diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml new file mode 100644 index 00000000..163b48a0 --- /dev/null +++ b/.github/workflows/build.yaml @@ -0,0 +1,21 @@ +name: Build +on: + push: + branches: + - staging/QA + - master + pull_request: + types: [opened, synchronize, reopened] +jobs: + sonarcloud: + name: SonarCloud + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + - name: SonarCloud Scan + uses: SonarSource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/pr-notification.yaml b/.github/workflows/pr-notification.yaml new file mode 100644 index 00000000..26484def --- /dev/null +++ b/.github/workflows/pr-notification.yaml @@ -0,0 +1,75 @@ +name: PR Notification to Google Chat + +on: + pull_request_target: + types: [opened, synchronize, closed] + branches: + - master + - staging/QA + +jobs: + notify: + runs-on: ubuntu-latest + if: github.event.pull_request.base.repo.full_name == 'AOT-Technologies/forms-flow-ai-charts' || github.event.pull_request.head.repo.full_name == 'AOT-Technologies/forms-flow-ai-charts' + + steps: + - name: Determine PR Status + id: pr_status + run: | + if [[ "${{ github.event.action }}" == "opened" ]]; then + echo "status=🟢 Open" >> $GITHUB_ENV + elif [[ "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true" ]]; then + echo "status=🟣 Merged" >> $GITHUB_ENV + elif [[ "${{ github.event.action }}" == "closed" ]]; then + echo "status=🔴 Closed" >> $GITHUB_ENV + else + echo "status=🟢 Open" >> $GITHUB_ENV + fi + + - name: Send notification to Google Chat + uses: fjogeleit/http-request-action@v1.16.0 + with: + url: ${{ secrets.PR_NOTIFICATION }} + method: POST + contentType: application/json + data: | + { + "cards": [ + { + "header": { + "title": "Open source: Pull Request Opened by ${{ github.event.pull_request.user.login }}", + "subtitle": "Pull Request #${{ github.event.pull_request.number }}: ${{ github.event.pull_request.title }}" + }, + "sections": [ + { + "widgets": [ + { + "textParagraph": { + "text": "Repository: ${{ github.repository }}" + } + }, + { + "textParagraph": { + "text": "Status: ${{ env.status }}" + } + }, + { + "buttons": [ + { + "textButton": { + "text": "View Pull Request", + "onClick": { + "openLink": { + "url": "${{ github.event.pull_request.html_url }}" + } + } + } + } + ] + } + ] + } + ] + } + ] + } \ No newline at end of file diff --git a/Notes.md b/Notes.md index cfe76765..a23daacc 100644 --- a/Notes.md +++ b/Notes.md @@ -1,8 +1,8 @@ -# 🚨 Important Notice: Upgrade Impact on forms-flow-ai-charts (Helm) v7.1.2 +# 🚨 Important Notice: Upgrade Impact on forms-flow-ai-charts (Helm) v8.0.0 ## Key Points: -1. **Database Backup**: The latest upgrade (v7.1.2) will affect existing data. Please ensure you backup your database before proceeding with the upgrade. +1. **Database Backup**: The latest upgrade (v8.0.0) will affect existing data. Please ensure you backup your database before proceeding with the upgrade. 2. **Environment Changes**: Changes to the environment variables will not affect the deployment unless there are modifications to the database. diff --git a/README.md b/README.md new file mode 100644 index 00000000..fb175ba2 --- /dev/null +++ b/README.md @@ -0,0 +1,65 @@ +
+
+ + +[**formsflow.ai**](https://formsflow.ai/) is a Free, Open-Source, Low Code Development Platform for rapidly building powerful business applications. [**formsflow.ai**](https://formsflow.ai/) combines leading Open-Source applications including [form.io](https://form.io) forms, Camunda’s workflow engine, Keycloak’s security, and Redash’s data analytics into a seamless, integrated platform. + + +## Before you begin + +### Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ + +### Setup a Kubernetes Cluster + +The quickest way to set up a Kubernetes cluster to install [formsflow.ai](https://formsflow.ai/) Charts is by following the "[formsflow.ai](https://formsflow.ai/) Get Started" guides for the different services: + +- [Get Started with Formsflow Charts using the Amazon Elastic Container Service for Kubernetes (EKS)](https://aot-technologies.github.io/forms-flow-installation-eks/docs/intro/) + +### Install Helm + +Helm is a tool for managing Kubernetes charts. Charts are packages of pre-configured Kubernetes resources. + +To install Helm, refer to the [Helm install guide](https://github.com/helm/helm#install) and ensure that the `helm` binary is in the `PATH` of your shell. + +### Using Helm + +Once you have installed the Helm client, you can deploy a Bitnami Helm Chart into a Kubernetes cluster. + +Please refer to the [Quick Start guide](https://helm.sh/docs/intro/quickstart/) if you wish to get running in just a few commands, otherwise, the [Using Helm Guide](https://helm.sh/docs/intro/using_helm/) provides detailed instructions on how to use the Helm client to manage packages on your Kubernetes cluster. + +## License + +Copyright 2020 AppsOnTime-Technologies 2020 + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +## Chart Versions + +The versions of Helm charts available in this repository are as follows: + +| Formsflow Version | Chart Name | Chart Version | +|---------------------------|---------------------------|---------------------------| +| 7.0.0 | forms-flow-ai | v8.0.0 | +| 6.0.2 | forms-flow-ai | v7.1.2 | +| 6.0.1 | forms-flow-ai | v7.1.1 | +| 6.0.0 | forms-flow-ai | v6.0.0 | +| 5.3.1 | forms-flow-ai | v5.3.1 | +| 5.3.0 | forms-flow-ai | v5.3.0 | +| 5.2.2 | forms-flow-ai | v5.2.2 | +| 5.2.1 | forms-flow-ai | v5.2.1 | +| 5.2.0 | forms-flow-ai | v5.2.0 | +| 5.1.1 | forms-flow-ai | v5.1.1 | +| 5.1.0 | forms-flow-ai | v5.1.0 | \ No newline at end of file diff --git a/charts/forms-flow-admin/.helmignore b/charts/forms-flow-admin/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/forms-flow-admin/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/forms-flow-admin/Chart.yaml b/charts/forms-flow-admin/Chart.yaml index 1bbcbdae..0a63c67f 100644 --- a/charts/forms-flow-admin/Chart.yaml +++ b/charts/forms-flow-admin/Chart.yaml @@ -1,6 +1,13 @@ ---- apiVersion: v2 name: forms-flow-admin -tags: forms-flow-admin +description: forms-flow-admin is a component for managing apis provided by formsflow. icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" -version: v7.1.2 \ No newline at end of file +version: v8.0.0 +type: application +appVersion: "8.0.0" +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x diff --git a/charts/forms-flow-admin/README.md b/charts/forms-flow-admin/README.md new file mode 100644 index 00000000..c662bfb2 --- /dev/null +++ b/charts/forms-flow-admin/README.md @@ -0,0 +1,191 @@ +# Formsflow Admin API + +Formsflow Admin API is a Python REST API to provision tenants in a multi tenanted environment. + + +## Introduction + +This chart bootstraps a forms-flow-admin deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + + +## Installing the Chart + +To install the chart with the release name `forms-flow-admin`: + +```console +helm install forms-flow-admin forms-flow-admin +``` + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm install forms-flow-admin forms-flow-admin --set ingress.ingressClassName=INGRESS_CLASS --set ingress.hostname=HOSTNAME +``` + +> Note: You need to substitute the placeholders `INGRESS_CLASS` and `HOSTNAME` with a reference to your Helm chart registry and repository. For example, in the case of Formsflow, you need to use`INGRESS_CLASS=nginx` + +These commands deploy Forms-flow-admin on the Kubernetes cluster + +> **Tip**: List all releases using `helm list` + +### Resource requests and limits + +Forms-flow-admin charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +```yaml +resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi +``` + +### Change Forms-flow-admin version + +To modify the Forms-flow-admin version used in this chart you can specify a [valid image tag](https://hub.docker.com/repository/docker/formsflow/forms-flow-ai-admin) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. + +```yaml +image: + registry: docker.io + repository: formsflow/forms-flow-ai-admin + tag: X.Y.Z +``` + +## Persistence + +The `formsflow-admin` image stores the application logs at the `/opt/app-root/logs` path of the container. + + +## Sidecar Configuration + +To add a sidecar to your `Forms-flow-admin` deployment, you can use the following configuration. In this case, the sidecar container is an Nginx container used for configuration management. + +### Example Sidecar Configuration + +```yaml +sidecars: + - name: nginx + image: nginx:latest + ports: + - containerPort: 80 + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf +``` + +## API Path Update +The `Forms-flow-admin` can now be accessed at the `/admin` route. Ensure that all configurations and requests reference this updated path. + +For example: + +``` +https:///admin +``` + +## Parameters + +| Parameter | Description | Default Value | +|------------------------------------|-----------------------------------------------------|------------------------------------| +| `replicaCount` | Number of replicas | `1` | +| `image.registry` | Docker registry for the image | `docker.io` | +| `image.repository` | Repository for the image | `formsflow/forms-flow-ai-admin` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.tag` | Image tag | `v7.0.0` | +| `image.pullSecrets` | Array of image pull secrets | `forms-flow-ai-auth` | +| `nameOverride` | String to partially override common.names.fullname | `""` | +| `fullnameOverride` | String to fully override common.names.fullname | `""` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `priorityClassName` | Pod priority | `""` | +| `schedulerName` | Name of the k8s scheduler | `""` | +| `terminationGracePeriodSeconds` | Time given to the pod to terminate gracefully | `""` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | +| `diagnosticMode.enabled` | Enable diagnostic mode | `false` | +| `diagnosticMode.command` | Command to override all containers in deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in deployment | `["infinity"]` | +| `hostAliases` | Deployment host aliases | `[]` | +| `serviceAccount.create` | Whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations for the service account | `{}` | +| `serviceAccount.name` | Name of the service account | `""` | +| `serviceAccount.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `podAnnotations` | Pod annotations | `{}` | +| `podLabels` | Extra labels for pods | `{}` | +| `podAffinityPreset` | Pod affinity preset | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type | `""` | +| `nodeAffinityPreset.key` | Node label key to match | `""` | +| `nodeAffinityPreset.values` | Node label values to match | `[]` | +| `podSecurityContext.enabled` | Enable security context for pods | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.fsGroup` | Pod's Security Context fsGroup | `1001` | +| `containerSecurityContext.enabled` | Enable containers' Security Context | `true` | +| `containerSecurityContext.runAsUser` | Containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Containers' Security Context runAsGroup | `1001` | +| `containerSecurityContext.runAsNonRoot` | Container's Security Context runAsNonRoot | `false` | +| `command` | Override default container command | `[]` | +| `args` | Override default container args | `[]` | +| `lifecycleHooks` | Lifecycle hooks for containers | `{}` | +| `extraEnvVars` | Extra environment variables for containers | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars| `""` | +| `extraVolumes` | Array to add extra volumes | `{}` | +| `extraVolumeMounts` | Array to add extra mounts | `{}` | +| `existingSecret` | Existing secret containing database credentials | `""` | +| `updateStrategy.type` | Update strategy for installation | `RollingUpdate` | +| `rbac.create` | Whether to create and use RBAC resources | `false` | +| `pdb.create` | If true, create a pod disruption budget | `true` | +| `autoscaling.enabled` | Enable autoscaling for forms-flow-admin | `false` | +| `formsflow.configmap` | Name of the formsflow.ai ConfigMap | `forms-flow-ai` | +| `formsflow.secret` | Name of the formsflow.ai secret | `forms-flow-ai` | +| `formsflow.analytics` | Name of the analytics component | `forms-flow-analytics` | + +## Ingress Parameters + +| Parameter | Description | Default Value | +|------------------------------------|-----------------------------------------------------|------------------------------------| +| `ingress.enabled` | Enable ingress record generation | `true` | +| `ingress.ingressClassName` | Ingress class used to implement Ingress | `""` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.controller` | Ingress controller type | `default` | +| `ingress.hostname` | Default host for the ingress record | `forms-flow-admin.local` | +| `ingress.path` | Default path for the ingress record | `"/admin"` | +| `ingress.servicePort` | Backend service port to use | `5000` | +| `ingress.tls` | Enable TLS configuration | `true` | +| `ingress.selfSigned` | Create a TLS secret using self-signed certificates | `false` | + +## Service Parameters + +| Parameter | Description | Default Value | +|------------------------------------|-----------------------------------------------------|------------------------------------| +| `service.type` | Kubernetes service type (`ClusterIP`, `NodePort`, or `LoadBalancer`) | `ClusterIP` | +| `service.ports` | Forms-flow-admin service ports | `[{name: http, port: 5000, protocol: TCP}]` | + +## Resource Parameters + +| Parameter | Description | Default Value | +|------------------------------------|-----------------------------------------------------|------------------------------------| +| `resourcesPreset` | Set container resources according to preset | `small` | +| `resources.limits.cpu` | CPU limit | `500m` | +| `resources.limits.memory` | Memory limit | `1Gi` | +| `resources.requests.cpu` | CPU request | `250m` | +| `resources.requests.memory` | Memory request | `512Mi` | + +## Database Parameters + +| Parameter | Description | Default Value | +|------------------------------------|-----------------------------------------------------|------------------------------------| +| `postgresql.databasename` | Database name for PostgreSQL | `forms-flow-admin` | +| `postgresql.username` | PostgreSQL username | `postgres` | +| `postgresql.password` | PostgreSQL password | `postgres` | +| `postgresql.host` | PostgreSQL host | `forms-flow-ai-postgresql-ha-pgpool` | +| `ExternalDatabase.ExistingDatabaseNameKey` | Key for the existing database name | `""` | +| `ExternalDatabase.ExistingDatabaseUserNameKey` | Key for the existing database username | `""` | +| `ExternalDatabase.ExistingDatabasePasswordKey` | Key for the existing database password | `""` | +| `ExternalDatabase.ExistingDatabaseHostKey` | Key for the existing database host | `""` | +| `ExternalDatabase.ExistingDatabasePortKey` | Key for the existing database port | `""` | +| `ExternalDatabase.ExistingSecretName` | Name of the existing secret | `""` | diff --git a/charts/forms-flow-admin/templates/_helpers.tpl b/charts/forms-flow-admin/templates/_helpers.tpl new file mode 100644 index 00000000..bdac49a1 --- /dev/null +++ b/charts/forms-flow-admin/templates/_helpers.tpl @@ -0,0 +1,102 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "forms-flow-admin.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "forms-flow-admin.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "forms-flow-admin.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "forms-flow-admin.labels" -}} +helm.sh/chart: {{ include "forms-flow-admin.chart" . }} +{{ include "forms-flow-admin.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "forms-flow-admin.selectorLabels" -}} +app.kubernetes.io/name: {{ include "forms-flow-admin.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "forms-flow-admin.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "forms-flow-admin.imagePullSecrets" -}} +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) -}} +{{- end -}} + +{{/* +Return the forms-flow-admin configuration configmap +*/}} +{{- define "forms-flow-admin.configmapName" -}} +{{- if .Values.existingConfigmap -}} + {{- printf "%s" (tpl .Values.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created +*/}} +{{- define "forms-flow-admin.createConfigmap" -}} +{{- if and .Values.configuration (not .Values.existingConfigmap) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* + Return the proper forms-flow-admin image name +*/}} +{{- define "forms-flow-admin.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} +{{/* +Return the proper forms-flow-admin side car nginx image name +*/}} +{{- define "forms-flow-admin.nginx.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.ExtraContainer.image "global" .Values.global) }} +{{- end -}} \ No newline at end of file diff --git a/charts/forms-flow-admin/templates/configmap.yaml b/charts/forms-flow-admin/templates/configmap.yaml index db3b4ac8..2c442058 100644 --- a/charts/forms-flow-admin/templates/configmap.yaml +++ b/charts/forms-flow-admin/templates/configmap.yaml @@ -1,34 +1,12 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} -data: - DATABASE_URL: "{{tpl .Values.postgresql.url .}}" - DATABASE_PORT: "{{ .Values.postgresql.port }}" ---- -{{- if .Values.elastic_search.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Chart.Name }}-fb-config -data: - "filebeat.yml": |- - filebeat.inputs: - - type: log - enabled: true - paths: - - /opt/app-root/logs/* - output.elasticsearch: - hosts: "${ELASTIC_SERVER}" - index: "forms-flow-admin-api-%{+yyyy.MM.dd}" - setup.template.name: "forms-flow-admin-api" - setup.template.pattern: "forms-flow-admin-api-*" - setup.template.overwrite: true - setup.template.enabled: false - setup.template.settings: - index.number_of_shards: 1 - setup.ilm.enabled: false -{{- end}} \ No newline at end of file +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-admin + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + DATABASE_PORT: "{{ .Values.postgresql.port }}" \ No newline at end of file diff --git a/charts/forms-flow-admin/templates/deployment.yaml b/charts/forms-flow-admin/templates/deployment.yaml index 1448f550..326ee051 100644 --- a/charts/forms-flow-admin/templates/deployment.yaml +++ b/charts/forms-flow-admin/templates/deployment.yaml @@ -1,235 +1,267 @@ --- -apiVersion: apps/v1 +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: - labels: - app: "{{ .Chart.Name }}" - name: "{{ .Chart.Name }}" + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: - replicas: {{ .Values.replicas }} + replicas: {{ .Values.replicaCount }} + strategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: - app: "{{ .Chart.Name }}" - strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 25% - type: RollingUpdate + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} template: metadata: - labels: - app: "{{ .Chart.Name }}" + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + annotations: + {{- if not .Values.existingSecret }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + {{- end }} + {{- if (include "forms-flow-admin.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} spec: + {{- include "forms-flow-admin.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ template "forms-flow-admin.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} + {{- end }} containers: - {{- if .Values.elastic_search.enabled }} - - name: filebeat-admin - image: docker.elastic.co/beats/filebeat:7.14.0 - env: - - name: ELASTIC_SERVER + - name: forms-flow-admin + image: {{ include "forms-flow-admin.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + {{- $secretName := .Values.ExternalDatabase.ExistingSecretName | default .Chart.Name }} + {{- $configmapName := .Values.ExternalDatabase.ExistingConfigmapName | default .Chart.Name }} + {{- with .Values.ExternalDatabase }} + - name: DATABASE_NAME + valueFrom: + secretKeyRef: + key: {{ .ExistingDatabaseNameKey | default "DATABASE_NAME" }} + name: "{{ $secretName }}" + - name: DATABASE_USERNAME + valueFrom: + secretKeyRef: + key: {{ .ExistingDatabaseUserNameKey | default "DATABASE_USERNAME" }} + name: "{{ $secretName }}" + - name: DATABASE_PASSWORD + valueFrom: + secretKeyRef: + key: {{ .ExistingDatabasePasswordKey | default "DATABASE_PASSWORD" }} + name: "{{ $secretName }}" + - name: DATABASE_PORT valueFrom: configMapKeyRef: - key: ELASTIC_SERVER + key: {{ .ExistingDatabasePortKey | default "DATABASE_PORT" }} + name: "{{ $configmapName }}" + - name: DATABASE_HOST + valueFrom: + secretKeyRef: + key: {{ .ExistingDatabaseHostKey | default "DATABASE_HOST" }} + name: "{{ $secretName }}" + {{- end }} + - name: JWT_OIDC_ALGORITHMS + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_ALGORITHMS name: "{{ .Values.formsflow.configmap }}" - volumeMounts: - - name: admin-logs - mountPath: /opt/app-root/logs - - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - name: admin-filebeat - {{- end}} - - env: - {{- if .Values.ExternalDatabase.ExistingDatabaseNameKey }} - - name: DATABASE_NAME - valueFrom: - secretKeyRef: - key: {{ .Values.ExternalDatabase.ExistingDatabaseNameKey }} - name: "{{ .Values.ExternalDatabase.ExistingSecretName }}" - {{- end }} - {{- if not .Values.ExternalDatabase.ExistingDatabaseNameKey }} - - name: DATABASE_NAME - valueFrom: - secretKeyRef: - key: DATABASE_NAME - name: "{{ .Chart.Name }}" - {{- end }} - {{- if .Values.ExternalDatabase.ExistingDatabaseUserNameKey }} - - name: DATABASE_USERNAME - valueFrom: - secretKeyRef: - key: {{ .Values.ExternalDatabase.ExistingDatabaseUserNameKey }} - name: "{{ .Values.ExternalDatabase.ExistingSecretName }}" - {{- end }} - {{- if not .Values.ExternalDatabase.ExistingDatabaseUserNameKey }} - - name: DATABASE_USERNAME - valueFrom: - secretKeyRef: - key: DATABASE_USERNAME - name: "{{ .Chart.Name }}" - {{- end }} - {{- if .Values.ExternalDatabase.ExistingDatabasePasswordKey }} - - name: DATABASE_PASSWORD - valueFrom: - secretKeyRef: - key: {{ .Values.ExternalDatabase.ExistingDatabasePasswordKey }} - name: "{{ .Values.ExternalDatabase.ExistingSecretName }}" - {{- end }} - {{- if not .Values.ExternalDatabase.ExistingDatabasePasswordKey }} - - name: DATABASE_PASSWORD - valueFrom: - secretKeyRef: - key: DATABASE_PASSWORD - name: "{{ .Chart.Name }}" - {{- end }} - - name: DATABASE_PORT - valueFrom: - configMapKeyRef: - key: DATABASE_PORT - name: "{{ .Chart.Name }}" - {{- if .Values.ExternalDatabase.ExistingDatabaseHostKey }} - - name: DATABASE_HOST - valueFrom: - secretKeyRef: - key: {{ .Values.ExternalDatabase.ExistingDatabaseHostKey }} - name: "{{ .Values.ExternalDatabase.ExistingSecretName }}" - {{- end }} - {{- if not .Values.ExternalDatabase.ExistingDatabaseHostKey }} - - name: DATABASE_HOST - valueFrom: - secretKeyRef: - key: DATABASE_HOST - name: "{{ .Chart.Name }}" - {{- end }} - - name: DATABASE_URL - valueFrom: - configMapKeyRef: - key: DATABASE_URL - name: "{{ .Chart.Name }}" - - name: JWT_OIDC_ALGORITHMS - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_ALGORITHMS - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_AUDIENCE - valueFrom: - secretKeyRef: - key: ADMIN_WEB_CLIENTID - name: "{{ .Values.formsflow.secret }}" - - name: JWT_OIDC_CACHING_ENABLED - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_CACHING_ENABLED - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_ISSUER - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_ISSUER - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_JWKS_CACHE_TIMEOUT - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_JWKS_CACHE_TIMEOUT - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_JWKS_URI - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_JWKS_URI - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_WELL_KNOWN_CONFIG - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_CONFIG - name: "{{ .Values.formsflow.configmap }}" - - name: KEYCLOAK_URL - valueFrom: - configMapKeyRef: - key: KEYCLOAK_URL - name: "{{ .Values.formsflow.configmap }}" - - name: FORMSFLOW_WEB_URL - valueFrom: - configMapKeyRef: - key: FORMSFLOW_WEB_URL - name: "{{ .Values.formsflow.configmap }}" - - name: KEYCLOAK_URL_REALM - valueFrom: - configMapKeyRef: - key: KEYCLOAK_URL_REALM - name: "{{ .Values.formsflow.configmap }}" - - name: INSIGHT_API_URL - valueFrom: - configMapKeyRef: - key: INSIGHT_API_URL - name: "{{ .Values.formsflow.configmap }}" - - name: INSIGHT_API_KEY - valueFrom: - secretKeyRef: - key: INSIGHT_API_KEY - name: "{{ .Values.formsflow.secret }}" - - name: BPM_API_URL - valueFrom: - configMapKeyRef: - key: BPM_API_URL - name: "{{ .Values.formsflow.configmap }}" - - name: KEYCLOAK_ADMIN_CLIENT - valueFrom: - secretKeyRef: - key: KEYCLOAK_CLIENTID - name: "{{ .Values.formsflow.secret }}" - - name: KEYCLOAK_ADMIN_SECRET - valueFrom: - secretKeyRef: - key: KEYCLOAK_CLIENTSECRET - name: "{{ .Values.formsflow.secret }}" - - name: FORMIO_ROOT_EMAIL - valueFrom: - secretKeyRef: - key: FORMIO_ROOT_EMAIL - name: "{{ .Values.formsflow.secret }}" - - name: FORMIO_ROOT_PASSWORD - valueFrom: - secretKeyRef: - key: FORMIO_ROOT_PASSWORD - name: "{{ .Values.formsflow.secret }}" - - name: FORMIO_URL - valueFrom: - configMapKeyRef: - key: FORMIO_URL - name: "{{ .Values.formsflow.configmap }}" - - name: FORMIO_JWT_SECRET - valueFrom: - secretKeyRef: - key: FORMIO_JWT_SECRET - name: "{{ .Values.formsflow.secret }}" - - name: BPM_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: KEYCLOAK_CLIENTSECRET - name: "{{ .Values.formsflow.secret }}" - - name: FORMSFLOW_ADMIN_API_CORS_ORIGINS - value: '*' - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" - name: "{{ .Chart.Name }}" - imagePullPolicy: Always - ports: - - containerPort: {{ .Values.ingress.port }} - resources: - limits: - cpu: "{{ .Values.resources.limits.cpu }}" - memory: "{{ .Values.resources.limits.memory }}" - requests: - cpu: "{{ .Values.resources.requests.cpu }}" - memory: "{{ .Values.resources.requests.memory }}" - stdin: true - tty: true - {{- if .Values.elastic_search.enabled }} - volumeMounts: - - name: admin-logs - mountPath: /opt/app-root/logs + - name: JWT_OIDC_AUDIENCE + valueFrom: + secretKeyRef: + key: ADMIN_WEB_CLIENTID + name: "{{ .Values.formsflow.secret }}" + - name: JWT_OIDC_CACHING_ENABLED + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_CACHING_ENABLED + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_ISSUER + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_ISSUER + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_JWKS_CACHE_TIMEOUT + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_JWKS_CACHE_TIMEOUT + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_JWKS_URI + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_JWKS_URI + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_WELL_KNOWN_CONFIG + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_CONFIG + name: "{{ .Values.formsflow.configmap }}" + - name: KEYCLOAK_URL + valueFrom: + configMapKeyRef: + key: KEYCLOAK_URL + name: "{{ .Values.formsflow.configmap }}" + - name: FORMSFLOW_WEB_URL + valueFrom: + configMapKeyRef: + key: FORMSFLOW_WEB_URL + name: "{{ .Values.formsflow.configmap }}" + - name: KEYCLOAK_URL_REALM + valueFrom: + configMapKeyRef: + key: KEYCLOAK_URL_REALM + name: "{{ .Values.formsflow.configmap }}" + - name: INSIGHT_API_URL + valueFrom: + configMapKeyRef: + key: INSIGHT_API_URL + name: "{{ .Values.formsflow.configmap }}" + - name: INSIGHT_API_KEY + valueFrom: + secretKeyRef: + key: INSIGHT_API_KEY + name: "{{ .Values.formsflow.secret }}" + - name: BPM_API_URL + valueFrom: + configMapKeyRef: + key: BPM_API_URL + name: "{{ .Values.formsflow.configmap }}" + - name: KEYCLOAK_ADMIN_CLIENT + valueFrom: + secretKeyRef: + key: KEYCLOAK_CLIENTID + name: "{{ .Values.formsflow.secret }}" + - name: KEYCLOAK_ADMIN_SECRET + valueFrom: + secretKeyRef: + key: KEYCLOAK_CLIENTSECRET + name: "{{ .Values.formsflow.secret }}" + - name: FORMIO_ROOT_EMAIL + valueFrom: + secretKeyRef: + key: FORMIO_ROOT_EMAIL + name: "{{ .Values.formsflow.secret }}" + - name: FORMIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + key: FORMIO_ROOT_PASSWORD + name: "{{ .Values.formsflow.secret }}" + - name: FORMIO_URL + valueFrom: + configMapKeyRef: + key: FORMIO_URL + name: "{{ .Values.formsflow.configmap }}" + - name: FORMIO_JWT_SECRET + valueFrom: + secretKeyRef: + key: FORMIO_JWT_SECRET + name: "{{ .Values.formsflow.secret }}" + - name: BPM_CLIENT_SECRET + valueFrom: + secretKeyRef: + key: KEYCLOAK_CLIENTSECRET + name: "{{ .Values.formsflow.secret }}" + - name: FORMSFLOW_ADMIN_API_CORS_ORIGINS + value: '*' + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 8 }} + {{- end }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.containerPorts.http }} + protocol: TCP + stdin: true + tty: true + volumeMounts: + - name: admin-logs + mountPath: /opt/app-root/logs + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + - name: nginx + image: {{ include "forms-flow-admin.nginx.image" . }} + ports: + - containerPort: {{ .Values.ingress.servicePort }} + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf volumes: - name: admin-logs - - name: admin-filebeat + emptyDir: {} + - name: nginx-config-volume configMap: - name: "{{ .Chart.Name }}-fb-config" - {{- end}} - restartPolicy: Always - imagePullSecrets: - - name: "{{ .Values.formsflow.auth }}" + name: forms-flow-admin-nginx-config + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + restartPolicy: Always \ No newline at end of file diff --git a/charts/forms-flow-admin/templates/hpa.yaml b/charts/forms-flow-admin/templates/hpa.yaml new file mode 100644 index 00000000..f59e9696 --- /dev/null +++ b/charts/forms-flow-admin/templates/hpa.yaml @@ -0,0 +1,61 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-admin + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} + kind: StatefulSet + name: {{ template "common.names.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- end }} + {{- end }} + {{- if .Values.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- end }} + {{- end }} + {{- if or .Values.autoscaling.behavior.scaleDown.policies .Values.autoscaling.behavior.scaleUp.policies }} + behavior: + {{- if .Values.autoscaling.behavior.scaleDown.policies }} + scaleDown: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleDown.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleDown.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleDown.policies | nindent 8 }} + {{- end }} + {{- if .Values.autoscaling.behavior.scaleUp.policies }} + scaleUp: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleUp.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleUp.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleUp.policies | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-admin/templates/ingress.yaml b/charts/forms-flow-admin/templates/ingress.yaml index d62d2459..95ed5c05 100644 --- a/charts/forms-flow-admin/templates/ingress.yaml +++ b/charts/forms-flow-admin/templates/ingress.yaml @@ -1,35 +1,56 @@ -apiVersion: networking.k8s.io/v1 +{{- if .Values.ingress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} - annotations: -{{ toYaml .Values.ingress.annotations | indent 4 }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-admin + {{- if or .Values.ingress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: - ingressClassName: {{ .Values.ingress.ingressClassName }} - {{- if or (and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} + {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.ingress.hostname }} + - host: {{ (tpl .Values.ingress.hostname .) | quote }} + http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ include "common.tplvalues.render" ( dict "value" .Values.ingress.path "context" $) }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} + - host: {{ (tpl .name $) }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} tls: - {{- if and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.secrets .Values.ingress.selfSigned) }} + {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.secrets .Values.ingress.selfSigned) }} - hosts: - {{ (tpl .Values.ingress.hostname .) | quote }} secretName: {{ printf "%s-tls" (tpl .Values.ingress.hostname .) }} - {{- else }} - - {} - {{- end}} - {{- else }} - tls: - - {} - {{- end}} - rules: - - - host: "{{ tpl .Values.ingress.hostname .}}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ .Chart.Name }} - port: - number: {{ .Values.ingress.port }} + {{- end }} + {{- if .Values.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-admin/templates/pdb.yaml b/charts/forms-flow-admin/templates/pdb.yaml new file mode 100644 index 00000000..3e5a4c28 --- /dev/null +++ b/charts/forms-flow-admin/templates/pdb.yaml @@ -0,0 +1,21 @@ +{{- if .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-admin/templates/proxy-config.yaml b/charts/forms-flow-admin/templates/proxy-config.yaml new file mode 100644 index 00000000..d350f7fa --- /dev/null +++ b/charts/forms-flow-admin/templates/proxy-config.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }}-nginx-config + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-api + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + nginx.conf: | + events { worker_connections 1024; } + http { + server { + listen {{ .Values.ingress.servicePort }}; + location /admin { + sub_filter ="/ ="/admin/; + sub_filter ="/api/v1/swagger.json ="/admin/api/v1/swagger.json; + sub_filter_once off; + sub_filter_types application/javascript text/css text/xml text/javascript application/json text/plain; + rewrite ^/admin/(.*)$ /$1 break; + proxy_set_header Host $http_host; + proxy_set_header Authorization $http_authorization; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Content-Type application/json; + proxy_pass http://localhost:{{ .Values.containerPorts.http }}; + } + } + } + pid /tmp/nginx.pid; \ No newline at end of file diff --git a/charts/forms-flow-admin/templates/role.yaml b/charts/forms-flow-admin/templates/role.yaml new file mode 100644 index 00000000..10f8e635 --- /dev/null +++ b/charts/forms-flow-admin/templates/role.yaml @@ -0,0 +1,23 @@ +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +kind: Role +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: keycloak + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + {{- if .Values.rbac.rules }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} + {{- end }} + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-admin/templates/rolebinding.yaml b/charts/forms-flow-admin/templates/rolebinding.yaml new file mode 100644 index 00000000..a7ee6b22 --- /dev/null +++ b/charts/forms-flow-admin/templates/rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +kind: RoleBinding +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: keycloak + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "common.names.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "keycloak.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-admin/templates/secret.yaml b/charts/forms-flow-admin/templates/secret.yaml deleted file mode 100644 index a721ff6c..00000000 --- a/charts/forms-flow-admin/templates/secret.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - labels: - app: "{{ .Chart.Name }}" - name: "{{ .Chart.Name }}" -stringData: - DATABASE_USERNAME: "{{ .Values.postgresql.username }}" - DATABASE_NAME: "{{ .Values.postgresql.databasename }}" - DATABASE_PASSWORD: "{{ .Values.postgresql.password }}" - DATABASE_HOST: "{{ .Values.postgresql.host }}" \ No newline at end of file diff --git a/charts/forms-flow-admin/templates/secrets.yaml b/charts/forms-flow-admin/templates/secrets.yaml new file mode 100644 index 00000000..82362974 --- /dev/null +++ b/charts/forms-flow-admin/templates/secrets.yaml @@ -0,0 +1,18 @@ +{{- if not .Values.existingSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }} + app.kubernetes.io/component: forms-flow-admin + {{- if or .Values.annotations .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.merge" (dict "values" (list .Values.annotations .Values.commonAnnotations) "context" $) | nindent 4 }} + {{- end }} +type: Opaque +stringData: + DATABASE_USERNAME: "{{ .Values.postgresql.username }}" + DATABASE_NAME: "{{ .Values.postgresql.databasename }}" + DATABASE_PASSWORD: "{{ .Values.postgresql.password }}" + DATABASE_HOST: "{{ .Values.postgresql.host }}" +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-admin/templates/service.yaml b/charts/forms-flow-admin/templates/service.yaml index c627b2f8..18897c86 100644 --- a/charts/forms-flow-admin/templates/service.yaml +++ b/charts/forms-flow-admin/templates/service.yaml @@ -1,12 +1,34 @@ apiVersion: v1 kind: Service metadata: - name: "{{ .Chart.Name }}" + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} ports: - - name: "{{ .Chart.Name }}" - port: {{ .Values.ingress.port }} - protocol: TCP - targetPort: {{ .Values.ingress.port }} - selector: - app: "{{ .Chart.Name }}" + {{- include "common.tplvalues.render" (dict "value" .Values.service.ports "context" $) | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} diff --git a/charts/forms-flow-admin/templates/serviceaccount.yaml b/charts/forms-flow-admin/templates/serviceaccount.yaml new file mode 100644 index 00000000..75268235 --- /dev/null +++ b/charts/forms-flow-admin/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "forms-flow-admin.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} \ No newline at end of file diff --git a/charts/forms-flow-admin/values.yaml b/charts/forms-flow-admin/values.yaml index abb9225a..c4d1a45c 100644 --- a/charts/forms-flow-admin/values.yaml +++ b/charts/forms-flow-admin/values.yaml @@ -1,49 +1,567 @@ ---- -Domain: # -replicas: 1 +replicaCount: 1 +image: + registry: docker.io + repository: formsflow/forms-flow-ai-admin + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "v7.0.0" + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: + - forms-flow-ai-auth +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} + +nodeSelector: {} +## @param tolerations Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param nodeSelector Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param priorityClassName Pod priority +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" +## @param schedulerName Name of the k8s scheduler (other than default) +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param terminationGracePeriodSeconds In seconds, time the given to the forms-flow-admin pod needs to terminate gracefully +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +terminationGracePeriodSeconds: "" +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment +## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## The value is evaluated as a template +## +topologySpreadConstraints: [] + +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +## @param hostAliases Add deployment host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + ## @param automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false +## @param podAnnotations Pod annotations +## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param podLabels Extra labels for forms-flow-admin pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + +## K8s Security Context for forms-flow-admin pods +## Configure Pods Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled forms-flow-admin pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Set forms-flow-admin pod's Security Context fsGroup +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 +## Configure Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: false + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## @param command Override default container command (useful when using custom images) +## +command: [] +## @param args Override default container args (useful when using custom images) +## +args: [] +## @param lifecycleHooks for the forms-flow-admin container(s) to automate configuration before or after startup +## +lifecycleHooks: {} +automountServiceAccountToken: true +## @param extraEnvVars Extra environment variables to be set on formsfloe bpm container +## Example: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: [] +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraVolumes Array to add extra volumes (evaluated as a template) +## extraVolumes: +## - name: myvolume +## configMap: +## name: myconfigmap +## +extraVolumes: {} +## @param extraVolumeMounts Array to add extra mounts (normally used with extraVolumes, evaluated as a template) +## extraVolumeMounts: +## - mountPath: /opt/bitnami/desired-path +## name: myvolume +## readOnly: true +## +extraVolumeMounts: {} + +## @param auth.existingSecret Existing secret containing password,username,dbname and + ## +existingSecret: "" + + +## @param updateStrategy.type Set up update strategy for forms-flow-admin installation. +## Set to Recreate if you use persistent volume that cannot be mounted by more than one pods to make sure the pods is destroyed first. +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## Example: +## updateStrategy: +## type: RollingUpdate +## rollingUpdate: +## maxSurge: 25% +## maxUnavailable: 25% +## +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + + +## forms-flow-admin ingress parameters +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress record generation for forms-flow-admin + ## + enabled: true + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.controller The ingress controller type. Currently supports `default` and `gce` + ## leave as `default` for most ingress controllers. + ## set to `gce` if using the GCE ingress controller + ## + controller: default + ## @param ingress.hostname Default host for the ingress record (evaluated as template) + ## + hostname: forms-flow-admin.local + ## @param ingress.path [string] Default path for the ingress record (evaluated as template) + ## + path: "/admin" + ## @param ingress.servicePort Backend service port to use + ## Default is http. Alternative is https. + ## + servicePort: 8080 + ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.labels Additional labels for the Ingress resource. + ## e.g: + ## labels: + ## app: forms-flow-admin + ## + labels: {} + ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}` + ## You can: + ## - Use the `ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## + tls: true + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: forms-flow-admin.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. + ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - forms-flow-admin.local + ## secretName: forms-flow-admin.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## - name: forms-flow-admin.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: airflow.local + ## http: + ## path: / + ## backend: + ## service: + ## name: airflow-svc + ## port: + ## name: http + ## + extraRules: [] +## forms-flow-admin admin ingress parameters +## ref: https://kubernetes.io/docs/user-guide/ingress/ +## + +## Specifies whether RBAC resources should be created +## +rbac: + ## @param rbac.create Whether to create and use RBAC resources or not + ## + create: false + ## @param rbac.rules Custom RBAC rules + ## Example: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] + +## Pod disruption budget configuration +## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +## @param pdb.create If true, create a pod disruption budget for pods. +## @param pdb.minAvailable Minimum number / percentage of pods that should remain scheduled +## @param pdb.maxUnavailable Maximum number / percentage of pods that may be made unavailable +## +pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## forms-flow-admin containers' resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "small" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi +## @param customStartupProbe Custom startup probe for the Web component +## + +## @param customStartupProbe Custom startup probe for the Web component +## +customStartupProbe: {} +## @param customLivenessProbe Custom liveness probe for the Web component +## +customLivenessProbe: {} +## @param customReadinessProbe Custom readiness probe for the Web component +## +customReadinessProbe: {} +## Service parameters +## +service: + ## @param service.type Kubernetes service type (`ClusterIP`, `NodePort`, or `LoadBalancer`) + ## + type: ClusterIP + ## @param service.ports [array] forms-flow-admin service ports (evaluated as a template) + ## + ports: + - name: http + port: 5000 + targetPort: http + protocol: TCP + - name: nginx + port: 8080 + targetPort: 8080 + protocol: TCP + ## - name: system + ## port: 1764 + ## + ## @param service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalTrafficPolicy External traffic policy, configure to Local to preserve client source IP when using an external loadBalancer + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: "" + ## @param service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.annotations Annotations for forms-flow-admin service + ## + annotations: {} + ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param service.headless.annotations Annotations for the headless service. + ## + annotations: {} + +containerPorts: + http: 5000 + +## @param sidecars Add additional sidecar containers to the forms-flow-admin pod + ## Example: + ## sidecars: + ## - name: filebeat-admin + ## image: docker.elastic.co/beats/filebeat:7.14.0 + ## env: + ## - name: ELASTIC_SERVER + ## valueFrom: + ## configMapKeyRef: + ## key: ELASTIC_SERVER + ## name: "{{ .Values.formsflow.configmap }}" + ## volumeMounts: + ## - name: admin-logs + ## mountPath: /opt/app-root/logs + ## - mountPath: /usr/share/filebeat/filebeat.yml + ## subPath: filebeat.yml + ## name: admin-filebeat +## sidecars configuration +sidecars: {} +ExtraContainer: + ## nginx configuration for sidecar + image: + registry: docker.io + repository: nginxinc/nginx-unprivileged + pullPolicy: IfNotPresent + tag: "latest" + +configuration: [] + +## forms-flow-admin Autoscaling configuration +## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +## @param autoscaling.enabled Enable autoscaling for forms-flow-admin +## @param autoscaling.minReplicas Minimum number of forms-flow-admin replicas +## @param autoscaling.maxReplicas Maximum number of forms-flow-admin replicas +## @param autoscaling.targetCPU Target CPU utilization percentage +## @param autoscaling.targetMemory Target Memory utilization percentage +## +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPU: "" + targetMemory: "" + ## HPA Scaling Behavior + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior + ## + behavior: + ## HPA behavior when scaling up + ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up + ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up + ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up + ## e.g: + ## Policy to scale 20% of the pod in 60s + ## - type: Percent + ## value: 20 + ## periodSeconds: 60 + ## + scaleUp: + stabilizationWindowSeconds: 120 + selectPolicy: Max + policies: [] + ## HPA behavior when scaling down + ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down + ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down + ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down + ## e.g: + ## Policy to scale one pod in 300s + ## - type: Pods + ## value: 1 + ## periodSeconds: 300 + ## + scaleDown: + stabilizationWindowSeconds: 300 + selectPolicy: Max + policies: + - type: Pods + value: 1 + periodSeconds: 300 + postgresql: databasename: "forms-flow-admin" username: "postgres" password: "postgres" port: 5432 host: "forms-flow-ai-postgresql-ha-pgpool" - url: "postgresql://{{.Values.postgresql.username}}:{{.Values.postgresql.password}}@{{.Values.postgresql.host}}:{{.Values.postgresql.port}}/{{.Chart.Name}}" ExternalDatabase: ExistingDatabaseNameKey: "" ExistingDatabaseUserNameKey: "" ExistingDatabasePasswordKey: "" ExistingDatabaseHostKey: "" + ExistingDatabasePortKey: "" ExistingSecretName: "" #name of the existing secret -resources: - limits: - cpu: 500m - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - formsflow: configmap: forms-flow-ai # name of formsflow.ai configmap secret: forms-flow-ai #name of formsflow.ai secret - analytics: forms-flow-analytics #name of analytics component - auth: forms-flow-ai-auth - - -ingress: - ingressClassName: "" - annotations: - enabled: true # create an ingress for this component - hostname: "{{.Chart.Name}}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}" - port: 5000 - tls: true - selfSigned: false - extraTls: - - {} - path: / - -image: - registry: docker.io - repository: formsflow/forms-flow-ai-admin - tag: v6.0.0 #The image tag to pull from -elastic_search: - enabled: false + analytics: forms-flow-analytics #name of analytics component \ No newline at end of file diff --git a/charts/forms-flow-ai/.helmignore b/charts/forms-flow-ai/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/forms-flow-ai/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/forms-flow-ai/Chart.yaml b/charts/forms-flow-ai/Chart.yaml index a8f101e6..2e7eff7e 100644 --- a/charts/forms-flow-ai/Chart.yaml +++ b/charts/forms-flow-ai/Chart.yaml @@ -1,17 +1,16 @@ ---- apiVersion: v2 name: forms-flow-ai dependencies: - name: postgresql-ha condition: postgresql-ha.enabled - repository: https://charts.bitnami.com/bitnami - version: 14.2.16 - - name: mongodb - condition: mongodb.enabled - repository: https://charts.bitnami.com/bitnami - version: 15.6.18 + repository: oci://registry-1.docker.io/bitnamicharts + version: 15.x.x - name: common repository: oci://registry-1.docker.io/bitnamicharts version: 2.x.x -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file + - name: mongodb + condition: mongodb.enabled + repository: oci://registry-1.docker.io/bitnamicharts + version: 16.x.x +version: v8.0.0 +icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" diff --git a/charts/forms-flow-ai/README.md b/charts/forms-flow-ai/README.md new file mode 100644 index 00000000..f9c48ef7 --- /dev/null +++ b/charts/forms-flow-ai/README.md @@ -0,0 +1,290 @@ +# Formsflow.ai +The forms-flow-ai chart integrates components such as PostgreSQL, MongoDB, and Redis to manage version control effectively. + +## Introduction + +This chart bootstraps a forms-flow-ai deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + + +## Installing the Chart + +To install the chart with the release name `forms-flow-ai`: + +```console +helm install forms-flow-ai forms-flow-ai +``` + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + + +```console +helm upgrade --install forms-flow-ai forms-flow-ai --set Domain=DOMAIN_NAME --set postgresql-ha.postgresql.podSecurityContext.enabled=true --set mongodb.podSecurityContext.enabled=true --set insight_api_key=INSIGHT_API_KEY +``` +To deploy the enterprise version, provide Docker image credentials using the `imageCredentials.username` and `imageCredentials.password` settings. + +> Note: You need to substitute the placeholders `DOMAIN_NAME`, and `INSIGHT_API_KEY` with your specific values. For example, in the case of Formsflow, you might use `DOMAIN_NAME=example.com` and `INSIGHT_API_KEY=your_insight_api_key` for Enterprise edition use, `--set imageCredentials.username=DOCKER_USERNAME` and` --set imageCredentials.password=DOCKER_PASSWORD` + +**Important:** Both the Docker username `(DOCKER_USERNAME)` and password `(DOCKER_PASSWORD)` should be provided by the Formsflow.ai team. Ensure you receive these credentials before proceeding with the setup. + +These commands deploy Forms-flow-ai chart on the Kubernetes cluster + +> **Tip**: List all releases using `helm list` + +### Use an external database + +Sometimes, you may want to have connect to an external PostgreSQL and MongoDB database rather than a database within your cluster - for example, when using a managed database service, or when running a single database server for all your applications. To do this, + +For PostgreSQL database, + set the `postgresql.enabled` parameter to `false` and specify the credentials for the external database using the `formsflowdb.postgresql.fullnameOverride` parameters. Here is an example: + +```text +postgresql-ha.enabled=false +formsflowdb.postgresql.fullnameOverride=myexternalhost +``` +```yaml +postgresql-ha: + enabled: false +formsflowdb: + postgresql: + fullnameOverride: myexternalhost + +``` + +For MongoDB, +```text +mongodb.enabled=false +mongodb.service.nameOverride=mongodburl +mongodb.auth.databases=database +mongodb.auth.usernames=myuser +mongodb.auth.passwords=mypassword +``` +```yaml +mongodb: + enabled: false + auth: + databases: + - formsflow + passwords: + - changeme + usernames: + - mongodb + service: + nameOverride: "mongodb_url" +``` + +### Use an External Keycloak + +If you are having an External Keycloak and you wish to integrate with formsflow then you need to update the following parameters of formsflow-ai in values.yaml. To do this, + +First Set the `forms-flow-idm.keycloak.ingress.hostname` parameter to corresponding keycloak domain name, secondly set the `forms-flow-idm.realm` parameter value with realm name in existing keycloak and finally set `forms-flow-bpm.clientsecret` parameter with exsting forms-flow-bpm client's secret. For example: + + +```text +forms-flow-idm.keycloak.ingress.hostname=external_keycloak_hostname +forms-flow-idm.realm=external_keycloak_realm_name +forms-flow-bpm.clientsecret=extisting_bpm_clientsecret + +``` +```yaml +forms-flow-bpm: + clientsecret: "client_secret" +forms-flow-idm: + keycloak: + ingress: + hostname: my_keycloak_hostname + realm: my_keycloak_realm_name + +``` + + +## Parameters + +| Parameter | Description | Default Value | +|-----------------|-----------------------------------------------|---------------| +| `Domain` | Define the domain for the application. | `#` | +| `formsflowdb.postgresql.fullnameOverride`| Custom name for the PostgreSQL service. | `forms-flow-ai-postgresql-ha-pgpool` | +| `formsflowdb.postgresql.enabled` | Enable or disable the PostgreSQL database. | `true` | +| `formsflowdb.postgresql.database` | Name of the database to create or use. | `postgres` | +| `formsflowdb.service.ports.postgresql` | Port for the PostgreSQL service. | `5432` | +| `imageCredentials.registry` | Container registry for the images. | `quay.io` | +| `imageCredentials.username` | Username for the container registry. | `someone` | +| `imageCredentials.password` | Password for the container registry. | `test` | +| `imageCredentials.email` | Email for the container registry. | `someone@host.com` | +| `websocket_encrypt_key` | Key used for WebSocket encryption. | `FormsFlow.AI` | +| `insight_api_key` | API key for insights. | `""` | +| `redis_host` | Hostname for Redis server. | `""` | +| `redis_port` | Port for Redis server. | `""` | +| `EnableRedis` | Enable or disable Redis support. | `false` | +| `EnableChatBot` | Enable or disable chatbot feature. | `false` | +| `redis_pass_code` | Password for Redis. | `""` | +| `draft_enabled` | Enable or disable draft feature. | `true` | +| `export_pdf_enabled` | Enable or disable PDF export feature. | `false` | +| `elastic_server` | Address for the Elastic server. | `forms-flow-elastic:9200` | +| `redis_url` | URL for Redis connection. | `redis://redis-exporter:6379/1` | +| `ipaas.embedded_api_key` | API key for embedded iPaaS. | `""` | +| `ipaas.jwt_private_key` | JWT private key for iPaaS. | `""` | +| `ipaas.embed_base_url` | Base URL for embedded services. | `""` | +| `ipaas.api_base_url` | Base URL for API services. | `""` | +| `configure_logs` | Enable or disable logging configuration. | `true` | +| `custom_submission_url` | Base URL for form adapter | `""` | +| `custom_submission_enabled` | Enable or disable form adapter | `false` | + +## Forms Flow Component Parameters + +| Parameter | Description | Default Value | +|-------------------------------------------|-------------------------------------------------------------|------------------------------| +| `formsflowdb.postgresql.fullnameOverride`| Custom name for the PostgreSQL service. | `forms-flow-ai-postgresql-ha-pgpool` | +| `formsflowdb.postgresql.enabled` | Enable or disable the PostgreSQL database. | `true` | +| `formsflowdb.postgresql.database` | Name of the database to create or use. | `postgres` | +| `formsflowdb.service.ports.postgresql` | Port for the PostgreSQL service. | `5432` | +| `forms-flow-forms.admin.email` | Admin email for Forms Flow Forms. | `me@defineme.com` | +| `forms-flow-forms.admin.password` | Admin password for Forms Flow Forms. | `admin` | +| `forms-flow-idm.keycloak.EnableKeycloakClientAuth` | Enable or disable Keycloak client authentication. | `false` | +| `forms-flow-idm.keycloak.ingress.hostname` | Hostname for the Forms Flow IDM ingress. | `forms-flow-idm-{{.Release.Namespace}}.{{tpl (.Values.Domain) .}}` | +| `forms-flow-idm.realm` | Keycloak realm for the application. | `forms-flow-ai` | +| `forms-flow-idm.context-path` | Context path for Keycloak authentication. | `/auth` | +| `forms-flow-web.EnableMultitenant` | Enable or disable multitenancy for the Forms Flow Web application. | `false` | +| `forms-flow-web.clientid` | Client ID for the Forms Flow Web application. | `forms-flow-web` | +| `forms-flow-web.ingress.hostname` | Hostname for the Forms Flow Web ingress. | `forms-flow-web-{{.Release.Namespace}}.{{tpl (.Values.Domain) .}}` | + +## Database Parameters +### MongoDB + +| Parameter | Description | Default Value | +|--------------------------------------------------|--------------------------------------------------------------|----------------------------------| +| `mongodb.image.tag` | Docker image tag for MongoDB. | `7.0.12-debian-12-r5` | +| `mongodb.image.pullSecrets` | Secrets for pulling the Docker image. | `forms-flow-auth` | +| `mongodb.enabled` | Enable or disable MongoDB deployment. | `true` | +| `mongodb.fullnameOverride` | Custom name for the MongoDB service. | `forms-flow-ai-mongodb` | +| `mongodb.clusterDomain` | Domain for the MongoDB cluster. | `cluster.local` | +| `mongodb.architecture` | Architecture type (replica set or standalone). | `replicaset` | +| `mongodb.useStatefulSet` | Use StatefulSet for MongoDB pods. | `true` | +| `mongodb.auth.enabled` | Enable or disable authentication for MongoDB. | `true` | +| `mongodb.auth.databases` | List of databases to create. | `formsflow` | +| `mongodb.auth.passwords` | List of passwords for the databases. | `changeme` | +| `mongodb.auth.usernames` | List of usernames for the databases. | `mongodb` | +| `mongodb.replicaSetName` | Name of the replica set. | `rs0` | +| `mongodb.replicaSetHostnames` | Enable replica set hostnames. | `true` | +| `mongodb.directoryPerDB` | Use separate directories for each database. | `false` | +| `mongodb.replicaCount` | Number of replicas to create. | `3` | +| `mongodb.podSecurityContext.enabled` | Enable pod security context for MongoDB pods. | `false` | +| `mongodb.podSecurityContext.fsGroup` | File system group ID for the MongoDB pod. | `1001` | +| `mongodb.containerSecurityContext.enabled` | Enable container security context. | `false` | +| `mongodb.containerSecurityContext.runAsUser` | User ID to run MongoDB container as. | `1001` | +| `mongodb.containerSecurityContext.runAsNonRoot` | Ensure MongoDB container runs as a non-root user. | `true` | +| `mongodb.containerPorts.mongodb` | Port for MongoDB service. | `27017` | +| `mongodb.service.nameOverride` | Custom name for the MongoDB service. | `forms-flow-ai-mongodb` | +| `mongodb.service.type` | Type of Kubernetes service (ClusterIP, NodePort, LoadBalancer). | `ClusterIP` | +| `mongodb.service.portName` | Name of the port for the MongoDB service. | `mongodb` | +| `mongodb.service.ports.mongodb` | Port number for MongoDB service. | `27017` | +| `mongodb.persistence.enabled` | Enable or disable persistence for MongoDB. | `true` | +| `mongodb.persistence.accessModes` | Access modes for the persistent volume. | `ReadWriteOnce` | +| `mongodb.persistence.size` | Size of the persistent volume. | `8Gi` | +| `mongodb.persistence.mountPath` | Mount path for the persistent volume. | `/bitnami/mongodb` | +| `mongodb.serviceAccount.create` | Create a service account for MongoDB. | `true` | +| `mongodb.arbiter.enabled` | Enable or disable arbiter for the replica set. | `false` | +| `mongodb.arbiter.podSecurityContext.enabled` | Enable pod security context for arbiter pod. | `false` | +| `mongodb.arbiter.podSecurityContext.fsGroup` | File system group ID for the arbiter pod. | `1001` | +| `mongodb.arbiter.containerSecurityContext.enabled`| Enable container security context for arbiter. | `false` | +| `mongodb.arbiter.containerSecurityContext.runAsUser` | User ID for arbiter container. | `1001` | + +### PostgreSQL + +| Parameter | Description | Default Value | +|-------------------------------------------------|--------------------------------------------------------------|--------------------------------| +| `postgresql-ha.enabled` | Enable or disable PostgreSQL High Availability deployment. | `true` | +| `postgresql.image.registry` | Docker image registry for PostgreSQL. | `docker.io` | +| `postgresql.image.repository` | Docker image repository for PostgreSQL. | `bitnami/postgresql-repmgr` | +| `postgresql.image.tag` | Docker image tag for PostgreSQL. | `16.3.0-debian-12-r20` | +| `postgresql.image.pullPolicy` | Image pull policy. | `IfNotPresent` | +| `postgresql.image.pullSecrets` | Secrets for pulling the Docker image. | `forms-flow-auth` | +| `postgresql.replicaCount` | Number of PostgreSQL replicas. | `3` | +| `postgresql.containerPorts.postgresql` | Port for PostgreSQL service. | `5432` | +| `postgresql.podSecurityContext.enabled` | Enable pod security context for PostgreSQL pods. | `false` | +| `postgresql.podSecurityContext.fsGroup` | File system group ID for the PostgreSQL pod. | `1001` | +| `postgresql.containerSecurityContext.enabled` | Enable container security context. | `false` | +| `postgresql.containerSecurityContext.runAsUser` | User ID to run PostgreSQL container as. | `1001` | +| `postgresql.containerSecurityContext.runAsNonRoot` | Ensure PostgreSQL container runs as a non-root user. | `true` | +| `postgresql.livenessProbe.enabled` | Enable liveness probe for PostgreSQL. | `false` | +| `postgresql.livenessProbe.initialDelaySeconds` | Initial delay for liveness probe. | `30` | +| `postgresql.livenessProbe.periodSeconds` | Period for liveness probe checks. | `10` | +| `postgresql.username` | Username for PostgreSQL database. | `postgres` | +| `postgresql.password` | Password for PostgreSQL user. | `postgres` | +| `postgresql.database` | Default database to create. | `forms-flow-ai` | +| `postgresql.postgresPassword` | PostgreSQL password. | `changeme` | +| `postgresql.repmgrUsername` | Username for repmgr database. | `repmgr` | +| `postgresql.repmgrPassword` | Password for repmgr user. | `changeme` | +| `postgresql.repmgrDatabase` | Database used by repmgr. | `repmgr` | +| `postgresql.initdbScripts.init_script.sql` | SQL script for initializing databases. | See below | + +### Pgpool + +| Parameter | Description | Default Value | +|--------------------------------------------------|--------------------------------------------------------------|--------------------------------| +| `pgpool.image.registry` | Docker image registry for Pgpool. | `docker.io` | +| `pgpool.image.repository` | Docker image repository for Pgpool. | `bitnami/pgpool` | +| `pgpool.image.tag` | Docker image tag for Pgpool. | `4.5.2-debian-12-r5` | +| `pgpool.image.pullPolicy` | Image pull policy. | `IfNotPresent` | +| `pgpool.image.pullSecrets` | Secrets for pulling the Docker image. | `forms-flow-auth` | +| `pgpool.replicaCount` | Number of Pgpool replicas. | `1` | +| `pgpool.containerPorts.postgresql` | Port for Pgpool service. | `5432` | +| `pgpool.podSecurityContext.enabled` | Enable pod security context for Pgpool pods. | `false` | +| `pgpool.podSecurityContext.fsGroup` | File system group ID for the Pgpool pod. | `1001` | +| `pgpool.containerSecurityContext.enabled` | Enable container security context. | `false` | +| `pgpool.containerSecurityContext.runAsUser` | User ID to run Pgpool container as. | `1001` | +| `pgpool.containerSecurityContext.runAsNonRoot` | Ensure Pgpool container runs as a non-root user. | `true` | +| `pgpool.livenessProbe.enabled` | Enable liveness probe for Pgpool. | `false` | +| `pgpool.livenessProbe.initialDelaySeconds` | Initial delay for liveness probe. | `30` | +| `pgpool.livenessProbe.periodSeconds` | Period for liveness probe checks. | `10` | +| `pgpool.adminUsername` | Username for Pgpool admin. | `admin` | +| `pgpool.adminPassword` | Password for Pgpool admin. | `changeme` | +| `pgpool.persistence.enabled` | Enable or disable persistence for Pgpool. | `true` | +| `pgpool.persistence.storageClass` | Storage class for persistent volume claims. | `""` | +| `pgpool.persistence.mountPath` | Mount path for persistent storage. | `/bitnami/postgresql` | +| `pgpool.persistence.accessModes` | Access modes for persistent storage. | `ReadWriteOnce` | +| `pgpool.persistence.size` | Size of the persistent volume. | `8Gi` | +| `pgpool.service.type` | Service type for Pgpool. | `ClusterIP` | +| `pgpool.service.ports.postgresql` | Port for Pgpool service. | `5432` | +| `pgpool.service.portName` | Port name for the Pgpool service. | `postgresql` | +| `pgpool.service.nodePorts.postgresql` | Node port for Pgpool service. | `""` | + +### Redis + +| Parameter | Description | Default Value | +|--------------------------------------------------|--------------------------------------------------------------|--------------------------------| +| `redisExporter.replicaCounts` | Number of Redis Exporter replicas. | `1` | +| `redisExporter.service.type` | Service type for Redis Exporter. | `ClusterIP` | +| `redisExporter.service.portNames.redis` | Port name for Redis client. | `client` | +| `redisExporter.service.portNames.redis2` | Port name for Redis gossip. | `gossip` | +| `redisExporter.service.ports.redis` | Port for Redis client. | `6379` | +| `redisExporter.service.ports.redis2` | Port for Redis gossip. | `16379` | +| `redisExporter.service.externalTrafficPolicy` | External traffic policy for the service. | `Cluster` | +| `redisExporter.service.sessionAffinity` | Session affinity for the service. | `None` | +| `redisExporter.service.annotations` | Annotations for the service. | `{}` | +| `redisExporter.podLabels` | Labels for Redis Exporter pods. | `{}` | +| `redisExporter.extraEnvVarsCM` | Additional environment variable config map. | `{}` | +| `redisExporter.extraEnvVars` | Additional environment variables. | `{}` | +| `redisExporter.extraEnvVarsSecret` | Additional secret environment variables. | `{}` | +| `redisExporter.redis.configMap.redis_conf` | Redis configuration settings. | See below for detailed config | +| `redisExporter.image.registry` | Docker image registry for Redis. | `docker.io` | +| `redisExporter.image.repository` | Docker image repository for Redis. | `redis` | +| `redisExporter.image.tag` | Docker image tag for Redis. | `7.2.4-alpine` | +| `redisExporter.image.pullPolicy` | Image pull policy. | `IfNotPresent` | +| `redisExporter.image.pullSecrets` | Secrets for pulling the Docker image. | `[]` | +| `redisExporter.livenessProbe.enabled` | Enable liveness probe for Redis Exporter. | `true` | +| `redisExporter.livenessProbe.initialDelaySeconds`| Initial delay for liveness probe. | `30` | +| `redisExporter.livenessProbe.periodSeconds` | Period for liveness probe checks. | `5` | +| `redisExporter.readinessProbe.enabled` | Enable readiness probe for Redis Exporter. | `true` | +| `redisExporter.readinessProbe.initialDelaySeconds`| Initial delay for readiness probe. | `10` | +| `redisExporter.readinessProbe.periodSeconds` | Period for readiness probe checks. | `3` | +| `redisExporter.containerPorts.client` | Client port for Redis Exporter. | `6379` | +| `redisExporter.containerPorts.gossip` | Gossip port for Redis Exporter. | `16379` | +| `redisExporter.resources.limits.cpu` | CPU limit for Redis Exporter. | `60m` | +| `redisExporter.resources.limits.memory` | Memory limit for Redis Exporter. | `512Mi` | +| `redisExporter.resources.requests.cpu` | CPU request for Redis Exporter. | `50m` | +| `redisExporter.resources.requests.memory` | Memory request for Redis Exporter. | `256Mi` | +| `redisExporter.persistence.enabled` | Enable or disable persistence for Redis Exporter. | `true` | +| `redisExporter.persistence.storageClass` | Storage class for persistent volume claims. | `""` | +| `redisExporter.persistence.mountPath` | Mount path for persistent storage. | `""` | +| `redisExporter.persistence.accessModes` | Access modes for persistent storage. | `ReadWriteOnce` | +| `redisExporter.persistence.size` | Size of the persistent volume. | `2Gi` | diff --git a/charts/forms-flow-ai/templates/_helpers.tpl b/charts/forms-flow-ai/templates/_helpers.tpl new file mode 100644 index 00000000..c4525566 --- /dev/null +++ b/charts/forms-flow-ai/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "forms-flow-ai.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "forms-flow-ai.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "forms-flow-ai.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "forms-flow-ai.labels" -}} +helm.sh/chart: {{ include "forms-flow-ai.chart" . }} +{{ include "forms-flow-ai.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "forms-flow-ai.selectorLabels" -}} +app.kubernetes.io/name: {{ include "forms-flow-ai.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + + +{{/* Fullname suffixed with redis-exporter */}} +{{- define "forms-flow-ai.redisExporter.fullname" -}} +{{- printf "redis-exporter" + -}} +{{- end -}} + +{{/* +Return the proper redisExporter image name +*/}} +{{- define "forms-flow-ai.redisExporter.image" -}} +{{- include "common.images.image" ( dict "imageRoot" .Values.redisExporter.image "global" .Values.global ) -}} +{{- end -}} +{{/* +Labels for redis-exporter +*/}} +{{- define "forms-flow-ai.redisExporter.labels" -}} +{{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) }} +app.kubernetes.io/component: redis-exporter +{{- end -}} + +{{- define "imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.imageCredentials.registry (printf "%s:%s" .Values.imageCredentials.username .Values.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + + + diff --git a/charts/forms-flow-ai/templates/configmap.yaml b/charts/forms-flow-ai/templates/configmap.yaml index 91741271..e6776365 100644 --- a/charts/forms-flow-ai/templates/configmap.yaml +++ b/charts/forms-flow-ai/templates/configmap.yaml @@ -1,57 +1,62 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Chart.Name }} -data: - DATABASE_NAME: {{ ternary (tpl .Values.formsflowdb.postgresql.database .) "" .Values.formsflowdb.postgresql.enabled | quote }} - DATABASE_PORT: {{ ternary .Values.formsflowdb.service.ports.postgresql "" .Values.formsflowdb.postgresql.enabled | quote }} - DATABASE_SERVICE_NAME: {{ ternary (tpl .Values.formsflowdb.postgresql.fullnameOverride .) "" .Values.formsflowdb.postgresql.enabled | quote }} - BPM_API_URL: https://{{tpl (index .Values "forms-flow-bpm" "ingress" "hostname") .}}/camunda - KEYCLOAK_JWT_OIDC_ALGORITHMS: "RS256" - KEYCLOAK_JWT_OIDC_CACHING_ENABLED: "True" - KEYCLOAK_JWT_OIDC_JWKS_CACHE_TIMEOUT: "300" - KEYCLOAK_JWT_OIDC_CONFIG: https://{{tpl (index .Values "forms-flow-idm" "keycloak" "ingress" "hostname" ) .}}/auth/realms/{{ index .Values "forms-flow-idm" "realm" }}/.well-known/openid-configuration - KEYCLOAK_JWT_OIDC_ISSUER: https://{{ tpl (index .Values "forms-flow-idm" "keycloak" "ingress" "hostname") . }}/auth/realms/{{ index .Values "forms-flow-idm" "realm" }} - KEYCLOAK_JWT_OIDC_JWKS_URI: https://{{ tpl (index .Values "forms-flow-idm" "keycloak" "ingress" "hostname") . }}/auth/realms/{{ index .Values "forms-flow-idm" "realm" }}/protocol/openid-connect/certs - KEYCLOAK_TOKEN_URL: https://{{ tpl (index .Values "forms-flow-idm" "keycloak" "ingress" "hostname") . }}/auth/realms/{{ index .Values "forms-flow-idm" "realm" }}/protocol/openid-connect/token - KEYCLOAK_URL: https://{{ tpl (index .Values "forms-flow-idm" "keycloak" "ingress" "hostname") . }} - KEYCLOAK_URL_REALM: {{ index .Values "forms-flow-idm" "realm" }} - FORMIO_URL: https://{{tpl (index .Values "forms-flow-forms" "ingress" "hostname") .}} - FORMIO_DOMAIN: https://{{tpl (index .Values "forms-flow-forms" "ingress" "hostname") .}} - WEB_API_URL: https://{{tpl (index .Values "forms-flow-api" "ingress" "hostname") .}} - {{- if .Values.mongodb.enabled }} - NODE_CONFIG: '{"mongo":"mongodb://{{ .Values.mongodb.auth.usernames | first }}:{{ .Values.mongodb.auth.passwords | first }}@{{ .Values.mongodb.service.nameOverride }}:{{ .Values.mongodb.service.ports.mongodb }}/{{ .Values.mongodb.auth.databases | first }}"}' - MONGODB_URI: {{ ternary (tpl "mongodb://{{ .Values.mongodb.auth.usernames | first }}:{{ .Values.mongodb.auth.passwords | first }}@{{ .Values.mongodb.service.nameOverride }}:{{ .Values.mongodb.service.ports.mongodb }}/{{ .Values.mongodb.auth.databases | first }}" .) "" .Values.mongodb.enabled | quote }} - {{- else }} - MONGODB_URI: {{ ternary (tpl "mongodb+srv://{{ .Values.mongodb.auth.usernames | first }}:{{ .Values.mongodb.auth.passwords | first }}@{{ .Values.mongodb.service.nameOverride }}/{{ .Values.mongodb.auth.databases | first }}" .) "" .Values.mongodb.enabled | quote }} - NODE_CONFIG: '{"mongo":"mongodb+srv://{{ .Values.mongodb.auth.usernames | first }}:{{ .Values.mongodb.auth.passwords | first }}@{{ .Values.mongodb.service.nameOverride }}/{{ .Values.mongodb.auth.databases | first }}"}' - {{- end }} - FORMSFLOW_WEB_URL: https://{{tpl (index .Values "forms-flow-web" "ingress" "hostname") .}} - FORMSFLOW_ADMIN_URL: https://{{tpl (index .Values "forms-flow-admin" "ingress" "hostname") .}}/api/v1 - FORMSFLOW_ADMIN_BASE: https://{{tpl (index .Values "forms-flow-admin" "ingress" "hostname") .}}/api - MODEL_ID: "Seethal/sentiment_analysis_generic_dataset" - INSIGHT_API_URL: https://{{tpl (index .Values "forms-flow-analytics" "ingress" "hostname") .}} - KEYCLOAK_ENABLE_CLIENT_AUTH: "false" - MULTI_TENANCY_ENABLED: "false" - DATA_ANALYSIS_URL: https://{{tpl (index .Values "forms-flow-data-analysis" "ingress" "hostname") .}} - NODE_ENV: "production" - CUSTOM_SUBMISSION_URL: "" - CUSTOM_SUBMISSION_ENABLED: "false" - FORMSFLOW_DOC_API_URL: https://{{tpl (index .Values "forms-flow-documents-api" "ingress" "hostname") .}} - DRAFT_ENABLED: "{{.Values.draft_enabled}}" - DRAFT_POLLING_RATE: "15000" - EXPORT_PDF_ENABLED: "{{.Values.export_pdf_enabled}}" - REDIS_HOST: "{{.Values.redis_host}}" - REDIS_PORT: "{{.Values.redis_port}}" - REDIS_ENABLED: "false" - CHROME_DRIVER_PATH: "/usr/local/bin/chromedriver" - ENABLE_CHATBOT: "false" - CHATBOT_URL: "https://{{tpl (index .Values "forms-flow-data-analysis" "ingress" "hostname") .}}/conversations" - ENABLE_LOW_CODE_DESIGNER: "false" - ELASTIC_SERVER: "{{.Values.elastic_server}}" - REDIS_URL: "{{.Values.redis_url}}" - IPAAS_EMBED_BASE_URL: "{{ .Values.ipaas.embed_base_url }}" - IPAAS_API_BASE_URL: "{{ .Values.ipaas.api_base_url }}" - CONFIGURE_LOGS: "{{.Values.configure_logs}}" - KEYCLOAK_URL_HTTP_RELATIVE_PATH: {{ index .Values "forms-flow-idm" "context-path" }} \ No newline at end of file +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-ai + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + DATABASE_NAME: {{ ternary (tpl .Values.formsflowdb.postgresql.database .) "" .Values.formsflowdb.postgresql.enabled | quote }} + DATABASE_PORT: {{ ternary .Values.formsflowdb.service.ports.postgresql "" .Values.formsflowdb.postgresql.enabled | quote }} + DATABASE_SERVICE_NAME: {{ ternary (tpl .Values.formsflowdb.postgresql.fullnameOverride .) "" .Values.formsflowdb.postgresql.enabled | quote }} + BPM_API_URL: https://{{ tpl (index .Values "forms-flow-web" "ingress" "hostname") . }}/camunda + KEYCLOAK_JWT_OIDC_ALGORITHMS: "RS256" + KEYCLOAK_JWT_OIDC_CACHING_ENABLED: "True" + KEYCLOAK_JWT_OIDC_JWKS_CACHE_TIMEOUT: "300" + KEYCLOAK_JWT_OIDC_CONFIG: https://{{ tpl (index .Values "forms-flow-idm" "keycloak" "ingress" "hostname" ) .}}/auth/realms/{{ index .Values "forms-flow-idm" "realm" }}/.well-known/openid-configuration + KEYCLOAK_JWT_OIDC_ISSUER: https://{{ tpl (index .Values "forms-flow-idm" "keycloak" "ingress" "hostname") . }}/auth/realms/{{ index .Values "forms-flow-idm" "realm" }} + KEYCLOAK_JWT_OIDC_JWKS_URI: https://{{ tpl (index .Values "forms-flow-idm" "keycloak" "ingress" "hostname") . }}/auth/realms/{{ index .Values "forms-flow-idm" "realm" }}/protocol/openid-connect/certs + KEYCLOAK_TOKEN_URL: https://{{ tpl (index .Values "forms-flow-idm" "keycloak" "ingress" "hostname") . }}/auth/realms/{{ index .Values "forms-flow-idm" "realm" }}/protocol/openid-connect/token + KEYCLOAK_URL: https://{{ tpl (index .Values "forms-flow-idm" "keycloak" "ingress" "hostname") . }} + KEYCLOAK_URL_REALM: {{ index .Values "forms-flow-idm" "realm" }} + FORMIO_URL: https://{{ tpl (index .Values "forms-flow-web" "ingress" "hostname") . }}/formio + FORMIO_DOMAIN: https://{{ tpl (index .Values "forms-flow-web" "ingress" "hostname") . }}/formio + WEB_API_URL: https://{{ tpl (index .Values "forms-flow-web" "ingress" "hostname") . }}/webapi + {{- if .Values.mongodb.enabled }} + NODE_CONFIG: '{"mongo":"mongodb://{{ .Values.mongodb.auth.usernames | first }}:{{ .Values.mongodb.auth.passwords | first }}@{{ .Values.mongodb.service.nameOverride }}:{{ .Values.mongodb.service.ports.mongodb }}/{{ .Values.mongodb.auth.databases | first }}"}' + MONGODB_URI: {{ ternary (tpl "mongodb://{{ .Values.mongodb.auth.usernames | first }}:{{ .Values.mongodb.auth.passwords | first }}@{{ .Values.mongodb.service.nameOverride }}:{{ .Values.mongodb.service.ports.mongodb }}/{{ .Values.mongodb.auth.databases | first }}" .) "" .Values.mongodb.enabled | quote }} + {{- else }} + MONGODB_URI: {{ ternary (tpl "mongodb+srv://{{ .Values.mongodb.auth.usernames | first }}:{{ .Values.mongodb.auth.passwords | first }}@{{ .Values.mongodb.service.nameOverride }}/{{ .Values.mongodb.auth.databases | first }}" .) "" .Values.mongodb.enabled | quote }} + NODE_CONFIG: '{"mongo":"mongodb+srv://{{ .Values.mongodb.auth.usernames | first }}:{{ .Values.mongodb.auth.passwords | first }}@{{ .Values.mongodb.service.nameOverride }}/{{ .Values.mongodb.auth.databases | first }}"}' + {{- end }} + FORMSFLOW_WEB_URL: https://{{ tpl (index .Values "forms-flow-web" "ingress" "hostname") . }} + FORMSFLOW_ADMIN_URL: https://{{ tpl (index .Values "forms-flow-web" "ingress" "hostname") . }}/admin/api/v1 + FORMSFLOW_ADMIN_BASE: https://{{ tpl (index .Values "forms-flow-web" "ingress" "hostname") . }}/admin/api + MODEL_ID: "Seethal/sentiment_analysis_generic_dataset" + INSIGHT_API_URL: https://{{ tpl (index .Values "forms-flow-web" "ingress" "hostname") . }}/redash + KEYCLOAK_ENABLE_CLIENT_AUTH: "{{ index .Values "forms-flow-idm" "keycloak" "EnableKeycloakClientAuth" }}" + MULTI_TENANCY_ENABLED: "{{ index .Values "forms-flow-web" "EnableMultitenant" }}" + DATA_ANALYSIS_URL: https://{{ tpl (index .Values "forms-flow-web" "ingress" "hostname") . }}/analysis + NODE_ENV: "production" + CUSTOM_SUBMISSION_URL: "{{ .Values.custom_submission_url }}" + CUSTOM_SUBMISSION_ENABLED: "{{ .Values.custom_submission_enabled }}" + FORMSFLOW_DOC_API_URL: https://{{ tpl (index .Values "forms-flow-web" "ingress" "hostname") . }}/docapi + DRAFT_ENABLED: "{{ .Values.draft_enabled }}" + DRAFT_POLLING_RATE: "15000" + EXPORT_PDF_ENABLED: "{{ .Values.export_pdf_enabled }}" + REDIS_HOST: "{{ .Values.redis_host }}" + REDIS_PORT: "{{ .Values.redis_port }}" + REDIS_ENABLED: "{{ .Values.EnableRedis }}" + CHROME_DRIVER_PATH: "/usr/local/bin/chromedriver" + ENABLE_CHATBOT: "{{ .Values.EnableChatBot }}" + CHATBOT_URL: https://{{ tpl (index .Values "forms-flow-web" "ingress" "hostname") . }}/analysis/conversations + ENABLE_LOW_CODE_DESIGNER: "false" + ELASTIC_SERVER: "{{ .Values.elastic_server }}" + REDIS_URL: "{{ .Values.redis_url }}" + IPAAS_EMBED_BASE_URL: "{{ .Values.ipaas.embed_base_url }}" + IPAAS_API_BASE_URL: "{{ .Values.ipaas.api_base_url }}" + CONFIGURE_LOGS: "{{ .Values.configure_logs }}" + KEYCLOAK_URL_HTTP_RELATIVE_PATH: {{ index .Values "forms-flow-idm" "context-path" }} \ No newline at end of file diff --git a/charts/forms-flow-ai/templates/redis-exporter/configmap.yaml b/charts/forms-flow-ai/templates/redis-exporter/configmap.yaml index 0a4acaa6..b7f0f9f4 100644 --- a/charts/forms-flow-ai/templates/redis-exporter/configmap.yaml +++ b/charts/forms-flow-ai/templates/redis-exporter/configmap.yaml @@ -1,25 +1,28 @@ -apiVersion: v1 -data: - redis.conf: {{ .Values.redisExporter.redis.configMap.redis_conf | quote }} - update-node.sh: | - #!/bin/sh - CLUSTER_CONFIG="/data/nodes.conf" - echo "creating nodes" - if [ -f ${CLUSTER_CONFIG} ]; then - echo "[ INFO ]File:${CLUSTER_CONFIG} is Found" - else - touch $CLUSTER_CONFIG - fi - if [ -z "${POD_IP}" ]; then - echo "Unable to determine Pod IP address!" - exit 1 - fi - echo "Updating my IP to ${POD_IP} in ${CLUSTER_CONFIG}" - sed -i.bak -e "/myself/ s/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/${POD_IP}/" ${CLUSTER_CONFIG} - echo "done" - exec "$@" -kind: ConfigMap -metadata: - labels: - app: redis-exporter - name: redis-exporter \ No newline at end of file +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "forms-flow-ai.redisExporter.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "forms-flow-ai.redisExporter.labels" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + redis.conf: {{ .Values.redisExporter.redis.configMap.redis_conf | quote }} + update-node.sh: | + #!/bin/sh + CLUSTER_CONFIG="/data/nodes.conf" + echo "creating nodes" + if [ -f ${CLUSTER_CONFIG} ]; then + echo "[ INFO ]File:${CLUSTER_CONFIG} is Found" + else + touch $CLUSTER_CONFIG + fi + if [ -z "${POD_IP}" ]; then + echo "Unable to determine Pod IP address!" + exit 1 + fi + echo "Updating my IP to ${POD_IP} in ${CLUSTER_CONFIG}" + sed -i.bak -e "/myself/ s/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/${POD_IP}/" ${CLUSTER_CONFIG} + echo "done" + exec "$@" diff --git a/charts/forms-flow-ai/templates/redis-exporter/service.yaml b/charts/forms-flow-ai/templates/redis-exporter/service.yaml index d1287eff..8279b2ef 100644 --- a/charts/forms-flow-ai/templates/redis-exporter/service.yaml +++ b/charts/forms-flow-ai/templates/redis-exporter/service.yaml @@ -1,17 +1,60 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: redis-exporter - name: redis-exporter -spec: - ports: - - name: client - port: 6379 - targetPort: 6379 - - name: gossip - port: 16379 - targetPort: 16379 - selector: - app: redis-exporter - type: ClusterIP +apiVersion: v1 +kind: Service +metadata: + name: {{ include "forms-flow-ai.redisExporter.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.redisExporter.image "chart" .Chart ) ) }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.redisExporter.serviceLabels .Values.commonLabels $versionLabel ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/name: redis-exporter + {{- if .Values.redisExporter.serviceAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.redisExporter.serviceAnnotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.redisExporter.service.type }} + {{- if or (eq .Values.redisExporter.service.type "LoadBalancer") (eq .Values.redisExporter.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.redisExporter.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if (semverCompare ">=1.22-0" (include "common.capabilities.kubeVersion" .)) }} + internalTrafficPolicy: {{ .Values.redisExporter.service.internalTrafficPolicy }} + {{- end }} + {{- if and (eq .Values.redisExporter.service.type "LoadBalancer") (not (empty .Values.redisExporter.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.redisExporter.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.redisExporter.service.type "LoadBalancer") .Values.redisExporter.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.redisExporter.service.loadBalancerClass }} + {{- end }} + {{- if and (eq .Values.redisExporter.service.type "LoadBalancer") (not (empty .Values.redisExporter.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ toYaml .Values.redisExporter.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and .Values.redisExporter.service.clusterIP (eq .Values.redisExporter.service.type "ClusterIP") }} + clusterIP: {{ .Values.redisExporter.service.clusterIP }} + {{- end }} + {{- if .Values.redisExporter.service.sessionAffinity }} + sessionAffinity: {{ .Values.redisExporter.service.sessionAffinity }} + {{- end }} + {{- if .Values.redisExporter.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.redisExporter.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.redisExporter.service.externalIPs }} + externalIPs: {{- include "common.tplvalues.render" (dict "value" .Values.redisExporter.service.externalIPs "context" $) | nindent 4 }} + {{- end }} + ports: + - name: {{ .Values.redisExporter.service.portNames.redis }} + port: {{ .Values.redisExporter.service.ports.redis }} + targetPort: 6379 + - name: {{ .Values.redisExporter.service.portNames.redis2 }} + port: {{ .Values.redisExporter.service.ports.redis2 }} + targetPort: 16379 + {{- if and (or (eq .Values.redisExporter.service.type "NodePort") (eq .Values.redisExporter.service.type "LoadBalancer")) .Values.redisExporter.service.nodePorts.redis}} + nodePort: {{ .Values.redisExporter.service.nodePorts.redis}} + {{- else if eq .Values.redisExporter.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.redisExporter.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.redisExporter.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.redisExporter.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/name: redis-exporter diff --git a/charts/forms-flow-ai/templates/redis-exporter/statefulset.yaml b/charts/forms-flow-ai/templates/redis-exporter/statefulset.yaml index 4e48b259..7f571062 100644 --- a/charts/forms-flow-ai/templates/redis-exporter/statefulset.yaml +++ b/charts/forms-flow-ai/templates/redis-exporter/statefulset.yaml @@ -1,77 +1,128 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - app: redis-exporter - name: redis-exporter -spec: - replicas: {{ .Values.redisExporter.replica }} - selector: - matchLabels: - app: redis-exporter - serviceName: redis-exporter - template: - metadata: - labels: - app: redis-exporter - spec: - containers: - - name: redis - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - image: "{{ .Values.redisExporter.redis.image.registry }}/{{ .Values.redisExporter.redis.image.repository }}:{{ .Values.redisExporter.redis.image.tag }}" - command: ["/conf/update-node.sh", "redis-server", "/conf/redis.conf"] - livenessProbe: - failureThreshold: 5 - initialDelaySeconds: 30 - periodSeconds: 5 - successThreshold: 1 - tcpSocket: - port: client - timeoutSeconds: 5 - ports: - - containerPort: 6379 - name: client - - containerPort: 16379 - name: gossip - readinessProbe: - exec: - command: - - redis-cli - - ping - initialDelaySeconds: 10 - periodSeconds: 3 - timeoutSeconds: 5 - resources: - limits: - cpu: "{{ .Values.redisExporter.resources.limits.cpu }}" - memory: "{{ .Values.redisExporter.resources.limits.memory }}" - requests: - cpu: "{{ .Values.redisExporter.resources.requests.cpu }}" - memory: "{{ .Values.redisExporter.resources.requests.memory }}" - volumeMounts: - - mountPath: /conf - name: conf - readOnly: true - - mountPath: /data - name: redis-data - readOnly: false - volumes: - - configMap: - defaultMode: 0555 - name: redis-exporter - name: conf - - volumeClaimTemplates: - - metadata: - name: redis-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ .Values.redisExporter.persistentVolumeClaim.size }} - storageClassName: {{ .Values.redisExporter.persistentVolumeClaim.storageClass }} \ No newline at end of file +--- +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ template "forms-flow-ai.redisExporter.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/name: redis-exporter + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "forms-flow-ai.redisExporter.fullname" . }} + replicas: {{ .Values.replicaCount }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/name: redis-exporter + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/name: redis-exporter + spec: + containers: + - name: redis + image: {{ include "forms-flow-ai.redisExporter.image" . }} + imagePullPolicy: {{ .Values.redisExporter.image.pullPolicy | quote }} + command: ["/conf/update-node.sh", "redis-server", "/conf/redis.conf"] + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.redisExporter.extraEnvVars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.redisExporter.extraEnvVars "context" $ ) | nindent 10 }} + {{- end }} + {{- if or .Values.redisExporter.extraEnvVarsCM .Values.redisExporter.extraEnvVarsSecret }} + envFrom: + {{- if .Values.redisExporter.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" ( dict "value" .Values.redisExporter.extraEnvVarsCM "context" $ ) }} + {{- end }} + {{- if .Values.redisExporter.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" ( dict "value" .Values.redisExporter.extraEnvVarsSecret "context" $ ) }} + {{- end }} + {{- end }} + ports: + - containerPort: {{ .Values.redisExporter.containerPorts.client }} + name: client + - containerPort: {{ .Values.redisExporter.containerPorts.gossip }} + name: gossip + {{- if .Values.redisExporter.resources }} + resources: + {{- toYaml .Values.redisExporter.resources | nindent 12 }} + {{- else if ne .Values.redisExporter.resourcesPreset "none" }} + resources: + {{- include "common.resources.preset" (dict "type" .Values.redisExporter.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.redisExporter.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.redisExporter.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.redisExporter.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.redisExporter.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.redisExporter.livenessProbe.periodSeconds }} + timeoutSeconds: {{ add1 .Values.redisExporter.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.redisExporter.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.redisExporter.livenessProbe.failureThreshold }} + tcpSocket: + port: client + {{- end }} + {{- if .Values.redisExporter.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.redisExporter.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.redisExporter.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.redisExporter.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.redisExporter.readinessProbe.periodSeconds }} + timeoutSeconds: {{ add1 .Values.redisExporter.readinessProbe.timeoutSeconds }} + exec: + command: + - redis-cli + - ping + {{- end }} + volumeMounts: + - mountPath: /conf + name: conf + readOnly: true + - mountPath: /data + name: redis-data + readOnly: false + {{- if .Values.redisExporter.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.redisExporter.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.redisExporter.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.redisExporter.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - configMap: + defaultMode: 0555 + name: redis-exporter + name: conf + {{- if .Values.redisExporter.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.redisExporter.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.redisExporter.persistence.enabled }} + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: redis-data + labels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 10 }} + app.kubernetes.io/component: redis-exporter + {{- if .Values.redisExporter.persistence.annotations }} + annotations: {{- toYaml .Values.redisExporter.persistence.annotations | nindent 10 }} + {{- end }} + spec: + storageClassName: {{ .Values.redisExporter.persistence.storageClass }} + accessModes: + {{- range .Values.redisExporter.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.redisExporter.persistence.size | quote }} + {{- if .Values.redisExporter.persistence.selector }} + selector: {{- include "common.tplvalues.render" ( dict "value" .Values.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- end }} diff --git a/charts/forms-flow-ai/templates/secrets-extra.yaml b/charts/forms-flow-ai/templates/secrets-extra.yaml new file mode 100644 index 00000000..8a41653d --- /dev/null +++ b/charts/forms-flow-ai/templates/secrets-extra.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-auth" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "imagePullSecret" . }} \ No newline at end of file diff --git a/charts/forms-flow-ai/templates/secret.yaml b/charts/forms-flow-ai/templates/secrets.yaml similarity index 53% rename from charts/forms-flow-ai/templates/secret.yaml rename to charts/forms-flow-ai/templates/secrets.yaml index 77d24815..788593a5 100644 --- a/charts/forms-flow-ai/templates/secret.yaml +++ b/charts/forms-flow-ai/templates/secrets.yaml @@ -1,29 +1,19 @@ -apiVersion: v1 -kind: Secret -metadata: - labels: - app: "{{ .Chart.Name }}" - name: "{{ .Chart.Name }}" -stringData: - FORMIO_ROOT_EMAIL: {{ index .Values "forms-flow-forms" "admin" "email" }} - FORMIO_ROOT_PASSWORD: {{ index .Values "forms-flow-forms" "admin" "password" }} - FORMIO_JWT_SECRET: "{{ .Release.Namespace }}-jwt-secret" - KEYCLOAK_CLIENTID: {{ index .Values "forms-flow-bpm" "clientid" }} - KEYCLOAK_CLIENTSECRET: {{ index .Values "forms-flow-bpm" "clientsecret" }} - WEB_CLIENTID: {{ index .Values "forms-flow-web" "clientid"}} - WEBSOCKET_ENCRYPT_KEY: "{{.Values.websocket_encrypt_key}}" - ADMIN_WEB_CLIENTID: {{ index .Values "forms-flow-web" "clientid"}} - INSIGHT_API_KEY: "{{.Values.insight_api_key}}" - REDIS_PASSCODE: "{{.Values.redis_pass_code}}" - IPAAS_EMBEDDED_API_KEY: "{{ .Values.ipaas.embedded_api_key }}" - IPAAS_JWT_PRIVATE_KEY: "{{ .Values.ipaas.jwt_private_key }}" ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - app: {{ .Chart.Name }}-auth - name: {{ .Chart.Name }}-auth -type: kubernetes.io/dockerconfigjson -data: - .dockerconfigjson: {{ index .Values "forms-flow-auth" "imagesecret" }} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: "{{ .Chart.Name }}" + name: "{{ .Chart.Name }}" +stringData: + FORMIO_ROOT_EMAIL: {{ index .Values "forms-flow-forms" "admin" "email" }} + FORMIO_ROOT_PASSWORD: {{ index .Values "forms-flow-forms" "admin" "password" }} + FORMIO_JWT_SECRET: "{{ .Release.Namespace }}-jwt-secret" + KEYCLOAK_CLIENTID: {{ index .Values "forms-flow-bpm" "clientid" }} + KEYCLOAK_CLIENTSECRET: {{ index .Values "forms-flow-bpm" "clientsecret" }} + WEB_CLIENTID: {{ index .Values "forms-flow-web" "clientid" }} + WEBSOCKET_ENCRYPT_KEY: "{{ .Values.websocket_encrypt_key }}" + ADMIN_WEB_CLIENTID: {{ index .Values "forms-flow-web" "clientid" }} + INSIGHT_API_KEY: "{{ .Values.insight_api_key }}" + REDIS_PASSCODE: "{{ .Values.redis_pass_code }}" + IPAAS_EMBEDDED_API_KEY: "{{ .Values.ipaas.embedded_api_key }}" + IPAAS_JWT_PRIVATE_KEY: "{{ .Values.ipaas.jwt_private_key }}" \ No newline at end of file diff --git a/charts/forms-flow-ai/values.yaml b/charts/forms-flow-ai/values.yaml index c1c391af..e69e8034 100644 --- a/charts/forms-flow-ai/values.yaml +++ b/charts/forms-flow-ai/values.yaml @@ -1,3 +1,4 @@ + --- Domain: # formsflowdb: @@ -10,63 +11,88 @@ formsflowdb: postgresql: 5432 forms-flow-bpm: clientid: "forms-flow-bpm" - clientsecret: "786001d6-68a8-4519-903c-bc5b5a870d68" - ingress: - hostname: forms-flow-bpm-{{.Release.Namespace}}.{{tpl (.Values.Domain) .}} + clientsecret: "e4bdbd25-1467-4f7f-b993-bc4b1944c943" forms-flow-forms: admin: email: "me@defineme.com" password: "admin" - ingress: - hostname: forms-flow-forms-{{.Release.Namespace}}.{{tpl (.Values.Domain) .}} -forms-flow-api: - ingress: - hostname: forms-flow-api-{{.Release.Namespace}}.{{tpl (.Values.Domain) .}} -forms-flow-admin: - ingress: - hostname: forms-flow-admin-{{.Release.Namespace}}.{{tpl (.Values.Domain) .}} -forms-flow-documents-api: - ingress: - hostname: forms-flow-documents-api-{{.Release.Namespace}}.{{tpl (.Values.Domain) .}} -forms-flow-data-analysis: - ingress: - hostname: forms-flow-data-analysis-{{.Release.Namespace}}.{{tpl (.Values.Domain) .}} -forms-flow-analytics: - ingress: - hostname: forms-flow-analytics-{{.Release.Namespace}}.{{tpl (.Values.Domain) .}} + service: + name: forms-flow-forms + port: "3001" forms-flow-idm: keycloak: + EnableKeycloakClientAuth: false ingress: hostname: forms-flow-idm-{{.Release.Namespace}}.{{tpl (.Values.Domain) .}} realm: forms-flow-ai context-path: /auth forms-flow-web: + EnableMultitenant: false clientid: forms-flow-web ingress: hostname: forms-flow-web-{{.Release.Namespace}}.{{tpl (.Values.Domain) .}} -forms-flow-auth: - imagesecret: "#DEFINE_ME" +imageCredentials: + registry: quay.io + username: "someone" + password: "test" + email: "someone@host.com" +## @param image.registry [default: REGISTRY_NAME] MongoDB(®) image registry +## @param image.repository [default: REPOSITORY_NAME/mongodb] MongoDB(®) image registry +## @skip image.tag MongoDB(®) image tag (immutable tags are recommended) +## @param image.digest MongoDB(®) image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy MongoDB(®) image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Set to true if you would like to see extra information on logs +## mongodb: image: - tag: 7.0.12-debian-12-r5 #4.2.21-debian-10-r8 + tag: 8.0.3-debian-12-r0 #4.2.21-debian-10-r8 + pullSecrets: + - forms-flow-auth enabled: true + ## @param fullnameOverride String to fully override mongodb.fullname template + ## fullnameOverride: "forms-flow-ai-mongodb" + ## @param clusterDomain Default Kubernetes cluster domain + ## clusterDomain: cluster.local + ## @param architecture MongoDB(®) architecture (`standalone` or `replicaset`) + ## architecture: replicaset + ## @param useStatefulSet Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) + ## useStatefulSet: true + ## MongoDB(®) Authentication parameters + ## auth: + ## @param auth.enabled Enable authentication + ## ref: https://docs.mongodb.com/manual/tutorial/enable-authentication/ + ## + enabled: true + ## MongoDB(®) custom users and databases + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#creating-a-user-and-database-on-first-run + ## @param auth.usernames List of custom users to be created during the initialization + ## @param auth.passwords List of passwords for the custom users set at `auth.usernames` + ## @param auth.databases List of custom databases to be created during the initialization + ## databases: - formsflow passwords: - changeme #use the same password in initdbscript usernames: - mongodb #use the same username in initdbscript - enabled: true + ## @param auth.rootUser MongoDB(®) root user + ## rootUser: root + ## @param auth.rootPassword MongoDB(®) root password + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#setting-the-root-user-and-password-on-first-run + ## rootPassword: "changeme" + ## @param auth.replicaSetKey Key used for authentication in the replicaset (only when `architecture=replicaset`) + ## replicaSetKey: "formsflow" # initdbScripts: # init-mongo.js: | @@ -81,35 +107,99 @@ mongodb: # }, # ], # }); + + ## @param replicaSetName Name of the replica set (only when `architecture=replicaset`) + ## Ignored when mongodb.architecture=standalone + ## replicaSetName: rs0 + ## @param replicaSetHostnames Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) + ## Ignored when mongodb.architecture=standalone + ## Ignored when externalAccess.enabled=true + ## replicaSetHostnames: true + ## @param directoryPerDB Switch to enable/disable DirectoryPerDB on MongoDB(®) + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#enablingdisabling-directoryperdb + ## directoryPerDB: false + ## @param replicaCount Number of MongoDB(®) nodes + ## When `mongodb.architecture=replicaset`, the number of replicas is taken in account + ## When `mongodb.architecture=standalone`, the number of replicas can only be 0 or 1 (value higher then 1 will not be taken in account) + ## replicaCount: 3 + ## MongoDB(®) pods' Security Context. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param podSecurityContext.enabled Enable MongoDB(®) pod(s)' Security Context + ## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param podSecurityContext.fsGroup Group ID for the volumes of the MongoDB(®) pod(s) + ## @param podSecurityContext.sysctls sysctl settings of the MongoDB(®) pod(s)' + ## podSecurityContext: enabled: false + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 + + ## MongoDB(®) containers' Security Context (main and metrics container). + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param containerSecurityContext.enabled Enabled containers' Security Context + ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param containerSecurityContext.privileged Set container's Security Context privileged + ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## containerSecurityContext: enabled: false + seLinuxOptions: {} runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## @param containerPorts.mongodb MongoDB(®) container port + ## containerPorts: mongodb: 27017 + ## @section Traffic exposure parameters + ## + + ## Service parameters + ## service: nameOverride: "forms-flow-ai-mongodb" type: ClusterIP portName: mongodb ports: mongodb: 27017 + persistence: enabled: true + storageClass: "" accessModes: - ReadWriteOnce size: 8Gi mountPath: /bitnami/mongodb - storageClass: "" + ## @section RBAC parameters + ## + + ## ServiceAccount + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + ## serviceAccount: create: true - + ## @section Arbiter parameters + ## arbiter: enabled: false podSecurityContext: @@ -123,11 +213,15 @@ websocket_encrypt_key: "FormsFlow.AI" insight_api_key: "" redis_host: "" redis_port: "" +EnableRedis: "false" +EnableChatBot: "false" redis_pass_code: "" draft_enabled: "true" export_pdf_enabled: "false" elastic_server: "forms-flow-elastic:9200" redis_url: "redis://redis-exporter:6379/1" +custom_submission_url: "" +custom_submission_enabled: "false" ipaas: embedded_api_key: "" jwt_private_key: "" @@ -135,34 +229,152 @@ ipaas: api_base_url: "" configure_logs: "true" + postgresql-ha: enabled: true + ## @section PostgreSQL with Repmgr parameters + ## PostgreSQL parameters + ## postgresql: + ## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ + ## @param postgresql.image.registry [default: REGISTRY_NAME] PostgreSQL with Repmgr image registry + ## @param postgresql.image.repository [default: REPOSITORY_NAME/postgresql-repmgr] PostgreSQL with Repmgr image repository + ## @skip postgresql.image.tag PostgreSQL with Repmgr image tag + ## @param postgresql.image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param postgresql.image.pullPolicy PostgreSQL with Repmgr image pull policy + ## @param postgresql.image.pullSecrets Specify docker-registry secret names as an array + ## @param postgresql.image.debug Specify if debug logs should be enabled + ## image: registry: docker.io repository: bitnami/postgresql-repmgr - tag: 16.3.0-debian-12-r20 + tag: 17.2.0-debian-12-r3 + ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: + - forms-flow-auth + ## @param postgresql.replicaCount Number of replicas to deploy. Use an odd number. Having 3 replicas is the minimum to get quorum when promoting a new primary. + ## replicaCount: 3 + ## @param postgresql.containerPorts.postgresql PostgreSQL port + ## containerPorts: postgresql: 5432 + ## K8s Security Context + ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param postgresql.podSecurityContext.enabled Enable security context for PostgreSQL with Repmgr + ## @param postgresql.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param postgresql.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param postgresql.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param postgresql.podSecurityContext.fsGroup Group ID for the PostgreSQL with Repmgr filesystem + ## podSecurityContext: enabled: false fsGroup: 1001 + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + ## Container Security Context + ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param postgresql.containerSecurityContext.enabled Enabled containers' Security Context + ## @param postgresql.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param postgresql.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param postgresql.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param postgresql.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param postgresql.containerSecurityContext.privileged Set container's Security Context privileged + ## @param postgresql.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param postgresql.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param postgresql.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param postgresql.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## e.g: + ## containerSecurityContext: + ## enabled: true + ## capabilities: + ## drop: ["NET_RAW"] + ## readOnlyRootFilesystem: true + ## containerSecurityContext: enabled: false + seLinuxOptions: {} runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true - readOnlyRootFilesystem: false - + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## PostgreSQL container's liveness probe + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param postgresql.livenessProbe.enabled Enable livenessProbe + ## @param postgresql.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param postgresql.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param postgresql.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param postgresql.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param postgresql.livenessProbe.successThreshold Success threshold for livenessProbe + ## livenessProbe: enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + ## PostgreSQL container's readiness probe + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param postgresql.readinessProbe.enabled Enable readinessProbe + ## @param postgresql.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param postgresql.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param postgresql.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param postgresql.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param postgresql.readinessProbe.successThreshold Success threshold for readinessProbe + ## readinessProbe: enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + ## PostgreSQL configuration parameters + ## @param postgresql.username PostgreSQL username + ## @param postgresql.password PostgreSQL password + ## @param postgresql.database PostgreSQL database + ## username: postgres password: "postgres" database: "forms-flow-ai" + ## @param postgresql.postgresPassword PostgreSQL password for the `postgres` user when `username` is not `postgres` + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-user-on-first-run (see note!) + ## postgresPassword: "changeme" + ## @param postgresql.usePasswordFile Set to `true` to mount PostgreSQL secret as a file instead of passing environment variable + ## usePasswordFile: "false" + ## Repmgr configuration parameters + ## @param postgresql.repmgrUsername PostgreSQL Repmgr username + ## @param postgresql.repmgrPassword PostgreSQL Repmgr password + ## @param postgresql.repmgrDatabase PostgreSQL Repmgr database + ## @param postgresql.repmgrLogLevel Repmgr log level (DEBUG, INFO, NOTICE, WARNING, ERROR, ALERT, CRIT or EMERG) + ## @param postgresql.repmgrConnectTimeout Repmgr backend connection timeout (in seconds) + ## @param postgresql.repmgrReconnectAttempts Repmgr backend reconnection attempts + ## @param postgresql.repmgrReconnectInterval Repmgr backend reconnection interval (in seconds) + ## @param postgresql.repmgrFenceOldPrimary Set if fencing of old primary in multiple primary situation is desired + ## @param postgresql.repmgrChildNodesCheckInterval Repmgr child nodes check interval (in seconds) + ## @param postgresql.repmgrChildNodesConnectedMinCount Repmgr minimum number of connected child nodes before being considered as failed primary for fencing + ## @param postgresql.repmgrChildNodesDisconnectTimeout Repmgr time before node will be fenced when insufficient child nodes are detected (in seconds) + ## repmgrUsername: repmgr repmgrPassword: "changeme" repmgrDatabase: repmgr @@ -174,6 +386,16 @@ postgresql-ha: repmgrChildNodesCheckInterval: 5 repmgrChildNodesConnectedMinCount: 1 repmgrChildNodesDisconnectTimeout: 30 + ## @param postgresql.initdbScripts Dictionary of initdb scripts + ## Specify dictionary of scripts to be run at first boot + ## The allowed extensions are `.sh`, `.sql` and `.sql.gz` + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha#initialize-a-fresh-instance + ## e.g: + ## initdbScripts: + ## my_init_script.sh: | + ## #!/bin/sh + ## echo "Do something." + ## initdbScripts: init_script.sql: | CREATE DATABASE "forms-flow-admin"; @@ -189,53 +411,258 @@ postgresql-ha: alter database "forms-flow-api" set default_transaction_read_only = off; alter database "forms-flow-analytics" set default_transaction_read_only = off; alter database "forms-flow-admin" set default_transaction_read_only = off; - witness: - pdb: - create: false + ## @section Pgpool parameters + ## Pgpool parameters + ## pgpool: + ## ref: https://hub.docker.com/r/bitnami/pgpool/tags/ + ## @param pgpool.image.registry [default: REGISTRY_NAME] Pgpool image registry + ## @param pgpool.image.repository [default: REPOSITORY_NAME/pgpool] Pgpool image repository + ## @skip pgpool.image.tag Pgpool image tag + ## @param pgpool.image.digest Pgpool image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param pgpool.image.pullPolicy Pgpool image pull policy + ## @param pgpool.image.pullSecrets Specify docker-registry secret names as an array + ## @param pgpool.image.debug Specify if debug logs should be enabled + ## image: registry: docker.io repository: bitnami/pgpool - tag: 4.5.2-debian-12-r5 + tag: 4.5.5-debian-12-r0 digest: "" + ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: + - forms-flow-auth + ## @param pgpool.replicaCount The number of replicas to deploy + ## replicaCount: 1 + ## K8s Security Context + ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param pgpool.podSecurityContext.enabled Enable security context for Pgpool + ## @param pgpool.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param pgpool.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param pgpool.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param pgpool.podSecurityContext.fsGroup Group ID for the Pgpool filesystem + ## podSecurityContext: enabled: false + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 + ## Container Security Context + ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param pgpool.containerSecurityContext.enabled Enabled containers' Security Context + ## @param pgpool.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param pgpool.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param pgpool.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param pgpool.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param pgpool.containerSecurityContext.privileged Set container's Security Context privileged + ## @param pgpool.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param pgpool.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param pgpool.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param pgpool.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## e.g: + ## containerSecurityContext: + ## enabled: true + ## capabilities: + ## drop: ["NET_RAW"] + ## readOnlyRootFilesystem: false + ## containerSecurityContext: enabled: false + seLinuxOptions: {} runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true - readOnlyRootFilesystem: false + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Pgpool container's liveness probe + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param pgpool.livenessProbe.enabled Enable livenessProbe + ## @param pgpool.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param pgpool.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param pgpool.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param pgpool.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param pgpool.livenessProbe.successThreshold Success threshold for livenessProbe + ## livenessProbe: enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## Pgpool container's readiness probe + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param pgpool.readinessProbe.enabled Enable readinessProbe + ## @param pgpool.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param pgpool.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param pgpool.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param pgpool.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param pgpool.readinessProbe.successThreshold Success threshold for readinessProbe + ## readinessProbe: enabled: false + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param pgpool.containerPorts.postgresql Pgpool port + ## containerPorts: postgresql: 5432 + ## Credentials for the pgpool administrator + ## @param pgpool.adminUsername Pgpool Admin username + ## @param pgpool.adminPassword Pgpool Admin password + ## adminUsername: admin adminPassword: "changeme" - service: - type: ClusterIP - ports: - metrics: 9187 + ## @section Persistence parameters + + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ + ## persistence: + ## @param persistence.enabled Enable data persistence + ## enabled: true + ## @param persistence.storageClass Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## storageClass: "" + ## @param persistence.mountPath The path the volume will be mounted at, useful when using different PostgreSQL images. + ## mountPath: /bitnami/postgresql + ## @param persistence.accessModes List of access modes of data volume + ## accessModes: - ReadWriteOnce + ## @param persistence.size Persistent Volume Claim size + ## size: 8Gi + ## @section Traffic Exposure parameters + + ## PostgreSQL service parameters + ## service: + ## @param service.type Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) + ## type: ClusterIP + ## @param service.ports.postgresql PostgreSQL port + ## ports: postgresql: 5432 + ## @param service.portName PostgreSQL service port name + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services + ## portName: postgresql + ## @param service.nodePorts.postgresql Kubernetes service nodePort + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## nodePorts: postgresql: "" + redisExporter: - replica: 1 + replicaCounts: 1 + serviceAnnotations: {} + serviceLabels: {} + service: + ## @param redis-exporter.service.type Redis® redis-exporter service type + ## + type: ClusterIP + ## @param redis-exporter.service.portNames.redis Redis® redis-exporter service port name + ## + portNames: + redis: "client" + redis2: "gossip" + ## @param redis-exporter.service.ports.redis Redis® redis-exporter service port + ## + ports: + redis: 6379 + redis2: 16379 + ## @param redis-exporter.service.nodePorts.redis Node port for Redis® redis-exporter + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + redis: "" + ## @param redis-exporter.service.externalTrafficPolicy Redis® redis-exporter service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param redis-exporter.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param redis-exporter.service.internalTrafficPolicy Redis® redis-exporter service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + ## + internalTrafficPolicy: Cluster + ## @param redis-exporter.service.clusterIP Redis® redis-exporter service Cluster IP + ## + clusterIP: "" + ## @param redis-exporter.service.loadBalancerIP Redis® redis-exporter service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param redis-exporter.service.loadBalancerClass redis-exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerClass: "" + ## @param redis-exporter.service.loadBalancerSourceRanges Redis® redis-exporter service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param redis-exporter.service.externalIPs Redis® redis-exporter service External IPs + ## https://kubernetes.io/docs/concepts/services-networking/service/#external-ips + ## e.g. + ## externalIPs: + ## - 10.10.10.1 + ## - 201.22.30.1 + ## + externalIPs: [] + ## @param redis-exporter.service.annotations Additional custom annotations for Redis® redis-exporter service + ## + annotations: {} + ## @param redis-exporter.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param redis-exporter.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## @param redis-exporter.podLabels Extra labels for Redis® redis-exporter pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + extraEnvVarsCM: {} + extraEnvVars: {} + extraEnvVarsSecret: {} redis: configMap: redis_conf: | @@ -247,18 +674,114 @@ redisExporter: appendonly no protected-mode no maxmemory 1449551462 - image: - registry: docker.io - repository: redis - tag: 7.2.4-alpine + image: + registry: docker.io + repository: redis + tag: 7.4.1 + pullPolicy: IfNotPresent + pullSecrets: [] + livenessProbe: + enabled: true + failureThreshold: 5 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 3 + timeoutSeconds: 5 + ## @param redisExporter.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param redisExporter.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param redisExporter.containerPorts.http redis Exporter HTTP container port + ## + containerPorts: + client: 6379 + gossip: 16379 + ## @param redisExporter.extraVolumes Optionally specify extra list of additional volumes for the redis Exporter pod(s) + ## + extraVolumes: [] + ## @param redisExporter.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the redis Exporter container(s) + ## + extraVolumeMounts: [] + ## @param redisExporter.sidecars Add additional sidecar containers to the redis Exporter pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param redisExporter.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## - persistentVolumeClaim: - size: 2Gi - storageClass: "" resources: limits: cpu: 60m memory: 512Mi requests: cpu: 50m - memory: 256Mi \ No newline at end of file + memory: 256Mi + resourcesPreset: {} + + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ + ## + + persistence: + ## @param persistence.enabled Enable persistence on Redis® + ## If enabled, nodes are using Persistent Volume Claims + ## If disabled, an emptyDir volume is used. This is not recommended. + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/redis-cluster#persistence + ## + enabled: true + ## @param persistence.subPath The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param persistence.storageClass Storage class of backing PVC + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param persistence.annotations Persistent Volume Claim annotations + ## + annotations: {} + ## @param persistence.labels Persistent Volume Claim labels + ## + labels: {} + ## @param persistence.accessModes Persistent Volume Access Modes + ## + accessModes: + - ReadWriteOnce + ## @param persistence.size Size of data volume + ## + size: 2Gi + ## @param persistence.matchLabels Persistent Volume selectors + ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + ## + selector: {} + ## @param persistence.matchExpressions matchExpressions Persistent Volume selectors + + + + + diff --git a/charts/forms-flow-analytics/.helmignore b/charts/forms-flow-analytics/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/forms-flow-analytics/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/forms-flow-analytics/Chart.yaml b/charts/forms-flow-analytics/Chart.yaml index 2b256941..3db14bc9 100644 --- a/charts/forms-flow-analytics/Chart.yaml +++ b/charts/forms-flow-analytics/Chart.yaml @@ -1,6 +1,17 @@ ---- apiVersion: v2 name: forms-flow-analytics -tags: forms-flow-analytics -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file +description: forms-flow-analytics leverages Redash to build interactive dashboards and gain insights provided by formsflow. +icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" +version: v8.0.0 +type: application +appVersion: "8.0.0" +dependencies: + - name: redis + version: "^19.1.0" + repository: oci://registry-1.docker.io/bitnamicharts + condition: redis.enabled + - name: postgresql + version: "^15.2.0" + repository: oci://registry-1.docker.io/bitnamicharts + condition: postgresql.enabled + diff --git a/charts/forms-flow-analytics/README.md b/charts/forms-flow-analytics/README.md new file mode 100644 index 00000000..9ded4ffc --- /dev/null +++ b/charts/forms-flow-analytics/README.md @@ -0,0 +1,333 @@ +# Formsflow.ai Analytics + +**formsflow.ai** leverages [Redash](https://github.com/getredash/redash) to build interactive +dashboards and gain insights. + +## Introduction + +This chart bootstraps a forms-flow-analytics deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + + +## Installing the Chart + +To install the chart with the release name `forms-flow-analytics`: + +```console +helm install forms-flow-analytics forms-flow-analytics +``` + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm upgrade --install forms-flow-analytics forms-flow-analytics --set ingress.ingressClassName=INGRESS_CLASS --set ingress.hosts[0].host=HOSTNAME --set ingress.tls[0].secretName="SECRETNAME" --set ingress.tls[0].hosts[0]="HOSTNAME" --set ingress.hosts[0].paths[0]="/" -n NAMESPACE +``` + +> Note: You need to substitute the placeholders `INGRESS_CLASS`, `HOSTNAME` and `SECRETNAME` with a reference to your Helm chart registry and repository. For example, in the case of Formsflow, you need to use `INGRESS_CLASS=nginx` + +These commands deploy Forms-flow-analytics on the Kubernetes cluster + +> **Tip**: List all releases using `helm list` + +### Resource requests and limits + +Forms-flow-analytics charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +## Server + +```yaml + resources: + limits: + cpu: 1500m + memory: 2Gi + requests: + cpu: 900m + memory: 1Gi +``` +## Worker + +```yaml + resources: + limits: + cpu: 300m + memory: 2Gi + requests: + cpu: 200m + memory: 1Gi +``` +## Scheduler + +```yaml + resources: + limits: + cpu: 300m + memory: 2Gi + requests: + cpu: 200m + memory: 1Gi +``` +## Migrations + +```yaml + resources: + limits: + cpu: 300m + memory: 2Gi + requests: + cpu: 200m + memory: 1Gi +``` +## Sidecar Configuration + +To add a sidecar to your `Forms-flow-analytics` deployment, you can use the following configuration. In this case, the sidecar container is an Nginx container used for configuration management. + +### Example Sidecar Configuration + +```yaml +sidecars: + - name: nginx + image: nginx:latest + ports: + - containerPort: 80 + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf +``` +## Path Update +The `Forms-flow-analytics` can now be accessed at the `/redash` route. Ensure that all configurations and requests reference this updated path. + +For example: + +``` +https:///redash +``` + +## Parameters + +| Parameter | Description | Default Value | +|----------------------------------|--------------------------------------------------|------------------------| +| `server.replicaCount` | Number of replicas for the server | `1` | +| `server.image.registry` | Docker registry for the image | `docker.io` | +| `server.image.repository` | Repository for the image | `formsflow/redash` | +| `server.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `server.image.tag` | Tag for the image | `24.04.0` | +| `server.image.pullSecrets` | Secrets for pulling images | `forms-flow-ai-auth` | +| `server.nameOverride` | Override for the name | `""` | +| `server.fullnameOverride` | Override for the full name | `""` | +| `server.commonLabels` | Common labels for all deployed objects | `{}` | +| `server.commonAnnotations` | Common annotations for all deployed objects | `{}` | +| `server.nodeSelector` | Node selector for scheduling | `{}` | +| `server.tolerations` | Tolerations for the pod | `[]` | +| `server.affinity` | Affinity rules for the pod | `{}` | +| `server.priorityClassName` | Priority class name for the pod | `""` | +| `server.schedulerName` | Scheduler name for the pod | `""` | +| `server.terminationGracePeriodSeconds` | Grace period for pod termination | `""` | +| `server.topologySpreadConstraints` | Constraints for topology spread | `[]` | +| `server.diagnosticMode.enabled` | Enable diagnostic mode | `false` | +| `server.diagnosticMode.command` | Command for diagnostic mode | `["sleep"]` | +| `server.diagnosticMode.args` | Arguments for diagnostic command | `["infinity"]` | +| `server.hostAliases` | Host aliases for the pod | `[]` | +| `server.serviceAccount.create` | Create a service account | `true` | +| `server.serviceAccount.annotations` | Annotations for the service account | `{}` | +| `server.serviceAccount.name` | Name for the service account | `""` | +| `server.serviceAccount.automountServiceAccountToken` | Automount service account token | `false` | +| `server.podAnnotations` | Annotations for the pod | `{}` | +| `server.podLabels` | Extra labels for the pod | `{}` | +| `server.podAffinityPreset` | Pod affinity preset | `""` | +| `server.podAntiAffinityPreset` | Pod anti-affinity preset | `soft` | +| `server.podSecurityContext.enabled` | Enable pod security context | `false` | +| `server.podSecurityContext.fsGroupChangePolicy` | File system group change policy | `Always` | +| `server.podSecurityContext.fsGroup` | File system group ID | `1001` | +| `server.containerSecurityContext.enabled` | Enable container security context | `false` | +| `server.containerSecurityContext.runAsUser` | Run as user ID | `1001` | +| `server.containerSecurityContext.runAsGroup` | Run as group ID | `1001` | +| `server.containerSecurityContext.runAsNonRoot` | Run as non-root user | `false` | +| `server.containerSecurityContext.privileged` | Privileged mode | `false` | +| `server.containerSecurityContext.readOnlyRootFilesystem` | Read-only root filesystem | `false` | +| `server.containerSecurityContext.allowPrivilegeEscalation` | Allow privilege escalation | `false` | +| `server.containerSecurityContext.capabilities.drop` | Capabilities to drop | `["ALL"]` | +| `server.containerSecurityContext.seccompProfile.type` | Seccomp profile type | `RuntimeDefault` | +| `server.command` | Command to run in the container | `[]` | +| `server.args` | Arguments for the command | `["server"]` | +| `server.lifecycleHooks.postStart` | Post-start lifecycle hooks | `{"exec": {"command": ["/bin/sh", "-c", "python -v ./manage.py database create_tables"]}}` | +| `server.livenessProbe.enabled` | Enable liveness probe | `true` | +| `server.livenessProbe.initialDelaySeconds` | Initial delay for liveness probe | `90` | +| `server.livenessProbe.timeoutSeconds` | Timeout for liveness probe | `1` | +| `server.livenessProbe.periodSeconds` | Period for liveness probe | `10` | +| `server.livenessProbe.successThreshold` | Success threshold for liveness probe | `1` | +| `server.livenessProbe.failureThreshold` | Failure threshold for liveness probe | `10` | +| `server.readinessProbe.enabled` | Enable readiness probe | `false` | +| `server.readinessProbe.initialDelaySeconds` | Initial delay for readiness probe | `10` | +| `server.readinessProbe.timeoutSeconds` | Timeout for readiness probe | `1` | +| `server.readinessProbe.periodSeconds` | Period for readiness probe | `10` | +| `server.readinessProbe.successThreshold` | Success threshold for readiness probe | `1` | +| `server.readinessProbe.failureThreshold` | Failure threshold for readiness probe | `3` | +| `server.automountServiceAccountToken` | Automount service account token | `true` | +| `server.extraEnvVars` | Extra environment variables | `[]` | +| `server.extraEnvVarsCM` | Name of existing ConfigMap for extra env vars | `""` | +| `server.extraEnvVarsSecret` | Name of existing Secret for extra env vars | `""` | +| `server.extraVolumes` | Extra volumes for the pod | `[]` | +| `server.extraVolumeMounts` | Extra volume mounts for the pod | `[]` | +| `server.existingSecret` | Existing secret for database credentials | `""` | +| `server.updateStrategy.type` | Update strategy type | `RollingUpdate` | +| `server.updateStrategy.rollingUpdate.maxSurge` | Max surge during update | `25%` | +| `server.updateStrategy.rollingUpdate.maxUnavailable` | Max unavailable during update | `25%` | +| `server.rbac.create` | Create RBAC resources | `false` | +| `server.rbac.rules` | RBAC rules for the application | `[]` | +| `server.pdb.create` | Create pod disruption budget | `true` | +| `server.pdb.minAvailable` | Minimum available pods for disruption budget | `""` | +| `server.pdb.maxUnavailable` | Maximum unavailable pods for disruption budget | `""` | +| `server.resourcesPreset` | Resource preset for the server | `small` | +| `server.resources.limits.cpu` | CPU limit for the server | `1500m` | +| `server.resources.limits.memory` | Memory limit for the server | `2Gi` | +| `server.resources.requests.cpu` | CPU request for the server | `1000m` | +| `server.resources.requests.memory`| Memory request for the server | `1Gi` | +| `server.customStartupProbe` | Custom startup probe configuration | `{}` | +| `server.customLivenessProbe` | Custom liveness probe configuration | `{}` | +| `server.customReadinessProbe` | Custom readiness probe configuration | `{}` | +| `server.containerPorts.http` | HTTP port for the server | `5000` | +| `server.sidecars` | Sidecar containers for the server | `[]` | +| `server.configuration` | Custom configuration for the server | `[]` | +| `server.autoscaling.enabled` | Enable autoscaling | `false` | +| `server.autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | +| `server.autoscaling.maxReplicas` | Maximum replicas for autoscaling | `11` | +| `server.autoscaling.targetCPU` | Target CPU utilization for autoscaling | `""` | +| `server.autoscaling.targetMemory`| Target memory utilization for autoscaling | `""` | +| `server.autoscaling.behavior.scaleUp.stabilizationWindowSeconds` | Stabilization window for scale up | `120` | +| `server.autoscaling.behavior.scaleUp.selectPolicy` | Select policy for scale up | `Max` | +| `server.autoscaling.behavior.scaleUp.policies` | Scale up policies | `[]` | +| `server.autoscaling.behavior.scaleDown.stabilizationWindowSeconds` | Stabilization window for scale down | `300` | +| `server.autoscaling.behavior.scaleDown.selectPolicy` | Select policy for scale down | `Max` | +| `server.autoscaling.behavior.scaleDown.policies` | Policies for scale down | `[{type: Pods, value: 1, periodSeconds: 300}]` | +| `server.autoscaling.behavior.scaleDown.policies[0].type` | Type of resource for scaling down | `Pods` | +| `server.autoscaling.behavior.scaleDown.policies[0].value` | Number of resources to scale down | `1` | +| `server.autoscaling.behavior.scaleDown.policies[0].periodSeconds` | Period for applying the scale down policy | `300` | +| `workers.adhoc.env.QUEUES` | Queues for ad-hoc workers | `queries` | +| `workers.adhoc.env.WORKERS_COUNT` | Number of ad-hoc workers | `2` | +| `workers.scheduled.env.QUEUES` | Queues for scheduled workers | `scheduled_queries,schemas` | +| `workers.scheduled.env.WORKERS_COUNT` | Number of scheduled workers | `1` | +| `workers.generic.env.QUEUES` | Queues for generic workers | `periodic,emails,default` | +| `workers.generic.env.WORKERS_COUNT` | Number of generic workers | `1` | +| `worker.replicaCount` | Number of replicas for the worker | `1` | +| `worker.image.registry` | Docker registry for the worker image | `docker.io` | +| `worker.image.repository` | Repository for the worker image | `formsflow/redash` | +| `worker.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `worker.image.tag` | Tag for the worker image | `24.04.0` | +| `worker.image.pullSecrets` | Secrets for pulling the image | `forms-flow-ai-auth` | +| `worker.nameOverride` | Override for the worker name | `""` | +| `worker.fullnameOverride` | Full override for the worker name | `""` | +| `worker.commonLabels` | Common labels for the worker | `{}` | +| `worker.commonAnnotations` | Common annotations for the worker | `{}` | +| `worker.podAnnotations` | Annotations for the worker pod | `{}` | +| `worker.podLabels` | Extra labels for the worker pod | `{}` | +| `worker.podSecurityContext.fsGroup` | File system group for the worker | `1001` | +| `worker.containerSecurityContext.runAsUser` | User ID to run the container | `1001` | +| `worker.containerSecurityContext.runAsGroup` | Group ID to run the container | `1001` | +| `worker.resources.limits.cpu` | CPU limit for the worker | `200m` | +| `worker.resources.limits.memory` | Memory limit for the worker | `2Gi` | +| `worker.resources.requests.cpu` | CPU request for the worker | `180m` | +| `worker.resources.requests.memory` | Memory request for the worker | `1Gi` | +| `worker.containerPorts.http` | HTTP port for the worker | `5000` | +| `scheduler.replicaCount` | Number of replicas for the scheduler | `1` | +| `scheduler.image.registry` | Docker registry for the scheduler image | `docker.io` | +| `scheduler.image.repository` | Repository for the scheduler image | `formsflow/redash` | +| `scheduler.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `scheduler.image.tag` | Tag for the scheduler image | `24.04.0` | +| `scheduler.image.pullSecrets` | Secrets for pulling the image | `forms-flow-ai-auth` | +| `scheduler.nameOverride` | Override for the scheduler name | `""` | +| `scheduler.fullnameOverride` | Full override for the scheduler name | `""` | +| `scheduler.commonLabels` | Common labels for the scheduler | `{}` | +| `scheduler.commonAnnotations` | Common annotations for the scheduler | `{}` | +| `scheduler.podAnnotations` | Annotations for the scheduler pod | `{}` | +| `scheduler.podLabels` | Extra labels for the scheduler pod | `{}` | +| `scheduler.podAffinityPreset` | Pod affinity preset for the scheduler | `""` | +| `scheduler.podAntiAffinityPreset` | Pod anti-affinity preset for the scheduler | `soft` | +| `scheduler.nodeSelector` | Node labels for pod assignment | `{}` | +| `scheduler.tolerations` | Tolerations for pod assignment | `[]` | +| `scheduler.affinity` | Affinity rules for pod assignment | `{}` | +| `scheduler.priorityClassName` | Pod priority class name | `""` | +| `scheduler.schedulerName` | Custom scheduler name for the scheduler | `""` | +| `scheduler.terminationGracePeriodSeconds` | Grace period for termination | `""` | +| `scheduler.topologySpreadConstraints` | Topology spread constraints for pod assignment | `[]` | +| `scheduler.diagnosticMode.enabled` | Enable diagnostic mode for the scheduler | `false` | +| `scheduler.hostAliases` | Host aliases for the scheduler | `[]` | +| `scheduler.podSecurityContext.enabled` | Enable pod security context | `false` | +| `scheduler.containerSecurityContext.enabled` | Enable container security context | `false` | +| `scheduler.updateStrategy.type` | Update strategy for the scheduler | `Recreate` | +| `scheduler.rbac.create` | Create RBAC resources for the scheduler | `false` | +| `scheduler.pdb.create` | Create Pod Disruption Budget for the scheduler | `true` | +| `scheduler.resourcesPreset` | Resources preset for the scheduler | `small` | +| `scheduler.customStartupProbe` | Custom startup probe for the scheduler | `{}` | +| `scheduler.customLivenessProbe` | Custom liveness probe for the scheduler | `{}` | +| `scheduler.customReadinessProbe` | Custom readiness probe for the scheduler | `{}` | +| `scheduler.autoscaling.enabled` | Enable autoscaling for the scheduler | `false` | +| `scheduler.autoscaling.minReplicas` | Minimum replicas for autoscaling | `1` | +| `scheduler.autoscaling.maxReplicas` | Maximum replicas for autoscaling | `11` | +| `scheduler.autoscaling.targetCPU` | Target CPU utilization for autoscaling | `""` | +| `scheduler.autoscaling.targetMemory` | Target memory utilization for autoscaling | `""` | +| `autoscaling.behavior.scaleUp.stabilizationWindowSeconds` | Time in seconds to consider past recommendations when scaling up | `120` | +| `autoscaling.behavior.scaleUp.selectPolicy` | Priority of policies that the autoscaler will apply when scaling up | `Max` | +| `autoscaling.behavior.scaleUp.policies` | Policies for scaling up | `[]` | +| `autoscaling.behavior.scaleDown.stabilizationWindowSeconds` | Time in seconds to consider past recommendations when scaling down | `300` | +| `autoscaling.behavior.scaleDown.selectPolicy` | Priority of policies that the autoscaler will apply when scaling down | `Max` | +| `autoscaling.behavior.scaleDown.policies` | Policies for scaling down | `- type: Pods, value: 1, periodSeconds: 300` | + + +## Ingress Parameters + +| Parameter | Description | Default Value | +|-----------------------------------------------------------|-------------------------------------------------------|------------------------------| +| `ingress.enabled` | Enable ingress record generation | `true` | +| `ingress.ingressClassName` | IngressClass to implement the Ingress | `""` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.apiVersion` | Force Ingress API version | `""` | +| `ingress.controller` | The ingress controller type | `default` | +| `ingress.hostname` | Default host for the ingress record | `forms-flow-analytics.local` | +| `ingress.path` | Default path for the ingress record | `/redash` | +| `ingress.servicePort` | Backend service port to use | `5000` | +| `ingress.annotations` | Additional annotations for the Ingress resource | `{}` | +| `ingress.labels` | Additional labels for the Ingress resource | `{}` | +| `ingress.tls` | Enable TLS configuration for the defined hostname | `true` | +| `ingress.selfSigned` | Create a TLS secret with self-signed certificates | `false` | +| `ingress.extraHosts` | Additional hostname(s) to be covered | `[]` | +| `ingress.extraPaths` | Additional paths to be added to the ingress | `[]` | +| `ingress.extraTls` | TLS configuration for additional hostnames | `[]` | +| `ingress.secrets` | Add custom certificates as secrets | `[]` | +| `ingress.extraRules` | Additional rules for the ingress record | `[]` | +| `ingress.subFilterHost` | Sub-filter host for analytics application; Use the default hostname | `forms-flow-analytics.local` | + +## Service Parameters + +| Parameter | Description | Default Value | +|------------------------------------------------------------|--------------------------------------------------------|--------------------| +| `service.type` | Kubernetes service type (`ClusterIP`, `NodePort`, `LoadBalancer`) | `ClusterIP` | +| `service.ports` | Service ports (evaluated as a template) | | +| `service.loadBalancerIP` | LoadBalancer IP if service type is `LoadBalancer` | `""` | +| `service.loadBalancerSourceRanges` | Allowed addresses for LoadBalancer service | `[]` | +| `service.externalTrafficPolicy` | External traffic policy to preserve client source IP | `""` | +| `service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `service.annotations` | Annotations for the service | `{}` | +| `service.sessionAffinity` | Session Affinity for Kubernetes service | `None` | +| `service.sessionAffinityConfig` | Additional settings for sessionAffinity | `{}` | +| `service.headless.annotations` | Annotations for the headless service | `{}` | + +## Redash and Database Parameters + +| Parameter | Description | Default Value | +|------------------------------------------------------------|--------------------------------------------------------|------------------------------------| +| `redash.multiorg` | Multi-organization setting for Redash | `"false"` | +| `redash.database.password` | Admin password for Redash database | `postgres` | +| `redash.database.url` | Redash database URL | `postgresql://postgres:postgres@forms-flow-analytics-postgresql:5432/postgres` | +| `database.username` | Username for the database | `postgres` | +| `database.password` | Password for the database | `postgres` | +| `database.servicename` | Service name for the database | `forms-flow-ai-postgresql-ha-pgpool` | +| `database.port` | Port for the database | `5432` | +| `database.dbName` | Database name for forms-flow-analytics | `forms-flow-analytics` | +| `ExternalDatabase.ExistingDatabaseNameKey` | Existing database name key | `""` | +| `ExternalDatabase.ExistingDatabaseUserNameKey` | Existing database username key | `""` | +| `ExternalDatabase.ExistingDatabasePasswordKey` | Existing database password key | `""` | +| `ExternalDatabase.ExistingDatabaseHostKey` | Existing database host key | `""` | +| `ExternalDatabase.ExistingDatabasePortKey` | Existing database port key | `""` | +| `ExternalDatabase.ExistingSecretName` | Name of the existing secret | `""` | +| `ExternalDatabase.ExistingConfigmapName` | Name of the existing config map | `""` | + diff --git a/charts/forms-flow-analytics/templates/_helpers.tpl b/charts/forms-flow-analytics/templates/_helpers.tpl new file mode 100644 index 00000000..ea4e7f83 --- /dev/null +++ b/charts/forms-flow-analytics/templates/_helpers.tpl @@ -0,0 +1,568 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "redash.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "redash.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 43 chars because some Kubernetes name fields are limited to 64 (by the DNS naming spec), +and we use this as a base for component names (which can add up to 20 chars). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "redash.fullname" -}} +{{- with .Values.fullnameOverride -}} +{{- . | trunc 43 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 43 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 43 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified worker name. +*/}} +{{- define "redash.worker.fullname" -}} +{{- template "redash.fullname" . -}}-{{ .workerName }}-worker +{{- end -}} + +{{/* +Create a default fully qualified scheduler name. +*/}} +{{- define "redash.scheduler.fullname" -}} +{{- template "redash.fullname" . -}}-scheduler +{{- end -}} + +{{/* +Create a default fully qualified postgresql name. +*/}} +{{- define "redash.postgresql.fullname" -}} +{{- if .Values.postgresql.enabled -}} + {{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- printf "%s" .Values.postgresql.fullnameOverride -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified redis name. +*/}} +{{- define "redash.redis.fullname" -}} +{{- printf "%s-%s" .Release.Name "redis-master" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Get the secret name. +*/}} +{{- define "redash.secretName" -}} +{{- if .Values.redash.existingSecret }} + {{- printf "%s" .Values.redash.existingSecret -}} +{{- else -}} + {{- printf "%s" (include "redash.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Shared environment block used across each component. +*/}} +{{- define "redash.env" -}} +{{- if not .Values.postgresql.enabled -}} +{{- if not .Values.redash.selfManagedSecrets -}} +- name: REDASH_DATABASE_URL + {{- with .Values.externalPostgreSQLSecret }} + valueFrom: + secretKeyRef: {{ toYaml . | nindent 6 }} + {{- else }} + value: {{ default "" .Values.externalPostgreSQL | quote }} + {{- end }} +- name: REDASH_DATABASE_USER + value: {{ .Values.postgresql.auth.username | quote }} +- name: REDASH_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "redash.fullname" . }} + key: redashDatabasePassword +- name: REDASH_DATABASE_HOSTNAME + value: {{ include "redash.postgresql.fullname" . }} +- name: REDASH_DATABASE_PORT + value: {{ .Values.postgresql.primary.service.ports.postgresql | quote }} +- name: REDASH_DATABASE_NAME + value: {{ .Values.postgresql.auth.database | quote }} +{{- end }} +{{- else -}} +- name: REDASH_DATABASE_USER + value: {{ .Values.postgresql.auth.username | quote }} +- name: REDASH_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgresql + key: password +- name: REDASH_DATABASE_HOSTNAME + value: {{ include "redash.postgresql.fullname" . }} +- name: REDASH_DATABASE_PORT + value: {{ .Values.postgresql.primary.service.ports.postgresql | quote }} +- name: REDASH_DATABASE_NAME + value: {{ .Values.postgresql.auth.database | quote }} +{{- end -}} +{{- if not .Values.redis.enabled }} +{{- if not .Values.redash.selfManagedSecrets }} +- name: REDASH_REDIS_URL + {{- with .Values.externalRedisSecret }} + valueFrom: + secretKeyRef: {{ toYaml . | nindent 6 }} + {{- else }} + value: {{ default "" .Values.externalRedis | quote }} + {{- end }} +{{- end }} +{{- else }} +- name: REDASH_REDIS_PASSWORD + valueFrom: + secretKeyRef: + {{- with .Values.redis.existingSecret }} + name: {{ . }} + {{- else }} + name: {{ .Release.Name }}-redis + {{- end }} + key: redis-password +- name: REDASH_REDIS_HOSTNAME + value: {{ include "redash.redis.fullname" . }} +- name: REDASH_REDIS_PORT + value: {{ .Values.redis.master.service.ports.redis | quote }} +- name: REDASH_REDIS_NAME + value: {{ .Values.redis.database | quote }} +{{- end }} +{{- range $key, $value := .Values.env }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end }} +## Start primary Redash configuration +{{- if not .Values.redash.selfManagedSecrets }} +{{- if or .Values.redash.secretKey .Values.redash.existingSecret }} +- name: REDASH_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ include "redash.secretName" . }} + key: secretKey +{{- end }} +{{- end }} +{{- with .Values.redash.samlSchemeOverride }} +- name: REDASH_SAML_SCHEME_OVERRIDE + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.disablePublicUrls }} +- name: REDASH_DISABLE_PUBLIC_URLS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.blockedDomains }} +- name: REDASH_BLOCKED_DOMAINS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.proxiesCount }} +- name: REDASH_PROXIES_COUNT + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.statsdEnabled }} +- name: REDASH_STATSD_ENABLED + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.statsdHost }} +- name: REDASH_STATSD_HOST + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.statsdPort }} +- name: REDASH_STATSD_PORT + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.statsdPrefix }} +- name: REDASH_STATSD_PREFIX + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.statsdUseTags }} +- name: REDASH_STATSD_USE_TAGS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.queryResultsCleanupEnabled }} +- name: REDASH_QUERY_RESULTS_CLEANUP_ENABLED + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.queryResultsCleanupCount }} +- name: REDASH_QUERY_RESULTS_CLEANUP_COUNT + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.queryResultsCleanupMaxAge }} +- name: REDASH_QUERY_RESULTS_CLEANUP_MAX_AGE + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.schemasRefreshSchedule }} +- name: REDASH_SCHEMAS_REFRESH_SCHEDULE + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.authType }} +- name: REDASH_AUTH_TYPE + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.enforceHttps }} +- name: REDASH_ENFORCE_HTTPS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.invitationTokenMaxAge }} +- name: REDASH_INVITATION_TOKEN_MAX_AGE + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.multiOrg }} +- name: REDASH_MULTI_ORG + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.googleClientId }} +- name: REDASH_GOOGLE_CLIENT_ID + value: {{ quote . }} +{{- end }} +{{- if not .Values.redash.selfManagedSecrets }} +{{- if or .Values.redash.googleClientSecret .Values.redash.existingSecret }} +- name: REDASH_GOOGLE_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ include "redash.secretName" . }} + key: googleClientSecret +{{- end }} +{{- end }} +{{- with .Values.redash.remoteUserLoginEnabled }} +- name: REDASH_REMOTE_USER_LOGIN_ENABLED + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.remoteUserHeader }} +- name: REDASH_REMOTE_USER_HEADER + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.ldapLoginEnabled }} +- name: REDASH_LDAP_LOGIN_ENABLED + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.ldapUrl }} +- name: REDASH_LDAP_URL + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.ldapBindDn }} +- name: REDASH_LDAP_BIND_DN + value: {{ quote . }} +{{- end }} +{{- if not .Values.redash.selfManagedSecrets }} +{{- if or .Values.redash.ldapBindDnPassword .Values.redash.existingSecret }} +- name: REDASH_LDAP_BIND_DN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "redash.secretName" . }} + key: ldapBindDnPassword +{{- end }} +{{- end }} +{{- with .Values.redash.ldapDisplayNameKey }} +- name: REDASH_LDAP_DISPLAY_NAME_KEY + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.ldapEmailKey }} +- name: REDASH_LDAP_EMAIL_KEY + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.ldapCustomUsernamePrompt }} +- name: REDASH_LDAP_CUSTOM_USERNAME_PROMPT + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.ldapSearchTemplate }} +- name: REDASH_LDAP_SEARCH_TEMPLATE + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.ldapSearchDn }} +- name: REDASH_LDAP_SEARCH_DN + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.staticAssetsPath }} +- name: REDASH_STATIC_ASSETS_PATH + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.jobExpiryTime }} +- name: REDASH_JOB_EXPIRY_TIME + value: {{ quote . }} +{{- end }} +{{- if not .Values.redash.selfManagedSecrets }} +{{- if or .Values.redash.cookieSecret .Values.redash.existingSecret }} +- name: REDASH_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ include "redash.secretName" . }} + key: cookieSecret +{{- end }} +{{- end }} +{{- with .Values.redash.logLevel }} +- name: REDASH_LOG_LEVEL + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.mailServer }} +- name: REDASH_MAIL_SERVER + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.mailPort }} +- name: REDASH_MAIL_PORT + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.mailUseTls }} +- name: REDASH_MAIL_USE_TLS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.mailUseSsl }} +- name: REDASH_MAIL_USE_SSL + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.mailUsername }} +- name: REDASH_MAIL_USERNAME + value: {{ quote . }} +{{- end }} +{{- if not .Values.redash.selfManagedSecrets }} +{{- if or .Values.redash.mailPassword .Values.redash.existingSecret }} +- name: REDASH_MAIL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "redash.secretName" . }} + key: mailPassword +{{- end }} +{{- end }} +{{- with .Values.redash.mailDefaultSender }} +- name: REDASH_MAIL_DEFAULT_SENDER + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.mailMaxEmails }} +- name: REDASH_MAIL_MAX_EMAILS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.mailAsciiAttachments }} +- name: REDASH_MAIL_ASCII_ATTACHMENTS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.host }} +- name: REDASH_HOST + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.alertsDefaultMailSubjectTemplate }} +- name: REDASH_ALERTS_DEFAULT_MAIL_SUBJECT_TEMPLATE + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.throttleLoginPattern }} +- name: REDASH_THROTTLE_LOGIN_PATTERN + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.limiterStorage }} +- name: REDASH_LIMITER_STORAGE + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.corsAccessControlAllowOrigin }} +- name: REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.corsAccessControlAllowCredentials }} +- name: REDASH_CORS_ACCESS_CONTROL_ALLOW_CREDENTIALS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.corsAccessControlRequestMethod }} +- name: REDASH_CORS_ACCESS_CONTROL_REQUEST_METHOD + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.corsAccessControlAllowHeaders }} +- name: REDASH_CORS_ACCESS_CONTROL_ALLOW_HEADERS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.enabledQueryRunners }} +- name: REDASH_ENABLED_QUERY_RUNNERS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.additionalQueryRunners }} +- name: REDASH_ADDITIONAL_QUERY_RUNNERS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.disabledQueryRunners }} +- name: REDASH_DISABLED_QUERY_RUNNERS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.scheduledQueryTimeLimit }} +- name: REDASH_SCHEDULED_QUERY_TIME_LIMIT + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.adhocQueryTimeLimit }} +- name: REDASH_ADHOC_QUERY_TIME_LIMIT + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.enabledDestinations }} +- name: REDASH_ENABLED_DESTINATIONS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.additionalDestinations }} +- name: REDASH_ADDITIONAL_DESTINATIONS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.eventReportingWebhooks }} +- name: REDASH_EVENT_REPORTING_WEBHOOKS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.sentryDsn }} +- name: REDASH_SENTRY_DSN + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.allowScriptsInUserInput }} +- name: REDASH_ALLOW_SCRIPTS_IN_USER_INPUT + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.dashboardRefreshIntervals }} +- name: REDASH_DASHBOARD_REFRESH_INTERVALS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.queryRefreshIntervals }} +- name: REDASH_QUERY_REFRESH_INTERVALS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.passwordLoginEnabled }} +- name: REDASH_PASSWORD_LOGIN_ENABLED + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.samlMetadataUrl }} +- name: REDASH_SAML_METADATA_URL + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.samlEntityId }} +- name: REDASH_SAML_ENTITY_ID + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.samlNameidFormat }} +- name: REDASH_SAML_NAMEID_FORMAT + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.dateFormat }} +- name: REDASH_DATE_FORMAT + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.jwtLoginEnabled }} +- name: REDASH_JWT_LOGIN_ENABLED + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.jwtAuthIssuer }} +- name: REDASH_JWT_AUTH_ISSUER + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.jwtAuthPublicCertsUrl }} +- name: REDASH_JWT_AUTH_PUBLIC_CERTS_URL + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.jwtAuthAudience }} +- name: REDASH_JWT_AUTH_AUDIENCE + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.jwtAuthAlgorithms }} +- name: REDASH_JWT_AUTH_ALGORITHMS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.jwtAuthCookieName }} +- name: REDASH_JWT_AUTH_COOKIE_NAME + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.jwtAuthHeaderName }} +- name: REDASH_JWT_AUTH_HEADER_NAME + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.featureShowQueryResultsCount }} +- name: REDASH_FEATURE_SHOW_QUERY_RESULTS_COUNT + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.versionCheck }} +- name: REDASH_VERSION_CHECK + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.featureDisableRefreshQueries }} +- name: REDASH_FEATURE_DISABLE_REFRESH_QUERIES + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.featureShowPermissionsControl }} +- name: REDASH_FEATURE_SHOW_PERMISSIONS_CONTROL + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.featureAllowCustomJsVisualizations }} +- name: REDASH_FEATURE_ALLOW_CUSTOM_JS_VISUALIZATIONS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.featureAutoPublishNamedQueries }} +- name: REDASH_FEATURE_AUTO_PUBLISH_NAMED_QUERIES + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.bigqueryHttpTimeout }} +- name: REDASH_BIGQUERY_HTTP_TIMEOUT + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.schemaRunTableSizeCalculations }} +- name: REDASH_SCHEMA_RUN_TABLE_SIZE_CALCULATIONS + value: {{ quote . }} +{{- end }} +{{- with .Values.redash.webWorkers }} +- name: REDASH_WEB_WORKERS + value: {{ quote . }} +{{- end }} +## End primary Redash configuration +{{- end -}} + +{{/* +Environment variables initialized from secret used across each component. +*/}} +{{- define "redash.envFrom" -}} +{{- with .Values.envSecretName -}} +- secretRef: + name: {{ . }} +{{- end -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "redash.labels" -}} +helm.sh/chart: {{ include "redash.chart" . }} +{{ include "redash.selectorLabels" . }} +{{- with .workerName }} +app.kubernetes.io/component: {{ . }}worker +{{- end }} +{{- if or .Chart.AppVersion .Values.image.tag }} +app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Values.commonLabels }} +{{ tpl (toYaml .Values.commonLabels) . }} +{{- end }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "redash.selectorLabels" -}} +app.kubernetes.io/name: {{ include "redash.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "redash.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "redash.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +# This ensures a random value is provided for postgresql.auth.password: +required "A secure random value for .postgresql.auth.password is required" .Values.postgresql.auth.password \ No newline at end of file diff --git a/charts/forms-flow-analytics/templates/configmap.yaml b/charts/forms-flow-analytics/templates/configmap.yaml deleted file mode 100644 index cb5edf5f..00000000 --- a/charts/forms-flow-analytics/templates/configmap.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app: "{{ .Chart.Name }}" - name: "{{ .Chart.Name }}" -data: - REDASH_HOST: "{{ tpl .Values.ingress.hostname . }}" - REDASH_DATABASE_URL: "{{ tpl .Values.database.url . }}" - REDASH_DATABASE_USERNAME: "{{ .Values.database.username }}" - diff --git a/charts/forms-flow-analytics/templates/deployment.yaml b/charts/forms-flow-analytics/templates/deployment.yaml deleted file mode 100644 index ba3b9136..00000000 --- a/charts/forms-flow-analytics/templates/deployment.yaml +++ /dev/null @@ -1,297 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: "{{ .Chart.Name }}-server" - name: "{{ .Chart.Name }}-server" -spec: - replicas: 1 - selector: - matchLabels: - app: "{{ .Chart.Name }}-server" - strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 25% - type: RollingUpdate - template: - metadata: - labels: - app: "{{ .Chart.Name }}-server" - name: "{{ .Chart.Name }}-server" - spec: - containers: - - args: - - server - envFrom: - - configMapRef: - name: "{{ .Chart.Name }}" # default redash environment variables - - secretRef: - name: "{{ .Chart.Name }}" # default redash environment variables - env: - {{- if .Values.externalDatabase.existingDatabaseUrlKey }} - - name: REDASH_DATABASE_URL - valueFrom: - secretKeyRef: - key: {{ .Values.externalDatabase.existingDatabaseUrlKey }} - name: "{{ .Values.externalDatabase.existingSecretName }}" - {{- end }} - {{- if not .Values.externalDatabase.existingDatabaseUrlKey }} - - name: REDASH_DATABASE_URL - valueFrom: - configMapKeyRef: - key: REDASH_DATABASE_URL - name: "{{ .Chart.Name }}" - {{- end }} - - name: REDASH_WEB_WORKERS - value: "4" - - name: GUNICORN_CMD_ARGS - value: "--timeout 300" - - name: REDASH_MULTI_ORG - valueFrom: - secretKeyRef: - key: REDASH_MULTI_ORG - name: "{{ .Chart.Name }}" - image: "{{ .Values.redash.image.registry}}/{{ .Values.redash.image.repository }}:{{ .Values.redash.image.tag }}" - imagePullPolicy: Always - lifecycle: - postStart: - exec: - command: ["/bin/sh", "-c", "python -v ./manage.py database create_tables"] - name: "{{ .Chart.Name }}-server" - ports: - - containerPort: {{ int .Values.ingress.port }} - protocol: TCP - resources: - limits: - cpu: "{{ .Values.resources.limits.cpu }}" - memory: "{{ .Values.resources.limits.memory }}" - requests: - cpu: "{{ .Values.resources.requests.cpu }}" - memory: "{{ .Values.resources.requests.memory }}" - restartPolicy: Always - imagePullSecrets: - - name: "{{ .Values.formsflow.auth}}" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: "{{ .Chart.Name }}-adhoc-worker" - name: "{{ .Chart.Name }}-adhoc-worker" -spec: - replicas: 1 - selector: - matchLabels: - app: "{{ .Chart.Name }}-adhoc-worker" - strategy: - template: - metadata: - labels: - app: "{{ .Chart.Name }}-adhoc-worker" - spec: - containers: - - args: - - worker - envFrom: - - configMapRef: - name: "{{ .Chart.Name }}" # default redash environment variables - - secretRef: - name: "{{ .Chart.Name }}" # default redash environment variables - env: - {{- if .Values.externalDatabase.existingDatabaseUrlKey }} - - name: REDASH_DATABASE_URL - valueFrom: - secretKeyRef: - key: {{ .Values.externalDatabase.existingDatabaseUrlKey }} - name: "{{ .Values.externalDatabase.existingSecretName }}" - {{- end }} - {{- if not .Values.externalDatabase.existingDatabaseUrlKey }} - - name: REDASH_DATABASE_URL - valueFrom: - configMapKeyRef: - key: REDASH_DATABASE_URL - name: "{{ .Chart.Name }}" - {{- end }} - - name: WORKERS_COUNT - value: "2" - image: "{{ .Values.redash.image.registry}}/{{ .Values.redash.image.repository }}:{{ .Values.redash.image.tag }}" - name: "{{ .Chart.Name }}-adhoc-worker" - imagePullPolicy: Always - resources: - limits: - cpu: "{{ .Values.resources.limits.cpu }}" - memory: "{{ .Values.resources.limits.memory }}" - requests: - cpu: "{{ .Values.resources.requests.cpu }}" - memory: "{{ .Values.resources.requests.memory }}" - restartPolicy: Always - imagePullSecrets: - - name: "{{ .Values.formsflow.auth}}" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: "{{ .Chart.Name }}-scheduled-worker" - name: "{{ .Chart.Name }}-scheduled-worker" -spec: - replicas: 1 - selector: - matchLabels: - app: "{{ .Chart.Name }}-scheduled-worker" - strategy: - template: - metadata: - labels: - app: "{{ .Chart.Name }}-scheduled-worker" - spec: - containers: - - args: - - worker - envFrom: - - configMapRef: - name: "{{ .Chart.Name }}" # default redash environment variables - - secretRef: - name: "{{ .Chart.Name }}" # default redash environment variables - env: - {{- if .Values.externalDatabase.existingDatabaseUrlKey }} - - name: REDASH_DATABASE_URL - valueFrom: - secretKeyRef: - key: {{ .Values.externalDatabase.existingDatabaseUrlKey }} - name: "{{ .Values.externalDatabase.existingSecretName }}" - {{- end }} - {{- if not .Values.externalDatabase.existingDatabaseUrlKey }} - - name: REDASH_DATABASE_URL - valueFrom: - configMapKeyRef: - key: REDASH_DATABASE_URL - name: "{{ .Chart.Name }}" - {{- end }} - - name: WORKERS_COUNT - value: "1" - image: "{{ .Values.redash.image.registry}}/{{ .Values.redash.image.repository }}:{{ .Values.redash.image.tag }}" - name: "{{ .Chart.Name }}-scheduled-worker" - resources: - limits: - cpu: "{{ .Values.resources.limits.cpu }}" - memory: "{{ .Values.resources.limits.memory }}" - requests: - cpu: "{{ .Values.resources.requests.cpu }}" - memory: "{{ .Values.resources.requests.memory }}" - restartPolicy: Always - imagePullSecrets: - - name: "{{ .Values.formsflow.auth}}" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: "{{ .Chart.Name }}-scheduler" - name: "{{ .Chart.Name }}-scheduler" -spec: - replicas: 1 - selector: - matchLabels: - app: "{{ .Chart.Name }}-scheduler" - strategy: - template: - metadata: - labels: - app: "{{ .Chart.Name }}-scheduler" - spec: - containers: - - args: - - scheduler - envFrom: - - configMapRef: - name: "{{ .Chart.Name }}" # default redash environment variables - - secretRef: - name: "{{ .Chart.Name }}" # default redash environment variables - env: - {{- if .Values.externalDatabase.existingDatabaseUrlKey }} - - name: REDASH_DATABASE_URL - valueFrom: - secretKeyRef: - key: {{ .Values.externalDatabase.existingDatabaseUrlKey }} - name: "{{ .Values.externalDatabase.existingSecretName }}" - {{- end }} - {{- if not .Values.externalDatabase.existingDatabaseUrlKey }} - - name: REDASH_DATABASE_URL - valueFrom: - configMapKeyRef: - key: REDASH_DATABASE_URL - name: "{{ .Chart.Name }}" - {{- end }} - image: "{{ .Values.redash.image.registry}}/{{ .Values.redash.image.repository }}:{{ .Values.redash.image.tag }}" - name: "{{ .Chart.Name }}-scheduler" - imagePullPolicy: Always - resources: - limits: - cpu: "{{ .Values.resources.limits.cpu }}" - memory: "{{ .Values.resources.limits.memory }}" - requests: - cpu: "{{ .Values.resources.requests.cpu }}" - memory: "{{ .Values.resources.requests.memory }}" - restartPolicy: Always - imagePullSecrets: - - name: "{{ .Values.formsflow.auth}}" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: "{{ .Chart.Name }}-worker" - name: "{{ .Chart.Name }}-worker" -spec: - replicas: 1 - selector: - matchLabels: - app: "{{ .Chart.Name }}-worker" - strategy: - template: - metadata: - labels: - app: "{{ .Chart.Name }}-worker" - spec: - containers: - - args: - - worker - envFrom: - - configMapRef: - name: "{{ .Chart.Name }}" # default redash environment variables - - secretRef: - name: "{{ .Chart.Name }}" # default redash environment variables - env: - {{- if .Values.externalDatabase.existingDatabaseUrlKey }} - - name: REDASH_DATABASE_URL - valueFrom: - secretKeyRef: - key: {{ .Values.externalDatabase.existingDatabaseUrlKey }} - name: "{{ .Values.externalDatabase.existingSecretName }}" - {{- end }} - {{- if not .Values.externalDatabase.existingDatabaseUrlKey }} - - name: REDASH_DATABASE_URL - valueFrom: - configMapKeyRef: - key: REDASH_DATABASE_URL - name: "{{ .Chart.Name }}" - {{- end }} - - name: QUEUES - value: "periodic_emails,default" - - name: WORKERS_COUNT - value: "1" - image: "{{ .Values.redash.image.registry}}/{{ .Values.redash.image.repository }}:{{ .Values.redash.image.tag }}" - name: "{{ .Chart.Name }}-worker" - imagePullPolicy: Always - resources: - limits: - cpu: "{{ .Values.resources.limits.cpu }}" - memory: "{{ .Values.resources.limits.memory }}" - requests: - cpu: "{{ .Values.resources.requests.cpu }}" - memory: "{{ .Values.resources.requests.memory }}" - restartPolicy: Always - imagePullSecrets: - - name: "{{ .Values.formsflow.auth}}" diff --git a/charts/forms-flow-analytics/templates/extra-manifests.yaml b/charts/forms-flow-analytics/templates/extra-manifests.yaml new file mode 100644 index 00000000..f17b1a93 --- /dev/null +++ b/charts/forms-flow-analytics/templates/extra-manifests.yaml @@ -0,0 +1,8 @@ +{{ range .Values.extraObjects }} +--- +{{- if typeIs "string" . }} + {{- tpl . $ }} +{{- else }} + {{- tpl (toYaml .) $ }} +{{- end }} +{{ end }} diff --git a/charts/forms-flow-analytics/templates/hook-migrations-job.yaml b/charts/forms-flow-analytics/templates/hook-migrations-job.yaml new file mode 100644 index 00000000..3bd245df --- /dev/null +++ b/charts/forms-flow-analytics/templates/hook-migrations-job.yaml @@ -0,0 +1,73 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ .Release.Name }}-migrations" + labels: + {{- include "redash.labels" . | nindent 4 }} + app.kubernetes.io/component: migrations + annotations: + # This is what defines this resource as a hook. + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + ttlSecondsAfterFinished: {{ .Values.migrations.ttlSecondsAfterFinished }} + template: + metadata: + name: "{{ .Release.Name }}" + labels: + {{- include "redash.selectorLabels" . | nindent 8 }} + {{- with .Values.migrations.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.migrations.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "redash.serviceAccountName" . }} + restartPolicy: Never + securityContext: {{ toYaml .Values.migrations.podSecurityContext | nindent 8 }} + {{- $initContainers := concat .Values.initContainers .Values.migrations.initContainers }} + {{- with $initContainers }} + initContainers: {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ include "redash.name" . }}-server + securityContext: {{ toYaml .Values.migrations.securityContext | nindent 10 }} + image: "{{ .Values.image.registry }}/{{ .Values.image.repo }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - create_db + env: + {{- $envCtx := mergeOverwrite (deepCopy .) (dict "Values" (dict "env" .Values.migrations.env)) -}} + {{- include "redash.env" $envCtx | nindent 10 }} + {{- if (include "redash.envFrom" .) }} + envFrom: + {{- include "redash.envFrom" . | nindent 10 }} + {{- end}} + {{- with .Values.migrations.resources }} + resources: {{ toYaml . | nindent 10 }} + {{- end }} + {{- $volumeMounts := concat .Values.volumeMounts .Values.migrations.volumeMounts }} + {{- with $volumeMounts }} + volumeMounts: {{ toYaml . | nindent 10 }} + {{- end }} + {{- $volumes := concat .Values.volumes .Values.migrations.volumes -}} + {{- with $volumes }} + volumes: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.migrations.nodeSelector }} + nodeSelector: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.migrations.affinity }} + affinity: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.migrations.tolerations }} + tolerations: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.migrations.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} \ No newline at end of file diff --git a/charts/forms-flow-analytics/templates/ingress.yaml b/charts/forms-flow-analytics/templates/ingress.yaml index d62d2459..a7d18855 100644 --- a/charts/forms-flow-analytics/templates/ingress.yaml +++ b/charts/forms-flow-analytics/templates/ingress.yaml @@ -1,35 +1,44 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "redash.fullname" . -}} +{{- $ingressPathType := .Values.ingress.pathType -}} +{{- $ingressPortNumber := .Values.ingress.port -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: + name: {{ $fullName }} labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} + {{- include "redash.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} annotations: -{{ toYaml .Values.ingress.annotations | indent 4 }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: - ingressClassName: {{ .Values.ingress.ingressClassName }} - {{- if or (and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} +{{- if .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} +{{- end }} +{{- if .Values.ingress.tls }} tls: - {{- if and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.secrets .Values.ingress.selfSigned) }} + {{- range .Values.ingress.tls }} - hosts: - - {{ (tpl .Values.ingress.hostname .) | quote }} - secretName: {{ printf "%s-tls" (tpl .Values.ingress.hostname .) }} - {{- else }} - - {} - {{- end}} - {{- else }} - tls: - - {} - {{- end}} + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} rules: - - - host: "{{ tpl .Values.ingress.hostname .}}" + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} http: paths: - - path: / - pathType: Prefix + {{- range .paths }} + - path: {{ . }} + pathType: {{ $ingressPathType }} backend: service: - name: {{ .Chart.Name }} + name: {{ $fullName }} port: - number: {{ .Values.ingress.port }} + number: {{ $ingressPortNumber }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/forms-flow-analytics/templates/proxy-config.yaml b/charts/forms-flow-analytics/templates/proxy-config.yaml new file mode 100644 index 00000000..8867d363 --- /dev/null +++ b/charts/forms-flow-analytics/templates/proxy-config.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "redash.fullname" . }}-nginx-config + labels: + {{- include "redash.labels" . | nindent 4 }} +data: + nginx.conf: | + events { worker_connections 1024; } + http { + server { + listen {{ .Values.ingress.port }}; + location /redash/ { + sub_filter ="/" ="/redash/"; + sub_filter ="/static/ ="/redash/static/; + sub_filter ="/api/ ="/redash/api/; + sub_filter ="/static/images/redash_icon_small.png ="/redash/static/images/redash_icon_small.png; + sub_filter url(/static/fonts) url(/redash/static/fonts); + sub_filter_once off; + sub_filter_types application/javascript text/css text/xml text/javascript application/json text/plain; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + sub_filter "http://{{ .Values.ingress.subFilterHost }}/" "https://{{ .Values.ingress.subFilterHost }}/"; + proxy_set_header SCRIPT_NAME /redash; + + proxy_pass http://localhost:{{ .Values.server.httpPort }}; + } + + } + } + pid /tmp/nginx.pid; \ No newline at end of file diff --git a/charts/forms-flow-analytics/templates/scheduler-deployment.yaml b/charts/forms-flow-analytics/templates/scheduler-deployment.yaml new file mode 100644 index 00000000..ea406829 --- /dev/null +++ b/charts/forms-flow-analytics/templates/scheduler-deployment.yaml @@ -0,0 +1,79 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "redash.scheduler.fullname" . }} + labels: + {{- include "redash.labels" . | nindent 4 }} + app.kubernetes.io/component: scheduler +spec: + replicas: {{ .Values.scheduler.replicaCount }} + strategy: + type: Recreate + selector: + matchLabels: + {{- include "redash.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: scheduler + template: + metadata: + labels: + {{- include "redash.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: scheduler + {{- with .Values.scheduler.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.scheduler.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{ with .Values.imagePullSecrets -}} + imagePullSecrets: {{ toYaml . | nindent 8 }} + {{ end -}} + serviceAccountName: {{ include "redash.serviceAccountName" . }} + securityContext: {{ toYaml .Values.scheduler.podSecurityContext | nindent 8 }} + {{- $initContainers := concat .Values.initContainers .Values.scheduler.initContainers }} + {{- with $initContainers }} + initContainers: {{ toYaml . | nindent 8 }} + {{- end }} + containers: + {{- with .Values.scheduler.extraContainers -}} + {{ toYaml . | nindent 8 }} + {{- end }} + - name: {{ include "redash.name" . }}-scheduler + securityContext: {{ toYaml .Values.scheduler.securityContext | nindent 12 }} + image: {{ .Values.image.registry }}/{{ .Values.image.repo }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- $volumeMounts := concat .Values.volumeMounts .Values.scheduler.volumeMounts }} + {{- with $volumeMounts }} + volumeMounts: {{ toYaml . | nindent 12 }} + {{- end }} + args: + - scheduler + env: + {{- $envCtx := mergeOverwrite (deepCopy .) (dict "Values" (dict "env" .Values.scheduler.env)) -}} + {{- include "redash.env" $envCtx | nindent 12 }} + {{- with (include "redash.envFrom" .) }} + envFrom: {{ . | nindent 12 }} + {{- end }} + {{- with .Values.scheduler.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.scheduler.livenessProbe }} + livenessProbe: {{ toYaml . | nindent 12 }} + {{- end }} + {{- $volumes := concat .Values.volumes .Values.scheduler.volumes }} + {{- with $volumes }} + volumes: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.scheduler.nodeSelector }} + nodeSelector: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.scheduler.affinity }} + affinity: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.scheduler.tolerations }} + tolerations: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.scheduler.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/charts/forms-flow-analytics/templates/secret.yaml b/charts/forms-flow-analytics/templates/secret.yaml deleted file mode 100644 index 44cb0966..00000000 --- a/charts/forms-flow-analytics/templates/secret.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - app: "{{ .Chart.Name }}" - name: "{{ .Chart.Name }}" -stringData: - POSTGRES_HOST_AUTH_METHOD: trust - POSTGRES_PASSWORD: postgres - PYTHONUNBUFFERED: "0" - REDASH_COOKIE_SECRET: redash-selfhosted - REDASH_LOG_LEVEL: INFO - REDASH_REDIS_URL: "redis://redis-exporter:6379/0" # url of the redis database to connect to - REDASH_SECRET_KEY: redash-selfhosted - REDASH_MULTI_ORG: "{{ .Values.redash.multiorg }}" - REDASH_DATABASE_PASSWORD: "{{ .Values.database.password }}" diff --git a/charts/forms-flow-analytics/templates/secrets.yaml b/charts/forms-flow-analytics/templates/secrets.yaml new file mode 100644 index 00000000..f7c3d14a --- /dev/null +++ b/charts/forms-flow-analytics/templates/secrets.yaml @@ -0,0 +1,20 @@ +{{- if not (or .Values.redash.existingSecret .Values.redash.selfManagedSecrets) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "redash.fullname" . }} + labels: + {{- include "redash.labels" . | nindent 4 }} +type: Opaque +data: + ## Start primary Redash configuration + {{- $null := required "A value for one of the following variables is required: redash.secretKey (secure random value), redash.existingSecret (secret name)" (or .Values.redash.secretKey .Values.redash.existingSecret) }} + secretKey: {{ default "" .Values.redash.secretKey | b64enc | quote }} + googleClientSecret: {{ default "" .Values.redash.googleClientSecret | b64enc | quote }} + ldapBindDnPassword: {{ default "" .Values.redash.ldapBindDnPassword | b64enc | quote }} + {{- $null := required "A value for one of the following variables is required: redash.cookieSecret (secure random value), redash.existingSecret (secret name)" (or .Values.redash.cookieSecret .Values.redash.existingSecret) }} + cookieSecret: {{ default "" .Values.redash.cookieSecret | b64enc | quote }} + mailPassword: {{ default "" .Values.redash.mailPassword | b64enc | quote }} + redashDatabasePassword: {{ default "" .Values.postgresql.auth.password | b64enc | quote }} + ## End primary Redash configuration +{{- end -}} diff --git a/charts/forms-flow-analytics/templates/server-deployment.yaml b/charts/forms-flow-analytics/templates/server-deployment.yaml new file mode 100644 index 00000000..a4b74a69 --- /dev/null +++ b/charts/forms-flow-analytics/templates/server-deployment.yaml @@ -0,0 +1,87 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "redash.fullname" . }}-server + labels: + {{- include "redash.labels" . | nindent 4 }} + app.kubernetes.io/component: server +spec: + replicas: {{ .Values.server.replicaCount }} + selector: + matchLabels: + {{- include "redash.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: server + template: + metadata: + labels: + {{- include "redash.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: server + {{- with .Values.server.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.server.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{ with .Values.imagePullSecrets -}} + imagePullSecrets: {{ toYaml . | nindent 8 }} + {{ end -}} + serviceAccountName: {{ include "redash.serviceAccountName" . }} + securityContext: {{ toYaml .Values.server.podSecurityContext | nindent 8 }} + {{- $initContainers := concat .Values.initContainers .Values.server.initContainers }} + {{- with $initContainers }} + initContainers: {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ include "redash.name" . }}-server + securityContext: {{ toYaml .Values.server.securityContext | nindent 12 }} + image: {{ .Values.image.registry }}/{{ .Values.image.repo }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- $volumeMounts := concat .Values.volumeMounts .Values.server.volumeMounts }} + {{- with $volumeMounts }} + volumeMounts: {{ toYaml . | nindent 12 }} + {{- end }} + args: + - server + env: + {{- $envCtx := mergeOverwrite (deepCopy .) (dict "Values" (dict "env" .Values.server.env)) -}} + {{- include "redash.env" $envCtx | nindent 12 }} + {{- with (include "redash.envFrom" .) }} + envFrom: {{ . | nindent 12 }} + {{- end }} + ports: + - containerPort: {{ .Values.server.httpPort }} + {{- $defaultProbe := dict "httpGet" (dict "path" "/ping" "port" .Values.server.httpPort) -}} + {{- with .Values.server.livenessProbe }} + livenessProbe: {{ deepCopy . | mergeOverwrite $defaultProbe | toYaml | nindent 12 }} + {{- end }} + {{- with .Values.server.readinessProbe }} + readinessProbe: {{ deepCopy . | mergeOverwrite $defaultProbe | toYaml | nindent 12 }} + {{- end }} + {{- with .Values.server.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} + - name: nginx + image: {{ .Values.server.extraContainers.image.registry }}/{{ .Values.server.extraContainers.image.repo }}:{{ .Values.server.extraContainers.image.tag }} + ports: + - containerPort: {{ .Values.server.extraContainers.ContainerPort }} + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- $volumes := concat .Values.volumes .Values.server.volumes -}} + {{- with $volumes }} + volumes: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.nodeSelector }} + nodeSelector: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.affinity }} + affinity: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.tolerations }} + tolerations: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/charts/forms-flow-analytics/templates/service.yaml b/charts/forms-flow-analytics/templates/service.yaml index e746b50b..19887ed4 100644 --- a/charts/forms-flow-analytics/templates/service.yaml +++ b/charts/forms-flow-analytics/templates/service.yaml @@ -1,13 +1,30 @@ apiVersion: v1 kind: Service metadata: + name: {{ include "redash.fullname" . }} labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} + {{- include "redash.labels" . | nindent 4 }} + annotations: + {{- with .Values.service.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: + type: {{ .Values.service.type }} + {{- if .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} + {{- end }} ports: - - name: "{{.Values.ingress.port}}" - port: {{.Values.ingress.port}} - targetPort: {{.Values.ingress.port}} + - port: {{ .Values.service.port }} + targetPort: {{ .Values.server.httpPort }} + protocol: TCP + name: http + - port: {{ .Values.service.sidecar.port }} + targetPort: {{ .Values.service.sidecar.httpPort }} + protocol: TCP + name: nginx + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} selector: - app: {{ .Chart.Name }}-server + {{- include "redash.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: server diff --git a/charts/forms-flow-analytics/templates/serviceaccount.yaml b/charts/forms-flow-analytics/templates/serviceaccount.yaml new file mode 100644 index 00000000..56564795 --- /dev/null +++ b/charts/forms-flow-analytics/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "redash.serviceAccountName" . }} + labels: + {{- include "redash.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/forms-flow-analytics/templates/worker-deployment.yaml b/charts/forms-flow-analytics/templates/worker-deployment.yaml new file mode 100644 index 00000000..e901db61 --- /dev/null +++ b/charts/forms-flow-analytics/templates/worker-deployment.yaml @@ -0,0 +1,75 @@ +{{ range $workerName, $config := .Values.workers -}} +{{- $workerConfig := mergeOverwrite (deepCopy $.Values.worker) $config }} +{{- $context := mergeOverwrite (deepCopy $) (dict "workerName" $workerName)}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "redash.worker.fullname" $context }} + labels: {{ include "redash.labels" $context | nindent 4 }} +spec: + replicas: {{ $workerConfig.replicaCount }} + selector: + matchLabels: {{ include "redash.selectorLabels" $context | nindent 6 }} + template: + metadata: + labels: + {{- include "redash.selectorLabels" $context | nindent 8 }} + {{- with $workerConfig.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with $workerConfig.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{ with $.Values.imagePullSecrets -}} + imagePullSecrets: {{ toYaml . | nindent 8 }} + {{- end -}} + serviceAccountName: {{ include "redash.serviceAccountName" $context }} + securityContext: {{ toYaml $workerConfig.podSecurityContext | nindent 8 }} + {{- with concat $.Values.initContainers $workerConfig.initContainers }} + initContainers: {{ toYaml . | nindent 8 }} + {{- end }} + containers: + {{- with $workerConfig.extraContainers -}} + {{- toYaml . | nindent 8 }} + {{- end }} + - name: {{ include "redash.name" $context }}-{{ $workerName }}-worker + securityContext: {{ toYaml $workerConfig.securityContext | nindent 12 }} + image: {{ $.Values.image.registry }}/{{ $.Values.image.repo }}:{{ $.Values.image.tag | default $.Chart.AppVersion }} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + args: + - worker + {{- $volumeMounts := concat $.Values.volumeMounts $workerConfig.volumeMounts }} + {{- with $volumeMounts }} + volumeMounts: {{ toYaml . | nindent 12 }} + {{- end -}} + {{- with $workerConfig.livenessProbe }} + livenessProbe: {{ toYaml . | nindent 12 }} + {{- end }} + env: + {{- $envCtx := mergeOverwrite (deepCopy $) (dict "Values" (dict "env" $workerConfig.env)) -}} + {{- include "redash.env" $envCtx | nindent 12 }} + {{- with (include "redash.envFrom" $) }} + envFrom: {{ . | nindent 12 }} + {{- end }} + {{- with $workerConfig.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} + {{- $volumes := concat $.Values.volumes $workerConfig.volumes -}} + {{- with $volumes }} + volumes: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with $workerConfig.nodeSelector }} + nodeSelector: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with $workerConfig.affinity }} + affinity: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with $workerConfig.tolerations }} + tolerations: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with $workerConfig.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} +{{- end }} diff --git a/charts/forms-flow-analytics/values.yaml b/charts/forms-flow-analytics/values.yaml index 091590f6..5f147e75 100644 --- a/charts/forms-flow-analytics/values.yaml +++ b/charts/forms-flow-analytics/values.yaml @@ -1,61 +1,654 @@ -Domain: # - -database: - username: postgres - password: postgres - servicename: forms-flow-ai-postgresql-ha-pgpool - port: 5432 - url: "postgresql://{{.Values.database.username}}:{{.Values.database.password}}@{{.Values.database.servicename}}:{{.Values.database.port}}/{{.Chart.Name}}" -externalDatabase: - existingDatabaseUrlKey: "" - existingSecretName: "" #name of the existing secret -formsflow: - auth: forms-flow-ai-auth -ingress: - ingressClassName: "" - annotations: - enabled: true # create an ingress for this component - hostname: "{{.Chart.Name}}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}" - port: 5000 - tls: true - selfSigned: false - extraTls: - - {} -# redis-exporter: -# exporter: -# image: -# registry: docker.io -# repository: oliver006/redis_exporter -# tag: v1.14.0-alpine -# redis: -# image: -# registry: docker.io -# repository: redis -# tag: 7.0-rc3-alpine -# persistentVolumeClaim: -# size: 2Gi -# storageClass: "" -# resources: -# limits: -# cpu: 60m -# memory: 512Mi -# requests: -# cpu: 50m -# memory: 256Mi +## Default values for Redash. + +image: + registry: docker.io + # image.repo -- Redash image name used for server and worker pods + repo: formsflow/redash + # image.tag -- Redash image [tag](https://hub.docker.com/r/redash/redash/tags) + tag: 24.04.0 + # image.pullPolicy - Image pull policy + pullPolicy: IfNotPresent + +# imagePullSecrets -- Name(s) of secrets to use if pulling images from a private registry +imagePullSecrets: [] +# nameOverride - Override the autogenerated release name based chart name +nameOverride: "forms-flow-analytics" +fullnameOverride: "forms-flow-analytics" + +# env -- Redash global environment variables - applied to both server and worker containers. +env: + PYTHONUNBUFFERED: 0 + REDASH_PRODUCTION: "true" + +# initContainers -- Redash global init containers +initContainers: [] + +# volumes -- Redash global volumes configuration - applied to all containers +volumes: [] + +# volumeMounts -- Redash global volume mounts configuration - applied to all containers +volumeMounts: [] + +# commonLabels -- Redash global labels -- applied to all objects +commonLabels: {} + +## Service account and security context configuration +serviceAccount: + # serviceAccount.create -- Specifies whether a service account should be created + create: true + # serviceAccount.annotations -- Annotations to add to the service account + annotations: {} + # serviceAccount.name -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template + name: + +## Redash application configuration redash: - multiorg: "false" - image: - registry: docker.io #registry to use - repository: formsflow/redash # repoisitory for redash image - tag: 10.1.5 # tag of image being used - database: - password: postgres # admin password - url: "postgresql://postgres:postgres@forms-flow-analytics-postgresql:5432/postgres" # redash database url - i.e forms-flow-analytics-postgresql - -resources: - limits: - cpu: 200m - memory: 2Gi - requests: - cpu: 180m - memory: 1Gi + ## Start primary Redash configuration + ## Note that we document the Redash defaults, but don't explicitly set them. + ## This allows multiple versions of Redash (which may have different defaults) to be more easily used + # -- disables all chart managed secrets providing an ability to set them using redash.envSecretName. Useful, while using together with external secrets + selfManagedSecrets: false + # -- REQUIRED `REDASH_SECRET_KEY` value. Secret key used for data encryption. Stored as a Secret value. + secretKey: test + # -- `REDASH_SAML_SCHEME_OVERRIDE` value. This setting will allow you to override the saml auth url scheme that gets constructed by flask. this is a useful feature if, for example, you're behind a proxy protocol enabled tcp load balancer (aws elb that terminates ssl) and your nginx proxy or similar adds a x-forwarded-proto of http even though your redash url for saml auth is https.. + samlSchemeOverride: "" + # -- `REDASH_DISABLE_PUBLIC_URLS` value. Whether to disable access to public urls. + # @default -- "false" + disablePublicUrls: "" + # -- `REDASH_BLOCKED_DOMAINS` value. Comma separated of email domains that cannot create user accounts. + # @default -- "qq.com" + blockedDomains: "" + # -- `REDASH_PROXIES_COUNT` value. Passed to werkzeug's [proxyfix](https://werkzeug.palletsprojects.com/en/2.1.x/middleware/proxy_fix/) to make sure we get the right referral address even behind proxies like nginx.. + # @default -- 1 + proxiesCount: "" + # -- `REDASH_STATSD_HOST` value. Host for statsd daemon. + # @default -- 127.0.0.1 + statsdHost: "" + # -- `REDASH_STATSD_PORT` value. Port for statsd daemon. + # @default -- 8125 + statsdPort: "" + # -- `REDASH_STATSD_PREFIX` value. Prefix for metrics sent to statsd daemon. + # @default -- redash + statsdPrefix: "" + # -- `REDASH_STATSD_USE_TAGS` value. Whether to use tags in statsd metrics (influxdb’s format). + # @default -- false + statsdUseTags: "" + # -- `REDASH_QUERY_RESULTS_CLEANUP_ENABLED` value. Whether the job to cleanup unused query results should run automatically. + # @default -- true + queryResultsCleanupEnabled: "" + # -- `REDASH_QUERY_RESULTS_CLEANUP_COUNT` value. The number of results to cleanup during each call to `cleanup_query_results`. + # @default -- 100 + queryResultsCleanupCount: "" + # -- `REDASH_QUERY_RESULTS_CLEANUP_MAX_AGE` value. Integer number of days, past which a query result may be cleaned up if it is not referenced by another query.. + # @default -- 7 + queryResultsCleanupMaxAge: "" + # -- `REDASH_SCHEMAS_REFRESH_SCHEDULE` value. How often to refresh the data source schemas (in minutes). + # @default -- 30 + schemasRefreshSchedule: "" + # -- `REDASH_AUTH_TYPE` value. May be either `api_key` or `hmac`. implemented [here](https://github.com/getredash/redash/pull/385). + # @default -- api_key + authType: "" + # -- `REDASH_ENFORCE_HTTPS` value. This is passed to [flask-talisman](https://github.com/googlecloudplatform/flask-talisman). + # @default -- false + enforceHttps: "" + # -- `REDASH_INVITATION_TOKEN_MAX_AGE` value. An integer number of seconds after which an invitation link will expire. + # @default -- 60 _ 60 _ 24 \* 7 + invitationTokenMaxAge: "" + # -- `REDASH_MULTI_ORG` value. Whether to enable multi-org mode. **note**: multi-org mode is not documented or supported at this time. + # @default -- false + multiOrg: "" + # -- `REDASH_GOOGLE_CLIENT_ID` value. The client id to use for google login, be sure to set a client secret as well. + googleClientId: "" + # -- `REDASH_GOOGLE_CLIENT_SECRET` value. The client secret to use for google login, be sure to set a client id as well. Stored as a Secret value. + googleClientSecret: "" + # -- `REDASH_REMOTE_USER_LOGIN_ENABLED` value. Enables the use of an externally-provided and trusted remote user via an http header. the "user" must be an email address. [more details](https://github.com/getredash/redash/blob/e6ebef1e5ab866ce1e706eaee6260edaffdc2bd7/redash/settings/__init__.py#l185-l207). + # @default -- false + remoteUserLoginEnabled: "" + # -- `REDASH_REMOTE_USER_HEADER` value. Name of header to use if `redash_remote_user_login_enabled` is true. + # @default -- X-Forwarded-Remote-User + remoteUserHeader: "" + # -- `REDASH_LDAP_LOGIN_ENABLED` value. + # @default -- false + ldapLoginEnabled: "" + # -- `REDASH_LDAP_URL` value. + # @default -- None + ldapUrl: "" + # -- `REDASH_LDAP_BIND_DN` value. + # @default -- None + ldapBindDn: "" + # -- `REDASH_LDAP_BIND_DN_PASSWORD` value. Stored as a Secret value. + ldapBindDnPassword: "" + # -- `REDASH_LDAP_DISPLAY_NAME_KEY` value. + # @default -- displayName + ldapDisplayNameKey: "" + # -- `REDASH_LDAP_EMAIL_KEY` value. + # @default -- mail + ldapEmailKey: "" + # -- `REDASH_LDAP_CUSTOM_USERNAME_PROMPT` value. + # @default -- LDAP/AD/SSO username: + ldapCustomUsernamePrompt: "" + # -- `REDASH_LDAP_SEARCH_TEMPLATE` value. + # @default -- (cn=%(username)s) + ldapSearchTemplate: "" + # -- `REDASH_LDAP_SEARCH_DN` value. + # @default -- REDASH_SEARCH_DN + ldapSearchDn: "" + # -- `REDASH_STATIC_ASSETS_PATH` value. Directory that contains all front-end assets. relative to the ./redash directory. + # @default -- ”../client/dist/” + staticAssetsPath: "" + # -- `REDASH_JOB_EXPIRY_TIME` value. Ttl in seconds for jobs placed in queue. if a job is not picked up by a worker within this ttl it will expire.. + # @default -- 3600 \* 12 + jobExpiryTime: "" + # -- REQUIRED `REDASH_COOKIE_SECRET` value. Required. used for various cryptographic features of the web server. read more about how redash uses secret keys [here]({% link _kb/open-source/admin-guide/secrets.md %}). Stored as a Secret value. + cookieSecret: test + # -- `REDASH_LOG_LEVEL` value. Logging messages which are less severe than level will be ignored. read more about python logging [here](https://docs.python.org/3/library/logging.html). + # @default -- INFO + logLevel: "" + # -- `REDASH_MAIL_SERVER` value. + # @default -- localhost + mailServer: "" + # -- `REDASH_MAIL_PORT` value. + # @default -- 25 + mailPort: "" + # -- `REDASH_MAIL_USE_TLS` value. + # @default -- false + mailUseTls: "" + # -- `REDASH_MAIL_USE_SSL` value. + # @default -- false + mailUseSsl: "" + # -- `REDASH_MAIL_USERNAME` value. + # @default -- None + mailUsername: "" + # -- `REDASH_MAIL_PASSWORD` value. Stored as a Secret value. + # @default -- None + mailPassword: "" + # -- `REDASH_MAIL_DEFAULT_SENDER` value. + # @default -- None + mailDefaultSender: "" + # -- `REDASH_MAIL_MAX_EMAILS` value. + # @default -- None + mailMaxEmails: "" + # -- `REDASH_MAIL_ASCII_ATTACHMENTS` value. + # @default -- false + mailAsciiAttachments: "" + # -- `REDASH_HOST` value. The url host used in emails sent to users (invites, alerts, notifications) etc.. + host: "" + # -- `REDASH_ALERTS_DEFAULT_MAIL_SUBJECT_TEMPLATE` value. Subject used for email alert notifications. `{state}` and `{alert_name}` are the only available variables.. + # @default -- ({state}) {alert_name} + alertsDefaultMailSubjectTemplate: "" + # -- `REDASH_THROTTLE_LOGIN_PATTERN` value. The [flask-limiter](https://flask-limiter.readthedocs.io/en/stable/) string pattern used to rate limit requests to the /login route.. + # @default -- 50/hour + throttleLoginPattern: "" + # -- `REDASH_LIMITER_STORAGE` value. Mapped directly to flask-limiter's [storage_uri](https://flask-limiter.readthedocs.io/en/stable/configuration.html?highlight=limiter_storage#ratelimit_storage_uri).. + # @default -- REDIS_URL + limiterStorage: "" + # -- `REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN` value. + corsAccessControlAllowOrigin: "" + # -- `REDASH_CORS_ACCESS_CONTROL_ALLOW_CREDENTIALS` value. + # @default -- false + corsAccessControlAllowCredentials: "" + # -- `REDASH_CORS_ACCESS_CONTROL_REQUEST_METHOD` value. + # @default -- GET, POST, PUT + corsAccessControlRequestMethod: "" + # -- `REDASH_CORS_ACCESS_CONTROL_ALLOW_HEADERS` value. + # @default -- Content-Type + corsAccessControlAllowHeaders: "" + # -- `REDASH_ENABLED_QUERY_RUNNERS` value. Comma-separated list of query runners to be enabled (e.g. `redash.query_runner.pg,redash.query_runner.mysql`). + # @default -- ”,”.join(default_query_runners) + enabledQueryRunners: "" + # -- `REDASH_ADDITIONAL_QUERY_RUNNERS` value. Comma-separated list of non-default query runners to be enabled. + additionalQueryRunners: "" + # -- `REDASH_DISABLED_QUERY_RUNNERS` value. Comma-separated list of query runners that will not appear in redash. + disabledQueryRunners: "" + # -- `REDASH_SCHEDULED_QUERY_TIME_LIMIT` value. Time limit for scheduled queries (in seconds). + # @default -- None + scheduledQueryTimeLimit: "" + # -- `REDASH_ADHOC_QUERY_TIME_LIMIT` value. Time limit for adhoc queries (in seconds). + # @default -- None + adhocQueryTimeLimit: "" + # -- `REDASH_ENABLED_DESTINATIONS` value. Comma-separated list of alert destinations to be enabled (e.g. `redash.destinations.email,redash.destinations.slack` ). + # @default -- ”,”.join(default_destinations) + enabledDestinations: "" + # -- `REDASH_ADDITIONAL_DESTINATIONS` value. Comma-separated list of non-default alert destinations to be enabled. + additionalDestinations: "" + # -- `REDASH_EVENT_REPORTING_WEBHOOKS` value. Comma-separated list of webhook urls that to which events will be forwarded. + eventReportingWebhooks: "" + # -- `REDASH_SENTRY_DSN` value. + sentryDsn: "" + # -- `REDASH_ALLOW_SCRIPTS_IN_USER_INPUT` value. Disable sanitization of text input, allowing full html. + # @default -- false + allowScriptsInUserInput: "" + # -- `REDASH_DASHBOARD_REFRESH_INTERVALS` value. Comma-separated list of integer seconds that will be allowed for dashboard refresh. + # @default -- 60,300,600,1800,3600,43200,86400 + dashboardRefreshIntervals: "" + # -- `REDASH_QUERY_REFRESH_INTERVALS` value. Comma-separated list of integer seconds that will be allowed for scheduled query refresh. + # @default -- 60, 300, 600, 900, 1800, 3600, 7200, 10800, 14400, 18000, 21600, 25200, 28800, 32400, 36000, 39600, 43200, 86400, 604800, 1209600, 2592000 + queryRefreshIntervals: "" + # -- `REDASH_PASSWORD_LOGIN_ENABLED` value. Toggle to allow password login. often disabled if google login, saml, ldap, or remote_user_login are enabled.. + # @default -- true + passwordLoginEnabled: "" + # -- `REDASH_SAML_METADATA_URL` value. + samlMetadataUrl: "" + # -- `REDASH_SAML_ENTITY_ID` value. + samlEntityId: "" + # -- `REDASH_SAML_NAMEID_FORMAT` value. + samlNameidFormat: "" + # -- `REDASH_DATE_FORMAT` value. Moment.js format to be used throughout the web application. + # @default -- DD/MM/YY + dateFormat: "" + # -- `REDASH_JWT_LOGIN_ENABLED` value. + # @default -- false + jwtLoginEnabled: "" + # -- `REDASH_JWT_AUTH_ISSUER` value. + jwtAuthIssuer: "" + # -- `REDASH_JWT_AUTH_PUBLIC_CERTS_URL` value. + jwtAuthPublicCertsUrl: "" + # -- `REDASH_JWT_AUTH_AUDIENCE` value. + jwtAuthAudience: "" + # -- `REDASH_JWT_AUTH_ALGORITHMS` value. + # @default -- HS256,RS256,ES256 + jwtAuthAlgorithms: "" + # -- `REDASH_JWT_AUTH_COOKIE_NAME` value. + jwtAuthCookieName: "" + # -- `REDASH_JWT_AUTH_HEADER_NAME` value. + jwtAuthHeaderName: "" + # -- `REDASH_FEATURE_SHOW_QUERY_RESULTS_COUNT` value. Disable/enable showing count of query results in status. + # @default -- true + featureShowQueryResultsCount: "" + # -- `REDASH_VERSION_CHECK` value. Toggle whether to periodically check if a newer version of redash is available.. + # @default -- true + versionCheck: "" + # -- `REDASH_FEATURE_DISABLE_REFRESH_QUERIES` value. Disable scheduled query execution. + # @default -- false + featureDisableRefreshQueries: "" + # -- `REDASH_FEATURE_SHOW_PERMISSIONS_CONTROL` value. Enable experimental multiple owners support. + # @default -- false + featureShowPermissionsControl: "" + # -- `REDASH_FEATURE_ALLOW_CUSTOM_JS_VISUALIZATIONS` value. Enable the custom visualization option. this appears as a sub-type of "chart" visualizations in the ui.. + # @default -- false + featureAllowCustomJsVisualizations: "" + # -- `REDASH_FEATURE_AUTO_PUBLISH_NAMED_QUERIES` value. Automatically publish a new query after its name is changed from "new query". + # @default -- true + featureAutoPublishNamedQueries: "" + # -- `REDASH_BIGQUERY_HTTP_TIMEOUT` value. Http timeout for the bigquery query runner. + # @default -- 600 + bigqueryHttpTimeout: "" + # -- `REDASH_SCHEMA_RUN_TABLE_SIZE_CALCULATIONS` value. Enable showing the size of each table in the schema browser.. + # @default -- false + schemaRunTableSizeCalculations: "" + # -- `REDASH_WEB_WORKERS` value. How many processes will gunicorn spawn to handle web requests. + # @default -- 4 + webWorkers: "" + ## End primary Redash configuration + + # -- `SQLALCHEMY_ENABLE_POOL_PRE_PING` value, controls whether the database connection that's in the pool will be checked by pinging before being used or not. See https://docs.sqlalchemy.org/en/13/core/pooling.html#sqlalchemy.pool.Pool.params.pre_ping + # @default -- true + sqlAlchemyEnablePoolPrePing: "true" + # redash.existingSecret -- Name of existing secret to use instead of either the values above + ## This secret must contain keys matching the items marked "Stored as a Secret value" above. + # existingSecret: + +## Configuration for Redash web server +server: + # server.httpPort -- Server container port (only useful if you are using a customized image) + httpPort: 5000 + + # server.initContainers -- Server init containers configuration + initContainers: [] + + # server.env -- Redash server specific environment variables + # Don't use this for variables that are in the configuration above, however. + env: {} + + # server.replicaCount -- Number of server pods to run + replicaCount: 1 + + # server.resources -- Server resource requests and limits [ref](http://kubernetes.io/docs/user-guide/compute-resources/) + resources: + limits: + cpu: 1500m + memory: 2Gi + requests: + cpu: 900m + memory: 1Gi + + # server.livenessProbe -- Server liveness probe configuration + livenessProbe: + # Redash can take a while to come up initially, so we delay checks. + initialDelaySeconds: 90 + timeoutSeconds: 1 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + + # server.readinessProbe -- Server readiness probe configuration + readinessProbe: + initialDelaySeconds: 10 + timeoutSeconds: 1 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + + # server.podSecurityContext -- Security contexts for server pod assignment [ref](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + podSecurityContext: {} + securityContext: {} + + # server.nodeSelector -- Node labels for server pod assignment [ref](https://kubernetes.io/docs/user-guide/node-selection/) + nodeSelector: {} + + # server.tolerations -- Tolerations for server pod assignment [ref](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + tolerations: [] + + # server.affinity -- Affinity for server pod assignment [ref](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + affinity: {} + + # server.podAnnotations -- Annotations for server pod assignment [ref](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) + podAnnotations: {} + + # server.podLabels -- Labels for server pod assignment [ref](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + podLabels: {} + + # server.volumes -- Volumes for server pod assignment [ref](https://kubernetes.io/docs/concepts/storage/volumes/) + volumes: + - name: nginx-config-volume + configMap: + name: forms-flow-analytics-nginx-config + + # server.volumeMounts -- VolumeMounts for server pod assignment [ref](https://kubernetes.io/docs/concepts/storage/volumes/) + volumeMounts: [] + + # priorityClassName -- Priority class name for server pod assignment [ref](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) + priorityClassName: + + extraContainers: + image: + registry: docker.io + # image.repo -- Redash image name used for server and worker pods + repo: nginxinc/nginx-unprivileged + # image.tag -- Redash image [tag](https://hub.docker.com/r/redash/redash/tags) + tag: latest + # image.pullPolicy - Image pull policy + pullPolicy: IfNotPresent + ContainerPort: 8080 + + +service: + # service.annotations -- Annotations to add to the service + annotations: {} + # service.loadBalancerIP -- Specific IP address to use for cloud providers such as Azure Kubernetes Service [ref](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) + loadBalancerIP: + # service.type -- Kubernetes Service type + type: ClusterIP + # service.externalTraffucPolicy -- external traffic policy for Load Balancer + externalTrafficPolicy: "" + # service.port -- Service external port + port: 5000 + + sidecar: + port: 8080 + httpPort: 8080 +ingress: + # ingress.enabled -- Enable ingress controller resource + enabled: true + # ingress.annotations -- Ingress annotations configuration + annotations: {} + # ingress.ingressClassName -- Sets the ingress controller class name to use. + ingressClassName: "" + + # ingress.hosts -- Ingress resource hostnames and path mappings + hosts: + - host: chart-example.local + paths: [] + #ingress.pathType -- How ingress paths should be treated. + pathType: Prefix + + port: 8080 + # ingress.tls -- Ingress TLS configuration + tls: [] + # - secretName: forms-flow-analytics-test.aot-technologies.com-tls + # hosts: + # - forms-flow-analytics-test.aot-technologies.com + subFilterHost: chart-example.local +## Configuration for Redash workers +workers: + adhoc: + # workers.adhoc.env -- Redash ad-hoc worker specific environment variables. + env: + QUEUES: queries + WORKERS_COUNT: 2 + scheduled: + # workers.scheduled.env -- Redash scheduled worker specific environment variables. + env: + QUEUES: scheduled_queries,schemas + WORKERS_COUNT: 1 + generic: + # workers.generic.env -- Redash generic worker specific environment variables. + env: + QUEUES: periodic,emails,default + WORKERS_COUNT: 1 + +## Common worker configuration, which can be overidden for each worker at workers. +worker: + # worker.replicaCount -- Default number of worker pods to run + replicaCount: 1 + + # worker.initContainers -- Worker default init containers configuration + initContainers: [] + + # worker.resources -- Worker default resource requests and limits [ref](http://kubernetes.io/docs/user-guide/compute-resources/) + resources: + limits: + cpu: 300m + memory: 2Gi + requests: + cpu: 200m + memory: 1Gi + + # worker.podSecurityContext -- Default worker's security context pod assignment [ref](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + podSecurityContext: {} + securityContext: {} + + # worker.nodeSelector -- Default node labels for worker pod assignment [ref](https://kubernetes.io/docs/user-guide/node-selection/) + nodeSelector: {} + + # worker.tolerations -- Default tolerations for worker pod assignment [ref](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + tolerations: [] + + # worker.affinity -- Default affinity for worker pod assignment [ref](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + affinity: {} + + # worker.podAnnotations -- Default annotations for worker pod assignment [ref](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) + podAnnotations: {} + + # worker.podLabels -- Default labels for worker pod assignment [ref](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + podLabels: {} + + # worker.volumes -- Default volumes for pod worker assignment [ref](https://kubernetes.io/docs/concepts/storage/volumes/) + volumes: [] + + # worker.volumeMounts -- Default VolumeMounts for worker pod assignment [ref](https://kubernetes.io/docs/concepts/storage/volumes/) + volumeMounts: [] + + # priorityClassName -- Default priority class name for worker pod assignment [ref](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) + priorityClassName: + + # worker.livenessProbe -- Default worker's liveness probe to ensure workers are running fine + livenessProbe: + exec: + command: + - /bin/sh + - -c + - /app/bin/docker-entrypoint workers_healthcheck + timeoutSeconds: 10 + initialDelaySeconds: 60 + periodSeconds: 100 + +## Configuration for Redash scheduler +scheduler: + # scheduler.env -- Redash scheduler specific environment variables. + env: {} + + # scheduler.replicaCount -- Number of scheduler pods to run + replicaCount: 1 + + # scheduler.initContainers -- Redash scheduler init containers configuration. + initContainers: [] + + # scheduler.resources -- scheduler resource requests and limits [ref](http://kubernetes.io/docs/user-guide/compute-resources/) + resources: + limits: + cpu: 300m + memory: 2Gi + requests: + cpu: 200m + memory: 1Gi + + # scheduler.podSecurityContext -- Security contexts for scheduler pod assignment [ref](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + podSecurityContext: {} + securityContext: {} + + # scheduler.livenessProbe -- Liveness probe for scheduler to ensure workers are running fine + livenessProbe: + exec: + command: + - /bin/sh + - -c + - /app/bin/docker-entrypoint workers_healthcheck + timeoutSeconds: 10 + initialDelaySeconds: 60 + periodSeconds: 100 + + # scheduler.nodeSelector -- Node labels for scheduler pod assignment [ref](https://kubernetes.io/docs/user-guide/node-selection/) + nodeSelector: {} + + # scheduler.tolerations -- Tolerations for scheduler pod assignment [ref](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + tolerations: [] + + # scheduler.affinity -- Affinity for scheduler pod assignment [ref](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + affinity: {} + + # scheduler.podAnnotations -- Annotations for scheduler pod assignment [ref](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) + podAnnotations: {} + + # scheduler.podLabels -- Labels for scheduler pod assignment [ref](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + podLabels: {} + + # scheduler.volumes -- Volumes for scheduler pod assignment [ref](https://kubernetes.io/docs/concepts/storage/volumes/) + volumes: [] + + # scheduler.volumeMounts -- VolumeMounts for scheduler pod assignment [ref](https://kubernetes.io/docs/concepts/storage/volumes/) + volumeMounts: [] + + # priorityClassName -- Default priority class name for scheduler pod assignment [ref](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) + priorityClassName: + +## Configuration for migrations hook +migrations: + # migrations.volumes -- volumes that will be mounted to migrations pods only + volumes: [] + + # migrations.initContainers -- migrations init container configuration + initContainers: [] + + # migrations.volumeMounts -- volume mounts for migrations pods + volumeMounts: [] + + # migrations.ttlSecondsAfterFinished -- ttl for install job [ref](https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) + ttlSecondsAfterFinished: 600 + # migrations.resources -- Scheduled worker resource requests and limits [ref](http://kubernetes.io/docs/user-guide/compute-resources/) + resources: + limits: + cpu: 300m + memory: 2Gi + requests: + cpu: 200m + memory: 1Gi + + # migrations.podSecurityContext -- Security contexts for scheduled worker pod assignment [ref](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + podSecurityContext: {} + securityContext: {} + + # migrations.nodeSelector -- Node labels for scheduled worker pod assignment [ref](https://kubernetes.io/docs/user-guide/node-selection/) + nodeSelector: {} + + # migrations.tolerations -- Tolerations for server pod assignment [ref](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + tolerations: [] + + # migrations.affinity -- Affinity for scheduled worker pod assignment [ref](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + affinity: {} + + # migrations.podAnnotations -- Annotations for scheduled worker pod assignment [ref](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) + podAnnotations: {} + + # migrations.podLabels -- Labels for migration pod [ref](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + podLabels: {} + + # priorityClassName -- Default priority class name for migration pod [ref](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) + priorityClassName: + +# externalPostgreSQL -- External PostgreSQL configuration. To use an external PostgreSQL instead of the automatically deployed postgresql chart: set postgresql.enabled to false then uncomment and configure the externalPostgreSQL connection URL (e.g. postgresql://user:pass@host:5432/database) + +externalPostgreSQL: + +# externalPostgreSQLSecret -- Read external PostgreSQL configuration from a secret. This should point at a secret file with a single key which specifies the connection string. +externalPostgreSQLSecret: + {} + # name: redash-postgres + # key: connectionString + +# envSecretName -- DEPRECIATED, use externalPostgreSQLSecret/externalRedisSecret instead. Contents of this secret will be loaded as environment variables into the container. Useful e.g. to set to set PostgreSQL password in externalPostgreSQL parameter: postgresql://user:$(POSTGRESQL_PASSWORD)@host:5432/database [ref](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config) +# envSecretName: + +## Configuration values for the postgresql dependency. This PostgreSQL instance is used by default for all Redash state storage [ref](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/README.md) +postgresql: + # postgresql.enabled -- Whether to deploy a PostgreSQL server to satisfy the applications database requirements. To use an external PostgreSQL set this to false and configure the externalPostgreSQL parameter. + enabled: false + fullnameOverride: "forms-flow-ai-postgresql-ha-pgpool" + primary: + service: + ports: + postgresql: 5432 + global: + storageClass: "" + + auth: + # postgresql.auth.username -- PostgreSQL username for redash user (when postgresql chart enabled) + username: postgres + # postgresql.auth.password -- REQUIRED: PostgreSQL password for redash user (when postgresql chart enabled) + password: postgres + # postgresql.auth.database -- PostgreSQL database name (when postgresql chart enabled) + database: forms-flow-analytics + +# externalRedis -- External Redis configuration. To use an external Redis instead of the automatically deployed redis chart: set redis.enabled to false then uncomment and configure the externalRedis connection URL (e.g. redis://user:pass@host:6379/database). +externalRedis: redis://redis-exporter:6379/0 +# externalRedisSecret -- Read external Redis configuration from a secret. This should point at a secret file with a single key which specifies the connection string. +externalRedisSecret: + {} + # name: redash-redis + # key: connectionString + +## Configuration values for the redis dependency. This Redis instance is used by default for caching and temporary storage [ref](https://github.com/bitnami/charts/blob/main/bitnami/redis/README.md) +redis: + # redis.enabled -- Whether to deploy a Redis server to satisfy the applications database requirements. To use an external Redis set this to false and configure the externalRedis parameter. + enabled: false + database: 0 + master: + service: + ports: + redis: 6379 + replica: + replicaCount: 0 + global: + storageClass: "" + +# extraObjects -- Additional kubernetes manifests to deploy alongside the chart. Useful to include external secrets for dependencies. +extraObjects: [] +# - apiVersion: mumoshu.github.io/v1alpha1 +# kind: AWSSecret +# metadata: +# name: redash-postgres +# spec: +# stringDataFrom: +# secretsManagerSecretRef: +# secretId: redash-postgres-prod +# versionId: 00000000-1111-2222-3333-444444444444 diff --git a/charts/forms-flow-api/.helmignore b/charts/forms-flow-api/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/forms-flow-api/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/forms-flow-api/Chart.yaml b/charts/forms-flow-api/Chart.yaml index 007b5f0c..02a91a0b 100644 --- a/charts/forms-flow-api/Chart.yaml +++ b/charts/forms-flow-api/Chart.yaml @@ -1,6 +1,13 @@ ---- apiVersion: v2 name: forms-flow-api -tags: forms-flow-api -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file +description: forms-flow-api is an adaptive tier for correlating form management, BPM and analytics together. The goal of the REST API is to provide access to all relevant interfaces of the system provided by formsflow. +icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" +version: v8.0.0 +type: application +appVersion: "8.0.0" +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x diff --git a/charts/forms-flow-api/README.md b/charts/forms-flow-api/README.md new file mode 100644 index 00000000..32460b33 --- /dev/null +++ b/charts/forms-flow-api/README.md @@ -0,0 +1,256 @@ +# Formsflow.ai API + +formsflow.ai has built this adaptive tier for correlating form management, BPM and analytics together. + +The goal of the REST API is to provide access to all relevant interfaces of the system. + + +## Introduction + +This chart bootstraps a forms-flow-api deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + + +## Installing the Chart + +To install the chart with the release name `forms-flow-api`: + +```console +helm install forms-flow-api forms-flow-api +``` + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + + +```console +helm install forms-flow-api forms-flow-api --set ingress.ingressClassName=INGRESS_CLASS --set ingress.hostname=HOSTNAME +``` + +> Note: You need to substitute the placeholders `INGRESS_CLASS` and `HOSTNAME` with a reference to your Helm chart registry and repository. For example, in the case of Formsflow, you need to use `INGRESS_CLASS=nginx`. Use `--set image.repository=formsflow/forms-flow-webapi-ee` for deploy the enterprise version + +These commands deploy Forms-flow-api on the Kubernetes cluster + +> **Tip**: List all releases using `helm list` + +### Resource requests and limits + +Forms-flow-api charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +```yaml +resources: + limits: + cpu: 300m + memory: 1Gi + requests: + cpu: 200m + memory: 512Mi +``` + +### Change Forms-flow-api version + +To modify the Forms-flow-api version used in this chart you can specify a [valid image tag](https://hub.docker.com/repository/docker/formsflow/forms-flow-webapi) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. + +#### Using the OpenSource Version +By default, the chart uses the OpenSource version of the `Forms-flow API`. You can change the image tag to any valid version of the OpenSource image, as shown below: + +```yaml +image: + registry: docker.io + repository: formsflow/forms-flow-webapi + tag: X.Y.Z # Replace with the desired OpenSource version +``` +#### Using the Enterprise Version +If you're using the enterprise version of Forms-flow API, you can switch the image repository to `formsflow/forms-flow-webapi-ee`. The enterprise version includes additional features and support designed for larger-scale or production environments. To use the enterprise version, update the repository field as shown below: + +```yaml +image: + registry: docker.io + repository: formsflow/forms-flow-webapi-ee + tag: X.Y.Z # Replace with the desired enterprise version +``` +Make sure to replace X.Y.Z with the specific version number you wish to use for either the OpenSource or enterprise version. + +### EE Specific Environment Variables +When deploying the Enterprise Edition (EE) for `forms-flow-api`, the environment variables specific to the EE deployment are already included in the values.yaml file of [forms-flow-ai](../forms-flow-ai/values.yaml#L223) chart. +Make sure to replace `ipaas.embedded_api_key` and `ipaas.jwt_private_key` with the actual keys provided to you. + +Example: +```yaml +ipaas: + embedded_api_key: IPAAS_EMBEDDED_API_KEY + jwt_private_key: IPAAS_JWT_PRIVATE_KEY +``` + +## Persistence + +The `forms-flow-api` image stores the application logs at the `/forms-flow-api/app/logs` path of the container. + +## Sidecar Configuration + +To add a sidecar to your `Forms-flow-api` deployment, you can use the following configuration. In this case, the sidecar container is an Nginx container used for configuration management. + +### Example Sidecar Configuration + +```yaml +sidecars: + - name: nginx + image: nginx:latest + ports: + - containerPort: 80 + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf +``` + +## API Path Update +The `Forms-flow-api` can now be accessed at the `/api` route. Ensure that all configurations and requests reference this updated path. + +For example: + +``` +https:///api +``` +## Parameters + +| Parameter | Description | Default Value | +|-------------------------------------------------------|-----------------------------------------------------|-----------------------------| +| `replicaCount` | Number of replicas for the deployment | `1` | +| `image.registry` | Docker registry for the image | `docker.io` | +| `image.repository` | Repository for the image | `formsflow/forms-flow-webapi` | +| `image.pullSecrets` | Secrets for pulling images from private registries | `[]` | +| `nameOverride` | Override name for the deployment | `""` | +| `fullnameOverride` | Override full name for the deployment | `""` | +| `commonLabels` | Common labels for all resources | `{}` | +| `commonAnnotations` | Common annotations for all resources | `{}` | +| `nodeSelector` | Node selector for pod scheduling | `{}` | +| `tolerations` | Tolerations for scheduling | `[]` | +| `affinity` | Affinity rules for pod scheduling | `{}` | +| `priorityClassName` | Priority class for scheduling | `""` | +| `schedulerName` | Scheduler to use for the deployment | `""` | +| `terminationGracePeriodSeconds` | Grace period for termination | `""` | +| `topologySpreadConstraints` | Constraints for spreading pods across zones | `[]` | +| `diagnosticMode.enabled` | Enable diagnostic mode | `false` | +| `diagnosticMode.command` | Command to run in diagnostic mode | `["sleep"]` | +| `diagnosticMode.args` | Arguments for the command in diagnostic mode | `["infinity"]` | +| `hostAliases` | Host aliases for the pods | `[]` | +| `serviceAccount.create` | Create a service account | `true` | +| `serviceAccount.annotations` | Annotations for the service account | `{}` | +| `serviceAccount.name` | Name of the service account | `""` | +| `serviceAccount.automountServiceAccountToken` | Automount service account token | `false` | +| `podAnnotations` | Annotations for the pods | `{}` | +| `podLabels` | Labels for the pods | `{}` | +| `podAffinityPreset` | Preset for pod affinity | `""` | +| `podAntiAffinityPreset` | Preset for pod anti-affinity | `soft` | +| `nodeAffinityPreset.type` | Type for node affinity | `""` | +| `nodeAffinityPreset.key` | Key for node affinity | `""` | +| `nodeAffinityPreset.values` | Values for node affinity | `[]` | +| `podSecurityContext.enabled` | Enable pod security context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Policy for changing the fsGroup | `Always` | +| `podSecurityContext.sysctls` | Sysctl settings for the pods | `[]` | +| `podSecurityContext.supplementalGroups` | Supplemental groups for the pods | `[]` | +| `podSecurityContext.fsGroup` | fsGroup for the pods | `1001` | +| `containerSecurityContext.enabled` | Enable container security context | `true` | +| `containerSecurityContext.seLinuxOptions` | SELinux options for the container | `{}` | +| `containerSecurityContext.runAsUser` | User ID for running the container | `1001` | +| `containerSecurityContext.runAsGroup` | Group ID for running the container | `1001` | +| `containerSecurityContext.runAsNonRoot` | Run the container as a non-root user | `false` | +| `containerSecurityContext.privileged` | Enable privileged mode for the container | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set root filesystem as read-only | `false` | +| `containerSecurityContext.allowPrivilegeEscalation` | Allow privilege escalation | `false` | +| `containerSecurityContext.capabilities.drop` | Capabilities to drop from the container | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Seccomp profile type | `RuntimeDefault` | +| `command` | Command for the container | `[]` | +| `args` | Arguments for the command | `[]` | +| `lifecycleHooks` | Lifecycle hooks for the container | `{}` | +| `automountServiceAccountToken` | Automount service account token | `true` | +| `extraEnvVars` | Extra environment variables | `[]` | +| `extraEnvVarsCM` | ConfigMap for extra environment variables | `""` | +| `extraVolumes` | Extra volumes for the pods | `{}` | +| `extraVolumeMounts` | Extra volume mounts for the pods | `{}` | +| `existingSecret` | Name of an existing secret | `""` | +| `updateStrategy.type` | Update strategy type for the deployment | `RollingUpdate` | +| `updateStrategy.rollingUpdate.maxSurge` | Maximum surge for the rolling update | `25%` | +| `updateStrategy.rollingUpdate.maxUnavailable` | Maximum unavailable for the rolling update | `25%` | +| `pdb.create` | Create a pod disruption budget for pods | `true` | +| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | +| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `""` | +| `autoscaling.enabled` | Enable autoscaling for forms-flow-api | `false` | +| `autoscaling.minReplicas` | Minimum number of forms-flow-api replicas | `1` | +| `autoscaling.maxReplicas` | Maximum number of forms-flow-api replicas | `11` | +| `autoscaling.targetCPU` | Target CPU utilization percentage | `""` | +| `autoscaling.targetMemory` | Target Memory utilization percentage | `""` | +| `autoscaling.behavior.scaleUp.stabilizationWindowSeconds` | Seconds for which past recommendations are considered while scaling up | `120` | +| `autoscaling.behavior.scaleUp.selectPolicy` | Priority of policies applied when scaling up | `Max` | +| `autoscaling.behavior.scaleUp.policies` | HPA scaling policies when scaling up | `[]` | +| `autoscaling.behavior.scaleDown.stabilizationWindowSeconds` | Seconds for which past recommendations are considered while scaling down | `300` | +| `autoscaling.behavior.scaleDown.selectPolicy` | Priority of policies applied when scaling down | `Max` | +| `autoscaling.behavior.scaleDown.policies` | HPA scaling policies when scaling down | `[ { type: Pods, value: 1, periodSeconds: 300 } ]` | +| `formsflow.configmap` | Name of formsflow.ai configmap | `forms-flow-ai` | +| `formsflow.secret` | Name of formsflow.ai secret | `forms-flow-ai` | + + +## Ingress Parameters + +| Parameter | Description | Default Value | +|---------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `ingress.enabled` | Enable ingress for the service | `true` | +| `ingress.ingressClassName` | Ingress class to be used for the ingress | `""` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.apiVersion` | API version for the ingress (automatically detected if not set) | `""` | +| `ingress.controller` | Ingress controller type. Options: `default`, `gce` | `default` | +| `ingress.hostname` | Default host for the ingress record | `forms-flow-api.local` | +| `ingress.path` | Default path for the ingress record | `"/api"` | +| `ingress.servicePort` | Backend service port to use (default is http) | `5000` | +| `ingress.annotations` | Additional annotations for the Ingress resource | `{}` | +| `ingress.labels` | Additional labels for the Ingress resource | `{}` | +| `ingress.tls` | Enable TLS configuration for the ingress hostname | `true` | +| `ingress.selfSigned` | Create a TLS secret using self-signed certificates | `false` | +| `ingress.extraHosts` | Additional hostname(s) for the ingress | `[]` | +| `ingress.extraPaths` | Additional arbitrary paths to add under the main host | `[]` | +| `ingress.extraTls` | TLS configuration for additional hostnames | `[]` | +| `ingress.secrets` | Custom certificates as secrets (key and certificate must start with appropriate headers) | `[]` | +| `ingress.extraRules` | Additional rules for the ingress | `[]` | + + +## Resource Parameters + +| Parameter | Description | Default Value | +|----------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `resourcesPreset` | Set container resources according to a common preset (none, nano, micro, small, medium, large) | `small` | +| `resources.limits.cpu` | Maximum CPU limit for the container | `300m` | +| `resources.limits.memory` | Maximum memory limit for the container | `1Gi` | +| `resources.requests.cpu` | Minimum CPU request for the container | `200m` | +| `resources.requests.memory` | Minimum memory request for the container | `512Mi` | +| `customStartupProbe` | Custom startup probe for the component | `{}` | +| `customLivenessProbe` | Custom liveness probe for the component | `{}` | +| `customReadinessProbe` | Custom readiness probe for the component | `{}` | + + +## Service Parameters + +| Parameter | Description | Default Value | +|----------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `service.type` | Kubernetes service type (`ClusterIP`, `NodePort`, or `LoadBalancer`) | `ClusterIP` | +| `service.ports` | Ports for the forms-flow-api service | `[ { name: http, port: 5000, targetPort: http, protocol: TCP } ]` | +| `service.loadBalancerIP` | LoadBalancer IP if service type is `LoadBalancer` | `""` | +| `service.loadBalancerSourceRanges` | Allowed addresses when service is LoadBalancer | `[]` | +| `service.externalTrafficPolicy` | External traffic policy to preserve client source IP | `""` | +| `service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `service.annotations` | Annotations for the forms-flow-api service | `{}` | +| `service.sessionAffinity` | Session Affinity for the service, can be "None" or "ClientIP" | `None` | +| `service.sessionAffinityConfig` | Additional settings for sessionAffinity | `{}` | +| `service.headless.annotations` | Annotations for the headless service | `{}` | +| `configuration` | Additional configuration options | `[]` | +| `containerPorts.http` | HTTP port for the container | `5000` | + + +## Database Parameters + +| Parameter | Description | Default Value | +|----------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `database.username` | Database username | `postgres` | +| `database.password` | Database password | `postgres` | +| `database.dbName` | Name of the database | `forms-flow-api` | +| `database.host` | Host for the database | `forms-flow-ai-postgresql-ha-pgpool` | +| `database.port` | Port for the database | `5432` | + diff --git a/charts/forms-flow-api/templates/_helpers.tpl b/charts/forms-flow-api/templates/_helpers.tpl new file mode 100644 index 00000000..f72448e5 --- /dev/null +++ b/charts/forms-flow-api/templates/_helpers.tpl @@ -0,0 +1,91 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "forms-flow-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "forms-flow-api.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "forms-flow-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "forms-flow-api.labels" -}} +helm.sh/chart: {{ include "forms-flow-api.chart" . }} +{{ include "forms-flow-api.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "forms-flow-api.selectorLabels" -}} +app.kubernetes.io/name: {{ include "forms-flow-api.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "forms-flow-api.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "forms-flow-api.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Return true if a configmap object should be created +*/}} +{{- define "forms-flow-api.createConfigmap" -}} +{{- if and .Values.configuration (not .Values.existingConfigmap) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* + Return the proper forms-flow-api image name +*/}} +{{- define "forms-flow-api.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper forms-flow-api side car nginx image name +*/}} +{{- define "forms-flow-api.nginx.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.ExtraContainer.image "global" .Values.global) }} +{{- end -}} +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "forms-flow-api.imagePullSecrets" -}} +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) -}} +{{- end -}} \ No newline at end of file diff --git a/charts/forms-flow-api/templates/configmap.yaml b/charts/forms-flow-api/templates/configmap.yaml index a7a821f3..9b41932f 100644 --- a/charts/forms-flow-api/templates/configmap.yaml +++ b/charts/forms-flow-api/templates/configmap.yaml @@ -1,34 +1,13 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} -data: - DATABASE_URL: "{{tpl .Values.database.url .}}" - FORMSFLOW_API_PORT: "{{ .Values.database.port }}" ---- -{{- if .Values.elastic_search.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Chart.Name }}-fb-config -data: - "filebeat.yml": |- - filebeat.inputs: - - type: log - enabled: true - paths: - - /forms-flow-api/app/logs/* - output.elasticsearch: - hosts: "${ELASTIC_SERVER}" - index: "forms-flow-webapi-%{+yyyy.MM.dd}" - setup.template.name: "forms-flow-webapi" - setup.template.pattern: "forms-flow-webapi-*" - setup.template.overwrite: true - setup.template.enabled: false - setup.template.settings: - index.number_of_shards: 1 - setup.ilm.enabled: false -{{- end}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-api + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + FORMSFLOW_API_PORT: "{{ .Values.database.port }}" + \ No newline at end of file diff --git a/charts/forms-flow-api/templates/deployment.yaml b/charts/forms-flow-api/templates/deployment.yaml index 6894e438..86f17c90 100644 --- a/charts/forms-flow-api/templates/deployment.yaml +++ b/charts/forms-flow-api/templates/deployment.yaml @@ -1,286 +1,317 @@ ---- -apiVersion: apps/v1 +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: - labels: - app: "{{ .Chart.Name }}" - name: "{{ .Chart.Name }}" + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: - replicas: {{ .Values.replicas }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: - app: "{{ .Chart.Name }}" - strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 25% - type: RollingUpdate + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + replicas: {{ .Values.replicaCount }} + strategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }} template: metadata: - labels: - app: "{{ .Chart.Name }}" + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: forms-flow-api + annotations: + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + {{- if (include "forms-flow-api.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} spec: - containers: - {{- if .Values.elastic_search.enabled }} - - name: filebeat-api - image: docker.elastic.co/beats/filebeat:7.14.0 - env: - - name: ELASTIC_SERVER + serviceAccountName: {{ include "forms-flow-api.serviceAccountName" . }} + {{- include "forms-flow-api.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "jenkins-controller" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "jenkins-controller" "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + containers: + - name: forms-flow-api + image: {{ include "forms-flow-api.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: MONGODB_URI valueFrom: configMapKeyRef: - key: ELASTIC_SERVER + key: MONGODB_URI name: "{{ .Values.formsflow.configmap }}" - volumeMounts: - - name: api-logs - mountPath: /forms-flow-api/app/logs - - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - name: api-filebeat - {{- end}} - - env: - - name: MONGODB_URI - valueFrom: - configMapKeyRef: - key: MONGODB_URI - name: "{{ .Values.formsflow.configmap }}" - - name: BPM_API_URL - valueFrom: - configMapKeyRef: - key: BPM_API_URL - name: "{{ .Values.formsflow.configmap }}" - - name: BPM_CLIENT_ID - valueFrom: - secretKeyRef: - key: KEYCLOAK_CLIENTID - name: "{{ .Values.formsflow.secret }}" - - name: BPM_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: KEYCLOAK_CLIENTSECRET - name: "{{ .Values.formsflow.secret }}" - - name: BPM_TOKEN_API - valueFrom: - configMapKeyRef: - key: KEYCLOAK_TOKEN_URL - name: "{{ .Values.formsflow.configmap }}" - {{- if .Values.ExternalDatabase.ExistingDatabaseNameKey }} - - name: FORMSFLOW_API_DB_NAME - valueFrom: - secretKeyRef: - key: {{ .Values.ExternalDatabase.ExistingDatabaseNameKey }} - name: "{{ .Values.ExternalDatabase.ExistingSecretName }}" - {{- end }} - {{- if not .Values.ExternalDatabase.ExistingDatabaseNameKey }} - - name: FORMSFLOW_API_DB_NAME - valueFrom: - secretKeyRef: - key: FORMSFLOW_API_DB_NAME - name: "{{ .Chart.Name }}" - {{- end }} - {{- if .Values.ExternalDatabase.ExistingDatabasePasswordKey }} - - name: FORMSFLOW_API_DB_PASSWORD - valueFrom: - secretKeyRef: - key: {{ .Values.ExternalDatabase.ExistingDatabasePasswordKey }} - name: "{{ .Values.ExternalDatabase.ExistingSecretName }}" - {{- end }} - {{- if not .Values.ExternalDatabase.ExistingDatabasePasswordKey }} - - name: FORMSFLOW_API_DB_PASSWORD - valueFrom: - secretKeyRef: - key: FORMSFLOW_API_DB_PASSWORD - name: "{{ .Chart.Name }}" - {{- end }} - {{- if .Values.ExternalDatabase.ExistingDatabaseUserNameKey }} - - name: FORMSFLOW_API_DB_USER - valueFrom: - secretKeyRef: - key: {{ .Values.ExternalDatabase.ExistingDatabaseUserNameKey }} - name: "{{ .Values.ExternalDatabase.ExistingSecretName }}" - {{- end }} - {{- if not .Values.ExternalDatabase.ExistingDatabaseUserNameKey }} - - name: FORMSFLOW_API_DB_USER - valueFrom: - secretKeyRef: - key: FORMSFLOW_API_DB_USER - name: "{{ .Chart.Name }}" - {{- end }} - - name: FORMSFLOW_API_PORT - valueFrom: - configMapKeyRef: - key: FORMSFLOW_API_PORT - name: "{{ .Chart.Name }}" - {{- if .Values.ExternalDatabase.ExistingDatabasHostKey }} - - name: FORMSFLOW_API_HOSTNAME - valueFrom: - secretKeyRef: - key: {{ .Values.ExternalDatabase.ExistingDatabaseHostKey }} - name: "{{ .Values.ExternalDatabase.ExistingSecretName }}" - {{- end }} - {{- if not .Values.ExternalDatabase.ExistingDatabaseHostKey }} - - name: FORMSFLOW_API_HOSTNAME - valueFrom: - secretKeyRef: - key: FORMSFLOW_API_HOSTNAME - name: "{{ .Chart.Name }}" - {{- end }} - - name: DATABASE_URL - valueFrom: - configMapKeyRef: - key: DATABASE_URL - name: "{{ .Chart.Name }}" - - name: JWT_OIDC_ALGORITHMS - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_ALGORITHMS - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_AUDIENCE - valueFrom: - secretKeyRef: - key: WEB_CLIENTID - name: "{{ .Values.formsflow.secret }}" - - name: JWT_OIDC_CACHING_ENABLED - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_CACHING_ENABLED - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_ISSUER - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_ISSUER - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_JWKS_CACHE_TIMEOUT - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_JWKS_CACHE_TIMEOUT - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_JWKS_URI - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_JWKS_URI - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_WELL_KNOWN_CONFIG - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_CONFIG - name: "{{ .Values.formsflow.configmap }}" - - name: KEYCLOAK_URL - valueFrom: - configMapKeyRef: - key: KEYCLOAK_URL - name: "{{ .Values.formsflow.configmap }}" - - name: WEB_API_BASE_URL - valueFrom: - configMapKeyRef: - key: WEB_API_URL - name: "{{ .Values.formsflow.configmap }}" - - name: KEYCLOAK_URL_REALM - valueFrom: - configMapKeyRef: - key: KEYCLOAK_URL_REALM - name: "{{ .Values.formsflow.configmap }}" - - name: INSIGHT_API_URL - valueFrom: - configMapKeyRef: - key: INSIGHT_API_URL - name: "{{ .Values.formsflow.configmap }}" - - name: INSIGHT_API_KEY - valueFrom: - secretKeyRef: - key: INSIGHT_API_KEY - name: "{{ .Values.formsflow.secret }}" - - name: KEYCLOAK_ENABLE_CLIENT_AUTH - valueFrom: - configMapKeyRef: - key: KEYCLOAK_ENABLE_CLIENT_AUTH - name: "{{ .Values.formsflow.configmap }}" - - name: MULTI_TENANCY_ENABLED - valueFrom: - configMapKeyRef: - key: MULTI_TENANCY_ENABLED - name: "{{ .Values.formsflow.configmap }}" - - name: FORMIO_URL - valueFrom: - configMapKeyRef: - key: FORMIO_URL - name: "{{ .Values.formsflow.configmap }}" - - name: FORMIO_ROOT_EMAIL - valueFrom: - secretKeyRef: - key: FORMIO_ROOT_EMAIL - name: "{{ .Values.formsflow.secret }}" - - name: FORMIO_ROOT_PASSWORD - valueFrom: - secretKeyRef: - key: FORMIO_ROOT_PASSWORD - name: "{{ .Values.formsflow.secret }}" - - name: FORMIO_JWT_SECRET - valueFrom: - secretKeyRef: - key: FORMIO_JWT_SECRET - name: "{{ .Values.formsflow.secret }}" - - name: IPAAS_EMBEDDED_API_KEY - valueFrom: - secretKeyRef: - key: IPAAS_EMBEDDED_API_KEY - name: "{{ .Values.formsflow.secret }}" - - name: IPAAS_JWT_PRIVATE_KEY - valueFrom: - secretKeyRef: - key: IPAAS_JWT_PRIVATE_KEY - name: "{{ .Values.formsflow.secret }}" - - name: IPAAS_EMBED_BASE_URL - valueFrom: - configMapKeyRef: - key: IPAAS_EMBED_BASE_URL - name: "{{ .Values.formsflow.configmap }}" - - name: IPAAS_API_BASE_URL - valueFrom: - configMapKeyRef: - key: IPAAS_API_BASE_URL - name: "{{ .Values.formsflow.configmap }}" - - name: REDIS_URL - valueFrom: - configMapKeyRef: - key: REDIS_URL - name: "{{ .Values.formsflow.configmap }}" - - name: FORMSFLOW_API_CORS_ORIGINS - value: '*' - - name: CONFIGURE_LOGS - valueFrom: - configMapKeyRef: - key: CONFIGURE_LOGS - name: "{{ .Values.formsflow.configmap }}" - - name: KEYCLOAK_URL_HTTP_RELATIVE_PATH - valueFrom: - configMapKeyRef: - key: KEYCLOAK_URL_HTTP_RELATIVE_PATH - name: "{{ .Values.formsflow.configmap }}" - - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" - name: "{{ .Chart.Name }}" - imagePullPolicy: Always - ports: - - containerPort: {{ .Values.ingress.port }} - resources: - limits: - cpu: "{{ .Values.resources.limits.cpu }}" - memory: "{{ .Values.resources.limits.memory }}" - requests: - cpu: "{{ .Values.resources.requests.cpu }}" - memory: "{{ .Values.resources.requests.memory }}" - stdin: true - tty: true - {{- if .Values.elastic_search.enabled }} - volumeMounts: - - name: api-logs - mountPath: /forms-flow-api/app/logs + - name: BPM_API_URL + valueFrom: + configMapKeyRef: + key: BPM_API_URL + name: "{{ .Values.formsflow.configmap }}" + - name: BPM_CLIENT_ID + valueFrom: + secretKeyRef: + key: KEYCLOAK_CLIENTID + name: "{{ .Values.formsflow.secret }}" + - name: BPM_CLIENT_SECRET + valueFrom: + secretKeyRef: + key: KEYCLOAK_CLIENTSECRET + name: "{{ .Values.formsflow.secret }}" + - name: BPM_TOKEN_API + valueFrom: + configMapKeyRef: + key: KEYCLOAK_TOKEN_URL + name: "{{ .Values.formsflow.configmap }}" + {{- $secretName := .Values.ExternalDatabase.ExistingSecretName | default .Chart.Name }} + {{- $configmapName := .Values.ExternalDatabase.ExistingConfigmapName | default .Chart.Name }} + {{- with .Values.ExternalDatabase }} + - name: DATABASE_NAME + valueFrom: + secretKeyRef: + key: {{ .ExistingDatabaseNameKey | default "FORMSFLOW_API_DB_NAME" }} + name: "{{ $secretName }}" + - name: DATABASE_PASSWORD + valueFrom: + secretKeyRef: + key: {{ .ExistingDatabasePasswordKey | default "FORMSFLOW_API_DB_PASSWORD" }} + name: "{{ $secretName }}" + - name: DATABASE_USERNAME + valueFrom: + secretKeyRef: + key: {{ .ExistingDatabaseUserNameKey | default "FORMSFLOW_API_DB_USER" }} + name: "{{ $secretName }}" + - name: DATABASE_PORT + valueFrom: + configMapKeyRef: + key: {{ .ExistingDatabasePortKey | default "FORMSFLOW_API_PORT" }} + name: "{{ $configmapName }}" + - name: DATABASE_HOST + valueFrom: + secretKeyRef: + key: {{ .ExistingDatabaseHostKey | default "FORMSFLOW_API_HOSTNAME" }} + name: "{{ $secretName }}" + {{- end }} + - name: JWT_OIDC_ALGORITHMS + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_ALGORITHMS + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_AUDIENCE + valueFrom: + secretKeyRef: + key: WEB_CLIENTID + name: "{{ .Values.formsflow.secret }}" + - name: JWT_OIDC_CACHING_ENABLED + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_CACHING_ENABLED + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_ISSUER + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_ISSUER + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_JWKS_CACHE_TIMEOUT + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_JWKS_CACHE_TIMEOUT + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_JWKS_URI + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_JWKS_URI + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_WELL_KNOWN_CONFIG + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_CONFIG + name: "{{ .Values.formsflow.configmap }}" + - name: KEYCLOAK_URL + valueFrom: + configMapKeyRef: + key: KEYCLOAK_URL + name: "{{ .Values.formsflow.configmap }}" + - name: WEB_API_BASE_URL + valueFrom: + configMapKeyRef: + key: WEB_API_URL + name: "{{ .Values.formsflow.configmap }}" + - name: KEYCLOAK_URL_REALM + valueFrom: + configMapKeyRef: + key: KEYCLOAK_URL_REALM + name: "{{ .Values.formsflow.configmap }}" + - name: INSIGHT_API_URL + valueFrom: + configMapKeyRef: + key: INSIGHT_API_URL + name: "{{ .Values.formsflow.configmap }}" + - name: INSIGHT_API_KEY + valueFrom: + secretKeyRef: + key: INSIGHT_API_KEY + name: "{{ .Values.formsflow.secret }}" + - name: KEYCLOAK_ENABLE_CLIENT_AUTH + valueFrom: + configMapKeyRef: + key: KEYCLOAK_ENABLE_CLIENT_AUTH + name: "{{ .Values.formsflow.configmap }}" + - name: MULTI_TENANCY_ENABLED + valueFrom: + configMapKeyRef: + key: MULTI_TENANCY_ENABLED + name: "{{ .Values.formsflow.configmap }}" + - name: FORMSFLOW_ADMIN_URL + valueFrom: + configMapKeyRef: + key: FORMSFLOW_ADMIN_URL + name: "{{ .Values.formsflow.configmap }}" + - name: FORMIO_URL + valueFrom: + configMapKeyRef: + key: FORMIO_URL + name: "{{ .Values.formsflow.configmap }}" + - name: FORMIO_ROOT_EMAIL + valueFrom: + secretKeyRef: + key: FORMIO_ROOT_EMAIL + name: "{{ .Values.formsflow.secret }}" + - name: FORMIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + key: FORMIO_ROOT_PASSWORD + name: "{{ .Values.formsflow.secret }}" + - name: FORMIO_JWT_SECRET + valueFrom: + secretKeyRef: + key: FORMIO_JWT_SECRET + name: "{{ .Values.formsflow.secret }}" + - name: IPAAS_EMBEDDED_API_KEY + valueFrom: + secretKeyRef: + key: IPAAS_EMBEDDED_API_KEY + name: "{{ .Values.formsflow.secret }}" + - name: IPAAS_JWT_PRIVATE_KEY + valueFrom: + secretKeyRef: + key: IPAAS_JWT_PRIVATE_KEY + name: "{{ .Values.formsflow.secret }}" + - name: IPAAS_EMBED_BASE_URL + valueFrom: + configMapKeyRef: + key: IPAAS_EMBED_BASE_URL + name: "{{ .Values.formsflow.configmap }}" + - name: IPAAS_API_BASE_URL + valueFrom: + configMapKeyRef: + key: IPAAS_API_BASE_URL + name: "{{ .Values.formsflow.configmap }}" + - name: REDIS_URL + valueFrom: + configMapKeyRef: + key: REDIS_URL + name: "{{ .Values.formsflow.configmap }}" + - name: FORMSFLOW_API_CORS_ORIGINS + value: '*' + - name: CONFIGURE_LOGS + valueFrom: + configMapKeyRef: + key: CONFIGURE_LOGS + name: "{{ .Values.formsflow.configmap }}" + - name: KEYCLOAK_URL_HTTP_RELATIVE_PATH + valueFrom: + configMapKeyRef: + key: KEYCLOAK_URL_HTTP_RELATIVE_PATH + name: "{{ .Values.formsflow.configmap }}" + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 8 }} + {{- end }} + {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.containerPorts.http }} + protocol: TCP + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: api-logs + mountPath: /forms-flow-api/app/logs + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + - name: nginx + image: {{ include "forms-flow-api.nginx.image" . }} + ports: + - containerPort: {{ .Values.ingress.servicePort }} + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf volumes: - name: api-logs - - name: api-filebeat + emptyDir: {} + - name: nginx-config-volume configMap: - name: "{{ .Chart.Name }}-fb-config" - {{- end}} - restartPolicy: Always - imagePullSecrets: - - name: "{{ .Values.formsflow.auth }}" + name: forms-flow-api-nginx-config + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + restartPolicy: Always \ No newline at end of file diff --git a/charts/forms-flow-api/templates/hpa.yaml b/charts/forms-flow-api/templates/hpa.yaml index 6097cf6d..187c9065 100644 --- a/charts/forms-flow-api/templates/hpa.yaml +++ b/charts/forms-flow-api/templates/hpa.yaml @@ -1,20 +1,61 @@ -{{- if .Values.hpa.enabled}} -apiVersion: autoscaling/v2 +{{- if .Values.autoscaling.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} kind: HorizontalPodAutoscaler metadata: - name: {{ .Chart.Name }} + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-api + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ .Chart.Name }} - minReplicas: 1 - maxReplicas: {{.Values.hpa.maxReplicas}} + apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} + kind: StatefulSet + name: {{ template "common.names.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: + {{- if .Values.autoscaling.targetCPU }} - type: Resource resource: name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- else }} target: type: Utilization - averageUtilization: {{.Values.hpa.CpuAverageUtilization}} -{{- end}} \ No newline at end of file + averageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- end }} + {{- end }} + {{- if .Values.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- end }} + {{- end }} + {{- if or .Values.autoscaling.behavior.scaleDown.policies .Values.autoscaling.behavior.scaleUp.policies }} + behavior: + {{- if .Values.autoscaling.behavior.scaleDown.policies }} + scaleDown: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleDown.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleDown.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleDown.policies | nindent 8 }} + {{- end }} + {{- if .Values.autoscaling.behavior.scaleUp.policies }} + scaleUp: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleUp.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleUp.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleUp.policies | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-api/templates/ingress.yaml b/charts/forms-flow-api/templates/ingress.yaml index 081bd3bb..ec643f93 100644 --- a/charts/forms-flow-api/templates/ingress.yaml +++ b/charts/forms-flow-api/templates/ingress.yaml @@ -1,35 +1,56 @@ -apiVersion: networking.k8s.io/v1 +{{- if .Values.ingress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: - annotations: -{{ toYaml .Values.ingress.annotations | indent 4 }} - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-api + {{- if or .Values.ingress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: - ingressClassName: {{ .Values.ingress.ingressClassName }} - {{- if or (and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} + {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.ingress.hostname }} + - host: {{ (tpl .Values.ingress.hostname .) | quote }} + http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ include "common.tplvalues.render" ( dict "value" .Values.ingress.path "context" $) }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} + - host: {{ (tpl .name $) }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} tls: - {{- if and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.secrets .Values.ingress.selfSigned) }} + {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.secrets .Values.ingress.selfSigned) }} - hosts: - {{ (tpl .Values.ingress.hostname .) | quote }} secretName: {{ printf "%s-tls" (tpl .Values.ingress.hostname .) }} - {{- else }} - - {} - {{- end}} - {{- else }} - tls: - - {} - {{- end}} - rules: - - - host: "{{tpl .Values.ingress.hostname .}}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ .Chart.Name }} - port: - number: {{ .Values.ingress.port }} + {{- end }} + {{- if .Values.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-api/templates/pdb.yaml b/charts/forms-flow-api/templates/pdb.yaml new file mode 100644 index 00000000..3e5a4c28 --- /dev/null +++ b/charts/forms-flow-api/templates/pdb.yaml @@ -0,0 +1,21 @@ +{{- if .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-api/templates/proxy-config.yaml b/charts/forms-flow-api/templates/proxy-config.yaml new file mode 100644 index 00000000..d052b7a1 --- /dev/null +++ b/charts/forms-flow-api/templates/proxy-config.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }}-nginx-config + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-api + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + nginx.conf: | + events { worker_connections 1024; } + http { + server { + listen {{ .Values.ingress.servicePort }}; + location /webapi { + sub_filter ="/webapi/swaggerui/ ="/webapi/swaggerui/; + sub_filter_once off; + sub_filter_types application/javascript text/css text/xml text/javascript application/json text/plain; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header SCRIPT_NAME /webapi; + proxy_pass http://localhost:{{ .Values.containerPorts.http }}; + } + } + } + pid /tmp/nginx.pid; \ No newline at end of file diff --git a/charts/forms-flow-api/templates/secret.yaml b/charts/forms-flow-api/templates/secret.yaml deleted file mode 100644 index 5ed50917..00000000 --- a/charts/forms-flow-api/templates/secret.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - app: "{{ .Chart.Name }}" - name: "{{ .Chart.Name }}" -stringData: - FORMSFLOW_API_DB_USER: {{ .Values.database.username }} - FORMSFLOW_API_DB_PASSWORD: {{ .Values.database.password }} - FORMSFLOW_API_DB_NAME: {{ .Values.database.dbName }} - FORMSFLOW_API_HOSTNAME: {{ .Values.database.dbName }} - diff --git a/charts/forms-flow-api/templates/secrets.yaml b/charts/forms-flow-api/templates/secrets.yaml new file mode 100644 index 00000000..0980169b --- /dev/null +++ b/charts/forms-flow-api/templates/secrets.yaml @@ -0,0 +1,18 @@ +{{- if not .Values.existingSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }} + app.kubernetes.io/component: forms-flow-api + {{- if or .Values.annotations .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.merge" (dict "values" (list .Values.annotations .Values.commonAnnotations) "context" $) | nindent 4 }} + {{- end }} +type: Opaque +stringData: + FORMSFLOW_API_DB_USER: {{ .Values.database.username }} + FORMSFLOW_API_DB_PASSWORD: {{ .Values.database.password }} + FORMSFLOW_API_DB_NAME: {{ .Values.database.dbName }} + FORMSFLOW_API_HOSTNAME: {{ .Values.database.host }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-api/templates/service.yaml b/charts/forms-flow-api/templates/service.yaml index c627b2f8..18897c86 100644 --- a/charts/forms-flow-api/templates/service.yaml +++ b/charts/forms-flow-api/templates/service.yaml @@ -1,12 +1,34 @@ apiVersion: v1 kind: Service metadata: - name: "{{ .Chart.Name }}" + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} ports: - - name: "{{ .Chart.Name }}" - port: {{ .Values.ingress.port }} - protocol: TCP - targetPort: {{ .Values.ingress.port }} - selector: - app: "{{ .Chart.Name }}" + {{- include "common.tplvalues.render" (dict "value" .Values.service.ports "context" $) | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} diff --git a/charts/forms-flow-api/templates/serviceaccount.yaml b/charts/forms-flow-api/templates/serviceaccount.yaml new file mode 100644 index 00000000..766787a1 --- /dev/null +++ b/charts/forms-flow-api/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "forms-flow-api.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} \ No newline at end of file diff --git a/charts/forms-flow-api/values.yaml b/charts/forms-flow-api/values.yaml index 89637643..896be742 100644 --- a/charts/forms-flow-api/values.yaml +++ b/charts/forms-flow-api/values.yaml @@ -1,49 +1,522 @@ ---- -Domain: # -replicas: 1 +replicaCount: 1 +image: + registry: docker.io + repository: formsflow/forms-flow-webapi + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "v7.0.0" + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: + - forms-flow-ai-auth +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} + +## @param tolerations Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param nodeSelector Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param priorityClassName Pod priority +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" +## @param schedulerName Name of the k8s scheduler (other than default) +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param terminationGracePeriodSeconds In seconds, time the given to the forms-flow-api pod needs to terminate gracefully +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +terminationGracePeriodSeconds: "" +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment +## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## The value is evaluated as a template +## +topologySpreadConstraints: [] + +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +hostAliases: [] + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + ## @param automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false +## @param podAnnotations Pod annotations +## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param podLabels Extra labels for forms-flow-api pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + +## K8s Security Context for forms-flow-api pods +## Configure Pods Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled forms-flow-api pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Set forms-flow-api pod's Security Context fsGroup +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 +## Configure Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: false + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## @param command Override default container command (useful when using custom images) +## +command: [] +## @param args Override default container args (useful when using custom images) +## +args: [] +## @param lifecycleHooks for the forms-flow-api container(s) to automate configuration before or after startup +## +lifecycleHooks: {} +automountServiceAccountToken: true +## @param extraEnvVars Extra environment variables to be set on formsflow api container +## Example: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: [] +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraVolumes Array to add extra volumes (evaluated as a template) +## extraVolumes: +## - name: myvolume +## configMap: +## name: myconfigmap +## +extraVolumes: {} +## @param extraVolumeMounts Array to add extra mounts (normally used with extraVolumes, evaluated as a template) +## extraVolumeMounts: +## - mountPath: /opt/bitnami/desired-path +## name: myvolume +## readOnly: true +## +extraVolumeMounts: {} +## sidecars configuration +sidecars: {} +ExtraContainer: + ## nginx configuration for sidecar + image: + registry: docker.io + repository: nginxinc/nginx-unprivileged + pullPolicy: IfNotPresent + tag: "latest" +## @param auth.existingSecret Existing secret containing password,username,dbname and + ## +existingSecret: "" +## @param updateStrategy.type Set up update strategy for forms-flow-api installation. +## Set to Recreate if you use persistent volume that cannot be mounted by more than one pods to make sure the pods is destroyed first. +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## Example: +## updateStrategy: +## type: RollingUpdate +## rollingUpdate: +## maxSurge: 25% +## maxUnavailable: 25% +## +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + +## forms-flow-api ingress parameters +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress record generation for forms-flow-api + ## + enabled: true + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param ingress.pathType Ingress path type + ## + pathType: Prefix + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.controller The ingress controller type. Currently supports `default` and `gce` + ## leave as `default` for most ingress controllers. + ## set to `gce` if using the GCE ingress controller + ## + controller: default + ## @param ingress.hostname Default host for the ingress record (evaluated as template) + ## + hostname: forms-flow-api.local + ## @param ingress.path [string] Default path for the ingress record (evaluated as template) + ## + path: "/webapi" + ## @param ingress.servicePort Backend service port to use + ## Default is http. Alternative is https. + ## + servicePort: 8080 + ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.labels Additional labels for the Ingress resource. + ## e.g: + ## labels: + ## app: forms-flow-api + ## + labels: {} + ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}` + ## You can: + ## - Use the `ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## + tls: true + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: forms-flow-api.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. + ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - forms-flow-api.local + ## secretName: forms-flow-api.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## - name: forms-flow-api.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: airflow.local + ## http: + ## path: / + ## backend: + ## service: + ## name: airflow-svc + ## port: + ## name: http + ## + extraRules: [] +## forms-flow-api admin ingress parameters +## ref: https://kubernetes.io/docs/user-guide/ingress/ +## +## Pod disruption budget configuration +## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +## @param pdb.create If true, create a pod disruption budget for pods. +## @param pdb.minAvailable Minimum number / percentage of pods that should remain scheduled +## @param pdb.maxUnavailable Maximum number / percentage of pods that may be made unavailable +## +pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## forms-flow-api containers' resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "small" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: + limits: + cpu: 300m + memory: 1Gi + requests: + cpu: 200m + memory: 512Mi +## @param customStartupProbe Custom startup probe for the Web component +## + +## @param customStartupProbe Custom startup probe for the Web component +## +customStartupProbe: {} +## @param customLivenessProbe Custom liveness probe for the Web component +## +customLivenessProbe: {} +## @param customReadinessProbe Custom readiness probe for the Web component +## +customReadinessProbe: {} +## Service parameters +## +service: + ## @param service.type Kubernetes service type (`ClusterIP`, `NodePort`, or `LoadBalancer`) + ## + type: ClusterIP + ## @param service.ports [array] forms-flow-api service ports (evaluated as a template) + ## + ports: + - name: http + port: 5000 + targetPort: http + protocol: TCP + - name: nginx + port: 8080 + targetPort: 8080 + protocol: TCP + ## - name: system + ## port: 1764 + ## + ## @param service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalTrafficPolicy External traffic policy, configure to Local to preserve client source IP when using an external loadBalancer + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: "" + ## @param service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.annotations Annotations for forms-flow-api service + ## + annotations: {} + ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param service.headless.annotations Annotations for the headless service. + ## + annotations: {} + +configuration: [] + +containerPorts: + http: 5000 + +## forms-flow-api Autoscaling configuration +## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +## @param autoscaling.enabled Enable autoscaling for forms-flow-api +## @param autoscaling.minReplicas Minimum number of forms-flow-api replicas +## @param autoscaling.maxReplicas Maximum number of forms-flow-api replicas +## @param autoscaling.targetCPU Target CPU utilization percentage +## @param autoscaling.targetMemory Target Memory utilization percentage +## +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPU: "" + targetMemory: "" + ## HPA Scaling Behavior + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior + ## + behavior: + ## HPA behavior when scaling up + ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up + ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up + ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up + ## e.g: + ## Policy to scale 20% of the pod in 60s + ## - type: Percent + ## value: 20 + ## periodSeconds: 60 + ## + scaleUp: + stabilizationWindowSeconds: 120 + selectPolicy: Max + policies: [] + ## HPA behavior when scaling down + ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down + ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down + ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down + ## e.g: + ## Policy to scale one pod in 300s + ## - type: Pods + ## value: 1 + ## periodSeconds: 300 + ## + scaleDown: + stabilizationWindowSeconds: 300 + selectPolicy: Max + policies: + - type: Pods + value: 1 + periodSeconds: 300 + database: username: "postgres" password: "postgres" dbName: "forms-flow-api" host: "forms-flow-ai-postgresql-ha-pgpool" port: 5432 - url: "postgresql://{{.Values.database.username}}:{{.Values.database.password}}@{{.Values.database.host}}:{{.Values.database.port}}/{{.Chart.Name}}" ExternalDatabase: ExistingDatabaseNameKey: "" ExistingDatabaseUserNameKey: "" ExistingDatabasePasswordKey: "" ExistingDatabaseHostKey: "" + ExistingDatabasePortKey: "" ExistingSecretName: "" #name of the existing secret + ExistingConfigmapName: "" -resources: - limits: - cpu: 300m - memory: 1Gi - requests: - cpu: 200m - memory: 512Mi formsflow: configmap: forms-flow-ai # name of formsflow.ai configmap secret: forms-flow-ai #name of formsflow.ai secret - auth: forms-flow-ai-auth -ingress: - ingressClassName: "" - annotations: - - enabled: true # create an ingress for this component - hostname: "{{.Chart.Name}}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}" - port: 5000 - tls: true - selfSigned: false - extraTls: - - {} -image: - registry: docker.io - repository: formsflow/forms-flow-webapi - tag: v6.0.2 #The image tag to pull from -hpa: - enabled: false - CpuAverageUtilization: 80 - maxReplicas: 3 -elastic_search: - enabled: false \ No newline at end of file diff --git a/charts/forms-flow-bpm/.helmignore b/charts/forms-flow-bpm/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/forms-flow-bpm/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/forms-flow-bpm/Chart.yaml b/charts/forms-flow-bpm/Chart.yaml index 92b5aba9..cd15a6f0 100644 --- a/charts/forms-flow-bpm/Chart.yaml +++ b/charts/forms-flow-bpm/Chart.yaml @@ -1,5 +1,13 @@ ---- apiVersion: v2 name: forms-flow-bpm -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file +description: forms-flow-bpm is a component which leverages Camunda for workflow and decision automation and its provided by formsflow. +icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" +version: v8.0.0 +type: application +appVersion: "8.0.0" +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x diff --git a/charts/forms-flow-bpm/README.md b/charts/forms-flow-bpm/README.md new file mode 100644 index 00000000..fa48088a --- /dev/null +++ b/charts/forms-flow-bpm/README.md @@ -0,0 +1,297 @@ +# Formsflow Workflow Engine + +Formsflow.ai leverages Camunda for workflow and decision automation. + +To know more about Camunda, visit https://camunda.com/. + + +## Introduction + +This chart bootstraps a forms-flow-bpm deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + + +## Installing the Chart + +To install the chart with the release name `forms-flow-bpm`: + +```console +helm install forms-flow-bpm forms-flow-bpm +``` + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm install forms-flow-bpm forms-flow-bpm --set ingress.ingressClassName=INGRESS_CLASS --set camunda.websocket.securityOrigin=FORMS_FLOW_WEB_URL --set ingress.hostname=HOSTNAME +``` + +> Note: You need to substitute the placeholders `INGRESS_CLASS`, `FORMS_FLOW_WEB_URL` and `HOSTNAME` with a reference to your Helm chart registry and repository. For example, in the case of Formsflow, you need to use `INGRESS_CLASS=nginx` Use `--set image.repository=formsflow/forms-flow-bpm-ee` for deploy the enterprise version + +These commands deploy Forms-flow-bpm on the Kubernetes cluster + +> **Tip**: List all releases using `helm list` + +### Resource requests and limits + +Forms-flow-bpm charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +```yaml +resources: + limits: + cpu: 600m + memory: 1Gi + requests: + cpu: 500m + memory: 512Mi +``` +### Change Forms-flow-bpm version + +To modify the Forms-flow-bpm version used in this chart you can specify a [valid image tag](https://hub.docker.com/repository/docker/formsflow/forms-flow-bpm) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. + +#### Using the OpenSource Version +By default, the chart uses the OpenSource version of the `Forms-flow-bpm`. You can change the image tag to any valid version of the OpenSource image, as shown below: + +```yaml +image: + registry: docker.io + repository: formsflow/forms-flow-bpm + tag: X.Y.Z # Replace with the desired OpenSource version +``` +#### Using the Enterprise Version +If you're using the enterprise version of Forms-flow-bpm, you can switch the image repository to `formsflow/forms-flow-bpm-ee`. The enterprise version includes additional features and support designed for larger-scale or production environments. To use the enterprise version, update the repository field as shown below: + +```yaml +image: + registry: docker.io + repository: formsflow/forms-flow-bpm-ee + tag: X.Y.Z # Replace with the desired enterprise version +``` +Make sure to replace X.Y.Z with the specific version number you wish to use for either the OpenSource or enterprise version. + +## Persistence + +The `forms-flow-bpm` image stores the application logs at the `/logs` path of the container. + +The `forms-flow-bpm` image supports mounting a mail configuration file at the `/app/mail-config.properties` path of the container. This can be done using a ConfigMap and mounting it as a volume. + + +### Add extra environment variables for Vault configuration + +These environment variables are used to configure a Vault for storing external secrets. You can use the extraEnvVars property for this purpose. + +```yaml +extraEnvVars: + - name: VAULT_ENABLED + value: "false" + - name: VAULT_URL + value: "http://{your-ip-address}:8200" + - name: VAULT_TOKEN + value: "" + - name: VAULT_PATH + value: "" + - name: VAULT_SECRET + value: "" +``` +## Sidecar Configuration + +To add a sidecar to your `Forms-flow-bpm` deployment, you can use the following configuration. In this case, the sidecar container is an Nginx container used for configuration management. + +### Example Sidecar Configuration + +```yaml +sidecars: + - name: nginx + image: nginx:latest + ports: + - containerPort: 80 + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf +``` + +## Path Update +The `Forms-flow-bpm` can now be accessed at the `/camunda` route. Ensure that all configurations and requests reference this updated path. + +For example: + +``` +https:///camunda +``` +## Parameters + +| Parameter | Description | Default Value | +|----------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `replicaCount` | Number of replicas for the deployment | `1` | +| `existingSecret` | Existing secret containing password, username, dbname | `""` | +| `image.registry` | Container image registry | `docker.io` | +| `image.repository` | Container image repository | `formsflow/forms-flow-bpm` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.tag` | Image tag | `v7.0.0` | +| `image.pullSecrets` | Pull secrets for the image | `forms-flow-ai-auth` | +| `nameOverride` | Override for common names | `""` | +| `fullnameOverride` | Full override for common names | `""` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `dnsPolicy` | DNS Policy for pod | `ClusterFirst` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `affinity` | Node affinity rules | `{}` | +| `priorityClassName` | Priority class for the pod | `""` | +| `schedulerName` | Name of the scheduler | `default-scheduler` | +| `terminationGracePeriodSeconds` | Grace period for pod termination | `30` | +| `topologySpreadConstraints` | Constraints for pod topology spread | `[]` | +| `diagnosticMode.enabled` | Enable diagnostic mode | `false` | +| `diagnosticMode.command` | Command to override all containers | `["sleep"]` | +| `diagnosticMode.args` | Arguments to override all containers | `["infinity"]` | +| `hostAliases` | Deployment host aliases | `[]` | +| `serviceAccount.create` | Specifies whether a service account should be created | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | Name of the service account to use (if not set and create is true, a name is generated) | `""` | +| `serviceAccount.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `podManagementPolicy` | Policy for managing pods | `OrderedReady` | +| `podAnnotations` | Annotations for the pod | `{}` | +| `podLabels` | Labels for the pod | `{}` | +| `podSecurityContext.enabled` | Enable pod security context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | File system group change policy | `Always` | +| `podSecurityContext.fsGroup` | File system group for the pod | `1001` | +| `containerSecurityContext.enabled` | Enable container security context | `true` | +| `containerSecurityContext.runAsUser` | User ID for running the container | `1001` | +| `containerSecurityContext.runAsGroup` | Group ID for running the container | `1001` | +| `containerSecurityContext.runAsNonRoot` | Run as non-root user | `false` | +| `containerSecurityContext.privileged` | Privileged mode for the container | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Read-only root filesystem | `false` | +| `containerSecurityContext.allowPrivilegeEscalation` | Allow privilege escalation | `false` | +| `containerSecurityContext.capabilities.drop` | Capabilities to drop for the container | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Seccomp profile type | `RuntimeDefault` | +| `command` | Override default container command (useful for custom images) | `[]` | +| `args` | Override default container args (useful for custom images) | `[]` | +| `lifecycleHooks` | Lifecycle hooks for the forms-flow-bpm container(s) | `{}` | +| `updateStrategy.type` | Update strategy type | `RollingUpdate` | +| `updateStrategy.rollingUpdate.maxSurge` | Maximum surge during updates | `25%` | +| `updateStrategy.rollingUpdate.maxUnavailable` | Maximum unavailable during updates | `25%` | +| `minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | +| `extraEnvVars` | Additional environment variables for the container | See below | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `extraVolumes` | Additional volumes for the pod | `{}` | +| `extraVolumeMounts` | Additional volume mounts for the pod | `{}` | +| `existingSecret` | Existing secret containing password, username, dbname | `""` | +| `rbac.create` | Create RBAC resources | `false` | +| `rbac.rules` | Custom RBAC rules | `[]` | +| `pdb.create` | Create Pod Disruption Budget | `true` | +| `pdb.minAvailable` | Minimum available pods | `""` | +| `pdb.maxUnavailable` | Maximum unavailable pods | `""` | +| `livenessProbe.enabled` | Enable liveness probe | `true` | +| `livenessProbe.failureThreshold` | Liveness probe failure threshold | `5` | +| `livenessProbe.initialDelaySeconds` | Initial delay before liveness probe | `120` | +| `livenessProbe.periodSeconds` | How often to perform the liveness probe | `60` | +| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful | `1` | +| `livenessProbe.timeoutSeconds` | Timeout for the liveness probe | `3` | +| `readinessProbe.enabled` | Enable readiness probe | `true` | +| `readinessProbe.failureThreshold` | Readiness probe failure threshold | `5` | +| `readinessProbe.initialDelaySeconds` | Initial delay before readiness probe | `120` | +| `readinessProbe.periodSeconds` | How often to perform the readiness probe | `60` | +| `readinessProbe.successThreshold` | Minimum consecutive successes for the readiness probe | `1` | +| `readinessProbe.timeoutSeconds` | Timeout for the readiness probe | `3` | +| `autoscaling.enabled` | Enable autoscaling | `false` | +| `autoscaling.minReplicas` | Minimum number of replicas for autoscaling | `1` | +| `autoscaling.maxReplicas` | Maximum number of replicas for autoscaling | `11` | +| `autoscaling.targetCPU` | Target CPU utilization for autoscaling | `""` | +| `autoscaling.targetMemory` | Target memory utilization for autoscaling | `""` | +| `autoscaling.behavior.scaleUp` | Configuration for scale-up behavior | See values below | +| `autoscaling.behavior.scaleDown` | Configuration for scale-down behavior | See values below | +| `autoscaling.behavior.scaleUp.stabilizationWindowSeconds` | Time window to stabilize scale-up events | `120` | +| `autoscaling.behavior.scaleUp.selectPolicy` | Policy for selecting scale-up behavior | `Max` | +| `autoscaling.behavior.scaleUp.policies` | Policies for scaling up | `[]` | +| `autoscaling.behavior.scaleDown.stabilizationWindowSeconds` | Time window to stabilize scale-down events | `300` | +| `autoscaling.behavior.scaleDown.selectPolicy` | Policy for selecting scale-down behavior | `Max` | +| `autoscaling.behavior.scaleDown.policies` | Policies for scaling down | `[{ "type": "Pods", "value": 1, "periodSeconds": 300 }]` | +| `camunda.analytics.database` | Camunda analytics database name | `forms-flow-analytics` | +| `camunda.auth.enabled` | Enable authentication for Camunda | `true` | +| `camunda.database.name` | Name of the Camunda database | `forms-flow-bpm` | +| `camunda.database.port` | Port for the Camunda database | `5432` | +| `camunda.historyLevel` | History level setting for Camunda | `auto` | +| `camunda.securityOrigin` | Allowed security origin for the application | `'*'` | +| `camunda.logLevel` | Logging level for Camunda | `INFO` | +| `mail.protocol` | The protocol used for mail configuration. | `smtp` | +| `mail.from` | The sender's email address. | `` | +| `mail.password` | Password for the email account. | `` | +| `mail.user` | Username for the email account. | `` | +| `mail.alias` | Alias used for sending emails. | `DoNotReply` | +| `mail.folder` | Default folder for incoming emails. | `INBOX` | +| `mail.smtp.auth` | Specifies if SMTP authentication is required. | `true` | +| `mail.smtp.port` | Port number for SMTP server connection. | `5432` | +| `mail.smtp.server` | SMTP server address. | `` | +| `mail.smtp.socketFactory.port` | Port for the SSL socket factory. | `465` | +| `mail.smtp.socketFactory.class` | Class used for the SSL socket factory. | `javax.net.ssl.SSLSocketFactory` | +| `mail.smtp.ssl.enable` | Specifies if SSL is enabled for the SMTP connection. | `false` | +| `mail.store.protocol` | Protocol used for mail storage. | `imaps` | +| `mail.imaps.host` | Hostname of the IMAP server. | `imap.gmail.com` | +| `mail.imaps.port` | Port number for the IMAP server connection. | `993` | +| `mail.imaps.timeout` | Timeout duration for the IMAP connection in milliseconds. | `1000` | +| `mail.attachment.download` | Specifies if attachments should be downloaded. | `true` | +| `mail.attachment.path` | Path where attachments will be saved. | `attachments` | +| `formsflow.configmap` | Name of the FormsFlow configuration map. | `forms-flow-ai` | +| `formsflow.secret` | Name of the FormsFlow secret. | `forms-flow-ai` | +| `waitFor` | Service and port to wait for before starting. | `${CAMUNDA_DATABASE_SERVICE_NAME}:${CAMUNDA_DATABASE_PORT}` | + +## Vault Parameters + +| Name | Value | +|---------------|--------------------------------------| +| `VAULT_ENABLED` | `"false"` | +| `VAULT_URL` | `"http://{your-ip-address}:8200"` | +| `VAULT_TOKEN` | `""` | +| `VAULT_PATH` | `""` | +| `VAULT_SECRET` | `""` | + + +## Ingress Parameters + +## Ingress + +| Parameter | Description | Default Value | +|--------------------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------| +| `ingress.enabled` | Enable ingress record generation for forms-flow-bpm | `true` | +| `ingress.ingressClassName` | Ingress class name to use | `""` | +| `ingress.path` | Ingress path | `"/camunda"` | +| `ingress.servicePort` | Service port for ingress | `8080` | +| `ingress.tls` | Enable TLS for ingress | `true` | +| `ingress.selfSigned` | Use self-signed certificates for TLS | `false` | +| `ingress.extraHosts` | Additional hosts for the ingress | `[]` | +| `ingress.extraPaths` | Additional paths for the ingress | `[]` | +| `ingress.extraTls` | Additional TLS configurations | `[]` | +| `ingress.secrets` | Secrets for TLS configuration | `[]` | +| `ingress.extraRules` | Additional rules for ingress | `[]` | + +## Resource Parameters + +| Parameter | Description | Default Value | +|--------------------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------| +| `resourcesPreset` | Resource preset (e.g., small, medium, large) | `"small"` | +| `resources.limits.cpu` | CPU limit | `600m` | +| `resources.limits.memory` | Memory limit | `1Gi` | +| `resources.requests.cpu` | CPU request | `500m` | +| `resources.requests.memory` | Memory request | `512Mi` | + +## Service Parameters + +| Parameter | Description | Default Value | +|--------------------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------| +| `service.type` | Kubernetes service type (`ClusterIP`, `NodePort`, or `LoadBalancer`) | `ClusterIP` | +| `service.ports` | Array of ports for the service | `[{"name": "http", "port": 8080, "targetPort": "http", "protocol": "TCP"}]` | +| `service.loadBalancerIP` | LoadBalancer IP if service type is `LoadBalancer` | `""` | +| `service.loadBalancerSourceRanges` | Allowed addresses for LoadBalancer | `[]` | +| `service.externalTrafficPolicy` | External traffic policy to preserve client source IP | `""` | +| `service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `service.annotations` | Annotations for the service | `{}` | +| `service.sessionAffinity` | Session affinity for the service (None or ClientIP) | `None` | +| `service.sessionAffinityConfig` | Additional settings for session affinity | `{}` | +| `service.headless.annotations` | Annotations for the headless service | `{}` | + +## Sidecars and Configuration + +| Parameter | Description | Default Value | +|--------------------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------| +| `sidecars` | Additional sidecar containers for the pod | `[]` | +| `configuration` | Custom configuration for the application | `""` | +| `existingConfigmap` | Existing ConfigMap to use | `""` | diff --git a/charts/forms-flow-bpm/templates/_helpers.tpl b/charts/forms-flow-bpm/templates/_helpers.tpl new file mode 100644 index 00000000..147feb35 --- /dev/null +++ b/charts/forms-flow-bpm/templates/_helpers.tpl @@ -0,0 +1,97 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "forms-flow-bpm.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "forms-flow-bpm.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "forms-flow-bpm.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "forms-flow-bpm.labels" -}} +helm.sh/chart: {{ include "forms-flow-bpm.chart" . }} +{{ include "forms-flow-bpm.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "forms-flow-bpm.selectorLabels" -}} +app.kubernetes.io/name: {{ include "forms-flow-bpm.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "forms-flow-bpm.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "forms-flow-bpm.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "forms-flow-bpm.imagePullSecrets" -}} +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) -}} +{{- end -}} + +{{/* +Return the forms-flow-bpm configuration configmap +*/}} +{{- define "forms-flow-bpm.configmapName" -}} +{{- if .Values.existingConfigmap -}} + {{- printf "%s" (tpl .Values.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created +*/}} +{{- define "forms-flow-bpm.createConfigmap" -}} +{{- if and .Values.configuration (not .Values.existingConfigmap) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* + Return the proper forms-flow-bpm image name +*/}} +{{- define "forms-flow-bpm.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} diff --git a/charts/forms-flow-bpm/templates/configmap.yaml b/charts/forms-flow-bpm/templates/configmap.yaml index ba1ccb07..06e98923 100644 --- a/charts/forms-flow-bpm/templates/configmap.yaml +++ b/charts/forms-flow-bpm/templates/configmap.yaml @@ -1,83 +1,28 @@ ---- -apiVersion: v1 -data: - APP_SECURITY_ORIGIN: "*" - CAMUNDA_ANALYTICS_DATABASE_SERVICE_NAME: "{{ .Values.camunda.analytics.database }}" - CAMUNDA_APP_ROOT_LOG_FLAG: "{{ .Values.camunda.logLevel }}" - CAMUNDA_AUTHORIZATION_FLAG: "{{ .Values.camunda.auth.enabled }}" - CAMUNDA_AUTHORIZATION_REVOKE_CHECK_FLAG: "{{ .Values.camunda.auth.revokeCheck }}" - CAMUNDA_DATABASE_NAME: "{{.Values.camunda.database.name}}" - CAMUNDA_DATABASE_PORT: "{{.Values.camunda.database.port}}" - CAMUNDA_FORMBUILDER_PIPELINE_USERNAME: "{{ .Values.camunda.formBuilder.username }}" - CAMUNDA_HIKARI_CONN_TIMEOUT: "{{ .Values.camunda.hikari.timeout.connection }}" - CAMUNDA_HIKARI_IDLE_TIMEOUT: "{{ .Values.camunda.hikari.timeout.idle }}" - CAMUNDA_HIKARI_VALID_TIMEOUT: "{{ .Values.camunda.hikari.timeout.valid }}" - CAMUNDA_HIKARI_MAX_POOLSIZE: "{{ .Values.camunda.hikari.poolsize.max }}" - CAMUNDA_JDBC_DRIVER: "{{ .Values.camunda.jdbc.driver }}" - CAMUNDA_JDBC_URL: "{{ tpl .Values.camunda.jdbc.url .}}" - CAMUNDA_JDBC_USER: "{{ .Values.camunda.jdbc.username}}" - WAIT_FOR: " {{ .Values.waitFor }}" - WEBSOCKET_MESSAGE_TYPE: "{{ .Values.camunda.websocket.messageType }}" - WEBSOCKET_SECURITY_ORIGIN: {{ ternary (.Values.camunda.websocket.securityOrigin | quote) (randAlphaNum 6 | quote) (kindIs "string" .Values.camunda.websocket.securityOrigin) }} - BPM_BASE_URL: "https://{{tpl .Values.ingress.hostname .}}" -kind: ConfigMap -metadata: - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} ---- -apiVersion: v1 -data: - mail-config.properties: | - # send mails via SMTP - mail.transport.protocol={{.Values.mail.protocol}} - mail.smtp.auth={{.Values.mail.smtp.auth}} - mail.smtp.host={{.Values.mail.smtp.server}} - mail.smtp.port={{.Values.mail.smtp.port}} - mail.smtp.ssl.enable={{.Values.mail.smtp.ssl.enable}} - mail.smtp.socketFactory.port={{.Values.mail.smtp.socketFactory.port}} - mail.smtp.socketFactory.class={{.Values.mail.smtp.socketFactory.class}} - # poll mails via IMAPS - #mail.store.protocol={{.Values.mail.store.protocol}} - # mail.imaps.host={{.Values.mail.imaps.host}} - mail.imaps.port={{.Values.mail.imaps.port}} - mail.imaps.timeout={{.Values.mail.imaps.timeout}} - # additional config - #mail.poll.folder={{.Values.mail.folder}} - mail.sender={{.Values.mail.from}} - mail.sender.alias={{.Values.mail.alias}} - mail.attachment.download={{.Values.mail.attachment.download}} - mail.attachment.path={{.Values.mail.attachment.path}} - # credentials - mail.user={{.Values.mail.user}} - mail.password={{.Values.mail.password}} - -kind: ConfigMap -metadata: - labels: - app: {{ .Chart.Name }}-mail-config - name: {{ .Chart.Name }}-mail-config ---- -{{- if .Values.elastic_search.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Chart.Name }}-fb-config -data: - "filebeat.yml": |- - filebeat.inputs: - - type: log - enabled: true - paths: - - /logs/* - output.elasticsearch: - hosts: "${ELASTIC_SERVER}" - index: "forms-flow-bpm-%{+yyyy.MM.dd}" - setup.template.name: "forms-flow-bpm" - setup.template.pattern: "forms-flow-bpm-*" - setup.template.overwrite: true - setup.template.enabled: false - setup.template.settings: - index.number_of_shards: 1 - setup.ilm.enabled: false -{{- end }} \ No newline at end of file +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-bpm + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + APP_SECURITY_ORIGIN: "*" + CAMUNDA_ANALYTICS_DATABASE_SERVICE_NAME: "{{ .Values.camunda.analytics.database }}" + CAMUNDA_APP_ROOT_LOG_FLAG: "{{ .Values.camunda.logLevel }}" + CAMUNDA_AUTHORIZATION_FLAG: "{{ .Values.camunda.auth.enabled }}" + CAMUNDA_AUTHORIZATION_REVOKE_CHECK_FLAG: "{{ .Values.camunda.auth.revokeCheck }}" + CAMUNDA_DATABASE_PORT: "{{.Values.camunda.database.port}}" + CAMUNDA_FORMBUILDER_PIPELINE_USERNAME: "{{ .Values.camunda.formBuilder.username }}" + CAMUNDA_HIKARI_CONN_TIMEOUT: "{{ .Values.camunda.hikari.timeout.connection }}" + CAMUNDA_HIKARI_IDLE_TIMEOUT: "{{ .Values.camunda.hikari.timeout.idle }}" + CAMUNDA_HIKARI_VALID_TIMEOUT: "{{ .Values.camunda.hikari.timeout.valid }}" + CAMUNDA_HIKARI_MAX_POOLSIZE: "{{ .Values.camunda.hikari.poolsize.max }}" + CAMUNDA_JDBC_DRIVER: "{{ .Values.camunda.jdbc.driver }}" + CAMUNDA_JDBC_URL: "{{ tpl .Values.camunda.jdbc.url .}}" + WAIT_FOR: " {{ .Values.waitFor }}" + WEBSOCKET_MESSAGE_TYPE: "{{ .Values.camunda.websocket.messageType }}" + WEBSOCKET_SECURITY_ORIGIN: {{ ternary (.Values.camunda.websocket.securityOrigin | quote) (randAlphaNum 6 | quote) (kindIs "string" .Values.camunda.websocket.securityOrigin) }} + BPM_BASE_URL: "https://{{tpl .Values.ingress.hostname .}}" \ No newline at end of file diff --git a/charts/forms-flow-bpm/templates/deployment.yaml b/charts/forms-flow-bpm/templates/deployment.yaml index 22897179..194a0cb5 100644 --- a/charts/forms-flow-bpm/templates/deployment.yaml +++ b/charts/forms-flow-bpm/templates/deployment.yaml @@ -1,24 +1,43 @@ -apiVersion: apps/v1 +--- +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: - labels: - app: "{{ .Chart.Name }}" - name: "{{ .Chart.Name }}" + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: - replicas: {{ .Values.replicas }} + replicas: {{ .Values.replicaCount }} + strategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: - app: "{{ .Chart.Name }}" - strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 25% - type: RollingUpdate + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} template: metadata: - labels: - app: "{{ .Chart.Name }}" + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + annotations: + checksum/mail-configmap: {{ include (print $.Template.BasePath "/mail-configmap.yaml") . | sha256sum }} + {{- if not .Values.existingSecret }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + {{- end }} + {{- if (include "forms-flow-bpm.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} spec: + {{- include "forms-flow-bpm.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ template "forms-flow-bpm.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -27,73 +46,146 @@ spec: - key: name operator: In values: - - "{{ .Chart.Name }}" - topologyKey: kubernetes.io/hostname - containers: - {{- if .Values.elastic_search.enabled }} - - name: filebeat-bpm - image: docker.elastic.co/beats/filebeat:7.14.0 - env: - - name: ELASTIC_SERVER - valueFrom: - configMapKeyRef: - key: ELASTIC_SERVER - name: "{{ .Values.formsflow.configmap }}" - volumeMounts: - - name: bpm-logs - mountPath: /logs - - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - name: bpm-filebeat + - "{{ include "common.names.fullname" . }}" + topologyKey: kubernetes.io/hostname + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} {{- end }} - - envFrom: - - configMapRef: - name: "{{ .Chart.Name }}" # bpm environment variables - - secretRef: - name: "{{ .Chart.Name }}" # bpm environment variables + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + containers: + - name: forms-flow-bpm + image: {{ include "forms-flow-bpm.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} env: - {{- if .Values.camunda.externalDatabase.existingDatabaseNameKey }} + {{- if .Values.camunda.ExternalDatabase.ExistingDatabaseNameKey }} - name: CAMUNDA_DATABASE_NAME valueFrom: secretKeyRef: - key: {{ .Values.camunda.externalDatabase.existingDatabaseNameKey }} - name: "{{ .Values.camunda.externalDatabase.existingSecretName }}" - {{- end }} - {{- if not .Values.camunda.externalDatabase.existingDatabaseNameKey }} + key: {{ .Values.camunda.ExternalDatabase.ExistingDatabaseNameKey }} + name: {{ .Values.camunda.ExternalDatabase.ExistingSecretName }} + {{- else}} - name: CAMUNDA_DATABASE_NAME valueFrom: - configMapKeyRef: + secretKeyRef: key: CAMUNDA_DATABASE_NAME name: "{{ .Chart.Name }}" + {{- end }} + {{- if .Values.camunda.ExternalDatabase.ExistingDatabaseUsernameKey }} + - name: CAMUNDA_JDBC_USER + valueFrom: + secretKeyRef: + key: {{ .Values.camunda.ExternalDatabase.ExistingDatabaseUsernameKey }} + name: {{ .Values.camunda.ExternalDatabase.ExistingSecretName }} + {{- else}} + - name: CAMUNDA_JDBC_USER + valueFrom: + secretKeyRef: + key: CAMUNDA_JDBC_USER + name: "{{ .Chart.Name }}" {{- end}} - {{- if .Values.camunda.externalDatabase.existingDatabasePortKey }} - - name: CAMUNDA_DATABASE_PORT + {{- if .Values.camunda.ExternalDatabase.ExistingDatabasePasswordKey }} + - name: CAMUNDA_JDBC_PASSWORD valueFrom: secretKeyRef: - key: {{ .Values.camunda.externalDatabase.existingDatabasePortKey }} - name: "{{ .Values.camunda.externalDatabase.existingSecretName }}" - {{- end }} - {{- if not .Values.camunda.externalDatabase.existingDatabasePortKey }} + key: {{ .Values.camunda.ExternalDatabase.ExistingDatabasePasswordKey }} + name: {{ .Values.camunda.ExternalDatabase.ExistingSecretName }} + {{- else}} + - name: CAMUNDA_JDBC_PASSWORD + valueFrom: + secretKeyRef: + key: CAMUNDA_JDBC_PASSWORD + name: "{{ .Chart.Name }}" + {{- end}} + {{- if .Values.camunda.ExternalDatabase.ExistingDatabasePortKey }} + - name: CAMUNDA_DATABASE_PORT + valueFrom: + configMapKeyRef: + key: {{ .Values.camunda.ExternalDatabase.ExistingDatabasePortKey }} + name: {{ .Values.camunda.ExternalDatabase.ExistingConfigmapName }} + {{- else }} - name: CAMUNDA_DATABASE_PORT valueFrom: configMapKeyRef: key: CAMUNDA_DATABASE_PORT name: "{{ .Chart.Name }}" - {{- end}} - {{- if .Values.camunda.externalDatabase.existingDatabaseHostKey }} + {{- end }} + {{- if .Values.camunda.ExternalDatabase.ExistingDatabaseHostKey }} - name: CAMUNDA_DATABASE_SERVICE_NAME valueFrom: secretKeyRef: - key: {{ .Values.camunda.externalDatabase.existingDatabaseHostKey }} - name: "{{ .Values.camunda.externalDatabase.existingSecretName }}" - {{- end }} - {{- if not .Values.camunda.externalDatabase.existingDatabaseHostKey }} + key: {{ .Values.camunda.ExternalDatabase.ExistingDatabaseHostKey }} + name: "{{ .Values.camunda.ExternalDatabase.ExistingSecretName }}" + {{- else }} - name: CAMUNDA_DATABASE_SERVICE_NAME valueFrom: configMapKeyRef: key: DATABASE_SERVICE_NAME name: "{{ .Values.formsflow.configmap }}" - {{- end}} + {{- end }} + - name: CAMUNDA_APP_ROOT_LOG_FLAG + valueFrom: + configMapKeyRef: + key: CAMUNDA_APP_ROOT_LOG_FLAG + name: "{{ .Chart.Name }}" + - name: APP_SECURITY_ORIGIN + valueFrom: + configMapKeyRef: + key: APP_SECURITY_ORIGIN + name: "{{ .Chart.Name }}" + - name: WEBSOCKET_SECURITY_ORIGIN + valueFrom: + configMapKeyRef: + key: WEBSOCKET_SECURITY_ORIGIN + name: "{{ .Chart.Name }}" + - name: WEBSOCKET_MESSAGE_TYPE + valueFrom: + configMapKeyRef: + key: WEBSOCKET_MESSAGE_TYPE + name: "{{ .Chart.Name }}" + - name: CAMUNDA_JDBC_DRIVER + valueFrom: + configMapKeyRef: + key: CAMUNDA_JDBC_DRIVER + name: "{{ .Chart.Name }}" + - name: CAMUNDA_JDBC_URL + valueFrom: + configMapKeyRef: + key: CAMUNDA_JDBC_URL + name: "{{ .Chart.Name }}" - name: KEYCLOAK_URL valueFrom: configMapKeyRef: @@ -206,69 +298,87 @@ spec: configMapKeyRef: key: KEYCLOAK_URL_HTTP_RELATIVE_PATH name: "{{ .Values.formsflow.configmap }}" - - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: Always + - name: FORMSFLOW_DOC_API_URL + valueFrom: + configMapKeyRef: + key: FORMSFLOW_DOC_API_URL + name: "{{ .Values.formsflow.configmap }}" + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 8 }} + {{- end }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.containerPorts.http }} + protocol: TCP + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} livenessProbe: - failureThreshold: 5 + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} httpGet: path: /camunda/actuator/health port: 8080 scheme: HTTP - initialDelaySeconds: 120 - periodSeconds: 60 - successThreshold: 1 - timeoutSeconds: 3 - name: "{{ .Chart.Name }}" - ports: - - containerPort: {{ int .Values.ingress.port }} - protocol: TCP + {{- end }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} readinessProbe: - failureThreshold: 5 + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} httpGet: path: /camunda/actuator/health port: 8080 scheme: HTTP - initialDelaySeconds: 120 - periodSeconds: 60 - successThreshold: 1 - timeoutSeconds: 3 - resources: - limits: - cpu: "{{ .Values.resources.limits.cpu }}" - memory: "{{ .Values.resources.limits.memory }}" - requests: - cpu: "{{ .Values.resources.requests.cpu }}" - memory: "{{ .Values.resources.requests.memory }}" + {{- end }} + {{- end }} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - - mountPath: /app/mail-config.properties - name: "{{ .Chart.Name }}-mail-config" - subPath: mail-config.properties - {{- if .Values.elastic_search.enabled }} - name: bpm-logs - mountPath: /logs - {{- end}} + mountPath: /logs + - name: "forms-flow-bpm-mail-configuration" + mountPath: /app/mail-config.properties + subPath: mail-config.properties + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} volumes: - - configMap: - defaultMode: 420 + - name: bpm-logs + emptyDir: {} + - name: "forms-flow-bpm-mail-configuration" + configMap: + name: "forms-flow-bpm-mail-configuration" items: - key: mail-config.properties path: mail-config.properties - name: "{{ .Chart.Name }}-mail-config" - name: "{{ .Chart.Name }}-mail-config" - {{- if .Values.elastic_search.enabled }} - - name: bpm-logs - - name: bpm-filebeat - configMap: - name: "{{ .Chart.Name }}-fb-config" - {{- end}} - imagePullSecrets: - - name: "{{ .Values.formsflow.auth }}" - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 - + defaultMode: 420 + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + restartPolicy: Always \ No newline at end of file diff --git a/charts/forms-flow-bpm/templates/hpa.yaml b/charts/forms-flow-bpm/templates/hpa.yaml index 6097cf6d..990cba9d 100644 --- a/charts/forms-flow-bpm/templates/hpa.yaml +++ b/charts/forms-flow-bpm/templates/hpa.yaml @@ -1,20 +1,61 @@ -{{- if .Values.hpa.enabled}} -apiVersion: autoscaling/v2 +{{- if .Values.autoscaling.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} kind: HorizontalPodAutoscaler metadata: - name: {{ .Chart.Name }} + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-bpm + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ .Chart.Name }} - minReplicas: 1 - maxReplicas: {{.Values.hpa.maxReplicas}} + apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} + kind: StatefulSet + name: {{ template "common.names.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: + {{- if .Values.autoscaling.targetCPU }} - type: Resource resource: name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- else }} target: type: Utilization - averageUtilization: {{.Values.hpa.CpuAverageUtilization}} -{{- end}} \ No newline at end of file + averageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- end }} + {{- end }} + {{- if .Values.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- end }} + {{- end }} + {{- if or .Values.autoscaling.behavior.scaleDown.policies .Values.autoscaling.behavior.scaleUp.policies }} + behavior: + {{- if .Values.autoscaling.behavior.scaleDown.policies }} + scaleDown: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleDown.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleDown.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleDown.policies | nindent 8 }} + {{- end }} + {{- if .Values.autoscaling.behavior.scaleUp.policies }} + scaleUp: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleUp.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleUp.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleUp.policies | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-bpm/templates/ingress.yaml b/charts/forms-flow-bpm/templates/ingress.yaml index 7c1ba7ef..992cefdc 100644 --- a/charts/forms-flow-bpm/templates/ingress.yaml +++ b/charts/forms-flow-bpm/templates/ingress.yaml @@ -1,35 +1,56 @@ -apiVersion: networking.k8s.io/v1 +{{- if .Values.ingress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: - annotations: -{{ toYaml .Values.ingress.annotations | indent 4 }} - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-bpm + {{- if or .Values.ingress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: - ingressClassName: {{ .Values.ingress.ingressClassName }} - {{- if or (and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} + {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.ingress.hostname }} + - host: {{ (tpl .Values.ingress.hostname .) | quote }} + http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ include "common.tplvalues.render" ( dict "value" .Values.ingress.path "context" $) }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" .Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} + - host: {{ (tpl .name $) }} + http: + paths: + - path: {{ default "/camunda" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} tls: - {{- if and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.secrets .Values.ingress.selfSigned) }} + {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.secrets .Values.ingress.selfSigned) }} - hosts: - {{ (tpl .Values.ingress.hostname .) | quote }} secretName: {{ printf "%s-tls" (tpl .Values.ingress.hostname .) }} - {{- else }} - - {} - {{- end}} - {{- else }} - tls: - - {} - {{- end}} - rules: - - - host: "{{tpl .Values.ingress.hostname .}}" - http: - paths: - - path: /camunda - pathType: Prefix - backend: - service: - name: {{ .Chart.Name }} - port: - number: {{ .Values.ingress.port }} + {{- end }} + {{- if .Values.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-bpm/templates/mail-configmap.yaml b/charts/forms-flow-bpm/templates/mail-configmap.yaml new file mode 100644 index 00000000..2d11cdb9 --- /dev/null +++ b/charts/forms-flow-bpm/templates/mail-configmap.yaml @@ -0,0 +1,35 @@ + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-mail-configuration" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-bpm + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + mail-config.properties: | + # send mails via SMTP + mail.transport.protocol={{.Values.mail.protocol}} + mail.smtp.auth={{.Values.mail.smtp.auth}} + mail.smtp.host={{.Values.mail.smtp.server}} + mail.smtp.port={{.Values.mail.smtp.port}} + mail.smtp.ssl.enable={{.Values.mail.smtp.ssl.enable}} + mail.smtp.socketFactory.port={{.Values.mail.smtp.socketFactory.port}} + mail.smtp.socketFactory.class={{.Values.mail.smtp.socketFactory.class}} + # poll mails via IMAPS + #mail.store.protocol={{.Values.mail.store.protocol}} + # mail.imaps.host={{.Values.mail.imaps.host}} + mail.imaps.port={{.Values.mail.imaps.port}} + mail.imaps.timeout={{.Values.mail.imaps.timeout}} + # additional config + #mail.poll.folder={{.Values.mail.folder}} + mail.sender={{.Values.mail.from}} + mail.sender.alias={{.Values.mail.alias}} + mail.attachment.download={{.Values.mail.attachment.download}} + mail.attachment.path={{.Values.mail.attachment.path}} + # credentials + mail.user={{.Values.mail.user}} + mail.password={{.Values.mail.password}} \ No newline at end of file diff --git a/charts/forms-flow-bpm/templates/pdb.yaml b/charts/forms-flow-bpm/templates/pdb.yaml new file mode 100644 index 00000000..3e5a4c28 --- /dev/null +++ b/charts/forms-flow-bpm/templates/pdb.yaml @@ -0,0 +1,21 @@ +{{- if .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-bpm/templates/secret.yaml b/charts/forms-flow-bpm/templates/secret.yaml deleted file mode 100644 index 1d244476..00000000 --- a/charts/forms-flow-bpm/templates/secret.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - app: "{{ .Chart.Name }}" - name: "{{ .Chart.Name }}" -stringData: - CAMUNDA_JDBC_PASSWORD: "{{ .Values.camunda.jdbc.password }}" - CAMUNDA_FORMBUILDER_PIPELINE_PASSWORD: "{{ .Values.camunda.formBuilder.password }}" - diff --git a/charts/forms-flow-bpm/templates/secrets.yaml b/charts/forms-flow-bpm/templates/secrets.yaml new file mode 100644 index 00000000..1d1602d0 --- /dev/null +++ b/charts/forms-flow-bpm/templates/secrets.yaml @@ -0,0 +1,18 @@ +{{- if not .Values.existingSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }} + app.kubernetes.io/component: forms-flow-bpm + {{- if or .Values.annotations .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.merge" (dict "values" (list .Values.annotations .Values.commonAnnotations) "context" $) | nindent 4 }} + {{- end }} +type: Opaque +stringData: + CAMUNDA_JDBC_PASSWORD: "{{ .Values.camunda.jdbc.password }}" + CAMUNDA_FORMBUILDER_PIPELINE_PASSWORD: "{{ .Values.camunda.formBuilder.password }}" + CAMUNDA_JDBC_USER: "{{ .Values.camunda.jdbc.username}}" + CAMUNDA_DATABASE_NAME: "{{.Values.camunda.database.name}}" +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-bpm/templates/service.yaml b/charts/forms-flow-bpm/templates/service.yaml index 69ab2c5d..18897c86 100644 --- a/charts/forms-flow-bpm/templates/service.yaml +++ b/charts/forms-flow-bpm/templates/service.yaml @@ -1,13 +1,34 @@ apiVersion: v1 kind: Service metadata: - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} ports: - - name: {{ .Chart.Name }} - port: {{.Values.ingress.port}} - targetPort: {{.Values.ingress.port}} - selector: - app: {{ .Chart.Name }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.ports "context" $) | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} diff --git a/charts/forms-flow-bpm/templates/serviceaccount.yaml b/charts/forms-flow-bpm/templates/serviceaccount.yaml new file mode 100644 index 00000000..6b04e717 --- /dev/null +++ b/charts/forms-flow-bpm/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "forms-flow-bpm.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} \ No newline at end of file diff --git a/charts/forms-flow-bpm/values.yaml b/charts/forms-flow-bpm/values.yaml index a2ffba4d..d0a16c62 100644 --- a/charts/forms-flow-bpm/values.yaml +++ b/charts/forms-flow-bpm/values.yaml @@ -1,5 +1,569 @@ -Domain: # -replicas: 1 +replicaCount: 1 +## @param auth.existingSecret Existing secret containing password,username,dbname and + ## +existingSecret: "" + +image: + registry: docker.io + repository: formsflow/forms-flow-bpm + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "v7.0.0" + pullSecrets: + - forms-flow-ai-auth +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param dnsPolicy DNS Policy for pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. +## dnsPolicy: ClusterFirst +dnsPolicy: "ClusterFirst" +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param tolerations Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param nodeSelector Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param priorityClassName Pod priority +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" +## @param schedulerName Name of the k8s scheduler (other than default) +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "default-scheduler" +## @param terminationGracePeriodSeconds In seconds, time the given to the forms-flow-bpm pod needs to terminate gracefully +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +terminationGracePeriodSeconds: "30" +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment +## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## The value is evaluated as a template +## +topologySpreadConstraints: [] + +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +## @param hostAliases Add deployment host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + ## @param automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + +podManagementPolicy: OrderedReady +## @param podAnnotations Pod annotations +## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param podLabels Extra labels for forms-flow-bpm pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} + +## K8s Security Context for forms-flow-bpm pods +## Configure Pods Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled forms-flow-bpm pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Set forms-flow-bpm pod's Security Context fsGroup +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 +## Configure Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: false + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## @param command Override default container command (useful when using custom images) +## +command: [] +## @param args Override default container args (useful when using custom images) +## +args: [] +## @param lifecycleHooks for the forms-flow-bpm container(s) to automate configuration before or after startup +## +lifecycleHooks: {} + +automountServiceAccountToken: true +## @param updateStrategy.type Set up update strategy for forms-flow-bpm installation. +## Set to Recreate if you use persistent volume that cannot be mounted by more than one pods to make sure the pods is destroyed first. +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## Example: +## updateStrategy: +## type: RollingUpdate +## rollingUpdate: +## maxSurge: 25% +## maxUnavailable: 25% +## +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + +## @param minReadySeconds How many seconds a pod needs to be ready before killing the next, during update +## +minReadySeconds: 0 +## @param extraEnvVars Extra environment variables to be set on formsflow bpm container +## Example: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: + - name: VAULT_ENABLED + value: "false" + - name: VAULT_URL + value: "" + - name: VAULT_TOKEN + value: "" + - name: VAULT_PATH + value: "" + - name: VAULT_SECRET + value: "" +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraVolumes Optionally specify extra list of additional volumes for formsflow bpm pods +## +## @param extraVolumes Array to add extra volumes (evaluated as a template) +## extraVolumes: +## - name: myvolume +## configMap: +## name: myconfigmap +## +extraVolumes: {} + +## @param extraVolumeMounts Array to add extra mounts (normally used with extraVolumes, evaluated as a template) +## extraVolumeMounts: +## - mountPath: /opt/bitnami/desired-path +## name: myvolume +## readOnly: true +## +extraVolumeMounts: {} + +## @param auth.existingSecret Existing secret containing password,username,dbname and + ## +existingSecret: "" + +## forms-flow-bpm ingress parameters +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress record generation for forms-flow-bpm + ## + enabled: true + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.controller The ingress controller type. Currently supports `default` and `gce` + ## leave as `default` for most ingress controllers. + ## set to `gce` if using the GCE ingress controller + ## + controller: default + ## @param ingress.hostname Default host for the ingress record (evaluated as template) + ## + hostname: forms-flow-bpm.local + ## @param ingress.path [string] Default path for the ingress record (evaluated as template) + ## + path: "/camunda" + ## @param ingress.servicePort Backend service port to use + ## Default is http. Alternative is https. + ## + servicePort: 8080 + ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.labels Additional labels for the Ingress resource. + ## e.g: + ## labels: + ## app: forms-flow-bpm + ## + labels: {} + ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}` + ## You can: + ## - Use the `ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## + tls: true + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: forms-flow-bpm.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. + ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - forms-flow-bpm.local + ## secretName: forms-flow-bpm.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## - name: forms-flow-bpm.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: airflow.local + ## http: + ## path: / + ## backend: + ## service: + ## name: airflow-svc + ## port: + ## name: http + ## + extraRules: [] +## forms-flow-bpm admin ingress parameters +## ref: https://kubernetes.io/docs/user-guide/ingress/ +## + +## Specifies whether RBAC resources should be created +## +rbac: + ## @param rbac.create Whether to create and use RBAC resources or not + ## + create: false + ## @param rbac.rules Custom RBAC rules + ## Example: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] + +## Pod disruption budget configuration +## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +## @param pdb.create If true, create a pod disruption budget for pods. +## @param pdb.minAvailable Minimum number / percentage of pods that should remain scheduled +## @param pdb.maxUnavailable Maximum number / percentage of pods that may be made unavailable +## +pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## forms-flow-bpm containers' resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "small" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: + limits: + cpu: 600m + memory: 1Gi + requests: + cpu: 500m + memory: 512Mi +## @param livenessProbe.enabled Enable livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + failureThreshold: 5 + initialDelaySeconds: 120 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 3 +## @param readinessProbe.enabled Enable readinessProbe +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + failureThreshold: 5 + initialDelaySeconds: 120 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 3 +## @param customStartupProbe Custom startup probe for the Web component +## + +## @param customStartupProbe Custom startup probe for the Web component +## +customStartupProbe: {} +## @param customLivenessProbe Custom liveness probe for the Web component +## +customLivenessProbe: {} +## @param customReadinessProbe Custom readiness probe for the Web component +## +customReadinessProbe: {} +## Service parameters +## +service: + ## @param service.type Kubernetes service type (`ClusterIP`, `NodePort`, or `LoadBalancer`) + ## + type: ClusterIP + ## @param service.ports [array] forms-flow-bpm service ports (evaluated as a template) + ## + ports: + - name: http + port: 8080 + targetPort: http + protocol: TCP + ## - name: system + ## port: 1764 + ## + ## @param service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalTrafficPolicy External traffic policy, configure to Local to preserve client source IP when using an external loadBalancer + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: "" + ## @param service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.annotations Annotations for forms-flow-bpm service + ## + annotations: {} + ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param service.headless.annotations Annotations for the headless service. + ## + annotations: {} +containerPorts: + http: 8080 + + +## @param sidecars Add additional sidecar containers to the forms-flow-bpm pod + ## Example: + ## sidecars: + ## - name: filebeat-admin + ## image: docker.elastic.co/beats/filebeat:7.14.0 + ## env: + ## - name: ELASTIC_SERVER + ## valueFrom: + ## configMapKeyRef: + ## key: ELASTIC_SERVER + ## name: "{{ .Values.formsflow.configmap }}" + ## volumeMounts: + ## - name: admin-logs + ## mountPath: /opt/app-root/logs + ## - mountPath: /usr/share/filebeat/filebeat.yml + ## subPath: filebeat.yml + ## name: admin-filebeat +sidecars: [] + +## Example: +## configuration: |- +## foo: bar +## baz: +## +configuration: "" +## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration +## NOTE: When it's set the configuration parameter is ignored +## +existingConfigmap: "" + +## forms-flow-bpm Autoscaling configuration +## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +## @param autoscaling.enabled Enable autoscaling for forms-flow-bpm +## @param autoscaling.minReplicas Minimum number of forms-flow-bpm replicas +## @param autoscaling.maxReplicas Maximum number of forms-flow-bpm replicas +## @param autoscaling.targetCPU Target CPU utilization percentage +## @param autoscaling.targetMemory Target Memory utilization percentage +## +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPU: "" + targetMemory: "" + ## HPA Scaling Behavior + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior + ## + behavior: + ## HPA behavior when scaling up + ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up + ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up + ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up + ## e.g: + ## Policy to scale 20% of the pod in 60s + ## - type: Percent + ## value: 20 + ## periodSeconds: 60 + ## + scaleUp: + stabilizationWindowSeconds: 120 + selectPolicy: Max + policies: [] + ## HPA behavior when scaling down + ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down + ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down + ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down + ## e.g: + ## Policy to scale one pod in 300s + ## - type: Pods + ## value: 1 + ## periodSeconds: 300 + ## + scaleDown: + stabilizationWindowSeconds: 300 + selectPolicy: Max + policies: + - type: Pods + value: 1 + periodSeconds: 300 + camunda: analytics: database: forms-flow-analytics @@ -30,32 +594,14 @@ camunda: websocket: messageType: TASK_EVENT #WEBSOCKET_MESSAGE_TYPE securityOrigin: #WEBSOCKET_SECURITY_ORIGIN - externalDatabase: - existingDatabaseHostKey: "" - existingDatabasePortKey: "" - existingDatabaseNameKey: "" - existingSecretName: "" #name of the existing secret - -image: - registry: docker.io - repository: formsflow/forms-flow-bpm - tag: v6.0.2 #The image tag to pull from -formsflow: - configmap: forms-flow-ai # name of formsflow.ai configmap - secret: forms-flow-ai #name of formsflow.ai secret - auth: forms-flow-ai-auth -ingress: - ingressClassName: "" - annotations: - nginx.ingress.kubernetes.io/affinity: "cookie" - nginx.ingress.kubernetes.io/session-cookie-name: "session" - enabled: true # create an ingress for this component - hostname: "{{.Chart.Name}}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}" - port: 8080 - tls: true - selfSigned: false - extraTls: - - {} + ExternalDatabase: + ExistingDatabaseHostKey: "" + ExistingDatabasePortKey: "" + ExistingDatabaseNameKey: "" + ExistingDatabaseUsernameKey: "" + ExistingDatabasePasswordKey: "" + ExistingSecretName: "" #name of the existing secret + ExistingConfigmapName: "" mail: protocol: smtp from: "" @@ -81,18 +627,7 @@ mail: attachment: download: true path: attachments - -resources: - limits: - cpu: 600m - memory: 1Gi - requests: - cpu: 500m - memory: 512Mi -hpa: - enabled: false - CpuAverageUtilization: 60 - maxReplicas: 3 -elastic_search: - enabled: false +formsflow: + configmap: forms-flow-ai # name of formsflow.ai configmap + secret: forms-flow-ai #name of formsflow.ai secret waitFor: "${CAMUNDA_DATABASE_SERVICE_NAME}:${CAMUNDA_DATABASE_PORT}" diff --git a/charts/forms-flow-data-analysis/.helmignore b/charts/forms-flow-data-analysis/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/forms-flow-data-analysis/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/forms-flow-data-analysis/Chart.yaml b/charts/forms-flow-data-analysis/Chart.yaml index ebb1d7dc..7f4b7812 100644 --- a/charts/forms-flow-data-analysis/Chart.yaml +++ b/charts/forms-flow-data-analysis/Chart.yaml @@ -1,6 +1,13 @@ ---- apiVersion: v2 name: forms-flow-data-analysis -tags: forms-flow-data-analysis -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file +description: forms-flow-data-analysis is used to understand the sentiments of the customer for products, movies, and other such things, whether they feel positive, negative, or neutral about it. BERT is a very good pre-trained language model which helps machines learn excellent representations of text with respect to context in many natural language tasks provided by formsflow. +icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" +version: v8.0.0 +type: application +appVersion: "8.0.0" +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x diff --git a/charts/forms-flow-data-analysis/README.md b/charts/forms-flow-data-analysis/README.md new file mode 100644 index 00000000..daa452da --- /dev/null +++ b/charts/forms-flow-data-analysis/README.md @@ -0,0 +1,233 @@ +# Formsflow.ai Sentiment Analysis Component + +Sentiment Analysisis used to understand the sentiments of the customer for products, movies, and other such things, whether they feel positive, negative, or neutral about it. BERT is a very good pre-trained language model which helps machines learn excellent representations of text with respect to context in many natural language tasks. + + +## Introduction + +This chart bootstraps a forms-flow-data-analysis-api deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + + +## Installing the Chart + +To install the chart with the release name `forms-flow-data-analysis-api`: + +```console +helm install forms-flow-data-analysis-api forms-flow-data-analysis-api +``` + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + + +```console +helm install forms-flow-data-analysis forms-flow-data-analysis --set ingress.ingressClassName=INGRESS_CLASS --set ingress.hostname=HOSTNAME +``` + +> Note: You need to substitute the placeholders `INGRESS_CLASS` and `HOSTNAME` with a reference to your Helm chart registry and repository. For example, in the case of Formsflow, you need to use `INGRESS_CLASS=nginx` + +These commands deploy Forms-flow-data-analysis-api on the Kubernetes cluster + +> **Tip**: List all releases using `helm list` + +### Resource requests and limits + +Forms-flow-data-analysis-api charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +```yaml +resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi +``` + +### Change Forms-flow-data-analysis-api version + +To modify the Forms-flow-data-analysis-api version used in this chart you can specify a [valid image tag](https://hub.docker.com/repository/docker/formsflow/forms-flow-data-analysis-api) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. + +#### Using the OpenSource Version +By default, the chart uses the OpenSource version of the `Forms-flow-data-analysis-api`. You can change the image tag to any valid version of the OpenSource image, as shown below: + +```yaml +image: + registry: docker.io + repository: formsflow/forms-flow-data-analysis-api + tag: X.Y.Z # Replace with the desired OpenSource version +``` +#### Using the Enterprise Version +If you're using the enterprise version of Forms-flow-data-analysis-api, you can switch the image repository to `formsflow/forms-flow-data-analysis-api-ee`. The enterprise version includes additional features and support designed for larger-scale or production environments. To use the enterprise version, update the repository field as shown below: + +```yaml +image: + registry: docker.io + repository: formsflow/forms-flow-data-analysis-api-ee + tag: X.Y.Z # Replace with the desired enterprise version +``` +Make sure to replace X.Y.Z with the specific version number you wish to use for either the OpenSource or enterprise version. + +### EE Specific Environment Variables +When deploying the Enterprise Edition (EE) for `forms-flow-data-analysis`, the environment variables specific to the EE deployment are already included in the [values.yaml](values.yaml#L509). +Make sure to replace `openApiKey` with the actual keys provided to you. + +Example: +```yaml +openApiKey: "OPENAI_API_KEY" +``` + +## Persistence + +The `forms-flow-data-analysis` image stores the application logs at the `/forms-flow-data-analysis/app/logs` path of the container. + +## Sidecar Configuration + +To add a sidecar to your `Forms-flow-data-analysis` deployment, you can use the following configuration. In this case, the sidecar container is an Nginx container used for configuration management. + +### Example Sidecar Configuration + +```yaml +sidecars: + - name: nginx + image: nginx:latest + ports: + - containerPort: 80 + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf +``` + +## Path Update +The `Forms-flow-data-analysis` can now be accessed at the `/analysis` route. Ensure that all configurations and requests reference this updated path. + +For example: + +``` +https:///analysis +``` +## Parameters + +| Parameter | Description | Default Value | +|------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `replicaCount` | Number of replicas for the deployment. | `1` | +| `image.registry` | Docker registry for the image. | `docker.io` | +| `image.repository` | Repository for the image. | `formsflow/forms-flow-data-analysis-api` | +| `image.pullPolicy` | Image pull policy. | `IfNotPresent` | +| `image.tag` | Tag of the image to use. | `v7.0.0` | +| `image.pullSecrets` | Array of image pull secrets. | `forms-flow-ai-auth` | +| `nameOverride` | Override the name of the deployment. | `""` | +| `fullnameOverride` | Override the full name of the deployment. | `""` | +| `commonLabels` | Common labels to apply to all resources. | `{}` | +| `commonAnnotations` | Common annotations to apply to all resources. | `{}` | +| `nodeSelector` | Node selector for pod scheduling. | `{}` | +| `tolerations` | Tolerations for scheduling pods. | `[]` | +| `affinity` | Affinity rules for pod scheduling. | `{}` | +| `priorityClassName` | Priority class name for scheduling. | `""` | +| `schedulerName` | Name of the scheduler to use for scheduling pods. | `""` | +| `terminationGracePeriodSeconds` | Grace period for pod termination. | `""` | +| `topologySpreadConstraints` | Constraints for spreading pods across nodes. | `[]` | +| `diagnosticMode.enabled` | Enables diagnostic mode for the deployment. | `false` | +| `diagnosticMode.command` | Command to run for diagnostic mode. | `["sleep"]` | +| `diagnosticMode.args` | Arguments for the diagnostic command. | `["infinity"]` | +| `hostAliases` | Host aliases for the pods. | `[]` | +| `serviceAccount.create` | Specifies whether a service account should be created. | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account. | `{}` | +| `serviceAccount.name` | Name of the service account to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Specifies if the service account token should be automatically mounted. | `false` | +| `podAnnotations` | Annotations to apply to the pods. | `{}` | +| `podLabels` | Labels to apply to the pods. | `{}` | +| `podAffinityPreset` | Pod affinity preset to use. | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset to use. | `soft` | +| `nodeAffinityPreset` | Node affinity preset to use. | `{}` | +| `podSecurityContext.enabled` | Specifies if the pod security context is enabled. | `true` | +| `podSecurityContext.fsGroup` | FS group for the pods. | `1001` | +| `containerSecurityContext.enabled` | Specifies if the container security context is enabled. | `true` | +| `containerSecurityContext.runAsUser` | User ID to run the container. | `1001` | +| `containerSecurityContext.runAsGroup` | Group ID to run the container. | `1001` | +| `containerSecurityContext.runAsNonRoot` | Specifies if the container should run as a non-root user. | `false` | +| `containerSecurityContext.privileged` | Specifies if the container should run in privileged mode. | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Specifies if the root filesystem should be read-only. | `false` | +| `containerSecurityContext.allowPrivilegeEscalation` | Specifies if privilege escalation is allowed. | `false` | +| `containerSecurityContext.capabilities.drop` | Capabilities to drop from the container. | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Seccomp profile type to use. | `RuntimeDefault` | +| `command` | Override default container command (useful when using custom images). | `[]` | +| `args` | Override default container args (useful when using custom images). | `[]` | +| `lifecycleHooks` | Lifecycle hooks for the container(s). | `{}` | +| `automountServiceAccountToken` | Specifies if the service account token should be automatically mounted. | `true` | +| `extraEnvVars` | Additional environment variables to pass to the containers. | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra environment variables. | `""` | +| `extraVolumes` | Additional volumes to mount to the pods. | `{}` | +| `extraVolumeMounts` | Additional volume mounts for the containers. | `{}` | +| `existingSecret` | Existing secret containing password, username, and dbname. | `""` | +| `updateStrategy.type` | Update strategy for deployment. | `RollingUpdate` | +| `updateStrategy.rollingUpdate.maxSurge` | Maximum number of pods that can be created above the desired number during an update. | `25%` | +| `updateStrategy.rollingUpdate.maxUnavailable` | Maximum number of pods that can be unavailable during an update. | `25%` | +| `pdb.create` | Specifies whether a PodDisruptionBudget should be created. | `true` | +| `pdb.minAvailable` | Minimum number of pods that must be available. | `""` | +| `pdb.maxUnavailable` | Maximum number of pods that can be unavailable. | `""` | +| `customStartupProbe` | Custom startup probe for the container. | `{}` | +| `customLivenessProbe` | Custom liveness probe for the container. | `{}` | +| `customReadinessProbe` | Custom readiness probe for the container. | `{}` | +| `autoscaling.enabled` | Enable autoscaling for the deployment. | `false` | +| `autoscaling.minReplicas` | Minimum number of replicas for autoscaling. | `1` | +| `autoscaling.maxReplicas` | Maximum number of replicas for autoscaling. | `11` | +| `autoscaling.targetCPU` | Target CPU utilization for autoscaling. | `""` | +| `autoscaling.targetMemory` | Target memory utilization for autoscaling. | `""` | +| `autoscaling.behavior.scaleUp` | Autoscaling behavior for scale up operations. | `{ stabilizationWindowSeconds: 120, selectPolicy: "Max", policies: [] }` | +| `autoscaling.behavior.scaleDown` | Autoscaling behavior for scale down operations. | `{ stabilizationWindowSeconds: 300, selectPolicy: "Max", policies: [{type: "Pods", value: 1, periodSeconds: 300}] }` | +| `openApiKey` | OpenAI API key for authentication. | `""` | +| `chatbotModelId` | Model ID for the chatbot used in the application. | `gpt-3.5-turbo` | +| `formsflow.configmap` | Name of the FormsFlow configuration map. | `forms-flow-ai` | +| `formsflow.secret` | Name of the FormsFlow secret. | `forms-flow-ai` | + +## Ingress Parameters + +| Parameter | Description | Default Value | +|------------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `ingress.enabled` | Enable ingress record generation for forms-flow-data-analysis. | `true` | +| `ingress.ingressClassName` | Name of the ingress class to use. | `""` | +| `ingress.pathType` | Type of path matching for the ingress. | `ImplementationSpecific` | +| `ingress.apiVersion` | API version for the ingress resource. | `""` | +| `ingress.controller` | Ingress controller to use. | `default` | +| `ingress.hostname` | Hostname for the ingress. | `forms-flow-data-analysis.local` | +| `ingress.path` | Path for the ingress. | `/analysis` | +| `ingress.servicePort` | Service port for the ingress. | `5000` | +| `ingress.annotations` | Annotations for the ingress resource. | `{}` | +| `ingress.labels` | Labels for the ingress resource. | `{}` | +| `ingress.tls` | Enable TLS for the ingress. | `true` | +| `ingress.selfSigned` | Create a TLS secret using self-signed certificates generated by Helm. | `false` | +| `ingress.extraHosts` | Additional hostnames for the ingress. | `[]` | +| `ingress.extraPaths` | Additional paths for the ingress. | `[]` | +| `ingress.extraTls` | Additional TLS settings for the ingress. | `[]` | +| `ingress.secrets` | TLS secrets for the ingress. | `[]` | +| `ingress.extraRules` | Additional rules for the ingress. | `[]` | + + +## Resource Parameters + +| Parameter | Description | Default Value | +|------------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `resourcesPreset` | Preset resource allocation for the deployment. | `small` | +| `resources.limits.cpu` | CPU limit for the pods. | `500m` | +| `resources.limits.memory` | Memory limit for the pods. | `1Gi` | +| `resources.requests.cpu` | CPU request for the pods. | `250m` | +| `resources.requests.memory` | Memory request for the pods. | `512Mi` | + + +## Service Parameters + +| Parameter | Description | Default Value | +|------------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `service.type` | Service type for the application. | `ClusterIP` | +| `service.ports` | Ports configuration for the service. | `[{name: "http", port: 5000, targetPort: "http", protocol: "TCP"}]` | +| `service.loadBalancerIP` | Load balancer IP for the service. | `""` | +| `service.loadBalancerSourceRanges` | Source ranges for load balancer. | `[]` | +| `service.externalTrafficPolicy` | External traffic policy for the service. | `""` | +| `service.clusterIP` | Cluster IP for the service. | `""` | +| `service.annotations` | Annotations for the service. | `{}` | +| `service.sessionAffinity` | Session affinity for the service. | `None` | +| `service.sessionAffinityConfig` | Configuration for session affinity. | `{}` | +| `service.headless.annotations` | Annotations for the headless service. | `{}` | + + diff --git a/charts/forms-flow-data-analysis/templates/_helpers.tpl b/charts/forms-flow-data-analysis/templates/_helpers.tpl new file mode 100644 index 00000000..1fb5cedb --- /dev/null +++ b/charts/forms-flow-data-analysis/templates/_helpers.tpl @@ -0,0 +1,91 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "forms-flow-data-analysis.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "forms-flow-data-analysis.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "forms-flow-data-analysis.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "forms-flow-data-analysis.labels" -}} +helm.sh/chart: {{ include "forms-flow-data-analysis.chart" . }} +{{ include "forms-flow-data-analysis.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "forms-flow-data-analysis.selectorLabels" -}} +app.kubernetes.io/name: {{ include "forms-flow-data-analysis.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "forms-flow-data-analysis.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "forms-flow-data-analysis.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Return true if a configmap object should be created +*/}} +{{- define "forms-flow-data-analysis.createConfigmap" -}} +{{- if and .Values.configuration (not .Values.existingConfigmap) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* + Return the proper forms-flow-data-analysis image name +*/}} +{{- define "forms-flow-data-analysis.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} +{{/* +Return the proper forms-flow-data-analysis side car nginx image name +*/}} +{{- define "forms-flow-data-analysis.nginx.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.ExtraContainer.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "forms-flow-data-analysis.imagePullSecrets" -}} +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) -}} +{{- end -}} \ No newline at end of file diff --git a/charts/forms-flow-data-analysis/templates/configmap.yaml b/charts/forms-flow-data-analysis/templates/configmap.yaml index df40ab7d..c761390b 100644 --- a/charts/forms-flow-data-analysis/templates/configmap.yaml +++ b/charts/forms-flow-data-analysis/templates/configmap.yaml @@ -1,36 +1,15 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} -data: - DATABASE_SUPPORT: "DISABLED" - OPENAI_API_KEY: "{{ .Values.openApiKey }}" - CHAT_BOT_MODEL_ID: "{{ .Values.chatbotModelId }}" - KEYCLOAK_WEB_CLIENT_ID: "forms-flow-web" ---- -{{- if .Values.elastic_search.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Chart.Name }}-fb-config -data: - "filebeat.yml": |- - filebeat.inputs: - - type: log - enabled: true - paths: - - /forms-flow-data-analysis/app/logs/* - output.elasticsearch: - hosts: "${ELASTIC_SERVER}" - index: "forms-flow-data-analysis-%{+yyyy.MM.dd}" - setup.template.name: "forms-flow-data-analysis" - setup.template.pattern: "forms-flow-data-analysis-*" - setup.template.overwrite: true - setup.template.enabled: false - setup.template.settings: - index.number_of_shards: 1 - setup.ilm.enabled: false -{{- end}} \ No newline at end of file +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-data-analysis + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + DATABASE_SUPPORT: "DISABLED" + OPENAI_API_KEY: "{{ .Values.openApiKey }}" + CHAT_BOT_MODEL_ID: "{{ .Values.chatbotModelId }}" + KEYCLOAK_WEB_CLIENT_ID: "forms-flow-web" \ No newline at end of file diff --git a/charts/forms-flow-data-analysis/templates/deployment.yaml b/charts/forms-flow-data-analysis/templates/deployment.yaml index a101f4ef..e0157146 100644 --- a/charts/forms-flow-data-analysis/templates/deployment.yaml +++ b/charts/forms-flow-data-analysis/templates/deployment.yaml @@ -1,158 +1,215 @@ --- -apiVersion: apps/v1 +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: - labels: - app: "{{ .Chart.Name }}" - name: "{{ .Chart.Name }}" + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: - replicas: {{ .Values.replicas }} + replicas: {{ .Values.replicaCount }} + strategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: - app: "{{ .Chart.Name }}" - strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 25% - type: RollingUpdate + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} template: metadata: - labels: - app: "{{ .Chart.Name }}" + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + annotations: + {{- if (include "forms-flow-data-analysis.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} spec: + {{- include "forms-flow-data-analysis.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ template "forms-flow-data-analysis.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} + {{- end }} containers: - {{- if .Values.elastic_search.enabled }} - - name: filebeat-data-analysis - image: docker.elastic.co/beats/filebeat:7.14.0 - env: - - name: ELASTIC_SERVER + - name: forms-flow-data-analysis + image: {{ include "forms-flow-data-analysis.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: OPENAI_API_KEY valueFrom: configMapKeyRef: - key: ELASTIC_SERVER + key: OPENAI_API_KEY + name: "{{ .Chart.Name }}" + - name: CHAT_BOT_MODEL_ID + valueFrom: + configMapKeyRef: + key: CHAT_BOT_MODEL_ID + name: "{{ .Chart.Name }}" + - name: KEYCLOAK_URL + valueFrom: + configMapKeyRef: + key: KEYCLOAK_URL + name: "{{ .Values.formsflow.configmap }}" + - name: KEYCLOAK_URL_REALM + valueFrom: + configMapKeyRef: + key: KEYCLOAK_URL_REALM + name: "{{ .Values.formsflow.configmap }}" + - name: KEYCLOAK_WEB_CLIENT_ID + valueFrom: + configMapKeyRef: + key: KEYCLOAK_WEB_CLIENT_ID + name: "{{ .Chart.Name }}" + - name: DATA_ANALYSIS_API_BASE_URL + valueFrom: + configMapKeyRef: + key: DATA_ANALYSIS_URL + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_ALGORITHMS + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_ALGORITHMS + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_AUDIENCE + valueFrom: + secretKeyRef: + key: ADMIN_WEB_CLIENTID + name: "{{ .Values.formsflow.secret }}" + - name: JWT_OIDC_CACHING_ENABLED + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_CACHING_ENABLED + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_ISSUER + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_ISSUER + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_JWKS_CACHE_TIMEOUT + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_JWKS_CACHE_TIMEOUT + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_JWKS_URI + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_JWKS_URI + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_WELL_KNOWN_CONFIG + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_CONFIG + name: "{{ .Values.formsflow.configmap }}" + - name: DATABASE_SUPPORT + valueFrom: + configMapKeyRef: + key: DATABASE_SUPPORT + name: "{{ .Chart.Name }}" + - name: MODEL_ID + valueFrom: + configMapKeyRef: + key: MODEL_ID + name: "{{ .Values.formsflow.configmap }}" + - name: KEYCLOAK_URL_HTTP_RELATIVE_PATH + valueFrom: + configMapKeyRef: + key: KEYCLOAK_URL_HTTP_RELATIVE_PATH name: "{{ .Values.formsflow.configmap }}" - volumeMounts: - - name: data-analysis-logs - mountPath: /forms-flow-data-analysis/app/logs - - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - name: data-analysis-filebeat - {{- end}} - - env: - # - name: DATABASE_URL - # valueFrom: - # configMapKeyRef: - # key: DATABASE_URL - # name: "{{ .Chart.Name }}" - - - name: OPENAI_API_KEY - valueFrom: - configMapKeyRef: - key: OPENAI_API_KEY - name: "{{ .Chart.Name }}" - - name: CHAT_BOT_MODEL_ID - valueFrom: - configMapKeyRef: - key: CHAT_BOT_MODEL_ID - name: "{{ .Chart.Name }}" - - - name: KEYCLOAK_URL - valueFrom: - configMapKeyRef: - key: KEYCLOAK_URL - name: "{{ .Values.formsflow.configmap }}" - - - name: KEYCLOAK_URL_REALM - valueFrom: - configMapKeyRef: - key: KEYCLOAK_URL_REALM - name: "{{ .Values.formsflow.configmap }}" - - - name: KEYCLOAK_WEB_CLIENT_ID - valueFrom: - configMapKeyRef: - key: KEYCLOAK_WEB_CLIENT_ID - name: "{{ .Chart.Name }}" - - - name: DATA_ANALYSIS_API_BASE_URL - valueFrom: - configMapKeyRef: - key: DATA_ANALYSIS_URL - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_ALGORITHMS - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_ALGORITHMS - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_AUDIENCE - valueFrom: - secretKeyRef: - key: ADMIN_WEB_CLIENTID - name: "{{ .Values.formsflow.secret }}" - - name: JWT_OIDC_CACHING_ENABLED - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_CACHING_ENABLED - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_ISSUER - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_ISSUER - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_JWKS_CACHE_TIMEOUT - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_JWKS_CACHE_TIMEOUT - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_JWKS_URI - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_JWKS_URI - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_WELL_KNOWN_CONFIG - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_CONFIG - name: "{{ .Values.formsflow.configmap }}" - - name: DATABASE_SUPPORT - valueFrom: - configMapKeyRef: - key: DATABASE_SUPPORT - name: "{{ .Chart.Name }}" - - name: MODEL_ID - valueFrom: - configMapKeyRef: - key: MODEL_ID - name: "{{ .Values.formsflow.configmap }}" - - name: KEYCLOAK_URL_HTTP_RELATIVE_PATH - valueFrom: - configMapKeyRef: - key: KEYCLOAK_URL_HTTP_RELATIVE_PATH - name: "{{ .Values.formsflow.configmap }}" - - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" - name: "{{ .Chart.Name }}" - imagePullPolicy: Always - ports: - - containerPort: {{ .Values.ingress.port }} - resources: - limits: - cpu: "{{ .Values.resources.limits.cpu }}" - memory: "{{ .Values.resources.limits.memory }}" - requests: - cpu: "{{ .Values.resources.requests.cpu }}" - memory: "{{ .Values.resources.requests.memory }}" - stdin: true - tty: true - {{- if .Values.elastic_search.enabled }} - volumeMounts: - - name: data-analysis-logs - mountPath: /forms-flow-data-analysis/app/logs + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 8 }} + {{- end }} + {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.containerPorts.http }} + protocol: TCP + stdin: true + tty: true + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: data-analysis-logs + mountPath: /forms-flow-data-analysis/app/logs + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + - name: nginx + image: {{ include "forms-flow-data-analysis.nginx.image" . }} + ports: + - containerPort: {{ .Values.ingress.servicePort }} + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf volumes: - name: data-analysis-logs - - name: data-analysis-filebeat + emptyDir: {} + - name: nginx-config-volume configMap: - name: "{{ .Chart.Name }}-fb-config" - {{- end}} - restartPolicy: Always - imagePullSecrets: - - name: "{{ .Values.formsflow.auth }}" \ No newline at end of file + name: forms-flow-data-analysis-nginx-config + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + restartPolicy: Always \ No newline at end of file diff --git a/charts/forms-flow-data-analysis/templates/hpa.yaml b/charts/forms-flow-data-analysis/templates/hpa.yaml index 6097cf6d..0e3b1a1a 100644 --- a/charts/forms-flow-data-analysis/templates/hpa.yaml +++ b/charts/forms-flow-data-analysis/templates/hpa.yaml @@ -1,20 +1,61 @@ -{{- if .Values.hpa.enabled}} -apiVersion: autoscaling/v2 +{{- if .Values.autoscaling.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} kind: HorizontalPodAutoscaler metadata: - name: {{ .Chart.Name }} + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-data-analysis + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ .Chart.Name }} - minReplicas: 1 - maxReplicas: {{.Values.hpa.maxReplicas}} + apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} + kind: StatefulSet + name: {{ template "common.names.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: + {{- if .Values.autoscaling.targetCPU }} - type: Resource resource: name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- else }} target: type: Utilization - averageUtilization: {{.Values.hpa.CpuAverageUtilization}} -{{- end}} \ No newline at end of file + averageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- end }} + {{- end }} + {{- if .Values.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- end }} + {{- end }} + {{- if or .Values.autoscaling.behavior.scaleDown.policies .Values.autoscaling.behavior.scaleUp.policies }} + behavior: + {{- if .Values.autoscaling.behavior.scaleDown.policies }} + scaleDown: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleDown.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleDown.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleDown.policies | nindent 8 }} + {{- end }} + {{- if .Values.autoscaling.behavior.scaleUp.policies }} + scaleUp: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleUp.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleUp.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleUp.policies | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-data-analysis/templates/ingress.yaml b/charts/forms-flow-data-analysis/templates/ingress.yaml index d62d2459..657b3ffb 100644 --- a/charts/forms-flow-data-analysis/templates/ingress.yaml +++ b/charts/forms-flow-data-analysis/templates/ingress.yaml @@ -1,35 +1,56 @@ -apiVersion: networking.k8s.io/v1 +{{- if .Values.ingress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} - annotations: -{{ toYaml .Values.ingress.annotations | indent 4 }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-data-analysis + {{- if or .Values.ingress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: - ingressClassName: {{ .Values.ingress.ingressClassName }} - {{- if or (and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} + {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.ingress.hostname }} + - host: {{ (tpl .Values.ingress.hostname .) | quote }} + http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ include "common.tplvalues.render" ( dict "value" .Values.ingress.path "context" $) }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} + - host: {{ (tpl .name $) }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} tls: - {{- if and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.secrets .Values.ingress.selfSigned) }} + {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.secrets .Values.ingress.selfSigned) }} - hosts: - {{ (tpl .Values.ingress.hostname .) | quote }} secretName: {{ printf "%s-tls" (tpl .Values.ingress.hostname .) }} - {{- else }} - - {} - {{- end}} - {{- else }} - tls: - - {} - {{- end}} - rules: - - - host: "{{ tpl .Values.ingress.hostname .}}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ .Chart.Name }} - port: - number: {{ .Values.ingress.port }} + {{- end }} + {{- if .Values.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-data-analysis/templates/pdb.yaml b/charts/forms-flow-data-analysis/templates/pdb.yaml new file mode 100644 index 00000000..3e5a4c28 --- /dev/null +++ b/charts/forms-flow-data-analysis/templates/pdb.yaml @@ -0,0 +1,21 @@ +{{- if .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-data-analysis/templates/proxy-config.yaml b/charts/forms-flow-data-analysis/templates/proxy-config.yaml new file mode 100644 index 00000000..a23be105 --- /dev/null +++ b/charts/forms-flow-data-analysis/templates/proxy-config.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }}-nginx-config + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-api + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + nginx.conf: | + events { worker_connections 1024; } + http { + server { + listen {{ .Values.ingress.servicePort }}; + location /analysis { + rewrite ^/analysis/(.*)$ /$1 break; + sub_filter '="/' '="/analysis/'; + sub_filter '="/swaggerui/' '="/analysis/swaggerui/'; + sub_filter_once off; + sub_filter_types application/javascript text/css text/xml text/javascript application/json text/plain; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header SCRIPT_NAME /analysis; + proxy_pass http://localhost:{{ .Values.containerPorts.http }}; + } + location /analysis/swagger.json { + proxy_set_header Host $http_host; + proxy_pass http://localhost:{{ .Values.containerPorts.http }}/swagger.json; + } + } + } + pid /tmp/nginx.pid; \ No newline at end of file diff --git a/charts/forms-flow-data-analysis/templates/service.yaml b/charts/forms-flow-data-analysis/templates/service.yaml index c627b2f8..18897c86 100644 --- a/charts/forms-flow-data-analysis/templates/service.yaml +++ b/charts/forms-flow-data-analysis/templates/service.yaml @@ -1,12 +1,34 @@ apiVersion: v1 kind: Service metadata: - name: "{{ .Chart.Name }}" + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} ports: - - name: "{{ .Chart.Name }}" - port: {{ .Values.ingress.port }} - protocol: TCP - targetPort: {{ .Values.ingress.port }} - selector: - app: "{{ .Chart.Name }}" + {{- include "common.tplvalues.render" (dict "value" .Values.service.ports "context" $) | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} diff --git a/charts/forms-flow-data-analysis/templates/serviceaccount.yaml b/charts/forms-flow-data-analysis/templates/serviceaccount.yaml new file mode 100644 index 00000000..12eced41 --- /dev/null +++ b/charts/forms-flow-data-analysis/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "forms-flow-data-analysis.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} \ No newline at end of file diff --git a/charts/forms-flow-data-analysis/values.yaml b/charts/forms-flow-data-analysis/values.yaml index 78963c11..ed7f0df8 100644 --- a/charts/forms-flow-data-analysis/values.yaml +++ b/charts/forms-flow-data-analysis/values.yaml @@ -1,6 +1,375 @@ ---- -Domain: # -replicas: 1 +replicaCount: 1 +image: + registry: docker.io + repository: formsflow/forms-flow-data-analysis-api + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "v7.0.0" + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: + - forms-flow-ai-auth +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} + +nodeSelector: {} +## @param tolerations Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param nodeSelector Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param priorityClassName Pod priority +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" +## @param schedulerName Name of the k8s scheduler (other than default) +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param terminationGracePeriodSeconds In seconds, time the given to the forms-flow-data-analysis pod needs to terminate gracefully +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +terminationGracePeriodSeconds: "" +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment +## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## The value is evaluated as a template +## +topologySpreadConstraints: [] + +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +hostAliases: [] + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + ## @param automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false +## @param podAnnotations Pod annotations +## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param podLabels Extra labels for forms-flow-data-analysis pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + +## K8s Security Context for forms-flow-data-analysis pods +## Configure Pods Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled forms-flow-data-analysis pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Set forms-flow-data-analysis pod's Security Context fsGroup +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 +## Configure Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: false + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## @param command Override default container command (useful when using custom images) +## +command: [] +## @param args Override default container args (useful when using custom images) +## +args: [] +## @param lifecycleHooks for the forms-flow-data-analysis container(s) to automate configuration before or after startup +## +lifecycleHooks: {} +automountServiceAccountToken: true +## @param extraEnvVars Extra environment variables to be set on formsflow api container +## Example: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: [] +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraVolumes Array to add extra volumes (evaluated as a template) +## extraVolumes: +## - name: myvolume +## configMap: +## name: myconfigmap +## +extraVolumes: {} +## @param extraVolumeMounts Array to add extra mounts (normally used with extraVolumes, evaluated as a template) +## extraVolumeMounts: +## - mountPath: /opt/bitnami/desired-path +## name: myvolume +## readOnly: true +## +extraVolumeMounts: {} + +## sidecars configuration +sidecars: {} +ExtraContainer: + ## nginx configuration for sidecar + image: + registry: docker.io + repository: nginxinc/nginx-unprivileged + pullPolicy: IfNotPresent + tag: "latest" + +## @param auth.existingSecret Existing secret containing password,username,dbname and + ## +existingSecret: "" +## @param updateStrategy.type Set up update strategy for forms-flow-data-analysis installation. +## Set to Recreate if you use persistent volume that cannot be mounted by more than one pods to make sure the pods is destroyed first. +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## Example: +## updateStrategy: +## type: RollingUpdate +## rollingUpdate: +## maxSurge: 25% +## maxUnavailable: 25% +## +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + +## forms-flow-data-analysis ingress parameters +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress record generation for forms-flow-data-analysis + ## + enabled: true + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.controller The ingress controller type. Currently supports `default` and `gce` + ## leave as `default` for most ingress controllers. + ## set to `gce` if using the GCE ingress controller + ## + controller: default + ## @param ingress.hostname Default host for the ingress record (evaluated as template) + ## + hostname: forms-flow-data-analysis.local + ## @param ingress.path [string] Default path for the ingress record (evaluated as template) + ## + path: "/analysis" + ## @param ingress.servicePort Backend service port to use + ## Default is http. Alternative is https. + ## + servicePort: 8080 + ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.labels Additional labels for the Ingress resource. + ## e.g: + ## labels: + ## app: forms-flow-data-analysis + ## + labels: {} + ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}` + ## You can: + ## - Use the `ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## + tls: true + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: forms-flow-data-analysis.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. + ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - forms-flow-data-analysis.local + ## secretName: forms-flow-data-analysis.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## - name: forms-flow-data-analysis.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: airflow.local + ## http: + ## path: / + ## backend: + ## service: + ## name: airflow-svc + ## port: + ## name: http + ## + extraRules: [] +## forms-flow-data-analysis admin ingress parameters +## ref: https://kubernetes.io/docs/user-guide/ingress/ +## +## Pod disruption budget configuration +## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +## @param pdb.create If true, create a pod disruption budget for pods. +## @param pdb.minAvailable Minimum number / percentage of pods that should remain scheduled +## @param pdb.maxUnavailable Maximum number / percentage of pods that may be made unavailable +## +pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## forms-flow-data-analysis containers' resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "small" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## resources: limits: cpu: 500m @@ -8,30 +377,136 @@ resources: requests: cpu: 250m memory: 512Mi +## @param customStartupProbe Custom startup probe for the Web component +## +## @param customStartupProbe Custom startup probe for the Web component +## +customStartupProbe: {} +## @param customLivenessProbe Custom liveness probe for the Web component +## +customLivenessProbe: {} +## @param customReadinessProbe Custom readiness probe for the Web component +## +customReadinessProbe: {} +## Service parameters +## +service: + ## @param service.type Kubernetes service type (`ClusterIP`, `NodePort`, or `LoadBalancer`) + ## + type: ClusterIP + ## @param service.ports [array] forms-flow-data-analysis service ports (evaluated as a template) + ## + ports: + - name: http + port: 5000 + targetPort: http + protocol: TCP + - name: nginx + port: 8080 + targetPort: 8080 + protocol: TCP + ## - name: system + ## port: 1764 + ## + ## @param service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalTrafficPolicy External traffic policy, configure to Local to preserve client source IP when using an external loadBalancer + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: "" + ## @param service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.annotations Annotations for forms-flow-data-analysis service + ## + annotations: {} + ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param service.headless.annotations Annotations for the headless service. + ## + annotations: {} + +configuration: [] + +containerPorts: + http: 5000 + +## forms-flow-data-analysis Autoscaling configuration +## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +## @param autoscaling.enabled Enable autoscaling for forms-flow-data-analysis +## @param autoscaling.minReplicas Minimum number of forms-flow-data-analysis replicas +## @param autoscaling.maxReplicas Maximum number of forms-flow-data-analysis replicas +## @param autoscaling.targetCPU Target CPU utilization percentage +## @param autoscaling.targetMemory Target Memory utilization percentage +## +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPU: "" + targetMemory: "" + ## HPA Scaling Behavior + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior + ## + behavior: + ## HPA behavior when scaling up + ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up + ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up + ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up + ## e.g: + ## Policy to scale 20% of the pod in 60s + ## - type: Percent + ## value: 20 + ## periodSeconds: 60 + ## + scaleUp: + stabilizationWindowSeconds: 120 + selectPolicy: Max + policies: [] + ## HPA behavior when scaling down + ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down + ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down + ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down + ## e.g: + ## Policy to scale one pod in 300s + ## - type: Pods + ## value: 1 + ## periodSeconds: 300 + ## + scaleDown: + stabilizationWindowSeconds: 300 + selectPolicy: Max + policies: + - type: Pods + value: 1 + periodSeconds: 300 + +openApiKey: "" +chatbotModelId: "gpt-3.5-turbo" formsflow: configmap: forms-flow-ai # name of formsflow.ai configmap secret: forms-flow-ai #name of formsflow.ai secret - auth: forms-flow-ai-auth -ingress: - ingressClassName: "" - annotations: - enabled: true # create an ingress for this component - hostname: "{{.Chart.Name}}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}" - port: 5000 - tls: true - selfSigned: false - extraTls: - - {} -image: - registry: docker.io - repository: formsflow/forms-flow-data-analysis-api - tag: v6.0.2 #The image tag to pull from -openApiKey: "" -chatbotModelId: "gpt-3.5-turbo" -hpa: - enabled: false - CpuAverageUtilization: 80 - maxReplicas: 3 -elastic_search: - enabled: false \ No newline at end of file diff --git a/charts/forms-flow-documents-api/.helmignore b/charts/forms-flow-documents-api/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/forms-flow-documents-api/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/forms-flow-documents-api/Chart.yaml b/charts/forms-flow-documents-api/Chart.yaml index 8b782833..c578176f 100644 --- a/charts/forms-flow-documents-api/Chart.yaml +++ b/charts/forms-flow-documents-api/Chart.yaml @@ -1,6 +1,13 @@ ---- apiVersion: v2 name: forms-flow-documents-api -tags: forms-flow-documents-api -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file +description: forms-flow-documents-api is to generate pdf with form submission data and it's provided by formsflow. +icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" +version: v8.0.0 +type: application +appVersion: "8.0.0" +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x diff --git a/charts/forms-flow-documents-api/README.md b/charts/forms-flow-documents-api/README.md new file mode 100644 index 00000000..e4e3a2a3 --- /dev/null +++ b/charts/forms-flow-documents-api/README.md @@ -0,0 +1,224 @@ +# Formsflow Documents API + +The goal of the document API is to generate pdf with form submission data. + +## Introduction + +This chart bootstraps a forms-flow-documents-api deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + + +## Installing the Chart + +To install the chart with the release name `forms-flow-documents-api`: + +```console +helm upgrade --install forms-flow-documents-api forms-flow-documents-api +``` + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm upgrade --install forms-flow-documents-api forms-flow-documents-api --set ingress.ingressClassName=INGRESS_CLASS --set ingress.hostname=HOSTNAME +``` + +> Note: You need to substitute the placeholders `INGRESS_CLASS` and `HOSTNAME` with a reference to your Helm chart registry and repository. For example, in the case of Formsflow, you need to use `INGRESS_CLASS=nginx` + +These commands deploy Forms-flow-documents-api on the Kubernetes cluster + +> **Tip**: List all releases using `helm list` + +### Resource requests and limits + +Forms-flow-documents-api charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +```yaml +resources: + limits: + cpu: 300m + memory: 1Gi + requests: + cpu: 200m + memory: 512Mi +``` + +### Change Forms-flow-documents-api version + +To modify the Forms-flow-documents-api version used in this chart you can specify a [valid image tag](https://hub.docker.com/repository/docker/formsflow/forms-flow-documents-api) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. + +#### Using the OpenSource Version +By default, the chart uses the OpenSource version of the `Forms-flow-documents-api`. You can change the image tag to any valid version of the OpenSource image, as shown below: + +```yaml +image: + registry: docker.io + repository: formsflow/forms-flow-documents-api + tag: X.Y.Z # Replace with the desired OpenSource version +``` +#### Using the Enterprise Version +If you're using the enterprise version of Forms-flow documents-api, you can switch the image repository to `formsflow/forms-flow-documents-api-ee`. The enterprise version includes additional features and support designed for larger-scale or production environments. To use the enterprise version, update the repository field as shown below: + +```yaml +image: + registry: docker.io + repository: formsflow/forms-flow-documents-api-ee + tag: X.Y.Z # Replace with the desired enterprise version +``` +Make sure to replace X.Y.Z with the specific version number you wish to use for either the OpenSource or enterprise version. + +## Persistence + +The `forms-flow-documents-api` image stores the application logs at the `/forms-flow-documents/app/logs` path of the container. + +## Sidecar Configuration + +To add a sidecar to your `Forms-flow-documents-api` deployment, you can use the following configuration. In this case, the sidecar container is an Nginx container used for configuration management. + +### Example Sidecar Configuration + +```yaml +sidecars: + - name: nginx + image: nginx:latest + ports: + - containerPort: 80 + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf +``` + +## Path Update +The `Forms-flow-documents-api` can now be accessed at the `/docapi` route. Ensure that all configurations and requests reference this updated path. + +For example: + +``` +https:///docapi +``` +## Parameters + +| Parameter | Description | Default Value | +|------------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `replicaCount` | Number of replicas for the deployment. | `1` | +| `image.registry` | Container image registry. | `docker.io` | +| `image.repository` | Repository for the container image. | `formsflow/forms-flow-documents-api` | +| `image.pullPolicy` | Image pull policy. | `IfNotPresent` | +| `image.tag` | Tag for the container image. | `v7.0.0` | +| `image.pullSecrets` | Array of image pull secrets. | `["forms-flow-ai-auth"]` | +| `nameOverride` | Override for the name of the deployment. | `""` | +| `fullnameOverride` | Override for the full name of the deployment. | `""` | +| `commonLabels` | Common labels to apply to all resources. | `{}` | +| `commonAnnotations` | Common annotations to apply to all resources. | `{}` | +| `nodeSelector` | Node selector for scheduling pods. | `{}` | +| `tolerations` | Tolerations for scheduling pods. | `[]` | +| `affinity` | Affinity rules for scheduling pods. | `{}` | +| `priorityClassName` | Name of the priority class for the pods. | `""` | +| `schedulerName` | Name of the scheduler to use for the pods. | `""` | +| `terminationGracePeriodSeconds` | Grace period for pod termination. | `""` | +| `topologySpreadConstraints` | Constraints for spreading pods across topology domains. | `[]` | +| `diagnosticMode.enabled` | Enable or disable diagnostic mode. | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment. | `["sleep"]` | +| `diagnosticMode.args` | Arguments to override all containers in the deployment. | `["infinity"]` | +| `serviceAccount.create` | Specifies whether a service account should be created. | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account. | `{}` | +| `serviceAccount.name` | The name of the service account to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Whether to automount the service account token. | `false` | +| `podAnnotations` | Annotations to add to the pod. | `{}` | +| `podLabels` | Labels to add to the pod. | `{}` | +| `podAffinityPreset` | Preset for pod affinity rules. | `""` | +| `podAntiAffinityPreset` | Preset for pod anti-affinity rules. | `soft` | +| `nodeAffinityPreset.type` | Type of node affinity preset. | `""` | +| `nodeAffinityPreset.key` | Key for node affinity preset. | `""` | +| `nodeAffinityPreset.values` | Values for node affinity preset. | `[]` | +| `podSecurityContext.enabled` | Enable pod security context. | `true` | +| `podSecurityContext.fsGroupChangePolicy`| Policy for changing the fsGroup. | `Always` | +| `podSecurityContext.sysctls` | Sysctl settings for the pod. | `[]` | +| `podSecurityContext.supplementalGroups` | Supplemental groups for the pod. | `[]` | +| `podSecurityContext.fsGroup` | fsGroup for the pod. | `1001` | +| `containerSecurityContext.enabled` | Enable container security context. | `true` | +| `containerSecurityContext.seLinuxOptions` | SELinux options for the container. | `{}` | +| `containerSecurityContext.runAsUser` | User ID to run the container as. | `1001` | +| `containerSecurityContext.runAsGroup` | Group ID to run the container as. | `1001` | +| `containerSecurityContext.runAsNonRoot` | Whether to run the container as a non-root user. | `false` | +| `containerSecurityContext.privileged` | Whether to run the container in privileged mode. | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Whether to use a read-only root filesystem. | `false` | +| `containerSecurityContext.allowPrivilegeEscalation` | Whether to allow privilege escalation. | `false` | +| `containerSecurityContext.capabilities.drop` | Capabilities to drop from the container. | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Seccomp profile type for the container. | `RuntimeDefault` | +| `command` | Override default container command (useful for custom images). | `[]` | +| `args` | Override default container args (useful for custom images). | `[]` | +| `lifecycleHooks` | Lifecycle hooks for the container to automate configuration before or after startup. | `{}` | +| `automountServiceAccountToken` | Whether to automount the service account token. | `true` | +| `extraEnvVars` | Additional environment variables for the container. | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars. | `""` | +| `extraVolumes` | Extra volumes for the container. | `{}` | +| `extraVolumeMounts` | Extra volume mounts for the container. | `{}` | +| `auth.existingSecret` | Existing secret containing password, username, and db name. | `""` | +| `auth.annotations` | Annotations for the auth section. | `{}` | +| `updateStrategy.type` | Type of update strategy for the deployment. | `RollingUpdate` | +| `updateStrategy.rollingUpdate.maxSurge`| Maximum surge during updates. | `25%` | +| `updateStrategy.rollingUpdate.maxUnavailable` | Maximum unavailable pods during updates. | `25%` | +| `pdb.create` | Specifies whether a PodDisruptionBudget should be created. | `true` | +| `pdb.minAvailable` | Minimum number of pods that must be available. | `""` | +| `pdb.maxUnavailable` | Maximum number of pods that can be unavailable. | `""` | +| `customStartupProbe` | Custom startup probe for the container. | `{}` | +| `customLivenessProbe` | Custom liveness probe for the container. | `{}` | +| `customReadinessProbe` | Custom readiness probe for the container. | `{}` | +| `autoscaling.enabled` | Enable autoscaling for the deployment. | `false` | +| `autoscaling.minReplicas` | Minimum number of replicas for autoscaling. | `1` | +| `autoscaling.maxReplicas` | Maximum number of replicas for autoscaling. | `11` | +| `autoscaling.targetCPU` | Target CPU utilization for autoscaling. | `""` | +| `autoscaling.targetMemory` | Target memory utilization for autoscaling. | `""` | +| `autoscaling.behavior.scaleUp` | Autoscaling behavior for scale up operations. | `{ stabilizationWindowSeconds: 120, selectPolicy: "Max", policies: [] }` | +| `autoscaling.behavior.scaleDown` | Autoscaling behavior for scale down operations. | `{ stabilizationWindowSeconds: 300, selectPolicy: "Max", policies: [{type: "Pods", value: 1, periodSeconds: 300}] }` | +| `formsflow.configmap` | Name of the FormsFlow configuration map. | `forms-flow-ai` | +| `formsflow.secret` | Name of the FormsFlow secret. | `forms-flow-ai` | + + +## Ingress Parameters + +| Parameter | Description | Default Value | +|------------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `ingress.enabled` | Enable ingress record generation for the application. | `true` | +| `ingress.ingressClassName` | Name of the ingress class to use. | `""` | +| `ingress.pathType` | Type of path matching for the ingress. | `ImplementationSpecific` | +| `ingress.apiVersion` | API version for the ingress resource. | `""` | +| `ingress.controller` | Ingress controller to use. | `default` | +| `ingress.hostname` | Hostname for the ingress. | `forms-flow-documents-api.local` | +| `ingress.path` | Path for the ingress. | `/docapi` | +| `ingress.servicePort` | Service port for the ingress. | `5006` | +| `ingress.annotations` | Annotations for the ingress resource. | `{}` | +| `ingress.labels` | Labels for the ingress resource. | `{}` | +| `ingress.tls` | Enable TLS for the ingress. | `true` | +| `ingress.selfSigned` | Create a TLS secret using self-signed certificates generated by Helm. | `false` | +| `ingress.extraHosts` | Additional hostnames for the ingress. | `[]` | +| `ingress.extraPaths` | Additional paths for the ingress. | `[]` | +| `ingress.extraTls` | Additional TLS settings for the ingress. | `[]` | +| `ingress.secrets` | TLS secrets for the ingress. | `[]` | +| `ingress.extraRules` | Additional rules for the ingress. | `[]` | + +## Resource Parameters + +| Parameter | Description | Default Value | +|------------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `resourcesPreset` | Preset resource allocation for the deployment. | `small` | +| `resources.limits.cpu` | CPU limit for the pods. | `200m` | +| `resources.limits.memory` | Memory limit for the pods. | `1Gi` | +| `resources.requests.cpu` | CPU request for the pods. | `100m` | +| `resources.requests.memory` | Memory request for the pods. | `512Mi` | + +## Service Parameters + +| Parameter | Description | Default Value | +|------------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `service.type` | Service type for the application. | `ClusterIP` | +| `service.ports` | Ports configuration for the service. | `[{name: "http", port: 5006, targetPort: "http", protocol: "TCP"}]` | +| `service.loadBalancerIP` | Load balancer IP for the service. | `""` | +| `service.loadBalancerSourceRanges` | Source ranges for load balancer. | `[]` | +| `service.externalTrafficPolicy` | External traffic policy for the service. | `""` | +| `service.clusterIP` | Cluster IP for the service. | `""` | +| `service.annotations` | Annotations for the service. | `{}` | +| `service.sessionAffinity` | Session affinity for the service. | `None` | +| `service.sessionAffinityConfig` | Configuration for session affinity. | `{}` | +| `service.headless.annotations` | Annotations for the headless service. | `{}` | + diff --git a/charts/forms-flow-documents-api/templates/_helpers.tpl b/charts/forms-flow-documents-api/templates/_helpers.tpl new file mode 100644 index 00000000..5a8b6701 --- /dev/null +++ b/charts/forms-flow-documents-api/templates/_helpers.tpl @@ -0,0 +1,82 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "forms-flow-documents-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "forms-flow-documents-api.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "forms-flow-documents-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "forms-flow-documents-api.labels" -}} +helm.sh/chart: {{ include "forms-flow-documents-api.chart" . }} +{{ include "forms-flow-documents-api.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "forms-flow-documents-api.selectorLabels" -}} +app.kubernetes.io/name: {{ include "forms-flow-documents-api.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "forms-flow-documents-api.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "forms-flow-documents-api.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* + Return the proper forms-flow-documents-api image name +*/}} +{{- define "forms-flow-documents-api.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} +{{/* +Return the proper forms-flow-documents-api side car nginx image name +*/}} +{{- define "forms-flow-documents-api.nginx.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.ExtraContainer.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "forms-flow-documents-api.imagePullSecrets" -}} +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) -}} +{{- end -}} \ No newline at end of file diff --git a/charts/forms-flow-documents-api/templates/configmap.yaml b/charts/forms-flow-documents-api/templates/configmap.yaml deleted file mode 100644 index 91081548..00000000 --- a/charts/forms-flow-documents-api/templates/configmap.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} -data: - ---- -{{- if .Values.elastic_search.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Chart.Name }}-fb-config -data: - "filebeat.yml": |- - filebeat.inputs: - - type: log - enabled: true - paths: - - /forms-flow-documents/app/logs/* - output.elasticsearch: - hosts: "${ELASTIC_SERVER}" - index: "forms-flow-documents-api-%{+yyyy.MM.dd}" - setup.template.name: "forms-flow-documents-api" - setup.template.pattern: "forms-flow-documents-api-*" - setup.template.overwrite: true - setup.template.enabled: false - setup.template.settings: - index.number_of_shards: 1 - setup.ilm.enabled: false -{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-documents-api/templates/deployment.yaml b/charts/forms-flow-documents-api/templates/deployment.yaml index a5311c8c..0ffde0f8 100644 --- a/charts/forms-flow-documents-api/templates/deployment.yaml +++ b/charts/forms-flow-documents-api/templates/deployment.yaml @@ -1,154 +1,217 @@ ---- -apiVersion: apps/v1 +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: - labels: - app: "{{ .Chart.Name }}" - name: "{{ .Chart.Name }}" + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: - replicas: {{ .Values.replicas }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: - app: "{{ .Chart.Name }}" - strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 25% - type: RollingUpdate + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + replicas: {{ .Values.replicaCount }} + strategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }} template: metadata: - labels: - app: "{{ .Chart.Name }}" + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: forms-flow-documents-api + annotations: + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} spec: + serviceAccountName: {{ include "forms-flow-documents-api.serviceAccountName" . }} + {{- include "forms-flow-documents-api.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "jenkins-controller" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "jenkins-controller" "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} + {{- end }} containers: - {{- if .Values.elastic_search.enabled }} - - name: filebeat-documents-api - image: docker.elastic.co/beats/filebeat:7.14.0 - env: - - name: ELASTIC_SERVER + - name: forms-flow-documents-api + image: {{ include "forms-flow-documents-api.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: JWT_OIDC_ALGORITHMS + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_ALGORITHMS + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_AUDIENCE + valueFrom: + secretKeyRef: + key: WEB_CLIENTID + name: "{{ .Values.formsflow.secret }}" + - name: JWT_OIDC_CACHING_ENABLED + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_CACHING_ENABLED + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_ISSUER + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_ISSUER + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_JWKS_CACHE_TIMEOUT + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_JWKS_CACHE_TIMEOUT + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_JWKS_URI + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_JWKS_URI + name: "{{ .Values.formsflow.configmap }}" + - name: JWT_OIDC_WELL_KNOWN_CONFIG + valueFrom: + configMapKeyRef: + key: KEYCLOAK_JWT_OIDC_CONFIG + name: "{{ .Values.formsflow.configmap }}" + - name: FORMIO_URL valueFrom: configMapKeyRef: - key: ELASTIC_SERVER + key: FORMIO_URL name: "{{ .Values.formsflow.configmap }}" - volumeMounts: - - name: documents-logs - mountPath: /forms-flow-documents/app/logs - - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - name: documents-filebeat - {{- end}} - - env: - - name: JWT_OIDC_ALGORITHMS - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_ALGORITHMS - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_AUDIENCE - valueFrom: - secretKeyRef: - key: WEB_CLIENTID - name: "{{ .Values.formsflow.secret }}" - - name: JWT_OIDC_CACHING_ENABLED - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_CACHING_ENABLED - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_ISSUER - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_ISSUER - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_JWKS_CACHE_TIMEOUT - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_JWKS_CACHE_TIMEOUT - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_JWKS_URI - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_JWKS_URI - name: "{{ .Values.formsflow.configmap }}" - - name: JWT_OIDC_WELL_KNOWN_CONFIG - valueFrom: - configMapKeyRef: - key: KEYCLOAK_JWT_OIDC_CONFIG - name: "{{ .Values.formsflow.configmap }}" - - - name: FORMIO_URL - valueFrom: - configMapKeyRef: - key: FORMIO_URL - name: "{{ .Values.formsflow.configmap }}" - - name: FORMIO_ROOT_EMAIL - valueFrom: - secretKeyRef: - key: FORMIO_ROOT_EMAIL - name: "{{ .Values.formsflow.secret }}" - - name: FORMIO_ROOT_PASSWORD - valueFrom: - secretKeyRef: - key: FORMIO_ROOT_PASSWORD - name: "{{ .Values.formsflow.secret }}" - - name: CUSTOM_SUBMISSION_URL - valueFrom: - configMapKeyRef: - key: CUSTOM_SUBMISSION_URL - name: "{{ .Values.formsflow.configmap }}" - - name: CUSTOM_SUBMISSION_ENABLED - valueFrom: - configMapKeyRef: - key: CUSTOM_SUBMISSION_ENABLED - name: "{{ .Values.formsflow.configmap }}" - - name: KEYCLOAK_ENABLE_CLIENT_AUTH - valueFrom: - configMapKeyRef: - key: KEYCLOAK_ENABLE_CLIENT_AUTH - name: "{{ .Values.formsflow.configmap }}" - - name: MULTI_TENANCY_ENABLED - valueFrom: - configMapKeyRef: - key: MULTI_TENANCY_ENABLED - name: "{{ .Values.formsflow.configmap }}" - - name: FORMSFLOW_DOC_API_URL - valueFrom: - configMapKeyRef: - key: FORMSFLOW_DOC_API_URL - name: "{{ .Values.formsflow.configmap }}" - - name: CONFIGURE_LOGS - valueFrom: - configMapKeyRef: - key: CONFIGURE_LOGS - name: "{{ .Values.formsflow.configmap }}" - - name: KEYCLOAK_URL_HTTP_RELATIVE_PATH - valueFrom: - configMapKeyRef: - key: KEYCLOAK_URL_HTTP_RELATIVE_PATH - name: "{{ .Values.formsflow.configmap }}" - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" - name: "{{ .Chart.Name }}" - imagePullPolicy: Always - ports: - - containerPort: {{ .Values.ingress.port }} - resources: - limits: - cpu: "{{ .Values.resources.limits.cpu }}" - memory: "{{ .Values.resources.limits.memory }}" - requests: - cpu: "{{ .Values.resources.requests.cpu }}" - memory: "{{ .Values.resources.requests.memory }}" - stdin: true - tty: true - - {{- if .Values.elastic_search.enabled }} - volumeMounts: - - name: documents-logs - mountPath: /forms-flow-documents/app/logs + - name: FORMIO_ROOT_EMAIL + valueFrom: + secretKeyRef: + key: FORMIO_ROOT_EMAIL + name: "{{ .Values.formsflow.secret }}" + - name: FORMIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + key: FORMIO_ROOT_PASSWORD + name: "{{ .Values.formsflow.secret }}" + - name: CUSTOM_SUBMISSION_URL + valueFrom: + configMapKeyRef: + key: CUSTOM_SUBMISSION_URL + name: "{{ .Values.formsflow.configmap }}" + - name: CUSTOM_SUBMISSION_ENABLED + valueFrom: + configMapKeyRef: + key: CUSTOM_SUBMISSION_ENABLED + name: "{{ .Values.formsflow.configmap }}" + - name: KEYCLOAK_ENABLE_CLIENT_AUTH + valueFrom: + configMapKeyRef: + key: KEYCLOAK_ENABLE_CLIENT_AUTH + name: "{{ .Values.formsflow.configmap }}" + - name: MULTI_TENANCY_ENABLED + valueFrom: + configMapKeyRef: + key: MULTI_TENANCY_ENABLED + name: "{{ .Values.formsflow.configmap }}" + - name: FORMSFLOW_DOC_API_URL + valueFrom: + configMapKeyRef: + key: FORMSFLOW_DOC_API_URL + name: "{{ .Values.formsflow.configmap }}" + - name: CONFIGURE_LOGS + valueFrom: + configMapKeyRef: + key: CONFIGURE_LOGS + name: "{{ .Values.formsflow.configmap }}" + - name: KEYCLOAK_URL_HTTP_RELATIVE_PATH + valueFrom: + configMapKeyRef: + key: KEYCLOAK_URL_HTTP_RELATIVE_PATH + name: "{{ .Values.formsflow.configmap }}" + - name: REDIS_URL + valueFrom: + configMapKeyRef: + key: REDIS_URL + name: "{{ .Values.formsflow.configmap }}" + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 8 }} + {{- end }} + {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.containerPorts.http }} + protocol: TCP + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: documents-logs + mountPath: /forms-flow-documents/app/logs + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + - name: nginx + image: {{ include "forms-flow-documents-api.nginx.image" . }} + ports: + - containerPort: {{ .Values.ingress.servicePort }} + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf volumes: - name: documents-logs - - name: documents-filebeat + emptyDir: {} + - name: nginx-config-volume configMap: - name: "{{ .Chart.Name }}-fb-config" - {{- end }} - restartPolicy: Always - imagePullSecrets: - - name: "{{ .Values.formsflow.auth }}" \ No newline at end of file + name: forms-flow-documents-api-nginx-config + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + restartPolicy: Always \ No newline at end of file diff --git a/charts/forms-flow-documents-api/templates/hpa.yaml b/charts/forms-flow-documents-api/templates/hpa.yaml index 6097cf6d..bf6a7341 100644 --- a/charts/forms-flow-documents-api/templates/hpa.yaml +++ b/charts/forms-flow-documents-api/templates/hpa.yaml @@ -1,20 +1,61 @@ -{{- if .Values.hpa.enabled}} -apiVersion: autoscaling/v2 +{{- if .Values.autoscaling.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} kind: HorizontalPodAutoscaler metadata: - name: {{ .Chart.Name }} + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-documents-api + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ .Chart.Name }} - minReplicas: 1 - maxReplicas: {{.Values.hpa.maxReplicas}} + apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} + kind: StatefulSet + name: {{ template "common.names.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: + {{- if .Values.autoscaling.targetCPU }} - type: Resource resource: name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- else }} target: type: Utilization - averageUtilization: {{.Values.hpa.CpuAverageUtilization}} -{{- end}} \ No newline at end of file + averageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- end }} + {{- end }} + {{- if .Values.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- end }} + {{- end }} + {{- if or .Values.autoscaling.behavior.scaleDown.policies .Values.autoscaling.behavior.scaleUp.policies }} + behavior: + {{- if .Values.autoscaling.behavior.scaleDown.policies }} + scaleDown: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleDown.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleDown.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleDown.policies | nindent 8 }} + {{- end }} + {{- if .Values.autoscaling.behavior.scaleUp.policies }} + scaleUp: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleUp.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleUp.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleUp.policies | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-documents-api/templates/ingress.yaml b/charts/forms-flow-documents-api/templates/ingress.yaml index 081bd3bb..db29d611 100644 --- a/charts/forms-flow-documents-api/templates/ingress.yaml +++ b/charts/forms-flow-documents-api/templates/ingress.yaml @@ -1,35 +1,56 @@ -apiVersion: networking.k8s.io/v1 +{{- if .Values.ingress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: - annotations: -{{ toYaml .Values.ingress.annotations | indent 4 }} - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-documents-api + {{- if or .Values.ingress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: - ingressClassName: {{ .Values.ingress.ingressClassName }} - {{- if or (and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} + {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.ingress.hostname }} + - host: {{ (tpl .Values.ingress.hostname .) | quote }} + http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ include "common.tplvalues.render" ( dict "value" .Values.ingress.path "context" $) }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} + - host: {{ (tpl .name $) }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} tls: - {{- if and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.secrets .Values.ingress.selfSigned) }} + {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.secrets .Values.ingress.selfSigned) }} - hosts: - {{ (tpl .Values.ingress.hostname .) | quote }} secretName: {{ printf "%s-tls" (tpl .Values.ingress.hostname .) }} - {{- else }} - - {} - {{- end}} - {{- else }} - tls: - - {} - {{- end}} - rules: - - - host: "{{tpl .Values.ingress.hostname .}}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ .Chart.Name }} - port: - number: {{ .Values.ingress.port }} + {{- end }} + {{- if .Values.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-documents-api/templates/pdb.yaml b/charts/forms-flow-documents-api/templates/pdb.yaml new file mode 100644 index 00000000..3e5a4c28 --- /dev/null +++ b/charts/forms-flow-documents-api/templates/pdb.yaml @@ -0,0 +1,21 @@ +{{- if .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-documents-api/templates/proxy-config.yaml b/charts/forms-flow-documents-api/templates/proxy-config.yaml new file mode 100644 index 00000000..32a8b0ae --- /dev/null +++ b/charts/forms-flow-documents-api/templates/proxy-config.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }}-nginx-config + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-documents-api + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + nginx.conf: | + events { worker_connections 1024; } + http { + server { + listen {{ .Values.ingress.servicePort }}; + location /docapi { + sub_filter ="/docapi/swaggerui/ ="/docapi/swaggerui/; + sub_filter_once off; + sub_filter_types application/javascript text/css text/xml text/javascript application/json text/plain; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header SCRIPT_NAME /docapi; + proxy_pass http://localhost:{{ .Values.containerPorts.http }}; + } + } + } + pid /tmp/nginx.pid; \ No newline at end of file diff --git a/charts/forms-flow-documents-api/templates/service.yaml b/charts/forms-flow-documents-api/templates/service.yaml index c627b2f8..18897c86 100644 --- a/charts/forms-flow-documents-api/templates/service.yaml +++ b/charts/forms-flow-documents-api/templates/service.yaml @@ -1,12 +1,34 @@ apiVersion: v1 kind: Service metadata: - name: "{{ .Chart.Name }}" + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} ports: - - name: "{{ .Chart.Name }}" - port: {{ .Values.ingress.port }} - protocol: TCP - targetPort: {{ .Values.ingress.port }} - selector: - app: "{{ .Chart.Name }}" + {{- include "common.tplvalues.render" (dict "value" .Values.service.ports "context" $) | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} diff --git a/charts/forms-flow-documents-api/templates/serviceaccount.yaml b/charts/forms-flow-documents-api/templates/serviceaccount.yaml new file mode 100644 index 00000000..fb1eb65c --- /dev/null +++ b/charts/forms-flow-documents-api/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "forms-flow-documents-api.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} \ No newline at end of file diff --git a/charts/forms-flow-documents-api/values.yaml b/charts/forms-flow-documents-api/values.yaml index 6ffa5142..fd418f2d 100644 --- a/charts/forms-flow-documents-api/values.yaml +++ b/charts/forms-flow-documents-api/values.yaml @@ -1,6 +1,380 @@ ---- -Domain: # -replicas: 1 +replicaCount: 1 +image: + registry: docker.io + repository: formsflow/forms-flow-documents-api + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "v7.0.0" + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: + - forms-flow-ai-auth +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} + +nodeSelector: {} +## @param tolerations Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param nodeSelector Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param priorityClassName Pod priority +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" +## @param schedulerName Name of the k8s scheduler (other than default) +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param terminationGracePeriodSeconds In seconds, time the given to the forms-flow-documents-api pod needs to terminate gracefully +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +terminationGracePeriodSeconds: "" +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment +## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## The value is evaluated as a template +## +topologySpreadConstraints: [] + +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +hostAliases: [] + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + ## @param automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false +## @param podAnnotations Pod annotations +## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param podLabels Extra labels for forms-flow-documents-api pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + +## K8s Security Context for forms-flow-documents-api pods +## Configure Pods Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled forms-flow-documents-api pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Set forms-flow-documents-api pod's Security Context fsGroup +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 +## Configure Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: false + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## @param command Override default container command (useful when using custom images) +## +command: [] +## @param args Override default container args (useful when using custom images) +## +args: [] +## @param lifecycleHooks for the forms-flow-documents-api container(s) to automate configuration before or after startup +## +lifecycleHooks: {} +automountServiceAccountToken: true +## @param extraEnvVars Extra environment variables to be set on formsflow documents-api container +## Example: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: [] +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraVolumes Array to add extra volumes (evaluated as a template) +## extraVolumes: +## - name: myvolume +## configMap: +## name: myconfigmap +## +extraVolumes: {} +## @param extraVolumeMounts Array to add extra mounts (normally used with extraVolumes, evaluated as a template) +## extraVolumeMounts: +## - mountPath: /opt/bitnami/desired-path +## name: myvolume +## readOnly: true +## +extraVolumeMounts: {} + + + +## sidecars configuration +sidecars: {} +ExtraContainer: + ## nginx configuration for sidecar + image: + registry: docker.io + repository: nginxinc/nginx-unprivileged + pullPolicy: IfNotPresent + tag: "latest" + +## @param auth.existingSecret Existing secret containing password,username,dbname and + ## +auth: + existingSecret: "" + annotations: {} +## @param updateStrategy.type Set up update strategy for forms-flow-documents-api installation. +## Set to Recreate if you use persistent volume that cannot be mounted by more than one pods to make sure the pods is destroyed first. +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## Example: +## updateStrategy: +## type: RollingUpdate +## rollingUpdate: +## maxSurge: 25% +## maxUnavailable: 25% +## +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + + +## forms-flow-documents-api ingress parameters +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress record generation for forms-flow-documents-api + ## + enabled: true + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.controller The ingress controller type. Currently supports `default` and `gce` + ## leave as `default` for most ingress controllers. + ## set to `gce` if using the GCE ingress controller + ## + controller: default + ## @param ingress.hostname Default host for the ingress record (evaluated as template) + ## + hostname: forms-flow-documents-api.local + ## @param ingress.path [string] Default path for the ingress record (evaluated as template) + ## + path: "/docapi" + ## @param ingress.servicePort Backend service port to use + ## Default is http. Alternative is https. + ## + servicePort: 8080 + ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.labels Additional labels for the Ingress resource. + ## e.g: + ## labels: + ## app: forms-flow-documents-api + ## + labels: {} + ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}` + ## You can: + ## - Use the `ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## + tls: true + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: forms-flow-documents-api.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. + ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - forms-flow-documents-api.local + ## secretName: forms-flow-documents-api.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## - name: forms-flow-documents-api.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: airflow.local + ## http: + ## path: / + ## backend: + ## service: + ## name: airflow-svc + ## port: + ## name: http + ## + extraRules: [] +## forms-flow-documents-api admin ingress parameters +## ref: https://kubernetes.io/docs/user-guide/ingress/ +## +## Pod disruption budget configuration +## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +## @param pdb.create If true, create a pod disruption budget for pods. +## @param pdb.minAvailable Minimum number / percentage of pods that should remain scheduled +## @param pdb.maxUnavailable Maximum number / percentage of pods that may be made unavailable +## +pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## forms-flow-documents-api containers' resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "small" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## resources: limits: cpu: 200m @@ -8,28 +382,133 @@ resources: requests: cpu: 100m memory: 512Mi +## @param customStartupProbe Custom startup probe for the Web component +## + +## @param customStartupProbe Custom startup probe for the Web component +## +customStartupProbe: {} +## @param customLivenessProbe Custom liveness probe for the Web component +## +customLivenessProbe: {} +## @param customReadinessProbe Custom readiness probe for the Web component +## +customReadinessProbe: {} +## Service parameters +## +service: + ## @param service.type Kubernetes service type (`ClusterIP`, `NodePort`, or `LoadBalancer`) + ## + type: ClusterIP + ## @param service.ports [array] forms-flow-documents-api service ports (evaluated as a template) + ## + ports: + - name: http + port: 5006 + targetPort: http + protocol: TCP + - name: nginx + port: 8080 + targetPort: 8080 + protocol: TCP + ## - name: system + ## port: 1764 + ## + ## @param service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalTrafficPolicy External traffic policy, configure to Local to preserve client source IP when using an external loadBalancer + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: "" + ## @param service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.annotations Annotations for forms-flow-documents-api service + ## + annotations: {} + ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param service.headless.annotations Annotations for the headless service. + ## + annotations: {} + +configuration: [] + +containerPorts: + http: 5006 +## forms-flow-documents-api Autoscaling configuration +## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +## @param autoscaling.enabled Enable autoscaling for forms-flow-documents-api +## @param autoscaling.minReplicas Minimum number of forms-flow-documents-api replicas +## @param autoscaling.maxReplicas Maximum number of forms-flow-documents-api replicas +## @param autoscaling.targetCPU Target CPU utilization percentage +## @param autoscaling.targetMemory Target Memory utilization percentage +## +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPU: "" + targetMemory: "" + ## HPA Scaling Behavior + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior + ## + behavior: + ## HPA behavior when scaling up + ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up + ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up + ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up + ## e.g: + ## Policy to scale 20% of the pod in 60s + ## - type: Percent + ## value: 20 + ## periodSeconds: 60 + ## + scaleUp: + stabilizationWindowSeconds: 120 + selectPolicy: Max + policies: [] + ## HPA behavior when scaling down + ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down + ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down + ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down + ## e.g: + ## Policy to scale one pod in 300s + ## - type: Pods + ## value: 1 + ## periodSeconds: 300 + ## + scaleDown: + stabilizationWindowSeconds: 300 + selectPolicy: Max + policies: + - type: Pods + value: 1 + periodSeconds: 300 formsflow: configmap: forms-flow-ai # name of formsflow.ai configmap - secret: forms-flow-ai #name of formsflow.ai secret - auth: forms-flow-ai-auth -ingress: - ingressClassName: "" - annotations: - enabled: true # create an ingress for this component - hostname: "{{.Chart.Name}}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}" - port: 5006 - tls: true - selfSigned: false - extraTls: - - {} -image: - registry: docker.io - repository: formsflow/forms-flow-documents-api - tag: v6.0.2 #The image tag to pull from -hpa: - enabled: false - CpuAverageUtilization: 80 - maxReplicas: 3 -elastic_search: - enabled: false \ No newline at end of file + secret: forms-flow-ai #name of formsflow.ai secret \ No newline at end of file diff --git a/charts/forms-flow-forms/.helmignore b/charts/forms-flow-forms/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/forms-flow-forms/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/forms-flow-forms/Chart.yaml b/charts/forms-flow-forms/Chart.yaml index f9e1c163..f92701e4 100644 --- a/charts/forms-flow-forms/Chart.yaml +++ b/charts/forms-flow-forms/Chart.yaml @@ -1,5 +1,13 @@ ---- apiVersion: v2 name: forms-flow-forms -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file +description: forms-flow-forms is a component which leverages form.io to build "serverless" data management applications using a simple drag-and-drop form builder interface and its provided by formsflow. +icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" +version: v8.0.0 +type: application +appVersion: "8.0.0" +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x diff --git a/charts/forms-flow-forms/README.md b/charts/forms-flow-forms/README.md new file mode 100644 index 00000000..59f8052e --- /dev/null +++ b/charts/forms-flow-forms/README.md @@ -0,0 +1,224 @@ +# Form Management Platform + +formsflow.ai leverages form.io to build "serverless" data management applications using a simple drag-and-drop form builder interface. + +To know more about form.io, go to https://form.io. + +## Introduction + +This chart bootstraps a forms-flow-forms deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + + +## Installing the Chart + +To install the chart with the release name `forms-flow-forms`: + +```console +helm install forms-flow-forms forms-flow-forms +``` + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm install forms-flow-forms forms-flow-forms --set ingress.ingressClassName=INGRESS_CLASS --set ingress.hostname=HOSTNAME +``` + +> Note: You need to substitute the placeholders `INGRESS_CLASS`, `HOSTNAME` with a reference to your Helm chart registry and repository. For example, in the case of Formsflow, you need to use `INGRESS_CLASS=nginx` + +These commands deploy Forms-flow-forms on the Kubernetes cluster + +> **Tip**: List all releases using `helm list` + +### Resource requests and limits + +Forms-flow-forms charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +```yaml +resources: + limits: + cpu: 200m + memory: 1Gi + requests: + cpu: 100m + memory: 512Mi +``` + +### Change Forms-flow-forms version + +To modify the Forms-flow-forms version used in this chart you can specify a [valid image tag](https://hub.docker.com/repository/docker/formsflow/forms-flow-forms) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. + +```yaml +image: + registry: docker.io + repository: formsflow/forms-flow-forms + tag: X.Y.Z +``` +## Persistence + +The `forms-flow-forms` image stores the application logs at the `/app/logs` path of the container. + +## Sidecar Configuration + +To add a sidecar to your `Forms-flow-forms` deployment, you can use the following configuration. In this case, the sidecar container is an Nginx container used for configuration management. + +### Example Sidecar Configuration + +```yaml +sidecars: + - name: nginx + image: nginx:latest + ports: + - containerPort: 80 + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf +``` + +## Path Update +The `Forms-flow-forms` can now be accessed at the `/formio` route. Ensure that all configurations and requests reference this updated path. + +For example: + +``` +https:///formio +``` +## Parameters + +| Parameter | Description | Default Value | +|------------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `replicaCount` | Number of replicas for the deployment. | `1` | +| `image.registry` | Docker registry for the application image. | `docker.io` | +| `image.repository` | Repository for the application image. | `formsflow/forms-flow-forms` | +| `image.pullPolicy` | Image pull policy. | `IfNotPresent` | +| `image.tag` | Tag of the application image. | `v7.0.0` | +| `image.pullSecrets` | Array of image pull secrets. | `["forms-flow-ai-auth"]` | +| `nameOverride` | Override for the application name. | `""` | +| `fullnameOverride` | Override for the full application name. | `""` | +| `commonLabels` | Common labels to apply to all resources. | `{}` | +| `commonAnnotations` | Common annotations to apply to all resources. | `{}` | +| `nodeSelector` | Node selector for pod scheduling. | `{}` | +| `tolerations` | Tolerations for pod scheduling. | `[]` | +| `affinity` | Affinity settings for pod scheduling. | `{}` | +| `priorityClassName` | Priority class name for the pods. | `""` | +| `schedulerName` | Custom scheduler name for the deployment. | `""` | +| `terminationGracePeriodSeconds` | Termination grace period for pods. | `""` | +| `topologySpreadConstraints` | Constraints to spread pods across topology domains. | `[]` | +| `diagnosticMode.enabled` | Enable or disable diagnostic mode for the deployment. | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment. | `["sleep"]` | +| `diagnosticMode.args` | Arguments to override all containers in the deployment. | `["infinity"]` | +| `podSecurityContext.enabled` | Enable or disable pod security context. | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Policy for changing the filesystem group. | `Always` | +| `podSecurityContext.sysctls` | Sysctl settings for the pod. | `[]` | +| `podSecurityContext.supplementalGroups` | Supplemental groups for the pod. | `[]` | +| `podSecurityContext.fsGroup` | Filesystem group for the pod. | `1001` | +| `containerSecurityContext.enabled` | Enable or disable container security context. | `true` | +| `containerSecurityContext.seLinuxOptions`| SELinux options for the container. | `{}` | +| `containerSecurityContext.runAsUser` | User ID to run the container. | `1001` | +| `containerSecurityContext.runAsGroup` | Group ID to run the container. | `1001` | +| `containerSecurityContext.runAsNonRoot` | Ensure the container does not run as root. | `false` | +| `containerSecurityContext.privileged` | Enable privileged mode for the container. | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Enable read-only root filesystem for the container. | `false` | +| `containerSecurityContext.allowPrivilegeEscalation` | Allow privilege escalation for the container. | `false` | +| `containerSecurityContext.capabilities.drop` | Capabilities to drop from the container. | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Seccomp profile type for the container. | `RuntimeDefault` | +| `command` | Override default container command (useful when using custom images). | `[]` | +| `args` | Override default container args (useful when using custom images). | `[]` | +| `lifecycleHooks` | Lifecycle hooks for the container(s) to automate configuration before or after startup. | `{}` | +| `automountServiceAccountToken` | Specify whether the service account token should be automatically mounted. | `true` | +| `extraEnvVars` | Extra environment variables for the container. | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars. | `""` | +| `extraVolumes` | Extra volumes to attach to the pod. | `{}` | +| `extraVolumeMounts` | Extra volume mounts for the containers. | `{}` | +| `auth.existingSecret` | Existing secret containing password, username, and database name. | `""` | +| `auth.annotations` | Annotations for the auth settings. | `{}` | +| `updateStrategy.type` | Update strategy for the deployment. | `RollingUpdate` | +| `updateStrategy.rollingUpdate.maxSurge` | Maximum number of pods that can be created above the desired number of pods. | `25%` | +| `updateStrategy.rollingUpdate.maxUnavailable` | Maximum number of pods that can be unavailable during the update. | `25%` | +| `rbac.create` | Create RBAC roles and bindings for the application. | `false` | +| `rbac.rules` | RBAC rules to apply for the application. | `[]` | +| `pdb.create` | Create a Pod Disruption Budget for the application. | `true` | +| `pdb.minAvailable` | Minimum number of pods that must be available during a disruption. | `""` | +| `pdb.maxUnavailable` | Maximum number of pods that can be unavailable during a disruption. | `""` | +| `livenessProbe.enabled` | Enable liveness probe for the application. | `true` | +| `livenessProbe.failureThreshold` | Number of failures before the pod is considered unhealthy. | `5` | +| `livenessProbe.initialDelaySeconds` | Initial delay before starting liveness checks. | `120` | +| `livenessProbe.periodSeconds` | Frequency of liveness checks. | `60` | +| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful. | `1` | +| `livenessProbe.timeoutSeconds` | Timeout for liveness checks. | `3` | +| `readinessProbe.enabled` | Enable readiness probe for the application. | `true` | +| `readinessProbe.failureThreshold` | Number of failures before the pod is considered not ready. | `5` | +| `readinessProbe.initialDelaySeconds` | Initial delay before starting readiness checks. | `120` | +| `readinessProbe.periodSeconds` | Frequency of readiness checks. | `60` | +| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful. | `1` | +| `readinessProbe.timeoutSeconds` | Timeout for readiness checks. | `3` | +| `customStartupProbe` | Custom startup probe for the application. | `{}` | +| `customLivenessProbe` | Custom liveness probe for the application. | `{}` | +| `customReadinessProbe` | Custom readiness probe for the application. | `{}` | +| `ExternalAuth.ExistingMailAuthKey` | Existing key for mail authentication. | `""` | +| `ExternalAuth.ExistingPwdAuthKey` | Existing key for password authentication. | `""` | +| `ExternalAuth.ExistingSecretName` | Name of the existing secret for external authentication. | `""` | +| `formsflow.configmap` | Name of the Formsflow configmap for integration environment variables. | `forms-flow-ai` | +| `formsflow.secret` | Name of the Formsflow secret for integration environment variables. | `forms-flow-ai` | +| `autoscaling.enabled` | Enable autoscaling for the application. | `false` | +| `autoscaling.minReplicas` | Minimum number of replicas for the application. | `1` | +| `autoscaling.maxReplicas` | Maximum number of replicas for the application. | `11` | +| `autoscaling.targetCPU` | Target CPU utilization percentage for autoscaling. | `""` | +| `autoscaling.targetMemory` | Target memory utilization percentage for autoscaling. | `""` | +| `autoscaling.behavior.scaleUp.stabilizationWindowSeconds` | Stabilization window for scaling up. | `120` | +| `autoscaling.behavior.scaleUp.selectPolicy` | Select policy for scaling up. | `Max` | +| `autoscaling.behavior.scaleUp.policies` | HPA scaling policies when scaling up. | `[]` | +| `autoscaling.behavior.scaleDown.stabilizationWindowSeconds` | Stabilization window for scaling down. | `300` | +| `autoscaling.behavior.scaleDown.selectPolicy` | Select policy for scaling down. | `Max` | +| `autoscaling.behavior.scaleDown.policies` | HPA scaling policies when scaling down. | `[{type: "Pods", value: 1, periodSeconds: 300}]` | + + +## Ingress Parameters + +| Parameter | Description | Default Value | +|-----------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `ingress.enabled` | Enable ingress record generation for the application. | `true` | +| `ingress.ingressClassName` | Ingress class name to use for the ingress resource. | `""` | +| `ingress.pathType` | Path type for the ingress resource. | `ImplementationSpecific` | +| `ingress.apiVersion` | API version for the ingress resource. | `""` | +| `ingress.controller` | Ingress controller to use. | `default` | +| `ingress.hostname` | Hostname for the ingress resource. | `forms-flow-forms.local` | +| `ingress.path` | Path for the ingress resource. | `/formio` | +| `ingress.servicePort` | Service port for the ingress resource. | `3001` | +| `ingress.annotations` | Annotations for the ingress resource. | `{}` | +| `ingress.labels` | Labels for the ingress resource. | `{}` | +| `ingress.tls` | Enable TLS for the ingress resource. | `true` | +| `ingress.selfSigned` | Create a self-signed TLS certificate for the ingress. | `false` | +| `ingress.extraHosts` | Additional hostnames for the ingress. | `[]` | +| `ingress.extraPaths` | Additional paths for the ingress. | `[]` | +| `ingress.extraTls` | Additional TLS settings for the ingress. | `[]` | +| `ingress.secrets` | TLS secrets for the ingress. | `[]` | +| `ingress.extraRules` | Extra rules for the ingress resource. | `[]` | + +## Resource Parameters + +| Parameter | Description | Default Value | +|-----------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `resourcesPreset` | Preset for resource requests and limits. | `small` | +| `resources.limits.cpu` | Maximum CPU limit for the pod. | `200m` | +| `resources.limits.memory` | Maximum memory limit for the pod. | `1Gi` | +| `resources.requests.cpu` | Requested CPU for the pod. | `100m` | +| `resources.requests.memory` | Requested memory for the pod. | `512Mi` | + +## Service Parameters + +| Parameter | Description | Default Value | +|-----------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `service.type` | Kubernetes service type (e.g., `ClusterIP`, `NodePort`, `LoadBalancer`). | `ClusterIP` | +| `service.ports` | Array of service ports for the application. | `[{name: "http", port: 3001, targetPort: "http", protocol: "TCP"}]` | +| `service.loadBalancerIP` | LoadBalancer IP if service type is `LoadBalancer`. | `""` | +| `service.loadBalancerSourceRanges` | Allowed source ranges for LoadBalancer service. | `[]` | +| `service.externalTrafficPolicy` | External traffic policy for the service. | `""` | +| `service.clusterIP` | Static clusterIP or `None` for headless services. | `""` | +| `service.annotations` | Annotations for the service. | `{}` | +| `service.sessionAffinity` | Session affinity for the service. | `None` | +| `service.sessionAffinityConfig` | Additional settings for session affinity. | `{}` | +| `service.headless.annotations` | Annotations for the headless service. | `{}` | + + + diff --git a/charts/forms-flow-forms/templates/_helpers.tpl b/charts/forms-flow-forms/templates/_helpers.tpl new file mode 100644 index 00000000..3de29208 --- /dev/null +++ b/charts/forms-flow-forms/templates/_helpers.tpl @@ -0,0 +1,93 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "forms-flow-forms.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "forms-flow-forms.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "forms-flow-forms.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "forms-flow-forms.labels" -}} +helm.sh/chart: {{ include "forms-flow-forms.chart" . }} +{{ include "forms-flow-forms.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "forms-flow-forms.selectorLabels" -}} +app.kubernetes.io/name: {{ include "forms-flow-forms.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "forms-flow-forms.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "forms-flow-forms.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "forms-flow-forms.imagePullSecrets" -}} +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created +*/}} +{{- define "forms-flow-forms.createConfigmap" -}} +{{- if and .Values.configuration (not .Values.existingConfigmap) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* + Return the proper forms-flow-bpm image name +*/}} +{{- define "forms-flow-forms.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper forms-flow-forms side car nginx image name +*/}} +{{- define "forms-flow-forms.nginx.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.ExtraContainer.image "global" .Values.global) }} +{{- end -}} \ No newline at end of file diff --git a/charts/forms-flow-forms/templates/configmap.yaml b/charts/forms-flow-forms/templates/configmap.yaml index 81019a65..87c8eff7 100644 --- a/charts/forms-flow-forms/templates/configmap.yaml +++ b/charts/forms-flow-forms/templates/configmap.yaml @@ -1,32 +1,12 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Chart.Name }} -data: - DEBUG: "formio:*" ---- -{{- if .Values.elastic_search.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Chart.Name }}-fb-config -data: - "filebeat.yml": |- - filebeat.inputs: - - type: log - enabled: true - paths: - - /app/logs/* - output.elasticsearch: - hosts: "${ELASTIC_SERVER}" - index: "forms-flow-forms-%{+yyyy.MM.dd}" - setup.template.name: "forms-flow-forms" - setup.template.pattern: "forms-flow-forms-*" - setup.template.overwrite: true - setup.template.enabled: false - setup.template.settings: - index.number_of_shards: 1 - setup.ilm.enabled: false -{{- end}} - +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-forms + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + DEBUG: "formio:*" \ No newline at end of file diff --git a/charts/forms-flow-forms/templates/deployment.yaml b/charts/forms-flow-forms/templates/deployment.yaml index 94135f72..950755a0 100644 --- a/charts/forms-flow-forms/templates/deployment.yaml +++ b/charts/forms-flow-forms/templates/deployment.yaml @@ -1,136 +1,209 @@ -apiVersion: apps/v1 +--- +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: - replicas: {{ .Values.replicas }} + replicas: {{ .Values.replicaCount }} + strategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: - app: {{ .Chart.Name }} - strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 25% - type: RollingUpdate + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} template: metadata: - labels: - app: {{ .Chart.Name }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + annotations: + {{- if (include "forms-flow-forms.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} spec: + {{- include "forms-flow-forms.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ template "forms-flow-forms.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} + {{- end }} containers: - {{- if .Values.elastic_search.enabled }} - - name: filebeat-forms - image: docker.elastic.co/beats/filebeat:7.14.0 - env: - - name: ELASTIC_SERVER + - name: forms-flow-forms + image: {{ include "forms-flow-forms.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: NODE_CONFIG valueFrom: configMapKeyRef: - key: ELASTIC_SERVER + key: NODE_CONFIG name: "{{ .Values.formsflow.configmap }}" - volumeMounts: - - name: forms-logs - mountPath: /app/logs - - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - name: forms-filebeat - {{- end}} - - env: - - name: NODE_CONFIG - valueFrom: - configMapKeyRef: - key: NODE_CONFIG - name: "{{ .Values.formsflow.configmap }}" - {{- if .Values.ExternalAuth.ExistingMailAuthKey }} - - name: ROOT_EMAIL - valueFrom: - secretKeyRef: - key: {{ .Values.ExternalAuth.ExistingMailAuthKey }} - name: "{{ .Values.ExternalAuth.ExistingSecretName }}" - {{- end }} - {{- if not .Values.ExternalAuth.ExistingMailAuthKey }} - - name: ROOT_EMAIL - valueFrom: - secretKeyRef: - key: FORMIO_ROOT_EMAIL - name: "{{ .Values.formsflow.secret }}" - {{- end }} - {{- if .Values.ExternalAuth.ExistingPwdAuthKey }} - - name: ROOT_PASSWORD - valueFrom: - secretKeyRef: - key: {{ .Values.ExternalAuth.ExistingPwdAuthKey }} - name: "{{ .Values.ExternalAuth.ExistingSecretName }}" - {{- end }} - {{- if not .Values.ExternalAuth.ExistingPwdAuthKey }} - - name: ROOT_PASSWORD - valueFrom: - secretKeyRef: - key: FORMIO_ROOT_PASSWORD - name: "{{ .Values.formsflow.secret }}" - {{- end }} - - name: FORMIO_JWT_SECRET - valueFrom: - secretKeyRef: - key: FORMIO_JWT_SECRET - name: "{{ .Values.formsflow.secret }}" - - name: FORMIO_DOMAIN - valueFrom: - configMapKeyRef: - key: FORMIO_DOMAIN - name: "{{ .Values.formsflow.configmap }}" - - name: MULTI_TENANCY_ENABLED - valueFrom: - configMapKeyRef: - key: MULTI_TENANCY_ENABLED - name: "{{ .Values.formsflow.configmap }}" - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: Always - livenessProbe: - failureThreshold: 10 - initialDelaySeconds: 120 - periodSeconds: 60 - successThreshold: 1 - tcpSocket: - port: 3001 - timeoutSeconds: 1 - name: {{ .Chart.Name }} - ports: - - containerPort: {{ int .Values.ingress.port }} - readinessProbe: - failureThreshold: 10 - initialDelaySeconds: 120 - periodSeconds: 60 - successThreshold: 1 - tcpSocket: - port: 3001 - timeoutSeconds: 1 - resources: - limits: - cpu: "{{ .Values.resources.limits.cpu }}" - memory: "{{ .Values.resources.limits.memory }}" - requests: - cpu: "{{ .Values.resources.requests.cpu }}" - memory: "{{ .Values.resources.requests.memory }}" - stdin: true - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - tty: true - {{- if .Values.elastic_search.enabled }} - volumeMounts: - - name: forms-logs - mountPath: /app/logs + {{- if .Values.ExternalAuth.ExistingMailAuthKey }} + - name: ROOT_EMAIL + valueFrom: + secretKeyRef: + key: {{ .Values.ExternalAuth.ExistingMailAuthKey }} + name: "{{ .Values.ExternalAuth.ExistingSecretName }}" + {{- end }} + {{- if not .Values.ExternalAuth.ExistingMailAuthKey }} + - name: ROOT_EMAIL + valueFrom: + secretKeyRef: + key: FORMIO_ROOT_EMAIL + name: "{{ .Values.formsflow.secret }}" + {{- end }} + {{- if .Values.ExternalAuth.ExistingPwdAuthKey }} + - name: ROOT_PASSWORD + valueFrom: + secretKeyRef: + key: {{ .Values.ExternalAuth.ExistingPwdAuthKey }} + name: "{{ .Values.ExternalAuth.ExistingSecretName }}" + {{- end }} + {{- if not .Values.ExternalAuth.ExistingPwdAuthKey }} + - name: ROOT_PASSWORD + valueFrom: + secretKeyRef: + key: FORMIO_ROOT_PASSWORD + name: "{{ .Values.formsflow.secret }}" + {{- end }} + - name: FORMIO_JWT_SECRET + valueFrom: + secretKeyRef: + key: FORMIO_JWT_SECRET + name: "{{ .Values.formsflow.secret }}" + - name: FORMIO_DOMAIN + valueFrom: + configMapKeyRef: + key: FORMIO_DOMAIN + name: "{{ .Values.formsflow.configmap }}" + - name: MULTI_TENANCY_ENABLED + valueFrom: + configMapKeyRef: + key: MULTI_TENANCY_ENABLED + name: "{{ .Values.formsflow.configmap }}" + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 8 }} + {{- end }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.containerPorts.http }} + protocol: TCP + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} + livenessProbe: + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + tcpSocket: + port: 3001 + {{- end }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} + readinessProbe: + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + tcpSocket: + port: 3001 + {{- end }} + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + tty: true + stdin: true + volumeMounts: + - name: forms-logs + mountPath: /app/logs + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + - name: nginx + image: {{ include "forms-flow-forms.nginx.image" . }} + ports: + - containerPort: {{ .Values.ingress.servicePort }} + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf volumes: - name: forms-logs - - name: forms-filebeat + emptyDir: {} + - name: nginx-config-volume configMap: - name: "{{ .Chart.Name }}-fb-config" - {{- end}} - imagePullSecrets: - - name: "{{ .Values.formsflow.auth }}" - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 + name: forms-flow-forms-nginx-config + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + restartPolicy: Always \ No newline at end of file diff --git a/charts/forms-flow-forms/templates/hpa.yaml b/charts/forms-flow-forms/templates/hpa.yaml index 6097cf6d..6f0f2b9f 100644 --- a/charts/forms-flow-forms/templates/hpa.yaml +++ b/charts/forms-flow-forms/templates/hpa.yaml @@ -1,20 +1,61 @@ -{{- if .Values.hpa.enabled}} -apiVersion: autoscaling/v2 +{{- if .Values.autoscaling.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} kind: HorizontalPodAutoscaler metadata: - name: {{ .Chart.Name }} + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-forms + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ .Chart.Name }} - minReplicas: 1 - maxReplicas: {{.Values.hpa.maxReplicas}} + apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} + kind: StatefulSet + name: {{ template "common.names.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: + {{- if .Values.autoscaling.targetCPU }} - type: Resource resource: name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- else }} target: type: Utilization - averageUtilization: {{.Values.hpa.CpuAverageUtilization}} -{{- end}} \ No newline at end of file + averageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- end }} + {{- end }} + {{- if .Values.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- end }} + {{- end }} + {{- if or .Values.autoscaling.behavior.scaleDown.policies .Values.autoscaling.behavior.scaleUp.policies }} + behavior: + {{- if .Values.autoscaling.behavior.scaleDown.policies }} + scaleDown: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleDown.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleDown.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleDown.policies | nindent 8 }} + {{- end }} + {{- if .Values.autoscaling.behavior.scaleUp.policies }} + scaleUp: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleUp.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleUp.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleUp.policies | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-forms/templates/ingress.yaml b/charts/forms-flow-forms/templates/ingress.yaml index 081bd3bb..415974a9 100644 --- a/charts/forms-flow-forms/templates/ingress.yaml +++ b/charts/forms-flow-forms/templates/ingress.yaml @@ -1,35 +1,56 @@ -apiVersion: networking.k8s.io/v1 +{{- if .Values.ingress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: - annotations: -{{ toYaml .Values.ingress.annotations | indent 4 }} - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-forms + {{- if or .Values.ingress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: - ingressClassName: {{ .Values.ingress.ingressClassName }} - {{- if or (and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} + {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.ingress.hostname }} + - host: {{ (tpl .Values.ingress.hostname .) | quote }} + http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ include "common.tplvalues.render" ( dict "value" .Values.ingress.path "context" $) }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} + - host: {{ (tpl .name $) }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} tls: - {{- if and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.secrets .Values.ingress.selfSigned) }} + {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.secrets .Values.ingress.selfSigned) }} - hosts: - {{ (tpl .Values.ingress.hostname .) | quote }} secretName: {{ printf "%s-tls" (tpl .Values.ingress.hostname .) }} - {{- else }} - - {} - {{- end}} - {{- else }} - tls: - - {} - {{- end}} - rules: - - - host: "{{tpl .Values.ingress.hostname .}}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ .Chart.Name }} - port: - number: {{ .Values.ingress.port }} + {{- end }} + {{- if .Values.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-forms/templates/pdb.yaml b/charts/forms-flow-forms/templates/pdb.yaml new file mode 100644 index 00000000..3e5a4c28 --- /dev/null +++ b/charts/forms-flow-forms/templates/pdb.yaml @@ -0,0 +1,21 @@ +{{- if .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-forms/templates/proxy-config.yaml b/charts/forms-flow-forms/templates/proxy-config.yaml new file mode 100644 index 00000000..f8d43ab4 --- /dev/null +++ b/charts/forms-flow-forms/templates/proxy-config.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }}-nginx-config + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-forms + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + nginx.conf: | + events { worker_connections 1024; } + http { + server { + listen {{ .Values.ingress.servicePort }}; + location /formio/ { + rewrite ^/formio/(.*)$ /$1 break; + proxy_set_header Host $http_host; + proxy_set_header Authorization $http_authorization; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Content-Type application/json; + proxy_pass http://localhost:{{ .Values.containerPorts.http }}; + } + } + } + pid /tmp/nginx.pid; \ No newline at end of file diff --git a/charts/forms-flow-forms/templates/secret.yaml b/charts/forms-flow-forms/templates/secret.yaml deleted file mode 100644 index a1f1119c..00000000 --- a/charts/forms-flow-forms/templates/secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - app: "{{ .Chart.Name }}" - name: "{{ .Chart.Name }}" -stringData: diff --git a/charts/forms-flow-forms/templates/service.yaml b/charts/forms-flow-forms/templates/service.yaml index 69ab2c5d..18897c86 100644 --- a/charts/forms-flow-forms/templates/service.yaml +++ b/charts/forms-flow-forms/templates/service.yaml @@ -1,13 +1,34 @@ apiVersion: v1 kind: Service metadata: - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} ports: - - name: {{ .Chart.Name }} - port: {{.Values.ingress.port}} - targetPort: {{.Values.ingress.port}} - selector: - app: {{ .Chart.Name }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.ports "context" $) | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} diff --git a/charts/forms-flow-forms/templates/serviceaccount.yaml b/charts/forms-flow-forms/templates/serviceaccount.yaml new file mode 100644 index 00000000..d32e0e29 --- /dev/null +++ b/charts/forms-flow-forms/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "forms-flow-forms.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} \ No newline at end of file diff --git a/charts/forms-flow-forms/values.yaml b/charts/forms-flow-forms/values.yaml index 022b4697..7c5f679c 100644 --- a/charts/forms-flow-forms/values.yaml +++ b/charts/forms-flow-forms/values.yaml @@ -1,28 +1,391 @@ -Domain: # -replicas: 1 -ExternalAuth: - ExistingMailAuthKey: "" - ExistingPwdAuthKey: "" - ExistingSecretName: "" -formsflow: - configmap: forms-flow-ai #integration env vars - secret: forms-flow-ai # integration env vars secret - auth: forms-flow-ai-auth +replicaCount: 1 image: registry: docker.io repository: formsflow/forms-flow-forms - tag: v6.0.0 #The image tag to pull from - secret: "" + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "v7.0.0" + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: + - forms-flow-ai-auth +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} + +nodeSelector: {} +## @param tolerations Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param nodeSelector Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param priorityClassName Pod priority +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" +## @param schedulerName Name of the k8s scheduler (other than default) +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param terminationGracePeriodSeconds In seconds, time the given to the forms-flow-forms pod needs to terminate gracefully +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +terminationGracePeriodSeconds: "" +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment +## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## The value is evaluated as a template +## +topologySpreadConstraints: [] + +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +## @param hostAliases Add deployment host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + ## @param automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false +## @param podAnnotations Pod annotations +## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param podLabels Extra labels for forms-flow-forms pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + +## K8s Security Context for forms-flow-forms pods +## Configure Pods Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled forms-flow-forms pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Set forms-flow-forms pod's Security Context fsGroup +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 +## Configure Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: false + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## @param command Override default container command (useful when using custom images) +## +command: [] +## @param args Override default container args (useful when using custom images) +## +args: [] +## @param lifecycleHooks for the forms-flow-forms container(s) to automate configuration before or after startup +## +lifecycleHooks: {} +automountServiceAccountToken: true +## @param extraEnvVars Extra environment variables to be set on formsflow forms container +## Example: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: [] +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraVolumes Array to add extra volumes (evaluated as a template) +## extraVolumes: +## - name: myvolume +## configMap: +## name: myconfigmap +## +extraVolumes: {} +## @param extraVolumeMounts Array to add extra mounts (normally used with extraVolumes, evaluated as a template) +## extraVolumeMounts: +## - mountPath: /opt/bitnami/desired-path +## name: myvolume +## readOnly: true +## +extraVolumeMounts: {} + +## @param auth.existingSecret Existing secret containing password,username,dbname and + ## +auth: + existingSecret: "" + annotations: {} + +## @param updateStrategy.type Set up update strategy for forms-flow-forms installation. +## Set to Recreate if you use persistent volume that cannot be mounted by more than one pods to make sure the pods is destroyed first. +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## Example: +## updateStrategy: +## type: RollingUpdate +## rollingUpdate: +## maxSurge: 25% +## maxUnavailable: 25% +## +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% +## forms-flow-forms ingress parameters +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## ingress: + ## @param ingress.enabled Enable ingress record generation for forms-flow-forms + ## + enabled: true + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## ingressClassName: "" - annotations: - enabled: true # create an ingress for this component - hostname: "{{.Chart.Name}}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}" - port: 3001 + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.controller The ingress controller type. Currently supports `default` and `gce` + ## leave as `default` for most ingress controllers. + ## set to `gce` if using the GCE ingress controller + ## + controller: default + ## @param ingress.hostname Default host for the ingress record (evaluated as template) + ## + hostname: forms-flow-forms.local + ## @param ingress.path [string] Default path for the ingress record (evaluated as template) + ## + path: "/formio" + ## @param ingress.servicePort Backend service port to use + ## Default is http. Alternative is https. + ## + servicePort: 8080 + ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.labels Additional labels for the Ingress resource. + ## e.g: + ## labels: + ## app: forms-flow-forms + ## + labels: {} + ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}` + ## You can: + ## - Use the `ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## tls: true + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## selfSigned: false - extraTls: - - {} + ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: forms-flow-forms.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. + ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - forms-flow-forms.local + ## secretName: forms-flow-forms.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## - name: forms-flow-forms.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: airflow.local + ## http: + ## path: / + ## backend: + ## service: + ## name: airflow-svc + ## port: + ## name: http + ## + extraRules: [] +## forms-flow-forms admin ingress parameters +## ref: https://kubernetes.io/docs/user-guide/ingress/ +## + +## Specifies whether RBAC resources should be created +## +rbac: + ## @param rbac.create Whether to create and use RBAC resources or not + ## + create: false + ## @param rbac.rules Custom RBAC rules + ## Example: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] + +## Pod disruption budget configuration +## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +## @param pdb.create If true, create a pod disruption budget for pods. +## @param pdb.minAvailable Minimum number / percentage of pods that should remain scheduled +## @param pdb.maxUnavailable Maximum number / percentage of pods that may be made unavailable +## +pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## forms-flow-forms containers' resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "small" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +#resources: {} resources: limits: cpu: 200m @@ -30,9 +393,193 @@ resources: requests: cpu: 100m memory: 512Mi -hpa: - enabled: false - CpuAverageUtilization: 70 - maxReplicas: 3 -elastic_search: - enabled: false \ No newline at end of file +## @param livenessProbe.enabled Enable livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + failureThreshold: 5 + initialDelaySeconds: 120 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 3 +## @param readinessProbe.enabled Enable readinessProbe +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + failureThreshold: 5 + initialDelaySeconds: 120 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 3 +## @param customStartupProbe Custom startup probe for the Web component +## + +## @param customStartupProbe Custom startup probe for the Web component +## +customStartupProbe: {} +## @param customLivenessProbe Custom liveness probe for the Web component +## +customLivenessProbe: {} +## @param customReadinessProbe Custom readiness probe for the Web component +## +customReadinessProbe: {} +## Service parameters +## +service: + ## @param service.type Kubernetes service type (`ClusterIP`, `NodePort`, or `LoadBalancer`) + ## + type: ClusterIP + ## @param service.ports [array] forms-flow-forms service ports (evaluated as a template) + ## + ports: + - name: http + port: 3001 + targetPort: http + protocol: TCP + - name: nginx + port: 8080 + targetPort: 8080 + protocol: TCP + ## - name: system + ## port: 1764 + ## + ## @param service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalTrafficPolicy External traffic policy, configure to Local to preserve client source IP when using an external loadBalancer + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: "" + ## @param service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.annotations Annotations for forms-flow-forms service + ## + annotations: {} + ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param service.headless.annotations Annotations for the headless service. + ## + annotations: {} + +containerPorts: + http: 3001 + +## @param sidecars Add additional sidecar containers to the forms-flow-forms pod + ## Example: + ## sidecars: + ## - name: filebeat-admin + ## image: docker.elastic.co/beats/filebeat:7.14.0 + ## env: + ## - name: ELASTIC_SERVER + ## valueFrom: + ## configMapKeyRef: + ## key: ELASTIC_SERVER + ## name: "{{ .Values.formsflow.configmap }}" + ## volumeMounts: + ## - name: admin-logs + ## mountPath: /opt/app-root/logs + ## - mountPath: /usr/share/filebeat/filebeat.yml + ## subPath: filebeat.yml + ## name: admin-filebeat +## sidecars configuration +sidecars: {} +ExtraContainer: + ## nginx configuration for sidecar + image: + registry: docker.io + repository: nginxinc/nginx-unprivileged + pullPolicy: IfNotPresent + tag: "latest" + +configuration: [] + +## forms-flow-forms Autoscaling configuration +## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +## @param autoscaling.enabled Enable autoscaling for forms-flow-forms +## @param autoscaling.minReplicas Minimum number of forms-flow-forms replicas +## @param autoscaling.maxReplicas Maximum number of forms-flow-forms replicas +## @param autoscaling.targetCPU Target CPU utilization percentage +## @param autoscaling.targetMemory Target Memory utilization percentage +## +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPU: "" + targetMemory: "" + ## HPA Scaling Behavior + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior + ## + behavior: + ## HPA behavior when scaling up + ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up + ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up + ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up + ## e.g: + ## Policy to scale 20% of the pod in 60s + ## - type: Percent + ## value: 20 + ## periodSeconds: 60 + ## + scaleUp: + stabilizationWindowSeconds: 120 + selectPolicy: Max + policies: [] + ## HPA behavior when scaling down + ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down + ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down + ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down + ## e.g: + ## Policy to scale one pod in 300s + ## - type: Pods + ## value: 1 + ## periodSeconds: 300 + ## + scaleDown: + stabilizationWindowSeconds: 300 + selectPolicy: Max + policies: + - type: Pods + value: 1 + periodSeconds: 300 + +ExternalAuth: + ExistingMailAuthKey: "" + ExistingPwdAuthKey: "" + ExistingSecretName: "" +formsflow: + configmap: forms-flow-ai #integration env vars + secret: forms-flow-ai # integration env vars secret \ No newline at end of file diff --git a/charts/forms-flow-idm/.helmignore b/charts/forms-flow-idm/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/forms-flow-idm/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/forms-flow-idm/Chart.yaml b/charts/forms-flow-idm/Chart.yaml index b03267ac..9290e5bf 100644 --- a/charts/forms-flow-idm/Chart.yaml +++ b/charts/forms-flow-idm/Chart.yaml @@ -1,15 +1,14 @@ ---- apiVersion: v2 name: forms-flow-idm -version: v7.1.2 +version: v8.0.0 dependencies: - name: keycloak - version: 19.1.0 + version: 22.2.6 repository: "https://charts.bitnami.com/bitnami" - name: postgresql-ha condition: postgresql-ha.enabled - repository: https://charts.bitnami.com/bitnami - version: 14.2.16 + repository: oci://registry-1.docker.io/bitnamicharts + version: 15.x.x - name: common repository: oci://registry-1.docker.io/bitnamicharts version: 2.x.x diff --git a/charts/forms-flow-idm/README.md b/charts/forms-flow-idm/README.md new file mode 100644 index 00000000..2a810794 --- /dev/null +++ b/charts/forms-flow-idm/README.md @@ -0,0 +1,807 @@ + + +# Forms-flow-idm + +The **formsflow.ai** framework could be hooked up with any OpenID Connect compliant Identity Management Server. To date, we have only tested [Keycloak](https://github.com/keycloak/keycloak). + +## Introduction + +This chart bootstraps a forms-flow-idm deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## TL;DR + +```console +helm upgrade --install forms-flow-idm forms-flow-idm +``` + +## Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ + +## Installing the Chart + +> NOTE: If you are having an External Keycloak, then you don't have to install this chart. For references on formsflow realm configuration and support please check [here](https://github.com/AOT-Technologies/forms-flow-ai/blob/master/forms-flow-idm/realm-exports/Group%20based%20auth.json) + + +To install the chart with the release name `my-release`: + +```console +helm upgrade --install forms-flow-idm forms-flow-idm +``` + +> Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + + +```console +helm upgrade --install forms-flow-idm forms-flow-idm --set keycloak.ingress.hostname=KEYCLOAK_URL --set postgresql-ha.postgresql.podSecurityContext.enabled=true --set keycloak.ingress.ingressClassName=INGRESS_CLASS +``` + +These commands deploy a Keycloak application on the Kubernetes cluster in the default configuration. + +> **Tip**: List all releases using `helm list` + +## Configuration and installation details + +### Resource requests and limits + +Forms-flow-idm charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling vs Immutable tags](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Use an external database + +Sometimes, you may want to have Keycloak connect to an external PostgreSQL database rather than a database within your cluster - for example, when using a managed database service, or when running a single database server for all your applications. To do this, set the `postgresql.enabled` parameter to `false` and specify the credentials for the external database using the `externalDatabase.*` parameters. Here is an example: + +```text +postgresql.enabled=false +externalDatabase.host=myexternalhost +externalDatabase.user=myuser +externalDatabase.password=mypassword +externalDatabase.database=mydatabase +externalDatabase.port=5432 +``` + +> NOTE: Only PostgreSQL database server is supported as external database + +It is not supported but possible to run Keycloak with an external MSSQL database with the following settings: + +```yaml +externalDatabase: + host: "mssql.example.com" + port: 1433 + user: keycloak + database: keycloak + existingSecret: passwords +extraEnvVars: + - name: KC_DB # override values from the conf file + value: 'mssql' + - name: KC_DB_URL + value: 'jdbc:sqlserver://mssql.example.com:1433;databaseName=keycloak;' +``` + +### Importing and exporting a realm + +#### Importing a realm + +You can import a realm by setting the `KEYCLOAK_EXTRA_ARGS` to contain the `--import-realm` argument. + +This will import all `*.json` under `/opt/bitnami/keycloak/data/import` files as a realm into keycloak as per the +official documentation [here](https://www.keycloak.org/server/importExport#_importing_a_realm_from_a_directory). You +can supply the files by mounting a volume e.g. with docker compose as follows: + +```yaml +keycloak: + image: bitnami/keycloak:latest + volumes: + - /local/path/to/realms/folder:/opt/bitnami/keycloak/data/import +``` + +#### Exporting a realm + +You can export a realm through the GUI but it will not export users even the option is set, this is a known keycloak +[bug](https://github.com/keycloak/keycloak/issues/23970). + +By using the `kc.sh` script you can export a realm with users. Be sure to mount the export folder to a local folder: + +```yaml +keycloak: + image: bitnami/keycloak:latest + volumes: + - /local/path/to/export/folder:/export +``` + +Then open a terminal in the running keycloak container and run: + +```bash +kc.sh export --dir /export/ --users realm_file +```` + +This will export the all the realms with users to the `/export` folder. + +### Configure Ingress + +This chart provides support for Ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress-controller](https://github.com/bitnami/charts/tree/main/bitnami/nginx-ingress-controller) or [contour](https://github.com/bitnami/charts/tree/main/bitnami/contour) you can utilize the ingress controller to serve your application.To enable Ingress integration, set `ingress.enabled` to `true`. + +The most common scenario is to have one host name mapped to the deployment. In this case, the `ingress.hostname` property can be used to set the host name. The `ingress.tls` parameter can be used to add the TLS configuration for this host. + +However, it is also possible to have more than one host. To facilitate this, the `ingress.extraHosts` parameter (if available) can be set with the host names specified as an array. The `ingress.extraTLS` parameter (if available) can also be used to add the TLS configuration for extra hosts. + +> NOTE: For each host specified in the `ingress.extraHosts` parameter, it is necessary to set a name, path, and any annotations that the Ingress controller should know about. Not all annotations are supported by all Ingress controllers, but [this annotation reference document](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) lists the annotations supported by many popular Ingress controllers. + +Adding the TLS parameter (where available) will cause the chart to generate HTTPS URLs, and the application will be available on port 443. The actual TLS secrets do not have to be generated by this chart. However, if TLS is enabled, the Ingress record will not work until the TLS secret exists. + +[Learn more about Ingress controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/). + +### Configure admin Ingress + +In addition to the Ingress resource described above, this chart also provides the ability to define an Ingress for the admin area of Keycloak, for example the `master` realm. + +For this scenario, you can use the Keycloak Config CLI integration with the following values, where `keycloak-admin.example.com` is to be replaced by the actual hostname: + +```yaml +adminIngress: + enabled: true + hostname: keycloak-admin.example.com +keycloakConfigCli: + enabled: true + configuration: + master.json: | + { + "realm" : "master", + "attributes": { + "frontendUrl": "https://keycloak-admin.example.com" + } + } +``` + +### Configure TLS Secrets for use with Ingress + +This chart facilitates the creation of TLS secrets for use with the Ingress controller (although this is not mandatory). There are several common use cases: + +- Generate certificate secrets based on chart parameters. +- Enable externally generated certificates. +- Manage application certificates via an external service (like [cert-manager](https://github.com/jetstack/cert-manager/)). +- Create self-signed certificates within the chart (if supported). + +In the first two cases, a certificate and a key are needed. Files are expected in `.pem` format. + +Here is an example of a certificate file: + +> NOTE: There may be more than one certificate if there is a certificate chain. + +```text +-----BEGIN CERTIFICATE----- +MIID6TCCAtGgAwIBAgIJAIaCwivkeB5EMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +... +jScrvkiBO65F46KioCL9h5tDvomdU1aqpI/CBzhvZn1c0ZTf87tGQR8NK7v7 +-----END CERTIFICATE----- +``` + +Here is an example of a certificate key: + +```text +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAvLYcyu8f3skuRyUgeeNpeDvYBCDcgq+LsWap6zbX5f8oLqp4 +... +wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc= +-----END RSA PRIVATE KEY----- +``` + +- If using Helm to manage the certificates based on the parameters, copy these values into the `certificate` and `key` values for a given `*.ingress.secrets` entry. +- If managing TLS secrets separately, it is necessary to create a TLS secret with name `INGRESS_HOSTNAME-tls` (where INGRESS_HOSTNAME is a placeholder to be replaced with the hostname you set using the `*.ingress.hostname` parameter). +- If your cluster has a [cert-manager](https://github.com/jetstack/cert-manager) add-on to automate the management and issuance of TLS certificates, add to `*.ingress.annotations` the [corresponding ones](https://cert-manager.io/docs/usage/ingress/#supported-annotations) for cert-manager. +- If using self-signed certificates created by Helm, set both `*.ingress.tls` and `*.ingress.selfSigned` to `true`. + +### Use with ingress offloading SSL + +If your ingress controller has the SSL Termination, you should set `proxy` to `edge`. + +### Manage secrets and passwords + +This chart provides several ways to manage passwords: + +- Values passed to the chart: In this scenario, a new secret including all the passwords will be created during the chart installation. When upgrading, it is necessary to provide the secrets to the chart as shown below. Replace the KEYCLOAK_ADMIN_PASSWORD, POSTGRESQL_PASSWORD and POSTGRESQL_PVC placeholders with the correct passwords and PVC name. + +```console +helm upgrade keycloak bitnami/keycloak \ + --set auth.adminPassword=KEYCLOAK_ADMIN_PASSWORD \ + --set postgresql.postgresqlPassword=POSTGRESQL_PASSWORD \ + --set postgresql.persistence.existingClaim=POSTGRESQL_PVC +``` + +- An existing secret with all the passwords via the `existingSecret` parameter. + +### Add extra environment variables + +In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property. + +```yaml +extraEnvVars: + - name: KEYCLOAK_LOG_LEVEL + value: DEBUG +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values. + +### Use Sidecars and Init Containers + +If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. + +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). + +### Initialize a fresh instance + +The [Bitnami Keycloak](https://github.com/bitnami/containers/tree/main/bitnami/keycloak) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `initdbScripts` parameter as dict. + +In addition to this option, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the previous option. + +The allowed extensions is `.sh`. + +### Deploy extra resources + +There are cases where you may want to deploy extra objects, such a ConfigMap containing your app's configuration or some extra deployment with a micro service used by your app. For covering this case, the chart allows adding the full specification of other objects using the `extraDeploy` parameter. + +### Set Pod affinity + +This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. + +## Parameters + +### Global parameters + +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | + +### Common parameters + +| Name | Description | Value | +| ------------------------ | --------------------------------------------------------------------------------------- | --------------- | +| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | +| `nameOverride` | String to partially override common.names.fullname | `""` | +| `fullnameOverride` | String to fully override common.names.fullname | `""` | +| `namespaceOverride` | String to fully override common.names.namespace | `""` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `enableServiceLinks` | If set to false, disable Kubernetes service links in the pod spec | `true` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `dnsPolicy` | DNS Policy for pod | `""` | +| `dnsConfig` | DNS Configuration pod | `{}` | +| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the the statefulset | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the the statefulset | `["infinity"]` | + +### Keycloak parameters + +| Name | Description | Value | +| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------- | +| `image.registry` | Keycloak image registry | `REGISTRY_NAME` | +| `image.repository` | Keycloak image repository | `REPOSITORY_NAME/keycloak` | +| `image.digest` | Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | Keycloak image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Specify if debug logs should be enabled | `false` | +| `auth.adminUser` | Keycloak administrator user | `user` | +| `auth.adminPassword` | Keycloak administrator password for the new user | `""` | +| `auth.existingSecret` | Existing secret containing Keycloak admin password | `""` | +| `auth.passwordSecretKey` | Key where the Keycloak admin password is being stored inside the existing secret. | `""` | +| `auth.annotations` | Additional custom annotations for Keycloak auth secret object | `{}` | +| `customCaExistingSecret` | Name of the secret containing the Keycloak custom CA certificates. The secret will be mounted as a directory and configured using KC_TRUSTSTORE_PATHS. | `""` | +| `tls.enabled` | Enable TLS encryption. Required for HTTPs traffic. | `false` | +| `tls.autoGenerated` | Generate automatically self-signed TLS certificates. Currently only supports PEM certificates | `false` | +| `tls.existingSecret` | Existing secret containing the TLS certificates per Keycloak replica | `""` | +| `tls.usePem` | Use PEM certificates as input instead of PKS12/JKS stores | `false` | +| `tls.truststoreFilename` | Truststore filename inside the existing secret | `keycloak.truststore.jks` | +| `tls.keystoreFilename` | Keystore filename inside the existing secret | `keycloak.keystore.jks` | +| `tls.keystorePassword` | Password to access the keystore when it's password-protected | `""` | +| `tls.truststorePassword` | Password to access the truststore when it's password-protected | `""` | +| `tls.passwordsSecret` | Secret containing the Keystore and Truststore passwords. | `""` | +| `spi.existingSecret` | Existing secret containing the Keycloak truststore for SPI connection over HTTPS/TLS | `""` | +| `spi.truststorePassword` | Password to access the truststore when it's password-protected | `""` | +| `spi.truststoreFilename` | Truststore filename inside the existing secret | `keycloak-spi.truststore.jks` | +| `spi.passwordsSecret` | Secret containing the SPI Truststore passwords. | `""` | +| `spi.hostnameVerificationPolicy` | Verify the hostname of the server's certificate. Allowed values: "ANY", "WILDCARD", "STRICT". | `""` | +| `adminRealm` | Name of the admin realm | `master` | +| `production` | Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. | `false` | +| `proxyHeaders` | Set Keycloak proxy headers | `""` | +| `proxy` | reverse Proxy mode edge, reencrypt, passthrough or none | `""` | +| `httpRelativePath` | Set the path relative to '/' for serving resources. Useful if you are migrating from older version which were using '/auth/' | `/` | +| `configuration` | Keycloak Configuration. Auto-generated based on other parameters when not specified | `""` | +| `existingConfigmap` | Name of existing ConfigMap with Keycloak configuration | `""` | +| `extraStartupArgs` | Extra default startup args | `""` | +| `enableDefaultInitContainers` | Deploy default init containers | `true` | +| `initdbScripts` | Dictionary of initdb scripts | `{}` | +| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `""` | +| `command` | Override default container command (useful when using custom images) | `[]` | +| `args` | Override default container args (useful when using custom images) | `[]` | +| `extraEnvVars` | Extra environment variables to be set on Keycloak container | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` | + +### Keycloak statefulset parameters + +| Name | Description | Value | +| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `replicaCount` | Number of Keycloak replicas to deploy | `1` | +| `revisionHistoryLimitCount` | Number of controller revisions to keep | `10` | +| `containerPorts.http` | Keycloak HTTP container port | `8080` | +| `containerPorts.https` | Keycloak HTTPS container port | `8443` | +| `extraContainerPorts` | Optionally specify extra list of additional port-mappings for Keycloak container | `[]` | +| `statefulsetAnnotations` | Optionally add extra annotations on the statefulset resource | `{}` | +| `podSecurityContext.enabled` | Enabled Keycloak pods' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `podSecurityContext.fsGroup` | Set Keycloak pod's Security Context fsGroup | `1001` | +| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` | +| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `livenessProbe.enabled` | Enable livenessProbe on Keycloak containers | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `300` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `1` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe on Keycloak containers | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `startupProbe.enabled` | Enable startupProbe on Keycloak containers | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `5` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `60` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Custom Liveness probes for Keycloak | `{}` | +| `customReadinessProbe` | Custom Rediness probes Keycloak | `{}` | +| `customStartupProbe` | Custom Startup probes for Keycloak | `{}` | +| `lifecycleHooks` | LifecycleHooks to set additional configuration at startup | `{}` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `true` | +| `hostAliases` | Deployment pod host aliases | `[]` | +| `podLabels` | Extra labels for Keycloak pods | `{}` | +| `podAnnotations` | Annotations for Keycloak pods | `{}` | +| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `podManagementPolicy` | Pod management policy for the Keycloak statefulset | `Parallel` | +| `priorityClassName` | Keycloak pods' Priority Class Name | `""` | +| `schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | +| `terminationGracePeriodSeconds` | Seconds Keycloak pod needs to terminate gracefully | `""` | +| `updateStrategy.type` | Keycloak statefulset strategy type | `RollingUpdate` | +| `updateStrategy.rollingUpdate` | Keycloak statefulset rolling update configuration parameters | `{}` | +| `minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | +| `extraVolumes` | Optionally specify extra list of additional volumes for Keycloak pods | `[]` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Keycloak container(s) | `[]` | +| `initContainers` | Add additional init containers to the Keycloak pods | `[]` | +| `sidecars` | Add additional sidecar containers to the Keycloak pods | `[]` | + +### Exposure parameters + +| Name | Description | Value | +| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `service.type` | Kubernetes service type | `ClusterIP` | +| `service.http.enabled` | Enable http port on service | `true` | +| `service.ports.http` | Keycloak service HTTP port | `80` | +| `service.ports.https` | Keycloak service HTTPS port | `443` | +| `service.nodePorts` | Specify the nodePort values for the LoadBalancer and NodePort service types. | `{}` | +| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.clusterIP` | Keycloak service clusterIP IP | `""` | +| `service.loadBalancerIP` | loadBalancerIP for the SuiteCRM Service (optional, cloud specific) | `""` | +| `service.loadBalancerSourceRanges` | Address that are allowed when service is LoadBalancer | `[]` | +| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `service.annotations` | Additional custom annotations for Keycloak service | `{}` | +| `service.extraPorts` | Extra port to expose on Keycloak service | `[]` | +| `service.extraHeadlessPorts` | Extra ports to expose on Keycloak headless service | `[]` | +| `service.headless.annotations` | Annotations for the headless service. | `{}` | +| `service.headless.extraPorts` | Extra ports to expose on Keycloak headless service | `[]` | +| `ingress.enabled` | Enable ingress record generation for Keycloak | `false` | +| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | +| `ingress.controller` | The ingress controller type. Currently supports `default` and `gce` | `default` | +| `ingress.hostname` | Default host for the ingress record (evaluated as template) | `keycloak.local` | +| `ingress.hostnameStrict` | Disables dynamically resolving the hostname from request headers. | `false` | +| `ingress.path` | Default path for the ingress record (evaluated as template) | `""` | +| `ingress.servicePort` | Backend service port to use | `http` | +| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `ingress.labels` | Additional labels for the Ingress resource. | `{}` | +| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` | +| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `ingress.extraPaths` | Any additional arbitrary paths that may need to be added to the ingress under the main host. | `[]` | +| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` | +| `ingress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` | +| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| `adminIngress.enabled` | Enable admin ingress record generation for Keycloak | `false` | +| `adminIngress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `adminIngress.pathType` | Ingress path type | `ImplementationSpecific` | +| `adminIngress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | +| `adminIngress.controller` | The ingress controller type. Currently supports `default` and `gce` | `default` | +| `adminIngress.hostname` | Default host for the admin ingress record (evaluated as template) | `keycloak.local` | +| `adminIngress.path` | Default path for the admin ingress record (evaluated as template) | `""` | +| `adminIngress.servicePort` | Backend service port to use | `http` | +| `adminIngress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `adminIngress.labels` | Additional labels for the Ingress resource. | `{}` | +| `adminIngress.tls` | Enable TLS configuration for the host defined at `adminIngress.hostname` parameter | `false` | +| `adminIngress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `adminIngress.extraHosts` | An array with additional hostname(s) to be covered with the admin ingress record | `[]` | +| `adminIngress.extraPaths` | Any additional arbitrary paths that may need to be added to the admin ingress under the main host. | `[]` | +| `adminIngress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` | +| `adminIngress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` | +| `adminIngress.extraRules` | Additional rules to be covered with this ingress record | `[]` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | + +### RBAC parameter + +| Name | Description | Value | +| --------------------------------------------- | --------------------------------------------------------- | ------- | +| `serviceAccount.create` | Enable the creation of a ServiceAccount for Keycloak pods | `true` | +| `serviceAccount.name` | Name of the created ServiceAccount | `""` | +| `serviceAccount.automountServiceAccountToken` | Auto-mount the service account token in the pod | `false` | +| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +| `serviceAccount.extraLabels` | Additional labels for the ServiceAccount | `{}` | +| `rbac.create` | Whether to create and use RBAC resources or not | `false` | +| `rbac.rules` | Custom RBAC rules | `[]` | + +### Other parameters + +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------- | ------- | +| `pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | +| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | +| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `""` | +| `autoscaling.enabled` | Enable autoscaling for Keycloak | `false` | +| `autoscaling.minReplicas` | Minimum number of Keycloak replicas | `1` | +| `autoscaling.maxReplicas` | Maximum number of Keycloak replicas | `11` | +| `autoscaling.targetCPU` | Target CPU utilization percentage | `""` | +| `autoscaling.targetMemory` | Target Memory utilization percentage | `""` | +| `autoscaling.behavior.scaleUp.stabilizationWindowSeconds` | The number of seconds for which past recommendations should be considered while scaling up | `120` | +| `autoscaling.behavior.scaleUp.selectPolicy` | The priority of policies that the autoscaler will apply when scaling up | `Max` | +| `autoscaling.behavior.scaleUp.policies` | HPA scaling policies when scaling up | `[]` | +| `autoscaling.behavior.scaleDown.stabilizationWindowSeconds` | The number of seconds for which past recommendations should be considered while scaling down | `300` | +| `autoscaling.behavior.scaleDown.selectPolicy` | The priority of policies that the autoscaler will apply when scaling down | `Max` | +| `autoscaling.behavior.scaleDown.policies` | HPA scaling policies when scaling down | `[]` | + +### Metrics parameters + +| Name | Description | Value | +| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------- | ------- | +| `metrics.enabled` | Enable exposing Keycloak statistics | `false` | +| `metrics.service.ports.http` | Metrics service HTTP port | `8080` | +| `metrics.service.annotations` | Annotations for enabling prometheus to access the metrics endpoints | `{}` | +| `metrics.service.extraPorts` | Add additional ports to the keycloak metrics service (i.e. admin port 9000) | `[]` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.port` | Metrics service HTTP port | `http` | +| `metrics.serviceMonitor.endpoints` | The endpoint configuration of the ServiceMonitor. Path is mandatory. Interval, timeout and labellings can be overwritten. | `[]` | +| `metrics.serviceMonitor.path` | Metrics service HTTP path. Deprecated: Use @param metrics.serviceMonitor.endpoints instead | `""` | +| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.prometheusRule.enabled` | Create PrometheusRule Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.prometheusRule.namespace` | Namespace which Prometheus is running in | `""` | +| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.groups` | Groups, containing the alert rules. | `[]` | + +### keycloak-config-cli parameters + +| Name | Description | Value | +| --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| `keycloakConfigCli.enabled` | Whether to enable keycloak-config-cli job | `false` | +| `keycloakConfigCli.image.registry` | keycloak-config-cli container image registry | `REGISTRY_NAME` | +| `keycloakConfigCli.image.repository` | keycloak-config-cli container image repository | `REPOSITORY_NAME/keycloak-config-cli` | +| `keycloakConfigCli.image.digest` | keycloak-config-cli container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `keycloakConfigCli.image.pullPolicy` | keycloak-config-cli container image pull policy | `IfNotPresent` | +| `keycloakConfigCli.image.pullSecrets` | keycloak-config-cli container image pull secrets | `[]` | +| `keycloakConfigCli.annotations` | Annotations for keycloak-config-cli job | `{}` | +| `keycloakConfigCli.command` | Command for running the container (set to default if not set). Use array form | `[]` | +| `keycloakConfigCli.args` | Args for running the container (set to default if not set). Use array form | `[]` | +| `keycloakConfigCli.automountServiceAccountToken` | Mount Service Account token in pod | `true` | +| `keycloakConfigCli.hostAliases` | Job pod host aliases | `[]` | +| `keycloakConfigCli.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if keycloakConfigCli.resources is set (keycloakConfigCli.resources is recommended for production). | `small` | +| `keycloakConfigCli.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `keycloakConfigCli.containerSecurityContext.enabled` | Enabled keycloak-config-cli Security Context | `true` | +| `keycloakConfigCli.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `keycloakConfigCli.containerSecurityContext.runAsUser` | Set keycloak-config-cli Security Context runAsUser | `1001` | +| `keycloakConfigCli.containerSecurityContext.runAsGroup` | Set keycloak-config-cli Security Context runAsGroup | `1001` | +| `keycloakConfigCli.containerSecurityContext.runAsNonRoot` | Set keycloak-config-cli Security Context runAsNonRoot | `true` | +| `keycloakConfigCli.containerSecurityContext.privileged` | Set keycloak-config-cli Security Context privileged | `false` | +| `keycloakConfigCli.containerSecurityContext.readOnlyRootFilesystem` | Set keycloak-config-cli Security Context readOnlyRootFilesystem | `true` | +| `keycloakConfigCli.containerSecurityContext.allowPrivilegeEscalation` | Set keycloak-config-cli Security Context allowPrivilegeEscalation | `false` | +| `keycloakConfigCli.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `keycloakConfigCli.containerSecurityContext.seccompProfile.type` | Set keycloak-config-cli Security Context seccomp profile | `RuntimeDefault` | +| `keycloakConfigCli.podSecurityContext.enabled` | Enabled keycloak-config-cli pods' Security Context | `true` | +| `keycloakConfigCli.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `keycloakConfigCli.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `keycloakConfigCli.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `keycloakConfigCli.podSecurityContext.fsGroup` | Set keycloak-config-cli pod's Security Context fsGroup | `1001` | +| `keycloakConfigCli.backoffLimit` | Number of retries before considering a Job as failed | `1` | +| `keycloakConfigCli.podLabels` | Pod extra labels | `{}` | +| `keycloakConfigCli.podAnnotations` | Annotations for job pod | `{}` | +| `keycloakConfigCli.extraEnvVars` | Additional environment variables to set | `[]` | +| `keycloakConfigCli.nodeSelector` | Node labels for pod assignment | `{}` | +| `keycloakConfigCli.podTolerations` | Tolerations for job pod assignment | `[]` | +| `keycloakConfigCli.extraEnvVarsCM` | ConfigMap with extra environment variables | `""` | +| `keycloakConfigCli.extraEnvVarsSecret` | Secret with extra environment variables | `""` | +| `keycloakConfigCli.extraVolumes` | Extra volumes to add to the job | `[]` | +| `keycloakConfigCli.extraVolumeMounts` | Extra volume mounts to add to the container | `[]` | +| `keycloakConfigCli.initContainers` | Add additional init containers to the Keycloak config cli pod | `[]` | +| `keycloakConfigCli.sidecars` | Add additional sidecar containers to the Keycloak config cli pod | `[]` | +| `keycloakConfigCli.configuration` | keycloak-config-cli realms configuration | `{}` | +| `keycloakConfigCli.existingConfigmap` | ConfigMap with keycloak-config-cli configuration | `""` | +| `keycloakConfigCli.cleanupAfterFinished.enabled` | Enables Cleanup for Finished Jobs | `false` | +| `keycloakConfigCli.cleanupAfterFinished.seconds` | Sets the value of ttlSecondsAfterFinished | `600` | + +### Database parameters + +| Name | Description | Value | +| -------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------ | +| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | +| `postgresql.auth.postgresPassword` | Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided | `""` | +| `postgresql.auth.username` | Name for a custom user to create | `bn_keycloak` | +| `postgresql.auth.password` | Password for the custom user to create | `""` | +| `postgresql.auth.database` | Name for a custom database to create | `bitnami_keycloak` | +| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | +| `postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `password` | +| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` | +| `externalDatabase.host` | Database host | `""` | +| `externalDatabase.port` | Database port number | `5432` | +| `externalDatabase.user` | Non-root username for Keycloak | `bn_keycloak` | +| `externalDatabase.password` | Password for the non-root username for Keycloak | `""` | +| `externalDatabase.database` | Keycloak database name | `bitnami_keycloak` | +| `externalDatabase.existingSecret` | Name of an existing secret resource containing the database credentials | `""` | +| `externalDatabase.existingSecretHostKey` | Name of an existing secret key containing the database host name | `""` | +| `externalDatabase.existingSecretPortKey` | Name of an existing secret key containing the database port | `""` | +| `externalDatabase.existingSecretUserKey` | Name of an existing secret key containing the database user | `""` | +| `externalDatabase.existingSecretDatabaseKey` | Name of an existing secret key containing the database name | `""` | +| `externalDatabase.existingSecretPasswordKey` | Name of an existing secret key containing the database credentials | `""` | +| `externalDatabase.annotations` | Additional custom annotations for external database secret object | `{}` | + +### Keycloak Cache parameters + +| Name | Description | Value | +| ----------------- | -------------------------------------------------------------------------- | ------------ | +| `cache.enabled` | Switch to enable or disable the keycloak distributed cache for kubernetes. | `true` | +| `cache.stackName` | Set infinispan cache stack to use | `kubernetes` | +| `cache.stackFile` | Set infinispan cache stack filename to use | `""` | + +### Keycloak Logging parameters + +| Name | Description | Value | +| ---------------- | ------------------------------------------------------------------------------ | --------- | +| `logging.output` | Alternates between the default log output format or json format | `default` | +| `logging.level` | Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF | `INFO` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm install my-release --set auth.adminPassword=secretpassword oci://REGISTRY_NAME/REPOSITORY_NAME/keycloak +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The above command sets the Keycloak administrator password to `secretpassword`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/keycloak +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/keycloak/values.yaml) + +Keycloak realms, users and clients can be created from the Keycloak administration panel. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +### To 21.0.0 + +This major release updates the keycloak branch to its newest major, 24.x.x. Follow the [upstream documentation](https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-24-0-0) for upgrade instructions. + +### To 20.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + +### To 19.0.0 + +This major release bumps the PostgreSQL chart version to [14.x.x](https://github.com/bitnami/charts/pull/22750); no major issues are expected during the upgrade. + +### To 17.0.0 + +This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version. + +### To 15.0.0 + +This major updates the default serviceType from `LoadBalancer` to `ClusterIP` to avoid inadvertently exposing Keycloak directly to the internet without an Ingress. + +### To 12.0.0 + +This major updates the PostgreSQL subchart to its newest major, 12.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1200) you can find more information about the changes introduced in that version. + +### To 10.0.0 + +This major release updates Keycloak to its major version `19`. Please, refer to the official [Keycloak migration documentation](https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-19-0-0) for a complete list of changes and further information. + +### To 9.0.0 + +This major release updates Keycloak to its major version `18`. Please, refer to the official [Keycloak migration documentation](https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-18-0-0) for a complete list of changes and further information. + +### To 8.0.0 + +This major release updates Keycloak to its major version `17`. Among other features, this new version has deprecated WildFly in favor of Quarkus, which introduces breaking changes like: + +- Removal of `/auth` from the default context path. +- Changes in the configuration and deployment of custom providers. +- Significant changes in configuring Keycloak. + +Please, refer to the official [Keycloak migration documentation](https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-17-0-0) and [Migrating to Quarkus distribution document](https://www.keycloak.org/migration/migrating-to-quarkus) for a complete list of changes and further information. + +### To 7.0.0 + +This major release updates the PostgreSQL subchart to its newest major *11.x.x*, which contain several changes in the supported values (check the [upgrade notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1100) to obtain more information). + +#### Upgrading Instructions + +To upgrade to *7.0.0* from *6.x*, it should be done reusing the PVC(s) used to hold the data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is *keycloak* and the release namespace *default*): + +1. Obtain the credentials and the names of the PVCs used to hold the data on your current release: + +```console +export KEYCLOAK_PASSWORD=$(kubectl get secret --namespace default keycloak -o jsonpath="{.data.admin-password}" | base64 --decode) +export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default keycloak-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=keycloak,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +``` + +1. Delete the PostgreSQL statefulset (notice the option *--cascade=false*) and secret: + +```console +kubectl delete statefulsets.apps --cascade=false keycloak-postgresql +kubectl delete secret keycloak-postgresql --namespace default +``` + +1. Upgrade your release using the same PostgreSQL version: + +```console +CURRENT_PG_VERSION=$(kubectl exec keycloak-postgresql-0 -- bash -c 'echo $BITNAMI_IMAGE_VERSION') +helm upgrade keycloak bitnami/keycloak \ + --set auth.adminPassword=$KEYCLOAK_PASSWORD \ + --set postgresql.image.tag=$CURRENT_PG_VERSION \ + --set postgresql.auth.password=$POSTGRESQL_PASSWORD \ + --set postgresql.persistence.existingClaim=$POSTGRESQL_PVC +``` + +1. Delete the existing PostgreSQL pods and the new statefulset will create a new one: + +```console +kubectl delete pod keycloak-postgresql-0 +``` + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +#### What changes were introduced in this major version? + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Move dependency information from the *requirements.yaml* to the *Chart.yaml* +- After running *helm dependency update*, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock* +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Chart. + +#### Considerations when upgrading to this version + +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version does not support Helm v2 anymore. +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3. + +#### Useful links + +- [Bitnami Tutorial](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-resolve-helm2-helm3-post-migration-issues-index.html) +- [Helm docs](https://helm.sh/docs/topics/v2_v3_migration) +- [Helm Blog](https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3) + +## License + +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/charts/forms-flow-idm/templates/configmap.yaml b/charts/forms-flow-idm/templates/configmap.yaml deleted file mode 100644 index 13a73184..00000000 --- a/charts/forms-flow-idm/templates/configmap.yaml +++ /dev/null @@ -1,2490 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: "forms-flow-idm" -data: - "realm.json": |- - { - "id": "forms-flow-ai", - "realm": "forms-flow-ai", - "notBefore": 0, - "revokeRefreshToken": false, - "refreshTokenMaxReuse": 0, - "accessTokenLifespan": 300, - "accessTokenLifespanForImplicitFlow": 900, - "ssoSessionIdleTimeout": 1800, - "ssoSessionMaxLifespan": 36000, - "ssoSessionIdleTimeoutRememberMe": 0, - "ssoSessionMaxLifespanRememberMe": 0, - "offlineSessionIdleTimeout": 2592000, - "offlineSessionMaxLifespanEnabled": false, - "offlineSessionMaxLifespan": 5184000, - "clientSessionIdleTimeout": 0, - "clientSessionMaxLifespan": 0, - "clientOfflineSessionIdleTimeout": 0, - "clientOfflineSessionMaxLifespan": 0, - "accessCodeLifespan": 60, - "accessCodeLifespanUserAction": 300, - "accessCodeLifespanLogin": 1800, - "actionTokenGeneratedByAdminLifespan": 43200, - "actionTokenGeneratedByUserLifespan": 300, - "enabled": true, - "sslRequired": "external", - "registrationAllowed": false, - "registrationEmailAsUsername": false, - "rememberMe": false, - "verifyEmail": false, - "loginWithEmailAllowed": true, - "duplicateEmailsAllowed": false, - "resetPasswordAllowed": false, - "editUsernameAllowed": false, - "bruteForceProtected": false, - "permanentLockout": false, - "maxFailureWaitSeconds": 900, - "minimumQuickLoginWaitSeconds": 60, - "waitIncrementSeconds": 60, - "quickLoginCheckMilliSeconds": 1000, - "maxDeltaTimeSeconds": 43200, - "failureFactor": 30, - "roles": { - "realm": [ - { - "name": "offline_access", - "description": "${role_offline-access}", - "composite": false, - "clientRole": false, - "containerId": "forms-flow-ai", - "attributes": {} - }, - { - "name": "uma_authorization", - "description": "${role_uma_authorization}", - "composite": false, - "clientRole": false, - "containerId": "forms-flow-ai", - "attributes": {} - } - ], - "client": { - "realm-management": [ - { - "name": "query-groups", - "description": "${role_query-groups}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "query-clients", - "description": "${role_query-clients}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "view-events", - "description": "${role_view-events}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "impersonation", - "description": "${role_impersonation}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "manage-events", - "description": "${role_manage-events}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "query-realms", - "description": "${role_query-realms}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "query-users", - "description": "${role_query-users}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "create-client", - "description": "${role_create-client}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "view-clients", - "description": "${role_view-clients}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-clients" - ] - } - }, - "clientRole": true, - - "attributes": {} - }, - { - "name": "manage-authorization", - "description": "${role_manage-authorization}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "view-identity-providers", - "description": "${role_view-identity-providers}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "view-users", - "description": "${role_view-users}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-users", - "query-groups" - ] - } - }, - "clientRole": true, - - "attributes": {} - }, - { - "name": "realm-admin", - "description": "${role_realm-admin}", - "composite": true, - "composites": { - "client": { - "realm-management": [ - "query-groups", - "query-clients", - "view-events", - "impersonation", - "manage-events", - "query-realms", - "query-users", - "create-client", - "view-clients", - "manage-authorization", - "view-identity-providers", - "view-users", - "view-realm", - "view-authorization", - "manage-identity-providers", - "manage-users", - "manage-realm", - "manage-clients" - ] - } - }, - "clientRole": true, - - "attributes": {} - }, - { - "name": "view-realm", - "description": "${role_view-realm}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "view-authorization", - "description": "${role_view-authorization}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "manage-identity-providers", - "description": "${role_manage-identity-providers}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "manage-users", - "description": "${role_manage-users}", - "composite": false, - "clientRole": true, - "attributes": {} - }, - { - "name": "manage-realm", - "description": "${role_manage-realm}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "manage-clients", - "description": "${role_manage-clients}", - "composite": false, - "clientRole": true, - - "attributes": {} - } - ], - "forms-flow-web": [ - { - "name": "formsflow-client", - "description": "Provides access to use the formsflow.ai solution. Required to access and submit forms.", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "formsflow-designer", - "description": "Provides access to use the formsflow.ai solution. Access to wok on form designer studio.", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "formsflow-reviewer", - "description": "Provides access to use the formsflow.ai solution. Identifies the staff to work on applications and forms submissions.", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "formsflow-analytics", - "description": "", - "composite": false, - "clientRole": true, - - "attributes": {} - } - ], - "security-admin-console": [], - "admin-cli": [], - "forms-flow-bpm": [], - "account-console": [], - "broker": [ - { - "name": "read-token", - "description": "${role_read-token}", - "composite": false, - "clientRole": true, - - "attributes": {} - } - ], - "forms-flow-analytics": [], - "account": [ - { - "name": "view-profile", - "description": "${role_view-profile}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "manage-account", - "description": "${role_manage-account}", - "composite": true, - "composites": { - "client": { - "account": [ - "manage-account-links" - ] - } - }, - "clientRole": true, - - "attributes": {} - }, - { - "name": "manage-account-links", - "description": "${role_manage-account-links}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "view-consent", - "description": "${role_view-consent}", - "composite": false, - "clientRole": true, - - "attributes": {} - }, - { - "name": "manage-consent", - "description": "${role_manage-consent}", - "composite": true, - "composites": { - "client": { - "account": [ - "view-consent" - ] - } - }, - "clientRole": true, - - "attributes": {} - }, - { - "name": "view-applications", - "description": "${role_view-applications}", - "composite": false, - "clientRole": true, - - "attributes": {} - } - ] - } - }, - "groups": [ - { - "name": "camunda-admin", - "path": "/camunda-admin", - "attributes": {}, - "realmRoles": [], - "clientRoles": {}, - "subGroups": [] - }, - { - "name": "formsflow", - "path": "/formsflow", - "attributes": {}, - "realmRoles": [], - "clientRoles": {}, - "subGroups": [ - { - "name": "formsflow-client", - "path": "/formsflow/formsflow-client", - "attributes": {}, - "realmRoles": [], - "clientRoles": { - "forms-flow-web": [ - "formsflow-client" - ] - }, - "subGroups": [] - }, - { - "name": "formsflow-designer", - "path": "/formsflow/formsflow-designer", - "attributes": {}, - "realmRoles": [], - "clientRoles": { - "forms-flow-web": [ - "formsflow-designer" - ] - }, - "subGroups": [] - }, - { - "name": "formsflow-reviewer", - "path": "/formsflow/formsflow-reviewer", - "attributes": {}, - "realmRoles": [], - "clientRoles": { - "forms-flow-web": [ - "formsflow-reviewer" - ] - }, - "subGroups": [ - { - "name": "clerk", - "path": "/formsflow/formsflow-reviewer/clerk", - "attributes": {}, - "realmRoles": [], - "clientRoles": {}, - "subGroups": [] - }, - { - "name": "approver", - "path": "/formsflow/formsflow-reviewer/approver", - "attributes": {}, - "realmRoles": [], - "clientRoles": {}, - "subGroups": [] - } - ] - } - ] - } - ], - "defaultRoles": [ - "offline_access", - "uma_authorization" - ], - "defaultGroups": [ - "/camunda-admin", - "/formsflow" - ], - "requiredCredentials": [ - "password" - ], - "otpPolicyType": "totp", - "otpPolicyAlgorithm": "HmacSHA1", - "otpPolicyInitialCounter": 0, - "otpPolicyDigits": 6, - "otpPolicyLookAheadWindow": 1, - "otpPolicyPeriod": 30, - "otpSupportedApplications": [ - "FreeOTP", - "Google Authenticator" - ], - "webAuthnPolicyRpEntityName": "keycloak", - "webAuthnPolicySignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyRpId": "", - "webAuthnPolicyAttestationConveyancePreference": "not specified", - "webAuthnPolicyAuthenticatorAttachment": "not specified", - "webAuthnPolicyRequireResidentKey": "not specified", - "webAuthnPolicyUserVerificationRequirement": "not specified", - "webAuthnPolicyCreateTimeout": 0, - "webAuthnPolicyAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyAcceptableAaguids": [], - "webAuthnPolicyPasswordlessRpEntityName": "keycloak", - "webAuthnPolicyPasswordlessSignatureAlgorithms": [ - "ES256" - ], - "webAuthnPolicyPasswordlessRpId": "", - "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", - "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", - "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", - "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", - "webAuthnPolicyPasswordlessCreateTimeout": 0, - "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyPasswordlessAcceptableAaguids": [], - "users" : [ { - "createdTimestamp" : 1621862607660, - "username" : "formsflow-client", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "firstName" : "Client", - "lastName" : "FFA", - "email" : "formsflow-client@example.com", - "credentials" : [ { - "type" : "password", - "createdDate" : 1621863987325, - "secretData" : "{\"value\":\"9R9a8Onha7JcZt59SIq8ngfqwDJwPKiKb8mJ2WO6p2eI3S9qhzR1GPDFtKjOWq8qpm8vsGfp/a/DyHWQuIvmlA==\",\"salt\":\"R/OTBeSXHzsKtJOV/bufEA==\"}", - "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ "UPDATE_PASSWORD" ], - "realmRoles" : [ "uma_authorization", "offline_access" ], - "clientRoles" : { - "account" : [ "view-profile", "manage-account" ] - }, - "notBefore" : 0, - "groups" : [ "/camunda-admin", "/formsflow/formsflow-client" ] - }, { - "createdTimestamp" : 1621862546931, - "username" : "formsflow-designer", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "firstName" : "Designer", - "lastName" : "FFA", - "email" : "formsflow-designer@example.com", - "credentials" : [ { - "type" : "password", - "createdDate" : 1621864001408, - "secretData" : "{\"value\":\"XlcFXNSJAfv5YzTh5vd4NtyEjWm4B47CS9MA3aHmEjLNjdRMbnGFVFZwlZx3alXYBCg4Evs3md25DQ6Xvl+nZg==\",\"salt\":\"TefHE1L0xpqlAMg/h6w6BA==\"}", - "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ "UPDATE_PASSWORD" ], - "realmRoles" : [ "uma_authorization", "offline_access" ], - "clientRoles" : { - "account" : [ "view-profile", "manage-account" ] - }, - "notBefore" : 0, - "groups" : [ "/camunda-admin", "/formsflow/formsflow-designer" ] - }, { - "createdTimestamp" : 1625009614956, - "username" : "formsflow-approver", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "firstName" : "Approver", - "lastName" : "FFA", - "email" : "formsflow-approver@aot-technologies.com", - "credentials" : [ { - "type" : "password", - "createdDate" : 1625009625540, - "secretData" : "{\"value\":\"Ej6BGTe5D+jLChY9zmoty3Jzt8i+KoV+UTPK6+1Vi+GaUpVfdJ0RFJ/7M4+1Y1jNGBcvMgc8knQT2AJDtixxRQ==\",\"salt\":\"MDP6nouKEx0l7hdJA+lIJw==\"}", - "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ "UPDATE_PASSWORD" ], - "notBefore" : 0, - "groups" : [ "/formsflow/formsflow-reviewer/approver", "/camunda-admin", "/formsflow" ] - }, { - "createdTimestamp" : 1625009564217, - "username" : "formsflow-clerk", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "firstName" : "Clerk", - "lastName" : "FFA", - "email" : "formsflow-clerk@aot-technologies.com", - "credentials" : [ { - "type" : "password", - "createdDate" : 1625009575561, - "secretData" : "{\"value\":\"iWFPywh7ck8FesufjXu81lxpJ0XKSvPd9ladBcJrE4TTXLeQOhvqBOC5e+bwVg20Y61EwtkTta0L9MWtGpSraw==\",\"salt\":\"noE1kDJ7Lo20VYuTOHOBTw==\"}", - "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ "UPDATE_PASSWORD" ], - "notBefore" : 0, - "groups" : [ "/camunda-admin", "/formsflow/formsflow-reviewer/clerk", "/formsflow" ] - }, { - "createdTimestamp" : 1621862578318, - "username" : "formsflow-reviewer", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "firstName" : "Reviewer", - "lastName" : "FFA", - "email" : "formsflow-reviewer@example.com", - "credentials" : [ { - "type" : "password", - "createdDate" : 1621864014317, - "secretData" : "{\"value\":\"bXzhJ0BrMJBWMzRRjO2khWgCRgDAA6vfTrE0UNNO1DNRzp1aMrGCz5kF20H76PjyuqNDZaKF1nKApEjccg+KRA==\",\"salt\":\"gmoZwO3i7Y6B+jpgnsnixw==\"}", - "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" - } ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ "UPDATE_PASSWORD" ], - "realmRoles" : [ "uma_authorization", "offline_access" ], - "clientRoles" : { - "account" : [ "view-profile", "manage-account" ] - }, - "notBefore" : 0, - "groups" : [ "/camunda-admin", "/formsflow/formsflow-reviewer" ] - }, { - "createdTimestamp" : 1621585233480, - "username" : "service-account-forms-flow-bpm", - "enabled" : true, - "totp" : false, - "emailVerified" : false, - "serviceAccountClientId" : "forms-flow-bpm", - "credentials" : [ ], - "disableableCredentialTypes" : [ ], - "requiredActions" : [ ], - "realmRoles" : [ "uma_authorization", "offline_access" ], - "clientRoles" : { - "realm-management" : [ "query-users", "query-groups", "view-users", "view-clients" ], - "account" : [ "view-profile", "manage-account" ] - }, - "notBefore" : 0, - "groups" : [ "/camunda-admin" ] - } ], - "scopeMappings" : [ { - "clientScope" : "offline_access", - "roles" : [ "offline_access" ] - } ], - "clientScopeMappings" : { - "account" : [ { - "client" : "account-console", - "roles" : [ "manage-account" ] - } ] - }, - "clients": [ - { - "clientId": "account", - "name": "${client_account}", - "rootUrl": "${authBaseUrl}", - "baseUrl": "/realms/forms-flow-ai/account/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "**********", - "defaultRoles": [ - "view-profile", - "manage-account" - ], - "redirectUris": [ - "/realms/forms-flow-ai/account/*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "role_list", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId": "account-console", - "name": "${client_account-console}", - "rootUrl": "${authBaseUrl}", - "baseUrl": "/realms/forms-flow-ai/account/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "**********", - "redirectUris": [ - "/realms/forms-flow-ai/account/*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "pkce.code.challenge.method": "S256" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "protocolMappers": [ - { - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - } - ], - "defaultClientScopes": [ - "web-origins", - "role_list", - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId": "admin-cli", - "name": "${client_admin-cli}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "**********", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "role_list", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId": "broker", - "name": "${client_broker}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "**********", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "role_list", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId": "forms-flow-analytics", - "description": "Redash-Analytics", - "adminUrl": "http://localhost:7000/saml/callback?org_slug=default", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "**********", - "redirectUris": [ - "http://localhost:7000/*", - "*" - ], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "saml", - "attributes": { - "saml.assertion.signature": "true", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "saml.signature.algorithm": "RSA_SHA256", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "true", - "display.on.consent.screen": "false", - "saml_name_id_format": "email", - "saml.onetimeuse.condition": "false", - "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#WithComments" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "name": "X500 surname", - "protocol": "saml", - "protocolMapper": "saml-user-property-mapper", - "consentRequired": false, - "config": { - "user.attribute": "lastName", - "friendly.name": "LastName", - "attribute.name": "urn:oid:2.5.4.4" - } - }, - { - "name": "X500 givenName", - "protocol": "saml", - "protocolMapper": "saml-user-property-mapper", - "consentRequired": false, - "config": { - "user.attribute": "firstName", - "friendly.name": "FirstName", - "attribute.name": "urn:oid:2.5.4.42" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "role_list", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId": "forms-flow-bpm", - "description": "Camunda Process Engine Components", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "786001d6-68a8-4519-903c-bc5b5a870d68", - "redirectUris": [ - "http://localhost:8000/camunda/*", - "*" - ], - "webOrigins": [ - "*" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } - }, - { - "name": "formsflow-web-mapper", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-mapper", - "consentRequired": false, - "config": { - "included.client.audience": "forms-flow-web", - "id.token.claim": "false", - "access.token.claim": "true", - "userinfo.token.claim": "false" - } - }, - { - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } - }, - { - "name": "camunda-rest-api", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "false", - "access.token.claim": "true", - "included.custom.audience": "camunda-rest-api" - } - }, - { - "name": "username", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "preferred_username", - "jsonType.label": "String" - } - }, - { - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String" - } - }, - { - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-group-membership-mapper", - "consentRequired": false, - "config": { - "full.path": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "userinfo.token.claim": "true" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "role_list", - "profile", - "roles", - "camunda-rest-api", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId": "forms-flow-web", - "description": "React based FormIO web components", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "**********", - "redirectUris": [ - "http://localhost:3000/*", - "*" - ], - "webOrigins": [ - "*" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "saml.assertion.signature": "false", - "saml.force.post.binding": "false", - "saml.multivalued.roles": "false", - "saml.encrypt": "false", - "saml.server.signature": "false", - "saml.server.signature.keyinfo.ext": "false", - "exclude.session.state.from.auth.response": "false", - "saml_force_name_id_format": "false", - "saml.client.signature": "false", - "tls.client.certificate.bound.access.tokens": "false", - "saml.authnstatement": "false", - "display.on.consent.screen": "false", - "saml.onetimeuse.condition": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "name": "formsflow-web-mapper", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-mapper", - "consentRequired": false, - "config": { - "included.client.audience": "forms-flow-web", - "id.token.claim": "false", - "access.token.claim": "true", - "userinfo.token.claim": "false" - } - }, - { - "name": "camunda-rest-api", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "false", - "access.token.claim": "true", - "included.custom.audience": "camunda-rest-api" - } - }, - { - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-group-membership-mapper", - "consentRequired": false, - "config": { - "full.path": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "userinfo.token.claim": "true" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "role_list", - "profile", - "roles", - "camunda-rest-api", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId": "realm-management", - "name": "${client_realm-management}", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "**********", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": true, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": {}, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "defaultClientScopes": [ - "web-origins", - "role_list", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "clientId": "security-admin-console", - "name": "${client_security-admin-console}", - "rootUrl": "${authAdminUrl}", - "baseUrl": "/admin/forms-flow-ai/console/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "**********", - "redirectUris": [ - "/admin/forms-flow-ai/console/*" - ], - "webOrigins": [ - "+" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": false, - "serviceAccountsEnabled": false, - "publicClient": true, - "frontchannelLogout": false, - "protocol": "openid-connect", - "attributes": { - "pkce.code.challenge.method": "S256" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "nodeReRegistrationTimeout": 0, - "protocolMappers": [ - { - "name": "locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "locale", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "locale", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "role_list", - "profile", - "roles", - "email" - ], - "optionalClientScopes": [ - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - } - ], - "clientScopes": [ - { - "name": "role_list", - "description": "SAML role list", - "protocol": "saml", - "attributes": { - "consent.screen.text": "${samlRoleListScopeConsentText}", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "name": "role list", - "protocol": "saml", - "protocolMapper": "saml-role-list-mapper", - "consentRequired": false, - "config": { - "single": "false", - "attribute.nameformat": "Basic", - "attribute.name": "Role" - } - } - ] - }, - { - "name": "offline_access", - "description": "OpenID Connect built-in scope: offline_access", - "protocol": "openid-connect", - "attributes": { - "consent.screen.text": "${offlineAccessScopeConsentText}", - "display.on.consent.screen": "true" - } - }, - { - "name": "profile", - "description": "OpenID Connect built-in scope: profile", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${profileScopeConsentText}" - }, - "protocolMappers": [ - { - "name": "full name", - "protocol": "openid-connect", - "protocolMapper": "oidc-full-name-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "true", - "access.token.claim": "true", - "userinfo.token.claim": "true" - } - }, - { - "name": "profile", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "profile", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "profile", - "jsonType.label": "String" - } - }, - { - "name": "gender", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "gender", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "gender", - "jsonType.label": "String" - } - }, - { - "name": "website", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "website", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "website", - "jsonType.label": "String" - } - }, - { - "name": "zoneinfo", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "zoneinfo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "zoneinfo", - "jsonType.label": "String" - } - }, - { - "name": "given name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "firstName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "given_name", - "jsonType.label": "String" - } - }, - { - "name": "nickname", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "nickname", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "nickname", - "jsonType.label": "String" - } - }, - { - "name": "locale", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "locale", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "locale", - "jsonType.label": "String" - } - }, - { - "name": "updated at", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "updatedAt", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "updated_at", - "jsonType.label": "String" - } - }, - { - "name": "birthdate", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "birthdate", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "birthdate", - "jsonType.label": "String" - } - }, - { - "name": "family name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "lastName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "family_name", - "jsonType.label": "String" - } - }, - { - "name": "middle name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "middleName", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "middle_name", - "jsonType.label": "String" - } - }, - { - "name": "username", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "preferred_username", - "jsonType.label": "String" - } - }, - { - "name": "picture", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "picture", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "picture", - "jsonType.label": "String" - } - } - ] - }, - { - "name": "email", - "description": "OpenID Connect built-in scope: email", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${emailScopeConsentText}" - }, - "protocolMappers": [ - { - "name": "email verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "emailVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email_verified", - "jsonType.label": "boolean" - } - }, - { - "name": "email", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "email", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email", - "jsonType.label": "String" - } - } - ] - }, - { - "name": "address", - "description": "OpenID Connect built-in scope: address", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${addressScopeConsentText}" - }, - "protocolMappers": [ - { - "name": "address", - "protocol": "openid-connect", - "protocolMapper": "oidc-address-mapper", - "consentRequired": false, - "config": { - "user.attribute.formatted": "formatted", - "user.attribute.country": "country", - "user.attribute.postal_code": "postal_code", - "userinfo.token.claim": "true", - "user.attribute.street": "street", - "id.token.claim": "true", - "user.attribute.region": "region", - "access.token.claim": "true", - "user.attribute.locality": "locality" - } - } - ] - }, - { - "name": "phone", - "description": "OpenID Connect built-in scope: phone", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${phoneScopeConsentText}" - }, - "protocolMappers": [ - { - "name": "phone number verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumberVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number_verified", - "jsonType.label": "boolean" - } - }, - { - "name": "phone number", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "phoneNumber", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "phone_number", - "jsonType.label": "String" - } - } - ] - }, - { - "name": "roles", - "description": "OpenID Connect scope for add user roles to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "true", - "consent.screen.text": "${rolesScopeConsentText}" - }, - "protocolMappers": [ - { - "name": "realm roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "realm_access.roles", - "jsonType.label": "String", - "multivalued": "true" - } - }, - { - "name": "client roles", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "user.attribute": "foo", - "access.token.claim": "true", - "claim.name": "resource_access.${client_id}.roles", - "jsonType.label": "String", - "multivalued": "true" - } - }, - { - "name": "Role", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-client-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "role", - "usermodel.clientRoleMapping.clientId": "forms-flow-web" - } - }, - { - "name": "audience resolve", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-resolve-mapper", - "consentRequired": false, - "config": {} - } - ] - }, - { - "name": "web-origins", - "description": "OpenID Connect scope for add allowed web origins to the access token", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "false", - "display.on.consent.screen": "false", - "consent.screen.text": "" - }, - "protocolMappers": [ - { - "name": "allowed web origins", - "protocol": "openid-connect", - "protocolMapper": "oidc-allowed-origins-mapper", - "consentRequired": false, - "config": {} - } - ] - }, - { - "name": "microprofile-jwt", - "description": "Microprofile - JWT built-in scope", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "userinfo.token.claim": "true", - "user.attribute": "foo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "jsonType.label": "String" - } - }, - { - "name": "upn", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "upn", - "jsonType.label": "String" - } - } - ] - }, - { - "name": "camunda-rest-api", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "name": "camunda-rest-api", - "protocol": "openid-connect", - "protocolMapper": "oidc-audience-mapper", - "consentRequired": false, - "config": { - "id.token.claim": "false", - "access.token.claim": "true", - "included.custom.audience": "camunda-rest-api", - "userinfo.token.claim": "false" - } - } - ] - } - ], - "defaultDefaultClientScopes": [ - "role_list", - "profile", - "email", - "roles", - "web-origins", - "camunda-rest-api" - ], - "defaultOptionalClientScopes": [ - "offline_access", - "address", - "phone", - "microprofile-jwt" - ], - "browserSecurityHeaders": { - "contentSecurityPolicyReportOnly": "", - "xContentTypeOptions": "nosniff", - "xRobotsTag": "none", - "xFrameOptions": "SAMEORIGIN", - "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", - "xXSSProtection": "1; mode=block", - "strictTransportSecurity": "max-age=31536000; includeSubDomains" - }, - "smtpServer": {}, - "eventsEnabled": false, - "eventsListeners": [ - "jboss-logging" - ], - "enabledEventTypes": [], - "adminEventsEnabled": false, - "adminEventsDetailsEnabled": false, - "components": { - "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ - { - "name": "Consent Required", - "providerId": "consent-required", - "subType": "anonymous", - "subComponents": {}, - "config": {} - }, - { - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "name": "Allowed Client Scopes", - "providerId": "allowed-client-templates", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allow-default-scopes": [ - "true" - ] - } - }, - { - "name": "Full Scope Disabled", - "providerId": "scope", - "subType": "anonymous", - "subComponents": {}, - "config": {} - }, - { - "name": "Trusted Hosts", - "providerId": "trusted-hosts", - "subType": "anonymous", - "subComponents": {}, - "config": { - "host-sending-registration-request-must-match": [ - "true" - ], - "client-uris-must-match": [ - "true" - ] - } - }, - { - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "authenticated", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "oidc-usermodel-attribute-mapper", - "oidc-full-name-mapper", - "saml-user-attribute-mapper", - "saml-user-property-mapper", - "oidc-address-mapper", - "saml-role-list-mapper", - "oidc-sha256-pairwise-sub-mapper", - "oidc-usermodel-property-mapper" - ] - } - }, - { - "name": "Max Clients Limit", - "providerId": "max-clients", - "subType": "anonymous", - "subComponents": {}, - "config": { - "max-clients": [ - "200" - ] - } - }, - { - "name": "Allowed Protocol Mapper Types", - "providerId": "allowed-protocol-mappers", - "subType": "anonymous", - "subComponents": {}, - "config": { - "allowed-protocol-mapper-types": [ - "saml-role-list-mapper", - "oidc-usermodel-attribute-mapper", - "oidc-address-mapper", - "oidc-sha256-pairwise-sub-mapper", - "oidc-full-name-mapper", - "saml-user-attribute-mapper", - "oidc-usermodel-property-mapper", - "saml-user-property-mapper" - ] - } - } - ], - "org.keycloak.keys.KeyProvider": [ - { - "name": "hmac-generated", - "providerId": "hmac-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ], - "algorithm": [ - "HS256" - ] - } - }, - { - "name": "rsa-generated", - "providerId": "rsa-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ] - } - }, - { - "name": "aes-generated", - "providerId": "aes-generated", - "subComponents": {}, - "config": { - "priority": [ - "100" - ] - } - } - ] - }, - "internationalizationEnabled": false, - "supportedLocales": [], - "authenticationFlows": [ - { - "alias": "Account verification options", - "description": "Method with which to verity the existing account", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-email-verification", - "requirement": "ALTERNATIVE", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "requirement": "ALTERNATIVE", - "priority": 20, - "flowAlias": "Verify Existing Account by Re-authentication", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "alias": "Authentication Options", - "description": "Authentication options.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "basic-auth", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "basic-auth-otp", - "requirement": "DISABLED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "auth-spnego", - "requirement": "DISABLED", - "priority": 30, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "alias": "Browser - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "auth-otp-form", - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "alias": "Direct Grant - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "direct-grant-validate-otp", - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "alias": "First broker login - Conditional OTP", - "description": "Flow to determine if the OTP is required for the authentication", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "auth-otp-form", - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "alias": "Handle Existing Account", - "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-confirm-link", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "requirement": "REQUIRED", - "priority": 20, - "flowAlias": "Account verification options", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "alias": "Reset - Conditional OTP", - "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "conditional-user-configured", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "reset-otp", - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "alias": "User creation or linking", - "description": "Flow for the existing/non-existing user alternatives", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "create unique user config", - "authenticator": "idp-create-user-if-unique", - "requirement": "ALTERNATIVE", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "requirement": "ALTERNATIVE", - "priority": 20, - "flowAlias": "Handle Existing Account", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "alias": "Verify Existing Account by Re-authentication", - "description": "Reauthentication of existing account", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "idp-username-password-form", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "requirement": "CONDITIONAL", - "priority": 20, - "flowAlias": "First broker login - Conditional OTP", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "alias": "browser", - "description": "browser based authentication", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-cookie", - "requirement": "ALTERNATIVE", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "auth-spnego", - "requirement": "DISABLED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "identity-provider-redirector", - "requirement": "ALTERNATIVE", - "priority": 25, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "requirement": "ALTERNATIVE", - "priority": 30, - "flowAlias": "forms", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "alias": "clients", - "description": "Base authentication for clients", - "providerId": "client-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "client-secret", - "requirement": "ALTERNATIVE", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "client-jwt", - "requirement": "ALTERNATIVE", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "client-secret-jwt", - "requirement": "ALTERNATIVE", - "priority": 30, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "client-x509", - "requirement": "ALTERNATIVE", - "priority": 40, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "alias": "direct grant", - "description": "OpenID Connect Resource Owner Grant", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "direct-grant-validate-username", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "direct-grant-validate-password", - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "requirement": "CONDITIONAL", - "priority": 30, - "flowAlias": "Direct Grant - Conditional OTP", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "alias": "docker auth", - "description": "Used by Docker clients to authenticate against the IDP", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "docker-http-basic-authenticator", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "alias": "first broker login", - "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticatorConfig": "review profile config", - "authenticator": "idp-review-profile", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "requirement": "REQUIRED", - "priority": 20, - "flowAlias": "User creation or linking", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "alias": "forms", - "description": "Username, password, otp and other auth forms.", - "providerId": "basic-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "auth-username-password-form", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "requirement": "CONDITIONAL", - "priority": 20, - "flowAlias": "Browser - Conditional OTP", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "alias": "http challenge", - "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "no-cookie-redirect", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "requirement": "REQUIRED", - "priority": 20, - "flowAlias": "Authentication Options", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "alias": "registration", - "description": "registration flow", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "registration-page-form", - "requirement": "REQUIRED", - "priority": 10, - "flowAlias": "registration form", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "alias": "registration form", - "description": "registration form", - "providerId": "form-flow", - "topLevel": false, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "registration-user-creation", - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "registration-profile-action", - "requirement": "REQUIRED", - "priority": 40, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "registration-password-action", - "requirement": "REQUIRED", - "priority": 50, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "registration-recaptcha-action", - "requirement": "DISABLED", - "priority": 60, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - }, - { - "alias": "reset credentials", - "description": "Reset credentials for a user if they forgot their password or something", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "reset-credentials-choose-user", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "reset-credential-email", - "requirement": "REQUIRED", - "priority": 20, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "authenticator": "reset-password", - "requirement": "REQUIRED", - "priority": 30, - "userSetupAllowed": false, - "autheticatorFlow": false - }, - { - "requirement": "CONDITIONAL", - "priority": 40, - "flowAlias": "Reset - Conditional OTP", - "userSetupAllowed": false, - "autheticatorFlow": true - } - ] - }, - { - "alias": "saml ecp", - "description": "SAML ECP Profile Authentication Flow", - "providerId": "basic-flow", - "topLevel": true, - "builtIn": true, - "authenticationExecutions": [ - { - "authenticator": "http-basic-authenticator", - "requirement": "REQUIRED", - "priority": 10, - "userSetupAllowed": false, - "autheticatorFlow": false - } - ] - } - ], - "authenticatorConfig": [ - { - "alias": "create unique user config", - "config": { - "require.password.update.after.registration": "false" - } - }, - { - "alias": "review profile config", - "config": { - "update.profile.on.first.login": "missing" - } - } - ], - "requiredActions": [ - { - "alias": "CONFIGURE_TOTP", - "name": "Configure OTP", - "providerId": "CONFIGURE_TOTP", - "enabled": true, - "defaultAction": false, - "priority": 10, - "config": {} - }, - { - "alias": "terms_and_conditions", - "name": "Terms and Conditions", - "providerId": "terms_and_conditions", - "enabled": false, - "defaultAction": false, - "priority": 20, - "config": {} - }, - { - "alias": "UPDATE_PASSWORD", - "name": "Update Password", - "providerId": "UPDATE_PASSWORD", - "enabled": true, - "defaultAction": false, - "priority": 30, - "config": {} - }, - { - "alias": "UPDATE_PROFILE", - "name": "Update Profile", - "providerId": "UPDATE_PROFILE", - "enabled": true, - "defaultAction": false, - "priority": 40, - "config": {} - }, - { - "alias": "VERIFY_EMAIL", - "name": "Verify Email", - "providerId": "VERIFY_EMAIL", - "enabled": true, - "defaultAction": false, - "priority": 50, - "config": {} - }, - { - "alias": "update_user_locale", - "name": "Update User Locale", - "providerId": "update_user_locale", - "enabled": true, - "defaultAction": false, - "priority": 1000, - "config": {} - } - ], - "browserFlow": "browser", - "registrationFlow": "registration", - "directGrantFlow": "direct grant", - "resetCredentialsFlow": "reset credentials", - "clientAuthenticationFlow": "clients", - "dockerAuthenticationFlow": "docker auth", - "attributes": { - "clientOfflineSessionMaxLifespan": "0", - "clientSessionIdleTimeout": "0", - "clientSessionMaxLifespan": "0", - "clientOfflineSessionIdleTimeout": "0" - }, - "keycloakVersion": "11.0.0", - "userManagedAccessAllowed": false - } diff --git a/charts/forms-flow-idm/values.yaml b/charts/forms-flow-idm/values.yaml index bfa3b30e..4ec9bb1d 100644 --- a/charts/forms-flow-idm/values.yaml +++ b/charts/forms-flow-idm/values.yaml @@ -1,13 +1,42 @@ + --- keycloak: + ## @section Keycloak statefulset parameters + + ## @param replicaCount Number of Keycloak replicas to deploy + ## replicas: 1 + ## Keycloak authentication parameters + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials + ## auth: + ## @param auth.adminUser Keycloak administrator user + ## adminUser: admin + ## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. + ## production: true + ## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none + ## DEPRECATED: use proxyHeaders instead + ## ref: https://www.keycloak.org/server/reverseproxy + ## proxy: edge + ## HTTPS settings + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption + ## tls: + ## @param tls.enabled Enable TLS encryption. Required for HTTPs traffic. + ## enabled: true + ## @param tls.autoGenerated Generate automatically self-signed TLS certificates. Currently only supports PEM certificates + ## autoGenerated: true + ## @param extraEnvVars Extra environment variables to be set on Keycloak container + ## Example: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## extraEnvVars: - name: KEYCLOAK_ADMIN_USER value: admin @@ -22,50 +51,109 @@ keycloak: -Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.profile.feature.upload_scripts=enabled -Djava.net.preferIPv4Stack=true - + ## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods + ## extraVolumes: - - name: "forms-flow-idm-realm-config" - configMap: - name: "forms-flow-idm" - name: formsflow-themes - emptyDir: {} + emptyDir: {} + ## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s) + ## extraVolumeMounts: - - name: "forms-flow-idm-realm-config" + - name: "formsflow-themes" mountPath: "/opt/bitnami/keycloak/data/import" + subPath: import readOnly: false - mountPath: /opt/bitnami/keycloak/themes name: formsflow-themes subPath: themes + - mountPath: /opt/bitnami/keycloak/providers + name: formsflow-themes + subPath: providers + ## @param initContainers Add additional init containers to the Keycloak pods + ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## initContainers: - name: formsflow-themes - image: formsflow/forms-flow-idm-theme:v6.0 + image: formsflow/keycloak-customizations:v7.0.0 imagePullPolicy: Always securityContext: runAsUser: 1001 command: ["/bin/sh","-c"] args: - - "mkdir /opt/bitnami/keycloak/themes && \ - cp -rf /my-theme/* /opt/bitnami/keycloak/themes && \ - ls -ltra /opt/bitnami/keycloak/themes" + - "mkdir -p /opt/bitnami/keycloak/themes && \ + mkdir -p /opt/bitnami/keycloak/providers && \ + mkdir -p /opt/bitnami/keycloak/import && \ + cp -rf /custom/themes/* /opt/bitnami/keycloak/themes && \ + cp -rf /custom/imports/* /opt/bitnami/keycloak/import && \ + cp -rf /custom/providers/* /opt/bitnami/keycloak/providers" volumeMounts: - mountPath: /opt/bitnami/keycloak - name: formsflow-themes - + name: formsflow-themes + ## Bitnami Keycloak image version + ## ref: https://hub.docker.com/r/bitnami/keycloak/tags/ + ## @param image.registry [default: REGISTRY_NAME] Keycloak image registry + ## @param image.repository [default: REPOSITORY_NAME/keycloak] Keycloak image repository + ## @skip image.tag Keycloak image tag (immutable tags are recommended) + ## @param image.digest Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param image.pullPolicy Keycloak image pull policy + ## @param image.pullSecrets Specify docker-registry secret names as an array + ## @param image.debug Specify if debug logs should be enabled + ## image: registry: "docker.io" repository: "bitnami/keycloak" - tag: 23.0.7 - + tag: 25.0.6-debian-12-r0 + ## PostgreSQL chart configuration + ## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml + ## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart + ## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided + ## @param postgresql.auth.username Name for a custom user to create + ## @param postgresql.auth.password Password for the custom user to create + ## @param postgresql.auth.database Name for a custom database to create + ## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials + ## @param postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. + ## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) + ## postgresql: enabled: false - + ## External PostgreSQL configuration + ## All of these values are only used when postgresql.enabled is set to false + ## @param externalDatabase.host Database host + ## @param externalDatabase.port Database port number + ## @param externalDatabase.user Non-root username for Keycloak + ## @param externalDatabase.password Password for the non-root username for Keycloak + ## @param externalDatabase.database Keycloak database name + ## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials + ## @param externalDatabase.existingSecretHostKey Name of an existing secret key containing the database host name + ## @param externalDatabase.existingSecretPortKey Name of an existing secret key containing the database port + ## @param externalDatabase.existingSecretUserKey Name of an existing secret key containing the database user + ## @param externalDatabase.existingSecretDatabaseKey Name of an existing secret key containing the database name + ## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials + ## @param externalDatabase.annotations Additional custom annotations for external database secret object + ## externalDatabase: - host: "forms-flow-idm-postgresql-ha-pgpool" + host: "forms-flow-idm-postgresql-pgpool" port: 5432 user: postgres database: postgres password: "postgres" - + ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## resources: limits: cpu: 700m @@ -73,20 +161,42 @@ keycloak: requests: cpu: 500m memory: 2Gi - + ## Keycloak containers' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param containerSecurityContext.enabled Enabled containers' Security Context + ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param containerSecurityContext.privileged Set container's Security Context privileged + ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## containerSecurityContext: enabled: false + ## + ## Keycloak pods' SecurityContext + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param podSecurityContext.enabled Enabled Keycloak pods' Security Context + ## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup + ## podSecurityContext: enabled: false + ## @section Exposure parameters + ## - keycloakConfigCli: - containerSecurityContext: - enabled: false - podSecurityContext: - enabled: false - + ## Service configuration + ## service: type: ClusterIP + ## Keycloak ingress parameters + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ + ## ingress: ingressClassName: "" annotations: @@ -99,38 +209,156 @@ keycloak: pathtype: Prefix servicePort: http tls: true - + ## @param httpRelativePath Set the path relative to '/' for serving resources. Useful if you are migrating from older version which were using '/auth/' + ## ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed + ## httpRelativePath: /auth/ + ## Keycloak cache configuration + ## ref: https://www.keycloak.org/server/caching + ## @param cache.enabled Switch to enable or disable the keycloak distributed cache for kubernetes. + ## NOTE: Set to false to use 'local' cache (only supported when replicaCount=1). + ## @param cache.stackName Set infinispan cache stack to use + ## @param cache.stackFile Set infinispan cache stack filename to use + ## cache: enabled: false - postgresql-ha: - enabled: true + enabled: true + ## @param fullnameOverride String to fully override common.names.fullname template + ## + fullnameOverride: "forms-flow-idm-postgresql" + ## @section PostgreSQL with Repmgr parameters + + ## PostgreSQL parameters + ## postgresql: - enabled: true + ## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ + ## @param postgresql.image.registry [default: REGISTRY_NAME] PostgreSQL with Repmgr image registry + ## @param postgresql.image.repository [default: REPOSITORY_NAME/postgresql-repmgr] PostgreSQL with Repmgr image repository + ## @skip postgresql.image.tag PostgreSQL with Repmgr image tag + ## @param postgresql.image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param postgresql.image.pullPolicy PostgreSQL with Repmgr image pull policy + ## @param postgresql.image.pullSecrets Specify docker-registry secret names as an array + ## @param postgresql.image.debug Specify if debug logs should be enabled + ## image: registry: docker.io repository: bitnami/postgresql-repmgr - tag: 16.3.0-debian-12-r20 - fullnameOverride: "forms-flow-idm-postgresql" + tag: 17.2.0-debian-12-r3 + ## @param postgresql.replicaCount Number of replicas to deploy. Use an odd number. Having 3 replicas is the minimum to get quorum when promoting a new primary. + ## replicaCount: 3 + ## @param postgresql.containerPorts.postgresql PostgreSQL port + ## containerPorts: postgresql: 5432 + ## K8s Security Context + ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param postgresql.podSecurityContext.enabled Enable security context for PostgreSQL with Repmgr + ## @param postgresql.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param postgresql.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param postgresql.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param postgresql.podSecurityContext.fsGroup Group ID for the PostgreSQL with Repmgr filesystem + ## podSecurityContext: enabled: false + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## Container Security Context + ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param postgresql.containerSecurityContext.enabled Enabled containers' Security Context + ## @param postgresql.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param postgresql.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param postgresql.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param postgresql.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param postgresql.containerSecurityContext.privileged Set container's Security Context privileged + ## @param postgresql.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param postgresql.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param postgresql.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param postgresql.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## e.g: + ## containerSecurityContext: + ## enabled: true + ## capabilities: + ## drop: ["NET_RAW"] + ## readOnlyRootFilesystem: true + ## containerSecurityContext: enabled: false + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## PostgreSQL container's liveness probe + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param postgresql.livenessProbe.enabled Enable livenessProbe + ## @param postgresql.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param postgresql.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param postgresql.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param postgresql.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param postgresql.livenessProbe.successThreshold Success threshold for livenessProbe + ## livenessProbe: enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + ## PostgreSQL container's readiness probe + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param postgresql.readinessProbe.enabled Enable readinessProbe + ## @param postgresql.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param postgresql.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param postgresql.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param postgresql.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param postgresql.readinessProbe.successThreshold Success threshold for readinessProbe + ## readinessProbe: enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + ## PostgreSQL configuration parameters + ## @param postgresql.username PostgreSQL username + ## @param postgresql.password PostgreSQL password + ## @param postgresql.database PostgreSQL database + ## username: postgres password: "postgres" database: "forms-flow-idm" + ## @param postgresql.postgresPassword PostgreSQL password for the `postgres` user when `username` is not `postgres` + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-user-on-first-run (see note!) + ## postgresPassword: "changeme" + ## @param postgresql.usePasswordFile Set to `true` to mount PostgreSQL secret as a file instead of passing environment variable + ## usePasswordFile: "false" + ## Repmgr configuration parameters + ## @param postgresql.repmgrUsername PostgreSQL Repmgr username + ## @param postgresql.repmgrPassword PostgreSQL Repmgr password + ## @param postgresql.repmgrDatabase PostgreSQL Repmgr database + ## @param postgresql.repmgrLogLevel Repmgr log level (DEBUG, INFO, NOTICE, WARNING, ERROR, ALERT, CRIT or EMERG) + ## @param postgresql.repmgrConnectTimeout Repmgr backend connection timeout (in seconds) + ## @param postgresql.repmgrReconnectAttempts Repmgr backend reconnection attempts + ## @param postgresql.repmgrReconnectInterval Repmgr backend reconnection interval (in seconds) + ## @param postgresql.repmgrFenceOldPrimary Set if fencing of old primary in multiple primary situation is desired + ## @param postgresql.repmgrChildNodesCheckInterval Repmgr child nodes check interval (in seconds) + ## @param postgresql.repmgrChildNodesConnectedMinCount Repmgr minimum number of connected child nodes before being considered as failed primary for fencing + ## @param postgresql.repmgrChildNodesDisconnectTimeout Repmgr time before node will be fenced when insufficient child nodes are detected (in seconds) + ## repmgrUsername: repmgr repmgrPassword: "changeme" repmgrDatabase: repmgr @@ -142,6 +370,16 @@ postgresql-ha: repmgrChildNodesCheckInterval: 5 repmgrChildNodesConnectedMinCount: 1 repmgrChildNodesDisconnectTimeout: 30 + ## @param postgresql.initdbScripts Dictionary of initdb scripts + ## Specify dictionary of scripts to be run at first boot + ## The allowed extensions are `.sh`, `.sql` and `.sql.gz` + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha#initialize-a-fresh-instance + ## e.g: + ## initdbScripts: + ## my_init_script.sh: | + ## #!/bin/sh + ## echo "Do something." + ## initdbScripts: init_script.sql: | GRANT pg_read_all_data TO postgres; @@ -159,45 +397,163 @@ postgresql-ha: GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO repmgr; alter database "forms-flow-idm" set default_transaction_read_only = off; + ## @section Pgpool parameters + + ## Pgpool parameters + ## pgpool: + ## Bitnami Pgpool image + ## ref: https://hub.docker.com/r/bitnami/pgpool/tags/ + ## @param pgpool.image.registry [default: REGISTRY_NAME] Pgpool image registry + ## @param pgpool.image.repository [default: REPOSITORY_NAME/pgpool] Pgpool image repository + ## @skip pgpool.image.tag Pgpool image tag + ## @param pgpool.image.digest Pgpool image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param pgpool.image.pullPolicy Pgpool image pull policy + ## @param pgpool.image.pullSecrets Specify docker-registry secret names as an array + ## @param pgpool.image.debug Specify if debug logs should be enabled + ## image: registry: docker.io repository: bitnami/pgpool - tag: 4.5.2-debian-12-r5 + tag: 4.5.5-debian-12-r0 digest: "" + ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## pullPolicy: IfNotPresent + ## @param pgpool.replicaCount The number of replicas to deploy + ## replicaCount: 1 + ## K8s Security Context + ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param pgpool.podSecurityContext.enabled Enable security context for Pgpool + ## @param pgpool.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param pgpool.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param pgpool.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param pgpool.podSecurityContext.fsGroup Group ID for the Pgpool filesystem + ## podSecurityContext: enabled: false + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 + ## Container Security Context + ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param pgpool.containerSecurityContext.enabled Enabled containers' Security Context + ## @param pgpool.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param pgpool.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param pgpool.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param pgpool.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param pgpool.containerSecurityContext.privileged Set container's Security Context privileged + ## @param pgpool.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param pgpool.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param pgpool.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param pgpool.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## e.g: + ## containerSecurityContext: + ## enabled: true + ## capabilities: + ## drop: ["NET_RAW"] + ## readOnlyRootFilesystem: false + ## containerSecurityContext: + seLinuxOptions: {} enabled: false runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true - readOnlyRootFilesystem: false + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Pgpool container's liveness probe + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param pgpool.livenessProbe.enabled Enable livenessProbe + ## @param pgpool.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param pgpool.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param pgpool.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param pgpool.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param pgpool.livenessProbe.successThreshold Success threshold for livenessProbe + ## livenessProbe: enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## Pgpool container's readiness probe + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param pgpool.readinessProbe.enabled Enable readinessProbe + ## @param pgpool.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param pgpool.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param pgpool.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param pgpool.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param pgpool.readinessProbe.successThreshold Success threshold for readinessProbe + ## readinessProbe: enabled: false + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param pgpool.containerPorts.postgresql Pgpool port + ## containerPorts: postgresql: 5432 + ## Credentials for the pgpool administrator + ## @param pgpool.adminUsername Pgpool Admin username + ## @param pgpool.adminPassword Pgpool Admin password + ## adminUsername: admin adminPassword: "changeme" - service: - type: ClusterIP - ports: - metrics: 9187 + ## @section Persistence parameters + + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ + ## persistence: + ## @param persistence.enabled Enable data persistence + ## enabled: true + ## @param persistence.storageClass Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## storageClass: "" + ## @param persistence.mountPath The path the volume will be mounted at, useful when using different PostgreSQL images. + ## mountPath: /bitnami/postgresql + ## @param persistence.accessModes List of access modes of data volume + ## accessModes: - ReadWriteOnce size: 8Gi + ## @section Traffic Exposure parameters + + ## PostgreSQL service parameters + ## service: + ## @param service.type Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) + ## type: ClusterIP + ## @param service.ports.postgresql PostgreSQL port + ## ports: postgresql: 5432 + ## @param service.portName PostgreSQL service port name + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services + ## portName: postgresql + ## @param service.nodePorts.postgresql Kubernetes service nodePort + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## nodePorts: - postgresql: "" \ No newline at end of file + postgresql: "" diff --git a/charts/forms-flow-ssl/forms-flow-admin/Chart.yaml b/charts/forms-flow-ssl/forms-flow-admin/Chart.yaml deleted file mode 100644 index d0755c33..00000000 --- a/charts/forms-flow-ssl/forms-flow-admin/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v2 -name: forms-flow-admin -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-admin/templates/cert.yaml b/charts/forms-flow-ssl/forms-flow-admin/templates/cert.yaml deleted file mode 100644 index a2854b16..00000000 --- a/charts/forms-flow-ssl/forms-flow-admin/templates/cert.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} -spec: - secretName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}-tls - issuerRef: - name: {{ .Chart.Name }}-{{.Release.Namespace}} - kind: ClusterIssuer - commonName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} - dnsNames: - - {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-admin/templates/issuer.yaml b/charts/forms-flow-ssl/forms-flow-admin/templates/issuer.yaml deleted file mode 100644 index 4e5f2f58..00000000 --- a/charts/forms-flow-ssl/forms-flow-admin/templates/issuer.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" -spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: {{ .Values.issuer.acmeEmail }} - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: {{ .Values.issuer.ingressClass }} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-admin/values.yaml b/charts/forms-flow-ssl/forms-flow-admin/values.yaml deleted file mode 100644 index 826458f3..00000000 --- a/charts/forms-flow-ssl/forms-flow-admin/values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -Domain: # -issuer: - acmeEmail: "" - ingressClass: nginx \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-analytics/Chart.yaml b/charts/forms-flow-ssl/forms-flow-analytics/Chart.yaml deleted file mode 100644 index df1a327b..00000000 --- a/charts/forms-flow-ssl/forms-flow-analytics/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v2 -name: forms-flow-analytics -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-analytics/templates/cert.yaml b/charts/forms-flow-ssl/forms-flow-analytics/templates/cert.yaml deleted file mode 100644 index a2854b16..00000000 --- a/charts/forms-flow-ssl/forms-flow-analytics/templates/cert.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} -spec: - secretName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}-tls - issuerRef: - name: {{ .Chart.Name }}-{{.Release.Namespace}} - kind: ClusterIssuer - commonName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} - dnsNames: - - {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-analytics/templates/issuer.yaml b/charts/forms-flow-ssl/forms-flow-analytics/templates/issuer.yaml deleted file mode 100644 index 4e5f2f58..00000000 --- a/charts/forms-flow-ssl/forms-flow-analytics/templates/issuer.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" -spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: {{ .Values.issuer.acmeEmail }} - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: {{ .Values.issuer.ingressClass }} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-analytics/values.yaml b/charts/forms-flow-ssl/forms-flow-analytics/values.yaml deleted file mode 100644 index 826458f3..00000000 --- a/charts/forms-flow-ssl/forms-flow-analytics/values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -Domain: # -issuer: - acmeEmail: "" - ingressClass: nginx \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-api/Chart.yaml b/charts/forms-flow-ssl/forms-flow-api/Chart.yaml deleted file mode 100644 index a9ff6b10..00000000 --- a/charts/forms-flow-ssl/forms-flow-api/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v2 -name: forms-flow-api -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-api/templates/cert.yaml b/charts/forms-flow-ssl/forms-flow-api/templates/cert.yaml deleted file mode 100644 index a2854b16..00000000 --- a/charts/forms-flow-ssl/forms-flow-api/templates/cert.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} -spec: - secretName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}-tls - issuerRef: - name: {{ .Chart.Name }}-{{.Release.Namespace}} - kind: ClusterIssuer - commonName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} - dnsNames: - - {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-api/templates/issuer.yaml b/charts/forms-flow-ssl/forms-flow-api/templates/issuer.yaml deleted file mode 100644 index 4e5f2f58..00000000 --- a/charts/forms-flow-ssl/forms-flow-api/templates/issuer.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" -spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: {{ .Values.issuer.acmeEmail }} - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: {{ .Values.issuer.ingressClass }} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-api/values.yaml b/charts/forms-flow-ssl/forms-flow-api/values.yaml deleted file mode 100644 index 826458f3..00000000 --- a/charts/forms-flow-ssl/forms-flow-api/values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -Domain: # -issuer: - acmeEmail: "" - ingressClass: nginx \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-bpm/Chart.yaml b/charts/forms-flow-ssl/forms-flow-bpm/Chart.yaml deleted file mode 100644 index 44388967..00000000 --- a/charts/forms-flow-ssl/forms-flow-bpm/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v2 -name: forms-flow-bpm -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-bpm/templates/cert.yaml b/charts/forms-flow-ssl/forms-flow-bpm/templates/cert.yaml deleted file mode 100644 index a2854b16..00000000 --- a/charts/forms-flow-ssl/forms-flow-bpm/templates/cert.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} -spec: - secretName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}-tls - issuerRef: - name: {{ .Chart.Name }}-{{.Release.Namespace}} - kind: ClusterIssuer - commonName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} - dnsNames: - - {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-bpm/templates/issuer.yaml b/charts/forms-flow-ssl/forms-flow-bpm/templates/issuer.yaml deleted file mode 100644 index 4e5f2f58..00000000 --- a/charts/forms-flow-ssl/forms-flow-bpm/templates/issuer.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" -spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: {{ .Values.issuer.acmeEmail }} - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: {{ .Values.issuer.ingressClass }} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-bpm/values.yaml b/charts/forms-flow-ssl/forms-flow-bpm/values.yaml deleted file mode 100644 index 826458f3..00000000 --- a/charts/forms-flow-ssl/forms-flow-bpm/values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -Domain: # -issuer: - acmeEmail: "" - ingressClass: nginx \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-data-analysis/Chart.yaml b/charts/forms-flow-ssl/forms-flow-data-analysis/Chart.yaml deleted file mode 100644 index 19ff0869..00000000 --- a/charts/forms-flow-ssl/forms-flow-data-analysis/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v2 -name: forms-flow-data-analysis -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-data-analysis/templates/cert.yaml b/charts/forms-flow-ssl/forms-flow-data-analysis/templates/cert.yaml deleted file mode 100644 index a2854b16..00000000 --- a/charts/forms-flow-ssl/forms-flow-data-analysis/templates/cert.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} -spec: - secretName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}-tls - issuerRef: - name: {{ .Chart.Name }}-{{.Release.Namespace}} - kind: ClusterIssuer - commonName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} - dnsNames: - - {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-data-analysis/templates/issuer.yaml b/charts/forms-flow-ssl/forms-flow-data-analysis/templates/issuer.yaml deleted file mode 100644 index 4e5f2f58..00000000 --- a/charts/forms-flow-ssl/forms-flow-data-analysis/templates/issuer.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" -spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: {{ .Values.issuer.acmeEmail }} - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: {{ .Values.issuer.ingressClass }} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-data-analysis/values.yaml b/charts/forms-flow-ssl/forms-flow-data-analysis/values.yaml deleted file mode 100644 index 826458f3..00000000 --- a/charts/forms-flow-ssl/forms-flow-data-analysis/values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -Domain: # -issuer: - acmeEmail: "" - ingressClass: nginx \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-documents-api/Chart.yaml b/charts/forms-flow-ssl/forms-flow-documents-api/Chart.yaml deleted file mode 100644 index f2fff9fd..00000000 --- a/charts/forms-flow-ssl/forms-flow-documents-api/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v2 -name: forms-flow-documents-api -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-documents-api/templates/cert.yaml b/charts/forms-flow-ssl/forms-flow-documents-api/templates/cert.yaml deleted file mode 100644 index a2854b16..00000000 --- a/charts/forms-flow-ssl/forms-flow-documents-api/templates/cert.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} -spec: - secretName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}-tls - issuerRef: - name: {{ .Chart.Name }}-{{.Release.Namespace}} - kind: ClusterIssuer - commonName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} - dnsNames: - - {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-documents-api/templates/issuer.yaml b/charts/forms-flow-ssl/forms-flow-documents-api/templates/issuer.yaml deleted file mode 100644 index 4e5f2f58..00000000 --- a/charts/forms-flow-ssl/forms-flow-documents-api/templates/issuer.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" -spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: {{ .Values.issuer.acmeEmail }} - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: {{ .Values.issuer.ingressClass }} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-documents-api/values.yaml b/charts/forms-flow-ssl/forms-flow-documents-api/values.yaml deleted file mode 100644 index 826458f3..00000000 --- a/charts/forms-flow-ssl/forms-flow-documents-api/values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -Domain: # -issuer: - acmeEmail: "" - ingressClass: nginx \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-forms/Chart.yaml b/charts/forms-flow-ssl/forms-flow-forms/Chart.yaml deleted file mode 100644 index 7b971ef1..00000000 --- a/charts/forms-flow-ssl/forms-flow-forms/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v2 -name: forms-flow-forms -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-forms/templates/cert.yaml b/charts/forms-flow-ssl/forms-flow-forms/templates/cert.yaml deleted file mode 100644 index a2854b16..00000000 --- a/charts/forms-flow-ssl/forms-flow-forms/templates/cert.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} -spec: - secretName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}-tls - issuerRef: - name: {{ .Chart.Name }}-{{.Release.Namespace}} - kind: ClusterIssuer - commonName: {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} - dnsNames: - - {{ .Chart.Name }}-{{.Release.Namespace}}.{{tpl .Values.Domain .}} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-forms/templates/issuer.yaml b/charts/forms-flow-ssl/forms-flow-forms/templates/issuer.yaml deleted file mode 100644 index 4e5f2f58..00000000 --- a/charts/forms-flow-ssl/forms-flow-forms/templates/issuer.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" -spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: {{ .Values.issuer.acmeEmail }} - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: "{{ .Chart.Name }}-{{.Release.Namespace}}" - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: {{ .Values.issuer.ingressClass }} \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-forms/values.yaml b/charts/forms-flow-ssl/forms-flow-forms/values.yaml deleted file mode 100644 index 826458f3..00000000 --- a/charts/forms-flow-ssl/forms-flow-forms/values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -Domain: # -issuer: - acmeEmail: "" - ingressClass: nginx \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-idm/Chart.yaml b/charts/forms-flow-ssl/forms-flow-idm/Chart.yaml index 73cbcc96..ace0d169 100644 --- a/charts/forms-flow-ssl/forms-flow-idm/Chart.yaml +++ b/charts/forms-flow-ssl/forms-flow-idm/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v2 name: forms-flow-idm -version: v7.1.2 +version: v8.0.0 icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file diff --git a/charts/forms-flow-ssl/forms-flow-web/Chart.yaml b/charts/forms-flow-ssl/forms-flow-web/Chart.yaml index 6ae5c375..d946c6c1 100644 --- a/charts/forms-flow-ssl/forms-flow-web/Chart.yaml +++ b/charts/forms-flow-ssl/forms-flow-web/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v2 name: forms-flow-web -version: v7.1.2 +version: v8.0.0 icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file diff --git a/charts/forms-flow-web/.helmignore b/charts/forms-flow-web/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/forms-flow-web/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/forms-flow-web/Chart.yaml b/charts/forms-flow-web/Chart.yaml index 94b701f4..13c99f9a 100644 --- a/charts/forms-flow-web/Chart.yaml +++ b/charts/forms-flow-web/Chart.yaml @@ -1,5 +1,13 @@ ---- apiVersion: v2 name: forms-flow-web -version: v7.1.2 -icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" \ No newline at end of file +description: forms-flow-web delivers progressive web application with React provided by formsflow. +icon: "https://raw.githubusercontent.com/AOT-Technologies/forms-flow-ai/develop/.images/logo.png" +version: v8.0.0 +type: application +appVersion: "8.0.0" +dependencies: +- name: common + repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x diff --git a/charts/forms-flow-web/README.md b/charts/forms-flow-web/README.md new file mode 100644 index 00000000..7cb0faab --- /dev/null +++ b/charts/forms-flow-web/README.md @@ -0,0 +1,226 @@ +# Formsflow.ai Web Application + +formsflow.ai delivers progressive web application with React version 17.0.2 and create-react-app. Also currently uses form.io version 3.2.0. + +## Introduction + +This chart bootstraps a forms-flow-web deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + + +## Installing the Chart + +To install the chart with the release name `forms-flow-web`: + +```console +helm install forms-flow-web forms-flow-web +``` + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + + +```console +helm install forms-flow-web forms-flow-web --set ingress.ingressClassName=INGRESS_CLASS --set ingress.hostname=HOSTNAME +``` + +> Note: You need to substitute the placeholders `INGRESS_CLASS`, `HOSTNAME` with a reference to your Helm chart registry and repository. For example, in the case of Formsflow, you need to use `DOMAIN_NAME=example.com` and `INGRESS_CLASS=nginx` + +These commands deploy Forms-flow-web on the Kubernetes cluster + +> **Tip**: List all releases using `helm list` + +### Resource requests and limits + +Forms-flow-web charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +```yaml +resources: + limits: + cpu: 200m + memory: 1Gi + requests: + cpu: 100m + memory: 512Mi +``` + +### Change Forms-flow-web version + +To modify the Forms-flow-web version used in this chart you can specify a [valid image tag](https://hub.docker.com/repository/docker/formsflow/forms-flow-web) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. + +#### Using the OpenSource Version +By default, the chart uses the OpenSource version of the `Forms-flow-WEB`. You can change the image tag to any valid version of the OpenSource image, as shown below: + +```yaml +image: + registry: docker.io + repository: formsflow/forms-flow-web + tag: X.Y.Z # Replace with the desired OpenSource version +``` +#### Using the Enterprise Version +If you're using the enterprise version of Forms-flow-web, you can switch the image repository to `formsflow/forms-flow-web-ee`. The enterprise version includes additional features and support designed for larger-scale or production environments. To use the enterprise version, update the repository field as shown below: + +```yaml +image: + registry: docker.io + repository: formsflow/forms-flow-web-ee + tag: X.Y.Z # Replace with the desired enterprise version +``` +Make sure to replace X.Y.Z with the specific version number you wish to use for either the OpenSource or enterprise version. + +### EE Specific Environment Variables +When deploying the Enterprise Edition (EE) for forms-flow-web, the environment variables specific to the EE deployment are already included in the `values.yaml` file of the forms-flow-web chart. + +Make sure to replace `clarity_key` and `show_premium_icon` with the appropriate values provided to you. + +Example: +```yaml +ShowPremiumIcon: SHOW_PREMIUM_ICON +ClarityKey: true +``` + +- `CLARITY_KEY_VALUE` should be replaced with the actual clarity key provided to you. +- `SHOW_PREMIUM_ICON` should be set to "true" to display the premium icon in the EE version of the application. + +These environment variables will be used to enable EE-specific features in forms-flow-web. + +## Parameters + +| Parameter | Description | Default Value | +|-----------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `replicaCount` | Number of replicas to run for the application. | `1` | +| `image.registry` | Docker registry for the application image. | `docker.io` | +| `image.repository` | Repository name for the application image. | `formsflow/forms-flow-web` | +| `image.pullPolicy` | Image pull policy for the application. | `IfNotPresent` | +| `image.tag` | Tag of the image to use for the application. | `v7.0.0` | +| `image.pullSecrets` | Secrets to use for pulling the application image. | `["forms-flow-ai-auth"]` | +| `nameOverride` | Override for the name of the application. | `""` | +| `fullnameOverride` | Override for the full name of the application. | `""` | +| `commonLabels` | Common labels to apply to all resources. | `{}` | +| `commonAnnotations` | Common annotations to apply to all resources. | `{}` | +| `nodeSelector` | Node selector for scheduling pods. | `{}` | +| `tolerations` | Tolerations for scheduling pods. | `[]` | +| `affinity` | Affinity rules for scheduling pods. | `{}` | +| `priorityClassName` | Name of the priority class for the application pods. | `""` | +| `schedulerName` | Name of the scheduler to use for scheduling pods. | `""` | +| `terminationGracePeriodSeconds` | Grace period for pod termination. | `""` | +| `topologySpreadConstraints` | Constraints for spreading pods across nodes. | `[]` | +| `diagnosticMode.enabled` | Enable diagnostic mode for the application. | `false` | +| `diagnosticMode.command` | Command to run in diagnostic mode. | `["sleep"]` | +| `diagnosticMode.args` | Arguments for the diagnostic mode command. | `["infinity"]` | +| `hostAliases` | Host aliases for the application pods. | `[]` | +| `serviceAccount.create` | Create a service account for the application. | `true` | +| `serviceAccount.annotations` | Annotations for the service account. | `{}` | +| `serviceAccount.name` | Name of the service account to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Automount the service account token. | `false` | +| `podAnnotations` | Annotations for the application pods. | `{}` | +| `podLabels` | Labels for the application pods. | `{}` | +| `podAffinityPreset` | Pod affinity preset for the application. | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset for the application. | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type for the application. | `""` | +| `nodeAffinityPreset.key` | Key for node affinity preset. | `""` | +| `nodeAffinityPreset.values` | Values for node affinity preset. | `[]` | +| `podSecurityContext.enabled` | Enable pod security context. | `false` | +| `podSecurityContext.fsGroupChangePolicy`| Policy for changing filesystem group. | `Always` | +| `podSecurityContext.sysctls` | Sysctl settings for the pod. | `[]` | +| `podSecurityContext.supplementalGroups` | Supplemental groups for the pod. | `[]` | +| `podSecurityContext.fsGroup` | Filesystem group for the pod. | `1001` | +| `containerSecurityContext.enabled` | Enable container security context. | `false` | +| `containerSecurityContext.seLinuxOptions` | SELinux options for the container. | `{}` | +| `containerSecurityContext.runAsUser` | User ID to run the container as. | `1001` | +| `containerSecurityContext.runAsGroup` | Group ID to run the container as. | `1001` | +| `containerSecurityContext.runAsNonRoot` | Run the container as a non-root user. | `false` | +| `containerSecurityContext.privileged` | Allow the container to run in privileged mode. | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Mount the root filesystem as read-only. | `false` | +| `containerSecurityContext.allowPrivilegeEscalation` | Allow privilege escalation. | `false` | +| `containerSecurityContext.capabilities.drop` | Capabilities to drop from the container. | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Seccomp profile type for the container. | `RuntimeDefault` | +| `command` | Command to run in the container. | `[]` | +| `args` | Arguments to pass to the command. | `[]` | +| `lifecycleHooks.postStart` | Lifecycle hooks for the pod, such as post-start actions. | `{exec: {command: ["/bin/sh", "-c", "envsubst < /tmp/{{.Chart.Name}}-config.template/config.js > {{.Values.config_path}}/config.js;"]}}` | +| `automountServiceAccountToken` | Automount the service account token in the pod. | `true` | +| `extraEnvVars` | Extra environment variables to add to the container. | `[]` | +| `extraEnvVarsCM` | ConfigMap for extra environment variables. | `""` | +| `extraVolumes` | Extra volumes to add to the pod. | `{}` | +| `extraVolumeMounts` | Extra volume mounts for the pod. | `{}` | +| `existingSecret` | Existing secret containing username, password, and database name. | `""` | +| `updateStrategy.type` | Update strategy for the deployment (e.g., `RollingUpdate`). | `RollingUpdate` | +| `updateStrategy.rollingUpdate.maxSurge` | Maximum number of pods that can be created above the desired number of pods during an update. | `25%` | +| `updateStrategy.rollingUpdate.maxUnavailable` | Maximum number of pods that can be unavailable during an update. | `25%` | +| `pdb.create` | Create a Pod Disruption Budget for the application. | `true` | +| `pdb.minAvailable` | Minimum number of available pods during disruptions. | `""` | +| `pdb.maxUnavailable` | Maximum number of unavailable pods during disruptions. | `""` | +| `customStartupProbe` | Custom startup probe configuration for the application. | `{}` | +| `customLivenessProbe` | Custom liveness probe configuration for the application. | `{}` | +| `customReadinessProbe` | Custom readiness probe configuration for the application. | `{}` | +| `formsflow.configmap` | Name of the FormsFlow configmap for integration environment variables. | `forms-flow-ai` | +| `formsflow.secret` | Name of the FormsFlow secret for integration environment variables. | `forms-flow-ai` | +| `analytics.configmap` | Name of the FormsFlow analytics configmap for integration. | `forms-flow-analytics` | +| `analytics.secret` | Name of the FormsFlow analytics secret for integration. | `forms-flow-analytics` | +| `web.base_custom_url` | Base URL for the web application. | `""` | +| `web.custom_theme_url` | Custom theme URL for the web application. | `""` | +| `config_path` | Path for configuration files. | `/usr/share/nginx/html/config/` | +| `webclient` | Name of the web client application. | `"{{.Chart.Name}}"` | +| `webname` | Name of the web application. | `formsflow` | +| `UserAccesPermissions` | User access permissions for the application. | `""` | +| `autoscaling.enabled` | Enable or disable autoscaling for the application. | `false` | +| `autoscaling.minReplicas` | Minimum number of replicas for autoscaling. | `1` | +| `autoscaling.maxReplicas` | Maximum number of replicas for autoscaling. | `11` | +| `autoscaling.targetCPU` | Target CPU utilization percentage for autoscaling. | `""` | +| `autoscaling.targetMemory` | Target memory utilization percentage for autoscaling. | `""` | +| `autoscaling.behavior.scaleUp` | Scaling behavior when scaling up. | `{ stabilizationWindowSeconds: 120, selectPolicy: Max, policies: [] }` | +| `autoscaling.behavior.scaleDown` | Scaling behavior when scaling down. | `{ stabilizationWindowSeconds: 300, selectPolicy: Max, policies: [{ type: Pods, value: 1, periodSeconds: 300 }] }` | +| `enable_forms_module` | Enable or disable tasks module | `true` | +| `enable_tasks_module` | Enable or disable tasks module | `true` | +| `enable_dashboards_module` | Enable or disable dashboards module | `true` | +| `enable_processes_module` | Enable or disable process module | `true` | +| `enable_applications_module` | Enable or disable application module | `true` | +| `public_workflow_enabled` | Enable or disable workflow - public | `false` | +| `opentelemetry_service` | Enable or disable opentelemetry service | `false` | + + +## Ingress Parameters + +| Parameter | Description | Default Value | +|-----------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `ingress.enabled` | Enable or disable ingress for the application. | `true` | +| `ingress.ingressClassName` | Class name for the ingress resource. | `""` | +| `ingress.pathType` | Type of path matching for the ingress. | `ImplementationSpecific` | +| `ingress.apiVersion` | API version of the ingress resource. | `""` | +| `ingress.controller` | Ingress controller to use. | `default` | +| `ingress.hostname` | Hostname for the ingress resource. | `forms-flow-web.local` | +| `ingress.path` | Path for the ingress resource. | `/` | +| `ingress.servicePort` | Service port to route traffic to. | `8080` | +| `ingress.annotations` | Annotations for the ingress resource. | `{}` | +| `ingress.labels` | Labels for the ingress resource. | `{}` | +| `ingress.tls` | Enable TLS for the ingress. | `true` | +| `ingress.selfSigned` | Whether to use self-signed certificates. | `false` | +| `ingress.extraHosts` | Additional hosts for the ingress. | `[]` | +| `ingress.extraPaths` | Additional paths for the ingress. | `[]` | +| `ingress.extraTls` | Additional TLS settings for the ingress. | `[]` | +| `ingress.secrets` | Secrets for TLS configuration. | `[]` | +| `ingress.extraRules` | Additional rules for the ingress. | `[]` | + +## Resource Parameters + +| Parameter | Description | Default Value | +|-----------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `resourcesPreset` | Resource preset for the application. | `small` | +| `resources.limits.cpu` | Maximum CPU resource limit for the application. | `200m` | +| `resources.limits.memory` | Maximum memory resource limit for the application. | `1Gi` | +| `resources.requests.cpu` | Minimum CPU resource request for the application. | `100m` | +| `resources.requests.memory` | Minimum memory resource request for the application. | `512Mi` | + +## Service Parameters + +| Parameter | Description | Default Value | +|-----------------------------------------|------------------------------------------------------------------------------------------------------|-----------------------------| +| `service.type` | Type of the service (e.g., `ClusterIP`, `NodePort`, `LoadBalancer`). | `ClusterIP` | +| `service.ports` | Ports for the service. | `[{ name: http, port: 8080, targetPort: http, protocol: TCP }]` | +| `service.loadBalancerIP` | LoadBalancer IP for the service (if applicable). | `""` | +| `service.loadBalancerSourceRanges` | Allowed IP ranges for LoadBalancer source. | `[]` | +| `service.externalTrafficPolicy` | External traffic policy for the service. | `""` | +| `service.clusterIP` | Static ClusterIP for the service. | `""` | +| `service.annotations` | Annotations for the service. | `{}` | +| `service.sessionAffinity` | Session affinity settings for the service (e.g., `None` or `ClientIP`). | `None` | +| `service.sessionAffinityConfig` | Additional settings for session affinity. | `{}` | +| `service.headless.annotations` | Annotations for the headless service. | `{}` | + diff --git a/charts/forms-flow-web/templates/_helpers.tpl b/charts/forms-flow-web/templates/_helpers.tpl new file mode 100644 index 00000000..9979f329 --- /dev/null +++ b/charts/forms-flow-web/templates/_helpers.tpl @@ -0,0 +1,86 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "forms-flow-web.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "forms-flow-web.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "forms-flow-web.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "forms-flow-web.labels" -}} +helm.sh/chart: {{ include "forms-flow-web.chart" . }} +{{ include "forms-flow-web.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "forms-flow-web.selectorLabels" -}} +app.kubernetes.io/name: {{ include "forms-flow-web.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "forms-flow-web.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "forms-flow-web.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Return true if a configmap object should be created +*/}} +{{- define "forms-flow-web.createConfigmap" -}} +{{- if and .Values.configuration (not .Values.existingConfigmap) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* + Return the proper forms-flow-web image name +*/}} +{{- define "forms-flow-web.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "forms-flow-web.imagePullSecrets" -}} +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) -}} +{{- end -}} \ No newline at end of file diff --git a/charts/forms-flow-web/templates/configmap.yaml b/charts/forms-flow-web/templates/configmap.yaml index 06ba1bfb..1696efd3 100644 --- a/charts/forms-flow-web/templates/configmap.yaml +++ b/charts/forms-flow-web/templates/configmap.yaml @@ -1,70 +1,27 @@ ---- apiVersion: v1 kind: ConfigMap metadata: - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-web + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} data: - KEYCLOAK_CLIENT: "{{tpl .Values.webclient .}}" - APPLICATION_NAME: "{{tpl .Values.webname .}}" + KEYCLOAK_CLIENT: "{{ tpl .Values.webclient . }}" + APPLICATION_NAME: "{{ tpl .Values.webname . }}" USER_ACCESS_PERMISSIONS: "{{ .Values.UserAccesPermissions }}" - PUBLIC_WORKFLOW_ENABLED: "false" - OPENTELEMETRY_SERVICE: "false" - WEB_BASE_CUSTOM_URL: "{{tpl .Values.web.base_custom_url .}}" - CUSTOM_THEME_URL: "{{tpl .Values.web.custom_theme_url .}}" - ENABLE_FORMS_MODULE: "true" - ENABLE_TASKS_MODULE: "true" - ENABLE_DASHBOARDS_MODULE: "true" - ENABLE_PROCESSES_MODULE: "true" - ENABLE_APPLICATIONS_MODULE: "true" - REACT_APP_LANGUAGE: "{{tpl .Values.Language .}}" - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app: {{ .Chart.Name }}-config.template - name: {{ .Chart.Name }}-config.template -data: - config.js: |- - // runtime-config.js vars - window["_env_"] = { - "NODE_ENV": "${NODE_ENV}", - "REACT_APP_API_SERVER_URL": "${REACT_APP_API_SERVER_URL}", - "REACT_APP_API_PROJECT_URL": "${REACT_APP_API_PROJECT_URL}", - "REACT_APP_BPM_URL": "${REACT_APP_BPM_URL}", - "REACT_APP_KEYCLOAK_CLIENT": "${REACT_APP_KEYCLOAK_CLIENT}", - "REACT_APP_WEB_BASE_URL": "${REACT_APP_WEB_BASE_URL}", - "REACT_APP_WEBSOCKET_ENCRYPT_KEY": "${REACT_APP_WEBSOCKET_ENCRYPT_KEY}", - "REACT_APP_KEYCLOAK_URL_REALM": "${REACT_APP_KEYCLOAK_URL_REALM}", - "REACT_APP_KEYCLOAK_URL": "${REACT_APP_KEYCLOAK_URL}", - "REACT_APP_APPLICATION_NAME": "${REACT_APP_APPLICATION_NAME}", - "REACT_APP_USER_ACCESS_PERMISSIONS": "${REACT_APP_USER_ACCESS_PERMISSIONS}", - "REACT_APP_MT_ADMIN_BASE_URL": "${REACT_APP_MT_ADMIN_BASE_URL}", - "REACT_APP_MT_ADMIN_BASE_URL_VERSION": "v1", - "REACT_APP_MULTI_TENANCY_ENABLED": "${REACT_APP_MULTI_TENANCY_ENABLED}", - "REACT_APP_KEYCLOAK_ENABLE_CLIENT_AUTH": "${REACT_APP_KEYCLOAK_ENABLE_CLIENT_AUTH}", - "REACT_APP_CUSTOM_SUBMISSION_URL": "${REACT_APP_CUSTOM_SUBMISSION_URL}", - "REACT_APP_CUSTOM_SUBMISSION_ENABLED": "${REACT_APP_CUSTOM_SUBMISSION_ENABLED}", - "REACT_APP_DOCUMENT_SERVICE_URL": "${REACT_APP_DOCUMENT_SERVICE_URL}", - "REACT_APP_DRAFT_ENABLED": "${REACT_APP_DRAFT_ENABLED}", - "REACT_APP_DRAFT_POLLING_RATE": "${REACT_APP_DRAFT_POLLING_RATE}", - "REACT_APP_EXPORT_PDF_ENABLED": "${REACT_APP_EXPORT_PDF_ENABLED}", - - "REACT_APP_OPENTELEMETRY_SERVICE": "${OPENTELEMETRY_SERVICE}", - "REACT_APP_PUBLIC_WORKFLOW_ENABLED": "${REACT_APP_PUBLIC_WORKFLOW_ENABLED}", - "REACT_APP_WEB_BASE_CUSTOM_URL": "${WEB_BASE_CUSTOM_URL}", - "REACT_APP_CUSTOM_THEME_URL": "${CUSTOM_THEME_URL}", - "ENABLE_FORMS_MODULE": "${ENABLE_FORMS_MODULE}", - "ENABLE_TASKS_MODULE": "${ENABLE_TASKS_MODULE}", - "ENABLE_DASHBOARDS_MODULE": "${ENABLE_DASHBOARDS_MODULE}", - "ENABLE_PROCESSES_MODULE": "${ENABLE_PROCESSES_MODULE}", - "ENABLE_APPLICATIONS_MODULE": "${ENABLE_APPLICATIONS_MODULE}", - "REACT_APP_ENABLE_CHATBOT": "${REACT_APP_ENABLE_CHATBOT}", - "REACT_APP_CHATBOT_URL": "${REACT_APP_CHATBOT_URL}", - "REACT_APP_ENABLE_LOW_CODE_DESIGNER": "${ENABLE_LOW_CODE_DESIGNER}", - "REACT_APP_KEYCLOAK_URL_HTTP_RELATIVE_PATH": "${KEYCLOAK_URL_HTTP_RELATIVE_PATH}", - "REACT_APP_LANGUAGE": "${REACT_APP_LANGUAGE}" - } + PUBLIC_WORKFLOW_ENABLED: "{{ tpl .Values.web.public_workflow_enabled . }}" + OPENTELEMETRY_SERVICE: "{{ tpl .Values.web.opentelemetry_service . }}" + WEB_BASE_CUSTOM_URL: "{{ tpl .Values.web.base_custom_url . }}" + CUSTOM_THEME_URL: "{{ tpl .Values.web.custom_theme_url . }}" + ENABLE_FORMS_MODULE: "{{ tpl .Values.web.enable_forms_module . }}" + ENABLE_TASKS_MODULE: "{{ tpl .Values.web.enable_tasks_module . }}" + ENABLE_DASHBOARDS_MODULE: "{{ tpl .Values.web.enable_dashboards_module . }}" + ENABLE_PROCESSES_MODULE: "{{ tpl .Values.web.enable_processes_module . }}" + ENABLE_APPLICATIONS_MODULE: "{{ tpl .Values.web.enable_applications_module . }}" + REACT_APP_LANGUAGE: "{{ tpl .Values.Language . }}" + REACT_APP_SHOW_PREMIUM_ICON: "{{ tpl .Values.ShowPremiumIcon . }}" + REACT_APP_IS_ENTERPRISE: "{{ tpl .Values.IsEnterPrise . }}" + REACT_APP_CLARITY_KEY: "{{ tpl .Values.ClarityKey . }}" diff --git a/charts/forms-flow-web/templates/deployment.yaml b/charts/forms-flow-web/templates/deployment.yaml index 20c85558..e6473085 100644 --- a/charts/forms-flow-web/templates/deployment.yaml +++ b/charts/forms-flow-web/templates/deployment.yaml @@ -1,235 +1,315 @@ ---- -apiVersion: apps/v1 +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} kind: Deployment metadata: - labels: - app: "{{ .Chart.Name }}" - name: "{{ .Chart.Name }}" + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: - replicas: {{ .Values.replicas }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: - matchLabels: - app: "{{ .Chart.Name }}" - strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 25% - type: RollingUpdate + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + replicas: {{ .Values.replicaCount }} + strategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }} template: metadata: - labels: - app: "{{ .Chart.Name }}" + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: forms-flow-web + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/template-configmap.yaml") . | sha256sum }} + {{- if (include "forms-flow-web.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} spec: + serviceAccountName: {{ include "forms-flow-web.serviceAccountName" . }} + {{- include "forms-flow-web.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "jenkins-controller" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "jenkins-controller" "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} + {{- end }} containers: - - env: - - name: NODE_ENV - valueFrom: - configMapKeyRef: - key: NODE_ENV - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_ENABLE_CHATBOT - valueFrom: - configMapKeyRef: - key: ENABLE_CHATBOT - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_CHATBOT_URL - valueFrom: - configMapKeyRef: - key: CHATBOT_URL - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_ENABLE_LOW_CODE_DESIGNER - valueFrom: - configMapKeyRef: - key: ENABLE_LOW_CODE_DESIGNER - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_API_SERVER_URL - valueFrom: - configMapKeyRef: - key: FORMIO_URL - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_API_PROJECT_URL - valueFrom: - configMapKeyRef: - key: FORMIO_URL - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_BPM_URL - valueFrom: - configMapKeyRef: - key: BPM_API_URL - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_KEYCLOAK_CLIENT - valueFrom: - configMapKeyRef: - key: KEYCLOAK_CLIENT - name: "{{ .Chart.Name }}" - - name: REACT_APP_WEB_BASE_URL - valueFrom: - configMapKeyRef: - key: WEB_API_URL - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_APPLICATION_NAME - valueFrom: - configMapKeyRef: - key: APPLICATION_NAME - name: "{{ .Chart.Name }}" - - name: REACT_APP_USER_ACCESS_PERMISSIONS - valueFrom: - configMapKeyRef: - key: USER_ACCESS_PERMISSIONS - name: "{{ .Chart.Name }}" - - name: REACT_APP_WEBSOCKET_ENCRYPT_KEY - valueFrom: - secretKeyRef: - key: WEBSOCKET_ENCRYPT_KEY - name: "{{ .Values.formsflow.secret }}" - - name: REACT_APP_KEYCLOAK_URL_REALM - valueFrom: - configMapKeyRef: - key: KEYCLOAK_URL_REALM - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_KEYCLOAK_URL - valueFrom: - configMapKeyRef: - key: KEYCLOAK_URL - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_FORMIO_JWT_SECRET - valueFrom: - secretKeyRef: - key: FORMIO_JWT_SECRET - name: "{{ .Values.formsflow.secret }}" - - name: REACT_APP_MT_ADMIN_BASE_URL - valueFrom: - configMapKeyRef: - key: FORMSFLOW_ADMIN_BASE - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_MULTI_TENANCY_ENABLED - valueFrom: - configMapKeyRef: - key: MULTI_TENANCY_ENABLED - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_KEYCLOAK_ENABLE_CLIENT_AUTH - valueFrom: - configMapKeyRef: - key: KEYCLOAK_ENABLE_CLIENT_AUTH - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_CUSTOM_SUBMISSION_URL - valueFrom: - configMapKeyRef: - key: CUSTOM_SUBMISSION_URL - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_CUSTOM_SUBMISSION_ENABLED - valueFrom: - configMapKeyRef: - key: CUSTOM_SUBMISSION_ENABLED - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_DOCUMENT_SERVICE_URL - valueFrom: - configMapKeyRef: - key: FORMSFLOW_DOC_API_URL - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_DRAFT_ENABLED - valueFrom: - configMapKeyRef: - key: DRAFT_ENABLED - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_DRAFT_POLLING_RATE - valueFrom: - configMapKeyRef: - key: DRAFT_POLLING_RATE - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_EXPORT_PDF_ENABLED - valueFrom: - configMapKeyRef: - key: EXPORT_PDF_ENABLED - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_PUBLIC_WORKFLOW_ENABLED - valueFrom: - configMapKeyRef: - key: PUBLIC_WORKFLOW_ENABLED - name: "{{ .Chart.Name }}" - - name: REACT_APP_OPENTELEMETRY_SERVICE - valueFrom: - configMapKeyRef: - key: OPENTELEMETRY_SERVICE - name: "{{ .Chart.Name }}" - - name: REACT_APP_WEB_BASE_CUSTOM_URL - valueFrom: - configMapKeyRef: - key: WEB_BASE_CUSTOM_URL - name: "{{ .Chart.Name }}" - - name: CUSTOM_THEME_URL - valueFrom: - configMapKeyRef: - key: CUSTOM_THEME_URL - name: "{{ .Chart.Name }}" - - name: ENABLE_FORMS_MODULE - valueFrom: - configMapKeyRef: - key: ENABLE_FORMS_MODULE - name: "{{ .Chart.Name }}" - - name: ENABLE_TASKS_MODULE - valueFrom: - configMapKeyRef: - key: ENABLE_TASKS_MODULE - name: "{{ .Chart.Name }}" - - name: ENABLE_DASHBOARDS_MODULE - valueFrom: - configMapKeyRef: - key: ENABLE_DASHBOARDS_MODULE - name: "{{ .Chart.Name }}" - - name: ENABLE_PROCESSES_MODULE - valueFrom: - configMapKeyRef: - key: ENABLE_PROCESSES_MODULE - name: "{{ .Chart.Name }}" - - name: ENABLE_APPLICATIONS_MODULE - valueFrom: - configMapKeyRef: - key: ENABLE_APPLICATIONS_MODULE - name: "{{ .Chart.Name }}" - - name: KEYCLOAK_URL_HTTP_RELATIVE_PATH - valueFrom: - configMapKeyRef: - key: KEYCLOAK_URL_HTTP_RELATIVE_PATH - name: "{{ .Values.formsflow.configmap }}" - - name: REACT_APP_LANGUAGE - valueFrom: - configMapKeyRef: - key: REACT_APP_LANGUAGE - name: "{{ .Chart.Name }}" - - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" - lifecycle: - postStart: - exec: - command: ["/bin/sh", "-c", "\ - envsubst < /tmp/{{.Chart.Name}}-config.template/config.js > {{.Values.config_path}}/config.js;" ] - imagePullPolicy: Always - name: {{ .Chart.Name }} - ports: - - containerPort: {{ int .Values.ingress.port }} - protocol: TCP - resources: - limits: - cpu: "{{ .Values.resources.limits.cpu }}" - memory: "{{ .Values.resources.limits.memory }}" - requests: - cpu: "{{ .Values.resources.requests.cpu }}" - memory: "{{ .Values.resources.requests.memory }}" - tty: true - volumeMounts: - - mountPath: {{.Values.config_path}} - name: tmpfs - - mountPath: /tmp/{{ .Chart.Name }}-config.template - name: {{ .Chart.Name }}-config-template - readOnly: true - imagePullSecrets: - - name: "{{ .Values.formsflow.auth }}" - restartPolicy: Always + - name: forms-flow-web + image: {{ include "forms-flow-web.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: NODE_ENV + valueFrom: + configMapKeyRef: + key: NODE_ENV + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_ENABLE_CHATBOT + valueFrom: + configMapKeyRef: + key: ENABLE_CHATBOT + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_CHATBOT_URL + valueFrom: + configMapKeyRef: + key: CHATBOT_URL + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_ENABLE_LOW_CODE_DESIGNER + valueFrom: + configMapKeyRef: + key: ENABLE_LOW_CODE_DESIGNER + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_API_SERVER_URL + valueFrom: + configMapKeyRef: + key: FORMIO_URL + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_API_PROJECT_URL + valueFrom: + configMapKeyRef: + key: FORMIO_URL + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_BPM_URL + valueFrom: + configMapKeyRef: + key: BPM_API_URL + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_KEYCLOAK_CLIENT + valueFrom: + configMapKeyRef: + key: KEYCLOAK_CLIENT + name: "{{ .Chart.Name }}" + - name: REACT_APP_WEB_BASE_URL + valueFrom: + configMapKeyRef: + key: WEB_API_URL + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_APPLICATION_NAME + valueFrom: + configMapKeyRef: + key: APPLICATION_NAME + name: "{{ .Chart.Name }}" + - name: REACT_APP_USER_ACCESS_PERMISSIONS + valueFrom: + configMapKeyRef: + key: USER_ACCESS_PERMISSIONS + name: "{{ .Chart.Name }}" + - name: REACT_APP_WEBSOCKET_ENCRYPT_KEY + valueFrom: + secretKeyRef: + key: WEBSOCKET_ENCRYPT_KEY + name: "{{ .Values.formsflow.secret }}" + - name: REACT_APP_KEYCLOAK_URL_REALM + valueFrom: + configMapKeyRef: + key: KEYCLOAK_URL_REALM + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_KEYCLOAK_URL + valueFrom: + configMapKeyRef: + key: KEYCLOAK_URL + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_FORMIO_JWT_SECRET + valueFrom: + secretKeyRef: + key: FORMIO_JWT_SECRET + name: "{{ .Values.formsflow.secret }}" + - name: REACT_APP_MT_ADMIN_BASE_URL + valueFrom: + configMapKeyRef: + key: FORMSFLOW_ADMIN_BASE + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_MULTI_TENANCY_ENABLED + valueFrom: + configMapKeyRef: + key: MULTI_TENANCY_ENABLED + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_KEYCLOAK_ENABLE_CLIENT_AUTH + valueFrom: + configMapKeyRef: + key: KEYCLOAK_ENABLE_CLIENT_AUTH + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_CUSTOM_SUBMISSION_URL + valueFrom: + configMapKeyRef: + key: CUSTOM_SUBMISSION_URL + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_CUSTOM_SUBMISSION_ENABLED + valueFrom: + configMapKeyRef: + key: CUSTOM_SUBMISSION_ENABLED + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_DOCUMENT_SERVICE_URL + valueFrom: + configMapKeyRef: + key: FORMSFLOW_DOC_API_URL + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_DRAFT_ENABLED + valueFrom: + configMapKeyRef: + key: DRAFT_ENABLED + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_DRAFT_POLLING_RATE + valueFrom: + configMapKeyRef: + key: DRAFT_POLLING_RATE + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_EXPORT_PDF_ENABLED + valueFrom: + configMapKeyRef: + key: EXPORT_PDF_ENABLED + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_PUBLIC_WORKFLOW_ENABLED + valueFrom: + configMapKeyRef: + key: PUBLIC_WORKFLOW_ENABLED + name: "{{ .Chart.Name }}" + - name: REACT_APP_OPENTELEMETRY_SERVICE + valueFrom: + configMapKeyRef: + key: OPENTELEMETRY_SERVICE + name: "{{ .Chart.Name }}" + - name: REACT_APP_WEB_BASE_CUSTOM_URL + valueFrom: + configMapKeyRef: + key: WEB_BASE_CUSTOM_URL + name: "{{ .Chart.Name }}" + - name: CUSTOM_THEME_URL + valueFrom: + configMapKeyRef: + key: CUSTOM_THEME_URL + name: "{{ .Chart.Name }}" + - name: ENABLE_FORMS_MODULE + valueFrom: + configMapKeyRef: + key: ENABLE_FORMS_MODULE + name: "{{ .Chart.Name }}" + - name: ENABLE_TASKS_MODULE + valueFrom: + configMapKeyRef: + key: ENABLE_TASKS_MODULE + name: "{{ .Chart.Name }}" + - name: ENABLE_DASHBOARDS_MODULE + valueFrom: + configMapKeyRef: + key: ENABLE_DASHBOARDS_MODULE + name: "{{ .Chart.Name }}" + - name: ENABLE_PROCESSES_MODULE + valueFrom: + configMapKeyRef: + key: ENABLE_PROCESSES_MODULE + name: "{{ .Chart.Name }}" + - name: ENABLE_APPLICATIONS_MODULE + valueFrom: + configMapKeyRef: + key: ENABLE_APPLICATIONS_MODULE + name: "{{ .Chart.Name }}" + - name: KEYCLOAK_URL_HTTP_RELATIVE_PATH + valueFrom: + configMapKeyRef: + key: KEYCLOAK_URL_HTTP_RELATIVE_PATH + name: "{{ .Values.formsflow.configmap }}" + - name: REACT_APP_LANGUAGE + valueFrom: + configMapKeyRef: + key: REACT_APP_LANGUAGE + name: "{{ .Chart.Name }}" + - name: REACT_APP_CLARITY_KEY + valueFrom: + configMapKeyRef: + key: REACT_APP_CLARITY_KEY + name: "{{ .Chart.Name }}" + - name: REACT_APP_IS_ENTERPRISE + valueFrom: + configMapKeyRef: + key: REACT_APP_IS_ENTERPRISE + name: "{{ .Chart.Name }}" + - name: REACT_APP_SHOW_PREMIUM_ICON + valueFrom: + configMapKeyRef: + key: REACT_APP_SHOW_PREMIUM_ICON + name: "{{ .Chart.Name }}" + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 8 }} + {{- end }} + {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.containerPorts.http }} + protocol: TCP + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + tty: true + volumeMounts: + - name: tmpfs + mountPath: {{.Values.config_path}} + - name: forms-flow-web-template-configuration + mountPath: /tmp/forms-flow-web-config.template + readOnly: true + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} volumes: - - configMap: + - name: forms-flow-web-template-configuration + configMap: + name: forms-flow-web-template-configuration defaultMode: 420 - name: {{ .Chart.Name }}-config.template - name: {{ .Chart.Name }}-config-template - - emptyDir: {} - name: tmpfs + - name: tmpfs + emptyDir: {} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + restartPolicy: Always \ No newline at end of file diff --git a/charts/forms-flow-web/templates/hpa.yaml b/charts/forms-flow-web/templates/hpa.yaml new file mode 100644 index 00000000..dbea10a7 --- /dev/null +++ b/charts/forms-flow-web/templates/hpa.yaml @@ -0,0 +1,61 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-web + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} + kind: StatefulSet + name: {{ template "common.names.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- end }} + {{- end }} + {{- if .Values.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- end }} + {{- end }} + {{- if or .Values.autoscaling.behavior.scaleDown.policies .Values.autoscaling.behavior.scaleUp.policies }} + behavior: + {{- if .Values.autoscaling.behavior.scaleDown.policies }} + scaleDown: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleDown.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleDown.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleDown.policies | nindent 8 }} + {{- end }} + {{- if .Values.autoscaling.behavior.scaleUp.policies }} + scaleUp: + stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleUp.stabilizationWindowSeconds }} + selectPolicy: {{ .Values.autoscaling.behavior.scaleUp.selectPolicy }} + policies: + {{- toYaml .Values.autoscaling.behavior.scaleUp.policies | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-web/templates/ingress.yaml b/charts/forms-flow-web/templates/ingress.yaml index d047da10..c876f31e 100644 --- a/charts/forms-flow-web/templates/ingress.yaml +++ b/charts/forms-flow-web/templates/ingress.yaml @@ -1,36 +1,56 @@ ---- -apiVersion: networking.k8s.io/v1 +{{- if .Values.ingress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: - annotations: -{{ toYaml .Values.ingress.annotations | indent 4 }} - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-web + {{- if or .Values.ingress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: - ingressClassName: {{ .Values.ingress.ingressClassName }} - {{- if or (and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} + {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.ingress.hostname }} + - host: {{ (tpl .Values.ingress.hostname .) | quote }} + http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ include "common.tplvalues.render" ( dict "value" .Values.ingress.path "context" $) }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" .Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} + - host: {{ (tpl .name $) }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }} tls: - {{- if and .Values.ingress.tls (or ( dict "annotations" .Values.ingress.annotations ) .Values.ingress.secrets .Values.ingress.selfSigned) }} + {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.secrets .Values.ingress.selfSigned) }} - hosts: - {{ (tpl .Values.ingress.hostname .) | quote }} secretName: {{ printf "%s-tls" (tpl .Values.ingress.hostname .) }} - {{- else }} - - {} - {{- end}} - {{- else }} - tls: - - {} - {{- end}} - rules: - - - host: "{{tpl .Values.ingress.hostname .}}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ .Chart.Name }} - port: - number: {{ .Values.ingress.port }} + {{- end }} + {{- if .Values.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-web/templates/pdb.yaml b/charts/forms-flow-web/templates/pdb.yaml new file mode 100644 index 00000000..3e5a4c28 --- /dev/null +++ b/charts/forms-flow-web/templates/pdb.yaml @@ -0,0 +1,21 @@ +{{- if .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} +{{- end }} \ No newline at end of file diff --git a/charts/forms-flow-web/templates/service.yaml b/charts/forms-flow-web/templates/service.yaml index d9edab55..18897c86 100644 --- a/charts/forms-flow-web/templates/service.yaml +++ b/charts/forms-flow-web/templates/service.yaml @@ -1,14 +1,34 @@ ---- apiVersion: v1 kind: Service metadata: - labels: - app: {{ .Chart.Name }} - name: {{ .Chart.Name }} + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.service.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} ports: - - name: {{ .Chart.Name }} - port: {{.Values.ingress.port}} - targetPort: {{.Values.ingress.port}} - selector: - app: {{ .Chart.Name }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.ports "context" $) | nindent 4 }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} diff --git a/charts/forms-flow-web/templates/serviceaccount.yaml b/charts/forms-flow-web/templates/serviceaccount.yaml new file mode 100644 index 00000000..683f28e4 --- /dev/null +++ b/charts/forms-flow-web/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "forms-flow-web.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} \ No newline at end of file diff --git a/charts/forms-flow-web/templates/template-configmap.yaml b/charts/forms-flow-web/templates/template-configmap.yaml new file mode 100644 index 00000000..a915ebfe --- /dev/null +++ b/charts/forms-flow-web/templates/template-configmap.yaml @@ -0,0 +1,53 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-template-configuration" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: forms-flow-web + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + config.js: |- + // runtime-config.js vars + window["_env_"] = { + "NODE_ENV": "${NODE_ENV}", + "REACT_APP_API_SERVER_URL": "${REACT_APP_API_SERVER_URL}", + "REACT_APP_API_PROJECT_URL": "${REACT_APP_API_PROJECT_URL}", + "REACT_APP_BPM_URL": "${REACT_APP_BPM_URL}", + "REACT_APP_KEYCLOAK_CLIENT": "${REACT_APP_KEYCLOAK_CLIENT}", + "REACT_APP_WEB_BASE_URL": "${REACT_APP_WEB_BASE_URL}", + "REACT_APP_WEBSOCKET_ENCRYPT_KEY": "${REACT_APP_WEBSOCKET_ENCRYPT_KEY}", + "REACT_APP_KEYCLOAK_URL_REALM": "${REACT_APP_KEYCLOAK_URL_REALM}", + "REACT_APP_KEYCLOAK_URL": "${REACT_APP_KEYCLOAK_URL}", + "REACT_APP_APPLICATION_NAME": "${REACT_APP_APPLICATION_NAME}", + "REACT_APP_USER_ACCESS_PERMISSIONS": "${REACT_APP_USER_ACCESS_PERMISSIONS}", + "REACT_APP_MT_ADMIN_BASE_URL": "${REACT_APP_MT_ADMIN_BASE_URL}", + "REACT_APP_MT_ADMIN_BASE_URL_VERSION": "v1", + "REACT_APP_MULTI_TENANCY_ENABLED": "${REACT_APP_MULTI_TENANCY_ENABLED}", + "REACT_APP_KEYCLOAK_ENABLE_CLIENT_AUTH": "${REACT_APP_KEYCLOAK_ENABLE_CLIENT_AUTH}", + "REACT_APP_CUSTOM_SUBMISSION_URL": "${REACT_APP_CUSTOM_SUBMISSION_URL}", + "REACT_APP_CUSTOM_SUBMISSION_ENABLED": "${REACT_APP_CUSTOM_SUBMISSION_ENABLED}", + "REACT_APP_DOCUMENT_SERVICE_URL": "${REACT_APP_DOCUMENT_SERVICE_URL}", + "REACT_APP_DRAFT_ENABLED": "${REACT_APP_DRAFT_ENABLED}", + "REACT_APP_DRAFT_POLLING_RATE": "${REACT_APP_DRAFT_POLLING_RATE}", + "REACT_APP_EXPORT_PDF_ENABLED": "${REACT_APP_EXPORT_PDF_ENABLED}", + "REACT_APP_LANGUAGE": "${REACT_APP_LANGUAGE}", + "REACT_APP_OPENTELEMETRY_SERVICE": "${OPENTELEMETRY_SERVICE}", + "REACT_APP_PUBLIC_WORKFLOW_ENABLED": "${REACT_APP_PUBLIC_WORKFLOW_ENABLED}", + "REACT_APP_WEB_BASE_CUSTOM_URL": "${WEB_BASE_CUSTOM_URL}", + "REACT_APP_CUSTOM_THEME_URL": "${CUSTOM_THEME_URL}", + "ENABLE_FORMS_MODULE": "${ENABLE_FORMS_MODULE}", + "ENABLE_TASKS_MODULE": "${ENABLE_TASKS_MODULE}", + "ENABLE_DASHBOARDS_MODULE": "${ENABLE_DASHBOARDS_MODULE}", + "ENABLE_PROCESSES_MODULE": "${ENABLE_PROCESSES_MODULE}", + "ENABLE_APPLICATIONS_MODULE": "${ENABLE_APPLICATIONS_MODULE}", + "REACT_APP_ENABLE_CHATBOT": "${REACT_APP_ENABLE_CHATBOT}", + "REACT_APP_CHATBOT_URL": "${REACT_APP_CHATBOT_URL}", + "REACT_APP_ENABLE_LOW_CODE_DESIGNER": "${ENABLE_LOW_CODE_DESIGNER}", + "REACT_APP_KEYCLOAK_URL_HTTP_RELATIVE_PATH": "${KEYCLOAK_URL_HTTP_RELATIVE_PATH}", + "REACT_APP_SHOW_PREMIUM_ICON": "${REACT_APP_SHOW_PREMIUM_ICON}", + "REACT_APP_IS_ENTERPRISE": "${REACT_APP_IS_ENTERPRISE}", + "REACT_APP_CLARITY_KEY": "${REACT_APP_CLARITY_KEY}" + } \ No newline at end of file diff --git a/charts/forms-flow-web/values.yaml b/charts/forms-flow-web/values.yaml index 8b77eb0f..1e027a60 100644 --- a/charts/forms-flow-web/values.yaml +++ b/charts/forms-flow-web/values.yaml @@ -1,26 +1,369 @@ ---- -Domain: # -replicas: 1 -analytics: - configmap: forms-flow-analytics # name of formsflow analytics configmap - secret: forms-flow-analytics #name of formsflow analytics secret -formsflow: - configmap: forms-flow-ai # name of formsflow.ai configmap - secret: forms-flow-ai #name of formsflow.ai secret - auth: forms-flow-ai-auth -web: - base_custom_url: "" - custom_theme_url: "" +replicaCount: 1 +image: + registry: docker.io + repository: formsflow/forms-flow-web + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "v7.0.0" + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: + - forms-flow-ai-auth +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} + +nodeSelector: {} +## @param tolerations Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param nodeSelector Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param priorityClassName Pod priority +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" +## @param schedulerName Name of the k8s scheduler (other than default) +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param terminationGracePeriodSeconds In seconds, time the given to the forms-flow-web pod needs to terminate gracefully +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +terminationGracePeriodSeconds: "" +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment +## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## The value is evaluated as a template +## +topologySpreadConstraints: [] + +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +hostAliases: [] + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + ## @param automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false +## @param podAnnotations Pod annotations +## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param podLabels Extra labels for forms-flow-web pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + +## K8s Security Context for forms-flow-web pods +## Configure Pods Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled forms-flow-web pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Set forms-flow-web pod's Security Context fsGroup +## +podSecurityContext: + enabled: false + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 +## Configure Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: false + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: false + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## @param command Override default container command (useful when using custom images) +## +command: [] +## @param args Override default container args (useful when using custom images) +## +args: [] +## @param lifecycleHooks for the forms-flow-web container(s) to automate configuration before or after startup +## +lifecycleHooks: + postStart: + exec: + command: ["/bin/sh", "-c", "envsubst < /tmp/{{.Chart.Name}}-config.template/config.js > {{.Values.config_path}}/config.js;" ] +automountServiceAccountToken: true +## @param extraEnvVars Extra environment variables to be set on formsflow documents-api container +## Example: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: [] +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraVolumes Array to add extra volumes (evaluated as a template) +## extraVolumes: +## - name: myvolume +## configMap: +## name: myconfigmap +## +extraVolumes: {} +## @param extraVolumeMounts Array to add extra mounts (normally used with extraVolumes, evaluated as a template) +## extraVolumeMounts: +## - mountPath: /opt/bitnami/desired-path +## name: myvolume +## readOnly: true +## +extraVolumeMounts: {} + +## @param auth.existingSecret Existing secret containing password,username,dbname and + ## +existingSecret: "" + +## @param updateStrategy.type Set up update strategy for forms-flow-web installation. +## Set to Recreate if you use persistent volume that cannot be mounted by more than one pods to make sure the pods is destroyed first. +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## Example: +## updateStrategy: +## type: RollingUpdate +## rollingUpdate: +## maxSurge: 25% +## maxUnavailable: 25% +## +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + +## forms-flow-web ingress parameters +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## ingress: + ## @param ingress.enabled Enable ingress record generation for forms-flow-web + ## + enabled: true + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## ingressClassName: "" - annotations: - enabled: true # create an ingress for this component - hostname: "{{.Chart.Name}}-{{.Release.Namespace}}.{{tpl .Values.Domain .}}" - port: 8080 + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.controller The ingress controller type. Currently supports `default` and `gce` + ## leave as `default` for most ingress controllers. + ## set to `gce` if using the GCE ingress controller + ## + controller: default + ## @param ingress.hostname Default host for the ingress record (evaluated as template) + ## + hostname: forms-flow-web.local + ## @param ingress.path [string] Default path for the ingress record (evaluated as template) + ## + path: "/" + ## @param ingress.servicePort Backend service port to use + ## Default is http. Alternative is https. + ## + servicePort: 8080 + ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.labels Additional labels for the Ingress resource. + ## e.g: + ## labels: + ## app: forms-flow-web + ## + labels: {} + ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}` + ## You can: + ## - Use the `ingress.secrets` parameter to create this TLS secret + ## - Rely on cert-manager to create it by setting the corresponding annotations + ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## tls: true + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## selfSigned: false - extraTls: - - {} + ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: forms-flow-web.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. + ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - forms-flow-web.local + ## secretName: forms-flow-web.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## - name: forms-flow-web.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.extraRules Additional rules to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules + ## e.g: + ## extraRules: + ## - host: airflow.local + ## http: + ## path: / + ## backend: + ## service: + ## name: airflow-svc + ## port: + ## name: http + ## + extraRules: [] +## forms-flow-web admin ingress parameters +## ref: https://kubernetes.io/docs/user-guide/ingress/ +## +## Pod disruption budget configuration +## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +## @param pdb.create If true, create a pod disruption budget for pods. +## @param pdb.minAvailable Minimum number / percentage of pods that should remain scheduled +## @param pdb.maxUnavailable Maximum number / percentage of pods that may be made unavailable +## +pdb: + create: true + minAvailable: "" + maxUnavailable: "" +## forms-flow-web containers' resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "small" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## resources: limits: cpu: 200m @@ -28,12 +371,150 @@ resources: requests: cpu: 100m memory: 512Mi -image: - registry: docker.io - repository: formsflow/forms-flow-web - tag: v6.0.2 +## @param customStartupProbe Custom startup probe for the Web component +## + +## @param customStartupProbe Custom startup probe for the Web component +## +customStartupProbe: {} +## @param customLivenessProbe Custom liveness probe for the Web component +## +customLivenessProbe: {} +## @param customReadinessProbe Custom readiness probe for the Web component +## +customReadinessProbe: {} +## Service parameters +## +service: + ## @param service.type Kubernetes service type (`ClusterIP`, `NodePort`, or `LoadBalancer`) + ## + type: ClusterIP + ## @param service.ports [array] forms-flow-web service ports (evaluated as a template) + ## + ports: + - name: http + port: 8080 + targetPort: http + protocol: TCP + ## - name: system + ## port: 1764 + ## + ## @param service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalTrafficPolicy External traffic policy, configure to Local to preserve client source IP when using an external loadBalancer + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: "" + ## @param service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.annotations Annotations for forms-flow-web service + ## + annotations: {} + ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param service.headless.annotations Annotations for the headless service. + ## + annotations: {} + +configuration: [] + +containerPorts: + http: 8080 + +## forms-flow-web Autoscaling configuration +## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +## @param autoscaling.enabled Enable autoscaling for forms-flow-web +## @param autoscaling.minReplicas Minimum number of forms-flow-web replicas +## @param autoscaling.maxReplicas Maximum number of forms-flow-web replicas +## @param autoscaling.targetCPU Target CPU utilization percentage +## @param autoscaling.targetMemory Target Memory utilization percentage +## +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPU: "" + targetMemory: "" + ## HPA Scaling Behavior + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior + ## + behavior: + ## HPA behavior when scaling up + ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up + ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up + ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up + ## e.g: + ## Policy to scale 20% of the pod in 60s + ## - type: Percent + ## value: 20 + ## periodSeconds: 60 + ## + scaleUp: + stabilizationWindowSeconds: 120 + selectPolicy: Max + policies: [] + ## HPA behavior when scaling down + ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down + ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down + ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down + ## e.g: + ## Policy to scale one pod in 300s + ## - type: Pods + ## value: 1 + ## periodSeconds: 300 + ## + scaleDown: + stabilizationWindowSeconds: 300 + selectPolicy: Max + policies: + - type: Pods + value: 1 + periodSeconds: 300 +formsflow: + configmap: forms-flow-ai # name of formsflow.ai configmap + secret: forms-flow-ai #name of formsflow.ai secret +analytics: + configmap: forms-flow-analytics # name of formsflow analytics configmap + secret: forms-flow-analytics #name of formsflow analytics secret +web: + base_custom_url: "" + custom_theme_url: "" + enable_forms_module: "true" + enable_tasks_module: "true" + enable_dashboards_module: "true" + enable_processes_module: "true" + enable_applications_module: "true" + public_workflow_enabled: "false" + opentelemetry_service: "false" config_path: /usr/share/nginx/html/config/ -webclient: "{{.Chart.Name}}" +webclient: "{{ .Chart.Name }}" webname: formsflow UserAccesPermissions: "" Language: "" +ShowPremiumIcon: "" +IsEnterPrise: "" +ClarityKey: "" diff --git a/scripts/get_redash_api_key.sh b/scripts/get_redash_api_key.sh new file mode 100644 index 00000000..fc4c2ce5 --- /dev/null +++ b/scripts/get_redash_api_key.sh @@ -0,0 +1,54 @@ +#!/bin/bash + +# Ensure namespace is provided +if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then + echo "Usage: $0 " + exit 1 +fi + +NAMESPACE="$1" +DOMAIN_NAME="$2" +ANALYTICS_SUBDOMAIN="$3" + +# Check if forms-flow-analytics is installed +if helm status "forms-flow-analytics" -n "$NAMESPACE" > /dev/null 2>&1; then + echo "forms-flow-analytics is already installed." +else + echo "forms-flow-analytics does not exist. Installing now." + helm install "forms-flow-analytics" ./forms-flow-analytics-chart -n "$NAMESPACE" +fi + +REDASH_URL="https://$ANALYTICS_SUBDOMAIN-$NAMESPACE.$DOMAIN_NAME/redash" + +# Prompt for credentials +echo "Redash URL: $REDASH_URL" +read -p "Enter your Redash username: " USERNAME +read -s -p "Enter your Redash password: " PASSWORD +echo + +# Authenticate and retrieve API key +LOGIN_RESPONSE=$(curl -s -X POST "$REDASH_URL/login" \ + -H "Content-Type: application/x-www-form-urlencoded" \ + --data-urlencode "email=$USERNAME" \ + --data-urlencode "password=$PASSWORD" \ + -c cookies.txt) + +if ! echo "$LOGIN_RESPONSE" | grep -q 'Redirecting'; then + echo "Login failed! Verify your credentials or URL." + rm cookies.txt + exit 1 +fi + +API_RESPONSE=$(curl -s -X GET "$REDASH_URL/api/users/me" -b cookies.txt) +API_KEY=$(echo "$API_RESPONSE" | jq -r '.api_key') + +if [ -z "$API_KEY" ]; then + echo "Failed to retrieve API key!" + rm cookies.txt + exit 1 +fi + +echo "Redash API Key: $API_KEY" + +# Cleanup +rm cookies.txt diff --git a/scripts/install-forms-flow.sh b/scripts/install-forms-flow.sh index 278e437f..eddff5b1 100644 --- a/scripts/install-forms-flow.sh +++ b/scripts/install-forms-flow.sh @@ -2,131 +2,209 @@ main() { - # Make sure that this is being run from the scripts folder - checkdirectory + # Make sure that this is being run from the scripts folder + checkdirectory - # Get user input for install instructions - displayPrompts + # Get user input for install instructions + displayPrompts - # Make sure all prompts have been answered - # Checks if number of arguments = 5 - checkEmptyInput $is_from_registry $domain_name $namespace $is_premium $is_latest_release + # Make sure all prompts have been answered + checkEmptyInput $is_from_registry $domain_name $namespace $is_premium $is_latest_release $classname $analytics_subdomain - printf "\nInstalling forms flow ...\n" + if [[ $is_premium =~ ^[Yy]$ ]]; then + # Get username and access token for premium users + read -p "Please enter your username for premium access:" premium_username + read -s -p "Please enter your access token for premium access:" access_token + echo + fi - # Decide whether to install from formsflow registry (https://aot-technologies.github.io/forms-flow-ai-charts) or from this local repo - configureInstall + printf "\nInstalling forms flow ...\n" - # Decide whether to use latest Chart release - # The stable versions have been coded into this script, - # you can customize the versions that you would like to install by editing the versions within this function - configureLatestOrStableReleases + # Decide whether to install from formsflow registry or local repo + configureInstall - # Run helm install commands - runHelmInstall + # Decide whether to use the latest Chart release + configureLatestOrStableReleases - printf "\nInstallation complete!\n" + # Run helm install commands + runHelmInstall + printf "\nInstallation complete!\n" } runHelmInstall() { - echo - helm install forms-flow-ai $directory/forms-flow-ai --set Domain=$domain_name --set forms-flow-idm.keycloak.ingress.hostname=forms-flow-idm-$namespace.$domain_name --namespace $namespace --version $version_ff_ai - helm install forms-flow-analytics $directory/forms-flow-analytics --set Domain=$domain_name --namespace $namespace --version $version_ff_analytics - helm install forms-flow-forms $directory/forms-flow-forms --set Domain=$domain_name --namespace $namespace --version $version_ff_forms - helm install forms-flow-idm $directory/forms-flow-idm --set Domain=$domain_name --set keycloak.ingress.hostname=forms-flow-idm-$namespace.$domain_name --namespace $namespace --version $version_ff_idm - - if [[ $is_premium =~ ^[Yy]$ ]]; then - helm install forms-flow-admin $directory/forms-flow-admin --set Domain=$domain_name --namespace $namespace --version $version_ff_admin - fi - - helm install forms-flow-api $directory/forms-flow-api --set Domain=$domain_name --namespace $namespace --version $version_ff_api - helm install forms-flow-bpm $directory/forms-flow-bpm --set Domain=$domain_name --set camunda.websocket.securityOrigin=https://*.$domain_name --namespace $namespace --version $version_ff_bpm - helm install forms-flow-data-analysis $directory/forms-flow-data-analysis --set Domain=$domain_name --namespace $namespace --version $version_ff_data_analysis - helm install forms-flow-web $directory/forms-flow-web --set Domain=$domain_name --namespace $namespace --version $version_ff_web - helm install forms-flow-documents-api $directory/forms-flow-documents-api --set Domain=$domain_name --namespace $namespace --version $version_ff_documents_api + echo + + # Multitenancy check + read -p "Is this a multitenant installation? (y/n):" is_multitenant + + if [[ $is_premium =~ ^[Yy]$ ]]; then + if [[ $is_multitenant =~ ^[Yy]$ ]]; then + # Commands for premium users with multitenancy enabled + helm upgrade --install forms-flow-ai ../charts/forms-flow-ai --set Domain=$domain_name --set postgresql-ha.postgresql.podSecurityContext.enabled=true --set mongodb.podSecurityContext.enabled=true --set insight_api_key=$insight_api_key --set imageCredentials.registry=docker.io --set imageCredentials.username=$premium_username --set imageCredentials.password=$access_token --set forms-flow-idm.keycloak.EnableKeycloakClientAuth=true --set forms-flow-web.EnableMultitenant=true --set forms-flow-idm.realm=multitenant --set EnableChatBot=true -n $namespace --version $version_ff_ai + read -p "Include forms-flow-analytics? (y/n):" include_analytics + if [[ $include_analytics =~ ^[Yy]$ ]]; then + helm upgrade --install forms-flow-analytics ../charts/forms-flow-analytics --set ingress.ingressClassName=$classname --set ingress.subFilterHost=forms-flow-web-$namespace.$domain_name --set redash.multiOrg=true --set ingress.hosts[0].host=forms-flow-web-$namespace.$domain_name --set ingress.tls[0].secretName="forms-flow-web-$namespace.$domain_name-tls" --set ingress.tls[0].hosts[0]="forms-flow-web-$namespace.$domain_name" --set ingress.hosts[0].paths[0]="/" -n $namespace --version $version_ff_analytics + # Call external script to get Redash API Key + getRedashApiKey $namespace $domain_name $analytics_subdomain + # Store Redash API key in a variable + REDASH_API_KEY=$? + echo "Redash API Key: $REDASH_API_KEY" + # Step 3: Re-run forms-flow-ai with the Redash API Key + helm upgrade --install forms-flow-ai ../charts/forms-flow-ai --set Domain=$domain_name --set postgresql-ha.postgresql.podSecurityContext.enabled=true --set mongodb.podSecurityContext.enabled=true --set insight_api_key=$REDASH_API_KEY --set imageCredentials.registry=docker.io --set imageCredentials.username=$premium_username --set imageCredentials.password=$access_token --set forms-flow-idm.keycloak.EnableKeycloakClientAuth=true --set forms-flow-web.EnableMultitenant=true --set forms-flow-idm.realm=multitenant --set EnableChatBot=true -n $namespace --version $version_ff_ai + # Step 4: Re-run analytics if chosen + if [[ $include_analytics =~ ^[Yy]$ ]]; then + helm upgrade --install forms-flow-analytics ../charts/forms-flow-analytics --set ingress.ingressClassName=$classname --set ingress.subFilterHost=forms-flow-web-$namespace.$domain_name --set ingress.hosts[0].host=form--set redash.multiOrg=true -flow-analytics-$namespace.$domain_name --set ingress.tls[0].secretName="forms-flow-analytics-$namespace.$domain_name-tls" --set ingress.tls[0].hosts[0]="forms-flow-analytics-$namespace.$domain_name" --set ingress.hosts[0].paths[0]="/" -n $namespace --version $version_ff_analytics + fi + fi + helm upgrade --install forms-flow-idm ../charts/forms-flow-idm --set keycloak.ingress.hostname=forms-flow-idm-$namespace.$domain_name --set postgresql-ha.postgresql.podSecurityContext.enabled=true --set keycloak.ingress.ingressClassName=$classname -n $namespace --version $version_ff_idm + helm upgrade --install forms-flow-forms ../charts/forms-flow-forms --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set ingress.tls=true -n $namespace --version $version_ff_forms + helm upgrade --install forms-flow-api ../charts/forms-flow-api --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set image.repository=formsflow/forms-flow-webapi-ee -n $namespace --version $version_ff_api + helm upgrade --install forms-flow-bpm ../charts/forms-flow-bpm --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set image.repository=formsflow/forms-flow-bpm-ee --set camunda.websocket.securityOrigin=https://forms-flow-web-$namespace.$domain_name --set image.repository=formsflow/forms-flow-bpm-ee -n $namespace --version $version_ff_bpm + helm upgrade --install forms-flow-documents-api ../charts/forms-flow-documents-api --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set image.repository=formsflow/forms-flow-documents-api-ee -n $namespace --version $version_ff_documents_api + helm upgrade --install forms-flow-data-analysis ../charts/forms-flow-data-analysis --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set ingress.tls=true --set image.repository=formsflow/forms-flow-data-analysis-api-ee -n $namespace --version $version_ff_data_analysis + helm upgrade --install forms-flow-web ../charts/forms-flow-web --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set image.repository=formsflow/forms-flow-web-ee -n $namespace --version $version_ff_web + else + helm upgrade --install forms-flow-ai ../charts/forms-flow-ai --set Domain=$domain_name --set postgresql-ha.postgresql.podSecurityContext.enabled=true --set mongodb.podSecurityContext.enabled=true -–set imageCredentials.registry=docker.io -–set imageCredentials.username=$premium_username -–set imageCredentials.password=$access_token -n $namespace --version $version_ff_ai + read -p "Include forms-flow-analytics? (y/n):" include_analytics + if [[ $include_analytics =~ ^[Yy]$ ]]; then + helm upgrade --install forms-flow-analytics ../charts/forms-flow-analytics --set ingress.ingressClassName=$classname --set ingress.subFilterHost=forms-flow-web-$namespace.$domain_name --set redash.multiOrg=true --set ingress.hosts[0].host=forms-flow-analytics-$namespace.$domain_name --set ingress.tls[0].secretName="forms-flow-analytics-$namespace.$domain_name-tls" --set ingress.tls[0].hosts[0]="forms-flow-analytics-$namespace.$domain_name" --set ingress.hosts[0].paths[0]="/" -n $namespace --version $version_ff_analytics + # Call external script to get Redash API Key + getRedashApiKey $namespace $domain_name $analytics_subdomain + # Store Redash API key in a variable + REDASH_API_KEY=$? + echo "Redash API Key: $REDASH_API_KEY" + # Step 3: Re-run forms-flow-ai with the Redash API Key + helm upgrade --install forms-flow-ai ../charts/forms-flow-ai --set Domain=$domain_name --set postgresql-ha.postgresql.podSecurityContext.enabled=true --set mongodb.podSecurityContext.enabled=true -–set imageCredentials.registry=docker.io -–set imageCredentials.username=$premium_username -–set imageCredentials.password=$access_token -n $namespace --version $version_ff_ai + # Step 4: Re-run analytics if chosen + if [[ $include_analytics =~ ^[Yy]$ ]]; then + helm upgrade --install forms-flow-analytics ../charts/forms-flow-analytics --set ingress.ingressClassName=$classname --set ingress.subFilterHost=forms-flow-web-$namespace.$domain_name --set ingress.hosts[0].host=forms-flow-web-$namespace.$domain_name --set redash.multiOrg=true -flow-analytics-$namespace.$domain_name --set ingress.tls[0].secretName="forms-flow-web-$namespace.$domain_name-tls" --set ingress.tls[0].hosts[0]="forms-flow-web-$namespace.$domain_name" --set ingress.hosts[0].paths[0]="/" -n $namespace --version $version_ff_analytics + fi + fi + helm upgrade --install forms-flow-idm ../charts/forms-flow-idm --set keycloak.ingress.hostname=forms-flow-idm-$namespace.$domain_name --set postgresql-ha.postgresql.podSecurityContext.enabled=true --set keycloak.ingress.ingressClassName=$classname -n $namespace --version $version_ff_idm + helm upgrade --install forms-flow-forms ../charts/forms-flow-forms --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set ingress.tls=true -n $namespace --version $version_ff_forms + helm upgrade --install forms-flow-api ../charts/forms-flow-api --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set image.repository=formsflow/forms-flow-webapi-ee -n $namespace --version $version_ff_api + helm upgrade --install forms-flow-bpm ../charts/forms-flow-bpm --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set image.repository=formsflow/forms-flow-bpm-ee --set camunda.websocket.securityOrigin=https://forms-flow-web-$namespace.$domain_name --set image.repository=formsflow/forms-flow-bpm-ee -n $namespace --version $version_ff_bpm + helm upgrade --install forms-flow-documents-api ../charts/forms-flow-documents-api --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set image.repository=formsflow/forms-flow-documents-api-ee -n $namespace --version $version_ff_documents_api + helm upgrade --install forms-flow-data-analysis ../charts/forms-flow-data-analysis --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set ingress.tls=true --set image.repository=formsflow/forms-flow-data-analysis-api-ee -n $namespace --version $version_ff_data_analysis + helm upgrade --install forms-flow-web ../charts/forms-flow-web --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set image.repository=formsflow/forms-flow-web-ee -n $namespace --version $version_ff_web + fi + + else + # Commands for open-source users + # Optional components for open-source users + helm upgrade --install forms-flow-ai ../charts/forms-flow-ai --set Domain=$domain_name --set postgresql-ha.postgresql.podSecurityContext.enabled=true --set mongodb.podSecurityContext.enabled=true -n $namespace --version $version_ff_ai + read -p "Include forms-flow-analytics? (y/n):" include_analytics + if [[ $include_analytics =~ ^[Yy]$ ]]; then + helm upgrade --install forms-flow-analytics ../charts/forms-flow-analytics --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-analytics-$namespace.$domain_name -n $namespace --version $version_ff_analytics + # Call external script to get Redash API Key + getRedashApiKey $namespace $domain_name $analytics_subdomain + # Store Redash API key in a variable + REDASH_API_KEY=$? + echo "Redash API Key: $REDASH_API_KEY" + # Step 3: Re-run forms-flow-ai with the Redash API Key + helm upgrade --install forms-flow-ai ../charts/forms-flow-ai --set Domain=$domain_name --set postgresql-ha.postgresql.podSecurityContext.enabled=true --set mongodb.podSecurityContext.enabled=true -n $namespace --version $version_ff_ai + # Step 4: Re-run analytics if chosen + if [[ $include_analytics =~ ^[Yy]$ ]]; then + helm upgrade --install forms-flow-analytics ../charts/forms-flow-analytics --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-analytics-$namespace.$domain_name -n $namespace --version $version_ff_analytics + fi + fi + helm upgrade --install forms-flow-idm ../charts/forms-flow-idm --set keycloak.ingress.hostname=forms-flow-idm-$namespace.$domain_name --set postgresql-ha.postgresql.podSecurityContext.enabled=true --set keycloak.ingress.ingressClassName=$classname -n $namespace --version $version_ff_idm + helm upgrade --install forms-flow-forms ../charts/forms-flow-forms --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set ingress.tls=true -n $namespace --version $version_ff_forms + helm upgrade --install forms-flow-api ../charts/forms-flow-api --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set ingress.tls=true -n $namespace --version $version_ff_api + helm upgrade --install forms-flow-bpm ../charts/forms-flow-bpm --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set ingress.tls=true --set camunda.websocket.securityOrigin=https://forms-flow-web-$namespace.$domain_name -n $namespace --version $version_ff_bpm + helm upgrade --install forms-flow-documents-api ../charts/forms-flow-documents-api --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set ingress.tls=true -n $namespace --version $version_ff_documents_api + helm upgrade --install forms-flow-web ../charts/forms-flow-web --set ingress.ingressClassName=$classname --set ingress.hostname=forms-flow-web-$namespace.$domain_name --set ingress.tls=true -n $namespace --version $version_ff_web + fi +} + +getRedashApiKey() { + # Call the external script to get Redash API Key + bash ./get_redash_api_key.sh "$1" "$2" "$3" + return $REDASH_API_KEY } configureInstall() { - directory="../charts" - if [[ $is_from_registry =~ ^[Yy]$ ]]; then - addRegistry - directory="formsflow" - else - updateLocalDependencies - fi + directory="../charts" + if [[ $is_from_registry =~ ^[Yy]$ ]]; then + addRegistry + directory="formsflow" + else + updateLocalDependencies + fi } configureLatestOrStableReleases() { - if [[ $is_latest_release =~ ^[Yy]$ ]]; then - version_ff_admin="latest" - version_ff_ai="latest" - version_ff_analytics="latest" - version_ff_api="latest" - version_ff_bpm="latest" - version_ff_data_analysis="latest" - version_ff_documents_api="latest" - version_ff_forms="latest" - version_ff_idm="latest" - version_ff_web="latest" - else - # See https://github.com/AOT-Technologies/forms-flow-ai-charts/releases - version_ff_admin="v2.2.0" - version_ff_ai="v2.2.0" - version_ff_analytics="v2.2.0" - version_ff_api="v2.2.0" - version_ff_bpm="v2.2.0" - version_ff_data_analysis="v2.2.0" - version_ff_documents_api="v2.2.0" - version_ff_forms="v2.2.0" - version_ff_idm="v2.2.0" - version_ff_web="v2.2.0" - fi + if [[ $is_latest_release =~ ^[Yy]$ ]]; then + version_ff_admin="latest" + version_ff_ai="latest" + version_ff_analytics="latest" + version_ff_api="latest" + version_ff_bpm="latest" + version_ff_data_analysis="latest" + version_ff_documents_api="latest" + version_ff_forms="latest" + version_ff_idm="latest" + version_ff_web="latest" + else + # See https://github.com/AOT-Technologies/forms-flow-ai-charts/releases + version_ff_admin="v7.1.1" + version_ff_ai="v7.1.1" + version_ff_analytics="v7.1.1" + version_ff_api="v7.1.1" + version_ff_bpm="v7.1.1" + version_ff_data_analysis="v7.1.1" + version_ff_documents_api="v7.1.1" + version_ff_forms="v7.1.1" + version_ff_idm="v7.1.1" + version_ff_web="v7.1.1" + fi } addRegistry() { - helm repo remove formsflow - helm repo add formsflow https://aot-technologies.github.io/forms-flow-ai-charts - echo - helm repo update formsflow + helm repo remove formsflow + helm repo add formsflow https://aot-technologies.github.io/forms-flow-ai-charts + echo + helm repo update formsflow } updateLocalDependencies(){ - helm dependency update $directory/forms-flow-ai/ - helm dependency update $directory/forms-flow-analytics/ - helm dependency update $directory/forms-flow-forms/ - helm dependency update $directory/forms-flow-idm/ - helm dependency update $directory/forms-flow-admin/ - helm dependency update $directory/forms-flow-api/ - helm dependency update $directory/forms-flow-bpm/ - helm dependency update $directory/forms-flow-data-analysis/ - helm dependency update $directory/forms-flow-web/ - helm dependency update $directory/forms-flow-documents-api/ + helm dependency build $directory/forms-flow-ai/ + helm dependency build $directory/forms-flow-analytics/ + helm dependency build $directory/forms-flow-forms/ + helm dependency build $directory/forms-flow-idm/ + helm dependency build $directory/forms-flow-admin/ + helm dependency build $directory/forms-flow-api/ + helm dependency build $directory/forms-flow-bpm/ + helm dependency build $directory/forms-flow-data-analysis/ + helm dependency build $directory/forms-flow-web/ + helm dependency build $directory/forms-flow-documents-api/ } displayPrompts() { - read -p "Install using forms-flow package registry? (y/n):" is_from_registry - read -p "Please enter the domain name (ex: apps.bronze.aot-technologies.com):" domain_name - read -p "Please enter the namespace (ex: forms-flow):" namespace - read -p "Is this a premium installation? (y/n):" is_premium - read -p "Use the latest version release? (y) or stable release (n):" is_latest_release + read -p "Install using forms-flow package registry? (y/n):" is_from_registry + read -p "Please enter the domain name (ex: apps.bronze.$domain_name):" domain_name + read -p "Please enter the namespace (ex: forms-flow):" namespace + read -p "Please enter the ingress class name (ex: formsflow):" classname + read -p "Is this a premium installation? (y/n):" is_premium + read -p "Use the latest version release? (y) or stable release (n):" is_latest_release + analytics_subdomain="forms-flow-web" } checkdirectory() { - pwd=$(pwd) - dirname=$(basename ${pwd}) - if [ ! ${dirname} = "scripts" ]; then - echo "Must run from scripts folder" - exit 1 - fi + pwd=$(pwd) + dirname=$(basename ${pwd}) + if [ ! ${dirname} = "scripts" ]; then + echo "Must run from scripts folder" + exit 1 + fi } checkEmptyInput() { - if [ ! ${#} = 5 ]; then - echo "Please provide input for all prompts." - exit 2 - fi + if [ ! ${#} = 7 ]; then + echo "Please provide input for all prompts." + exit 2 + fi } - -main "$@" \ No newline at end of file +main "$@" diff --git a/sonar-project.properties b/sonar-project.properties new file mode 100644 index 00000000..cbe0eb1a --- /dev/null +++ b/sonar-project.properties @@ -0,0 +1,13 @@ +sonar.projectKey=AOT-Technologies_forms-flow-ai-charts +sonar.organization=aot-technologies + +# This is the name and version displayed in the SonarCloud UI. +#sonar.projectName=forms-flow-ai-charts +#sonar.projectVersion=1.0 + + +# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows. +#sonar.sources=. + +# Encoding of the source code. Default is default system encoding +#sonar.sourceEncoding=UTF-8 \ No newline at end of file