AppVersion }}
+app.kubernetes.io/version: {{ . | quote }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector
+{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}}
+
+We don't want to loop over custom labels appending them to the selector
+since it's very likely that it will break deployments, services, etc.
+However, it's important to overwrite the standard labels if the user
+overwrote them on metadata.labels fields.
+*/}}
+{{- define "common.labels.matchLabels" -}}
+{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
+{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }}
+{{- else -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/_names.tpl b/charts/openproject/charts/common/templates/_names.tpl
new file mode 100644
index 0000000..a222924
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_names.tpl
@@ -0,0 +1,71 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "common.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "common.names.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "common.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified dependency name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+Usage:
+{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }}
+*/}}
+{{- define "common.names.dependency.fullname" -}}
+{{- if .chartValues.fullnameOverride -}}
+{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .chartName .chartValues.nameOverride -}}
+{{- if contains $name .context.Release.Name -}}
+{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
+*/}}
+{{- define "common.names.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified app name adding the installation's namespace.
+*/}}
+{{- define "common.names.fullname.namespace" -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/_resources.tpl b/charts/openproject/charts/common/templates/_resources.tpl
new file mode 100644
index 0000000..030fa1a
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_resources.tpl
@@ -0,0 +1,50 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a resource request/limit object based on a given preset.
+These presets are for basic testing and not meant to be used in production
+{{ include "common.resources.preset" (dict "type" "nano") -}}
+*/}}
+{{- define "common.resources.preset" -}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}}
+{{- $presets := dict
+ "nano" (dict
+ "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
+ )
+ "micro" (dict
+ "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
+ )
+ "small" (dict
+ "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
+ )
+ "medium" (dict
+ "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
+ )
+ "large" (dict
+ "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
+ )
+ "xlarge" (dict
+ "requests" (dict "cpu" "1.5" "memory" "4096Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
+ )
+ "2xlarge" (dict
+ "requests" (dict "cpu" "1.5" "memory" "4096Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
+ )
+ }}
+{{- if hasKey $presets .type -}}
+{{- index $presets .type | toYaml -}}
+{{- else -}}
+{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/_secrets.tpl b/charts/openproject/charts/common/templates/_secrets.tpl
new file mode 100644
index 0000000..84dbe38
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_secrets.tpl
@@ -0,0 +1,182 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Generate secret name.
+
+Usage:
+{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
+
+Params:
+ - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
+ to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+ +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
+ - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
+ - context - Dict - Required. The context for the template evaluation.
+*/}}
+{{- define "common.secrets.name" -}}
+{{- $name := (include "common.names.fullname" .context) -}}
+
+{{- if .defaultNameSuffix -}}
+{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- with .existingSecret -}}
+{{- if not (typeIs "string" .) -}}
+{{- with .name -}}
+{{- $name = . -}}
+{{- end -}}
+{{- else -}}
+{{- $name = . -}}
+{{- end -}}
+{{- end -}}
+
+{{- printf "%s" $name -}}
+{{- end -}}
+
+{{/*
+Generate secret key.
+
+Usage:
+{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
+
+Params:
+ - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
+ to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+ +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
+ - key - String - Required. Name of the key in the secret.
+*/}}
+{{- define "common.secrets.key" -}}
+{{- $key := .key -}}
+
+{{- if .existingSecret -}}
+ {{- if not (typeIs "string" .existingSecret) -}}
+ {{- if .existingSecret.keyMapping -}}
+ {{- $key = index .existingSecret.keyMapping $.key -}}
+ {{- end -}}
+ {{- end }}
+{{- end -}}
+
+{{- printf "%s" $key -}}
+{{- end -}}
+
+{{/*
+Generate secret password or retrieve one if already created.
+
+Usage:
+{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - key - String - Required - Name of the key in the secret.
+ - providedValues - List<String> - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
+ - length - int - Optional - Length of the generated random password.
+ - strong - Boolean - Optional - Whether to add symbols to the generated random password.
+ - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
+ - context - Context - Required - Parent context.
+ - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets.
+ - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted.
+ - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret.
+The order in which this function returns a secret password:
+ 1. Already existing 'Secret' resource
+ (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
+ 2. Password provided via the values.yaml
+ (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
+ 3. Randomly generated secret password
+ (A new random secret password with the length specified in the 'length' parameter will be generated and returned)
+
+*/}}
+{{- define "common.secrets.passwords.manage" -}}
+
+{{- $password := "" }}
+{{- $subchart := "" }}
+{{- $chartName := default "" .chartName }}
+{{- $passwordLength := default 10 .length }}
+{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
+{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
+{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
+{{- if $secretData }}
+ {{- if hasKey $secretData .key }}
+ {{- $password = index $secretData .key | b64dec }}
+ {{- else if not (eq .failOnNew false) }}
+ {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
+ {{- else if $providedPasswordValue }}
+ {{- $password = $providedPasswordValue | toString }}
+ {{- end -}}
+{{- else if $providedPasswordValue }}
+ {{- $password = $providedPasswordValue | toString }}
+{{- else }}
+
+ {{- if .context.Values.enabled }}
+ {{- $subchart = $chartName }}
+ {{- end -}}
+
+ {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
+ {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
+ {{- $passwordValidationErrors := list $requiredPasswordError -}}
+ {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
+
+ {{- if .strong }}
+ {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
+ {{- $password = randAscii $passwordLength }}
+ {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
+ {{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
+ {{- else }}
+ {{- $password = randAlphaNum $passwordLength }}
+ {{- end }}
+{{- end -}}
+{{- if not .skipB64enc }}
+{{- $password = $password | b64enc }}
+{{- end -}}
+{{- if .skipQuote -}}
+{{- printf "%s" $password -}}
+{{- else -}}
+{{- printf "%s" $password | quote -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Reuses the value from an existing secret, otherwise sets its value to a default value.
+
+Usage:
+{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - key - String - Required - Name of the key in the secret.
+ - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
+ - context - Context - Required - Parent context.
+
+*/}}
+{{- define "common.secrets.lookup" -}}
+{{- $value := "" -}}
+{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}}
+{{- if and $secretData (hasKey $secretData .key) -}}
+ {{- $value = index $secretData .key -}}
+{{- else if .defaultValue -}}
+ {{- $value = .defaultValue | toString | b64enc -}}
+{{- end -}}
+{{- if $value -}}
+{{- printf "%s" $value -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns whether a previous generated secret already exists
+
+Usage:
+{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - context - Context - Required - Parent context.
+*/}}
+{{- define "common.secrets.exists" -}}
+{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }}
+{{- if $secret }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/_storage.tpl b/charts/openproject/charts/common/templates/_storage.tpl
new file mode 100644
index 0000000..16405a0
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_storage.tpl
@@ -0,0 +1,28 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper Storage Class
+{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
+*/}}
+{{- define "common.storage.class" -}}
+
+{{- $storageClass := .persistence.storageClass -}}
+{{- if .global -}}
+ {{- if .global.storageClass -}}
+ {{- $storageClass = .global.storageClass -}}
+ {{- end -}}
+{{- end -}}
+
+{{- if $storageClass -}}
+ {{- if (eq "-" $storageClass) -}}
+ {{- printf "storageClassName: \"\"" -}}
+ {{- else }}
+ {{- printf "storageClassName: %s" $storageClass -}}
+ {{- end -}}
+{{- end -}}
+
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/_tplvalues.tpl b/charts/openproject/charts/common/templates/_tplvalues.tpl
new file mode 100644
index 0000000..a8ed763
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_tplvalues.tpl
@@ -0,0 +1,38 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template perhaps with scope if the scope is present.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }}
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
+{{- if contains "{{" (toJson .value) }}
+ {{- if .scope }}
+ {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
+ {{- else }}
+ {{- tpl $value .context }}
+ {{- end }}
+{{- else }}
+ {{- $value }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Merge a list of values that contains template after rendering them.
+Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge
+Usage:
+{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }}
+*/}}
+{{- define "common.tplvalues.merge" -}}
+{{- $dst := dict -}}
+{{- range .values -}}
+{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}}
+{{- end -}}
+{{ $dst | toYaml }}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/_utils.tpl b/charts/openproject/charts/common/templates/_utils.tpl
new file mode 100644
index 0000000..bfbddf0
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_utils.tpl
@@ -0,0 +1,77 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Print instructions to get a secret value.
+Usage:
+{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }}
+*/}}
+{{- define "common.utils.secret.getvalue" -}}
+{{- $varname := include "common.utils.fieldToEnvVar" . -}}
+export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d)
+{{- end -}}
+
+{{/*
+Build env var name given a field
+Usage:
+{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }}
+*/}}
+{{- define "common.utils.fieldToEnvVar" -}}
+ {{- $fieldNameSplit := splitList "-" .field -}}
+ {{- $upperCaseFieldNameSplit := list -}}
+
+ {{- range $fieldNameSplit -}}
+ {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}}
+ {{- end -}}
+
+ {{ join "_" $upperCaseFieldNameSplit }}
+{{- end -}}
+
+{{/*
+Gets a value from .Values given
+Usage:
+{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }}
+*/}}
+{{- define "common.utils.getValueFromKey" -}}
+{{- $splitKey := splitList "." .key -}}
+{{- $value := "" -}}
+{{- $latestObj := $.context.Values -}}
+{{- range $splitKey -}}
+ {{- if not $latestObj -}}
+ {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}}
+ {{- end -}}
+ {{- $value = ( index $latestObj . ) -}}
+ {{- $latestObj = $value -}}
+{{- end -}}
+{{- printf "%v" (default "" $value) -}}
+{{- end -}}
+
+{{/*
+Returns first .Values key with a defined value or first of the list if all non-defined
+Usage:
+{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }}
+*/}}
+{{- define "common.utils.getKeyFromList" -}}
+{{- $key := first .keys -}}
+{{- $reverseKeys := reverse .keys }}
+{{- range $reverseKeys }}
+ {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }}
+ {{- if $value -}}
+ {{- $key = . }}
+ {{- end -}}
+{{- end -}}
+{{- printf "%s" $key -}}
+{{- end -}}
+
+{{/*
+Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376).
+Usage:
+{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }}
+*/}}
+{{- define "common.utils.checksumTemplate" -}}
+{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}}
+{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/_warnings.tpl b/charts/openproject/charts/common/templates/_warnings.tpl
new file mode 100644
index 0000000..0f763cd
--- /dev/null
+++ b/charts/openproject/charts/common/templates/_warnings.tpl
@@ -0,0 +1,82 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Warning about using rolling tag.
+Usage:
+{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
+*/}}
+{{- define "common.warnings.rollingTag" -}}
+
+{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
+WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
++info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers
+{{- end }}
+{{- end -}}
+
+{{/*
+Warning about not setting the resource object in all deployments.
+Usage:
+{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }}
+Example:
+{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }}
+The list in the example assumes that the following values exist:
+ - csiProvider.provider.resources
+ - server.resources
+ - volumePermissions.resources
+ - resources
+*/}}
+{{- define "common.warnings.resources" -}}
+{{- $values := .context.Values -}}
+{{- $printMessage := false -}}
+{{ $affectedSections := list -}}
+{{- range .sections -}}
+ {{- if eq . "" -}}
+ {{/* Case where the resources section is at the root (one main deployment in the chart) */}}
+ {{- if not (index $values "resources") -}}
+ {{- $affectedSections = append $affectedSections "resources" -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else -}}
+ {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}}
+ {{- $keys := split "." . -}}
+ {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}}
+ {{- $section := $values -}}
+ {{- range $keys -}}
+ {{- $section = index $section . -}}
+ {{- end -}}
+ {{- if not (index $section "resources") -}}
+ {{/* If the section has enabled=false or replicaCount=0, do not include it */}}
+ {{- if and (hasKey $section "enabled") -}}
+ {{- if index $section "enabled" -}}
+ {{/* enabled=true */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else if and (hasKey $section "replicaCount") -}}
+ {{/* We need a casting to int because number 0 is not treated as an int by default */}}
+ {{- if (gt (index $section "replicaCount" | int) 0) -}}
+ {{/* replicaCount > 0 */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else -}}
+ {{/* Default case, add it to the affected sections */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- if $printMessage }}
+
+WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs:
+{{- range $affectedSections }}
+ - {{ . }}
+{{- end }}
++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/validations/_cassandra.tpl b/charts/openproject/charts/common/templates/validations/_cassandra.tpl
new file mode 100644
index 0000000..eda9aad
--- /dev/null
+++ b/charts/openproject/charts/common/templates/validations/_cassandra.tpl
@@ -0,0 +1,77 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate Cassandra required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.cassandra.passwords" -}}
+ {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
+ {{- $enabled := include "common.cassandra.values.enabled" . -}}
+ {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
+ {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.cassandra.values.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.cassandra.values.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.cassandra.dbUser.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.dbUser.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled cassandra.
+
+Usage:
+{{ include "common.cassandra.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.cassandra.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.cassandra.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key dbUser
+
+Usage:
+{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.cassandra.values.key.dbUser" -}}
+ {{- if .subchart -}}
+ cassandra.dbUser
+ {{- else -}}
+ dbUser
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/validations/_mariadb.tpl b/charts/openproject/charts/common/templates/validations/_mariadb.tpl
new file mode 100644
index 0000000..17d83a2
--- /dev/null
+++ b/charts/openproject/charts/common/templates/validations/_mariadb.tpl
@@ -0,0 +1,108 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MariaDB required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret"
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mariadb.passwords" -}}
+ {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mariadb.values.enabled" . -}}
+ {{- $architecture := include "common.mariadb.values.architecture" . -}}
+ {{- $authPrefix := include "common.mariadb.values.key.auth" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- if not (empty $valueUsername) -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replication") -}}
+ {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mariadb.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mariadb.
+
+Usage:
+{{ include "common.mariadb.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mariadb.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mariadb.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mariadb.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.key.auth" -}}
+ {{- if .subchart -}}
+ mariadb.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/validations/_mongodb.tpl b/charts/openproject/charts/common/templates/validations/_mongodb.tpl
new file mode 100644
index 0000000..bbb445b
--- /dev/null
+++ b/charts/openproject/charts/common/templates/validations/_mongodb.tpl
@@ -0,0 +1,113 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MongoDB® required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret"
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mongodb.passwords" -}}
+ {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mongodb.values.enabled" . -}}
+ {{- $authPrefix := include "common.mongodb.values.key.auth" . -}}
+ {{- $architecture := include "common.mongodb.values.architecture" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}}
+ {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}}
+
+ {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }}
+ {{- if and $valueUsername $valueDatabase -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replicaset") -}}
+ {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mongodb.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mongodb.
+
+Usage:
+{{ include "common.mongodb.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mongodb.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mongodb.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.key.auth" -}}
+ {{- if .subchart -}}
+ mongodb.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mongodb.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/validations/_mysql.tpl b/charts/openproject/charts/common/templates/validations/_mysql.tpl
new file mode 100644
index 0000000..ca3953f
--- /dev/null
+++ b/charts/openproject/charts/common/templates/validations/_mysql.tpl
@@ -0,0 +1,108 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MySQL required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret"
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mysql.passwords" -}}
+ {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mysql.values.enabled" . -}}
+ {{- $architecture := include "common.mysql.values.architecture" . -}}
+ {{- $authPrefix := include "common.mysql.values.key.auth" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- if not (empty $valueUsername) -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replication") -}}
+ {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mysql.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mysql.
+
+Usage:
+{{ include "common.mysql.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mysql.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mysql.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mysql.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.key.auth" -}}
+ {{- if .subchart -}}
+ mysql.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/validations/_postgresql.tpl b/charts/openproject/charts/common/templates/validations/_postgresql.tpl
new file mode 100644
index 0000000..8c9aa57
--- /dev/null
+++ b/charts/openproject/charts/common/templates/validations/_postgresql.tpl
@@ -0,0 +1,134 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate PostgreSQL required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret"
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.postgresql.passwords" -}}
+ {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
+ {{- $enabled := include "common.postgresql.values.enabled" . -}}
+ {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
+ {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+ {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
+
+ {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
+ {{- if (eq $enabledReplication "true") -}}
+ {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to decide whether evaluate global values.
+
+Usage:
+{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
+Params:
+ - key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
+*/}}
+{{- define "common.postgresql.values.use.global" -}}
+ {{- if .context.Values.global -}}
+ {{- if .context.Values.global.postgresql -}}
+ {{- index .context.Values.global.postgresql .key | quote -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
+*/}}
+{{- define "common.postgresql.values.existingSecret" -}}
+ {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
+
+ {{- if .subchart -}}
+ {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
+ {{- else -}}
+ {{- default (.context.Values.existingSecret | quote) $globalValue -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled postgresql.
+
+Usage:
+{{ include "common.postgresql.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.postgresql.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.postgresql.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key postgressPassword.
+
+Usage:
+{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.key.postgressPassword" -}}
+ {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
+
+ {{- if not $globalValue -}}
+ {{- if .subchart -}}
+ postgresql.postgresqlPassword
+ {{- else -}}
+ postgresqlPassword
+ {{- end -}}
+ {{- else -}}
+ global.postgresql.postgresqlPassword
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled.replication.
+
+Usage:
+{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.enabled.replication" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.postgresql.replication.enabled -}}
+ {{- else -}}
+ {{- printf "%v" .context.Values.replication.enabled -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key replication.password.
+
+Usage:
+{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.key.replicationPassword" -}}
+ {{- if .subchart -}}
+ postgresql.replication.password
+ {{- else -}}
+ replication.password
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/validations/_redis.tpl b/charts/openproject/charts/common/templates/validations/_redis.tpl
new file mode 100644
index 0000000..fc0d208
--- /dev/null
+++ b/charts/openproject/charts/common/templates/validations/_redis.tpl
@@ -0,0 +1,81 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate Redis® required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret"
+ - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.redis.passwords" -}}
+ {{- $enabled := include "common.redis.values.enabled" . -}}
+ {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}}
+ {{- $standarizedVersion := include "common.redis.values.standarized.version" . }}
+
+ {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }}
+ {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }}
+
+ {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }}
+ {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}}
+ {{- if eq $useAuth "true" -}}
+ {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled redis.
+
+Usage:
+{{ include "common.redis.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.redis.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.redis.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right prefix path for the values
+
+Usage:
+{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
+*/}}
+{{- define "common.redis.values.keys.prefix" -}}
+ {{- if .subchart -}}redis.{{- else -}}{{- end -}}
+{{- end -}}
+
+{{/*
+Checks whether the redis chart's includes the standarizations (version >= 14)
+
+Usage:
+{{ include "common.redis.values.standarized.version" (dict "context" $) }}
+*/}}
+{{- define "common.redis.values.standarized.version" -}}
+
+ {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}}
+ {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }}
+
+ {{- if $standarizedAuthValues -}}
+ {{- true -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/templates/validations/_validations.tpl b/charts/openproject/charts/common/templates/validations/_validations.tpl
new file mode 100644
index 0000000..31ceda8
--- /dev/null
+++ b/charts/openproject/charts/common/templates/validations/_validations.tpl
@@ -0,0 +1,51 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate values must not be empty.
+
+Usage:
+{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
+{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
+
+Validate value params:
+ - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
+ - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
+ - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
+*/}}
+{{- define "common.validations.values.multiple.empty" -}}
+ {{- range .required -}}
+ {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Validate a value must not be empty.
+
+Usage:
+{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }}
+
+Validate value params:
+ - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
+ - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
+ - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
+ - subchart - String - Optional - Name of the subchart that the validated password is part of.
+*/}}
+{{- define "common.validations.values.single.empty" -}}
+ {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }}
+ {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }}
+
+ {{- if not $value -}}
+ {{- $varname := "my-value" -}}
+ {{- $getCurrentValue := "" -}}
+ {{- if and .secret .field -}}
+ {{- $varname = include "common.utils.fieldToEnvVar" . -}}
+ {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}}
+ {{- end -}}
+ {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/common/values.yaml b/charts/openproject/charts/common/values.yaml
new file mode 100644
index 0000000..9abe0e1
--- /dev/null
+++ b/charts/openproject/charts/common/values.yaml
@@ -0,0 +1,8 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
+## bitnami/common
+## It is required by CI/CD tools and processes.
+## @skip exampleValue
+##
+exampleValue: common-chart
diff --git a/charts/openproject/charts/memcached/.helmignore b/charts/openproject/charts/memcached/.helmignore
new file mode 100644
index 0000000..fb56657
--- /dev/null
+++ b/charts/openproject/charts/memcached/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# img folder
+img/
diff --git a/charts/openproject/charts/memcached/Chart.lock b/charts/openproject/charts/memcached/Chart.lock
new file mode 100644
index 0000000..80a5f12
--- /dev/null
+++ b/charts/openproject/charts/memcached/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+ repository: oci://registry-1.docker.io/bitnamicharts
+ version: 2.18.0
+digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
+generated: "2024-03-05T14:45:44.308851503+01:00"
diff --git a/charts/openproject/charts/memcached/Chart.yaml b/charts/openproject/charts/memcached/Chart.yaml
new file mode 100644
index 0000000..6872261
--- /dev/null
+++ b/charts/openproject/charts/memcached/Chart.yaml
@@ -0,0 +1,33 @@
+annotations:
+ category: Infrastructure
+ images: |
+ - name: memcached
+ image: docker.io/bitnami/memcached:1.6.24-debian-12-r0
+ - name: memcached-exporter
+ image: docker.io/bitnami/memcached-exporter:0.14.2-debian-12-r10
+ - name: os-shell
+ image: docker.io/bitnami/os-shell:12-debian-12-r16
+ licenses: Apache-2.0
+apiVersion: v2
+appVersion: 1.6.24
+dependencies:
+- name: common
+ repository: oci://registry-1.docker.io/bitnamicharts
+ tags:
+ - bitnami-common
+ version: 2.x.x
+description: Memcached is an high-performance, distributed memory object caching system,
+ generic in nature, but intended for use in speeding up dynamic web applications
+ by alleviating database load.
+home: https://bitnami.com
+icon: https://bitnami.com/assets/stacks/memcached/img/memcached-stack-220x234.png
+keywords:
+- memcached
+- cache
+maintainers:
+- name: VMware, Inc.
+ url: https://github.com/bitnami/charts
+name: memcached
+sources:
+- https://github.com/bitnami/charts/tree/main/bitnami/memcached
+version: 6.14.0
diff --git a/charts/openproject/charts/memcached/README.md b/charts/openproject/charts/memcached/README.md
new file mode 100644
index 0000000..a8ed875
--- /dev/null
+++ b/charts/openproject/charts/memcached/README.md
@@ -0,0 +1,452 @@
+<!--- app-name: Memcached -->
+
+# Bitnami package for Memcached
+
+Memcached is an high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.
+
+[Overview of Memcached](http://memcached.org)
+
+Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
+
+## TL;DR
+
+```console
+helm install my-release oci://registry-1.docker.io/bitnamicharts/memcached
+```
+
+Looking to use Memcached in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
+
+## Introduction
+
+This chart bootstraps a [Memcached](https://github.com/bitnami/containers/tree/main/bitnami/memcached) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
+
+## Prerequisites
+
+- Kubernetes 1.23+
+- Helm 3.8.0+
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```console
+helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/memcached
+```
+
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+
+These commands deploy Memcached on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
+
+> **Tip**: List all releases using `helm list`
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```console
+helm delete my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Parameters
+
+### Global parameters
+
+| Name | Description | Value |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
+| `global.imageRegistry` | Global Docker image registry | `""` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
+| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
+
+### Common parameters
+
+| Name | Description | Value |
+| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- |
+| `kubeVersion` | Override Kubernetes version | `""` |
+| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` |
+| `fullnameOverride` | String to fully override common.names.fullname template | `""` |
+| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` |
+| `extraDeploy` | Extra objects to deploy (evaluated as a template) | `[]` |
+| `commonLabels` | Add labels to all the deployed resources | `{}` |
+| `commonAnnotations` | Add annotations to all the deployed resources | `{}` |
+| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
+| `diagnosticMode.command` | Command to override all containers in the deployment/statefulset | `["sleep"]` |
+| `diagnosticMode.args` | Args to override all containers in the deployment/statefulset | `["infinity"]` |
+
+### Memcached parameters
+
+| Name | Description | Value |
+| ----------------------------- | --------------------------------------------------------------------------------------------------------- | --------------------------- |
+| `image.registry` | Memcached image registry | `REGISTRY_NAME` |
+| `image.repository` | Memcached image repository | `REPOSITORY_NAME/memcached` |
+| `image.digest` | Memcached image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `image.pullPolicy` | Memcached image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
+| `image.debug` | Specify if debug values should be set | `false` |
+| `architecture` | Memcached architecture. Allowed values: standalone or high-availability | `standalone` |
+| `auth.enabled` | Enable Memcached authentication | `false` |
+| `auth.username` | Memcached admin user | `""` |
+| `auth.password` | Memcached admin password | `""` |
+| `auth.existingPasswordSecret` | Existing secret with Memcached credentials (must contain a value for `memcached-password` key) | `""` |
+| `command` | Override default container command (useful when using custom images) | `[]` |
+| `args` | Override default container args (useful when using custom images) | `[]` |
+| `extraEnvVars` | Array with extra environment variables to add to Memcached nodes | `[]` |
+| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Memcached nodes | `""` |
+| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Memcached nodes | `""` |
+
+### Deployment/Statefulset parameters
+
+| Name | Description | Value |
+| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
+| `replicaCount` | Number of Memcached nodes | `1` |
+| `containerPorts.memcached` | Memcached container port | `11211` |
+| `livenessProbe.enabled` | Enable livenessProbe on Memcached containers | `true` |
+| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
+| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `readinessProbe.enabled` | Enable readinessProbe on Memcached containers | `true` |
+| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
+| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
+| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `startupProbe.enabled` | Enable startupProbe on Memcached containers | `false` |
+| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
+| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
+| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
+| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `lifecycleHooks` | for the Memcached container(s) to automate configuration before or after startup | `{}` |
+| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` |
+| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `podSecurityContext.enabled` | Enabled Memcached pods' Security Context | `true` |
+| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `podSecurityContext.fsGroup` | Set Memcached pod's Security Context fsGroup | `1001` |
+| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
+| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `automountServiceAccountToken` | Mount Service Account token in pod | `false` |
+| `hostAliases` | Add deployment host aliases | `[]` |
+| `podLabels` | Extra labels for Memcached pods | `{}` |
+| `podAnnotations` | Annotations for Memcached pods | `{}` |
+| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` |
+| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
+| `affinity` | Affinity for pod assignment | `{}` |
+| `nodeSelector` | Node labels for pod assignment | `{}` |
+| `tolerations` | Tolerations for pod assignment | `[]` |
+| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
+| `podManagementPolicy` | StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: `OrderedReady` and `Parallel` | `Parallel` |
+| `priorityClassName` | Name of the existing priority class to be used by Memcached pods, priority class needs to be created beforehand | `""` |
+| `schedulerName` | Kubernetes pod scheduler registry | `""` |
+| `terminationGracePeriodSeconds` | In seconds, time the given to the memcached pod needs to terminate gracefully | `""` |
+| `updateStrategy.type` | Memcached statefulset strategy type | `RollingUpdate` |
+| `updateStrategy.rollingUpdate` | Memcached statefulset rolling update configuration parameters | `{}` |
+| `extraVolumes` | Optionally specify extra list of additional volumes for the Memcached pod(s) | `[]` |
+| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Memcached container(s) | `[]` |
+| `sidecars` | Add additional sidecar containers to the Memcached pod(s) | `[]` |
+| `initContainers` | Add additional init containers to the Memcached pod(s) | `[]` |
+| `autoscaling.enabled` | Enable memcached statefulset autoscaling (requires architecture: "high-availability") | `false` |
+| `autoscaling.minReplicas` | memcached statefulset autoscaling minimum number of replicas | `3` |
+| `autoscaling.maxReplicas` | memcached statefulset autoscaling maximum number of replicas | `6` |
+| `autoscaling.targetCPU` | memcached statefulset autoscaling target CPU percentage | `50` |
+| `autoscaling.targetMemory` | memcached statefulset autoscaling target CPU memory | `50` |
+| `pdb.create` | Deploy a pdb object for the Memcached pod | `false` |
+| `pdb.minAvailable` | Minimum available Memcached replicas | `""` |
+| `pdb.maxUnavailable` | Maximum unavailable Memcached replicas | `1` |
+
+### Traffic Exposure parameters
+
+| Name | Description | Value |
+| --------------------------------------- | --------------------------------------------------------------------------------------- | ----------- |
+| `service.type` | Kubernetes Service type | `ClusterIP` |
+| `service.ports.memcached` | Memcached service port | `11211` |
+| `service.nodePorts.memcached` | Node port for Memcached | `""` |
+| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `""` |
+| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `service.clusterIP` | Memcached service Cluster IP | `""` |
+| `service.loadBalancerIP` | Memcached service Load Balancer IP | `""` |
+| `service.loadBalancerSourceRanges` | Memcached service Load Balancer sources | `[]` |
+| `service.externalTrafficPolicy` | Memcached service external traffic policy | `Cluster` |
+| `service.annotations` | Additional custom annotations for Memcached service | `{}` |
+| `service.extraPorts` | Extra ports to expose in the Memcached service (normally used with the `sidecar` value) | `[]` |
+| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
+| `networkPolicy.allowExternal` | The Policy model to apply | `true` |
+| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+
+### Other Parameters
+
+| Name | Description | Value |
+| --------------------------------------------- | ---------------------------------------------------------------------- | ------- |
+| `serviceAccount.create` | Enable creation of ServiceAccount for Memcached pod | `true` |
+| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
+| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
+| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
+
+### Persistence parameters
+
+| Name | Description | Value |
+| -------------------------- | ------------------------------------------------------------------------ | ------------------- |
+| `persistence.enabled` | Enable Memcached data persistence using PVC. If false, use emptyDir | `false` |
+| `persistence.storageClass` | PVC Storage Class for Memcached data volume | `""` |
+| `persistence.accessModes` | PVC Access modes | `["ReadWriteOnce"]` |
+| `persistence.size` | PVC Storage Request for Memcached data volume | `8Gi` |
+| `persistence.annotations` | Annotations for the PVC | `{}` |
+| `persistence.labels` | Labels for the PVC | `{}` |
+| `persistence.selector` | Selector to match an existing Persistent Volume for Memcached's data PVC | `{}` |
+
+### Volume Permissions parameters
+
+| Name | Description | Value |
+| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ |
+| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` |
+| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` |
+| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` |
+| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
+| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
+| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
+| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` |
+| `metrics.enabled` | Start a side-car prometheus exporter | `false` |
+| `metrics.image.registry` | Memcached exporter image registry | `REGISTRY_NAME` |
+| `metrics.image.repository` | Memcached exporter image repository | `REPOSITORY_NAME/memcached-exporter` |
+| `metrics.image.digest` | Memcached exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
+| `metrics.containerPorts.metrics` | Memcached Prometheus Exporter container port | `9150` |
+| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
+| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
+| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
+| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `metrics.livenessProbe.enabled` | Enable livenessProbe on Memcached Prometheus exporter containers | `true` |
+| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` |
+| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
+| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `metrics.readinessProbe.enabled` | Enable readinessProbe on Memcached Prometheus exporter containers | `true` |
+| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
+| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
+| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
+| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `metrics.startupProbe.enabled` | Enable startupProbe on Memcached Prometheus exporter containers | `false` |
+| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
+| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
+| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
+| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `metrics.podAnnotations` | Memcached Prometheus exporter pod Annotation and Labels | `{}` |
+| `metrics.service.ports.metrics` | Prometheus metrics service port | `9150` |
+| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` |
+| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
+| `metrics.service.annotations` | Annotations for the Prometheus metrics service | `{}` |
+| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` |
+| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` |
+| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` |
+| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
+| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` |
+| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
+| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` |
+| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` |
+| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
+| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
+
+The above parameters map to the environment variables defined in the [bitnami/memcached](https://github.com/bitnami/containers/tree/main/bitnami/memcached) container image. For more information please refer to the [bitnami/memcached](https://github.com/bitnami/containers/tree/main/bitnami/memcached) container image documentation.
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```console
+helm install my-release --set auth.username=user,auth.password=password oci://REGISTRY_NAME/REPOSITORY_NAME/memcached
+```
+
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+
+The above command sets the Memcached admin account username and password to `user` and `password` respectively.
+
+> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```console
+helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/memcached
+```
+
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/memcached/values.yaml)
+
+## Configuration and installation details
+
+### Resource requests and limits
+
+Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
+
+To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+
+### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
+
+It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
+
+Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
+
+### Use Sidecars and Init Containers
+
+If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter.
+
+```yaml
+sidecars:
+- name: your-image-name
+ image: your-image
+ imagePullPolicy: Always
+ ports:
+ - name: portname
+ containerPort: 1234
+```
+
+If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below:
+
+```yaml
+service:
+ extraPorts:
+ - name: extraPort
+ port: 11311
+ targetPort: 11311
+```
+
+> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers.
+
+If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example:
+
+```yaml
+initContainers:
+ - name: your-image-name
+ image: your-image
+ imagePullPolicy: Always
+ ports:
+ - name: portname
+ containerPort: 1234
+```
+
+Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/).
+
+### Set Pod affinity
+
+This chart allows you to set your custom affinity using the `affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
+
+As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters.
+
+## Persistence
+
+When using `architecture: "high-availability"` the [Bitnami Memcached](https://github.com/bitnami/containers/tree/main/bitnami/memcached) image stores the cache-state at the `/cache-state` path of the container if enabled.
+
+Persistent Volume Claims (PVCs) are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
+
+See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
+
+If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/).
+
+## Troubleshooting
+
+Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
+
+## Upgrading
+
+### To 6.0.0
+
+This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository.
+
+Some affected values are:
+
+- `memcachedUsername` and `memcachedPassword` have regrouped under the `auth` map.
+- `arguments` has been renamed to `args`.
+- `extraEnv` has been renamed to `extraEnvVars`.
+- `service.port`, `service.internalPort` and `service.externalPort` have been regrouped under the `service.ports` map.
+- `metrics.kafka.service.port` has been regrouped under the `metrics.kafka.service.ports` map.
+- `metrics.jmx.service.port` has been regrouped under the `metrics.jmx.service.ports` map.
+- `updateStrategy` (string) and `rollingUpdatePartition` are regrouped under the `updateStrategy` map.
+
+### To 5.3.0
+
+This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/main/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade.
+
+### To 5.0.0
+
+[On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
+
+### To 4.0.0
+
+Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
+Use the workaround below to upgrade from versions previous to 4.0.0. The following example assumes that the release name is memcached:
+
+```console
+kubectl delete deployment memcached --cascade=false
+helm upgrade memcached oci://REGISTRY_NAME/REPOSITORY_NAME/memcached
+```
+
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+
+### To 3.0.0
+
+This release uses the new bash based `bitnami/memcached` container which uses bash scripts for the start up logic of the container and is smaller in size.
+
+### To 1.0.0
+
+Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
+Use the workaround below to upgrade from versions previous to 1.0.0. The following example assumes that the release name is memcached:
+
+```console
+kubectl patch deployment memcached --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]'
+```
+
+## License
+
+Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+<http://www.apache.org/licenses/LICENSE-2.0>
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/charts/openproject/charts/memcached/charts/common/.helmignore b/charts/openproject/charts/memcached/charts/common/.helmignore
new file mode 100644
index 0000000..7c7c21d
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# img folder
+img/
diff --git a/charts/openproject/charts/memcached/charts/common/Chart.yaml b/charts/openproject/charts/memcached/charts/common/Chart.yaml
new file mode 100644
index 0000000..2acf0cd
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/Chart.yaml
@@ -0,0 +1,23 @@
+annotations:
+ category: Infrastructure
+ licenses: Apache-2.0
+apiVersion: v2
+appVersion: 2.18.0
+description: A Library Helm Chart for grouping common logic between bitnami charts.
+ This chart is not deployable by itself.
+home: https://bitnami.com
+icon: https://bitnami.com/downloads/logos/bitnami-mark.png
+keywords:
+- common
+- helper
+- template
+- function
+- bitnami
+maintainers:
+- name: VMware, Inc.
+ url: https://github.com/bitnami/charts
+name: common
+sources:
+- https://github.com/bitnami/charts
+type: library
+version: 2.18.0
diff --git a/charts/openproject/charts/memcached/charts/common/README.md b/charts/openproject/charts/memcached/charts/common/README.md
new file mode 100644
index 0000000..0d01a1e
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/README.md
@@ -0,0 +1,235 @@
+# Bitnami Common Library Chart
+
+A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts.
+
+## TL;DR
+
+```yaml
+dependencies:
+ - name: common
+ version: 2.x.x
+ repository: oci://registry-1.docker.io/bitnamicharts
+```
+
+```console
+helm dependency update
+```
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.names.fullname" . }}
+data:
+ myvalue: "Hello World"
+```
+
+Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
+
+## Introduction
+
+This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
+
+Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
+
+## Prerequisites
+
+- Kubernetes 1.23+
+- Helm 3.8.0+
+
+## Parameters
+
+## Special input schemas
+
+### ImageRoot
+
+```yaml
+registry:
+ type: string
+ description: Docker registry where the image is located
+ example: docker.io
+
+repository:
+ type: string
+ description: Repository and image name
+ example: bitnami/nginx
+
+tag:
+ type: string
+ description: image tag
+ example: 1.16.1-debian-10-r63
+
+pullPolicy:
+ type: string
+ description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+
+pullSecrets:
+ type: array
+ items:
+ type: string
+ description: Optionally specify an array of imagePullSecrets (evaluated as templates).
+
+debug:
+ type: boolean
+ description: Set to true if you would like to see extra information on logs
+ example: false
+
+## An instance would be:
+# registry: docker.io
+# repository: bitnami/nginx
+# tag: 1.16.1-debian-10-r63
+# pullPolicy: IfNotPresent
+# debug: false
+```
+
+### Persistence
+
+```yaml
+enabled:
+ type: boolean
+ description: Whether enable persistence.
+ example: true
+
+storageClass:
+ type: string
+ description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
+ example: "-"
+
+accessMode:
+ type: string
+ description: Access mode for the Persistent Volume Storage.
+ example: ReadWriteOnce
+
+size:
+ type: string
+ description: Size the Persistent Volume Storage.
+ example: 8Gi
+
+path:
+ type: string
+ description: Path to be persisted.
+ example: /bitnami
+
+## An instance would be:
+# enabled: true
+# storageClass: "-"
+# accessMode: ReadWriteOnce
+# size: 8Gi
+# path: /bitnami
+```
+
+### ExistingSecret
+
+```yaml
+name:
+ type: string
+ description: Name of the existing secret.
+ example: mySecret
+keyMapping:
+ description: Mapping between the expected key name and the name of the key in the existing secret.
+ type: object
+
+## An instance would be:
+# name: mySecret
+# keyMapping:
+# password: myPasswordKey
+```
+
+#### Example of use
+
+When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets.
+
+```yaml
+# templates/secret.yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ labels:
+ app: {{ include "common.names.fullname" . }}
+type: Opaque
+data:
+ password: {{ .Values.password | b64enc | quote }}
+
+# templates/dpl.yaml
+---
+...
+ env:
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
+ key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
+...
+
+# values.yaml
+---
+name: mySecret
+keyMapping:
+ password: myPasswordKey
+```
+
+### ValidateValue
+
+#### NOTES.txt
+
+```console
+{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}}
+{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}}
+
+{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
+```
+
+If we force those values to be empty we will see some alerts
+
+```console
+helm install test mychart --set path.to.value00="",path.to.value01=""
+ 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:
+
+ export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d)
+
+ 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value:
+
+ export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d)
+```
+
+## Upgrading
+
+### To 1.0.0
+
+[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
+
+#### What changes were introduced in this major version?
+
+- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
+- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information.
+- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
+
+#### Considerations when upgrading to this version
+
+- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
+- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
+- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
+
+#### Useful links
+
+- <https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/>
+- <https://helm.sh/docs/topics/v2_v3_migration/>
+- <https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/>
+
+## License
+
+Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+<http://www.apache.org/licenses/LICENSE-2.0>
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_affinities.tpl b/charts/openproject/charts/memcached/charts/common/templates/_affinities.tpl
new file mode 100644
index 0000000..e85b1df
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_affinities.tpl
@@ -0,0 +1,139 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a soft nodeAffinity definition
+{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes.soft" -}}
+preferredDuringSchedulingIgnoredDuringExecution:
+ - preference:
+ matchExpressions:
+ - key: {{ .key }}
+ operator: In
+ values:
+ {{- range .values }}
+ - {{ . | quote }}
+ {{- end }}
+ weight: 1
+{{- end -}}
+
+{{/*
+Return a hard nodeAffinity definition
+{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes.hard" -}}
+requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: {{ .key }}
+ operator: In
+ values:
+ {{- range .values }}
+ - {{ . | quote }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return a nodeAffinity definition
+{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes" -}}
+ {{- if eq .type "soft" }}
+ {{- include "common.affinities.nodes.soft" . -}}
+ {{- else if eq .type "hard" }}
+ {{- include "common.affinities.nodes.hard" . -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return a topologyKey definition
+{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}}
+*/}}
+{{- define "common.affinities.topologyKey" -}}
+{{ .topologyKey | default "kubernetes.io/hostname" -}}
+{{- end -}}
+
+{{/*
+Return a soft podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
+*/}}
+{{- define "common.affinities.pods.soft" -}}
+{{- $component := default "" .component -}}
+{{- $customLabels := default (dict) .customLabels -}}
+{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
+preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := $extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ weight: 1
+ {{- range $extraPodAffinityTerms }}
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := .extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ weight: {{ .weight | default 1 -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return a hard podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
+*/}}
+{{- define "common.affinities.pods.hard" -}}
+{{- $component := default "" .component -}}
+{{- $customLabels := default (dict) .customLabels -}}
+{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
+requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := $extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ {{- range $extraPodAffinityTerms }}
+ - labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := .extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return a podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.pods" -}}
+ {{- if eq .type "soft" }}
+ {{- include "common.affinities.pods.soft" . -}}
+ {{- else if eq .type "hard" }}
+ {{- include "common.affinities.pods.hard" . -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_capabilities.tpl b/charts/openproject/charts/memcached/charts/common/templates/_capabilities.tpl
new file mode 100644
index 0000000..115674a
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_capabilities.tpl
@@ -0,0 +1,229 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return the target Kubernetes version
+*/}}
+{{- define "common.capabilities.kubeVersion" -}}
+{{- if .Values.global }}
+ {{- if .Values.global.kubeVersion }}
+ {{- .Values.global.kubeVersion -}}
+ {{- else }}
+ {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+ {{- end -}}
+{{- else }}
+{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for poddisruptionbudget.
+*/}}
+{{- define "common.capabilities.policy.apiVersion" -}}
+{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "policy/v1beta1" -}}
+{{- else -}}
+{{- print "policy/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for networkpolicy.
+*/}}
+{{- define "common.capabilities.networkPolicy.apiVersion" -}}
+{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for cronjob.
+*/}}
+{{- define "common.capabilities.cronjob.apiVersion" -}}
+{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "batch/v1beta1" -}}
+{{- else -}}
+{{- print "batch/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for daemonset.
+*/}}
+{{- define "common.capabilities.daemonset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for deployment.
+*/}}
+{{- define "common.capabilities.deployment.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for statefulset.
+*/}}
+{{- define "common.capabilities.statefulset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apps/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "common.capabilities.ingress.apiVersion" -}}
+{{- if .Values.ingress -}}
+{{- if .Values.ingress.apiVersion -}}
+{{- .Values.ingress.apiVersion -}}
+{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end }}
+{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for RBAC resources.
+*/}}
+{{- define "common.capabilities.rbac.apiVersion" -}}
+{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "rbac.authorization.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "rbac.authorization.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for CRDs.
+*/}}
+{{- define "common.capabilities.crd.apiVersion" -}}
+{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiextensions.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "apiextensions.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for APIService.
+*/}}
+{{- define "common.capabilities.apiService.apiVersion" -}}
+{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiregistration.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "apiregistration.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for Horizontal Pod Autoscaler.
+*/}}
+{{- define "common.capabilities.hpa.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- if .beta2 -}}
+{{- print "autoscaling/v2beta2" -}}
+{{- else -}}
+{{- print "autoscaling/v2beta1" -}}
+{{- end -}}
+{{- else -}}
+{{- print "autoscaling/v2" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for Vertical Pod Autoscaler.
+*/}}
+{{- define "common.capabilities.vpa.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- if .beta2 -}}
+{{- print "autoscaling/v2beta2" -}}
+{{- else -}}
+{{- print "autoscaling/v2beta1" -}}
+{{- end -}}
+{{- else -}}
+{{- print "autoscaling/v2" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if PodSecurityPolicy is supported
+*/}}
+{{- define "common.capabilities.psp.supported" -}}
+{{- if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if AdmissionConfiguration is supported
+*/}}
+{{- define "common.capabilities.admissionConfiguration.supported" -}}
+{{- if semverCompare ">=1.23-0" (include "common.capabilities.kubeVersion" .) -}}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for AdmissionConfiguration.
+*/}}
+{{- define "common.capabilities.admissionConfiguration.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiserver.config.k8s.io/v1alpha1" -}}
+{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiserver.config.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "apiserver.config.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for PodSecurityConfiguration.
+*/}}
+{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}}
+{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "pod-security.admission.config.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "pod-security.admission.config.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if the used Helm version is 3.3+.
+A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure.
+This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error.
+**To be removed when the catalog's minimun Helm version is 3.3**
+*/}}
+{{- define "common.capabilities.supportsHelmVersion" -}}
+{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_compatibility.tpl b/charts/openproject/charts/memcached/charts/common/templates/_compatibility.tpl
new file mode 100644
index 0000000..c529f08
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_compatibility.tpl
@@ -0,0 +1,35 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_errors.tpl b/charts/openproject/charts/memcached/charts/common/templates/_errors.tpl
new file mode 100644
index 0000000..07ded6f
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_errors.tpl
@@ -0,0 +1,28 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Through error when upgrading using empty passwords values that must not be empty.
+
+Usage:
+{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
+{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
+
+Required password params:
+ - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
+ - context - Context - Required. Parent context.
+*/}}
+{{- define "common.errors.upgrade.passwords.empty" -}}
+ {{- $validationErrors := join "" .validationErrors -}}
+ {{- if and $validationErrors .context.Release.IsUpgrade -}}
+ {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
+ {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
+ {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
+ {{- $errorString = print $errorString "\n%s" -}}
+ {{- printf $errorString $validationErrors | fail -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_images.tpl b/charts/openproject/charts/memcached/charts/common/templates/_images.tpl
new file mode 100644
index 0000000..1bcb779
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_images.tpl
@@ -0,0 +1,117 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper image name
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }}
+*/}}
+{{- define "common.images.image" -}}
+{{- $registryName := .imageRoot.registry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .imageRoot.tag | toString -}}
+{{- if .global }}
+ {{- if .global.imageRegistry }}
+ {{- $registryName = .global.imageRegistry -}}
+ {{- end -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+ {{- $separator = "@" -}}
+ {{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- if $registryName }}
+ {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- else -}}
+ {{- printf "%s%s%s" $repositoryName $separator $termination -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead)
+{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
+*/}}
+{{- define "common.images.pullSecrets" -}}
+ {{- $pullSecrets := list }}
+
+ {{- if .global }}
+ {{- range .global.imagePullSecrets -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets .name -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end }}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .pullSecrets -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets .name -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets | uniq }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names evaluating values as templates
+{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }}
+*/}}
+{{- define "common.images.renderPullSecrets" -}}
+ {{- $pullSecrets := list }}
+ {{- $context := .context }}
+
+ {{- if $context.Values.global }}
+ {{- range $context.Values.global.imagePullSecrets -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .pullSecrets -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets | uniq }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion)
+{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }}
+*/}}
+{{- define "common.images.version" -}}
+{{- $imageTag := .imageRoot.tag | toString -}}
+{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}}
+{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}}
+ {{- $version := semver $imageTag -}}
+ {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}}
+{{- else -}}
+ {{- print .chart.AppVersion -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_ingress.tpl b/charts/openproject/charts/memcached/charts/common/templates/_ingress.tpl
new file mode 100644
index 0000000..efa5b85
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_ingress.tpl
@@ -0,0 +1,73 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Generate backend entry that is compatible with all Kubernetes API versions.
+
+Usage:
+{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}
+
+Params:
+ - serviceName - String. Name of an existing service backend
+ - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer.
+ - context - Dict - Required. The context for the template evaluation.
+*/}}
+{{- define "common.ingress.backend" -}}
+{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
+{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
+serviceName: {{ .serviceName }}
+servicePort: {{ .servicePort }}
+{{- else -}}
+service:
+ name: {{ .serviceName }}
+ port:
+ {{- if typeIs "string" .servicePort }}
+ name: {{ .servicePort }}
+ {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }}
+ number: {{ .servicePort | int }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Print "true" if the API pathType field is supported
+Usage:
+{{ include "common.ingress.supportsPathType" . }}
+*/}}
+{{- define "common.ingress.supportsPathType" -}}
+{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if the ingressClassname field is supported
+Usage:
+{{ include "common.ingress.supportsIngressClassname" . }}
+*/}}
+{{- define "common.ingress.supportsIngressClassname" -}}
+{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if cert-manager required annotations for TLS signed
+certificates are set in the Ingress annotations
+Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+Usage:
+{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }}
+*/}}
+{{- define "common.ingress.certManagerRequest" -}}
+{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_labels.tpl b/charts/openproject/charts/memcached/charts/common/templates/_labels.tpl
new file mode 100644
index 0000000..d90a6cd
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_labels.tpl
@@ -0,0 +1,46 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Kubernetes standard labels
+{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}}
+*/}}
+{{- define "common.labels.standard" -}}
+{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
+{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}}
+{{- with .context.Chart.AppVersion -}}
+{{- $_ := set $default "app.kubernetes.io/version" . -}}
+{{- end -}}
+{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }}
+{{- else -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+helm.sh/chart: {{ include "common.names.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Chart.AppVersion }}
+app.kubernetes.io/version: {{ . | quote }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector
+{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}}
+
+We don't want to loop over custom labels appending them to the selector
+since it's very likely that it will break deployments, services, etc.
+However, it's important to overwrite the standard labels if the user
+overwrote them on metadata.labels fields.
+*/}}
+{{- define "common.labels.matchLabels" -}}
+{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
+{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }}
+{{- else -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_names.tpl b/charts/openproject/charts/memcached/charts/common/templates/_names.tpl
new file mode 100644
index 0000000..a222924
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_names.tpl
@@ -0,0 +1,71 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "common.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "common.names.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "common.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified dependency name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+Usage:
+{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }}
+*/}}
+{{- define "common.names.dependency.fullname" -}}
+{{- if .chartValues.fullnameOverride -}}
+{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .chartName .chartValues.nameOverride -}}
+{{- if contains $name .context.Release.Name -}}
+{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
+*/}}
+{{- define "common.names.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified app name adding the installation's namespace.
+*/}}
+{{- define "common.names.fullname.namespace" -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_resources.tpl b/charts/openproject/charts/memcached/charts/common/templates/_resources.tpl
new file mode 100644
index 0000000..d90f875
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_resources.tpl
@@ -0,0 +1,50 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a resource request/limit object based on a given preset.
+These presets are for basic testing and not meant to be used in production
+{{ include "common.resources.preset" (dict "type" "nano") -}}
+*/}}
+{{- define "common.resources.preset" -}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
+{{- $presets := dict
+ "nano" (dict
+ "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
+ )
+ "micro" (dict
+ "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
+ )
+ "small" (dict
+ "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
+ )
+ "medium" (dict
+ "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
+ )
+ "large" (dict
+ "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
+ )
+ "xlarge" (dict
+ "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
+ )
+ "2xlarge" (dict
+ "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
+ )
+ }}
+{{- if hasKey $presets .type -}}
+{{- index $presets .type | toYaml -}}
+{{- else -}}
+{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_secrets.tpl b/charts/openproject/charts/memcached/charts/common/templates/_secrets.tpl
new file mode 100644
index 0000000..84dbe38
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_secrets.tpl
@@ -0,0 +1,182 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Generate secret name.
+
+Usage:
+{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
+
+Params:
+ - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
+ to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+ +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
+ - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
+ - context - Dict - Required. The context for the template evaluation.
+*/}}
+{{- define "common.secrets.name" -}}
+{{- $name := (include "common.names.fullname" .context) -}}
+
+{{- if .defaultNameSuffix -}}
+{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- with .existingSecret -}}
+{{- if not (typeIs "string" .) -}}
+{{- with .name -}}
+{{- $name = . -}}
+{{- end -}}
+{{- else -}}
+{{- $name = . -}}
+{{- end -}}
+{{- end -}}
+
+{{- printf "%s" $name -}}
+{{- end -}}
+
+{{/*
+Generate secret key.
+
+Usage:
+{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
+
+Params:
+ - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
+ to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+ +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
+ - key - String - Required. Name of the key in the secret.
+*/}}
+{{- define "common.secrets.key" -}}
+{{- $key := .key -}}
+
+{{- if .existingSecret -}}
+ {{- if not (typeIs "string" .existingSecret) -}}
+ {{- if .existingSecret.keyMapping -}}
+ {{- $key = index .existingSecret.keyMapping $.key -}}
+ {{- end -}}
+ {{- end }}
+{{- end -}}
+
+{{- printf "%s" $key -}}
+{{- end -}}
+
+{{/*
+Generate secret password or retrieve one if already created.
+
+Usage:
+{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - key - String - Required - Name of the key in the secret.
+ - providedValues - List<String> - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
+ - length - int - Optional - Length of the generated random password.
+ - strong - Boolean - Optional - Whether to add symbols to the generated random password.
+ - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
+ - context - Context - Required - Parent context.
+ - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets.
+ - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted.
+ - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret.
+The order in which this function returns a secret password:
+ 1. Already existing 'Secret' resource
+ (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
+ 2. Password provided via the values.yaml
+ (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
+ 3. Randomly generated secret password
+ (A new random secret password with the length specified in the 'length' parameter will be generated and returned)
+
+*/}}
+{{- define "common.secrets.passwords.manage" -}}
+
+{{- $password := "" }}
+{{- $subchart := "" }}
+{{- $chartName := default "" .chartName }}
+{{- $passwordLength := default 10 .length }}
+{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
+{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
+{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
+{{- if $secretData }}
+ {{- if hasKey $secretData .key }}
+ {{- $password = index $secretData .key | b64dec }}
+ {{- else if not (eq .failOnNew false) }}
+ {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
+ {{- else if $providedPasswordValue }}
+ {{- $password = $providedPasswordValue | toString }}
+ {{- end -}}
+{{- else if $providedPasswordValue }}
+ {{- $password = $providedPasswordValue | toString }}
+{{- else }}
+
+ {{- if .context.Values.enabled }}
+ {{- $subchart = $chartName }}
+ {{- end -}}
+
+ {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
+ {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
+ {{- $passwordValidationErrors := list $requiredPasswordError -}}
+ {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
+
+ {{- if .strong }}
+ {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
+ {{- $password = randAscii $passwordLength }}
+ {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
+ {{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
+ {{- else }}
+ {{- $password = randAlphaNum $passwordLength }}
+ {{- end }}
+{{- end -}}
+{{- if not .skipB64enc }}
+{{- $password = $password | b64enc }}
+{{- end -}}
+{{- if .skipQuote -}}
+{{- printf "%s" $password -}}
+{{- else -}}
+{{- printf "%s" $password | quote -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Reuses the value from an existing secret, otherwise sets its value to a default value.
+
+Usage:
+{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - key - String - Required - Name of the key in the secret.
+ - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
+ - context - Context - Required - Parent context.
+
+*/}}
+{{- define "common.secrets.lookup" -}}
+{{- $value := "" -}}
+{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}}
+{{- if and $secretData (hasKey $secretData .key) -}}
+ {{- $value = index $secretData .key -}}
+{{- else if .defaultValue -}}
+ {{- $value = .defaultValue | toString | b64enc -}}
+{{- end -}}
+{{- if $value -}}
+{{- printf "%s" $value -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns whether a previous generated secret already exists
+
+Usage:
+{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - context - Context - Required - Parent context.
+*/}}
+{{- define "common.secrets.exists" -}}
+{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }}
+{{- if $secret }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_storage.tpl b/charts/openproject/charts/memcached/charts/common/templates/_storage.tpl
new file mode 100644
index 0000000..16405a0
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_storage.tpl
@@ -0,0 +1,28 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper Storage Class
+{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
+*/}}
+{{- define "common.storage.class" -}}
+
+{{- $storageClass := .persistence.storageClass -}}
+{{- if .global -}}
+ {{- if .global.storageClass -}}
+ {{- $storageClass = .global.storageClass -}}
+ {{- end -}}
+{{- end -}}
+
+{{- if $storageClass -}}
+ {{- if (eq "-" $storageClass) -}}
+ {{- printf "storageClassName: \"\"" -}}
+ {{- else }}
+ {{- printf "storageClassName: %s" $storageClass -}}
+ {{- end -}}
+{{- end -}}
+
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_tplvalues.tpl b/charts/openproject/charts/memcached/charts/common/templates/_tplvalues.tpl
new file mode 100644
index 0000000..a8ed763
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_tplvalues.tpl
@@ -0,0 +1,38 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template perhaps with scope if the scope is present.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }}
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
+{{- if contains "{{" (toJson .value) }}
+ {{- if .scope }}
+ {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
+ {{- else }}
+ {{- tpl $value .context }}
+ {{- end }}
+{{- else }}
+ {{- $value }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Merge a list of values that contains template after rendering them.
+Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge
+Usage:
+{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }}
+*/}}
+{{- define "common.tplvalues.merge" -}}
+{{- $dst := dict -}}
+{{- range .values -}}
+{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}}
+{{- end -}}
+{{ $dst | toYaml }}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_utils.tpl b/charts/openproject/charts/memcached/charts/common/templates/_utils.tpl
new file mode 100644
index 0000000..bfbddf0
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_utils.tpl
@@ -0,0 +1,77 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Print instructions to get a secret value.
+Usage:
+{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }}
+*/}}
+{{- define "common.utils.secret.getvalue" -}}
+{{- $varname := include "common.utils.fieldToEnvVar" . -}}
+export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d)
+{{- end -}}
+
+{{/*
+Build env var name given a field
+Usage:
+{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }}
+*/}}
+{{- define "common.utils.fieldToEnvVar" -}}
+ {{- $fieldNameSplit := splitList "-" .field -}}
+ {{- $upperCaseFieldNameSplit := list -}}
+
+ {{- range $fieldNameSplit -}}
+ {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}}
+ {{- end -}}
+
+ {{ join "_" $upperCaseFieldNameSplit }}
+{{- end -}}
+
+{{/*
+Gets a value from .Values given
+Usage:
+{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }}
+*/}}
+{{- define "common.utils.getValueFromKey" -}}
+{{- $splitKey := splitList "." .key -}}
+{{- $value := "" -}}
+{{- $latestObj := $.context.Values -}}
+{{- range $splitKey -}}
+ {{- if not $latestObj -}}
+ {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}}
+ {{- end -}}
+ {{- $value = ( index $latestObj . ) -}}
+ {{- $latestObj = $value -}}
+{{- end -}}
+{{- printf "%v" (default "" $value) -}}
+{{- end -}}
+
+{{/*
+Returns first .Values key with a defined value or first of the list if all non-defined
+Usage:
+{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }}
+*/}}
+{{- define "common.utils.getKeyFromList" -}}
+{{- $key := first .keys -}}
+{{- $reverseKeys := reverse .keys }}
+{{- range $reverseKeys }}
+ {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }}
+ {{- if $value -}}
+ {{- $key = . }}
+ {{- end -}}
+{{- end -}}
+{{- printf "%s" $key -}}
+{{- end -}}
+
+{{/*
+Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376).
+Usage:
+{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }}
+*/}}
+{{- define "common.utils.checksumTemplate" -}}
+{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}}
+{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/_warnings.tpl b/charts/openproject/charts/memcached/charts/common/templates/_warnings.tpl
new file mode 100644
index 0000000..0f763cd
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/_warnings.tpl
@@ -0,0 +1,82 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Warning about using rolling tag.
+Usage:
+{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
+*/}}
+{{- define "common.warnings.rollingTag" -}}
+
+{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
+WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
++info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers
+{{- end }}
+{{- end -}}
+
+{{/*
+Warning about not setting the resource object in all deployments.
+Usage:
+{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }}
+Example:
+{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }}
+The list in the example assumes that the following values exist:
+ - csiProvider.provider.resources
+ - server.resources
+ - volumePermissions.resources
+ - resources
+*/}}
+{{- define "common.warnings.resources" -}}
+{{- $values := .context.Values -}}
+{{- $printMessage := false -}}
+{{ $affectedSections := list -}}
+{{- range .sections -}}
+ {{- if eq . "" -}}
+ {{/* Case where the resources section is at the root (one main deployment in the chart) */}}
+ {{- if not (index $values "resources") -}}
+ {{- $affectedSections = append $affectedSections "resources" -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else -}}
+ {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}}
+ {{- $keys := split "." . -}}
+ {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}}
+ {{- $section := $values -}}
+ {{- range $keys -}}
+ {{- $section = index $section . -}}
+ {{- end -}}
+ {{- if not (index $section "resources") -}}
+ {{/* If the section has enabled=false or replicaCount=0, do not include it */}}
+ {{- if and (hasKey $section "enabled") -}}
+ {{- if index $section "enabled" -}}
+ {{/* enabled=true */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else if and (hasKey $section "replicaCount") -}}
+ {{/* We need a casting to int because number 0 is not treated as an int by default */}}
+ {{- if (gt (index $section "replicaCount" | int) 0) -}}
+ {{/* replicaCount > 0 */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else -}}
+ {{/* Default case, add it to the affected sections */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- if $printMessage }}
+
+WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs:
+{{- range $affectedSections }}
+ - {{ . }}
+{{- end }}
++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/validations/_cassandra.tpl b/charts/openproject/charts/memcached/charts/common/templates/validations/_cassandra.tpl
new file mode 100644
index 0000000..eda9aad
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/validations/_cassandra.tpl
@@ -0,0 +1,77 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate Cassandra required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.cassandra.passwords" -}}
+ {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
+ {{- $enabled := include "common.cassandra.values.enabled" . -}}
+ {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
+ {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.cassandra.values.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.cassandra.values.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.cassandra.dbUser.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.dbUser.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled cassandra.
+
+Usage:
+{{ include "common.cassandra.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.cassandra.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.cassandra.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key dbUser
+
+Usage:
+{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.cassandra.values.key.dbUser" -}}
+ {{- if .subchart -}}
+ cassandra.dbUser
+ {{- else -}}
+ dbUser
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/validations/_mariadb.tpl b/charts/openproject/charts/memcached/charts/common/templates/validations/_mariadb.tpl
new file mode 100644
index 0000000..17d83a2
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/validations/_mariadb.tpl
@@ -0,0 +1,108 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MariaDB required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret"
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mariadb.passwords" -}}
+ {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mariadb.values.enabled" . -}}
+ {{- $architecture := include "common.mariadb.values.architecture" . -}}
+ {{- $authPrefix := include "common.mariadb.values.key.auth" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- if not (empty $valueUsername) -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replication") -}}
+ {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mariadb.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mariadb.
+
+Usage:
+{{ include "common.mariadb.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mariadb.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mariadb.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mariadb.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.key.auth" -}}
+ {{- if .subchart -}}
+ mariadb.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/validations/_mongodb.tpl b/charts/openproject/charts/memcached/charts/common/templates/validations/_mongodb.tpl
new file mode 100644
index 0000000..bbb445b
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/validations/_mongodb.tpl
@@ -0,0 +1,113 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MongoDB® required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret"
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mongodb.passwords" -}}
+ {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mongodb.values.enabled" . -}}
+ {{- $authPrefix := include "common.mongodb.values.key.auth" . -}}
+ {{- $architecture := include "common.mongodb.values.architecture" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}}
+ {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}}
+
+ {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }}
+ {{- if and $valueUsername $valueDatabase -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replicaset") -}}
+ {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mongodb.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mongodb.
+
+Usage:
+{{ include "common.mongodb.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mongodb.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mongodb.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.key.auth" -}}
+ {{- if .subchart -}}
+ mongodb.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mongodb.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/validations/_mysql.tpl b/charts/openproject/charts/memcached/charts/common/templates/validations/_mysql.tpl
new file mode 100644
index 0000000..ca3953f
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/validations/_mysql.tpl
@@ -0,0 +1,108 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MySQL required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret"
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mysql.passwords" -}}
+ {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mysql.values.enabled" . -}}
+ {{- $architecture := include "common.mysql.values.architecture" . -}}
+ {{- $authPrefix := include "common.mysql.values.key.auth" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- if not (empty $valueUsername) -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replication") -}}
+ {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mysql.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mysql.
+
+Usage:
+{{ include "common.mysql.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mysql.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mysql.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mysql.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.key.auth" -}}
+ {{- if .subchart -}}
+ mysql.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/validations/_postgresql.tpl b/charts/openproject/charts/memcached/charts/common/templates/validations/_postgresql.tpl
new file mode 100644
index 0000000..8c9aa57
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/validations/_postgresql.tpl
@@ -0,0 +1,134 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate PostgreSQL required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret"
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.postgresql.passwords" -}}
+ {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
+ {{- $enabled := include "common.postgresql.values.enabled" . -}}
+ {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
+ {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+ {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
+
+ {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
+ {{- if (eq $enabledReplication "true") -}}
+ {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to decide whether evaluate global values.
+
+Usage:
+{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
+Params:
+ - key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
+*/}}
+{{- define "common.postgresql.values.use.global" -}}
+ {{- if .context.Values.global -}}
+ {{- if .context.Values.global.postgresql -}}
+ {{- index .context.Values.global.postgresql .key | quote -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
+*/}}
+{{- define "common.postgresql.values.existingSecret" -}}
+ {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
+
+ {{- if .subchart -}}
+ {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
+ {{- else -}}
+ {{- default (.context.Values.existingSecret | quote) $globalValue -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled postgresql.
+
+Usage:
+{{ include "common.postgresql.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.postgresql.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.postgresql.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key postgressPassword.
+
+Usage:
+{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.key.postgressPassword" -}}
+ {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
+
+ {{- if not $globalValue -}}
+ {{- if .subchart -}}
+ postgresql.postgresqlPassword
+ {{- else -}}
+ postgresqlPassword
+ {{- end -}}
+ {{- else -}}
+ global.postgresql.postgresqlPassword
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled.replication.
+
+Usage:
+{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.enabled.replication" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.postgresql.replication.enabled -}}
+ {{- else -}}
+ {{- printf "%v" .context.Values.replication.enabled -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key replication.password.
+
+Usage:
+{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.key.replicationPassword" -}}
+ {{- if .subchart -}}
+ postgresql.replication.password
+ {{- else -}}
+ replication.password
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/validations/_redis.tpl b/charts/openproject/charts/memcached/charts/common/templates/validations/_redis.tpl
new file mode 100644
index 0000000..fc0d208
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/validations/_redis.tpl
@@ -0,0 +1,81 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate Redis® required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret"
+ - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.redis.passwords" -}}
+ {{- $enabled := include "common.redis.values.enabled" . -}}
+ {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}}
+ {{- $standarizedVersion := include "common.redis.values.standarized.version" . }}
+
+ {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }}
+ {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }}
+
+ {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }}
+ {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}}
+ {{- if eq $useAuth "true" -}}
+ {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled redis.
+
+Usage:
+{{ include "common.redis.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.redis.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.redis.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right prefix path for the values
+
+Usage:
+{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
+*/}}
+{{- define "common.redis.values.keys.prefix" -}}
+ {{- if .subchart -}}redis.{{- else -}}{{- end -}}
+{{- end -}}
+
+{{/*
+Checks whether the redis chart's includes the standarizations (version >= 14)
+
+Usage:
+{{ include "common.redis.values.standarized.version" (dict "context" $) }}
+*/}}
+{{- define "common.redis.values.standarized.version" -}}
+
+ {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}}
+ {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }}
+
+ {{- if $standarizedAuthValues -}}
+ {{- true -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/templates/validations/_validations.tpl b/charts/openproject/charts/memcached/charts/common/templates/validations/_validations.tpl
new file mode 100644
index 0000000..31ceda8
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/templates/validations/_validations.tpl
@@ -0,0 +1,51 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate values must not be empty.
+
+Usage:
+{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
+{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
+
+Validate value params:
+ - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
+ - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
+ - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
+*/}}
+{{- define "common.validations.values.multiple.empty" -}}
+ {{- range .required -}}
+ {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Validate a value must not be empty.
+
+Usage:
+{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }}
+
+Validate value params:
+ - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
+ - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
+ - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
+ - subchart - String - Optional - Name of the subchart that the validated password is part of.
+*/}}
+{{- define "common.validations.values.single.empty" -}}
+ {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }}
+ {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }}
+
+ {{- if not $value -}}
+ {{- $varname := "my-value" -}}
+ {{- $getCurrentValue := "" -}}
+ {{- if and .secret .field -}}
+ {{- $varname = include "common.utils.fieldToEnvVar" . -}}
+ {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}}
+ {{- end -}}
+ {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/charts/common/values.yaml b/charts/openproject/charts/memcached/charts/common/values.yaml
new file mode 100644
index 0000000..9abe0e1
--- /dev/null
+++ b/charts/openproject/charts/memcached/charts/common/values.yaml
@@ -0,0 +1,8 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
+## bitnami/common
+## It is required by CI/CD tools and processes.
+## @skip exampleValue
+##
+exampleValue: common-chart
diff --git a/charts/openproject/charts/memcached/templates/NOTES.txt b/charts/openproject/charts/memcached/templates/NOTES.txt
new file mode 100644
index 0000000..626d0da
--- /dev/null
+++ b/charts/openproject/charts/memcached/templates/NOTES.txt
@@ -0,0 +1,44 @@
+CHART NAME: {{ .Chart.Name }}
+CHART VERSION: {{ .Chart.Version }}
+APP VERSION: {{ .Chart.AppVersion }}
+
+{{- if and (not .Values.auth.enabled) (contains .Values.service.type "LoadBalancer") }}
+-------------------------------------------------------------------------------
+ WARNING
+
+ By specifying "serviceType=LoadBalancer" and not specifying "auth.enabled=true"
+ you have most likely exposed the Memcached service externally without any
+ authentication mechanism.
+
+ For security reasons, we strongly suggest that you switch to "ClusterIP" or
+ "NodePort". As alternative, you can also specify valid credentials using the
+ "auth.username" and "auth.password" parameters.
+
+-------------------------------------------------------------------------------
+{{- end }}
+
+** Please be patient while the chart is being deployed **
+
+Memcached can be accessed via port {{ .Values.service.ports.memcached }} on the following DNS name from within your cluster:
+
+ {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+
+{{- if eq .Values.architecture "high-availability" }}
+
+Please see https://github.com/memcached/memcached/wiki/ConfiguringClient to understand the Memcached model and need for client-based consistent hashing.
+You might also want to consider more advanced routing/replication approaches with mcrouter: https://github.com/facebook/mcrouter/wiki/Replicated-pools-setup
+
+{{- end }}
+
+{{- if .Values.metrics.enabled }}
+
+To access the Memcached Prometheus metrics from outside the cluster execute the following commands:
+
+ kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-metrics" (include "common.names.fullname" .) }} {{ .Values.metrics.service.ports.metrics }}:{{ .Values.metrics.service.ports.metrics }} &
+ curl http://127.0.0.1:{{ .Values.metrics.service.ports.metrics }}/metrics
+
+{{- end }}
+
+{{- include "memcached.validateValues" . }}
+{{- include "memcached.checkRollingTags" . }}
+{{- include "common.warnings.resources" (dict "sections" (list "metrics" "" "volumePermissions") "context" $) }}
diff --git a/charts/openproject/charts/memcached/templates/_helpers.tpl b/charts/openproject/charts/memcached/templates/_helpers.tpl
new file mode 100644
index 0000000..1614397
--- /dev/null
+++ b/charts/openproject/charts/memcached/templates/_helpers.tpl
@@ -0,0 +1,121 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return the proper Memcached image name
+*/}}
+{{- define "memcached.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper image name (for the metrics image)
+*/}}
+{{- define "memcached.metrics.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }}
+{{- end -}}
+
+
+{{/*
+Return the proper image name (for the init container volume-permissions image)
+*/}}
+{{- define "memcached.volumePermissions.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "memcached.imagePullSecrets" -}}
+{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) -}}
+{{- end -}}
+
+{{/*
+ Create the name of the service account to use
+ */}}
+{{- define "memcached.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Check if there are rolling tags in the images
+*/}}
+{{- define "memcached.checkRollingTags" -}}
+{{- include "common.warnings.rollingTag" .Values.image }}
+{{- include "common.warnings.rollingTag" .Values.metrics.image }}
+{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
+{{- end -}}
+
+{{/*
+Compile all warnings into a single message, and call fail.
+*/}}
+{{- define "memcached.validateValues" -}}
+{{- $messages := list -}}
+{{- $messages := append $messages (include "memcached.validateValues.architecture" .) -}}
+{{- $messages := append $messages (include "memcached.validateValues.replicaCount" .) -}}
+{{- $messages := append $messages (include "memcached.validateValues.auth" .) -}}
+{{- $messages := append $messages (include "memcached.validateValues.readOnlyRootFilesystem" .) -}}
+{{- $messages := without $messages "" -}}
+{{- $message := join "\n" $messages -}}
+
+{{- if $message -}}
+{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Validate values of Memcached - must provide a valid architecture */}}
+{{- define "memcached.validateValues.architecture" -}}
+{{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "high-availability") -}}
+memcached: architecture
+ Invalid architecture selected. Valid values are "standalone" and
+ "high-availability". Please set a valid architecture (--set architecture="xxxx")
+{{- end -}}
+{{- end -}}
+
+{{/* Validate values of Memcached - number of replicas */}}
+{{- define "memcached.validateValues.replicaCount" -}}
+{{- $replicaCount := int .Values.replicaCount }}
+{{- if and (eq .Values.architecture "standalone") (gt $replicaCount 1) -}}
+memcached: replicaCount
+ The standalone architecture doesn't allow to run more than 1 replica.
+ Please set a valid number of replicas (--set memcached.replicaCount=1) or
+ use the "high-availability" architecture (--set architecture="high-availability")
+{{- end -}}
+{{- end -}}
+
+{{/* Validate values of Memcached - authentication */}}
+{{- define "memcached.validateValues.auth" -}}
+{{- if and .Values.auth.enabled (empty .Values.auth.username) -}}
+memcached: auth.username
+ Enabling authentication requires setting a valid admin username.
+ Please set a valid username (--set auth.username="xxxx")
+{{- end -}}
+{{- end -}}
+
+{{/* Validate values of Memcached - containerSecurityContext.readOnlyRootFilesystem */}}
+{{- define "memcached.validateValues.readOnlyRootFilesystem" -}}
+{{- if and .Values.containerSecurityContext.enabled .Values.containerSecurityContext.readOnlyRootFilesystem .Values.auth.enabled -}}
+memcached: containerSecurityContext.readOnlyRootFilesystem
+ Enabling authentication is not compatible with using a read-only filesystem.
+ Please disable it (--set containerSecurityContext.readOnlyRootFilesystem=false)
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the password secret.
+*/}}
+{{- define "memcached.secretPasswordName" -}}
+ {{- if .Values.auth.existingPasswordSecret -}}
+ {{- printf "%s" (tpl .Values.auth.existingPasswordSecret $) -}}
+ {{- else -}}
+ {{- printf "%s" (include "common.names.fullname" .) -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/memcached/templates/deployment.yaml b/charts/openproject/charts/memcached/templates/deployment.yaml
new file mode 100644
index 0000000..33ea05b
--- /dev/null
+++ b/charts/openproject/charts/memcached/templates/deployment.yaml
@@ -0,0 +1,221 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if eq .Values.architecture "standalone" }}
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ replicas: {{ .Values.replicaCount }}
+ {{- if .Values.updateStrategy }}
+ strategy: {{- toYaml .Values.updateStrategy | nindent 4 }}
+ {{- end }}
+ template:
+ metadata:
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
+ annotations:
+ {{- if .Values.auth.enabled }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+ {{- end }}
+ {{- if .Values.podAnnotations }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.metrics.podAnnotations "context" $) | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include "memcached.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
+ {{- if .Values.hostAliases }}
+ hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.affinity }}
+ affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }}
+ {{- else }}
+ affinity:
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
+ nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.topologySpreadConstraints }}
+ topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+ {{- end }}
+ {{- if .Values.schedulerName }}
+ schedulerName: {{ .Values.schedulerName }}
+ {{- end }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ {{- end }}
+ serviceAccountName: {{ template "memcached.serviceAccountName" . }}
+ {{- if .Values.initContainers }}
+ initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: memcached
+ image: {{ template "memcached.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
+ {{- else if .Values.command }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
+ {{- else if .Values.args }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
+ {{- end }}
+ env:
+ - name: BITNAMI_DEBUG
+ value: {{ ternary "true" "false" .Values.image.debug | quote }}
+ - name: MEMCACHED_PORT_NUMBER
+ value: {{ .Values.containerPorts.memcached | quote }}
+ {{- if .Values.auth.enabled }}
+ - name: MEMCACHED_USERNAME
+ value: {{ .Values.auth.username | quote }}
+ - name: MEMCACHED_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "memcached.secretPasswordName" . }}
+ key: memcached-password
+ {{- end }}
+ {{- if .Values.extraEnvVars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }}
+ envFrom:
+ {{- if .Values.extraEnvVarsCM }}
+ - configMapRef:
+ name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
+ {{- end }}
+ {{- if .Values.extraEnvVarsSecret }}
+ - secretRef:
+ name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - name: memcache
+ containerPort: {{ .Values.containerPorts.memcached }}
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.livenessProbe.enabled }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }}
+ tcpSocket:
+ port: memcache
+ {{- end }}
+ {{- if .Values.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.readinessProbe.enabled }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }}
+ tcpSocket:
+ port: memcache
+ {{- end }}
+ {{- if .Values.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
+ {{- else if .Values.startupProbe.enabled }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }}
+ tcpSocket:
+ port: memcache
+ {{- end }}
+ {{- end }}
+ {{- if .Values.lifecycleHooks }}
+ lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- else if ne .Values.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: empty-dir
+ mountPath: /opt/bitnami/memcached/conf
+ subPath: app-conf-dir
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ {{- if .Values.extraVolumeMounts }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.metrics.enabled }}
+ - name: metrics
+ image: {{ template "memcached.metrics.image" . }}
+ imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+ {{- if .Values.metrics.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: metrics
+ containerPort: {{ .Values.metrics.containerPorts.metrics }}
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.metrics.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.livenessProbe.enabled }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /metrics
+ port: {{ .Values.metrics.containerPorts.metrics }}
+ {{- end }}
+ {{- if .Values.metrics.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.readinessProbe.enabled }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /metrics
+ port: {{ .Values.metrics.containerPorts.metrics }}
+ {{- end }}
+ {{- if .Values.metrics.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.startupProbe.enabled }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
+ port: memcache
+ {{- end }}
+ {{- end }}
+ {{- if .Values.metrics.resources }}
+ resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+ {{- else if ne .Values.metrics.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ {{- if .Values.metrics.extraVolumeMounts }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.sidecars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: empty-dir
+ emptyDir: {}
+ {{- if .Values.extraVolumes }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/openproject/charts/memcached/templates/extra-list.yaml b/charts/openproject/charts/memcached/templates/extra-list.yaml
new file mode 100644
index 0000000..2d35a58
--- /dev/null
+++ b/charts/openproject/charts/memcached/templates/extra-list.yaml
@@ -0,0 +1,9 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- range .Values.extraDeploy }}
+---
+{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/charts/openproject/charts/memcached/templates/hpa.yaml b/charts/openproject/charts/memcached/templates/hpa.yaml
new file mode 100644
index 0000000..16f1e3b
--- /dev/null
+++ b/charts/openproject/charts/memcached/templates/hpa.yaml
@@ -0,0 +1,48 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.autoscaling.enabled (eq .Values.architecture "high-availability") }}
+apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }}
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
+ kind: StatefulSet
+ name: {{ template "common.names.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetMemory }}
+ - type: Resource
+ resource:
+ name: memory
+ {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
+ targetAverageUtilization: {{ .Values.autoscaling.targetMemory }}
+ {{- else }}
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemory }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetCPU }}
+ - type: Resource
+ resource:
+ name: cpu
+ {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
+ targetAverageUtilization: {{ .Values.autoscaling.targetCPU }}
+ {{- else }}
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPU }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/openproject/charts/memcached/templates/metrics-svc.yaml b/charts/openproject/charts/memcached/templates/metrics-svc.yaml
new file mode 100644
index 0000000..f0db234
--- /dev/null
+++ b/charts/openproject/charts/memcached/templates/metrics-svc.yaml
@@ -0,0 +1,30 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ printf "%s-metrics" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: metrics
+ {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
+ {{- if .Values.metrics.service.clusterIP }}
+ clusterIP: {{ .Values.metrics.service.clusterIP }}
+ {{- end }}
+ ports:
+ - name: metrics
+ port: {{ .Values.metrics.service.ports.metrics }}
+ targetPort: metrics
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+{{- end }}
diff --git a/charts/openproject/charts/memcached/templates/networkpolicy.yaml b/charts/openproject/charts/memcached/templates/networkpolicy.yaml
new file mode 100644
index 0000000..879c63f
--- /dev/null
+++ b/charts/openproject/charts/memcached/templates/networkpolicy.yaml
@@ -0,0 +1,74 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ template "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ podSelector:
+ matchLabels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
+ policyTypes:
+ - Ingress
+ - Egress
+ {{- if .Values.networkPolicy.allowExternalEgress }}
+ egress:
+ - {}
+ {{- else }}
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ # Allow connection to other cluster pods
+ - ports:
+ - port: {{ .Values.containerPorts.memcached }}
+ to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ {{- if .Values.networkPolicy.extraEgress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ingress:
+ - ports:
+ - port: {{ .Values.containerPorts.memcached }}
+ {{- if .Values.metrics.enabled }}
+ - port: {{ .Values.metrics.containerPorts.metrics }}
+ {{- end }}
+ {{- if not .Values.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels:
+ {{ template "common.names.fullname" . }}-client: "true"
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ {{- if .Values.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.networkPolicy.extraIngress }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/openproject/charts/memcached/templates/pdb.yaml b/charts/openproject/charts/memcached/templates/pdb.yaml
new file mode 100644
index 0000000..f2d7bed
--- /dev/null
+++ b/charts/openproject/charts/memcached/templates/pdb.yaml
@@ -0,0 +1,26 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.pdb.create (eq .Values.architecture "high-availability") }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.pdb.minAvailable }}
+ minAvailable: {{ .Values.pdb.minAvailable }}
+ {{- end }}
+ {{- if .Values.pdb.maxUnavailable }}
+ maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+{{- end }}
diff --git a/charts/openproject/charts/memcached/templates/secrets.yaml b/charts/openproject/charts/memcached/templates/secrets.yaml
new file mode 100644
index 0000000..d989dab
--- /dev/null
+++ b/charts/openproject/charts/memcached/templates/secrets.yaml
@@ -0,0 +1,19 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and (.Values.auth.enabled) (not .Values.auth.existingPasswordSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+ memcached-password: {{ default (randAlphaNum 10) .Values.auth.password | b64enc | quote }}
+{{- end }}
diff --git a/charts/openproject/charts/memcached/templates/service.yaml b/charts/openproject/charts/memcached/templates/service.yaml
new file mode 100644
index 0000000..d131219
--- /dev/null
+++ b/charts/openproject/charts/memcached/templates/service.yaml
@@ -0,0 +1,49 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if or .Values.service.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.service.type }}
+ {{- if .Values.service.sessionAffinity }}
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- end }}
+ {{- if .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }}
+ clusterIP: {{ .Values.service.clusterIP }}
+ {{- end }}
+ {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }}
+ externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
+ {{- end }}
+ {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges)) }}
+ loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }}
+ {{- end }}
+ {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ ports:
+ - name: memcache
+ port: {{ .Values.service.ports.memcached }}
+ targetPort: memcache
+ {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.memcached)) }}
+ nodePort: {{ .Values.service.nodePorts.memcached }}
+ {{- else if eq .Values.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ {{- if .Values.service.extraPorts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
diff --git a/charts/openproject/charts/memcached/templates/serviceaccount.yaml b/charts/openproject/charts/memcached/templates/serviceaccount.yaml
new file mode 100644
index 0000000..c865d8e
--- /dev/null
+++ b/charts/openproject/charts/memcached/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ template "memcached.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/openproject/charts/memcached/templates/servicemonitor.yaml b/charts/openproject/charts/memcached/templates/servicemonitor.yaml
new file mode 100644
index 0000000..cb0d197
--- /dev/null
+++ b/charts/openproject/charts/memcached/templates/servicemonitor.yaml
@@ -0,0 +1,48 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations:
+ {{- end }}
+spec:
+ {{- if .Values.metrics.serviceMonitor.jobLabel }}
+ jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
+ {{- end }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
+ {{- if .Values.metrics.serviceMonitor.selector }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
+ {{- end }}
+ app.kubernetes.io/component: metrics
+ endpoints:
+ - port: metrics
+ path: /metrics
+ {{- if .Values.metrics.serviceMonitor.interval }}
+ interval: {{ .Values.metrics.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.honorLabels }}
+ honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.relabelings }}
+ relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabelings | nindent 6 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/openproject/charts/memcached/templates/statefulset.yaml b/charts/openproject/charts/memcached/templates/statefulset.yaml
new file mode 100644
index 0000000..d5f3d54
--- /dev/null
+++ b/charts/openproject/charts/memcached/templates/statefulset.yaml
@@ -0,0 +1,291 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if eq .Values.architecture "high-availability" }}
+apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
+kind: StatefulSet
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ {{- if not (and .Values.autoscaling.enabled (eq .Values.architecture "high-availability")) }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ {{- if .Values.podManagementPolicy }}
+ podManagementPolicy: {{ .Values.podManagementPolicy | quote }}
+ {{- end }}
+ serviceName: {{ template "common.names.fullname" . }}
+ {{- if .Values.updateStrategy }}
+ updateStrategy: {{- toYaml .Values.updateStrategy | nindent 4 }}
+ {{- end }}
+ template:
+ metadata:
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
+ annotations:
+ {{- if .Values.auth.enabled }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+ {{- end }}
+ {{- if .Values.podAnnotations }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.metrics.podAnnotations "context" $) | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include "memcached.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
+ {{- if .Values.hostAliases }}
+ hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.affinity }}
+ affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }}
+ {{- else }}
+ affinity:
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
+ nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.topologySpreadConstraints }}
+ topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+ {{- end }}
+ {{- if .Values.schedulerName }}
+ schedulerName: {{ .Values.schedulerName }}
+ {{- end }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ {{- end }}
+ serviceAccountName: {{ template "memcached.serviceAccountName" . }}
+ {{- if or .Values.persistence.enabled .Values.initContainers }}
+ initContainers:
+ {{- if and .Values.persistence.enabled .Values.volumePermissions.enabled }}
+ - name: volume-permissions
+ image: {{ include "memcached.volumePermissions.image" . }}
+ imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+ command:
+ - /bin/bash
+ args:
+ - -ec
+ - |
+ mkdir -p /cache-state
+ touch /cache-state/memory_file
+ find /cache-state -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}
+ securityContext:
+ runAsUser: {{ .Values.volumePermissions.containerSecurityContext.runAsUser }}
+ {{- if .Values.volumePermissions.resources }}
+ resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
+ {{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: data
+ mountPath: /cache-state
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ {{- end }}
+ {{- if .Values.initContainers }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: memcached
+ image: {{ template "memcached.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
+ {{- else if .Values.command }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
+ {{- else if .Values.args }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
+ {{- else if .Values.persistence.enabled }}
+ args:
+ - /run.sh
+ - --memory-file=/cache-state/memory_file
+ {{- end }}
+ env:
+ - name: BITNAMI_DEBUG
+ value: {{ ternary "true" "false" .Values.image.debug | quote }}
+ - name: MEMCACHED_PORT_NUMBER
+ value: {{ .Values.containerPorts.memcached | quote }}
+ {{- if .Values.auth.enabled }}
+ - name: MEMCACHED_USERNAME
+ value: {{ .Values.auth.username | quote }}
+ - name: MEMCACHED_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "memcached.secretPasswordName" . }}
+ key: memcached-password
+ {{- end }}
+ {{- if .Values.extraEnvVars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }}
+ envFrom:
+ {{- if .Values.extraEnvVarsCM }}
+ - configMapRef:
+ name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
+ {{- end }}
+ {{- if .Values.extraEnvVarsSecret }}
+ - secretRef:
+ name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - name: memcache
+ containerPort: {{ .Values.containerPorts.memcached }}
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.livenessProbe.enabled }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }}
+ tcpSocket:
+ port: memcache
+ {{- end }}
+ {{- if .Values.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.readinessProbe.enabled }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }}
+ tcpSocket:
+ port: memcache
+ {{- end }}
+ {{- if .Values.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
+ {{- else if .Values.startupProbe.enabled }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }}
+ tcpSocket:
+ port: memcache
+ {{- end }}
+ {{- end }}
+ {{- if .Values.lifecycleHooks }}
+ lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
+ {{- else if .Values.persistence.enabled }}
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /bin/bash
+ - -ec
+ - |
+ /usr/bin/pkill -10 memcached
+ sleep 60s
+ {{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- else if ne .Values.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.persistence.enabled }}
+ - name: data
+ mountPath: /cache-state
+ {{- end }}
+ - name: empty-dir
+ mountPath: /opt/bitnami/memcached/conf
+ subPath: app-conf-dir
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ {{- if .Values.extraVolumeMounts }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.metrics.enabled }}
+ - name: metrics
+ image: {{ template "memcached.metrics.image" . }}
+ imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+ {{- if .Values.metrics.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: metrics
+ containerPort: {{ .Values.metrics.containerPorts.metrics }}
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.metrics.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.livenessProbe.enabled }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /metrics
+ port: {{ .Values.metrics.containerPorts.metrics }}
+ {{- end }}
+ {{- if .Values.metrics.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.readinessProbe.enabled }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /metrics
+ port: {{ .Values.metrics.containerPorts.metrics }}
+ {{- end }}
+ {{- if .Values.metrics.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.startupProbe.enabled }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
+ tcpSocket:
+ port: metrics
+ {{- end }}
+ {{- end }}
+ {{- if .Values.metrics.resources }}
+ resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+ {{- else if ne .Values.metrics.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.sidecars }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $ ) | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: empty-dir
+ emptyDir: {}
+ {{- if .Values.extraVolumes }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.persistence.enabled }}
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ {{- $claimLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.labels .Values.commonLabels ) "context" . ) }}
+ labels: {{- include "common.labels.matchLabels" ( dict "customLabels" $claimLabels "context" $ ) | nindent 10 }}
+ {{- if or .Values.persistence.annotations .Values.commonAnnotations }}
+ {{- $claimAnnotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $claimAnnotations "context" $) | nindent 10 }}
+ {{- end }}
+ spec:
+ accessModes:
+ {{- range .Values.persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+ {{- if .Values.persistence.selector }}
+ selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }}
+ {{- end }}
+ {{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/openproject/charts/memcached/values.yaml b/charts/openproject/charts/memcached/values.yaml
new file mode 100644
index 0000000..c61da0e
--- /dev/null
+++ b/charts/openproject/charts/memcached/values.yaml
@@ -0,0 +1,831 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
+## @section Global parameters
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
+
+## @param global.imageRegistry Global Docker image registry
+## @param global.imagePullSecrets Global Docker registry secret names as an array
+## @param global.storageClass Global StorageClass for Persistent Volume(s)
+##
+global:
+ imageRegistry: ""
+ ## E.g.
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: []
+ storageClass: ""
+ ## Compatibility adaptations for Kubernetes platforms
+ ##
+ compatibility:
+ ## Compatibility adaptations for Openshift
+ ##
+ openshift:
+ ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+ ##
+ adaptSecurityContext: disabled
+## @section Common parameters
+
+## @param kubeVersion Override Kubernetes version
+##
+kubeVersion: ""
+## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
+##
+nameOverride: ""
+## @param fullnameOverride String to fully override common.names.fullname template
+##
+fullnameOverride: ""
+## @param clusterDomain Kubernetes Cluster Domain
+##
+clusterDomain: cluster.local
+## @param extraDeploy Extra objects to deploy (evaluated as a template)
+##
+extraDeploy: []
+## @param commonLabels Add labels to all the deployed resources
+##
+commonLabels: {}
+## @param commonAnnotations Add annotations to all the deployed resources
+##
+commonAnnotations: {}
+## Enable diagnostic mode in the deployment/statefulset
+##
+diagnosticMode:
+ ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
+ ##
+ enabled: false
+ ## @param diagnosticMode.command Command to override all containers in the deployment/statefulset
+ ##
+ command:
+ - sleep
+ ## @param diagnosticMode.args Args to override all containers in the deployment/statefulset
+ ##
+ args:
+ - infinity
+## @section Memcached parameters
+
+## Bitnami Memcached image version
+## ref: https://hub.docker.com/r/bitnami/memcached/tags/
+## @param image.registry [default: REGISTRY_NAME] Memcached image registry
+## @param image.repository [default: REPOSITORY_NAME/memcached] Memcached image repository
+## @skip image.tag Memcached image tag (immutable tags are recommended)
+## @param image.digest Memcached image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+## @param image.pullPolicy Memcached image pull policy
+## @param image.pullSecrets Specify docker-registry secret names as an array
+## @param image.debug Specify if debug values should be set
+##
+image:
+ registry: docker.io
+ repository: bitnami/memcached
+ tag: 1.6.24-debian-12-r0
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Set to true if you would like to see extra information on logs
+ ##
+ debug: false
+## @param architecture Memcached architecture. Allowed values: standalone or high-availability
+##
+architecture: standalone
+## Authentication parameters
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/memcached#creating-the-memcached-admin-user
+##
+auth:
+ ## @param auth.enabled Enable Memcached authentication
+ ##
+ enabled: false
+ ## @param auth.username Memcached admin user
+ ##
+ username: ""
+ ## @param auth.password Memcached admin password
+ ##
+ password: ""
+ ## @param auth.existingPasswordSecret Existing secret with Memcached credentials (must contain a value for `memcached-password` key)
+ ##
+ existingPasswordSecret: ""
+## @param command Override default container command (useful when using custom images)
+##
+command: []
+## @param args Override default container args (useful when using custom images)
+## e.g:
+## args:
+## - /run.sh
+## - -m <maxMemoryLimit>
+## - -I <maxItemSize>
+## - -vv
+##
+args: []
+## @param extraEnvVars Array with extra environment variables to add to Memcached nodes
+## e.g:
+## extraEnvVars:
+## - name: FOO
+## value: "bar"
+##
+extraEnvVars: []
+## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Memcached nodes
+##
+extraEnvVarsCM: ""
+## @param extraEnvVarsSecret Name of existing Secret containing extra env vars for Memcached nodes
+##
+extraEnvVarsSecret: ""
+## @section Deployment/Statefulset parameters
+
+## @param replicaCount Number of Memcached nodes
+##
+replicaCount: 1
+## @param containerPorts.memcached Memcached container port
+##
+containerPorts:
+ memcached: 11211
+## Configure extra options for Memcached containers' liveness, readiness and startup probes
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+## @param livenessProbe.enabled Enable livenessProbe on Memcached containers
+## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+## @param livenessProbe.periodSeconds Period seconds for livenessProbe
+## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
+## @param livenessProbe.successThreshold Success threshold for livenessProbe
+##
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+## @param readinessProbe.enabled Enable readinessProbe on Memcached containers
+## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+## @param readinessProbe.periodSeconds Period seconds for readinessProbe
+## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
+## @param readinessProbe.successThreshold Success threshold for readinessProbe
+##
+readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 3
+ failureThreshold: 6
+ successThreshold: 1
+## @param startupProbe.enabled Enable startupProbe on Memcached containers
+## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+## @param startupProbe.periodSeconds Period seconds for startupProbe
+## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
+## @param startupProbe.failureThreshold Failure threshold for startupProbe
+## @param startupProbe.successThreshold Success threshold for startupProbe
+##
+startupProbe:
+ enabled: false
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 15
+ successThreshold: 1
+## @param customLivenessProbe Custom livenessProbe that overrides the default one
+##
+customLivenessProbe: {}
+## @param customReadinessProbe Custom readinessProbe that overrides the default one
+##
+customReadinessProbe: {}
+## @param customStartupProbe Custom startupProbe that overrides the default one
+##
+customStartupProbe: {}
+## @param lifecycleHooks for the Memcached container(s) to automate configuration before or after startup
+##
+lifecycleHooks: {}
+## Memcached resource requests and limits
+## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+##
+resourcesPreset: "none"
+## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+## Example:
+## resources:
+## requests:
+## cpu: 2
+## memory: 512Mi
+## limits:
+## cpu: 3
+## memory: 1024Mi
+##
+resources: {}
+## Configure Pods Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+## @param podSecurityContext.enabled Enabled Memcached pods' Security Context
+## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
+## @param podSecurityContext.supplementalGroups Set filesystem extra groups
+## @param podSecurityContext.fsGroup Set Memcached pod's Security Context fsGroup
+##
+podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+## Configure Container Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+## @param containerSecurityContext.enabled Enabled containers' Security Context
+## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+## @param containerSecurityContext.privileged Set container's Security Context privileged
+## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
+## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+##
+containerSecurityContext:
+ enabled: true
+ seLinuxOptions: null
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+## @param automountServiceAccountToken Mount Service Account token in pod
+##
+automountServiceAccountToken: false
+## @param hostAliases Add deployment host aliases
+## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+##
+hostAliases: []
+## @param podLabels Extra labels for Memcached pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+podLabels: {}
+## @param podAnnotations Annotations for Memcached pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: {}
+## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAffinityPreset: ""
+## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAntiAffinityPreset: soft
+## Node affinity preset
+## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+##
+nodeAffinityPreset:
+ ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+## @param affinity Affinity for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
+##
+affinity: {}
+## @param nodeSelector Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+##
+nodeSelector: {}
+## @param tolerations Tolerations for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+##
+tolerations: []
+## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
+## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
+##
+topologySpreadConstraints: []
+## @param podManagementPolicy StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: `OrderedReady` and `Parallel`
+## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
+##
+podManagementPolicy: Parallel
+## @param priorityClassName Name of the existing priority class to be used by Memcached pods, priority class needs to be created beforehand
+## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+##
+priorityClassName: ""
+## @param schedulerName Kubernetes pod scheduler registry
+## https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+schedulerName: ""
+## @param terminationGracePeriodSeconds In seconds, time the given to the memcached pod needs to terminate gracefully
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+##
+terminationGracePeriodSeconds: ""
+## @param updateStrategy.type Memcached statefulset strategy type
+## @param updateStrategy.rollingUpdate Memcached statefulset rolling update configuration parameters
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+##
+updateStrategy:
+ type: RollingUpdate
+ rollingUpdate: {}
+## @param extraVolumes Optionally specify extra list of additional volumes for the Memcached pod(s)
+## Example Use Case: mount certificates to enable TLS
+## e.g:
+## extraVolumes:
+## - name: zookeeper-keystore
+## secret:
+## defaultMode: 288
+## secretName: zookeeper-keystore
+## - name: zookeeper-truststore
+## secret:
+## defaultMode: 288
+## secretName: zookeeper-truststore
+##
+extraVolumes: []
+## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Memcached container(s)
+## Example Use Case: mount certificates to enable TLS
+## e.g:
+## extraVolumeMounts:
+## - name: zookeeper-keystore
+## mountPath: /certs/keystore
+## readOnly: true
+## - name: zookeeper-truststore
+## mountPath: /certs/truststore
+## readOnly: true
+##
+extraVolumeMounts: []
+## @param sidecars Add additional sidecar containers to the Memcached pod(s)
+## e.g:
+## sidecars:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+sidecars: []
+## @param initContainers Add additional init containers to the Memcached pod(s)
+## Example:
+## initContainers:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+initContainers: []
+## Memcached Autoscaling
+## @param autoscaling.enabled Enable memcached statefulset autoscaling (requires architecture: "high-availability")
+## @param autoscaling.minReplicas memcached statefulset autoscaling minimum number of replicas
+## @param autoscaling.maxReplicas memcached statefulset autoscaling maximum number of replicas
+## @param autoscaling.targetCPU memcached statefulset autoscaling target CPU percentage
+## @param autoscaling.targetMemory memcached statefulset autoscaling target CPU memory
+##
+autoscaling:
+ enabled: false
+ minReplicas: 3
+ maxReplicas: 6
+ targetCPU: 50
+ targetMemory: 50
+## Memcached Pod Disruption Budget
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+## @param pdb.create Deploy a pdb object for the Memcached pod
+## @param pdb.minAvailable Minimum available Memcached replicas
+## @param pdb.maxUnavailable Maximum unavailable Memcached replicas
+##
+pdb:
+ create: false
+ minAvailable: ""
+ maxUnavailable: 1
+## @section Traffic Exposure parameters
+service:
+ ## @param service.type Kubernetes Service type
+ ##
+ type: ClusterIP
+ ## @param service.ports.memcached Memcached service port
+ ##
+ ports:
+ memcached: 11211
+ ## Node ports to expose
+ ## NOTE: choose port between <30000-32767>
+ ## @param service.nodePorts.memcached Node port for Memcached
+ ##
+ nodePorts:
+ memcached: ""
+ ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
+ ## Values: ClientIP or None
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ ##
+ sessionAffinity: ""
+ ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+ ## @param service.clusterIP Memcached service Cluster IP
+ ## e.g.:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param service.loadBalancerIP Memcached service Load Balancer IP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
+ ##
+ loadBalancerIP: ""
+ ## @param service.loadBalancerSourceRanges Memcached service Load Balancer sources
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## e.g:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param service.externalTrafficPolicy Memcached service external traffic policy
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param service.annotations Additional custom annotations for Memcached service
+ ##
+ annotations: {}
+ ## @param service.extraPorts Extra ports to expose in the Memcached service (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+## Network Policy configuration
+## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+##
+networkPolicy:
+ ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
+ ##
+ enabled: true
+ ## @param networkPolicy.allowExternal The Policy model to apply
+ ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is
+ ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraIngress: []
+ ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+## @section Other Parameters
+
+## Service account for Memcached to use.
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+##
+serviceAccount:
+ ## @param serviceAccount.create Enable creation of ServiceAccount for Memcached pod
+ ##
+ create: true
+ ## @param serviceAccount.name The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the common.names.fullname template
+ ##
+ name: ""
+ ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
+ ## Can be set to false if pods using this serviceAccount do not need to use K8s API
+ ##
+ automountServiceAccountToken: false
+ ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
+ ##
+ annotations: {}
+## @section Persistence parameters
+
+## Enable persistence using Persistent Volume Claims
+## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+##
+persistence:
+ ## @param persistence.enabled Enable Memcached data persistence using PVC. If false, use emptyDir
+ ##
+ enabled: false
+ ## @param persistence.storageClass PVC Storage Class for Memcached data volume
+ ## If defined, storageClassName: <storageClass>
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ storageClass: ""
+ ## @param persistence.accessModes PVC Access modes
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param persistence.size PVC Storage Request for Memcached data volume
+ ##
+ size: 8Gi
+ ## @param persistence.annotations Annotations for the PVC
+ ##
+ annotations: {}
+ ## @param persistence.labels Labels for the PVC
+ ##
+ labels: {}
+ ## @param persistence.selector Selector to match an existing Persistent Volume for Memcached's data PVC
+ ## If set, the PVC can't have a PV dynamically provisioned for it
+ ## E.g.
+ ## selector:
+ ## matchLabels:
+ ## app: my-app
+ ##
+ selector: {}
+## @section Volume Permissions parameters
+##
+
+## Init containers parameters:
+## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
+##
+volumePermissions:
+ ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
+ ##
+ enabled: false
+ ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry
+ ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository
+ ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
+ ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
+ ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/os-shell
+ tag: 12-debian-12-r16
+ digest: ""
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Init container resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "none"
+ ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## Init container' Security Context
+ ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
+ ## and not the below volumePermissions.containerSecurityContext.runAsUser
+ ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
+ ##
+ containerSecurityContext:
+ seLinuxOptions: null
+ runAsUser: 0
+## Prometheus Exporter / Metrics
+##
+metrics:
+ ## @param metrics.enabled Start a side-car prometheus exporter
+ ##
+ enabled: false
+ ## Bitnami Memcached Prometheus Exporter image
+ ## ref: https://hub.docker.com/r/bitnami/memcached-exporter/tags/
+ ## @param metrics.image.registry [default: REGISTRY_NAME] Memcached exporter image registry
+ ## @param metrics.image.repository [default: REPOSITORY_NAME/memcached-exporter] Memcached exporter image repository
+ ## @skip metrics.image.tag Memcached exporter image tag (immutable tags are recommended)
+ ## @param metrics.image.digest Memcached exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param metrics.image.pullPolicy Image pull policy
+ ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/memcached-exporter
+ tag: 0.14.2-debian-12-r10
+ digest: ""
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## @param metrics.containerPorts.metrics Memcached Prometheus Exporter container port
+ ##
+ containerPorts:
+ metrics: 9150
+ ## Memcached Prometheus exporter container resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "none"
+ ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## Configure Metrics Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: null
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ ## Configure extra options for Memcached Prometheus exporter containers' liveness, readiness and startup probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+ ## @param metrics.livenessProbe.enabled Enable livenessProbe on Memcached Prometheus exporter containers
+ ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ ## @param metrics.readinessProbe.enabled Enable readinessProbe on Memcached Prometheus exporter containers
+ ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 3
+ failureThreshold: 3
+ successThreshold: 1
+ ## @param metrics.startupProbe.enabled Enable startupProbe on Memcached Prometheus exporter containers
+ ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 15
+ successThreshold: 1
+ ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param metrics.podAnnotations [object] Memcached Prometheus exporter pod Annotation and Labels
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "{{ .Values.metrics.containerPorts.metrics }}"
+ ## Service configuration
+ ##
+ service:
+ ## @param metrics.service.ports.metrics Prometheus metrics service port
+ ##
+ ports:
+ metrics: 9150
+ ## @param metrics.service.clusterIP Static clusterIP or None for headless services
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+ ##
+ clusterIP: ""
+ ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
+ ## Values: ClientIP or None
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ ##
+ sessionAffinity: None
+ ## @param metrics.service.annotations [object] Annotations for the Prometheus metrics service
+ ##
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}"
+ ## Prometheus Operator ServiceMonitor configuration
+ ##
+ serviceMonitor:
+ ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator
+ ##
+ enabled: false
+ ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace)
+ ##
+ namespace: ""
+ ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ interval: ""
+ ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ scrapeTimeout: ""
+ ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
+ ##
+ labels: {}
+ ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
+ ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
+ ##
+ selector: {}
+ ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
+ ##
+ relabelings: []
+ ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
+ ##
+ metricRelabelings: []
+ ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
+ ##
+ honorLabels: false
+ ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+ ##
+ jobLabel: ""
diff --git a/charts/openproject/charts/postgresql/.helmignore b/charts/openproject/charts/postgresql/.helmignore
new file mode 100644
index 0000000..f0c1319
--- /dev/null
+++ b/charts/openproject/charts/postgresql/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/openproject/charts/postgresql/Chart.lock b/charts/openproject/charts/postgresql/Chart.lock
new file mode 100644
index 0000000..65b5f10
--- /dev/null
+++ b/charts/openproject/charts/postgresql/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+ repository: oci://registry-1.docker.io/bitnamicharts
+ version: 2.12.0
+digest: sha256:bee62139700f032539621dd38fa1d7285f277b91577c55ea26045254d33825ed
+generated: "2023-09-22T17:01:50.438576915Z"
diff --git a/charts/openproject/charts/postgresql/Chart.yaml b/charts/openproject/charts/postgresql/Chart.yaml
new file mode 100644
index 0000000..fccc345
--- /dev/null
+++ b/charts/openproject/charts/postgresql/Chart.yaml
@@ -0,0 +1,37 @@
+annotations:
+ category: Database
+ images: |
+ - name: os-shell
+ image: docker.io/bitnami/os-shell:11-debian-11-r77
+ - name: postgres-exporter
+ image: docker.io/bitnami/postgres-exporter:0.14.0-debian-11-r2
+ - name: postgresql
+ image: docker.io/bitnami/postgresql:15.4.0-debian-11-r45
+ licenses: Apache-2.0
+apiVersion: v2
+appVersion: 15.4.0
+dependencies:
+- name: common
+ repository: oci://registry-1.docker.io/bitnamicharts
+ tags:
+ - bitnami-common
+ version: 2.x.x
+description: PostgreSQL (Postgres) is an open source object-relational database known
+ for reliability and data integrity. ACID-compliant, it supports foreign keys, joins,
+ views, triggers and stored procedures.
+home: https://bitnami.com
+icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png
+keywords:
+- postgresql
+- postgres
+- database
+- sql
+- replication
+- cluster
+maintainers:
+- name: VMware, Inc.
+ url: https://github.com/bitnami/charts
+name: postgresql
+sources:
+- https://github.com/bitnami/charts/tree/main/bitnami/postgresql
+version: 12.12.10
diff --git a/charts/openproject/charts/postgresql/README.md b/charts/openproject/charts/postgresql/README.md
new file mode 100644
index 0000000..09cf3fb
--- /dev/null
+++ b/charts/openproject/charts/postgresql/README.md
@@ -0,0 +1,743 @@
+<!--- app-name: PostgreSQL -->
+
+# PostgreSQL packaged by Bitnami
+
+PostgreSQL (Postgres) is an open source object-relational database known for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, views, triggers and stored procedures.
+
+[Overview of PostgreSQL](http://www.postgresql.org)
+
+Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
+
+## TL;DR
+
+```console
+helm install my-release oci://registry-1.docker.io/bitnamicharts/postgresql
+```
+
+## Introduction
+
+This chart bootstraps a [PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+For HA, please see [this repo](https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha)
+
+Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
+
+Looking to use PostgreSQL in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.2.0+
+- PV provisioner support in the underlying infrastructure
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```console
+helm install my-release oci://registry-1.docker.io/bitnamicharts/postgresql
+```
+
+The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
+
+> **Tip**: List all releases using `helm list`
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```console
+helm delete my-release
+```
+
+The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release.
+
+To delete the PVC's associated with `my-release`:
+
+```console
+kubectl delete pvc -l release=my-release
+```
+
+> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it.
+
+## Parameters
+
+### Global parameters
+
+| Name | Description | Value |
+| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
+| `global.imageRegistry` | Global Docker image registry | `""` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
+| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` |
+| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` |
+| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` |
+| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` |
+| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` |
+| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
+| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
+| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
+| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` |
+
+### Common parameters
+
+| Name | Description | Value |
+| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- |
+| `kubeVersion` | Override Kubernetes version | `""` |
+| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` |
+| `fullnameOverride` | String to fully override common.names.fullname template | `""` |
+| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` |
+| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` |
+| `commonLabels` | Add labels to all the deployed resources | `{}` |
+| `commonAnnotations` | Add annotations to all the deployed resources | `{}` |
+| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
+| `diagnosticMode.command` | Command to override all containers in the statefulset | `["sleep"]` |
+| `diagnosticMode.args` | Args to override all containers in the statefulset | `["infinity"]` |
+
+### PostgreSQL common parameters
+
+| Name | Description | Value |
+| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
+| `image.registry` | PostgreSQL image registry | `docker.io` |
+| `image.repository` | PostgreSQL image repository | `bitnami/postgresql` |
+| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.4.0-debian-11-r45` |
+| `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Specify image pull secrets | `[]` |
+| `image.debug` | Specify if debug values should be set | `false` |
+| `auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `true` |
+| `auth.postgresPassword` | Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided | `""` |
+| `auth.username` | Name for a custom user to create | `""` |
+| `auth.password` | Password for the custom user to create. Ignored if `auth.existingSecret` is provided | `""` |
+| `auth.database` | Name for a custom database to create | `""` |
+| `auth.replicationUsername` | Name of the replication user | `repl_user` |
+| `auth.replicationPassword` | Password for the replication user. Ignored if `auth.existingSecret` is provided | `""` |
+| `auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. | `""` |
+| `auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `postgres-password` |
+| `auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `password` |
+| `auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `replication-password` |
+| `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `false` |
+| `architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
+| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` |
+| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. | `0` |
+| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` |
+| `containerPorts.postgresql` | PostgreSQL container port | `5432` |
+| `audit.logHostname` | Log client hostnames | `false` |
+| `audit.logConnections` | Add client log-in operations to the log file | `false` |
+| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` |
+| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `""` |
+| `audit.pgAuditLogCatalog` | Log catalog using pgAudit | `off` |
+| `audit.clientMinMessages` | Message log level to share with the user | `error` |
+| `audit.logLinePrefix` | Template for log line prefix (default if not set) | `""` |
+| `audit.logTimezone` | Timezone for the log timestamps | `""` |
+| `ldap.enabled` | Enable LDAP support | `false` |
+| `ldap.server` | IP address or name of the LDAP server. | `""` |
+| `ldap.port` | Port number on the LDAP server to connect to | `""` |
+| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `""` |
+| `ldap.suffix` | String to append to the user name when forming the DN to bind | `""` |
+| `ldap.basedn` | Root DN to begin the search for the user in | `""` |
+| `ldap.binddn` | DN of user to bind to LDAP | `""` |
+| `ldap.bindpw` | Password for the user to bind to LDAP | `""` |
+| `ldap.searchAttribute` | Attribute to match against the user name in the search | `""` |
+| `ldap.searchFilter` | The search filter to use when doing search+bind authentication | `""` |
+| `ldap.scheme` | Set to `ldaps` to use LDAPS | `""` |
+| `ldap.tls.enabled` | Se to true to enable TLS encryption | `false` |
+| `ldap.uri` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. | `""` |
+| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql/data` |
+| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` |
+| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) | `true` |
+| `shmVolume.sizeLimit` | Set this to enable a size limit on the shm tmpfs | `""` |
+| `tls.enabled` | Enable TLS traffic support | `false` |
+| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` |
+| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` |
+| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `""` |
+| `tls.certFilename` | Certificate filename | `""` |
+| `tls.certKeyFilename` | Certificate key filename | `""` |
+| `tls.certCAFilename` | CA Certificate filename | `""` |
+| `tls.crlFilename` | File containing a Certificate Revocation List | `""` |
+
+### PostgreSQL Primary parameters
+
+| Name | Description | Value |
+| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- |
+| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` |
+| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` |
+| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` |
+| `primary.existingConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary configuration | `""` |
+| `primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `""` |
+| `primary.existingExtendedConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary extended configuration | `""` |
+| `primary.initdb.args` | PostgreSQL initdb extra arguments | `""` |
+| `primary.initdb.postgresqlWalDir` | Specify a custom location for the PostgreSQL transaction log | `""` |
+| `primary.initdb.scripts` | Dictionary of initdb scripts | `{}` |
+| `primary.initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot | `""` |
+| `primary.initdb.scriptsSecret` | Secret with scripts to be run at first boot (in case it contains sensitive information) | `""` |
+| `primary.initdb.user` | Specify the PostgreSQL username to execute the initdb scripts | `""` |
+| `primary.initdb.password` | Specify the PostgreSQL password to execute the initdb scripts | `""` |
+| `primary.standby.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not | `false` |
+| `primary.standby.primaryHost` | The Host of replication primary in the other cluster | `""` |
+| `primary.standby.primaryPort` | The Port of replication primary in the other cluster | `""` |
+| `primary.extraEnvVars` | Array with extra environment variables to add to PostgreSQL Primary nodes | `[]` |
+| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes | `""` |
+| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL Primary nodes | `""` |
+| `primary.command` | Override default container command (useful when using custom images) | `[]` |
+| `primary.args` | Override default container args (useful when using custom images) | `[]` |
+| `primary.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Primary containers | `true` |
+| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
+| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `primary.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Primary containers | `true` |
+| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
+| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
+| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `primary.startupProbe.enabled` | Enable startupProbe on PostgreSQL Primary containers | `false` |
+| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
+| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
+| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
+| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `primary.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` |
+| `primary.resources.limits` | The resources limits for the PostgreSQL Primary containers | `{}` |
+| `primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `256Mi` |
+| `primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `250m` |
+| `primary.podSecurityContext.enabled` | Enable security context | `true` |
+| `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
+| `primary.containerSecurityContext.enabled` | Enable container security context | `true` |
+| `primary.containerSecurityContext.runAsUser` | User ID for the container | `1001` |
+| `primary.containerSecurityContext.runAsGroup` | Group ID for the container | `0` |
+| `primary.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot for the container | `true` |
+| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation for the container | `false` |
+| `primary.containerSecurityContext.seccompProfile.type` | Set seccompProfile.type for the container | `RuntimeDefault` |
+| `primary.containerSecurityContext.capabilities.drop` | Set capabilities.drop for the container | `["ALL"]` |
+| `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` |
+| `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) | `false` |
+| `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` |
+| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` |
+| `primary.annotations` | Annotations for PostgreSQL primary pods | `{}` |
+| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` |
+| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` |
+| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` |
+| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` |
+| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` |
+| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` |
+| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` |
+| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
+| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `""` |
+| `primary.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
+| `primary.terminationGracePeriodSeconds` | Seconds PostgreSQL primary pod needs to terminate gracefully | `""` |
+| `primary.updateStrategy.type` | PostgreSQL Primary statefulset strategy type | `RollingUpdate` |
+| `primary.updateStrategy.rollingUpdate` | PostgreSQL Primary statefulset rolling update configuration parameters | `{}` |
+| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) | `[]` |
+| `primary.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) | `[]` |
+| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` |
+| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` |
+| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` |
+| `primary.service.type` | Kubernetes Service type | `ClusterIP` |
+| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` |
+| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
+| `primary.service.clusterIP` | Static clusterIP or None for headless services | `""` |
+| `primary.service.annotations` | Annotations for PostgreSQL primary service | `{}` |
+| `primary.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` |
+| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
+| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
+| `primary.service.extraPorts` | Extra ports to expose in the PostgreSQL primary service | `[]` |
+| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
+| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `primary.service.headless.annotations` | Additional custom annotations for headless PostgreSQL primary service | `{}` |
+| `primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` |
+| `primary.persistence.existingClaim` | Name of an existing PVC to use | `""` |
+| `primary.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` |
+| `primary.persistence.subPath` | The subdirectory of the volume to mount to | `""` |
+| `primary.persistence.storageClass` | PVC Storage Class for PostgreSQL Primary data volume | `""` |
+| `primary.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
+| `primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
+| `primary.persistence.annotations` | Annotations for the PVC | `{}` |
+| `primary.persistence.labels` | Labels for the PVC | `{}` |
+| `primary.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
+| `primary.persistence.dataSource` | Custom PVC data source | `{}` |
+| `primary.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for Primary Statefulset | `false` |
+| `primary.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
+| `primary.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
+
+### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
+
+| Name | Description | Value |
+| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- |
+| `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...) | `read` |
+| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` |
+| `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` |
+| `readReplicas.extraEnvVars` | Array with extra environment variables to add to PostgreSQL read only nodes | `[]` |
+| `readReplicas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes | `""` |
+| `readReplicas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL read only nodes | `""` |
+| `readReplicas.command` | Override default container command (useful when using custom images) | `[]` |
+| `readReplicas.args` | Override default container args (useful when using custom images) | `[]` |
+| `readReplicas.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL read only containers | `true` |
+| `readReplicas.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
+| `readReplicas.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `readReplicas.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `readReplicas.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `readReplicas.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `readReplicas.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL read only containers | `true` |
+| `readReplicas.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `readReplicas.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
+| `readReplicas.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
+| `readReplicas.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `readReplicas.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `readReplicas.startupProbe.enabled` | Enable startupProbe on PostgreSQL read only containers | `false` |
+| `readReplicas.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
+| `readReplicas.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `readReplicas.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
+| `readReplicas.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
+| `readReplicas.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `readReplicas.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` |
+| `readReplicas.resources.limits` | The resources limits for the PostgreSQL read only containers | `{}` |
+| `readReplicas.resources.requests.memory` | The requested memory for the PostgreSQL read only containers | `256Mi` |
+| `readReplicas.resources.requests.cpu` | The requested cpu for the PostgreSQL read only containers | `250m` |
+| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` |
+| `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
+| `readReplicas.containerSecurityContext.enabled` | Enable container security context | `true` |
+| `readReplicas.containerSecurityContext.runAsUser` | User ID for the container | `1001` |
+| `readReplicas.containerSecurityContext.runAsGroup` | Group ID for the container | `0` |
+| `readReplicas.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot for the container | `true` |
+| `readReplicas.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation for the container | `false` |
+| `readReplicas.containerSecurityContext.seccompProfile.type` | Set seccompProfile.type for the container | `RuntimeDefault` |
+| `readReplicas.containerSecurityContext.capabilities.drop` | Set capabilities.drop for the container | `["ALL"]` |
+| `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` |
+| `readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` |
+| `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` |
+| `readReplicas.labels` | Map of labels to add to the statefulset (PostgreSQL read only) | `{}` |
+| `readReplicas.annotations` | Annotations for PostgreSQL read only pods | `{}` |
+| `readReplicas.podLabels` | Map of labels to add to the pods (PostgreSQL read only) | `{}` |
+| `readReplicas.podAnnotations` | Map of annotations to add to the pods (PostgreSQL read only) | `{}` |
+| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` |
+| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` |
+| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` |
+| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` |
+| `readReplicas.tolerations` | Tolerations for PostgreSQL read only pods assignment | `[]` |
+| `readReplicas.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
+| `readReplicas.priorityClassName` | Priority Class to use for each pod (PostgreSQL read only) | `""` |
+| `readReplicas.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
+| `readReplicas.terminationGracePeriodSeconds` | Seconds PostgreSQL read only pod needs to terminate gracefully | `""` |
+| `readReplicas.updateStrategy.type` | PostgreSQL read only statefulset strategy type | `RollingUpdate` |
+| `readReplicas.updateStrategy.rollingUpdate` | PostgreSQL read only statefulset rolling update configuration parameters | `{}` |
+| `readReplicas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) | `[]` |
+| `readReplicas.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) | `[]` |
+| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` |
+| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` |
+| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` |
+| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` |
+| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` |
+| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
+| `readReplicas.service.clusterIP` | Static clusterIP or None for headless services | `""` |
+| `readReplicas.service.annotations` | Annotations for PostgreSQL read only service | `{}` |
+| `readReplicas.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` |
+| `readReplicas.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
+| `readReplicas.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
+| `readReplicas.service.extraPorts` | Extra ports to expose in the PostgreSQL read only service | `[]` |
+| `readReplicas.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
+| `readReplicas.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `readReplicas.service.headless.annotations` | Additional custom annotations for headless PostgreSQL read only service | `{}` |
+| `readReplicas.persistence.enabled` | Enable PostgreSQL read only data persistence using PVC | `true` |
+| `readReplicas.persistence.existingClaim` | Name of an existing PVC to use | `""` |
+| `readReplicas.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` |
+| `readReplicas.persistence.subPath` | The subdirectory of the volume to mount to | `""` |
+| `readReplicas.persistence.storageClass` | PVC Storage Class for PostgreSQL read only data volume | `""` |
+| `readReplicas.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
+| `readReplicas.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
+| `readReplicas.persistence.annotations` | Annotations for the PVC | `{}` |
+| `readReplicas.persistence.labels` | Labels for the PVC | `{}` |
+| `readReplicas.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
+| `readReplicas.persistence.dataSource` | Custom PVC data source | `{}` |
+| `readReplicas.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for read only Statefulset | `false` |
+| `readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
+| `readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
+
+### Backup parameters
+
+| Name | Description | Value |
+| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` |
+| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` |
+| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` |
+| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` |
+| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` |
+| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` |
+| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` |
+| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` |
+| `backup.cronjob.podSecurityContext.enabled` | Enable PodSecurityContext for CronJob/Backup | `true` |
+| `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` |
+| `backup.cronjob.containerSecurityContext.runAsUser` | User ID for the backup container | `1001` |
+| `backup.cronjob.containerSecurityContext.runAsGroup` | Group ID for the backup container | `0` |
+| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set backup container's Security Context runAsNonRoot | `true` |
+| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Is the container itself readonly | `true` |
+| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate backup pod(s) privileges | `false` |
+| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set backup container's Security Context seccompProfile type | `RuntimeDefault` |
+| `backup.cronjob.containerSecurityContext.capabilities.drop` | Set backup container's Security Context capabilities to drop | `["ALL"]` |
+| `backup.cronjob.command` | Set backup container's command to run | `["/bin/sh","-c","pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"]` |
+| `backup.cronjob.labels` | Set the cronjob labels | `{}` |
+| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` |
+| `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` |
+| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` |
+| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` |
+| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` |
+| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` |
+| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` |
+| `backup.cronjob.storage.annotations` | PVC annotations | `{}` |
+| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/pgdump` |
+| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` |
+| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` |
+
+### NetworkPolicy parameters
+
+| Name | Description | Value |
+| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `networkPolicy.enabled` | Enable network policies | `false` |
+| `networkPolicy.metrics.enabled` | Enable network policies for metrics (prometheus) | `false` |
+| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` |
+| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` |
+| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. | `false` |
+| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). | `{}` |
+| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). | `{}` |
+| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL primary node. | `[]` |
+| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. | `false` |
+| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). | `{}` |
+| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). | `{}` |
+| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL read-only nodes. | `[]` |
+| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` |
+| `networkPolicy.egressRules.customRules` | Custom network policy rule | `[]` |
+
+### Volume Permissions parameters
+
+| Name | Description | Value |
+| ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
+| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` |
+| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
+| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/os-shell` |
+| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r77` |
+| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
+| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
+| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` |
+| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` |
+| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` |
+| `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` |
+| `volumePermissions.containerSecurityContext.runAsNonRoot` | runAsNonRoot for the init container | `false` |
+| `volumePermissions.containerSecurityContext.seccompProfile.type` | seccompProfile.type for the init container | `RuntimeDefault` |
+
+### Other Parameters
+
+| Name | Description | Value |
+| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` |
+| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `false` |
+| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
+| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` |
+| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
+| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` |
+| `rbac.rules` | Custom RBAC rules to set | `[]` |
+| `psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
+
+### Metrics Parameters
+
+| Name | Description | Value |
+| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------------- |
+| `metrics.enabled` | Start a prometheus exporter | `false` |
+| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `docker.io` |
+| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `bitnami/postgres-exporter` |
+| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.14.0-debian-11-r2` |
+| `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` |
+| `metrics.image.pullSecrets` | Specify image pull secrets | `[]` |
+| `metrics.customMetrics` | Define additional custom metrics | `{}` |
+| `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` |
+| `metrics.containerSecurityContext.enabled` | Enable PostgreSQL Prometheus exporter containers' Security Context | `true` |
+| `metrics.containerSecurityContext.runAsUser` | Set PostgreSQL Prometheus exporter containers' Security Context runAsUser | `1001` |
+| `metrics.containerSecurityContext.runAsGroup` | Set PostgreSQL Prometheus exporter containers' Security Context runAsGroup | `0` |
+| `metrics.containerSecurityContext.runAsNonRoot` | Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot | `true` |
+| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set PostgreSQL Prometheus exporter containers' Security Context allowPrivilegeEscalation | `false` |
+| `metrics.containerSecurityContext.seccompProfile.type` | Set PostgreSQL Prometheus exporter containers' Security Context seccompProfile.type | `RuntimeDefault` |
+| `metrics.containerSecurityContext.capabilities.drop` | Set PostgreSQL Prometheus exporter containers' Security Context capabilities.drop | `["ALL"]` |
+| `metrics.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Prometheus exporter containers | `true` |
+| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
+| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `metrics.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Prometheus exporter containers | `true` |
+| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
+| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
+| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `metrics.startupProbe.enabled` | Enable startupProbe on PostgreSQL Prometheus exporter containers | `false` |
+| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
+| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
+| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
+| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` |
+| `metrics.resources.limits` | The resources limits for the PostgreSQL Prometheus exporter container | `{}` |
+| `metrics.resources.requests` | The requested resources for the PostgreSQL Prometheus exporter container | `{}` |
+| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` |
+| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` |
+| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
+| `metrics.service.annotations` | Annotations for Prometheus to auto-discover the metrics endpoint | `{}` |
+| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` |
+| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` |
+| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` |
+| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
+| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` |
+| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
+| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` |
+| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` |
+| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
+| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
+| `metrics.prometheusRule.enabled` | Create a PrometheusRule for Prometheus Operator | `false` |
+| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` |
+| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` |
+| `metrics.prometheusRule.rules` | PrometheusRule definitions | `[]` |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```console
+helm install my-release \
+ --set auth.postgresPassword=secretpassword
+ oci://registry-1.docker.io/bitnamicharts/postgresql
+```
+
+The above command sets the PostgreSQL `postgres` account password to `secretpassword`.
+
+> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
+> **Warning** Setting a password will be ignored on new installation in case when previous PostgreSQL release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. Refer to [issue 2061](https://github.com/bitnami/charts/issues/2061) for more details
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```console
+helm install my-release -f values.yaml oci://registry-1.docker.io/bitnamicharts/postgresql
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+## Configuration and installation details
+
+### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
+
+It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
+
+Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
+
+### Customizing primary and read replica services in a replicated configuration
+
+At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object.
+
+### Use a different PostgreSQL version
+
+To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/configuration/change-image-version/).
+
+### postgresql.conf / pg_hba.conf files as configMap
+
+This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`.
+
+You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter.
+
+In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options.
+
+### Initialize a fresh instance
+
+The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string.
+
+In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter.
+
+The allowed extensions are `.sh`, `.sql` and `.sql.gz`.
+
+### Securing traffic using TLS
+
+TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart:
+
+- `tls.enabled`: Enable TLS support. Defaults to `false`
+- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults.
+- `tls.certFilename`: Certificate filename. No defaults.
+- `tls.certKeyFilename`: Certificate key filename. No defaults.
+
+For example:
+
+- First, create the secret with the cetificates files:
+
+ ```console
+ kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt
+ ```
+
+- Then, use the following parameters:
+
+ ```console
+ volumePermissions.enabled=true
+ tls.enabled=true
+ tls.certificatesSecret="certificates-tls-secret"
+ tls.certFilename="cert.crt"
+ tls.certKeyFilename="cert.key"
+ ```
+
+ > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected.
+
+### Sidecars
+
+If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
+
+```yaml
+# For the PostgreSQL primary
+primary:
+ sidecars:
+ - name: your-image-name
+ image: your-image
+ imagePullPolicy: Always
+ ports:
+ - name: portname
+ containerPort: 1234
+# For the PostgreSQL replicas
+readReplicas:
+ sidecars:
+ - name: your-image-name
+ image: your-image
+ imagePullPolicy: Always
+ ports:
+ - name: portname
+ containerPort: 1234
+```
+
+### Metrics
+
+The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml).
+
+The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details.
+
+### Use of global variables
+
+In more complex scenarios, we may have the following tree of dependencies
+
+```text
+ +--------------+
+ | |
+ +------------+ Chart 1 +-----------+
+ | | | |
+ | --------+------+ |
+ | | |
+ | | |
+ | | |
+ | | |
+ v v v
++-------+------+ +--------+------+ +--------+------+
+| | | | | |
+| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 |
+| | | | | |
++--------------+ +---------------+ +---------------+
+```
+
+The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters:
+
+```text
+postgresql.auth.username=testuser
+subchart1.postgresql.auth.username=testuser
+subchart2.postgresql.auth.username=testuser
+postgresql.auth.password=testpass
+subchart1.postgresql.auth.password=testpass
+subchart2.postgresql.auth.password=testpass
+postgresql.auth.database=testdb
+subchart1.postgresql.auth.database=testdb
+subchart2.postgresql.auth.database=testdb
+```
+
+If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows:
+
+```text
+global.postgresql.auth.username=testuser
+global.postgresql.auth.password=testpass
+global.postgresql.auth.database=testdb
+```
+
+This way, the credentials will be available in all of the subcharts.
+
+## Persistence
+
+The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container.
+
+Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
+See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
+
+If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished.
+
+## NetworkPolicy
+
+To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`.
+
+For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace:
+
+```console
+kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
+```
+
+With NetworkPolicy enabled, traffic will be limited to just port 5432.
+
+For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL.
+This label will be displayed in the output of a successful install.
+
+## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image
+
+- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image.
+- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift.
+- For OpenShift up to 4.10, let set the volume permissions, security context, runAsUser and fsGroup automatically by OpenShift and disable the predefined settings of the helm chart: primary.securityContext.enabled=false,primary.containerSecurityContext.enabled=false,volumePermissions.enabled=false,shmVolume.enabled=false
+- For OpenShift 4.11 and higher, let set OpenShift the runAsUser and fsGroup automatically. Configure the pod and container security context to restrictive defaults and disable the volume permissions setup: primary.
+ podSecurityContext.fsGroup=null,primary.podSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.runAsUser=null,primary.containerSecurityContext.allowPrivilegeEscalation=false,primary.containerSecurityContext.runAsNonRoot=true,primary.containerSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.capabilities.drop=['ALL'],volumePermissions.enabled=false,shmVolume.enabled=false
+
+### Setting Pod's affinity
+
+This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
+
+As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters.
+
+## Troubleshooting
+
+Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
+
+## Upgrading
+
+### To 12.0.0
+
+This major version changes the default PostgreSQL image from 14.x to 15.x. Follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html) to upgrade to 15.x.
+
+### To any previous version
+
+Refer to the [chart documentation for more information about how to upgrade from previous releases](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/).
+
+## License
+
+Copyright © 2023 VMware, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+<http://www.apache.org/licenses/LICENSE-2.0>
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/charts/openproject/charts/postgresql/charts/common/.helmignore b/charts/openproject/charts/postgresql/charts/common/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/openproject/charts/postgresql/charts/common/Chart.yaml b/charts/openproject/charts/postgresql/charts/common/Chart.yaml
new file mode 100644
index 0000000..662a6d7
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/Chart.yaml
@@ -0,0 +1,23 @@
+annotations:
+ category: Infrastructure
+ licenses: Apache-2.0
+apiVersion: v2
+appVersion: 2.12.0
+description: A Library Helm Chart for grouping common logic between bitnami charts.
+ This chart is not deployable by itself.
+home: https://bitnami.com
+icon: https://bitnami.com/downloads/logos/bitnami-mark.png
+keywords:
+- common
+- helper
+- template
+- function
+- bitnami
+maintainers:
+- name: VMware, Inc.
+ url: https://github.com/bitnami/charts
+name: common
+sources:
+- https://github.com/bitnami/charts
+type: library
+version: 2.12.0
diff --git a/charts/openproject/charts/postgresql/charts/common/README.md b/charts/openproject/charts/postgresql/charts/common/README.md
new file mode 100644
index 0000000..fe6a010
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/README.md
@@ -0,0 +1,235 @@
+# Bitnami Common Library Chart
+
+A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts.
+
+## TL;DR
+
+```yaml
+dependencies:
+ - name: common
+ version: 2.x.x
+ repository: oci://registry-1.docker.io/bitnamicharts
+```
+
+```console
+helm dependency update
+```
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.names.fullname" . }}
+data:
+ myvalue: "Hello World"
+```
+
+## Introduction
+
+This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
+
+Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
+
+Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.2.0+
+
+## Parameters
+
+## Special input schemas
+
+### ImageRoot
+
+```yaml
+registry:
+ type: string
+ description: Docker registry where the image is located
+ example: docker.io
+
+repository:
+ type: string
+ description: Repository and image name
+ example: bitnami/nginx
+
+tag:
+ type: string
+ description: image tag
+ example: 1.16.1-debian-10-r63
+
+pullPolicy:
+ type: string
+ description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+
+pullSecrets:
+ type: array
+ items:
+ type: string
+ description: Optionally specify an array of imagePullSecrets (evaluated as templates).
+
+debug:
+ type: boolean
+ description: Set to true if you would like to see extra information on logs
+ example: false
+
+## An instance would be:
+# registry: docker.io
+# repository: bitnami/nginx
+# tag: 1.16.1-debian-10-r63
+# pullPolicy: IfNotPresent
+# debug: false
+```
+
+### Persistence
+
+```yaml
+enabled:
+ type: boolean
+ description: Whether enable persistence.
+ example: true
+
+storageClass:
+ type: string
+ description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
+ example: "-"
+
+accessMode:
+ type: string
+ description: Access mode for the Persistent Volume Storage.
+ example: ReadWriteOnce
+
+size:
+ type: string
+ description: Size the Persistent Volume Storage.
+ example: 8Gi
+
+path:
+ type: string
+ description: Path to be persisted.
+ example: /bitnami
+
+## An instance would be:
+# enabled: true
+# storageClass: "-"
+# accessMode: ReadWriteOnce
+# size: 8Gi
+# path: /bitnami
+```
+
+### ExistingSecret
+
+```yaml
+name:
+ type: string
+ description: Name of the existing secret.
+ example: mySecret
+keyMapping:
+ description: Mapping between the expected key name and the name of the key in the existing secret.
+ type: object
+
+## An instance would be:
+# name: mySecret
+# keyMapping:
+# password: myPasswordKey
+```
+
+#### Example of use
+
+When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets.
+
+```yaml
+# templates/secret.yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ labels:
+ app: {{ include "common.names.fullname" . }}
+type: Opaque
+data:
+ password: {{ .Values.password | b64enc | quote }}
+
+# templates/dpl.yaml
+---
+...
+ env:
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
+ key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
+...
+
+# values.yaml
+---
+name: mySecret
+keyMapping:
+ password: myPasswordKey
+```
+
+### ValidateValue
+
+#### NOTES.txt
+
+```console
+{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}}
+{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}}
+
+{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
+```
+
+If we force those values to be empty we will see some alerts
+
+```console
+helm install test mychart --set path.to.value00="",path.to.value01=""
+ 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:
+
+ export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d)
+
+ 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value:
+
+ export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d)
+```
+
+## Upgrading
+
+### To 1.0.0
+
+[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
+
+#### What changes were introduced in this major version?
+
+- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
+- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information.
+- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
+
+#### Considerations when upgrading to this version
+
+- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
+- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
+- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
+
+#### Useful links
+
+- <https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/>
+- <https://helm.sh/docs/topics/v2_v3_migration/>
+- <https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/>
+
+## License
+
+Copyright © 2023 VMware, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+<http://www.apache.org/licenses/LICENSE-2.0>
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/_affinities.tpl b/charts/openproject/charts/postgresql/charts/common/templates/_affinities.tpl
new file mode 100644
index 0000000..e85b1df
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/_affinities.tpl
@@ -0,0 +1,139 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a soft nodeAffinity definition
+{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes.soft" -}}
+preferredDuringSchedulingIgnoredDuringExecution:
+ - preference:
+ matchExpressions:
+ - key: {{ .key }}
+ operator: In
+ values:
+ {{- range .values }}
+ - {{ . | quote }}
+ {{- end }}
+ weight: 1
+{{- end -}}
+
+{{/*
+Return a hard nodeAffinity definition
+{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes.hard" -}}
+requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: {{ .key }}
+ operator: In
+ values:
+ {{- range .values }}
+ - {{ . | quote }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return a nodeAffinity definition
+{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes" -}}
+ {{- if eq .type "soft" }}
+ {{- include "common.affinities.nodes.soft" . -}}
+ {{- else if eq .type "hard" }}
+ {{- include "common.affinities.nodes.hard" . -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return a topologyKey definition
+{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}}
+*/}}
+{{- define "common.affinities.topologyKey" -}}
+{{ .topologyKey | default "kubernetes.io/hostname" -}}
+{{- end -}}
+
+{{/*
+Return a soft podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
+*/}}
+{{- define "common.affinities.pods.soft" -}}
+{{- $component := default "" .component -}}
+{{- $customLabels := default (dict) .customLabels -}}
+{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
+preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := $extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ weight: 1
+ {{- range $extraPodAffinityTerms }}
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := .extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ weight: {{ .weight | default 1 -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return a hard podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
+*/}}
+{{- define "common.affinities.pods.hard" -}}
+{{- $component := default "" .component -}}
+{{- $customLabels := default (dict) .customLabels -}}
+{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
+requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := $extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ {{- range $extraPodAffinityTerms }}
+ - labelSelector:
+ matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }}
+ {{- if not (empty $component) }}
+ {{ printf "app.kubernetes.io/component: %s" $component }}
+ {{- end }}
+ {{- range $key, $value := .extraMatchLabels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Return a podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.pods" -}}
+ {{- if eq .type "soft" }}
+ {{- include "common.affinities.pods.soft" . -}}
+ {{- else if eq .type "hard" }}
+ {{- include "common.affinities.pods.hard" . -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/_capabilities.tpl b/charts/openproject/charts/postgresql/charts/common/templates/_capabilities.tpl
new file mode 100644
index 0000000..c6d115f
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/_capabilities.tpl
@@ -0,0 +1,185 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return the target Kubernetes version
+*/}}
+{{- define "common.capabilities.kubeVersion" -}}
+{{- if .Values.global }}
+ {{- if .Values.global.kubeVersion }}
+ {{- .Values.global.kubeVersion -}}
+ {{- else }}
+ {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+ {{- end -}}
+{{- else }}
+{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for poddisruptionbudget.
+*/}}
+{{- define "common.capabilities.policy.apiVersion" -}}
+{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "policy/v1beta1" -}}
+{{- else -}}
+{{- print "policy/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for networkpolicy.
+*/}}
+{{- define "common.capabilities.networkPolicy.apiVersion" -}}
+{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for cronjob.
+*/}}
+{{- define "common.capabilities.cronjob.apiVersion" -}}
+{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "batch/v1beta1" -}}
+{{- else -}}
+{{- print "batch/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for daemonset.
+*/}}
+{{- define "common.capabilities.daemonset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for deployment.
+*/}}
+{{- define "common.capabilities.deployment.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for statefulset.
+*/}}
+{{- define "common.capabilities.statefulset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apps/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "common.capabilities.ingress.apiVersion" -}}
+{{- if .Values.ingress -}}
+{{- if .Values.ingress.apiVersion -}}
+{{- .Values.ingress.apiVersion -}}
+{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end }}
+{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for RBAC resources.
+*/}}
+{{- define "common.capabilities.rbac.apiVersion" -}}
+{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "rbac.authorization.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "rbac.authorization.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for CRDs.
+*/}}
+{{- define "common.capabilities.crd.apiVersion" -}}
+{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiextensions.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "apiextensions.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for APIService.
+*/}}
+{{- define "common.capabilities.apiService.apiVersion" -}}
+{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "apiregistration.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "apiregistration.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for Horizontal Pod Autoscaler.
+*/}}
+{{- define "common.capabilities.hpa.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- if .beta2 -}}
+{{- print "autoscaling/v2beta2" -}}
+{{- else -}}
+{{- print "autoscaling/v2beta1" -}}
+{{- end -}}
+{{- else -}}
+{{- print "autoscaling/v2" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for Vertical Pod Autoscaler.
+*/}}
+{{- define "common.capabilities.vpa.apiVersion" -}}
+{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- if .beta2 -}}
+{{- print "autoscaling/v2beta2" -}}
+{{- else -}}
+{{- print "autoscaling/v2beta1" -}}
+{{- end -}}
+{{- else -}}
+{{- print "autoscaling/v2" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if the used Helm version is 3.3+.
+A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure.
+This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error.
+**To be removed when the catalog's minimun Helm version is 3.3**
+*/}}
+{{- define "common.capabilities.supportsHelmVersion" -}}
+{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/_errors.tpl b/charts/openproject/charts/postgresql/charts/common/templates/_errors.tpl
new file mode 100644
index 0000000..07ded6f
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/_errors.tpl
@@ -0,0 +1,28 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Through error when upgrading using empty passwords values that must not be empty.
+
+Usage:
+{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
+{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
+
+Required password params:
+ - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
+ - context - Context - Required. Parent context.
+*/}}
+{{- define "common.errors.upgrade.passwords.empty" -}}
+ {{- $validationErrors := join "" .validationErrors -}}
+ {{- if and $validationErrors .context.Release.IsUpgrade -}}
+ {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
+ {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
+ {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
+ {{- $errorString = print $errorString "\n%s" -}}
+ {{- printf $errorString $validationErrors | fail -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/_images.tpl b/charts/openproject/charts/postgresql/charts/common/templates/_images.tpl
new file mode 100644
index 0000000..e248d6d
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/_images.tpl
@@ -0,0 +1,101 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper image name
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }}
+*/}}
+{{- define "common.images.image" -}}
+{{- $registryName := .imageRoot.registry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .imageRoot.tag | toString -}}
+{{- if .global }}
+ {{- if .global.imageRegistry }}
+ {{- $registryName = .global.imageRegistry -}}
+ {{- end -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+ {{- $separator = "@" -}}
+ {{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- if $registryName }}
+ {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- else -}}
+ {{- printf "%s%s%s" $repositoryName $separator $termination -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead)
+{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
+*/}}
+{{- define "common.images.pullSecrets" -}}
+ {{- $pullSecrets := list }}
+
+ {{- if .global }}
+ {{- range .global.imagePullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .pullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets | uniq }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names evaluating values as templates
+{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }}
+*/}}
+{{- define "common.images.renderPullSecrets" -}}
+ {{- $pullSecrets := list }}
+ {{- $context := .context }}
+
+ {{- if $context.Values.global }}
+ {{- range $context.Values.global.imagePullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .pullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets | uniq }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion)
+{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }}
+*/}}
+{{- define "common.images.version" -}}
+{{- $imageTag := .imageRoot.tag | toString -}}
+{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}}
+{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}}
+ {{- $version := semver $imageTag -}}
+ {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}}
+{{- else -}}
+ {{- print .chart.AppVersion -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/_ingress.tpl b/charts/openproject/charts/postgresql/charts/common/templates/_ingress.tpl
new file mode 100644
index 0000000..efa5b85
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/_ingress.tpl
@@ -0,0 +1,73 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Generate backend entry that is compatible with all Kubernetes API versions.
+
+Usage:
+{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}
+
+Params:
+ - serviceName - String. Name of an existing service backend
+ - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer.
+ - context - Dict - Required. The context for the template evaluation.
+*/}}
+{{- define "common.ingress.backend" -}}
+{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
+{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
+serviceName: {{ .serviceName }}
+servicePort: {{ .servicePort }}
+{{- else -}}
+service:
+ name: {{ .serviceName }}
+ port:
+ {{- if typeIs "string" .servicePort }}
+ name: {{ .servicePort }}
+ {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }}
+ number: {{ .servicePort | int }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Print "true" if the API pathType field is supported
+Usage:
+{{ include "common.ingress.supportsPathType" . }}
+*/}}
+{{- define "common.ingress.supportsPathType" -}}
+{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if the ingressClassname field is supported
+Usage:
+{{ include "common.ingress.supportsIngressClassname" . }}
+*/}}
+{{- define "common.ingress.supportsIngressClassname" -}}
+{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if cert-manager required annotations for TLS signed
+certificates are set in the Ingress annotations
+Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+Usage:
+{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }}
+*/}}
+{{- define "common.ingress.certManagerRequest" -}}
+{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/_labels.tpl b/charts/openproject/charts/postgresql/charts/common/templates/_labels.tpl
new file mode 100644
index 0000000..a3cdc2b
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/_labels.tpl
@@ -0,0 +1,40 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Kubernetes standard labels
+{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}}
+*/}}
+{{- define "common.labels.standard" -}}
+{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
+{{ merge (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) (dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service "app.kubernetes.io/version" .context.Chart.AppVersion) | toYaml }}
+{{- else -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+helm.sh/chart: {{ include "common.names.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector
+{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}}
+
+We don't want to loop over custom labels appending them to the selector
+since it's very likely that it will break deployments, services, etc.
+However, it's important to overwrite the standard labels if the user
+overwrote them on metadata.labels fields.
+*/}}
+{{- define "common.labels.matchLabels" -}}
+{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
+{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }}
+{{- else -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/_names.tpl b/charts/openproject/charts/postgresql/charts/common/templates/_names.tpl
new file mode 100644
index 0000000..a222924
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/_names.tpl
@@ -0,0 +1,71 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "common.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "common.names.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "common.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified dependency name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+Usage:
+{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }}
+*/}}
+{{- define "common.names.dependency.fullname" -}}
+{{- if .chartValues.fullnameOverride -}}
+{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .chartName .chartValues.nameOverride -}}
+{{- if contains $name .context.Release.Name -}}
+{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
+*/}}
+{{- define "common.names.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified app name adding the installation's namespace.
+*/}}
+{{- define "common.names.fullname.namespace" -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/_secrets.tpl b/charts/openproject/charts/postgresql/charts/common/templates/_secrets.tpl
new file mode 100644
index 0000000..a193c46
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/_secrets.tpl
@@ -0,0 +1,172 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Generate secret name.
+
+Usage:
+{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
+
+Params:
+ - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
+ to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+ +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
+ - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
+ - context - Dict - Required. The context for the template evaluation.
+*/}}
+{{- define "common.secrets.name" -}}
+{{- $name := (include "common.names.fullname" .context) -}}
+
+{{- if .defaultNameSuffix -}}
+{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- with .existingSecret -}}
+{{- if not (typeIs "string" .) -}}
+{{- with .name -}}
+{{- $name = . -}}
+{{- end -}}
+{{- else -}}
+{{- $name = . -}}
+{{- end -}}
+{{- end -}}
+
+{{- printf "%s" $name -}}
+{{- end -}}
+
+{{/*
+Generate secret key.
+
+Usage:
+{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
+
+Params:
+ - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
+ to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+ +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
+ - key - String - Required. Name of the key in the secret.
+*/}}
+{{- define "common.secrets.key" -}}
+{{- $key := .key -}}
+
+{{- if .existingSecret -}}
+ {{- if not (typeIs "string" .existingSecret) -}}
+ {{- if .existingSecret.keyMapping -}}
+ {{- $key = index .existingSecret.keyMapping $.key -}}
+ {{- end -}}
+ {{- end }}
+{{- end -}}
+
+{{- printf "%s" $key -}}
+{{- end -}}
+
+{{/*
+Generate secret password or retrieve one if already created.
+
+Usage:
+{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - key - String - Required - Name of the key in the secret.
+ - providedValues - List<String> - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
+ - length - int - Optional - Length of the generated random password.
+ - strong - Boolean - Optional - Whether to add symbols to the generated random password.
+ - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
+ - context - Context - Required - Parent context.
+ - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets.
+The order in which this function returns a secret password:
+ 1. Already existing 'Secret' resource
+ (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
+ 2. Password provided via the values.yaml
+ (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
+ 3. Randomly generated secret password
+ (A new random secret password with the length specified in the 'length' parameter will be generated and returned)
+
+*/}}
+{{- define "common.secrets.passwords.manage" -}}
+
+{{- $password := "" }}
+{{- $subchart := "" }}
+{{- $failOnNew := default true .failOnNew }}
+{{- $chartName := default "" .chartName }}
+{{- $passwordLength := default 10 .length }}
+{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
+{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
+{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
+{{- if $secretData }}
+ {{- if hasKey $secretData .key }}
+ {{- $password = index $secretData .key | quote }}
+ {{- else if $failOnNew }}
+ {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
+ {{- end -}}
+{{- else if $providedPasswordValue }}
+ {{- $password = $providedPasswordValue | toString | b64enc | quote }}
+{{- else }}
+
+ {{- if .context.Values.enabled }}
+ {{- $subchart = $chartName }}
+ {{- end -}}
+
+ {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
+ {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
+ {{- $passwordValidationErrors := list $requiredPasswordError -}}
+ {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
+
+ {{- if .strong }}
+ {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
+ {{- $password = randAscii $passwordLength }}
+ {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
+ {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
+ {{- else }}
+ {{- $password = randAlphaNum $passwordLength | b64enc | quote }}
+ {{- end }}
+{{- end -}}
+{{- printf "%s" $password -}}
+{{- end -}}
+
+{{/*
+Reuses the value from an existing secret, otherwise sets its value to a default value.
+
+Usage:
+{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - key - String - Required - Name of the key in the secret.
+ - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
+ - context - Context - Required - Parent context.
+
+*/}}
+{{- define "common.secrets.lookup" -}}
+{{- $value := "" -}}
+{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}}
+{{- if and $secretData (hasKey $secretData .key) -}}
+ {{- $value = index $secretData .key -}}
+{{- else if .defaultValue -}}
+ {{- $value = .defaultValue | toString | b64enc -}}
+{{- end -}}
+{{- if $value -}}
+{{- printf "%s" $value -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns whether a previous generated secret already exists
+
+Usage:
+{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - context - Context - Required - Parent context.
+*/}}
+{{- define "common.secrets.exists" -}}
+{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }}
+{{- if $secret }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/_storage.tpl b/charts/openproject/charts/postgresql/charts/common/templates/_storage.tpl
new file mode 100644
index 0000000..16405a0
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/_storage.tpl
@@ -0,0 +1,28 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper Storage Class
+{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
+*/}}
+{{- define "common.storage.class" -}}
+
+{{- $storageClass := .persistence.storageClass -}}
+{{- if .global -}}
+ {{- if .global.storageClass -}}
+ {{- $storageClass = .global.storageClass -}}
+ {{- end -}}
+{{- end -}}
+
+{{- if $storageClass -}}
+ {{- if (eq "-" $storageClass) -}}
+ {{- printf "storageClassName: \"\"" -}}
+ {{- else }}
+ {{- printf "storageClassName: %s" $storageClass -}}
+ {{- end -}}
+{{- end -}}
+
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/_tplvalues.tpl b/charts/openproject/charts/postgresql/charts/common/templates/_tplvalues.tpl
new file mode 100644
index 0000000..a8ed763
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/_tplvalues.tpl
@@ -0,0 +1,38 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template perhaps with scope if the scope is present.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }}
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
+{{- if contains "{{" (toJson .value) }}
+ {{- if .scope }}
+ {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
+ {{- else }}
+ {{- tpl $value .context }}
+ {{- end }}
+{{- else }}
+ {{- $value }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Merge a list of values that contains template after rendering them.
+Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge
+Usage:
+{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }}
+*/}}
+{{- define "common.tplvalues.merge" -}}
+{{- $dst := dict -}}
+{{- range .values -}}
+{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}}
+{{- end -}}
+{{ $dst | toYaml }}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/_utils.tpl b/charts/openproject/charts/postgresql/charts/common/templates/_utils.tpl
new file mode 100644
index 0000000..bfbddf0
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/_utils.tpl
@@ -0,0 +1,77 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Print instructions to get a secret value.
+Usage:
+{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }}
+*/}}
+{{- define "common.utils.secret.getvalue" -}}
+{{- $varname := include "common.utils.fieldToEnvVar" . -}}
+export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d)
+{{- end -}}
+
+{{/*
+Build env var name given a field
+Usage:
+{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }}
+*/}}
+{{- define "common.utils.fieldToEnvVar" -}}
+ {{- $fieldNameSplit := splitList "-" .field -}}
+ {{- $upperCaseFieldNameSplit := list -}}
+
+ {{- range $fieldNameSplit -}}
+ {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}}
+ {{- end -}}
+
+ {{ join "_" $upperCaseFieldNameSplit }}
+{{- end -}}
+
+{{/*
+Gets a value from .Values given
+Usage:
+{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }}
+*/}}
+{{- define "common.utils.getValueFromKey" -}}
+{{- $splitKey := splitList "." .key -}}
+{{- $value := "" -}}
+{{- $latestObj := $.context.Values -}}
+{{- range $splitKey -}}
+ {{- if not $latestObj -}}
+ {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}}
+ {{- end -}}
+ {{- $value = ( index $latestObj . ) -}}
+ {{- $latestObj = $value -}}
+{{- end -}}
+{{- printf "%v" (default "" $value) -}}
+{{- end -}}
+
+{{/*
+Returns first .Values key with a defined value or first of the list if all non-defined
+Usage:
+{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }}
+*/}}
+{{- define "common.utils.getKeyFromList" -}}
+{{- $key := first .keys -}}
+{{- $reverseKeys := reverse .keys }}
+{{- range $reverseKeys }}
+ {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }}
+ {{- if $value -}}
+ {{- $key = . }}
+ {{- end -}}
+{{- end -}}
+{{- printf "%s" $key -}}
+{{- end -}}
+
+{{/*
+Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376).
+Usage:
+{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }}
+*/}}
+{{- define "common.utils.checksumTemplate" -}}
+{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}}
+{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/_warnings.tpl b/charts/openproject/charts/postgresql/charts/common/templates/_warnings.tpl
new file mode 100644
index 0000000..66dffc1
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/_warnings.tpl
@@ -0,0 +1,19 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Warning about using rolling tag.
+Usage:
+{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
+*/}}
+{{- define "common.warnings.rollingTag" -}}
+
+{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
+WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
+{{- end }}
+
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/validations/_cassandra.tpl b/charts/openproject/charts/postgresql/charts/common/templates/validations/_cassandra.tpl
new file mode 100644
index 0000000..eda9aad
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/validations/_cassandra.tpl
@@ -0,0 +1,77 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate Cassandra required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.cassandra.passwords" -}}
+ {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
+ {{- $enabled := include "common.cassandra.values.enabled" . -}}
+ {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
+ {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.cassandra.values.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.cassandra.values.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.cassandra.dbUser.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.dbUser.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled cassandra.
+
+Usage:
+{{ include "common.cassandra.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.cassandra.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.cassandra.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key dbUser
+
+Usage:
+{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.cassandra.values.key.dbUser" -}}
+ {{- if .subchart -}}
+ cassandra.dbUser
+ {{- else -}}
+ dbUser
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/validations/_mariadb.tpl b/charts/openproject/charts/postgresql/charts/common/templates/validations/_mariadb.tpl
new file mode 100644
index 0000000..17d83a2
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/validations/_mariadb.tpl
@@ -0,0 +1,108 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MariaDB required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret"
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mariadb.passwords" -}}
+ {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mariadb.values.enabled" . -}}
+ {{- $architecture := include "common.mariadb.values.architecture" . -}}
+ {{- $authPrefix := include "common.mariadb.values.key.auth" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- if not (empty $valueUsername) -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replication") -}}
+ {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mariadb.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mariadb.
+
+Usage:
+{{ include "common.mariadb.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mariadb.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mariadb.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mariadb.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.key.auth" -}}
+ {{- if .subchart -}}
+ mariadb.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/validations/_mongodb.tpl b/charts/openproject/charts/postgresql/charts/common/templates/validations/_mongodb.tpl
new file mode 100644
index 0000000..bbb445b
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/validations/_mongodb.tpl
@@ -0,0 +1,113 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MongoDB® required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret"
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mongodb.passwords" -}}
+ {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mongodb.values.enabled" . -}}
+ {{- $authPrefix := include "common.mongodb.values.key.auth" . -}}
+ {{- $architecture := include "common.mongodb.values.architecture" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}}
+ {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}}
+
+ {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }}
+ {{- if and $valueUsername $valueDatabase -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replicaset") -}}
+ {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mongodb.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mongodb.
+
+Usage:
+{{ include "common.mongodb.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mongodb.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mongodb.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.key.auth" -}}
+ {{- if .subchart -}}
+ mongodb.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mongodb.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/validations/_mysql.tpl b/charts/openproject/charts/postgresql/charts/common/templates/validations/_mysql.tpl
new file mode 100644
index 0000000..ca3953f
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/validations/_mysql.tpl
@@ -0,0 +1,108 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MySQL required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret"
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mysql.passwords" -}}
+ {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mysql.values.enabled" . -}}
+ {{- $architecture := include "common.mysql.values.architecture" . -}}
+ {{- $authPrefix := include "common.mysql.values.key.auth" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- if not (empty $valueUsername) -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replication") -}}
+ {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mysql.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mysql.
+
+Usage:
+{{ include "common.mysql.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mysql.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mysql.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mysql.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.key.auth" -}}
+ {{- if .subchart -}}
+ mysql.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/validations/_postgresql.tpl b/charts/openproject/charts/postgresql/charts/common/templates/validations/_postgresql.tpl
new file mode 100644
index 0000000..8c9aa57
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/validations/_postgresql.tpl
@@ -0,0 +1,134 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate PostgreSQL required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret"
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.postgresql.passwords" -}}
+ {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
+ {{- $enabled := include "common.postgresql.values.enabled" . -}}
+ {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
+ {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+ {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
+
+ {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
+ {{- if (eq $enabledReplication "true") -}}
+ {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to decide whether evaluate global values.
+
+Usage:
+{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
+Params:
+ - key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
+*/}}
+{{- define "common.postgresql.values.use.global" -}}
+ {{- if .context.Values.global -}}
+ {{- if .context.Values.global.postgresql -}}
+ {{- index .context.Values.global.postgresql .key | quote -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
+*/}}
+{{- define "common.postgresql.values.existingSecret" -}}
+ {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
+
+ {{- if .subchart -}}
+ {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
+ {{- else -}}
+ {{- default (.context.Values.existingSecret | quote) $globalValue -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled postgresql.
+
+Usage:
+{{ include "common.postgresql.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.postgresql.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.postgresql.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key postgressPassword.
+
+Usage:
+{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.key.postgressPassword" -}}
+ {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
+
+ {{- if not $globalValue -}}
+ {{- if .subchart -}}
+ postgresql.postgresqlPassword
+ {{- else -}}
+ postgresqlPassword
+ {{- end -}}
+ {{- else -}}
+ global.postgresql.postgresqlPassword
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled.replication.
+
+Usage:
+{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.enabled.replication" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.postgresql.replication.enabled -}}
+ {{- else -}}
+ {{- printf "%v" .context.Values.replication.enabled -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key replication.password.
+
+Usage:
+{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.key.replicationPassword" -}}
+ {{- if .subchart -}}
+ postgresql.replication.password
+ {{- else -}}
+ replication.password
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/validations/_redis.tpl b/charts/openproject/charts/postgresql/charts/common/templates/validations/_redis.tpl
new file mode 100644
index 0000000..fc0d208
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/validations/_redis.tpl
@@ -0,0 +1,81 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate Redis® required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret"
+ - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.redis.passwords" -}}
+ {{- $enabled := include "common.redis.values.enabled" . -}}
+ {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}}
+ {{- $standarizedVersion := include "common.redis.values.standarized.version" . }}
+
+ {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }}
+ {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }}
+
+ {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }}
+ {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}}
+ {{- if eq $useAuth "true" -}}
+ {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled redis.
+
+Usage:
+{{ include "common.redis.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.redis.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.redis.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right prefix path for the values
+
+Usage:
+{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
+*/}}
+{{- define "common.redis.values.keys.prefix" -}}
+ {{- if .subchart -}}redis.{{- else -}}{{- end -}}
+{{- end -}}
+
+{{/*
+Checks whether the redis chart's includes the standarizations (version >= 14)
+
+Usage:
+{{ include "common.redis.values.standarized.version" (dict "context" $) }}
+*/}}
+{{- define "common.redis.values.standarized.version" -}}
+
+ {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}}
+ {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }}
+
+ {{- if $standarizedAuthValues -}}
+ {{- true -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/templates/validations/_validations.tpl b/charts/openproject/charts/postgresql/charts/common/templates/validations/_validations.tpl
new file mode 100644
index 0000000..31ceda8
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/templates/validations/_validations.tpl
@@ -0,0 +1,51 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate values must not be empty.
+
+Usage:
+{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
+{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
+
+Validate value params:
+ - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
+ - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
+ - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
+*/}}
+{{- define "common.validations.values.multiple.empty" -}}
+ {{- range .required -}}
+ {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Validate a value must not be empty.
+
+Usage:
+{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }}
+
+Validate value params:
+ - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
+ - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
+ - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
+ - subchart - String - Optional - Name of the subchart that the validated password is part of.
+*/}}
+{{- define "common.validations.values.single.empty" -}}
+ {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }}
+ {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }}
+
+ {{- if not $value -}}
+ {{- $varname := "my-value" -}}
+ {{- $getCurrentValue := "" -}}
+ {{- if and .secret .field -}}
+ {{- $varname = include "common.utils.fieldToEnvVar" . -}}
+ {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}}
+ {{- end -}}
+ {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/charts/common/values.yaml b/charts/openproject/charts/postgresql/charts/common/values.yaml
new file mode 100644
index 0000000..9abe0e1
--- /dev/null
+++ b/charts/openproject/charts/postgresql/charts/common/values.yaml
@@ -0,0 +1,8 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
+## bitnami/common
+## It is required by CI/CD tools and processes.
+## @skip exampleValue
+##
+exampleValue: common-chart
diff --git a/charts/openproject/charts/postgresql/templates/NOTES.txt b/charts/openproject/charts/postgresql/templates/NOTES.txt
new file mode 100644
index 0000000..73c4a34
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/NOTES.txt
@@ -0,0 +1,115 @@
+CHART NAME: {{ .Chart.Name }}
+CHART VERSION: {{ .Chart.Version }}
+APP VERSION: {{ .Chart.AppVersion }}
+
+** Please be patient while the chart is being deployed **
+
+{{- if .Values.diagnosticMode.enabled }}
+The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
+
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}
+
+Get the list of pods by executing:
+
+ kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+Access the pod you want to debug by executing
+
+ kubectl exec --namespace {{ .Release.Namespace }} -ti <NAME OF THE POD> -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash
+
+In order to replicate the container startup scripts execute this command:
+
+ /opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh
+
+{{- else }}
+
+{{- $customUser := include "postgresql.v1.username" . }}
+{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary .Values.auth.postgresPassword .Values.auth.password (eq $customUser "postgres")) "context" $) -}}
+{{- $authEnabled := and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
+{{- if not $authEnabled }}
+
+WARNING: PostgreSQL has been configured without authentication, this is not recommended for production environments.
+{{- end }}
+
+PostgreSQL can be accessed via port {{ include "postgresql.v1.service.port" . }} on the following DNS names from within your cluster:
+
+ {{ include "postgresql.v1.primary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection
+
+{{- if eq .Values.architecture "replication" }}
+
+ {{ include "postgresql.v1.readReplica.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read only connection
+
+{{- end }}
+
+{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
+{{- if .Values.auth.enablePostgresUser }}
+
+To get the password for "postgres" run:
+
+ export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{include "postgresql.v1.adminPasswordKey" .}}}" | base64 -d)
+{{- end }}
+
+To get the password for "{{ $customUser }}" run:
+
+ export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{include "postgresql.v1.userPasswordKey" .}}}" | base64 -d)
+{{- else }}
+{{- if .Values.auth.enablePostgresUser }}
+
+To get the password for "{{ default "postgres" $customUser }}" run:
+
+ export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{ ternary "password" (include "postgresql.v1.adminPasswordKey" .) (and (not (empty $customUser)) (ne $customUser "postgres")) }}}" | base64 -d)
+{{- end }}
+{{- end }}
+
+To connect to your database run the following command:
+ {{- if $authEnabled }}
+
+ kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.v1.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" \
+ --command -- psql --host {{ include "postgresql.v1.primary.fullname" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
+ {{- else }}
+
+ kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.v1.image" . }} \
+ --command -- psql --host {{ include "postgresql.v1.primary.fullname" . }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
+ {{- end }}
+
+ > NOTE: If you access the container using bash, make sure that you execute "/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash" in order to avoid the error "psql: local user with ID {{ .Values.primary.containerSecurityContext.runAsUser }}} does not exist"
+
+To connect to your database from outside the cluster execute the following commands:
+
+{{- if contains "NodePort" .Values.primary.service.type }}
+
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.v1.primary.fullname" . }})
+ {{- if $authEnabled }}
+ PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
+ {{- else }}
+ psql --host $NODE_IP --port $NODE_PORT -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
+ {{- end }}
+{{- else if contains "LoadBalancer" .Values.primary.service.type }}
+
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "postgresql.v1.primary.fullname" . }}'
+
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "postgresql.v1.primary.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
+ {{- if $authEnabled }}
+ PGPASSWORD="$POSTGRES_PASSWORD" psql --host $SERVICE_IP --port {{ include "postgresql.v1.service.port" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
+ {{- else }}
+ psql --host $SERVICE_IP --port {{ include "postgresql.v1.service.port" . }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }}
+ {{- end }}
+{{- else if contains "ClusterIP" .Values.primary.service.type }}
+
+ kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "postgresql.v1.primary.fullname" . }} {{ include "postgresql.v1.service.port" . }}:{{ include "postgresql.v1.service.port" . }} &
+ {{- if $authEnabled }}
+ PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
+ {{- else }}
+ psql --host 127.0.0.1 -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+WARNING: The configured password will be ignored on new installation in case when previous PostgreSQL release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue.
+
+{{- include "postgresql.v1.validateValues" . -}}
+{{- include "common.warnings.rollingTag" .Values.image -}}
+{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
diff --git a/charts/openproject/charts/postgresql/templates/_helpers.tpl b/charts/openproject/charts/postgresql/templates/_helpers.tpl
new file mode 100644
index 0000000..2c5c7f9
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/_helpers.tpl
@@ -0,0 +1,406 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Create a default fully qualified app name for PostgreSQL Primary objects
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "postgresql.v1.primary.fullname" -}}
+{{- if eq .Values.architecture "replication" -}}
+ {{- printf "%s-%s" (include "common.names.fullname" .) .Values.primary.name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+ {{- include "common.names.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name for PostgreSQL read-only replicas objects
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "postgresql.v1.readReplica.fullname" -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) .Values.readReplicas.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the default FQDN for PostgreSQL primary headless service
+We truncate at 63 chars because of the DNS naming spec.
+*/}}
+{{- define "postgresql.v1.primary.svc.headless" -}}
+{{- printf "%s-hl" (include "postgresql.v1.primary.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the default FQDN for PostgreSQL read-only replicas headless service
+We truncate at 63 chars because of the DNS naming spec.
+*/}}
+{{- define "postgresql.v1.readReplica.svc.headless" -}}
+{{- printf "%s-hl" (include "postgresql.v1.readReplica.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Return the proper PostgreSQL image name
+*/}}
+{{- define "postgresql.v1.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper PostgreSQL metrics image name
+*/}}
+{{- define "postgresql.v1.metrics.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper image name (for the init container volume-permissions image)
+*/}}
+{{- define "postgresql.v1.volumePermissions.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "postgresql.v1.imagePullSecrets" -}}
+{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the name for a custom user to create
+*/}}
+{{- define "postgresql.v1.username" -}}
+{{- if .Values.global.postgresql.auth.username -}}
+ {{- .Values.global.postgresql.auth.username -}}
+{{- else -}}
+ {{- .Values.auth.username -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the name for a custom database to create
+*/}}
+{{- define "postgresql.v1.database" -}}
+{{- if .Values.global.postgresql.auth.database -}}
+ {{- printf "%s" (tpl .Values.global.postgresql.auth.database $) -}}
+{{- else if .Values.auth.database -}}
+ {{- printf "%s" (tpl .Values.auth.database $) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the password secret.
+*/}}
+{{- define "postgresql.v1.secretName" -}}
+{{- if .Values.global.postgresql.auth.existingSecret -}}
+ {{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}}
+{{- else if .Values.auth.existingSecret -}}
+ {{- printf "%s" (tpl .Values.auth.existingSecret $) -}}
+{{- else -}}
+ {{- printf "%s" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the replication-password key.
+*/}}
+{{- define "postgresql.v1.replicationPasswordKey" -}}
+{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
+ {{- if .Values.global.postgresql.auth.secretKeys.replicationPasswordKey -}}
+ {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.replicationPasswordKey $) -}}
+ {{- else if .Values.auth.secretKeys.replicationPasswordKey -}}
+ {{- printf "%s" (tpl .Values.auth.secretKeys.replicationPasswordKey $) -}}
+ {{- else -}}
+ {{- "replication-password" -}}
+ {{- end -}}
+{{- else -}}
+ {{- "replication-password" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the admin-password key.
+*/}}
+{{- define "postgresql.v1.adminPasswordKey" -}}
+{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
+ {{- if .Values.global.postgresql.auth.secretKeys.adminPasswordKey -}}
+ {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.adminPasswordKey $) -}}
+ {{- else if .Values.auth.secretKeys.adminPasswordKey -}}
+ {{- printf "%s" (tpl .Values.auth.secretKeys.adminPasswordKey $) -}}
+ {{- end -}}
+{{- else -}}
+ {{- "postgres-password" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the user-password key.
+*/}}
+{{- define "postgresql.v1.userPasswordKey" -}}
+{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
+ {{- if or (empty (include "postgresql.v1.username" .)) (eq (include "postgresql.v1.username" .) "postgres") -}}
+ {{- printf "%s" (include "postgresql.v1.adminPasswordKey" .) -}}
+ {{- else -}}
+ {{- if .Values.global.postgresql.auth.secretKeys.userPasswordKey -}}
+ {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.userPasswordKey $) -}}
+ {{- else if .Values.auth.secretKeys.userPasswordKey -}}
+ {{- printf "%s" (tpl .Values.auth.secretKeys.userPasswordKey $) -}}
+ {{- end -}}
+ {{- end -}}
+{{- else -}}
+ {{- "password" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a secret object should be created
+*/}}
+{{- define "postgresql.v1.createSecret" -}}
+{{- $customUser := include "postgresql.v1.username" . -}}
+{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword .Values.global.postgresql.auth.password .Values.auth.password) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) -}}
+{{- if and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres")) (eq .Values.architecture "replication") (and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw))) -}}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL service port
+*/}}
+{{- define "postgresql.v1.service.port" -}}
+{{- if .Values.global.postgresql.service.ports.postgresql -}}
+ {{- .Values.global.postgresql.service.ports.postgresql -}}
+{{- else -}}
+ {{- .Values.primary.service.ports.postgresql -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL service port
+*/}}
+{{- define "postgresql.v1.readReplica.service.port" -}}
+{{- if .Values.global.postgresql.service.ports.postgresql -}}
+ {{- .Values.global.postgresql.service.ports.postgresql -}}
+{{- else -}}
+ {{- .Values.readReplicas.service.ports.postgresql -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the PostgreSQL primary configuration ConfigMap name.
+*/}}
+{{- define "postgresql.v1.primary.configmapName" -}}
+{{- if .Values.primary.existingConfigmap -}}
+ {{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}}
+{{- else -}}
+ {{- printf "%s-configuration" (include "postgresql.v1.primary.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a configmap object should be created for PostgreSQL primary with the configuration
+*/}}
+{{- define "postgresql.v1.primary.createConfigmap" -}}
+{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) -}}
+ {{- true -}}
+{{- else -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the PostgreSQL primary extended configuration ConfigMap name.
+*/}}
+{{- define "postgresql.v1.primary.extendedConfigmapName" -}}
+{{- if .Values.primary.existingExtendedConfigmap -}}
+ {{- printf "%s" (tpl .Values.primary.existingExtendedConfigmap $) -}}
+{{- else -}}
+ {{- printf "%s-extended-configuration" (include "postgresql.v1.primary.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the PostgreSQL read replica extended configuration ConfigMap name.
+*/}}
+{{- define "postgresql.v1.readReplicas.extendedConfigmapName" -}}
+ {{- printf "%s-extended-configuration" (include "postgresql.v1.readReplica.fullname" .) -}}
+{{- end -}}
+
+{{/*
+Return true if a configmap object should be created for PostgreSQL primary with the extended configuration
+*/}}
+{{- define "postgresql.v1.primary.createExtendedConfigmap" -}}
+{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) -}}
+ {{- true -}}
+{{- else -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a configmap object should be created for PostgreSQL read replica with the extended configuration
+*/}}
+{{- define "postgresql.v1.readReplicas.createExtendedConfigmap" -}}
+{{- if .Values.readReplicas.extendedConfiguration -}}
+ {{- true -}}
+{{- else -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+ Create the name of the service account to use
+ */}}
+{{- define "postgresql.v1.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a configmap should be mounted with PostgreSQL configuration
+*/}}
+{{- define "postgresql.v1.mountConfigurationCM" -}}
+{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap -}}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the initialization scripts ConfigMap name.
+*/}}
+{{- define "postgresql.v1.initdb.scriptsCM" -}}
+{{- if .Values.primary.initdb.scriptsConfigMap -}}
+ {{- printf "%s" (tpl .Values.primary.initdb.scriptsConfigMap $) -}}
+{{- else -}}
+ {{- printf "%s-init-scripts" (include "postgresql.v1.primary.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if TLS is enabled for LDAP connection
+*/}}
+{{- define "postgresql.v1.ldap.tls.enabled" -}}
+{{- if and (kindIs "string" .Values.ldap.tls) (not (empty .Values.ldap.tls)) -}}
+ {{- true -}}
+{{- else if and (kindIs "map" .Values.ldap.tls) .Values.ldap.tls.enabled -}}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the readiness probe command
+*/}}
+{{- define "postgresql.v1.readinessProbeCommand" -}}
+{{- $customUser := include "postgresql.v1.username" . -}}
+- |
+{{- if (include "postgresql.v1.database" .) }}
+ exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+{{- else }}
+ exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if .Values.tls.enabled }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+{{- end }}
+{{- if contains "bitnami/" .Values.image.repository }}
+ [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
+{{- end }}
+{{- end -}}
+
+{{/*
+Compile all warnings into a single message, and call fail.
+*/}}
+{{- define "postgresql.v1.validateValues" -}}
+{{- $messages := list -}}
+{{- $messages := append $messages (include "postgresql.v1.validateValues.ldapConfigurationMethod" .) -}}
+{{- $messages := append $messages (include "postgresql.v1.validateValues.psp" .) -}}
+{{- $messages := without $messages "" -}}
+{{- $message := join "\n" $messages -}}
+
+{{- if $message -}}
+{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap
+*/}}
+{{- define "postgresql.v1.validateValues.ldapConfigurationMethod" -}}
+{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) -}}
+postgresql: ldap.url, ldap.server
+ You cannot set both `ldap.url` and `ldap.server` at the same time.
+ Please provide a unique way to configure LDAP.
+ More info at https://www.postgresql.org/docs/current/auth-ldap.html
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate values of Postgresql - If PSP is enabled RBAC should be enabled too
+*/}}
+{{- define "postgresql.v1.validateValues.psp" -}}
+{{- if and .Values.psp.create (not .Values.rbac.create) -}}
+postgresql: psp.create, rbac.create
+ RBAC should be enabled if PSP is enabled in order for PSP to work.
+ More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the path to the cert file.
+*/}}
+{{- define "postgresql.v1.tlsCert" -}}
+{{- if .Values.tls.autoGenerated -}}
+ {{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}}
+{{- else -}}
+ {{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the path to the cert key file.
+*/}}
+{{- define "postgresql.v1.tlsCertKey" -}}
+{{- if .Values.tls.autoGenerated -}}
+ {{- printf "/opt/bitnami/postgresql/certs/tls.key" -}}
+{{- else -}}
+{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the path to the CA cert file.
+*/}}
+{{- define "postgresql.v1.tlsCACert" -}}
+{{- if .Values.tls.autoGenerated -}}
+ {{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}}
+{{- else -}}
+ {{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the path to the CRL file.
+*/}}
+{{- define "postgresql.v1.tlsCRL" -}}
+{{- if .Values.tls.crlFilename -}}
+{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a TLS credentials secret object should be created
+*/}}
+{{- define "postgresql.v1.createTlsSecret" -}}
+{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) -}}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the path to the CA cert file.
+*/}}
+{{- define "postgresql.v1.tlsSecretName" -}}
+{{- if .Values.tls.autoGenerated -}}
+ {{- printf "%s-crt" (include "common.names.fullname" .) -}}
+{{- else -}}
+ {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/openproject/charts/postgresql/templates/backup/cronjob.yaml b/charts/openproject/charts/postgresql/templates/backup/cronjob.yaml
new file mode 100644
index 0000000..72d1bf2
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/backup/cronjob.yaml
@@ -0,0 +1,113 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.backup.enabled }}
+{{- $customUser := include "postgresql.v1.username" . }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
+ namespace: {{ .Release.Namespace | quote }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.labels .Values.commonLabels ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: pg_dumpall
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.annotations .Values.commonAnnotations ) "context" . ) }}
+ {{- if $annotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ schedule: {{ quote .Values.backup.cronjob.schedule }}
+ concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }}
+ failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }}
+ successfulJobsHistoryLimit: {{ .Values.backup.cronjob.successfulJobsHistoryLimit }}
+ {{- if .Values.backup.cronjob.startingDeadlineSeconds }}
+ startingDeadlineSeconds: {{ .Values.backup.cronjob.startingDeadlineSeconds }}
+ {{- end }}
+ jobTemplate:
+ spec:
+ {{- if .Values.backup.cronjob.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.backup.cronjob.ttlSecondsAfterFinished }}
+ {{- end }}
+ template:
+ metadata:
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 12 }}
+ app.kubernetes.io/component: pg_dumpall
+ {{- if $annotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 12 }}
+ {{- end }}
+ spec:
+ {{- include "postgresql.v1.imagePullSecrets" . | nindent 10 }}
+ {{- if .Values.backup.cronjob.nodeSelector }}
+ nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.nodeSelector "context" $) | nindent 12 }}
+ {{- end }}
+ containers:
+ - name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
+ image: {{ include "postgresql.v1.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ env:
+ - name: PGUSER
+ {{- if .Values.auth.enablePostgresUser }}
+ value: postgres
+ {{- else }}
+ value: {{ $customUser | quote }}
+ {{- end }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: PGPASSFILE
+ value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
+ {{- else }}
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "postgresql.v1.secretName" . }}
+ key: {{ include "postgresql.v1.adminPasswordKey" . }}
+ {{- end }}
+ - name: PGHOST
+ value: {{ include "postgresql.v1.primary.fullname" . }}
+ - name: PGPORT
+ value: {{ include "postgresql.v1.service.port" . | quote }}
+ - name: PGDUMP_DIR
+ value: {{ .Values.backup.cronjob.storage.mountPath }}
+ {{- if .Values.tls.enabled }}
+ - name: PGSSLROOTCERT
+ {{- if .Values.tls.autoGenerated -}}
+ value: /tmp/certs/ca.crt
+ {{- else }}
+ value: {{- printf "/tmp/certs/%s" .Values.tls.certCAFilename -}}
+ {{- end }}
+ {{- end }}
+ command:
+ {{- range .Values.backup.cronjob.command }}
+ - {{ . }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.tls.enabled }}
+ - name: certs
+ mountPath: /certs
+ {{- end }}
+ - name: datadir
+ mountPath: {{ .Values.backup.cronjob.storage.mountPath }}
+ subPath: {{ .Values.backup.cronjob.storage.subPath }}
+ securityContext:
+ {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.containerSecurityContext "context" $) | nindent 14 }}
+ restartPolicy: {{ .Values.backup.cronjob.restartPolicy }}
+ {{- if .Values.backup.cronjob.podSecurityContext.enabled }}
+ securityContext:
+ fsGroup: {{ .Values.backup.cronjob.podSecurityContext.fsGroup }}
+ {{- end }}
+ volumes:
+ {{- if .Values.tls.enabled }}
+ - name: raw-certificates
+ emptyDir: /tmp/certs
+ {{- end }}
+ {{- if .Values.backup.cronjob.storage.existingClaim }}
+ - name: datadir
+ persistentVolumeClaim:
+ claimName: {{ printf "%s" (tpl .Values.backup.cronjob.storage.existingClaim .) }}
+ {{- else }}
+ - name: datadir
+ persistentVolumeClaim:
+ claimName: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
+ {{- end }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/backup/pvc.yaml b/charts/openproject/charts/postgresql/templates/backup/pvc.yaml
new file mode 100644
index 0000000..6fe9cbf
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/backup/pvc.yaml
@@ -0,0 +1,34 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.backup.enabled (not .Values.backup.cronjob.storage.existingClaim) -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
+ namespace: {{ .Release.Namespace | quote }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.labels .Values.commonLabels ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: pg_dumpall
+ {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations .Values.backup.cronjob.storage.resourcePolicy }}
+ annotations:
+ {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.annotations .Values.commonAnnotations ) "context" . ) }}
+ {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.backup.cronjob.storage.resourcePolicy }}
+ helm.sh/resource-policy: {{ .Values.backup.cronjob.storage.resourcePolicy | quote }}
+ {{- end }}
+ {{- end }}
+spec:
+ accessModes:
+ {{- range .Values.backup.cronjob.storage.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.backup.cronjob.storage.size | quote }}
+ {{ include "common.storage.class" (dict "persistence" .Values.backup.cronjob.storage "global" .Values.global) }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/extra-list.yaml b/charts/openproject/charts/postgresql/templates/extra-list.yaml
new file mode 100644
index 0000000..2d35a58
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/extra-list.yaml
@@ -0,0 +1,9 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- range .Values.extraDeploy }}
+---
+{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/networkpolicy-egress.yaml b/charts/openproject/charts/postgresql/templates/networkpolicy-egress.yaml
new file mode 100644
index 0000000..b67817c
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/networkpolicy-egress.yaml
@@ -0,0 +1,34 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }}
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+ name: {{ printf "%s-egress" (include "common.names.fullname" .) }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
+ policyTypes:
+ - Egress
+ egress:
+ {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }}
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ - to:
+ - namespaceSelector: {}
+ {{- end }}
+ {{- if .Values.networkPolicy.egressRules.customRules }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/primary/configmap.yaml b/charts/openproject/charts/postgresql/templates/primary/configmap.yaml
new file mode 100644
index 0000000..7bb8b7f
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/primary/configmap.yaml
@@ -0,0 +1,26 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if (include "postgresql.v1.primary.createConfigmap" .) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-configuration" (include "postgresql.v1.primary.fullname" .) }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: primary
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ {{- if .Values.primary.configuration }}
+ postgresql.conf: |-
+ {{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.primary.pgHbaConfiguration }}
+ pg_hba.conf: |
+ {{- include "common.tplvalues.render" ( dict "value" .Values.primary.pgHbaConfiguration "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/primary/extended-configmap.yaml b/charts/openproject/charts/postgresql/templates/primary/extended-configmap.yaml
new file mode 100644
index 0000000..456f8ee
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/primary/extended-configmap.yaml
@@ -0,0 +1,20 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if (include "postgresql.v1.primary.createExtendedConfigmap" .) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-extended-configuration" (include "postgresql.v1.primary.fullname" .) }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: primary
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ override.conf: |-
+ {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extendedConfiguration "context" $ ) | nindent 4 }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/primary/initialization-configmap.yaml b/charts/openproject/charts/postgresql/templates/primary/initialization-configmap.yaml
new file mode 100644
index 0000000..80d804a
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/primary/initialization-configmap.yaml
@@ -0,0 +1,17 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.primary.initdb.scripts (not .Values.primary.initdb.scriptsConfigMap) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-init-scripts" (include "postgresql.v1.primary.fullname" .) }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.initdb.scripts "context" .) | nindent 2 }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/primary/metrics-configmap.yaml b/charts/openproject/charts/postgresql/templates/primary/metrics-configmap.yaml
new file mode 100644
index 0000000..7da2bcd
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/primary/metrics-configmap.yaml
@@ -0,0 +1,18 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/primary/metrics-svc.yaml b/charts/openproject/charts/postgresql/templates/primary/metrics-svc.yaml
new file mode 100644
index 0000000..3d94510
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/primary/metrics-svc.yaml
@@ -0,0 +1,31 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: metrics
+ {{- if or .Values.commonAnnotations .Values.metrics.service.annotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
+ {{- if .Values.metrics.service.clusterIP }}
+ clusterIP: {{ .Values.metrics.service.clusterIP }}
+ {{- end }}
+ ports:
+ - name: http-metrics
+ port: {{ .Values.metrics.service.ports.metrics }}
+ targetPort: http-metrics
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: primary
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/primary/networkpolicy.yaml b/charts/openproject/charts/postgresql/templates/primary/networkpolicy.yaml
new file mode 100644
index 0000000..9da3fb4
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/primary/networkpolicy.yaml
@@ -0,0 +1,61 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }}
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+ name: {{ printf "%s-ingress" (include "postgresql.v1.primary.fullname" .) }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: primary
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $primaryPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $primaryPodLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: primary
+ ingress:
+ {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }}
+ - from:
+ {{- if .Values.networkPolicy.metrics.namespaceSelector }}
+ - namespaceSelector:
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }}
+ {{- end }}
+ {{- if .Values.networkPolicy.metrics.podSelector }}
+ - podSelector:
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }}
+ {{- end }}
+ ports:
+ - port: {{ .Values.metrics.containerPorts.metrics }}
+ {{- end }}
+ {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) }}
+ - from:
+ {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }}
+ - namespaceSelector:
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }}
+ {{- end }}
+ {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }}
+ - podSelector:
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }}
+ {{- end }}
+ ports:
+ - port: {{ .Values.containerPorts.postgresql }}
+ {{- end }}
+ {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }}
+ - from:
+ {{- $readPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $readPodLabels "context" $ ) | nindent 14 }}
+ app.kubernetes.io/component: read
+ ports:
+ - port: {{ .Values.containerPorts.postgresql }}
+ {{- end }}
+ {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/primary/servicemonitor.yaml b/charts/openproject/charts/postgresql/templates/primary/servicemonitor.yaml
new file mode 100644
index 0000000..05d54f3
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/primary/servicemonitor.yaml
@@ -0,0 +1,46 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "postgresql.v1.primary.fullname" . }}
+ namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: metrics
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.metrics.serviceMonitor.jobLabel }}
+ jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
+ {{- end }}
+ selector:
+ {{- $svcLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.selector .Values.commonLabels ) "context" . ) }}
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $svcLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: metrics
+ endpoints:
+ - port: http-metrics
+ {{- if .Values.metrics.serviceMonitor.interval }}
+ interval: {{ .Values.metrics.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.relabelings }}
+ relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.honorLabels }}
+ honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/primary/statefulset.yaml b/charts/openproject/charts/postgresql/templates/primary/statefulset.yaml
new file mode 100644
index 0000000..8f8d56d
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/primary/statefulset.yaml
@@ -0,0 +1,653 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- $customUser := include "postgresql.v1.username" . }}
+apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
+kind: StatefulSet
+metadata:
+ name: {{ include "postgresql.v1.primary.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.labels .Values.commonLabels ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: primary
+ {{- if or .Values.commonAnnotations .Values.primary.annotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: 1
+ serviceName: {{ include "postgresql.v1.primary.svc.headless" . }}
+ {{- if .Values.primary.updateStrategy }}
+ updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: primary
+ template:
+ metadata:
+ name: {{ include "postgresql.v1.primary.fullname" . }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
+ app.kubernetes.io/component: primary
+ {{- if or (include "postgresql.v1.primary.createConfigmap" .) (include "postgresql.v1.primary.createExtendedConfigmap" .) .Values.primary.podAnnotations }}
+ annotations:
+ {{- if (include "postgresql.v1.primary.createConfigmap" .) }}
+ checksum/configuration: {{ pick (include (print $.Template.BasePath "/primary/configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
+ {{- end }}
+ {{- if (include "postgresql.v1.primary.createExtendedConfigmap" .) }}
+ checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
+ {{- end }}
+ {{- if .Values.primary.podAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ spec:
+ {{- if .Values.primary.extraPodSpec }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }}
+ {{- end }}
+ serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }}
+ {{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
+ {{- if .Values.primary.hostAliases }}
+ hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.primary.affinity }}
+ affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }}
+ {{- else }}
+ affinity:
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }}
+ nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }}
+ {{- end }}
+ {{- if .Values.primary.nodeSelector }}
+ nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.primary.tolerations }}
+ tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.primary.topologySpreadConstraints }}
+ topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" .) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.primary.priorityClassName }}
+ priorityClassName: {{ .Values.primary.priorityClassName }}
+ {{- end }}
+ {{- if .Values.primary.schedulerName }}
+ schedulerName: {{ .Values.primary.schedulerName | quote }}
+ {{- end }}
+ {{- if .Values.primary.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }}
+ {{- end }}
+ {{- if .Values.primary.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ hostNetwork: {{ .Values.primary.hostNetwork }}
+ hostIPC: {{ .Values.primary.hostIPC }}
+ {{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled)) .Values.primary.initContainers }}
+ initContainers:
+ {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
+ - name: copy-certs
+ image: {{ include "postgresql.v1.volumePermissions.image" . }}
+ imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+ {{- if .Values.primary.resources }}
+ resources: {{- toYaml .Values.primary.resources | nindent 12 }}
+ {{- end }}
+ # We don't require a privileged container in this case
+ {{- if .Values.primary.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -ec
+ - |
+ cp /tmp/certs/* /opt/bitnami/postgresql/certs/
+ chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
+ volumeMounts:
+ - name: raw-certificates
+ mountPath: /tmp/certs
+ - name: postgresql-certificates
+ mountPath: /opt/bitnami/postgresql/certs
+ {{- else if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled) }}
+ - name: init-chmod-data
+ image: {{ include "postgresql.v1.volumePermissions.image" . }}
+ imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+ {{- if .Values.volumePermissions.resources }}
+ resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -ec
+ - |
+ {{- if .Values.primary.persistence.enabled }}
+ {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+ chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.primary.persistence.mountPath }}
+ {{- else }}
+ chown {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} {{ .Values.primary.persistence.mountPath }}
+ {{- end }}
+ mkdir -p {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }}
+ chmod 700 {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }}
+ find {{ .Values.primary.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.v1.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
+ {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+ xargs -r chown -R `id -u`:`id -G | cut -d " " -f2`
+ {{- else }}
+ xargs -r chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ chmod -R 777 /dev/shm
+ {{- end }}
+ {{- if .Values.tls.enabled }}
+ cp /tmp/certs/* /opt/bitnami/postgresql/certs/
+ {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+ chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
+ {{- else }}
+ chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/
+ {{- end }}
+ chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
+ {{- end }}
+ {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+ securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
+ {{- else }}
+ securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.primary.persistence.enabled }}
+ - name: data
+ mountPath: {{ .Values.primary.persistence.mountPath }}
+ {{- if .Values.primary.persistence.subPath }}
+ subPath: {{ .Values.primary.persistence.subPath }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ - name: dshm
+ mountPath: /dev/shm
+ {{- end }}
+ {{- if .Values.tls.enabled }}
+ - name: raw-certificates
+ mountPath: /tmp/certs
+ - name: postgresql-certificates
+ mountPath: /opt/bitnami/postgresql/certs
+ {{- end }}
+ {{- end }}
+ {{- if .Values.primary.initContainers }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.primary.initContainers "context" $ ) | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: postgresql
+ image: {{ include "postgresql.v1.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if .Values.primary.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
+ {{- else if .Values.primary.command }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
+ {{- else if .Values.primary.args }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }}
+ {{- end }}
+ env:
+ - name: BITNAMI_DEBUG
+ value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
+ - name: POSTGRESQL_PORT_NUMBER
+ value: {{ .Values.containerPorts.postgresql | quote }}
+ - name: POSTGRESQL_VOLUME_DIR
+ value: {{ .Values.primary.persistence.mountPath | quote }}
+ {{- if .Values.primary.persistence.mountPath }}
+ - name: PGDATA
+ value: {{ .Values.postgresqlDataDir | quote }}
+ {{- end }}
+ # Authentication
+ {{- if or (eq $customUser "postgres") (empty $customUser) }}
+ {{- if .Values.auth.enablePostgresUser }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: POSTGRES_PASSWORD_FILE
+ value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
+ {{- else }}
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "postgresql.v1.secretName" . }}
+ key: {{ include "postgresql.v1.adminPasswordKey" . }}
+ {{- end }}
+ {{- else }}
+ - name: ALLOW_EMPTY_PASSWORD
+ value: "true"
+ {{- end }}
+ {{- else }}
+ - name: POSTGRES_USER
+ value: {{ $customUser | quote }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: POSTGRES_PASSWORD_FILE
+ value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }}
+ {{- else }}
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "postgresql.v1.secretName" . }}
+ key: {{ include "postgresql.v1.userPasswordKey" . }}
+ {{- end }}
+ {{- if .Values.auth.enablePostgresUser }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: POSTGRES_POSTGRES_PASSWORD_FILE
+ value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
+ {{- else }}
+ - name: POSTGRES_POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "postgresql.v1.secretName" . }}
+ key: {{ include "postgresql.v1.adminPasswordKey" . }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if (include "postgresql.v1.database" .) }}
+ - name: POSTGRES_DATABASE
+ value: {{ (include "postgresql.v1.database" .) | quote }}
+ {{- end }}
+ # Replication
+ {{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }}
+ - name: POSTGRES_REPLICATION_MODE
+ value: {{ ternary "slave" "master" .Values.primary.standby.enabled | quote }}
+ - name: POSTGRES_REPLICATION_USER
+ value: {{ .Values.auth.replicationUsername | quote }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: POSTGRES_REPLICATION_PASSWORD_FILE
+ value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.replicationPasswordKey" .) }}
+ {{- else }}
+ - name: POSTGRES_REPLICATION_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "postgresql.v1.secretName" . }}
+ key: {{ include "postgresql.v1.replicationPasswordKey" . }}
+ {{- end }}
+ {{- if ne .Values.replication.synchronousCommit "off" }}
+ - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE
+ value: {{ .Values.replication.synchronousCommit | quote }}
+ - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS
+ value: {{ .Values.replication.numSynchronousReplicas | quote }}
+ {{- end }}
+ - name: POSTGRES_CLUSTER_APP_NAME
+ value: {{ .Values.replication.applicationName }}
+ {{- end }}
+ # Initdb
+ {{- if .Values.primary.initdb.args }}
+ - name: POSTGRES_INITDB_ARGS
+ value: {{ .Values.primary.initdb.args | quote }}
+ {{- end }}
+ {{- if .Values.primary.initdb.postgresqlWalDir }}
+ - name: POSTGRES_INITDB_WALDIR
+ value: {{ .Values.primary.initdb.postgresqlWalDir | quote }}
+ {{- end }}
+ {{- if .Values.primary.initdb.user }}
+ - name: POSTGRES_INITSCRIPTS_USERNAME
+ value: {{ .Values.primary.initdb.user }}
+ {{- end }}
+ {{- if .Values.primary.initdb.password }}
+ - name: POSTGRES_INITSCRIPTS_PASSWORD
+ value: {{ .Values.primary.initdb.password | quote }}
+ {{- end }}
+ # Standby
+ {{- if .Values.primary.standby.enabled }}
+ - name: POSTGRES_MASTER_HOST
+ value: {{ .Values.primary.standby.primaryHost }}
+ - name: POSTGRES_MASTER_PORT_NUMBER
+ value: {{ .Values.primary.standby.primaryPort | quote }}
+ {{- end }}
+ # LDAP
+ - name: POSTGRESQL_ENABLE_LDAP
+ value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }}
+ {{- if .Values.ldap.enabled }}
+ {{- if or .Values.ldap.url .Values.ldap.uri }}
+ - name: POSTGRESQL_LDAP_URL
+ value: {{ coalesce .Values.ldap.url .Values.ldap.uri }}
+ {{- else }}
+ - name: POSTGRESQL_LDAP_SERVER
+ value: {{ .Values.ldap.server }}
+ - name: POSTGRESQL_LDAP_PORT
+ value: {{ .Values.ldap.port | quote }}
+ - name: POSTGRESQL_LDAP_SCHEME
+ value: {{ .Values.ldap.scheme }}
+ {{- if (include "postgresql.v1.ldap.tls.enabled" .) }}
+ - name: POSTGRESQL_LDAP_TLS
+ value: "1"
+ {{- end }}
+ - name: POSTGRESQL_LDAP_PREFIX
+ value: {{ .Values.ldap.prefix | quote }}
+ - name: POSTGRESQL_LDAP_SUFFIX
+ value: {{ .Values.ldap.suffix | quote }}
+ - name: POSTGRESQL_LDAP_BASE_DN
+ value: {{ coalesce .Values.ldap.baseDN .Values.ldap.basedn }}
+ - name: POSTGRESQL_LDAP_BIND_DN
+ value: {{ coalesce .Values.ldap.bindDN .Values.ldap.binddn}}
+ {{- if or (not (empty .Values.ldap.bind_password)) (not (empty .Values.ldap.bindpw)) }}
+ - name: POSTGRESQL_LDAP_BIND_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "postgresql.v1.secretName" . }}
+ key: ldap-password
+ {{- end }}
+ - name: POSTGRESQL_LDAP_SEARCH_ATTR
+ value: {{ coalesce .Values.ldap.search_attr .Values.ldap.searchAttribute }}
+ - name: POSTGRESQL_LDAP_SEARCH_FILTER
+ value: {{ coalesce .Values.ldap.search_filter .Values.ldap.searchFilter }}
+ {{- end }}
+ {{- end }}
+ # TLS
+ - name: POSTGRESQL_ENABLE_TLS
+ value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
+ {{- if .Values.tls.enabled }}
+ - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
+ value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
+ - name: POSTGRESQL_TLS_CERT_FILE
+ value: {{ include "postgresql.v1.tlsCert" . }}
+ - name: POSTGRESQL_TLS_KEY_FILE
+ value: {{ include "postgresql.v1.tlsCertKey" . }}
+ {{- if .Values.tls.certCAFilename }}
+ - name: POSTGRESQL_TLS_CA_FILE
+ value: {{ include "postgresql.v1.tlsCACert" . }}
+ {{- end }}
+ {{- if .Values.tls.crlFilename }}
+ - name: POSTGRESQL_TLS_CRL_FILE
+ value: {{ include "postgresql.v1.tlsCRL" . }}
+ {{- end }}
+ {{- end }}
+ # Audit
+ - name: POSTGRESQL_LOG_HOSTNAME
+ value: {{ .Values.audit.logHostname | quote }}
+ - name: POSTGRESQL_LOG_CONNECTIONS
+ value: {{ .Values.audit.logConnections | quote }}
+ - name: POSTGRESQL_LOG_DISCONNECTIONS
+ value: {{ .Values.audit.logDisconnections | quote }}
+ {{- if .Values.audit.logLinePrefix }}
+ - name: POSTGRESQL_LOG_LINE_PREFIX
+ value: {{ .Values.audit.logLinePrefix | quote }}
+ {{- end }}
+ {{- if .Values.audit.logTimezone }}
+ - name: POSTGRESQL_LOG_TIMEZONE
+ value: {{ .Values.audit.logTimezone | quote }}
+ {{- end }}
+ {{- if .Values.audit.pgAuditLog }}
+ - name: POSTGRESQL_PGAUDIT_LOG
+ value: {{ .Values.audit.pgAuditLog | quote }}
+ {{- end }}
+ - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
+ value: {{ .Values.audit.pgAuditLogCatalog | quote }}
+ # Others
+ - name: POSTGRESQL_CLIENT_MIN_MESSAGES
+ value: {{ .Values.audit.clientMinMessages | quote }}
+ - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
+ value: {{ .Values.postgresqlSharedPreloadLibraries | quote }}
+ {{- if .Values.primary.extraEnvVars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }}
+ envFrom:
+ {{- if .Values.primary.extraEnvVarsCM }}
+ - configMapRef:
+ name: {{ .Values.primary.extraEnvVarsCM }}
+ {{- end }}
+ {{- if .Values.primary.extraEnvVarsSecret }}
+ - secretRef:
+ name: {{ .Values.primary.extraEnvVarsSecret }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - name: tcp-postgresql
+ containerPort: {{ .Values.containerPorts.postgresql }}
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.primary.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }}
+ {{- else if .Values.primary.startupProbe.enabled }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.startupProbe "enabled") "context" $) | nindent 12 }}
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ {{- if (include "postgresql.v1.database" .) }}
+ - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+ {{- else }}
+ - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.primary.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.primary.livenessProbe.enabled }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.livenessProbe "enabled") "context" $) | nindent 12 }}
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ {{- if (include "postgresql.v1.database" .) }}
+ - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+ {{- else }}
+ - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.primary.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.primary.readinessProbe.enabled }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.readinessProbe "enabled") "context" $) | nindent 12 }}
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - -e
+ {{- include "postgresql.v1.readinessProbeCommand" . | nindent 16 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.primary.resources }}
+ resources: {{- toYaml .Values.primary.resources | nindent 12 }}
+ {{- end }}
+ {{- if .Values.primary.lifecycleHooks }}
+ lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
+ - name: custom-init-scripts
+ mountPath: /docker-entrypoint-initdb.d/
+ {{- end }}
+ {{- if .Values.primary.initdb.scriptsSecret }}
+ - name: custom-init-scripts-secret
+ mountPath: /docker-entrypoint-initdb.d/secret
+ {{- end }}
+ {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }}
+ - name: postgresql-extended-config
+ mountPath: {{ .Values.primary.persistence.mountPath }}/conf/conf.d/
+ {{- end }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: postgresql-password
+ mountPath: /opt/bitnami/postgresql/secrets/
+ {{- end }}
+ {{- if .Values.tls.enabled }}
+ - name: postgresql-certificates
+ mountPath: /opt/bitnami/postgresql/certs
+ readOnly: true
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ - name: dshm
+ mountPath: /dev/shm
+ {{- end }}
+ {{- if .Values.primary.persistence.enabled }}
+ - name: data
+ mountPath: {{ .Values.primary.persistence.mountPath }}
+ {{- if .Values.primary.persistence.subPath }}
+ subPath: {{ .Values.primary.persistence.subPath }}
+ {{- end }}
+ {{- end }}
+ {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
+ - name: postgresql-config
+ mountPath: {{ .Values.primary.persistence.mountPath }}/conf
+ {{- end }}
+ {{- if .Values.primary.extraVolumeMounts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.metrics.enabled }}
+ - name: metrics
+ image: {{ include "postgresql.v1.metrics.image" . }}
+ imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+ {{- if .Values.metrics.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.customMetrics }}
+ args: ["--extend.query-path", "/conf/custom-metrics.yaml"]
+ {{- end }}
+ env:
+ {{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.v1.database" .) }}
+ - name: DATA_SOURCE_URI
+ value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.v1.service.port" .)) $database }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: DATA_SOURCE_PASS_FILE
+ value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }}
+ {{- else }}
+ - name: DATA_SOURCE_PASS
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "postgresql.v1.secretName" . }}
+ key: {{ include "postgresql.v1.userPasswordKey" . }}
+ {{- end }}
+ - name: DATA_SOURCE_USER
+ value: {{ default "postgres" $customUser | quote }}
+ {{- if .Values.metrics.extraEnvVars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: http-metrics
+ containerPort: {{ .Values.metrics.containerPorts.metrics }}
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.metrics.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.startupProbe.enabled }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
+ tcpSocket:
+ port: http-metrics
+ {{- end }}
+ {{- if .Values.metrics.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.livenessProbe.enabled }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /
+ port: http-metrics
+ {{- end }}
+ {{- if .Values.metrics.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.readinessProbe.enabled }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /
+ port: http-metrics
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: postgresql-password
+ mountPath: /opt/bitnami/postgresql/secrets/
+ {{- end }}
+ {{- if .Values.metrics.customMetrics }}
+ - name: custom-metrics
+ mountPath: /conf
+ readOnly: true
+ {{- end }}
+ {{- if .Values.metrics.resources }}
+ resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.primary.sidecars }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }}
+ {{- end }}
+ volumes:
+ {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
+ - name: postgresql-config
+ configMap:
+ name: {{ include "postgresql.v1.primary.configmapName" . }}
+ {{- end }}
+ {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }}
+ - name: postgresql-extended-config
+ configMap:
+ name: {{ include "postgresql.v1.primary.extendedConfigmapName" . }}
+ {{- end }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: postgresql-password
+ secret:
+ secretName: {{ include "postgresql.v1.secretName" . }}
+ {{- end }}
+ {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }}
+ - name: custom-init-scripts
+ configMap:
+ name: {{ include "postgresql.v1.initdb.scriptsCM" . }}
+ {{- end }}
+ {{- if .Values.primary.initdb.scriptsSecret }}
+ - name: custom-init-scripts-secret
+ secret:
+ secretName: {{ tpl .Values.primary.initdb.scriptsSecret $ }}
+ {{- end }}
+ {{- if .Values.tls.enabled }}
+ - name: raw-certificates
+ secret:
+ secretName: {{ include "postgresql.v1.tlsSecretName" . }}
+ - name: postgresql-certificates
+ emptyDir: {}
+ {{- end }}
+ {{- if .Values.primary.extraVolumes }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraVolumes "context" $ ) | nindent 8 }}
+ {{- end }}
+ {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
+ - name: custom-metrics
+ configMap:
+ name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ - name: dshm
+ emptyDir:
+ medium: Memory
+ {{- if .Values.shmVolume.sizeLimit }}
+ sizeLimit: {{ .Values.shmVolume.sizeLimit }}
+ {{- end }}
+ {{- end }}
+ {{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }}
+ - name: data
+ persistentVolumeClaim:
+ claimName: {{ tpl .Values.primary.persistence.existingClaim $ }}
+ {{- else if not .Values.primary.persistence.enabled }}
+ - name: data
+ emptyDir: {}
+ {{- else }}
+ {{- if .Values.primary.persistentVolumeClaimRetentionPolicy.enabled }}
+ persistentVolumeClaimRetentionPolicy:
+ whenDeleted: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenDeleted }}
+ whenScaled: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenScaled }}
+ {{- end }}
+ volumeClaimTemplates:
+ - apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: data
+ {{- if .Values.primary.persistence.annotations }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.annotations "context" $) | nindent 10 }}
+ {{- end }}
+ {{- if .Values.primary.persistence.labels }}
+ labels: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.labels "context" $) | nindent 10 }}
+ {{- end }}
+ spec:
+ accessModes:
+ {{- range .Values.primary.persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- if .Values.primary.persistence.dataSource }}
+ dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.dataSource "context" $) | nindent 10 }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.primary.persistence.size | quote }}
+ {{- if .Values.primary.persistence.selector }}
+ selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }}
+ {{- end }}
+ {{- include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) | nindent 8 }}
+ {{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/primary/svc-headless.yaml b/charts/openproject/charts/postgresql/templates/primary/svc-headless.yaml
new file mode 100644
index 0000000..b18565a
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/primary/svc-headless.yaml
@@ -0,0 +1,36 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "postgresql.v1.primary.svc.headless" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: primary
+ annotations:
+ {{- if or .Values.primary.service.headless.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
+ {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+ # Use this annotation in addition to the actual publishNotReadyAddresses
+ # field below because the annotation will stop being respected soon but the
+ # field is broken in some versions of Kubernetes:
+ # https://github.com/kubernetes/kubernetes/issues/58662
+ service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+spec:
+ type: ClusterIP
+ clusterIP: None
+ # We want all pods in the StatefulSet to have their addresses published for
+ # the sake of the other Postgresql pods even before they're ready, since they
+ # have to be able to talk to each other in order to become ready.
+ publishNotReadyAddresses: true
+ ports:
+ - name: tcp-postgresql
+ port: {{ template "postgresql.v1.service.port" . }}
+ targetPort: tcp-postgresql
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: primary
diff --git a/charts/openproject/charts/postgresql/templates/primary/svc.yaml b/charts/openproject/charts/postgresql/templates/primary/svc.yaml
new file mode 100644
index 0000000..90f7e46
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/primary/svc.yaml
@@ -0,0 +1,51 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "postgresql.v1.primary.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: primary
+ {{- if or .Values.commonAnnotations .Values.primary.service.annotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.primary.service.type }}
+ {{- if or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort") }}
+ externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }}
+ {{- end }}
+ {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerSourceRanges)) }}
+ loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges | toJson}}
+ {{- end }}
+ {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP)) }}
+ loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }}
+ {{- end }}
+ {{- if and .Values.primary.service.clusterIP (eq .Values.primary.service.type "ClusterIP") }}
+ clusterIP: {{ .Values.primary.service.clusterIP }}
+ {{- end }}
+ {{- if .Values.primary.service.sessionAffinity }}
+ sessionAffinity: {{ .Values.primary.service.sessionAffinity }}
+ {{- end }}
+ {{- if .Values.primary.service.sessionAffinityConfig }}
+ sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.sessionAffinityConfig "context" $) | nindent 4 }}
+ {{- end }}
+ ports:
+ - name: tcp-postgresql
+ port: {{ template "postgresql.v1.service.port" . }}
+ targetPort: tcp-postgresql
+ {{- if and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (not (empty .Values.primary.service.nodePorts.postgresql)) }}
+ nodePort: {{ .Values.primary.service.nodePorts.postgresql }}
+ {{- else if eq .Values.primary.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ {{- if .Values.primary.service.extraPorts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: primary
diff --git a/charts/openproject/charts/postgresql/templates/prometheusrule.yaml b/charts/openproject/charts/postgresql/templates/prometheusrule.yaml
new file mode 100644
index 0000000..6cdb087
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/prometheusrule.yaml
@@ -0,0 +1,22 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.prometheusRule.labels .Values.commonLabels ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: metrics
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ groups:
+ - name: {{ include "common.names.fullname" . }}
+ rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/psp.yaml b/charts/openproject/charts/postgresql/templates/psp.yaml
new file mode 100644
index 0000000..f6bf59f
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/psp.yaml
@@ -0,0 +1,43 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}}
+{{- if and $pspAvailable .Values.psp.create }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ privileged: false
+ volumes:
+ - 'configMap'
+ - 'secret'
+ - 'persistentVolumeClaim'
+ - 'emptyDir'
+ - 'projected'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/read/extended-configmap.yaml b/charts/openproject/charts/postgresql/templates/read/extended-configmap.yaml
new file mode 100644
index 0000000..efa87bb
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/read/extended-configmap.yaml
@@ -0,0 +1,20 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-extended-configuration" (include "postgresql.v1.readReplica.fullname" .) }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: read
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ override.conf: |-
+ {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extendedConfiguration "context" $ ) | nindent 4 }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/read/metrics-configmap.yaml b/charts/openproject/charts/postgresql/templates/read/metrics-configmap.yaml
new file mode 100644
index 0000000..a1e06bf
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/read/metrics-configmap.yaml
@@ -0,0 +1,18 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.metrics.enabled .Values.metrics.customMetrics (eq .Values.architecture "replication") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/read/metrics-svc.yaml b/charts/openproject/charts/postgresql/templates/read/metrics-svc.yaml
new file mode 100644
index 0000000..e9f13e0
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/read/metrics-svc.yaml
@@ -0,0 +1,31 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.metrics.enabled (eq .Values.architecture "replication") }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: metrics-read
+ {{- if or .Values.commonAnnotations .Values.metrics.service.annotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
+ {{- if .Values.metrics.service.clusterIP }}
+ clusterIP: {{ .Values.metrics.service.clusterIP }}
+ {{- end }}
+ ports:
+ - name: http-metrics
+ port: {{ .Values.metrics.service.ports.metrics }}
+ targetPort: http-metrics
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: read
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/read/networkpolicy.yaml b/charts/openproject/charts/postgresql/templates/read/networkpolicy.yaml
new file mode 100644
index 0000000..79d3a5a
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/read/networkpolicy.yaml
@@ -0,0 +1,39 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled }}
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+ name: {{ printf "%s-ingress" (include "postgresql.v1.readReplica.fullname" .) }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: read
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
+ podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: read
+ ingress:
+ {{- if and .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector) }}
+ - from:
+ {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector }}
+ - namespaceSelector:
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }}
+ {{- end }}
+ {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector }}
+ - podSelector:
+ matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector "context" $) | nindent 14 }}
+ {{- end }}
+ ports:
+ - port: {{ .Values.containerPorts.postgresql }}
+ {{- end }}
+ {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules "context" $) | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/read/servicemonitor.yaml b/charts/openproject/charts/postgresql/templates/read/servicemonitor.yaml
new file mode 100644
index 0000000..845734b
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/read/servicemonitor.yaml
@@ -0,0 +1,46 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled (eq .Values.architecture "replication") }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "postgresql.v1.readReplica.fullname" . }}
+ namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: metrics-read
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.metrics.serviceMonitor.jobLabel }}
+ jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
+ {{- end }}
+ selector:
+ {{- $svcLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.selector .Values.commonLabels ) "context" . ) }}
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $svcLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: metrics-read
+ endpoints:
+ - port: http-metrics
+ {{- if .Values.metrics.serviceMonitor.interval }}
+ interval: {{ .Values.metrics.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.relabelings }}
+ relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.honorLabels }}
+ honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/read/statefulset.yaml b/charts/openproject/charts/postgresql/templates/read/statefulset.yaml
new file mode 100644
index 0000000..8268700
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/read/statefulset.yaml
@@ -0,0 +1,552 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if eq .Values.architecture "replication" }}
+{{- $customUser := include "postgresql.v1.username" . }}
+apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
+kind: StatefulSet
+metadata:
+ name: {{ include "postgresql.v1.readReplica.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.labels .Values.commonLabels ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: read
+ {{- if or .Values.commonAnnotations .Values.readReplicas.annotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.readReplicas.replicaCount }}
+ serviceName: {{ include "postgresql.v1.readReplica.svc.headless" . }}
+ {{- if .Values.readReplicas.updateStrategy }}
+ updateStrategy: {{- toYaml .Values.readReplicas.updateStrategy | nindent 4 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: read
+ template:
+ metadata:
+ name: {{ include "postgresql.v1.readReplica.fullname" . }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
+ app.kubernetes.io/component: read
+ {{- if or (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) .Values.readReplicas.podAnnotations }}
+ annotations:
+ {{- if (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) }}
+ checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
+ {{- end }}
+ {{- if .Values.readReplicas.podAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ spec:
+ {{- if .Values.readReplicas.extraPodSpec }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }}
+ {{- end }}
+ serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }}
+ {{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
+ {{- if .Values.readReplicas.hostAliases }}
+ hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.readReplicas.affinity }}
+ affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }}
+ {{- else }}
+ affinity:
+ podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "customLabels" $podLabels "context" $) | nindent 10 }}
+ podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "customLabels" $podLabels "context" $) | nindent 10 }}
+ nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }}
+ {{- end }}
+ {{- if .Values.readReplicas.nodeSelector }}
+ nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.readReplicas.tolerations }}
+ tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.readReplicas.topologySpreadConstraints }}
+ topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.topologySpreadConstraints "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.readReplicas.priorityClassName }}
+ priorityClassName: {{ .Values.readReplicas.priorityClassName }}
+ {{- end }}
+ {{- if .Values.readReplicas.schedulerName }}
+ schedulerName: {{ .Values.readReplicas.schedulerName | quote }}
+ {{- end }}
+ {{- if .Values.readReplicas.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }}
+ {{- end }}
+ {{- if .Values.readReplicas.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ hostNetwork: {{ .Values.readReplicas.hostNetwork }}
+ hostIPC: {{ .Values.readReplicas.hostIPC }}
+ {{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled)) .Values.readReplicas.initContainers }}
+ initContainers:
+ {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
+ - name: copy-certs
+ image: {{ include "postgresql.v1.volumePermissions.image" . }}
+ imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+ {{- if .Values.readReplicas.resources }}
+ resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
+ {{- end }}
+ # We don't require a privileged container in this case
+ {{- if .Values.readReplicas.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -ec
+ - |
+ cp /tmp/certs/* /opt/bitnami/postgresql/certs/
+ chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
+ volumeMounts:
+ - name: raw-certificates
+ mountPath: /tmp/certs
+ - name: postgresql-certificates
+ mountPath: /opt/bitnami/postgresql/certs
+ {{- else if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled) }}
+ - name: init-chmod-data
+ image: {{ include "postgresql.v1.volumePermissions.image" . }}
+ imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+ {{- if .Values.readReplicas.resources }}
+ resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -ec
+ - |
+ {{- if .Values.readReplicas.persistence.enabled }}
+ {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+ chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.readReplicas.persistence.mountPath }}
+ {{- else }}
+ chown {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} {{ .Values.readReplicas.persistence.mountPath }}
+ {{- end }}
+ mkdir -p {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }}
+ chmod 700 {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }}
+ find {{ .Values.readReplicas.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.v1.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
+ {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+ xargs -r chown -R `id -u`:`id -G | cut -d " " -f2`
+ {{- else }}
+ xargs -r chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ chmod -R 777 /dev/shm
+ {{- end }}
+ {{- if .Values.tls.enabled }}
+ cp /tmp/certs/* /opt/bitnami/postgresql/certs/
+ {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+ chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
+ {{- else }}
+ chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/
+ {{- end }}
+ chmod 600 {{ include "postgresql.v1.tlsCertKey" . }}
+ {{- end }}
+ {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
+ securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }}
+ {{- else }}
+ securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ {{ if .Values.readReplicas.persistence.enabled }}
+ - name: data
+ mountPath: {{ .Values.readReplicas.persistence.mountPath }}
+ {{- if .Values.readReplicas.persistence.subPath }}
+ subPath: {{ .Values.readReplicas.persistence.subPath }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ - name: dshm
+ mountPath: /dev/shm
+ {{- end }}
+ {{- if .Values.tls.enabled }}
+ - name: raw-certificates
+ mountPath: /tmp/certs
+ - name: postgresql-certificates
+ mountPath: /opt/bitnami/postgresql/certs
+ {{- end }}
+ {{- end }}
+ {{- if .Values.readReplicas.initContainers }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.initContainers "context" $ ) | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: postgresql
+ image: {{ include "postgresql.v1.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if .Values.readReplicas.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
+ {{- else if .Values.readReplicas.command }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.command "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
+ {{- else if .Values.readReplicas.args }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.args "context" $) | nindent 12 }}
+ {{- end }}
+ env:
+ - name: BITNAMI_DEBUG
+ value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }}
+ - name: POSTGRESQL_PORT_NUMBER
+ value: {{ .Values.containerPorts.postgresql | quote }}
+ - name: POSTGRESQL_VOLUME_DIR
+ value: {{ .Values.readReplicas.persistence.mountPath | quote }}
+ {{- if .Values.readReplicas.persistence.mountPath }}
+ - name: PGDATA
+ value: {{ .Values.postgresqlDataDir | quote }}
+ {{- end }}
+ # Authentication
+ {{- if or (eq $customUser "postgres") (empty $customUser) }}
+ {{- if .Values.auth.enablePostgresUser }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: POSTGRES_PASSWORD_FILE
+ value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
+ {{- else }}
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "postgresql.v1.secretName" . }}
+ key: {{ include "postgresql.v1.adminPasswordKey" . }}
+ {{- end }}
+ {{- else }}
+ - name: ALLOW_EMPTY_PASSWORD
+ value: "true"
+ {{- end }}
+ {{- else }}
+ - name: POSTGRES_USER
+ value: {{ $customUser | quote }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: POSTGRES_PASSWORD_FILE
+ value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }}
+ {{- else }}
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "postgresql.v1.secretName" . }}
+ key: {{ include "postgresql.v1.userPasswordKey" . }}
+ {{- end }}
+ {{- if .Values.auth.enablePostgresUser }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: POSTGRES_POSTGRES_PASSWORD_FILE
+ value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
+ {{- else }}
+ - name: POSTGRES_POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "postgresql.v1.secretName" . }}
+ key: {{ include "postgresql.v1.adminPasswordKey" . }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ # Replication
+ - name: POSTGRES_REPLICATION_MODE
+ value: "slave"
+ - name: POSTGRES_REPLICATION_USER
+ value: {{ .Values.auth.replicationUsername | quote }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: POSTGRES_REPLICATION_PASSWORD_FILE
+ value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.replicationPasswordKey" .) }}
+ {{- else }}
+ - name: POSTGRES_REPLICATION_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "postgresql.v1.secretName" . }}
+ key: {{ include "postgresql.v1.replicationPasswordKey" . }}
+ {{- end }}
+ - name: POSTGRES_CLUSTER_APP_NAME
+ value: {{ .Values.replication.applicationName }}
+ - name: POSTGRES_MASTER_HOST
+ value: {{ include "postgresql.v1.primary.fullname" . }}
+ - name: POSTGRES_MASTER_PORT_NUMBER
+ value: {{ include "postgresql.v1.service.port" . | quote }}
+ # TLS
+ - name: POSTGRESQL_ENABLE_TLS
+ value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
+ {{- if .Values.tls.enabled }}
+ - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
+ value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
+ - name: POSTGRESQL_TLS_CERT_FILE
+ value: {{ include "postgresql.v1.tlsCert" . }}
+ - name: POSTGRESQL_TLS_KEY_FILE
+ value: {{ include "postgresql.v1.tlsCertKey" . }}
+ {{- if .Values.tls.certCAFilename }}
+ - name: POSTGRESQL_TLS_CA_FILE
+ value: {{ include "postgresql.v1.tlsCACert" . }}
+ {{- end }}
+ {{- if .Values.tls.crlFilename }}
+ - name: POSTGRESQL_TLS_CRL_FILE
+ value: {{ include "postgresql.v1.tlsCRL" . }}
+ {{- end }}
+ {{- end }}
+ # Audit
+ - name: POSTGRESQL_LOG_HOSTNAME
+ value: {{ .Values.audit.logHostname | quote }}
+ - name: POSTGRESQL_LOG_CONNECTIONS
+ value: {{ .Values.audit.logConnections | quote }}
+ - name: POSTGRESQL_LOG_DISCONNECTIONS
+ value: {{ .Values.audit.logDisconnections | quote }}
+ {{- if .Values.audit.logLinePrefix }}
+ - name: POSTGRESQL_LOG_LINE_PREFIX
+ value: {{ .Values.audit.logLinePrefix | quote }}
+ {{- end }}
+ {{- if .Values.audit.logTimezone }}
+ - name: POSTGRESQL_LOG_TIMEZONE
+ value: {{ .Values.audit.logTimezone | quote }}
+ {{- end }}
+ {{- if .Values.audit.pgAuditLog }}
+ - name: POSTGRESQL_PGAUDIT_LOG
+ value: {{ .Values.audit.pgAuditLog | quote }}
+ {{- end }}
+ - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
+ value: {{ .Values.audit.pgAuditLogCatalog | quote }}
+ # Others
+ - name: POSTGRESQL_CLIENT_MIN_MESSAGES
+ value: {{ .Values.audit.clientMinMessages | quote }}
+ - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
+ value: {{ .Values.postgresqlSharedPreloadLibraries | quote }}
+ {{- if .Values.readReplicas.extraEnvVars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraEnvVars "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if or .Values.readReplicas.extraEnvVarsCM .Values.readReplicas.extraEnvVarsSecret }}
+ envFrom:
+ {{- if .Values.readReplicas.extraEnvVarsCM }}
+ - configMapRef:
+ name: {{ .Values.readReplicas.extraEnvVarsCM }}
+ {{- end }}
+ {{- if .Values.readReplicas.extraEnvVarsSecret }}
+ - secretRef:
+ name: {{ .Values.readReplicas.extraEnvVarsSecret }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - name: tcp-postgresql
+ containerPort: {{ .Values.containerPorts.postgresql }}
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.readReplicas.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customStartupProbe "context" $) | nindent 12 }}
+ {{- else if .Values.readReplicas.startupProbe.enabled }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.startupProbe "enabled") "context" $) | nindent 12 }}
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ {{- if (include "postgresql.v1.database" .) }}
+ - exec pg_isready -U {{ default "postgres" $customUser| quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+ {{- else }}
+ - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.readReplicas.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customLivenessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.readReplicas.livenessProbe.enabled }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.livenessProbe "enabled") "context" $) | nindent 12 }}
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ {{- if (include "postgresql.v1.database" .) }}
+ - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+ {{- else }}
+ - exec pg_isready -U {{default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.readReplicas.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.readReplicas.readinessProbe.enabled }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.readinessProbe "enabled") "context" $) | nindent 12 }}
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - -e
+ {{- include "postgresql.v1.readinessProbeCommand" . | nindent 16 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.readReplicas.resources }}
+ resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
+ {{- end }}
+ {{- if .Values.readReplicas.lifecycleHooks }}
+ lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: postgresql-password
+ mountPath: /opt/bitnami/postgresql/secrets/
+ {{- end }}
+ {{- if .Values.readReplicas.extendedConfiguration }}
+ - name: postgresql-extended-config
+ mountPath: {{ .Values.readReplicas.persistence.mountPath }}/conf/conf.d/
+ {{- end }}
+ {{- if .Values.tls.enabled }}
+ - name: postgresql-certificates
+ mountPath: /opt/bitnami/postgresql/certs
+ readOnly: true
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ - name: dshm
+ mountPath: /dev/shm
+ {{- end }}
+ {{- if .Values.readReplicas.persistence.enabled }}
+ - name: data
+ mountPath: {{ .Values.readReplicas.persistence.mountPath }}
+ {{- if .Values.readReplicas.persistence.subPath }}
+ subPath: {{ .Values.readReplicas.persistence.subPath }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.readReplicas.extraVolumeMounts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraVolumeMounts "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.metrics.enabled }}
+ - name: metrics
+ image: {{ include "postgresql.v1.metrics.image" . }}
+ imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+ {{- if .Values.metrics.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ {{- if .Values.diagnosticMode.enabled }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.customMetrics }}
+ args: [ "--extend.query-path", "/conf/custom-metrics.yaml" ]
+ {{- end }}
+ env:
+ {{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.v1.database" .) }}
+ - name: DATA_SOURCE_URI
+ value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.v1.service.port" .)) $database }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: DATA_SOURCE_PASS_FILE
+ value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }}
+ {{- else }}
+ - name: DATA_SOURCE_PASS
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "postgresql.v1.secretName" . }}
+ key: {{ include "postgresql.v1.userPasswordKey" . }}
+ {{- end }}
+ - name: DATA_SOURCE_USER
+ value: {{ default "postgres" $customUser | quote }}
+ {{- if .Values.metrics.extraEnvVars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: http-metrics
+ containerPort: {{ .Values.metrics.containerPorts.metrics }}
+ {{- if not .Values.diagnosticMode.enabled }}
+ {{- if .Values.metrics.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.startupProbe.enabled }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }}
+ tcpSocket:
+ port: http-metrics
+ {{- end }}
+ {{- if .Values.metrics.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.livenessProbe.enabled }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /
+ port: http-metrics
+ {{- end }}
+ {{- if .Values.metrics.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }}
+ {{- else if .Values.metrics.readinessProbe.enabled }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /
+ port: http-metrics
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: postgresql-password
+ mountPath: /opt/bitnami/postgresql/secrets/
+ {{- end }}
+ {{- if .Values.metrics.customMetrics }}
+ - name: custom-metrics
+ mountPath: /conf
+ readOnly: true
+ {{- end }}
+ {{- if .Values.metrics.resources }}
+ resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.readReplicas.sidecars }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }}
+ {{- end }}
+ volumes:
+ {{- if .Values.readReplicas.extendedConfiguration }}
+ - name: postgresql-extended-config
+ configMap:
+ name: {{ include "postgresql.v1.readReplicas.extendedConfigmapName" . }}
+ {{- end }}
+ {{- if .Values.auth.usePasswordFiles }}
+ - name: postgresql-password
+ secret:
+ secretName: {{ include "postgresql.v1.secretName" . }}
+ {{- end }}
+ {{- if .Values.tls.enabled }}
+ - name: raw-certificates
+ secret:
+ secretName: {{ include "postgresql.v1.tlsSecretName" . }}
+ - name: postgresql-certificates
+ emptyDir: {}
+ {{- end }}
+ {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
+ - name: custom-metrics
+ configMap:
+ name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
+ {{- end }}
+ {{- if .Values.shmVolume.enabled }}
+ - name: dshm
+ emptyDir:
+ medium: Memory
+ {{- if .Values.shmVolume.sizeLimit }}
+ sizeLimit: {{ .Values.shmVolume.sizeLimit }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.readReplicas.extraVolumes }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }}
+ {{- end }}
+ {{- if and .Values.readReplicas.persistence.enabled .Values.readReplicas.persistence.existingClaim }}
+ - name: data
+ persistentVolumeClaim:
+ claimName: {{ tpl .Values.readReplicas.persistence.existingClaim $ }}
+ {{- else if not .Values.readReplicas.persistence.enabled }}
+ - name: data
+ emptyDir: {}
+ {{- else }}
+ {{- if .Values.readReplicas.persistentVolumeClaimRetentionPolicy.enabled }}
+ persistentVolumeClaimRetentionPolicy:
+ whenDeleted: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted }}
+ whenScaled: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled }}
+ {{- end }}
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ {{- if .Values.readReplicas.persistence.annotations }}
+ annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }}
+ {{- end }}
+ {{- if .Values.readReplicas.persistence.labels }}
+ labels: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.labels "context" $) | nindent 10 }}
+ {{- end }}
+ spec:
+ accessModes:
+ {{- range .Values.readReplicas.persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- if .Values.readReplicas.persistence.dataSource }}
+ dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.dataSource "context" $) | nindent 10 }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.readReplicas.persistence.size | quote }}
+ {{- if .Values.readReplicas.persistence.selector }}
+ selector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.selector "context" $) | nindent 10 }}
+ {{- end -}}
+ {{- include "common.storage.class" (dict "persistence" .Values.readReplicas.persistence "global" .Values.global) | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/read/svc-headless.yaml b/charts/openproject/charts/postgresql/templates/read/svc-headless.yaml
new file mode 100644
index 0000000..249af5f
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/read/svc-headless.yaml
@@ -0,0 +1,38 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if eq .Values.architecture "replication" }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "postgresql.v1.readReplica.svc.headless" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: read
+ annotations:
+ {{- if or .Values.readReplicas.service.headless.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
+ {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+ # Use this annotation in addition to the actual publishNotReadyAddresses
+ # field below because the annotation will stop being respected soon but the
+ # field is broken in some versions of Kubernetes:
+ # https://github.com/kubernetes/kubernetes/issues/58662
+ service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+spec:
+ type: ClusterIP
+ clusterIP: None
+ # We want all pods in the StatefulSet to have their addresses published for
+ # the sake of the other Postgresql pods even before they're ready, since they
+ # have to be able to talk to each other in order to become ready.
+ publishNotReadyAddresses: true
+ ports:
+ - name: tcp-postgresql
+ port: {{ include "postgresql.v1.readReplica.service.port" . }}
+ targetPort: tcp-postgresql
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: read
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/read/svc.yaml b/charts/openproject/charts/postgresql/templates/read/svc.yaml
new file mode 100644
index 0000000..d92c523
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/read/svc.yaml
@@ -0,0 +1,53 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if eq .Values.architecture "replication" }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "postgresql.v1.readReplica.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: read
+ {{- if or .Values.commonAnnotations .Values.readReplicas.service.annotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.service.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.readReplicas.service.type }}
+ {{- if or (eq .Values.readReplicas.service.type "LoadBalancer") (eq .Values.readReplicas.service.type "NodePort") }}
+ externalTrafficPolicy: {{ .Values.readReplicas.service.externalTrafficPolicy | quote }}
+ {{- end }}
+ {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerSourceRanges)) }}
+ loadBalancerSourceRanges: {{ .Values.readReplicas.service.loadBalancerSourceRanges }}
+ {{- end }}
+ {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerIP)) }}
+ loadBalancerIP: {{ .Values.readReplicas.service.loadBalancerIP }}
+ {{- end }}
+ {{- if and .Values.readReplicas.service.clusterIP (eq .Values.readReplicas.service.type "ClusterIP") }}
+ clusterIP: {{ .Values.readReplicas.service.clusterIP }}
+ {{- end }}
+ {{- if .Values.readReplicas.service.sessionAffinity }}
+ sessionAffinity: {{ .Values.readReplicas.service.sessionAffinity }}
+ {{- end }}
+ {{- if .Values.readReplicas.service.sessionAffinityConfig }}
+ sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.sessionAffinityConfig "context" $) | nindent 4 }}
+ {{- end }}
+ ports:
+ - name: tcp-postgresql
+ port: {{ include "postgresql.v1.readReplica.service.port" . }}
+ targetPort: tcp-postgresql
+ {{- if and (or (eq .Values.readReplicas.service.type "NodePort") (eq .Values.readReplicas.service.type "LoadBalancer")) (not (empty .Values.readReplicas.service.nodePorts.postgresql)) }}
+ nodePort: {{ .Values.readReplicas.service.nodePorts.postgresql }}
+ {{- else if eq .Values.readReplicas.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ {{- if .Values.readReplicas.service.extraPorts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.extraPorts "context" $) | nindent 4 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: read
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/role.yaml b/charts/openproject/charts/postgresql/templates/role.yaml
new file mode 100644
index 0000000..a05805e
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/role.yaml
@@ -0,0 +1,33 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.rbac.create }}
+kind: Role
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+# yamllint disable rule:indentation
+rules:
+ {{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}}
+ {{- if and $pspAvailable .Values.psp.create }}
+ - apiGroups:
+ - 'policy'
+ resources:
+ - 'podsecuritypolicies'
+ verbs:
+ - 'use'
+ resourceNames:
+ - {{ include "common.names.fullname" . }}
+ {{- end }}
+ {{- if .Values.rbac.rules }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
+ {{- end }}
+# yamllint enable rule:indentation
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/rolebinding.yaml b/charts/openproject/charts/postgresql/templates/rolebinding.yaml
new file mode 100644
index 0000000..04323a0
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/rolebinding.yaml
@@ -0,0 +1,24 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+roleRef:
+ kind: Role
+ name: {{ include "common.names.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "postgresql.v1.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/secrets.yaml b/charts/openproject/charts/postgresql/templates/secrets.yaml
new file mode 100644
index 0000000..b4267ab
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/secrets.yaml
@@ -0,0 +1,99 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- $host := include "postgresql.v1.primary.fullname" . }}
+{{- $port := include "postgresql.v1.service.port" . }}
+{{- $customUser := include "postgresql.v1.username" . }}
+{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.adminPasswordKey .Values.auth.secretKeys.adminPasswordKey) "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.password .Values.auth.password .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) | trimAll "\"" | b64dec }}
+{{- if and (not $postgresPassword) .Values.auth.enablePostgresUser }}
+{{- $postgresPassword = randAlphaNum 10 }}
+{{- end }}
+{{- $replicationPassword := "" }}
+{{- if eq .Values.architecture "replication" }}
+{{- $replicationPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.replicationPasswordKey .Values.auth.secretKeys.replicationPasswordKey) "providedValues" (list "auth.replicationPassword") "context" $) | trimAll "\"" | b64dec }}
+{{- end }}
+{{- $ldapPassword := "" }}
+{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
+{{- $ldapPassword = coalesce .Values.ldap.bind_password .Values.ldap.bindpw }}
+{{- end }}
+{{- $password := "" }}
+{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
+{{- $password = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.userPasswordKey .Values.auth.secretKeys.userPasswordKey) "providedValues" (list "global.postgresql.auth.password" "auth.password") "context" $) | trimAll "\"" | b64dec }}
+{{- end }}
+{{- $database := include "postgresql.v1.database" . }}
+{{- if (include "postgresql.v1.createSecret" .) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+ {{- if $postgresPassword }}
+ postgres-password: {{ $postgresPassword | b64enc | quote }}
+ {{- end }}
+ {{- if $password }}
+ password: {{ $password | b64enc | quote }}
+ {{- end }}
+ {{- if $replicationPassword }}
+ replication-password: {{ $replicationPassword | b64enc | quote }}
+ {{- end }}
+ # We don't auto-generate LDAP password when it's not provided as we do for other passwords
+ {{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
+ ldap-password: {{ $ldapPassword | b64enc | quote }}
+ {{- end }}
+{{- end }}
+{{- if .Values.serviceBindings.enabled }}
+{{- if $postgresPassword }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.names.fullname" . }}-svcbind-postgres
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: servicebinding.io/postgresql
+data:
+ provider: {{ print "bitnami" | b64enc | quote }}
+ type: {{ print "postgresql" | b64enc | quote }}
+ host: {{ $host | b64enc | quote }}
+ port: {{ $port | b64enc | quote }}
+ username: {{ print "postgres" | b64enc | quote }}
+ database: {{ print "postgres" | b64enc | quote }}
+ password: {{ $postgresPassword | b64enc | quote }}
+ uri: {{ printf "postgresql://postgres:%s@%s:%s/postgres" $postgresPassword $host $port | b64enc | quote }}
+{{- end }}
+{{- if $password }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.names.fullname" . }}-svcbind-custom-user
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: servicebinding.io/postgresql
+data:
+ provider: {{ print "bitnami" | b64enc | quote }}
+ type: {{ print "postgresql" | b64enc | quote }}
+ host: {{ $host | b64enc | quote }}
+ port: {{ $port | b64enc | quote }}
+ username: {{ $customUser | b64enc | quote }}
+ password: {{ $password | b64enc | quote }}
+ {{- if $database }}
+ database: {{ $database | b64enc | quote }}
+ {{- end }}
+ uri: {{ printf "postgresql://%s:%s@%s:%s/%s" $customUser $password $host $port $database | b64enc | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/serviceaccount.yaml b/charts/openproject/charts/postgresql/templates/serviceaccount.yaml
new file mode 100644
index 0000000..8886bff
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "postgresql.v1.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/templates/tls-secrets.yaml b/charts/openproject/charts/postgresql/templates/tls-secrets.yaml
new file mode 100644
index 0000000..7e44a43
--- /dev/null
+++ b/charts/openproject/charts/postgresql/templates/tls-secrets.yaml
@@ -0,0 +1,30 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if (include "postgresql.v1.createTlsSecret" . ) }}
+{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }}
+{{- $ca := genCA "postgresql-ca" 365 }}
+{{- $fullname := include "common.names.fullname" . }}
+{{- $releaseNamespace := .Release.Namespace }}
+{{- $clusterDomain := .Values.clusterDomain }}
+{{- $primaryHeadlessServiceName := include "postgresql.v1.primary.svc.headless" . }}
+{{- $readHeadlessServiceName := include "postgresql.v1.readReplica.svc.headless" . }}
+{{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) $fullname }}
+{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+ tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+ ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
+{{- end }}
diff --git a/charts/openproject/charts/postgresql/values.schema.json b/charts/openproject/charts/postgresql/values.schema.json
new file mode 100644
index 0000000..fc41483
--- /dev/null
+++ b/charts/openproject/charts/postgresql/values.schema.json
@@ -0,0 +1,156 @@
+{
+ "$schema": "http://json-schema.org/schema#",
+ "type": "object",
+ "properties": {
+ "architecture": {
+ "type": "string",
+ "title": "PostgreSQL architecture",
+ "form": true,
+ "description": "Allowed values: `standalone` or `replication`"
+ },
+ "auth": {
+ "type": "object",
+ "title": "Authentication configuration",
+ "form": true,
+ "properties": {
+ "enablePostgresUser": {
+ "type": "boolean",
+ "title": "Enable \"postgres\" admin user",
+ "description": "Assign a password to the \"postgres\" admin user. Otherwise, remote access will be blocked for this user",
+ "form": true
+ },
+ "postgresPassword": {
+ "type": "string",
+ "title": "Password for the \"postgres\" admin user",
+ "description": "Defaults to a random 10-character alphanumeric string if not set",
+ "form": true
+ },
+ "database": {
+ "type": "string",
+ "title": "PostgreSQL custom database",
+ "description": "Name of the custom database to be created during the 1st initialization of PostgreSQL",
+ "form": true
+ },
+ "username": {
+ "type": "string",
+ "title": "PostgreSQL custom user",
+ "description": "Name of the custom user to be created during the 1st initialization of PostgreSQL. This user only has permissions on the PostgreSQL custom database",
+ "form": true
+ },
+ "password": {
+ "type": "string",
+ "title": "Password for the custom user to create",
+ "description": "Defaults to a random 10-character alphanumeric string if not set",
+ "form": true
+ },
+ "replicationUsername": {
+ "type": "string",
+ "title": "PostgreSQL replication user",
+ "description": "Name of user used to manage replication.",
+ "form": true,
+ "hidden": {
+ "value": "standalone",
+ "path": "architecture"
+ }
+ },
+ "replicationPassword": {
+ "type": "string",
+ "title": "Password for PostgreSQL replication user",
+ "description": "Defaults to a random 10-character alphanumeric string if not set",
+ "form": true,
+ "hidden": {
+ "value": "standalone",
+ "path": "architecture"
+ }
+ }
+ }
+ },
+ "persistence": {
+ "type": "object",
+ "properties": {
+ "size": {
+ "type": "string",
+ "title": "Persistent Volume Size",
+ "form": true,
+ "render": "slider",
+ "sliderMin": 1,
+ "sliderMax": 100,
+ "sliderUnit": "Gi"
+ }
+ }
+ },
+ "resources": {
+ "type": "object",
+ "title": "Required Resources",
+ "description": "Configure resource requests",
+ "form": true,
+ "properties": {
+ "requests": {
+ "type": "object",
+ "properties": {
+ "memory": {
+ "type": "string",
+ "form": true,
+ "render": "slider",
+ "title": "Memory Request",
+ "sliderMin": 10,
+ "sliderMax": 2048,
+ "sliderUnit": "Mi"
+ },
+ "cpu": {
+ "type": "string",
+ "form": true,
+ "render": "slider",
+ "title": "CPU Request",
+ "sliderMin": 10,
+ "sliderMax": 2000,
+ "sliderUnit": "m"
+ }
+ }
+ }
+ }
+ },
+ "replication": {
+ "type": "object",
+ "form": true,
+ "title": "Replication Details",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "title": "Enable Replication",
+ "form": true
+ },
+ "readReplicas": {
+ "type": "integer",
+ "title": "read Replicas",
+ "form": true,
+ "hidden": {
+ "value": "standalone",
+ "path": "architecture"
+ }
+ }
+ }
+ },
+ "volumePermissions": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "form": true,
+ "title": "Enable Init Containers",
+ "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup"
+ }
+ }
+ },
+ "metrics": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "title": "Configure metrics exporter",
+ "form": true
+ }
+ }
+ }
+ }
+}
diff --git a/charts/openproject/charts/postgresql/values.yaml b/charts/openproject/charts/postgresql/values.yaml
new file mode 100644
index 0000000..d0c6279
--- /dev/null
+++ b/charts/openproject/charts/postgresql/values.yaml
@@ -0,0 +1,1601 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
+## @section Global parameters
+## Please, note that this will override the parameters, including dependencies, configured to use the global value
+##
+global:
+ ## @param global.imageRegistry Global Docker image registry
+ ##
+ imageRegistry: ""
+ ## @param global.imagePullSecrets Global Docker registry secret names as an array
+ ## e.g.
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: []
+ ## @param global.storageClass Global StorageClass for Persistent Volume(s)
+ ##
+ storageClass: ""
+ postgresql:
+ ## @param global.postgresql.auth.postgresPassword Password for the "postgres" admin user (overrides `auth.postgresPassword`)
+ ## @param global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
+ ## @param global.postgresql.auth.password Password for the custom user to create (overrides `auth.password`)
+ ## @param global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
+ ## @param global.postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`).
+ ## @param global.postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
+ ## @param global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
+ ## @param global.postgresql.auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
+ ##
+ auth:
+ postgresPassword: ""
+ username: ""
+ password: ""
+ database: ""
+ existingSecret: ""
+ secretKeys:
+ adminPasswordKey: ""
+ userPasswordKey: ""
+ replicationPasswordKey: ""
+ ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
+ ##
+ service:
+ ports:
+ postgresql: ""
+
+## @section Common parameters
+##
+
+## @param kubeVersion Override Kubernetes version
+##
+kubeVersion: ""
+## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
+##
+nameOverride: ""
+## @param fullnameOverride String to fully override common.names.fullname template
+##
+fullnameOverride: ""
+## @param clusterDomain Kubernetes Cluster Domain
+##
+clusterDomain: cluster.local
+## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template)
+##
+extraDeploy: []
+## @param commonLabels Add labels to all the deployed resources
+##
+commonLabels: {}
+## @param commonAnnotations Add annotations to all the deployed resources
+##
+commonAnnotations: {}
+## Enable diagnostic mode in the statefulset
+##
+diagnosticMode:
+ ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
+ ##
+ enabled: false
+ ## @param diagnosticMode.command Command to override all containers in the statefulset
+ ##
+ command:
+ - sleep
+ ## @param diagnosticMode.args Args to override all containers in the statefulset
+ ##
+ args:
+ - infinity
+
+## @section PostgreSQL common parameters
+##
+
+## Bitnami PostgreSQL image version
+## ref: https://hub.docker.com/r/bitnami/postgresql/tags/
+## @param image.registry PostgreSQL image registry
+## @param image.repository PostgreSQL image repository
+## @param image.tag PostgreSQL image tag (immutable tags are recommended)
+## @param image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+## @param image.pullPolicy PostgreSQL image pull policy
+## @param image.pullSecrets Specify image pull secrets
+## @param image.debug Specify if debug values should be set
+##
+image:
+ registry: docker.io
+ repository: bitnami/postgresql
+ tag: 15.4.0-debian-11-r45
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Set to true if you would like to see extra information on logs
+ ##
+ debug: false
+## Authentication parameters
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#setting-the-root-password-on-first-run
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-on-first-run
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-user-on-first-run
+##
+auth:
+ ## @param auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user
+ ##
+ enablePostgresUser: true
+ ## @param auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided
+ ##
+ postgresPassword: ""
+ ## @param auth.username Name for a custom user to create
+ ##
+ username: ""
+ ## @param auth.password Password for the custom user to create. Ignored if `auth.existingSecret` is provided
+ ##
+ password: ""
+ ## @param auth.database Name for a custom database to create
+ ##
+ database: ""
+ ## @param auth.replicationUsername Name of the replication user
+ ##
+ replicationUsername: repl_user
+ ## @param auth.replicationPassword Password for the replication user. Ignored if `auth.existingSecret` is provided
+ ##
+ replicationPassword: ""
+ ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case.
+ ##
+ existingSecret: ""
+ ## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
+ ## @param auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
+ ## @param auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
+ ##
+ secretKeys:
+ adminPasswordKey: postgres-password
+ userPasswordKey: password
+ replicationPasswordKey: replication-password
+ ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable
+ ##
+ usePasswordFiles: false
+## @param architecture PostgreSQL architecture (`standalone` or `replication`)
+##
+architecture: standalone
+## Replication configuration
+## Ignored if `architecture` is `standalone`
+##
+replication:
+ ## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off`
+ ## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`.
+ ## ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT
+ ##
+ synchronousCommit: "off"
+ numSynchronousReplicas: 0
+ ## @param replication.applicationName Cluster application name. Useful for advanced replication settings
+ ##
+ applicationName: my_application
+## @param containerPorts.postgresql PostgreSQL container port
+##
+containerPorts:
+ postgresql: 5432
+## Audit settings
+## https://github.com/bitnami/containers/tree/main/bitnami/postgresql#auditing
+## @param audit.logHostname Log client hostnames
+## @param audit.logConnections Add client log-in operations to the log file
+## @param audit.logDisconnections Add client log-outs operations to the log file
+## @param audit.pgAuditLog Add operations to log using the pgAudit extension
+## @param audit.pgAuditLogCatalog Log catalog using pgAudit
+## @param audit.clientMinMessages Message log level to share with the user
+## @param audit.logLinePrefix Template for log line prefix (default if not set)
+## @param audit.logTimezone Timezone for the log timestamps
+##
+audit:
+ logHostname: false
+ logConnections: false
+ logDisconnections: false
+ pgAuditLog: ""
+ pgAuditLogCatalog: "off"
+ clientMinMessages: error
+ logLinePrefix: ""
+ logTimezone: ""
+## LDAP configuration
+## @param ldap.enabled Enable LDAP support
+## DEPRECATED ldap.url It will removed in a future, please use 'ldap.uri' instead
+## @param ldap.server IP address or name of the LDAP server.
+## @param ldap.port Port number on the LDAP server to connect to
+## @param ldap.prefix String to prepend to the user name when forming the DN to bind
+## @param ldap.suffix String to append to the user name when forming the DN to bind
+## DEPRECATED ldap.baseDN It will removed in a future, please use 'ldap.basedn' instead
+## DEPRECATED ldap.bindDN It will removed in a future, please use 'ldap.binddn' instead
+## DEPRECATED ldap.bind_password It will removed in a future, please use 'ldap.bindpw' instead
+## @param ldap.basedn Root DN to begin the search for the user in
+## @param ldap.binddn DN of user to bind to LDAP
+## @param ldap.bindpw Password for the user to bind to LDAP
+## DEPRECATED ldap.search_attr It will removed in a future, please use 'ldap.searchAttribute' instead
+## DEPRECATED ldap.search_filter It will removed in a future, please use 'ldap.searchFilter' instead
+## @param ldap.searchAttribute Attribute to match against the user name in the search
+## @param ldap.searchFilter The search filter to use when doing search+bind authentication
+## @param ldap.scheme Set to `ldaps` to use LDAPS
+## DEPRECATED ldap.tls as string is deprecated,please use 'ldap.tls.enabled' instead
+## @param ldap.tls.enabled Se to true to enable TLS encryption
+##
+ldap:
+ enabled: false
+ server: ""
+ port: ""
+ prefix: ""
+ suffix: ""
+ basedn: ""
+ binddn: ""
+ bindpw: ""
+ searchAttribute: ""
+ searchFilter: ""
+ scheme: ""
+ tls:
+ enabled: false
+ ## @param ldap.uri LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored.
+ ## Ref: https://www.postgresql.org/docs/current/auth-ldap.html
+ ##
+ uri: ""
+## @param postgresqlDataDir PostgreSQL data dir folder
+##
+postgresqlDataDir: /bitnami/postgresql/data
+## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list)
+##
+postgresqlSharedPreloadLibraries: "pgaudit"
+## Start PostgreSQL pod(s) without limitations on shm memory.
+## By default docker and containerd (and possibly other container runtimes) limit `/dev/shm` to `64M`
+## ref: https://github.com/docker-library/postgres/issues/416
+## ref: https://github.com/containerd/containerd/issues/3654
+##
+shmVolume:
+ ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s)
+ ##
+ enabled: true
+ ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs
+ ## Note: the size of the tmpfs counts against container's memory limit
+ ## e.g:
+ ## sizeLimit: 1Gi
+ ##
+ sizeLimit: ""
+## TLS configuration
+##
+tls:
+ ## @param tls.enabled Enable TLS traffic support
+ ##
+ enabled: false
+ ## @param tls.autoGenerated Generate automatically self-signed TLS certificates
+ ##
+ autoGenerated: false
+ ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's
+ ##
+ preferServerCiphers: true
+ ## @param tls.certificatesSecret Name of an existing secret that contains the certificates
+ ##
+ certificatesSecret: ""
+ ## @param tls.certFilename Certificate filename
+ ##
+ certFilename: ""
+ ## @param tls.certKeyFilename Certificate key filename
+ ##
+ certKeyFilename: ""
+ ## @param tls.certCAFilename CA Certificate filename
+ ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate
+ ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html
+ ##
+ certCAFilename: ""
+ ## @param tls.crlFilename File containing a Certificate Revocation List
+ ##
+ crlFilename: ""
+
+## @section PostgreSQL Primary parameters
+##
+primary:
+ ## @param primary.name Name of the primary database (eg primary, master, leader, ...)
+ ##
+ name: primary
+ ## @param primary.configuration PostgreSQL Primary main configuration to be injected as ConfigMap
+ ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html
+ ##
+ configuration: ""
+ ## @param primary.pgHbaConfiguration PostgreSQL Primary client authentication configuration
+ ## ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
+ ## e.g:#
+ ## pgHbaConfiguration: |-
+ ## local all all trust
+ ## host all all localhost trust
+ ## host mydatabase mysuser 192.168.0.0/24 md5
+ ##
+ pgHbaConfiguration: ""
+ ## @param primary.existingConfigmap Name of an existing ConfigMap with PostgreSQL Primary configuration
+ ## NOTE: `primary.configuration` and `primary.pgHbaConfiguration` will be ignored
+ ##
+ existingConfigmap: ""
+ ## @param primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration)
+ ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
+ ##
+ extendedConfiguration: ""
+ ## @param primary.existingExtendedConfigmap Name of an existing ConfigMap with PostgreSQL Primary extended configuration
+ ## NOTE: `primary.extendedConfiguration` will be ignored
+ ##
+ existingExtendedConfigmap: ""
+ ## Initdb configuration
+ ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#specifying-initdb-arguments
+ ##
+ initdb:
+ ## @param primary.initdb.args PostgreSQL initdb extra arguments
+ ##
+ args: ""
+ ## @param primary.initdb.postgresqlWalDir Specify a custom location for the PostgreSQL transaction log
+ ##
+ postgresqlWalDir: ""
+ ## @param primary.initdb.scripts Dictionary of initdb scripts
+ ## Specify dictionary of scripts to be run at first boot
+ ## e.g:
+ ## scripts:
+ ## my_init_script.sh: |
+ ## #!/bin/sh
+ ## echo "Do something."
+ ##
+ scripts: {}
+ ## @param primary.initdb.scriptsConfigMap ConfigMap with scripts to be run at first boot
+ ## NOTE: This will override `primary.initdb.scripts`
+ ##
+ scriptsConfigMap: ""
+ ## @param primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information)
+ ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap`
+ ##
+ scriptsSecret: ""
+ ## @param primary.initdb.user Specify the PostgreSQL username to execute the initdb scripts
+ ##
+ user: ""
+ ## @param primary.initdb.password Specify the PostgreSQL password to execute the initdb scripts
+ ##
+ password: ""
+ ## Configure current cluster's primary server to be the standby server in other cluster.
+ ## This will allow cross cluster replication and provide cross cluster high availability.
+ ## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled.
+ ## @param primary.standby.enabled Whether to enable current cluster's primary as standby server of another cluster or not
+ ## @param primary.standby.primaryHost The Host of replication primary in the other cluster
+ ## @param primary.standby.primaryPort The Port of replication primary in the other cluster
+ ##
+ standby:
+ enabled: false
+ primaryHost: ""
+ primaryPort: ""
+ ## @param primary.extraEnvVars Array with extra environment variables to add to PostgreSQL Primary nodes
+ ## e.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ extraEnvVars: []
+ ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes
+ ##
+ extraEnvVarsCM: ""
+ ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL Primary nodes
+ ##
+ extraEnvVarsSecret: ""
+ ## @param primary.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param primary.args Override default container args (useful when using custom images)
+ ##
+ args: []
+ ## Configure extra options for PostgreSQL Primary containers' liveness, readiness and startup probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+ ## @param primary.livenessProbe.enabled Enable livenessProbe on PostgreSQL Primary containers
+ ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param primary.readinessProbe.enabled Enable readinessProbe on PostgreSQL Primary containers
+ ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param primary.startupProbe.enabled Enable startupProbe on PostgreSQL Primary containers
+ ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param primary.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 15
+ successThreshold: 1
+ ## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## @param primary.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param primary.lifecycleHooks for the PostgreSQL Primary container to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## PostgreSQL Primary resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers
+ ## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers
+ ## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers
+ ##
+ resources:
+ limits: {}
+ requests:
+ memory: 256Mi
+ cpu: 250m
+ ## Pod Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ ## @param primary.podSecurityContext.enabled Enable security context
+ ## @param primary.podSecurityContext.fsGroup Group ID for the pod
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ ## Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ ## @param primary.containerSecurityContext.enabled Enable container security context
+ ## @param primary.containerSecurityContext.runAsUser User ID for the container
+ ## @param primary.containerSecurityContext.runAsGroup Group ID for the container
+ ## @param primary.containerSecurityContext.runAsNonRoot Set runAsNonRoot for the container
+ ## @param primary.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation for the container
+ ## @param primary.containerSecurityContext.seccompProfile.type Set seccompProfile.type for the container
+ ## @param primary.containerSecurityContext.capabilities.drop Set capabilities.drop for the container
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ runAsGroup: 0
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ ## @param primary.hostAliases PostgreSQL primary pods host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param primary.hostNetwork Specify if host network should be enabled for PostgreSQL pod (postgresql primary)
+ ##
+ hostNetwork: false
+ ## @param primary.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary)
+ ##
+ hostIPC: false
+ ## @param primary.labels Map of labels to add to the statefulset (postgresql primary)
+ ##
+ labels: {}
+ ## @param primary.annotations Annotations for PostgreSQL primary pods
+ ##
+ annotations: {}
+ ## @param primary.podLabels Map of labels to add to the pods (postgresql primary)
+ ##
+ podLabels: {}
+ ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary)
+ ##
+ podAnnotations: {}
+ ## @param primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## PostgreSQL Primary node affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match Ignored if `primary.affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param primary.affinity Affinity for PostgreSQL primary pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
+ ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
+ ##
+ topologySpreadConstraints: []
+ ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary)
+ ##
+ priorityClassName: ""
+ ## @param primary.schedulerName Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param primary.terminationGracePeriodSeconds Seconds PostgreSQL primary pod needs to terminate gracefully
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+ ##
+ terminationGracePeriodSeconds: ""
+ ## @param primary.updateStrategy.type PostgreSQL Primary statefulset strategy type
+ ## @param primary.updateStrategy.rollingUpdate PostgreSQL Primary statefulset rolling update configuration parameters
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+ ##
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate: {}
+ ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s)
+ ##
+ extraVolumeMounts: []
+ ## @param primary.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s)
+ ##
+ extraVolumes: []
+ ## @param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s)
+ ## For example:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param primary.initContainers Add additional init containers to the PostgreSQL Primary pod(s)
+ ## Example
+ ##
+ ## initContainers:
+ ## - name: do-something
+ ## image: busybox
+ ## command: ['do', 'something']
+ ##
+ initContainers: []
+ ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s)
+ ##
+ extraPodSpec: {}
+ ## PostgreSQL Primary service configuration
+ ##
+ service:
+ ## @param primary.service.type Kubernetes Service type
+ ##
+ type: ClusterIP
+ ## @param primary.service.ports.postgresql PostgreSQL service port
+ ##
+ ports:
+ postgresql: 5432
+ ## Node ports to expose
+ ## NOTE: choose port between <30000-32767>
+ ## @param primary.service.nodePorts.postgresql Node port for PostgreSQL
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ nodePorts:
+ postgresql: ""
+ ## @param primary.service.clusterIP Static clusterIP or None for headless services
+ ## e.g:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param primary.service.annotations Annotations for PostgreSQL primary service
+ ##
+ annotations: {}
+ ## @param primary.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer`
+ ## Set the LoadBalancer service type to internal only
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ loadBalancerIP: ""
+ ## @param primary.service.externalTrafficPolicy Enable client source IP preservation
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ##
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service
+ ##
+ extraPorts: []
+ ## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
+ ## If "ClientIP", consecutive client requests will be directed to the same Pod
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ ##
+ sessionAffinity: None
+ ## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+ ## Headless service properties
+ ##
+ headless:
+ ## @param primary.service.headless.annotations Additional custom annotations for headless PostgreSQL primary service
+ ##
+ annotations: {}
+ ## PostgreSQL Primary persistence configuration
+ ##
+ persistence:
+ ## @param primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC
+ ##
+ enabled: true
+ ## @param primary.persistence.existingClaim Name of an existing PVC to use
+ ##
+ existingClaim: ""
+ ## @param primary.persistence.mountPath The path the volume will be mounted at
+ ## Note: useful when using custom PostgreSQL images
+ ##
+ mountPath: /bitnami/postgresql
+ ## @param primary.persistence.subPath The subdirectory of the volume to mount to
+ ## Useful in dev environments and one PV for multiple services
+ ##
+ subPath: ""
+ ## @param primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume
+ ## If defined, storageClassName: <storageClass>
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ storageClass: ""
+ ## @param primary.persistence.accessModes PVC Access Mode for PostgreSQL volume
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param primary.persistence.size PVC Storage Request for PostgreSQL volume
+ ##
+ size: 8Gi
+ ## @param primary.persistence.annotations Annotations for the PVC
+ ##
+ annotations: {}
+ ## @param primary.persistence.labels Labels for the PVC
+ ##
+ labels: {}
+ ## @param primary.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template)
+ ## selector:
+ ## matchLabels:
+ ## app: my-app
+ ##
+ selector: {}
+ ## @param primary.persistence.dataSource Custom PVC data source
+ ##
+ dataSource: {}
+ ## PostgreSQL Primary Persistent Volume Claim Retention Policy
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
+ ##
+ persistentVolumeClaimRetentionPolicy:
+ ## @param primary.persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for Primary Statefulset
+ ##
+ enabled: false
+ ## @param primary.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced
+ ##
+ whenScaled: Retain
+ ## @param primary.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
+ ##
+ whenDeleted: Retain
+
+## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
+##
+readReplicas:
+ ## @param readReplicas.name Name of the read replicas database (eg secondary, slave, ...)
+ ##
+ name: read
+ ## @param readReplicas.replicaCount Number of PostgreSQL read only replicas
+ ##
+ replicaCount: 1
+ ## @param readReplicas.extendedConfiguration Extended PostgreSQL read only replicas configuration (appended to main or default configuration)
+ ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
+ ##
+ extendedConfiguration: ""
+ ## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes
+ ## e.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ extraEnvVars: []
+ ## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes
+ ##
+ extraEnvVarsCM: ""
+ ## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes
+ ##
+ extraEnvVarsSecret: ""
+ ## @param readReplicas.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param readReplicas.args Override default container args (useful when using custom images)
+ ##
+ args: []
+ ## Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+ ## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers
+ ## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers
+ ## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers
+ ## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param readReplicas.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param readReplicas.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 15
+ successThreshold: 1
+ ## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## PostgreSQL read only resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers
+ ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers
+ ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers
+ ##
+ resources:
+ limits: {}
+ requests:
+ memory: 256Mi
+ cpu: 250m
+ ## Pod Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ ## @param readReplicas.podSecurityContext.enabled Enable security context
+ ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ ## Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ ## @param readReplicas.containerSecurityContext.enabled Enable container security context
+ ## @param readReplicas.containerSecurityContext.runAsUser User ID for the container
+ ## @param readReplicas.containerSecurityContext.runAsGroup Group ID for the container
+ ## @param readReplicas.containerSecurityContext.runAsNonRoot Set runAsNonRoot for the container
+ ## @param readReplicas.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation for the container
+ ## @param readReplicas.containerSecurityContext.seccompProfile.type Set seccompProfile.type for the container
+ ## @param readReplicas.containerSecurityContext.capabilities.drop Set capabilities.drop for the container
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ runAsGroup: 0
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param readReplicas.hostNetwork Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only)
+ ##
+ hostNetwork: false
+ ## @param readReplicas.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary)
+ ##
+ hostIPC: false
+ ## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only)
+ ##
+ labels: {}
+ ## @param readReplicas.annotations Annotations for PostgreSQL read only pods
+ ##
+ annotations: {}
+ ## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only)
+ ##
+ podLabels: {}
+ ## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only)
+ ##
+ podAnnotations: {}
+ ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## PostgreSQL read only node affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
+ ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
+ ##
+ topologySpreadConstraints: []
+ ## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only)
+ ##
+ priorityClassName: ""
+ ## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+ ##
+ terminationGracePeriodSeconds: ""
+ ## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type
+ ## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+ ##
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate: {}
+ ## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s)
+ ##
+ extraVolumeMounts: []
+ ## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s)
+ ##
+ extraVolumes: []
+ ## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s)
+ ## For example:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s)
+ ## Example
+ ##
+ ## initContainers:
+ ## - name: do-something
+ ## image: busybox
+ ## command: ['do', 'something']
+ ##
+ initContainers: []
+ ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s)
+ ##
+ extraPodSpec: {}
+ ## PostgreSQL read only service configuration
+ ##
+ service:
+ ## @param readReplicas.service.type Kubernetes Service type
+ ##
+ type: ClusterIP
+ ## @param readReplicas.service.ports.postgresql PostgreSQL service port
+ ##
+ ports:
+ postgresql: 5432
+ ## Node ports to expose
+ ## NOTE: choose port between <30000-32767>
+ ## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ nodePorts:
+ postgresql: ""
+ ## @param readReplicas.service.clusterIP Static clusterIP or None for headless services
+ ## e.g:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param readReplicas.service.annotations Annotations for PostgreSQL read only service
+ ##
+ annotations: {}
+ ## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer`
+ ## Set the LoadBalancer service type to internal only
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ loadBalancerIP: ""
+ ## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ##
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service
+ ##
+ extraPorts: []
+ ## @param readReplicas.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
+ ## If "ClientIP", consecutive client requests will be directed to the same Pod
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ ##
+ sessionAffinity: None
+ ## @param readReplicas.service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+ ## Headless service properties
+ ##
+ headless:
+ ## @param readReplicas.service.headless.annotations Additional custom annotations for headless PostgreSQL read only service
+ ##
+ annotations: {}
+ ## PostgreSQL read only persistence configuration
+ ##
+ persistence:
+ ## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC
+ ##
+ enabled: true
+ ## @param readReplicas.persistence.existingClaim Name of an existing PVC to use
+ ##
+ existingClaim: ""
+ ## @param readReplicas.persistence.mountPath The path the volume will be mounted at
+ ## Note: useful when using custom PostgreSQL images
+ ##
+ mountPath: /bitnami/postgresql
+ ## @param readReplicas.persistence.subPath The subdirectory of the volume to mount to
+ ## Useful in dev environments and one PV for multiple services
+ ##
+ subPath: ""
+ ## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume
+ ## If defined, storageClassName: <storageClass>
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ storageClass: ""
+ ## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume
+ ##
+ size: 8Gi
+ ## @param readReplicas.persistence.annotations Annotations for the PVC
+ ##
+ annotations: {}
+ ## @param readReplicas.persistence.labels Labels for the PVC
+ ##
+ labels: {}
+ ## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template)
+ ## selector:
+ ## matchLabels:
+ ## app: my-app
+ ##
+ selector: {}
+ ## @param readReplicas.persistence.dataSource Custom PVC data source
+ ##
+ dataSource: {}
+ ## PostgreSQL Read only Persistent Volume Claim Retention Policy
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
+ ##
+ persistentVolumeClaimRetentionPolicy:
+ ## @param readReplicas.persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for read only Statefulset
+ ##
+ enabled: false
+ ## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced
+ ##
+ whenScaled: Retain
+ ## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
+ ##
+ whenDeleted: Retain
+
+
+## @section Backup parameters
+## This section implements a trivial logical dump cronjob of the database.
+## This only comes with the consistency guarantees of the dump program.
+## This is not a snapshot based roll forward/backward recovery backup.
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
+backup:
+ ## @param backup.enabled Enable the logical dump of the database "regularly"
+ enabled: false
+ cronjob:
+ ## @param backup.cronjob.schedule Set the cronjob parameter schedule
+ schedule: "@daily"
+ ## @param backup.cronjob.concurrencyPolicy Set the cronjob parameter concurrencyPolicy
+ concurrencyPolicy: Allow
+ ## @param backup.cronjob.failedJobsHistoryLimit Set the cronjob parameter failedJobsHistoryLimit
+ failedJobsHistoryLimit: 1
+ ## @param backup.cronjob.successfulJobsHistoryLimit Set the cronjob parameter successfulJobsHistoryLimit
+ successfulJobsHistoryLimit: 3
+ ## @param backup.cronjob.startingDeadlineSeconds Set the cronjob parameter startingDeadlineSeconds
+ startingDeadlineSeconds: ""
+ ## @param backup.cronjob.ttlSecondsAfterFinished Set the cronjob parameter ttlSecondsAfterFinished
+ ttlSecondsAfterFinished: ""
+ ## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy
+ restartPolicy: OnFailure
+ ## @param backup.cronjob.podSecurityContext.enabled Enable PodSecurityContext for CronJob/Backup
+ ## @param backup.cronjob.podSecurityContext.fsGroup Group ID for the CronJob
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ ## backup container's Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param backup.cronjob.containerSecurityContext.runAsUser User ID for the backup container
+ ## @param backup.cronjob.containerSecurityContext.runAsGroup Group ID for the backup container
+ ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set backup container's Security Context runAsNonRoot
+ ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Is the container itself readonly
+ ## @param backup.cronjob.containerSecurityContext.allowPrivilegeEscalation Is it possible to escalate backup pod(s) privileges
+ ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set backup container's Security Context seccompProfile type
+ ## @param backup.cronjob.containerSecurityContext.capabilities.drop Set backup container's Security Context capabilities to drop
+ containerSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 0
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ ## @param backup.cronjob.command Set backup container's command to run
+ command:
+ - /bin/sh
+ - -c
+ - "pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"
+
+ ## @param backup.cronjob.labels Set the cronjob labels
+ labels: {}
+ ## @param backup.cronjob.annotations Set the cronjob annotations
+ annotations: {}
+ ## @param backup.cronjob.nodeSelector Node labels for PostgreSQL backup CronJob pod assignment
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ storage:
+ ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`)
+ ## If defined, PVC must be created manually before volume will be bound
+ ##
+ existingClaim: ""
+ ## @param backup.cronjob.storage.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted
+ ##
+ resourcePolicy: ""
+ ## @param backup.cronjob.storage.storageClass PVC Storage Class for the backup data volume
+ ## If defined, storageClassName: <storageClass>
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner.
+ ##
+ storageClass: ""
+ ## @param backup.cronjob.storage.accessModes PV Access Mode
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param backup.cronjob.storage.size PVC Storage Request for the backup data volume
+ ##
+ size: 8Gi
+ ## @param backup.cronjob.storage.annotations PVC annotations
+ ##
+ annotations: {}
+ ## @param backup.cronjob.storage.mountPath Path to mount the volume at
+ ##
+ mountPath: /backup/pgdump
+ ## @param backup.cronjob.storage.subPath Subdirectory of the volume to mount at
+ ## and one PV for multiple services.
+ ##
+ subPath: ""
+ ## Fine tuning for volumeClaimTemplates
+ ##
+ volumeClaimTemplates:
+ ## @param backup.cronjob.storage.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes)
+ ## A label query over volumes to consider for binding (e.g. when using local volumes)
+ ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details
+ ##
+ selector: {}
+
+## @section NetworkPolicy parameters
+##
+
+## Add networkpolicies
+##
+networkPolicy:
+ ## @param networkPolicy.enabled Enable network policies
+ ##
+ enabled: false
+ ## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus)
+ ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace.
+ ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods.
+ ##
+ metrics:
+ enabled: false
+ ## e.g:
+ ## namespaceSelector:
+ ## label: monitoring
+ ##
+ namespaceSelector: {}
+ ## e.g:
+ ## podSelector:
+ ## label: monitoring
+ ##
+ podSelector: {}
+ ## Ingress Rules
+ ##
+ ingressRules:
+ ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin.
+ ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s).
+ ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s).
+ ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules Custom network policy for the PostgreSQL primary node.
+ ##
+ primaryAccessOnlyFrom:
+ enabled: false
+ ## e.g:
+ ## namespaceSelector:
+ ## label: ingress
+ ##
+ namespaceSelector: {}
+ ## e.g:
+ ## podSelector:
+ ## label: access
+ ##
+ podSelector: {}
+ ## custom ingress rules
+ ## e.g:
+ ## customRules:
+ ## - from:
+ ## - namespaceSelector:
+ ## matchLabels:
+ ## label: example
+ ##
+ customRules: []
+ ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin.
+ ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s).
+ ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s).
+ ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules Custom network policy for the PostgreSQL read-only nodes.
+ ##
+ readReplicasAccessOnlyFrom:
+ enabled: false
+ ## e.g:
+ ## namespaceSelector:
+ ## label: ingress
+ ##
+ namespaceSelector: {}
+ ## e.g:
+ ## podSelector:
+ ## label: access
+ ##
+ podSelector: {}
+ ## custom ingress rules
+ ## e.g:
+ ## CustomRules:
+ ## - from:
+ ## - namespaceSelector:
+ ## matchLabels:
+ ## label: example
+ ##
+ customRules: []
+ ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53).
+ ## @param networkPolicy.egressRules.customRules Custom network policy rule
+ ##
+ egressRules:
+ # Deny connections to external. This is not compatible with an external database.
+ denyConnectionsToExternal: false
+ ## Additional custom egress rules
+ ## e.g:
+ ## customRules:
+ ## - to:
+ ## - namespaceSelector:
+ ## matchLabels:
+ ## label: example
+ ##
+ customRules: []
+
+## @section Volume Permissions parameters
+##
+
+## Init containers parameters:
+## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
+##
+volumePermissions:
+ ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
+ ##
+ enabled: false
+ ## @param volumePermissions.image.registry Init container volume-permissions image registry
+ ## @param volumePermissions.image.repository Init container volume-permissions image repository
+ ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
+ ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
+ ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/os-shell
+ tag: 11-debian-11-r77
+ digest: ""
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Init container resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param volumePermissions.resources.limits Init container volume-permissions resource limits
+ ## @param volumePermissions.resources.requests Init container volume-permissions resource requests
+ ##
+ resources:
+ limits: {}
+ requests: {}
+ ## Init container' Security Context
+ ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
+ ## and not the below volumePermissions.containerSecurityContext.runAsUser
+ ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
+ ## @param volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container
+ ## @param volumePermissions.containerSecurityContext.runAsNonRoot runAsNonRoot for the init container
+ ## @param volumePermissions.containerSecurityContext.seccompProfile.type seccompProfile.type for the init container
+ ##
+ containerSecurityContext:
+ runAsUser: 0
+ runAsGroup: 0
+ runAsNonRoot: false
+ seccompProfile:
+ type: RuntimeDefault
+## @section Other Parameters
+##
+
+## @param serviceBindings.enabled Create secret for service binding (Experimental)
+## Ref: https://servicebinding.io/service-provider/
+##
+serviceBindings:
+ enabled: false
+
+## Service account for PostgreSQL to use.
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+##
+serviceAccount:
+ ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod
+ ##
+ create: false
+ ## @param serviceAccount.name The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the common.names.fullname template
+ ##
+ name: ""
+ ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
+ ## Can be set to false if pods using this serviceAccount do not need to use K8s API
+ ##
+ automountServiceAccountToken: true
+ ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
+ ##
+ annotations: {}
+## Creates role for ServiceAccount
+## @param rbac.create Create Role and RoleBinding (required for PSP to work)
+##
+rbac:
+ create: false
+ ## @param rbac.rules Custom RBAC rules to set
+ ## e.g:
+ ## rules:
+ ## - apiGroups:
+ ## - ""
+ ## resources:
+ ## - pods
+ ## verbs:
+ ## - get
+ ## - list
+ ##
+ rules: []
+## Pod Security Policy
+## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later
+##
+psp:
+ create: false
+
+## @section Metrics Parameters
+##
+
+metrics:
+ ## @param metrics.enabled Start a prometheus exporter
+ ##
+ enabled: false
+ ## @param metrics.image.registry PostgreSQL Prometheus Exporter image registry
+ ## @param metrics.image.repository PostgreSQL Prometheus Exporter image repository
+ ## @param metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended)
+ ## @param metrics.image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy
+ ## @param metrics.image.pullSecrets Specify image pull secrets
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/postgres-exporter
+ tag: 0.14.0-debian-11-r2
+ digest: ""
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## @param metrics.customMetrics Define additional custom metrics
+ ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file
+ ## customMetrics:
+ ## pg_database:
+ ## query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')"
+ ## metrics:
+ ## - name:
+ ## usage: "LABEL"
+ ## description: "Name of the database"
+ ## - size_bytes:
+ ## usage: "GAUGE"
+ ## description: "Size of the database in bytes"
+ ##
+ customMetrics: {}
+ ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter
+ ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables
+ ## For example:
+ ## extraEnvVars:
+ ## - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS
+ ## value: "true"
+ ##
+ extraEnvVars: []
+ ## PostgreSQL Prometheus exporter containers' Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param metrics.containerSecurityContext.enabled Enable PostgreSQL Prometheus exporter containers' Security Context
+ ## @param metrics.containerSecurityContext.runAsUser Set PostgreSQL Prometheus exporter containers' Security Context runAsUser
+ ## @param metrics.containerSecurityContext.runAsGroup Set PostgreSQL Prometheus exporter containers' Security Context runAsGroup
+ ## @param metrics.containerSecurityContext.runAsNonRoot Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot
+ ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set PostgreSQL Prometheus exporter containers' Security Context allowPrivilegeEscalation
+ ## @param metrics.containerSecurityContext.seccompProfile.type Set PostgreSQL Prometheus exporter containers' Security Context seccompProfile.type
+ ## @param metrics.containerSecurityContext.capabilities.drop Set PostgreSQL Prometheus exporter containers' Security Context capabilities.drop
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ runAsGroup: 0
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+ ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers
+ ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers
+ ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers
+ ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 15
+ successThreshold: 1
+ ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port
+ ##
+ containerPorts:
+ metrics: 9187
+ ## PostgreSQL Prometheus exporter resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container
+ ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container
+ ##
+ resources:
+ limits: {}
+ requests: {}
+ ## Service configuration
+ ##
+ service:
+ ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port
+ ##
+ ports:
+ metrics: 9187
+ ## @param metrics.service.clusterIP Static clusterIP or None for headless services
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+ ##
+ clusterIP: ""
+ ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
+ ## Values: ClientIP or None
+ ## ref: https://kubernetes.io/docs/user-guide/services/
+ ##
+ sessionAffinity: None
+ ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint
+ ##
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}"
+ ## Prometheus Operator ServiceMonitor configuration
+ ##
+ serviceMonitor:
+ ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator
+ ##
+ enabled: false
+ ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace)
+ ##
+ namespace: ""
+ ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ interval: ""
+ ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ scrapeTimeout: ""
+ ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
+ ##
+ labels: {}
+ ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
+ ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
+ ##
+ selector: {}
+ ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
+ ##
+ relabelings: []
+ ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
+ ##
+ metricRelabelings: []
+ ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
+ ##
+ honorLabels: false
+ ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+ ##
+ jobLabel: ""
+ ## Custom PrometheusRule to be defined
+ ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
+ ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
+ ##
+ prometheusRule:
+ ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator
+ ##
+ enabled: false
+ ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
+ ##
+ namespace: ""
+ ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
+ ##
+ labels: {}
+ ## @param metrics.prometheusRule.rules PrometheusRule definitions
+ ## Make sure to constraint the rules to the current postgresql service.
+ ## rules:
+ ## - alert: HugeReplicationLag
+ ## expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1
+ ## for: 1m
+ ## labels:
+ ## severity: critical
+ ## annotations:
+ ## description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
+ ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).
+ ##
+ rules: []
diff --git a/charts/openproject/templates/NOTES.txt b/charts/openproject/templates/NOTES.txt
new file mode 100644
index 0000000..bae4286
--- /dev/null
+++ b/charts/openproject/templates/NOTES.txt
@@ -0,0 +1,11 @@
+Thank you for installing OpenProject 🎉
+
+{{- if .Values.ingress.enabled }}
+You can access it via http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.host }}{{ .Values.ingress.path }}
+{{- end }}
+
+Summary:
+--------
+OpenProject: {{ .Values.image.tag }}
+PostgreSQL: {{ if .Values.postgresql.bundled }}{{ .Values.postgresql.image.tag }}{{ else }}external{{ end }}
+Memcached: {{ if .Values.memcached.bundled }}{{ .Values.memcached.image.tag }}{{ else }}external{{ end }}
diff --git a/charts/openproject/templates/_helpers.tpl b/charts/openproject/templates/_helpers.tpl
new file mode 100644
index 0000000..0a6e284
--- /dev/null
+++ b/charts/openproject/templates/_helpers.tpl
@@ -0,0 +1,152 @@
+{{/*
+Returns the OpenProject image to be used including the respective registry and image tag.
+*/}}
+{{- define "openproject.image" -}}
+{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}
+{{- end -}}
+
+{{/*
+Returns the OpenProject image pull secrets, if any are defined
+*/}}
+{{- define "openproject.imagePullSecrets" -}}
+{{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range (coalesce .Values.imagePullSecrets .Values.global.imagePullSecrets) }}
+ - name: "{{ . }}"
+ {{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Yields the configured container security context if enabled.
+
+Allows writing to the container file system in development mode
+This way the OpenProject container works without mounted tmp volumes
+which may not work correctly in local development clusters.
+*/}}
+{{- define "openproject.containerSecurityContext" }}
+{{- if .Values.containerSecurityContext.enabled }}
+securityContext:
+ {{-
+ mergeOverwrite
+ (omit .Values.containerSecurityContext "enabled" | deepCopy)
+ (dict "readOnlyRootFilesystem" (and
+ (not .Values.develop)
+ (get .Values.containerSecurityContext "readOnlyRootFilesystem")
+ ))
+ | toYaml
+ | nindent 2
+ }}
+{{- end }}
+{{- end }}
+
+{{/* Yields the configured pod security context if enabled. */}}
+{{- define "openproject.podSecurityContext" }}
+{{- if .Values.podSecurityContext.enabled }}
+securityContext:
+ {{ omit .Values.podSecurityContext "enabled" | toYaml | nindent 2 | trim }}
+{{- end }}
+{{- end }}
+
+
+{{- define "openproject.useTmpVolumes" -}}
+{{- if ne .Values.openproject.useTmpVolumes nil -}}
+ {{- .Values.openproject.useTmpVolumes -}}
+{{- else -}}
+ {{- (not .Values.develop) -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "openproject.tmpVolumeMounts" -}}
+{{- if eq (include "openproject.useTmpVolumes" .) "true" }}
+- mountPath: /tmp
+ name: tmp
+- mountPath: /app/tmp
+ name: app-tmp
+{{- end }}
+{{- end -}}
+
+{{- define "openproject.tmpVolumeSpec" -}}
+{{- if eq (include "openproject.useTmpVolumes" .) "true" }}
+- name: tmp
+ # we can't use emptyDir due to the sticky bit issue
+ # see: https://github.com/kubernetes/kubernetes/issues/110835
+ ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: {{ .Values.openproject.tmpVolumesStorage }}
+- name: app-tmp
+ # we can't use emptyDir due to the sticky bit / world writable issue
+ # see: https://github.com/kubernetes/kubernetes/issues/110835
+ ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: {{ .Values.openproject.tmpVolumesStorage }}
+{{- end }}
+{{- end -}}
+
+{{- define "openproject.envFrom" -}}
+- secretRef:
+ name: {{ include "common.names.fullname" . }}-core
+{{- if .Values.openproject.oidc.enabled }}
+- secretRef:
+ name: {{ include "common.names.fullname" . }}-oidc
+{{- end }}
+{{- if .Values.s3.enabled }}
+- secretRef:
+ name: {{ include "common.names.fullname" . }}-s3
+{{- end }}
+{{- if eq .Values.openproject.cache.store "memcache" }}
+- secretRef:
+ name: {{ include "common.names.fullname" . }}-memcached
+{{- end }}
+{{- if .Values.environment }}
+- secretRef:
+ name: {{ include "common.names.fullname" . }}-environment
+{{- end }}
+{{- if .Values.openproject.extraEnvVarsSecret }}
+- secretRef:
+ name: {{ .Values.openproject.extraEnvVarsSecret }}
+{{- end }}
+{{- if .Values.openproject.oidc.extraOidcSealedSecret }}
+- secretRef:
+ name: {{ .Values.openproject.oidc.extraOidcSealedSecret }}
+{{- end }}
+{{- end }}
+
+{{- define "openproject.env" -}}
+{{- if .Values.egress.tls.rootCA.fileName }}
+- name: SSL_CERT_FILE
+ value: "/etc/ssl/certs/custom-ca.pem"
+{{- end }}
+{{- if .Values.postgresql.auth.existingSecret }}
+- name: OPENPROJECT_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.postgresql.auth.existingSecret }}
+ key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey }}
+{{- else if .Values.postgresql.auth.password }}
+- name: OPENPROJECT_DB_PASSWORD
+ value: {{ .Values.postgresql.auth.password }}
+{{- else }}
+- name: OPENPROJECT_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.names.dependency.fullname" (dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" $) }}
+ key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey }}
+{{- end }}
+{{- end }}
+
+{{- define "openproject.envChecksums" }}
+# annotate pods with env value checksums so changes trigger re-deployments
+{{/* If I knew how to map and reduce a range in helm I would do that and use a single checksum. But here we are. */}}
+{{- range $suffix := list "core" "memcached" "oidc" "s3" "environment" }}
+checksum/env-{{ $suffix }}: {{ include (print $.Template.BasePath "/secret_" $suffix ".yaml") $ | sha256sum }}
+{{- end }}
+{{- end }}
diff --git a/charts/openproject/templates/ingress.yaml b/charts/openproject/templates/ingress.yaml
new file mode 100644
index 0000000..6695da0
--- /dev/null
+++ b/charts/openproject/templates/ingress.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.ingress.enabled -}}
+---
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.ingress.ingressClassName }}
+ ingressClassName: {{ .Values.ingress.ingressClassName }}
+ {{- end }}
+ {{- if .Values.ingress.tls.enabled }}
+ tls:
+ - hosts:
+ - {{ .Values.ingress.host | quote }}
+ secretName: "{{ .Values.ingress.tls.secretName }}"
+ {{- end }}
+ rules:
+ - host: {{ .Values.ingress.host | quote }}
+ http:
+ paths:
+ - path: {{ .Values.ingress.path }}
+ {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
+ pathType: {{ .Values.ingress.pathType }}
+ {{- end }}
+ backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }}
+...
+{{- end }}
diff --git a/charts/openproject/templates/persistentvolumeclaim.yaml b/charts/openproject/templates/persistentvolumeclaim.yaml
new file mode 100644
index 0000000..8350d20
--- /dev/null
+++ b/charts/openproject/templates/persistentvolumeclaim.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.persistence.enabled }}
+{{- if not .Values.persistence.existingClaim }}
+---
+apiVersion: "v1"
+kind: "PersistentVolumeClaim"
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+ {{- with .Values.persistence.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ accessModes: {{ .Values.persistence.accessModes }}
+ {{- if .Values.persistence.storageClassName }}
+ storageClassName: {{ .Values.persistence.storageClassName }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+...
+{{- end }}
+{{- end }}
diff --git a/charts/openproject/templates/secret_core.yaml b/charts/openproject/templates/secret_core.yaml
new file mode 100644
index 0000000..d9eb32a
--- /dev/null
+++ b/charts/openproject/templates/secret_core.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: "v1"
+kind: "Secret"
+metadata:
+ name: "{{ include "common.names.fullname" . }}-core"
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+stringData:
+ {{- if .Values.postgresql.bundled }}
+ DATABASE_HOST: {{ printf "%s-postgresql.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain | quote }}
+ DATABASE_PORT: "{{ .Values.postgresql.primary.service.ports.postgresql }}"
+ DATABASE_URL: "postgresql://{{ .Values.postgresql.auth.username }}@{{ include "common.names.dependency.fullname" (dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" $) }}:{{ .Values.postgresql.primary.service.ports.postgresql }}/{{ .Values.postgresql.auth.database }}"
+ {{- else }}
+ DATABASE_HOST: "{{ .Values.postgresql.connection.host }}"
+ DATABASE_PORT: "{{ .Values.postgresql.connection.port }}"
+ DATABASE_URL: "postgresql://{{ .Values.postgresql.auth.username }}@{{ .Values.postgresql.connection.host }}:{{ .Values.postgresql.connection.port }}/{{ .Values.postgresql.auth.database }}"
+ {{- end }}
+ OPENPROJECT_SEED_ADMIN_USER_PASSWORD: {{ .Values.openproject.admin_user.password | quote }}
+ OPENPROJECT_SEED_ADMIN_USER_PASSWORD_RESET: {{ .Values.openproject.admin_user.password_reset | quote }}
+ OPENPROJECT_SEED_ADMIN_USER_NAME: {{ .Values.openproject.admin_user.name | quote }}
+ OPENPROJECT_SEED_ADMIN_USER_MAIL: {{ .Values.openproject.admin_user.mail | quote }}
+ OPENPROJECT_HTTPS: {{ (.Values.develop | ternary "false" .Values.openproject.https) | quote }}
+ OPENPROJECT_SEED_LOCALE: {{ .Values.openproject.seed_locale | quote }}
+ {{- if .Values.ingress.enabled }}
+ OPENPROJECT_HOST__NAME: {{ .Values.openproject.host | default .Values.ingress.host | quote }}
+ {{- end }}
+ OPENPROJECT_HSTS: {{ .Values.openproject.hsts | quote }}
+ OPENPROJECT_RAILS__CACHE__STORE: {{ .Values.openproject.cache.store | quote }}
+ OPENPROJECT_RAILS__RELATIVE__URL__ROOT: {{ .Values.openproject.railsRelativeUrlRoot | default "" | quote }}
+ POSTGRES_STATEMENT_TIMEOUT: {{ .Values.openproject.postgresStatementTimeout | quote }}
+...
diff --git a/charts/openproject/templates/secret_environment.yaml b/charts/openproject/templates/secret_environment.yaml
new file mode 100644
index 0000000..ab08a67
--- /dev/null
+++ b/charts/openproject/templates/secret_environment.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.environment }}
+---
+apiVersion: "v1"
+kind: "Secret"
+metadata:
+ name: "{{ include "common.names.fullname" . }}-environment"
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+stringData:
+ # Additional environment variables
+ {{- range $key, $value := .Values.environment }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+...
+{{- end }}
diff --git a/charts/openproject/templates/secret_memcached.yaml b/charts/openproject/templates/secret_memcached.yaml
new file mode 100644
index 0000000..a6a7dc6
--- /dev/null
+++ b/charts/openproject/templates/secret_memcached.yaml
@@ -0,0 +1,16 @@
+{{- if eq .Values.openproject.cache.store "memcache" }}
+---
+apiVersion: "v1"
+kind: "Secret"
+metadata:
+ name: "{{ include "common.names.fullname" . }}-memcached"
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+stringData:
+ {{- if .Values.memcached.bundled }}
+ OPENPROJECT_CACHE__MEMCACHE__SERVER: "{{ .Release.Name }}-memcached:11211"
+ {{- else }}
+ OPENPROJECT_CACHE__MEMCACHE__SERVER: "{{ .Values.memcached.connection.host }}:{{.Values.memcached.connection.port }}"
+ {{- end }}
+...
+{{- end }}
diff --git a/charts/openproject/templates/secret_oidc.yaml b/charts/openproject/templates/secret_oidc.yaml
new file mode 100644
index 0000000..03a16a8
--- /dev/null
+++ b/charts/openproject/templates/secret_oidc.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.openproject.oidc.enabled }}
+---
+apiVersion: "v1"
+kind: "Secret"
+metadata:
+ name: "{{ include "common.names.fullname" . }}-oidc"
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+stringData:
+ # OpenID Connect settings
+ {{ $oidc_prefix := printf "OPENPROJECT_OPENID__CONNECT_%s" (upper .Values.openproject.oidc.provider) }}
+ {{ $oidc_prefix }}_DISPLAY__NAME: {{ .Values.openproject.oidc.displayName | quote }}
+ {{ $oidc_prefix }}_HOST: {{ .Values.openproject.oidc.host | quote }}
+ {{/* Fall back to '_' as secret name if the name is not given. This way `lookup` will return null (since secrets with this name will and cannot exist) which it doesn't with an empty string. */}}
+ {{ $secret := (lookup "v1" "Secret" .Release.Namespace (default "_" .Values.openproject.oidc.existingSecret)) | default (dict "data" dict) -}}
+ {{ $oidc_prefix }}_IDENTIFIER: {{
+ default .Values.openproject.oidc.identifier (get $secret.data .Values.openproject.oidc.secretKeys.identifier | b64dec) | quote
+ }}
+ {{ $oidc_prefix }}_SECRET: {{
+ default .Values.openproject.oidc.secret (get $secret.data .Values.openproject.oidc.secretKeys.secret | b64dec) | quote
+ }}
+ {{ $oidc_prefix }}_AUTHORIZATION__ENDPOINT: {{ .Values.openproject.oidc.authorizationEndpoint | quote }}
+ {{ $oidc_prefix }}_TOKEN__ENDPOINT: {{ .Values.openproject.oidc.tokenEndpoint | quote }}
+ {{ $oidc_prefix }}_USERINFO__ENDPOINT: {{ .Values.openproject.oidc.userinfoEndpoint | quote }}
+ {{ $oidc_prefix }}_END__SESSION__ENDPOINT: {{ .Values.openproject.oidc.endSessionEndpoint | quote }}
+ {{ $oidc_prefix }}_SCOPE: {{ .Values.openproject.oidc.scope | quote }}
+ {{- range $key, $value := .Values.openproject.oidc.attribute_map }}
+ {{ $mapping_key := printf "%s_ATTRIBUTE__MAP_%s" $oidc_prefix (upper $key) }}
+ {{ $mapping_key }}: {{ $value | quote }}
+ {{- end }}
+...
+{{- end }}
diff --git a/charts/openproject/templates/secret_s3.yaml b/charts/openproject/templates/secret_s3.yaml
new file mode 100644
index 0000000..354b01e
--- /dev/null
+++ b/charts/openproject/templates/secret_s3.yaml
@@ -0,0 +1,38 @@
+{{- if .Values.s3.enabled }}
+---
+apiVersion: "v1"
+kind: "Secret"
+metadata:
+ name: "{{ include "common.names.fullname" . }}-s3"
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+stringData:
+ OPENPROJECT_ATTACHMENTS__STORAGE: fog
+ OPENPROJECT_FOG_CREDENTIALS_PROVIDER: AWS
+ {{/* Fall back to '_' as secret name if the name is not given. This way `lookup` will return null (since secrets with this name will and cannot exist) which it doesn't with an empty string. */}}
+ {{ $secret := (lookup "v1" "Secret" .Release.Namespace (default "_" .Values.s3.auth.existingSecret)) | default (dict "data" dict) -}}
+ OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: {{
+ default .Values.s3.auth.accessKeyId (get $secret.data .Values.s3.auth.secretKeys.accessKeyId | b64dec) | quote
+ }}
+ OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{
+ default .Values.s3.auth.secretAccessKey (get $secret.data .Values.s3.auth.secretKeys.secretAccessKey | b64dec) | quote
+ }}
+ {{ if .Values.s3.endpoint -}}
+ OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: {{ .Values.s3.endpoint }}
+ {{- end }}
+ {{ if .Values.s3.host -}}
+ OPENPROJECT_FOG_CREDENTIALS_HOST: {{ .Values.s3.host }}
+ {{- end }}
+ {{ if .Values.s3.port -}}
+ OPENPROJECT_FOG_CREDENTIALS_PORT: "{{ .Values.s3.port }}"
+ {{- end }}
+ OPENPROJECT_FOG_DIRECTORY: {{ .Values.s3.bucketName }}
+ OPENPROJECT_FOG_CREDENTIALS_REGION: {{ .Values.s3.region }}
+ OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "{{ .Values.s3.pathStyle }}"
+ OPENPROJECT_FOG_CREDENTIALS_AWS__SIGNATURE__VERSION: "{{ .Values.s3.signatureVersion }}"
+ # remove use_iam_profile fallback after some point
+ OPENPROJECT_FOG_CREDENTIALS_USE__IAM__PROFILE: {{ if or .Values.s3.use_iam_profile .Values.s3.useIamProfile }}"true"{{else}}"false"{{end}}
+ OPENPROJECT_FOG_CREDENTIALS_ENABLE__SIGNATURE__V4__STREAMING: {{ if .Values.s3.enableSignatureV4Streaming }}"true"{{else}}"false"{{end}}
+ OPENPROJECT_DIRECT__UPLOADS: {{ if .Values.s3.directUploads }}"true"{{else}}"false"{{end}}
+...
+{{- end }}
diff --git a/charts/openproject/templates/seeder-job.yaml b/charts/openproject/templates/seeder-job.yaml
new file mode 100644
index 0000000..84c0bc7
--- /dev/null
+++ b/charts/openproject/templates/seeder-job.yaml
@@ -0,0 +1,70 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "common.names.fullname" . }}-seeder-{{ now | date "20060102150405" }}
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+ {{- with .Values.seederJob.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ttlSecondsAfterFinished: 6000
+ template:
+ metadata:
+ labels:
+ {{- include "common.labels.standard" . | nindent 8 }}
+ openproject/process: seeder
+ {{- with .Values.seederJob.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include "openproject.imagePullSecrets" . | indent 6 }}
+ {{- include "openproject.podSecurityContext" . | indent 6 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{ toYaml . | nindent 8 | trim }}
+ {{- end }}
+ volumes:
+ {{- include "openproject.tmpVolumeSpec" . | indent 8 }}
+ {{- if .Values.persistence.enabled }}
+ - name: "data"
+ persistentVolumeClaim:
+ claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ include "common.names.fullname" . }}{{- end }}
+ {{- end }}
+ initContainers:
+ - name: check-db-ready
+ image: "{{ .Values.initdb.image.registry }}/{{ .Values.initdb.image.repository }}:{{ .Values.initdb.image.tag }}"
+ imagePullPolicy: {{ .Values.initdb.image.imagePullPolicy }}
+ command: [
+ 'sh',
+ '-c',
+ 'until pg_isready -h $DATABASE_HOST -p $DATABASE_PORT -U {{ .Values.postgresql.auth.username }}; do echo "waiting for database $DATABASE_HOST:$DATABASE_PORT"; sleep 2; done;'
+ ]
+ envFrom:
+ {{- include "openproject.envFrom" . | nindent 12 }}
+ env:
+ {{- include "openproject.env" . | nindent 12 }}
+ resources:
+ {{- toYaml .Values.initdb.resources | nindent 12 }}
+ {{- include "openproject.containerSecurityContext" . | indent 10 }}
+ containers:
+ - name: seeder
+ image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}{{ if .Values.image.sha256 }}@sha256:{{ .Values.image.sha256 }}{{ else }}:{{ .Values.image.tag }}{{ end }}"
+ imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+ args:
+ - bash
+ - /app/docker/prod/seeder
+ envFrom:
+ {{- include "openproject.envFrom" . | nindent 12 }}
+ env:
+ {{- include "openproject.env" . | nindent 12 }}
+ volumeMounts:
+ {{- include "openproject.tmpVolumeMounts" . | indent 12 }}
+ {{- if .Values.persistence.enabled }}
+ - name: "data"
+ mountPath: "/var/openproject/assets"
+ {{- end }}
+ {{- include "openproject.containerSecurityContext" . | indent 10 }}
+ restartPolicy: OnFailure
diff --git a/charts/openproject/templates/service.yaml b/charts/openproject/templates/service.yaml
new file mode 100644
index 0000000..ac23b71
--- /dev/null
+++ b/charts/openproject/templates/service.yaml
@@ -0,0 +1,31 @@
+---
+{{- if or .Values.service.enabled .Values.ingress.enabled }}
+apiVersion: "v1"
+kind: "Service"
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ {{- if .Values.service.sessionAffinity.enabled }}
+ sessionAffinity: "ClientIP"
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: {{ .Values.service.sessionAffinity.timeoutSeconds }}
+ {{- end }}
+ ports:
+ {{- range $key, $value := .Values.service.ports }}
+ - port: {{ $value.port }}
+ targetPort: {{ $key }}
+ protocol: {{ $value.protocol }}
+ name: {{ $key }}
+ {{- if and (eq $.Values.service.type "NodePort") $value.nodePort }}
+ nodePort: {{ $value.nodePort }}
+ {{- end }}
+ {{- end }}
+ selector:
+ {{- include "common.labels.matchLabels" . | nindent 4 }}
+ openproject/process: web
+{{- end }}
+...
diff --git a/charts/openproject/templates/serviceaccount.yaml b/charts/openproject/templates/serviceaccount.yaml
new file mode 100644
index 0000000..046ad71
--- /dev/null
+++ b/charts/openproject/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.serviceAccount.create -}}
+---
+apiVersion: "v1"
+kind: "ServiceAccount"
+metadata:
+ name: {{ include "common.names.fullname" . }}
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+...
+{{- end }}
diff --git a/charts/openproject/templates/tests/test-connection.yaml b/charts/openproject/templates/tests/test-connection.yaml
new file mode 100644
index 0000000..bd63462
--- /dev/null
+++ b/charts/openproject/templates/tests/test-connection.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: "v1"
+kind: "Pod"
+metadata:
+ name: "{{ include "common.names.fullname" . }}-test-connection"
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: "wget"
+ image: "busybox"
+ command: ['wget']
+ args:
+ - '--no-verbose'
+ - '--tries=1'
+ - '--spider'
+ - '{{ include "common.names.fullname" . }}:{{ .Values.service.ports.http.port }}/health_check'
+ restartPolicy: "Never"
+...
diff --git a/charts/openproject/templates/web-deployment.yaml b/charts/openproject/templates/web-deployment.yaml
new file mode 100644
index 0000000..4918558
--- /dev/null
+++ b/charts/openproject/templates/web-deployment.yaml
@@ -0,0 +1,128 @@
+---
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: {{ include "common.names.fullname" . }}-web
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+ openproject/process: web
+spec:
+ replicas: {{ .Values.replicaCount }}
+ strategy:
+ type: {{ .Values.strategy.type }}
+ selector:
+ matchLabels:
+ {{- include "common.labels.matchLabels" . | nindent 6 }}
+ openproject/process: web
+ template:
+ metadata:
+ annotations:
+ {{- range $key, $val := .Values.podAnnotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ {{- include "openproject.envChecksums" . | nindent 8 }}
+ labels:
+ {{- include "common.labels.standard" . | nindent 8 }}
+ openproject/process: web
+ spec:
+ {{- include "openproject.imagePullSecrets" . | indent 6 }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{ toYaml . | nindent 8 | trim }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{ toYaml . | nindent 8 | trim }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{ toYaml . | nindent 8 | trim }}
+ {{- end }}
+ {{- include "openproject.podSecurityContext" . | indent 6 }}
+ serviceAccountName: {{ include "common.names.fullname" . }}
+ volumes:
+ {{- include "openproject.tmpVolumeSpec" . | indent 8 }}
+ {{- if .Values.egress.tls.rootCA.fileName }}
+ - name: ca-pemstore
+ configMap:
+ name: "{{- .Values.egress.tls.rootCA.configMap }}"
+ {{- end }}
+ {{- if .Values.persistence.enabled }}
+ - name: "data"
+ persistentVolumeClaim:
+ claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ include "common.names.fullname" . }}{{- end }}
+ {{- end }}
+ initContainers:
+ - name: wait-for-db
+ {{- include "openproject.containerSecurityContext" . | indent 10 }}
+ image: {{ include "openproject.image" . }}
+ imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+ envFrom:
+ {{- include "openproject.envFrom" . | nindent 12 }}
+ env:
+ {{- include "openproject.env" . | nindent 12 }}
+ command:
+ - bash
+ - /app/docker/prod/wait-for-db
+ containers:
+ - name: "openproject"
+ {{- include "openproject.containerSecurityContext" . | indent 10 }}
+ image: {{ include "openproject.image" . }}
+ imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+ envFrom:
+ {{- include "openproject.envFrom" . | nindent 12 }}
+ env:
+ {{- include "openproject.env" . | nindent 12 }}
+ command:
+ - bash
+ - /app/docker/prod/web
+ volumeMounts:
+ {{- include "openproject.tmpVolumeMounts" . | indent 12 }}
+ {{- if .Values.persistence.enabled }}
+ - name: "data"
+ mountPath: "/var/openproject/assets"
+ {{- end }}
+ {{- if .Values.egress.tls.rootCA.fileName }}
+ - name: ca-pemstore
+ mountPath: /etc/ssl/certs/custom-ca.pem
+ subPath: {{ .Values.egress.tls.rootCA.fileName }}
+ readOnly: false
+ {{- end }}
+ ports:
+ {{- range $key, $value := .Values.service.ports }}
+ - name: {{ $key }}
+ containerPort: {{ $value.containerPort }}
+ protocol: {{ $value.protocol }}
+ {{- end }}
+ {{- if .Values.probes.liveness.enabled }}
+ livenessProbe:
+ httpGet:
+ path: "{{ .Values.openproject.railsRelativeUrlRoot | default "" }}/health_checks/default"
+ port: 8080
+ httpHeaders:
+ # required otherwise health check will return 404 because health check is done using the Pod IP, which may cause issues with downstream variants
+ - name: Host
+ value: localhost
+ initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }}
+ periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
+ failureThreshold: {{ .Values.probes.liveness.failureThreshold }}
+ successThreshold: {{ .Values.probes.liveness.successThreshold }}
+ {{- end }}
+ {{- if .Values.probes.readiness.enabled }}
+ readinessProbe:
+ httpGet:
+ path: "{{ .Values.openproject.railsRelativeUrlRoot | default "" }}/health_checks/default"
+ port: 8080
+ httpHeaders:
+ # required otherwise health check will return 404 because health check is done using the Pod IP, which may cause issues with downstream variants
+ - name: Host
+ value: localhost
+ initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }}
+ periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
+ failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
+ successThreshold: {{ .Values.probes.readiness.successThreshold }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
diff --git a/charts/openproject/templates/worker-deployment.yaml b/charts/openproject/templates/worker-deployment.yaml
new file mode 100644
index 0000000..3d28d3d
--- /dev/null
+++ b/charts/openproject/templates/worker-deployment.yaml
@@ -0,0 +1,98 @@
+{{- range $workerName, $workerValues := .Values.workers }}
+{{- with $ -}}
+---
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: {{ include "common.names.fullname" . }}-worker-{{ $workerName }}
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+ openproject/process: worker-{{ $workerName }}
+spec:
+ replicas: {{( kindIs "invalid" $workerValues.replicaCount) | ternary .Values.backgroundReplicaCount $workerValues.replicaCount }}
+ strategy:
+ {{ coalesce $workerValues.strategy .Values.strategy | toYaml | nindent 4 }}
+ selector:
+ matchLabels:
+ {{- include "common.labels.matchLabels" . | nindent 6 }}
+ openproject/process: worker-{{ $workerName }}
+ template:
+ metadata:
+ annotations:
+ {{- range $key, $val := .Values.podAnnotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ {{- include "openproject.envChecksums" . | nindent 8 }}
+ labels:
+ {{- include "common.labels.standard" . | nindent 8 }}
+ openproject/process: worker-{{ $workerName }}
+ spec:
+ {{- include "openproject.imagePullSecrets" . | indent 6 }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{ toYaml . | nindent 8 | trim }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{ toYaml . | nindent 8 | trim }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{ toYaml . | nindent 8 | trim }}
+ {{- end }}
+ {{- include "openproject.podSecurityContext" . | indent 6 }}
+ serviceAccountName: {{ include "common.names.fullname" . }}
+ volumes:
+ {{- include "openproject.tmpVolumeSpec" . | indent 8 }}
+ {{- if .Values.egress.tls.rootCA.fileName }}
+ - name: ca-pemstore
+ configMap:
+ name: "{{- .Values.egress.tls.rootCA.configMap }}"
+ {{- end }}
+ {{- if .Values.persistence.enabled }}
+ - name: "data"
+ persistentVolumeClaim:
+ claimName: {{ include "common.names.fullname" . }}
+ {{- end }}
+ initContainers:
+ - name: wait-for-db
+ {{- include "openproject.containerSecurityContext" . | indent 10 }}
+ image: {{ include "openproject.image" . }}
+ imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+ envFrom:
+ {{- include "openproject.envFrom" . | nindent 12 }}
+ env:
+ {{- include "openproject.env" . | nindent 12 }}
+ command:
+ - bash
+ - /app/docker/prod/wait-for-db
+ containers:
+ - name: "openproject"
+ {{- include "openproject.containerSecurityContext" . | indent 10 }}
+ image: {{ include "openproject.image" . }}
+ imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+ envFrom:
+ {{- include "openproject.envFrom" . | nindent 12 }}
+ command:
+ - bash
+ - /app/docker/prod/worker
+ env:
+ {{- include "openproject.env" . | nindent 12 }}
+ - name: "QUEUE"
+ value: "{{ $workerValues.queues }}"
+ volumeMounts:
+ {{- include "openproject.tmpVolumeMounts" . | indent 12 }}
+ {{- if .Values.persistence.enabled }}
+ - name: "data"
+ mountPath: "/var/openproject/assets"
+ {{- end }}
+ {{- if .Values.egress.tls.rootCA.fileName }}
+ - name: ca-pemstore
+ mountPath: /etc/ssl/certs/custom-ca.pem
+ subPath: {{ .Values.egress.tls.rootCA.fileName }}
+ readOnly: false
+ {{- end }}
+ resources:
+ {{- coalesce $workerValues.resources .Values.resources | toYaml | nindent 12 }}
+{{- end }}
+{{ end }}
\ No newline at end of file
diff --git a/charts/openproject/values.yaml b/charts/openproject/values.yaml
new file mode 100644
index 0000000..d650bfe
--- /dev/null
+++ b/charts/openproject/values.yaml
@@ -0,0 +1,705 @@
+# Default values for openproject.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+## Enable development mode.
+##
+## Set this to true if you want are working on the charts locally using
+## local clusters such as minikube or kind.
+##
+## This will set `OPENPROJECT_HTTPS` to `false` and avoid using volumes for
+## tmp folders as (permissions for) these don't work correctly in local clusters.
+develop: false
+
+global:
+ ## Credentials to fetch images from private registry.
+ ##
+ ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ #
+ imagePullSecrets: []
+
+## Affinity for pod assignment.
+##
+## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+#
+affinity: {}
+
+## Define additional environment variables.
+##
+## You can get a list of all environment variables when executing:
+## "RAILS_ENV=production bundle exec rake setting:available_envs"
+##
+## environment:
+## OPENPROJECT_ATTACHMENT__MAX__SIZE: 5120
+#
+environment: {}
+
+## Provide a name to substitute for the full names of resources.
+#
+fullnameOverride: ""
+
+##
+# Override the cluster domain name used in templating
+clusterDomain: "cluster.local"
+
+## Define settings for wait-for-db init-container
+#
+initdb:
+ image:
+ ## Define docker registry address.
+ #
+ registry: "docker.io"
+
+ ## Define repository string.
+ #
+ repository: "postgres"
+
+ # Postgres version to use
+ tag: 13
+
+ ## Define a imagePullPolicy.
+ ##
+ ## Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+ ##
+ ## "IfNotPresent" => The image is pulled only if it is not already present locally.
+ ## "Always" => Every time the kubelet launches a container, the kubelet queries the container image registry to
+ ## resolve the name to an image digest. If the kubelet has a container image with that exact digest cached
+ ## locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved
+ ## digest, and uses that image to launch the container.
+ ## "Never" => The kubelet does not try fetching the image. If the image is somehow already present locally, the
+ ## kubelet attempts to start the container; otherwise, startup fails
+ #
+ imagePullPolicy: "Always"
+
+ resources:
+ limits:
+ memory: "200Mi"
+ requests:
+ memory: "200Mi"
+
+## Define and create Kubernetes Service.
+##
+## Ref.: https://kubernetes.io/docs/concepts/services-networking/ingress/
+#
+ingress:
+ ## Whether to enable session affinity or not. It is required by ingress.
+ #
+ enabled: true
+
+ ## Define the name of the ingress class.
+ ##
+ ## If left empty, the cluster default is used.
+ ## Set this if you need a specific class, for instance `nginx`.
+ #
+ ingressClassName:
+
+ ## Define custom ingress annotations:
+ ##
+ ## Example:
+ ## annotations:
+ ## nginx.ingress.kubernetes.io/rewrite-target: /
+ annotations: {}
+
+ ## Define the Fully Qualified Domain Name (FQDN) where OpenProject should be reachable.
+ #
+ host: "openproject.example.com"
+
+ ## Define the path for OpenProject on your host.
+ #
+ path: /
+
+ ## Each path in an Ingress is required to have a corresponding path type. Paths that do not include an explicit
+ ## pathType will fail validation. There are three supported path types:
+ ##
+ ## "ImplementationSpecific" => With this path type, matching is up to the IngressClass. Implementations can treat this
+ ## as a separate pathType or treat it identically to Prefix or Exact path types.
+ ## "Exact" => Matches the URL path exactly and with case sensitivity.
+ ## "Prefix" => Matches based on a URL path prefix split by /.
+ ##
+ ## Ref.: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
+ #
+ pathType: "Prefix"
+
+ ## You can secure an Ingress by specifying a Secret that contains a TLS private key and certificate.
+ ##
+ ## Ref.: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ #
+ tls:
+ ## Whether to enable tls or not.
+ #
+ enabled: true
+
+ ## The name of the kubernetes secret which contains a TLS private key and certificate.
+ ## Hint: This secret is not created by this chart and must be provided.
+ ##
+ #
+ secretName: ""
+
+egress:
+ tls:
+ rootCA:
+ configMap: ""
+ fileName: ""
+
+## Define image setting
+#
+image:
+ ## Define docker registry address.
+ #
+ registry: "docker.io"
+
+ ## Define repository string.
+ #
+ repository: "openproject/community"
+
+ ## Define a imagePullPolicy.
+ ##
+ ## Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+ ##
+ ## "IfNotPresent" => The image is pulled only if it is not already present locally.
+ ## "Always" => Every time the kubelet launches a container, the kubelet queries the container image registry to
+ ## resolve the name to an image digest. If the kubelet has a container image with that exact digest cached
+ ## locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved
+ ## digest, and uses that image to launch the container.
+ ## "Never" => The kubelet does not try fetching the image. If the image is somehow already present locally, the
+ ## kubelet attempts to start the container; otherwise, startup fails
+ #
+ imagePullPolicy: "Always"
+
+ ## Define image tag.
+ ## For the helm chart, use the `-slim` variants as the all-in-one container is not compatible
+ ## with some of the options (non-root execution, password splitting, etc.) and is inefficient for using in helm
+ ## due to embedded a number of services.
+ tag: "13-slim"
+
+ ## Define image sha256 - mutual exclusive with image tag.
+ ## The sha256 has a higher precedence than
+ # sha256:
+
+## Credentials to fetch images from private registry.
+##
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+##
+## imagePullSecrets:
+## - myRegistryKeySecretName
+#
+imagePullSecrets: []
+
+## Configure memcached settings.
+#
+memcached:
+ ## When set to true, a memcached will be deployed into current namespace, when false you have to provide your own
+ ## memcached instance.
+ #
+ bundled: true
+
+ global:
+ containerSecurityContext:
+ enabled: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+
+ ## When "bundled" is set to false, you need to define the memcached connection details.
+ #
+ connection:
+ host:
+ port:
+
+## String to partially override release name.
+#
+nameOverride: ""
+
+## Node labels for pod assignment.
+##
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+#
+nodeSelector: {}
+
+## Deployment strategy
+##
+## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+#
+strategy:
+ ## Re-create pod during deployments by default since a writable volume is mounted.
+ ## Should your cluster support WriteMany volumes, you can change this
+ ## to `RollingUpdate`.
+ type: "Recreate"
+
+# Define the workers to run, their queues, replicas, strategy, and resources
+workers:
+ default:
+ queues: ""
+ replicas: 1
+ strategy:
+ type: "Recreate"
+ resources:
+ requests:
+ memory: "512Mi"
+ cpu: "250m"
+ limits:
+ memory: "4Gi"
+ cpu: "4"
+
+## OpenProject related settings.
+##
+## Ref.: https://www.openproject.org/docs/installation-and-operations/configuration/environment/#supported-environment-variables
+#
+openproject:
+ ## Enable https in backend response.
+ #
+ https: true
+
+ ## Define the host, defaults to value of "ingress.host".
+ #
+ host:
+
+ ## Enable HSTS.
+ #
+ hsts: true
+
+ ## Define Cache settings.
+ #
+ cache:
+ store: "memcache"
+
+ extraEnvVarsSecret: ""
+
+ ## Define the language to seed the instance in
+ #
+ seed_locale: "en"
+
+ ##
+ # Let OpenProject run in a subdirectory,
+ # e.g., https://exameple.com/openproject
+ # specify with leading slash, but without trailing slash
+ # e.g., /openproject
+ railsRelativeUrlRoot:
+
+ ## Define admin user details
+ # only applicable on first installation
+ # Note: Only applicable for versions >= 13.0
+ admin_user:
+ password: "admin"
+ password_reset: "true"
+ name: "OpenProject Admin"
+ mail: "admin@example.net"
+
+ ## Define OpenID Connect providers
+ oidc:
+ enabled: false
+ provider: "Keycloak"
+ displayName: "Keycloak"
+ host: ""
+ identifier: ""
+ secret: ""
+ authorizationEndpoint: ""
+ tokenEndpoint: ""
+ userinfoEndpoint: ""
+ endSessionEndpoint: ""
+ scope: "[openid]"
+
+ # Optional attribute mappings from the id token
+ attribute_map: {}
+
+ ## To avoid having sensitive credentials in your values.yaml, the preferred way is to
+ ## use an existing secret containing the OIDC compatible access credentials.
+ ## Specify the name of this existing secret here.
+ existingSecret:
+
+ ## In case your secret does not use the default keys in the secret, you can adjust them here.
+ secretKeys:
+ identifier: "clientId"
+ secret: "clientSecret"
+
+ # Allows usage of sealed-secret for `identifier` and `secret` values.
+ # Special use case for use in setups where heml template `lookup` function is not available.
+ # Ref: https://github.com/argoproj/argo-cd/issues/5202
+ #
+ extraOidcSealedSecret:
+
+ ## Modify PostgreSQL statement timout.
+ ## Increase in case you get errors such as "ERROR: canceling statement due to statement timeout".
+ ##
+ ## Ref.: https://www.openproject.org/docs/installation-and-operations/configuration/environment/#postgresql-statement_timeout
+ #
+ postgresStatementTimeout: 120s
+
+ ## Whether or not to use ephemeral volumes for /app/tmp and /tmp.
+ ## Falls back to a sensible default if undefined.
+ #
+ useTmpVolumes:
+
+ ## customize the tmp storage mount sizes
+ tmpVolumesStorage: "5Gi"
+
+## Whether to allocate persistent volume disk for the data directory.
+## In case of node failure, the node data directory will still persist.
+##
+## Ref.: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+#
+persistence:
+ enabled: true
+
+ ## Define the volume access modes:
+ ##
+ ## "ReadWriteOnce" => The volume can be mounted as read-write by a single node. ReadWriteOnce access mode still can
+ ## allow multiple pods to access the volume when the pods are running on the same node.
+ ## "ReadOnlyMany" => The volume can be mounted as read-only by many nodes.
+ ## "ReadWriteMany" => The volume can be mounted as read-write by many nodes.
+ ## "ReadWriteOncePod" => The volume can be mounted as read-write by a single Pod. Use ReadWriteOncePod access mode if
+ ## you want to ensure that only one pod across whole cluster can read that PVC or write to it.
+ #
+ accessModes:
+ - "ReadWriteMany"
+
+ ## Define custom storage (PVC) annotations:
+ ##
+ annotations: {}
+
+ ## Define the volume size.
+ #
+ size: "1Gi"
+
+ ## Define the class of PV.
+ storageClassName:
+
+## Whether to use an S3-compatible object storage to store OpenProject attachments.
+## If this is enabled, files will NOT be stored in the mounted volume configured in `persistence` above.
+## The volume will not be used at all, so it `persistence.enabled` should be set to `false` in this case.
+##
+## Ref.: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
+#
+s3:
+ enabled: false
+
+ auth:
+ # Provide the accessKeyId and secret in plain values
+ # We recommend to use the existing
+ Secret option instead
+ accessKeyId:
+ secretAccessKey:
+
+ ## To avoid having sensitive credentials in your values.yaml, the preferred way is to
+ ## use an existing secret containing the S3 compatible access credentials.
+ ## Specify the name of this existing secret here.
+ existingSecret:
+
+ ## In case your secret does not use the default keys in the secret, you can adjust them here.
+ secretKeys:
+ accessKeyId: "accessKeyId"
+ secretAccessKey: "secretAccessKey"
+
+ region:
+ bucketName:
+
+ ## Remove or leave empty to use default AWS S3 endpoint
+ #
+ endpoint:
+ host:
+ port:
+ pathStyle: false
+ signatureVersion: 4
+ useIamProfile: false
+ # Some providers do not properly support signature v4 streaming (e.g. Scaleway)
+ enableSignatureV4Streaming: true
+
+ ## If enabled, upload files directly to S3 from the browser instead of going through OpenProject.
+ ## May not be supported by providers other than AWS S3 itself.
+ ##
+ ## Ref.: https://www.openproject.org/docs/installation-and-operations/configuration/#direct-uploads
+ #
+ directUploads: true
+
+ ## You can always override these options via the environment, for instance:
+ ##
+ ## environment:
+ ## OPENPROJECT_FOG_CREDENTIALS_REGION: 'us-east-1'
+ ##
+ ## Ref.: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
+
+## Define custom pod annotations.
+#
+podAnnotations: {}
+
+## Pod Security Context.
+##
+## We use the default value of `1000` for `fsGroup` since that
+## is the app user's group ID and if the user wants to be able to
+## write to `/var/openproject/assets` the mounted folder needs to
+## have a matching gid.
+##
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+#
+podSecurityContext:
+ enabled: true
+ fsGroup: 1000
+
+## Container security context using as a default best practice values
+## granting minimum privileges.
+##
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+#
+containerSecurityContext:
+ enabled: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+
+## Configure PostgreSQL settings.
+#
+postgresql:
+ ## When set to true, a postgres server will be deployed into current namespace, when false you have to provide your
+ ## own database instance.
+ #
+ bundled: true
+
+ global:
+ containerSecurityContext:
+ enabled: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ seccompProfile:
+ type: "RuntimeDefault"
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+
+ ## When "bundled" is set to false, you need to define the database connection details.
+ #
+ connection:
+ host:
+ port:
+
+ ## Database auth details.
+ #
+ auth:
+ ## To avoid having sensitive credentials in your values.yaml, the preferred way to provide a password
+ ## is to use an existing secret containing the PostgreSQL credentials.
+ ## Specify the name of this existing secret here.
+ ##
+ ## If neither an existing secret nor passwords are defined, a secret is generated automatically.
+ ##
+ ## The postgresql chart will create this secret (the name of which ends with `-postgresql` by default)
+ ## with generated user and admin passwords.
+ ## If you want to see the base64 encoded passwords you can output the secret like this:
+ ##
+ ## ```
+ ## kubectl get secret -n <namespace> openproject-postgresql -o yaml | grep password
+ ## ```
+ #
+ existingSecret: ""
+
+ ## In case your secret does not use the default keys in the secret, you can adjust them here.
+ ##
+ ## secretKeys:
+ ## adminPasswordKey: "postgres-password"
+ ## userPasswordKey: "password"
+
+ ## Database username.
+ #
+ username: "openproject"
+
+ ## Database name.
+ #
+ database: "openproject"
+
+ ## If you are not using a Kubernetes secret to store your postgresql credentials,
+ ## you can specify them here if you really must. Please handle with care!
+
+ ## Database password.
+ #
+ password: ""
+
+ ## Database root password.
+ #
+ postgresPassword: ""
+
+ ## When using the "bundled" postgresql chart, you can configure the storageClass and other settings similar to this
+ ## Ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
+ #
+ # global:
+ # storageClass: my-storage-class-name
+
+## Configure liveness and readiness probes.
+##
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+#
+probes:
+ ## Configure liveness probe.
+ ##
+ ## If the liveness probe fails, the container will be restarted.
+ #
+ liveness:
+ ## Whether to enable liveness probes.
+ #
+ enabled: true
+
+ ## Number of seconds after the container has started before startup, liveness or readiness probes are initiated.
+ ## Defaults to 0 seconds. Minimum value is 0.
+ #
+ initialDelaySeconds: 120
+
+ ## Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1.
+ #
+ timeoutSeconds: 3
+
+ ## How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.
+ #
+ periodSeconds: 30
+
+ ## When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness
+ ## probe means restarting the container. In case of readiness probe the Pod will be marked Unready. Defaults to 3.
+ ## Minimum value is 1.
+ #
+ failureThreshold: 3
+
+ ## Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1.
+ ## Must be 1 for liveness and startup Probes. Minimum value is 1.
+ #
+ successThreshold: 1
+
+ ## Configure readiness probe.
+ ##
+ ## If the readiness probe failes, no traffic will be routed to the container.
+ #
+ readiness:
+ ## Whether to enable liveness probes.
+ #
+ enabled: true
+
+ ## Number of seconds after the container has started before startup, liveness or readiness probes are initiated.
+ ## Defaults to 0 seconds. Minimum value is 0.
+ #
+ initialDelaySeconds: 30
+
+ ## Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1.
+ #
+ timeoutSeconds: 3
+
+ ## How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.
+ #
+ periodSeconds: 15
+
+ ## When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness
+ ## probe means restarting the container. In case of readiness probe the Pod will be marked Unready. Defaults to 3.
+ ## Minimum value is 1.
+ #
+ failureThreshold: 30
+
+ ## Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1.
+ ## Must be 1 for liveness and startup Probes. Minimum value is 1.
+ #
+ successThreshold: 1
+
+## Number of OpenProject web process replicas.
+#
+replicaCount: 1
+
+## Number of OpenProject background worker process replicas.
+#
+backgroundReplicaCount: 1
+
+## Configure resource requests and limits.
+##
+## http://kubernetes.io/docs/user-guide/compute-resources/
+#
+resources:
+ requests:
+ memory: "512Mi"
+ cpu: "250m"
+ limits:
+ memory: "4Gi"
+ cpu: "4"
+
+## Define and create Kubernetes Service.
+##
+## Ref.: https://kubernetes.io/docs/concepts/services-networking/service
+#
+service:
+ ## Whether to enable session affinity or not. It is required by ingress.
+ #
+ enabled: true
+
+ ## Choose the kind of Service:
+ ##
+ ## "ClusterIP" => Exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable
+ ## from within the cluster. This is the default that is used if you don't explicitly specify a type for
+ ## a Service.
+ ## "NodePort" => Exposes the Service on each Node's IP at a static port (the NodePort). To make the node port
+ ## available, Kubernetes sets up a cluster IP address, the same as if you had requested a Service of
+ ## type: ClusterIP.
+ ## "LoadBalancer" => Exposes the Service externally using a cloud provider's load balancer.
+ ##
+ ## Ref.: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+ #
+ type: "ClusterIP"
+
+ ## Define the ports of Service.
+ ## You can set the port value to an arbitrary value, it will map the container port by name.
+ ##
+ ## Custom NodePort example:
+ ## ports:
+ ## http:
+ ## port: 8080
+ ## protocol: "TCP"
+ ## nodePort: "38080"
+ #
+ ports:
+ http:
+ containerPort: 8080
+ port: 8080
+ protocol: "TCP"
+
+ ## Configure session affinity for to hit the same backend for the period specified in `timeoutSeconds`.
+ ##
+ ## Ref.: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
+ #
+ sessionAffinity:
+ ## Whether to enable session affinity or not.
+ #
+ enabled: false
+ ## The session duration in seconds.
+ #
+ timeoutSeconds: 10800
+
+## Define Service Accounts for Pods.
+##
+## Ref.: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+#
+serviceAccount:
+ ## Whether to create service account.
+ #
+ create: true
+
+ ## Define custom service account annotations.
+ #
+ annotations: {}
+
+# Options for the seeder job
+seederJob:
+ ## Define custom seeder job annotations.
+ #
+ annotations: {}
+
+## Tolerations for pod assignment.
+##
+## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+#
+tolerations: []