Updated mariadb chart to be compatible with openshift

helm/dbrepo/Chart.lock

@@ -7,10 +7,10 @@ dependencies:
   version: 21.6.1
 - name: mariadb-galera
   repository: https://charts.bitnami.com/bitnami
-  version: 10.1.3
+  version: 14.0.12
 - name: mariadb-galera
   repository: https://charts.bitnami.com/bitnami
-  version: 10.1.3
+  version: 14.0.12
 - name: rabbitmq
   repository: https://charts.bitnami.com/bitnami
   version: 14.0.0
@@ -26,5 +26,5 @@ dependencies:
 - name: prometheus
   repository: https://charts.bitnami.com/bitnami
   version: 1.3.22
-digest: sha256:b146630948770f1ae6822564173eecfcc66f75502a0449fd3556c920f7202a2b
-generated: "2024-11-22T09:41:42.713329569+01:00"
+digest: sha256:aa9cee8efad6f30ad296c7908cf4d9a5c50e1d87bcf2dde3b2e02306a686e1fd
+generated: "2024-11-22T19:46:10.620698662+01:00"

helm/dbrepo/Chart.yaml

@@ -6,7 +6,7 @@ description: Helm Chart for installing DBRepo
 sources:
   - https://gitlab.phaidra.org/fair-data-austria-db-repository/fda-services
 type: application
-version: "1.5.2-rc0"
+version: "1.5.1"
 appVersion: "1.5.1"
 keywords:
   - dbrepo
@@ -28,12 +28,12 @@ dependencies:
     condition: authservice.enabled
   - name: mariadb-galera
     alias: datadb
-    version: 10.1.3  # app version: 11.1.3
+    version: 14.0.12  # app version: 11.4.4-debian-12-r0
     repository: https://charts.bitnami.com/bitnami
-    condition: database.enabled
+    condition: datadb.enabled
   - name: mariadb-galera
     alias: metadatadb
-    version: 10.1.3  # app version: 11.1.3
+    version: 14.0.12  # app version: 11.4.4-debian-12-r0
     repository: https://charts.bitnami.com/bitnami
     condition: metadatadb.enabled
   - name: rabbitmq
@@ -46,11 +46,6 @@ dependencies:
     version: 0.4.5
     repository: https://charts.bitnami.com/bitnami
     condition: storageservice.enabled
-  - name: tusd
-    alias: uploadservice
-    version: 0.1.2
-    repository: https://charts.sagikazarmark.dev
-    condition: uploadservice.enabled
   - name: grafana
     alias: dashboardservice
     version: 10.1.1

helm/dbrepo/templates/_resources.tpl

+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a resource request/limit object based on a given preset.
+These presets are for basic testing and not meant to be used in production
+{{ include "common.resources.preset" (dict "type" "nano") -}}
+*/}}
+{{- define "common.resources.preset" -}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}}
+{{- $presets := dict
+  "nano" (dict
+      "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi")
+   )
+  "micro" (dict
+      "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi")
+   )
+  "small" (dict
+      "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi")
+   )
+  "medium" (dict
+      "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi")
+   )
+  "large" (dict
+      "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi")
+   )
+  "xlarge" (dict
+      "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi")
+   )
+  "2xlarge" (dict
+      "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi")
+      "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi")
+   )
+ }}
+{{- if hasKey $presets .type -}}
+{{- index $presets .type | toYaml -}}
+{{- else -}}
+{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file

helm/dbrepo/templates/analyse-deployment.yaml

@@ -56,5 +56,7 @@ spec:
             periodSeconds: 10
           {{- if .Values.analyseservice.resources }}
           resources: {{- toYaml .Values.analyseservice.resources | nindent 12 }}
+          {{- else if ne .Values.analyseservice.resourcesPreset "none" }}
+          resources: {{- include "common.resources.preset" (dict "type" .Values.analyseservice.resourcesPreset) | nindent 12 }}
           {{- end }}
 {{- end }}

helm/dbrepo/templates/data-deployment.yaml

@@ -56,7 +56,7 @@ spec:
             periodSeconds: 10
           {{- if .Values.dataservice.resources }}
           resources: {{- toYaml .Values.dataservice.resources | nindent 12 }}
+          {{- else if ne .Values.dataservice.resourcesPreset "none" }}
+          resources: {{- include "common.resources.preset" (dict "type" .Values.dataservice.resourcesPreset) | nindent 12 }}
           {{- end }}
-          volumeMounts: []
-      volumes: []
 {{- end }}

helm/dbrepo/templates/identity-statefulset.yaml

@@ -38,6 +38,11 @@ spec:
           envFrom:
             - secretRef:
                 name: identity-service-secret
+          {{- if .Values.identityservice.persistence.enabled }}
+          volumeMounts:
+            - name: openldap-data
+              mountPath: /bitnami/openldap
+          {{- end }}
           livenessProbe:
             exec:
               command:
@@ -56,5 +61,20 @@ spec:
             periodSeconds: 10
           {{- if .Values.identityservice.resources }}
           resources: {{- toYaml .Values.identityservice.resources | nindent 12 }}
+          {{- else if ne .Values.identityservice.resourcesPreset "none" }}
+          resources: {{- include "common.resources.preset" (dict "type" .Values.identityservice.resourcesPreset) | nindent 12 }}
+          {{- end }}
+  {{- if .Values.identityservice.persistence.enabled }}
+  volumeClaimTemplates:
+    - metadata:
+        name: openldap-data
+      spec:
+        accessModes: [ "ReadWriteOnce" ]
+        {{- if .Values.global.storageClass }}
+        storageClassName: {{ .Values.global.storageClass }}
+        {{- end }}
+        resources:
+          requests:
+            storage: 8Gi
   {{- end }}
 {{- end }}

helm/dbrepo/templates/metadata-configmap.yaml

@@ -12,7 +12,7 @@ data:
   02-setup-data.sql: |
     BEGIN;
     INSERT INTO `mdb_containers` (name, internal_name, image_id, host, port, privileged_username, privileged_password)
-    VALUES ('mariadb:11.1.3-debian-11-r6', 'mariadb_11_1_3', 1, 'data-db', 3306, '{{ .Values.datadb.rootUser.user }}', '{{ .Values.datadb.rootUser.password }}');
+    VALUES ('mariadb:11.4.4-debian-12-r0', 'mariadb_11_4_4', 1, 'data-db', 3306, '{{ .Values.datadb.rootUser.user }}', '{{ .Values.datadb.rootUser.password }}');
     COMMIT;
   01-setup-schema.sql: |
     BEGIN;

helm/dbrepo/templates/metadata-deployment.yaml

@@ -56,5 +56,7 @@ spec:
             periodSeconds: 10
           {{- if .Values.metadataservice.resources }}
           resources: {{- toYaml .Values.metadataservice.resources | nindent 12 }}
+          {{- else if ne .Values.metadataservice.resourcesPreset "none" }}
+          resources: {{- include "common.resources.preset" (dict "type" .Values.metadataservice.resourcesPreset) | nindent 12 }}
           {{- end }}
 {{- end }}

helm/dbrepo/templates/upload-deployment.yaml

+{{- if .Values.uploadservice.enabled }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: upload-service
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels:
+    app: upload-service
+    service: upload-service
+spec:
+  replicas: {{ .Values.uploadservice.replicaCount }}
+  strategy:
+    type: {{ .Values.strategyType }}
+  selector:
+    matchLabels:
+      app: upload-service
+      service: upload-service
+  template:
+    metadata:
+      labels:
+        app: upload-service
+        service: upload-service
+    spec:
+      {{- if .Values.uploadservice.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.uploadservice.podSecurityContext "context" $) | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: upload-service
+          image: {{ .Values.uploadservice.image.name }}
+          imagePullPolicy: {{ .Values.uploadservice.image.pullPolicy | default "IfNotPresent" }}
+          {{- if .Values.uploadservice.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.uploadservice.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
+          args:
+            - "-behind-proxy"
+            - "-max-size={{ .Values.uploadservice.s3.maxSize }}"
+            - "-base-path=/api/upload/files/"
+            - "-s3-endpoint={{ .Values.uploadservice.s3.endpoint}}"
+            - "-s3-bucket={{ .Values.uploadservice.s3.bucket }}"
+          ports:
+            - containerPort: 1080
+              protocol: TCP
+          envFrom:
+            - secretRef:
+                name: upload-service-secret
+          livenessProbe:
+            httpGet:
+              port: 1080
+            initialDelaySeconds: 120
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              port: 1080
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          {{- if .Values.uploadservice.resources }}
+          resources: {{- toYaml .Values.uploadservice.resources | nindent 12 }}
+          {{- else if ne .Values.uploadservice.resourcesPreset "none" }}
+          resources: {{- include "common.resources.preset" (dict "type" .Values.uploadservice.resourcesPreset) | nindent 12 }}
+          {{- end }}
+{{- end }}

helm/dbrepo/templates/upload-secret.yaml

-{{- if .Values.uploadservice.enabled }}
 ---
 apiVersion: v1
 kind: Secret
@@ -8,5 +7,4 @@ metadata:
 stringData:
   AWS_ACCESS_KEY_ID: "{{ .Values.storageservice.s3.auth.adminAccessKeyId }}"
   AWS_SECRET_ACCESS_KEY: "{{ .Values.storageservice.s3.auth.adminSecretAccessKey }}"
-  AWS_REGION: "default"
-{{- end }}
\ No newline at end of file
+  AWS_REGION: "{{ .Values.storageservice.s3.region | default "default" }}"

helm/dbrepo/values.yaml

@@ -179,23 +179,60 @@ searchdb:
 uploadservice:
   ## @param uploadservice.enabled Enable the Upload Service.
   enabled: true
-  ## @skip uploadservice.fullnameOverride
-  fullnameOverride: upload-service
   ## @skip uploadservice.image
   image:
-    repository: tusproject/tusd
-    tag: v1.12
-  ## @skip uploadservice.securityContext
-  securityContext:
-    allowPrivilegeEscalation: false
+    name: docker.io/tusproject/tusd:v1.12
+  s3:
+    ## @param dataservice.s3.endpoint The S3-capable endpoint the microservice connects to.
+    endpoint: http://storage-service-s3:8333
+    ## @param dataservice.s3.bucket The S3 bucket name.
+    bucket: dbrepo
+    ## @param dataservice.s3.bucket The maximum file size in bytes.
+    maxSize: "2000000000"
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    ## @param uploadservice.podSecurityContext.enabled Enable pods' Security Context
+    enabled: true
+    ## @param uploadservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+    fsGroupChangePolicy: Always
+    ## @param uploadservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+    sysctls: [ ]
+    ## @param uploadservice.podSecurityContext.supplementalGroups Set filesystem extra groups
+    supplementalGroups: [ ]
+    ## @param uploadservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
+    fsGroup: 0
+  containerSecurityContext:
+    ## @param uploadservice.containerSecurityContext.enabled Enable containers' Security Context
+    enabled: true
+    ## @param uploadservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
+    seLinuxOptions: { }
+    ## @param uploadservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
     runAsUser: 1000
+    ## @param uploadservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
     runAsGroup: 1000
+    ## @param uploadservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
+    ## @param uploadservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
+    allowPrivilegeEscalation: false
+    ## @param uploadservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+    readOnlyRootFilesystem: false
     capabilities:
-      drop:
-        - ALL
+      ## @param uploadservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
+      drop: [ "ALL" ]
+    seccompProfile:
+      ## @param uploadservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+      type: "RuntimeDefault"
+  ## @param uploadservice.resourcesPreset The container resource preset
+  resourcesPreset: "micro"
+  ## @param uploadservice.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+  ## Example:
+  ## resources:
+  ##   requests:
+  ##     cpu: 250m
+  ##     memory: 64Mi
+  ##   limits:
+  ##     cpu: 500m
+  ##     memory: 1024Mi
   ## @skip uploadservice.containerArgs
   containerArgs:
     - "-behind-proxy"
@@ -266,6 +303,9 @@ brokerservice:
       sslOptionsVerify: true
       failIfNoPeerCert: true
       existingSecret: ingress-cert
+  rbac:
+    ## @skip brokerservice.rbac.create
+    create: false
   ## @skip brokerservice.advancedConfigurationExistingSecret
   advancedConfigurationExistingSecret: broker-service-secret
   ## @skip brokerservice.loadDefinition
@@ -334,15 +374,18 @@ analyseservice:
     seccompProfile:
       ## @param analyseservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
       type: "RuntimeDefault"
-  ## @skip analyseservice.resources
-  resources:
-    requests:
-      cpu: 250m
-      memory: 512Mi
-    limits:
-      cpu: 500m
-      memory: 2048Mi
-
+  ## @param analyseservice.resourcesPreset The container resource preset
+  resourcesPreset: "micro"
+  ## @param analyseservice.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+  ## Example:
+  ## resources:
+  ##   requests:
+  ##     cpu: 250m
+  ##     memory: 64Mi
+  ##   limits:
+  ##     cpu: 500m
+  ##     memory: 1024Mi
+  resources: { }
   ## @param analyseservice.endpoint The url of the endpoint.
   endpoint: http://analyse-service
   s3:
@@ -398,14 +441,17 @@ metadataservice:
     seccompProfile:
       ## @param metadataservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
       type: "RuntimeDefault"
-  ## @skip metadataservice.resources
-  resources:
-    requests:
-      cpu: 250m
-      memory: 512Mi
-    limits:
-      cpu: 1000m
-      memory: 2048Mi
+  ## @param metadataservice.resourcesPreset The container resource preset
+  resourcesPreset: "micro"
+  ## @param metadataservice.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+  ## Example:
+  ## resources:
+  ##   requests:
+  ##     cpu: 250m
+  ##     memory: 64Mi
+  ##   limits:
+  ##     cpu: 500m
+  ##     memory: 1024Mi
   ## @param metadataservice.endpoint The Metadata Service endpoint.
   endpoint: http://metadata-service
   crossref:
@@ -497,6 +543,17 @@ dataservice:
     seccompProfile:
       ## @param dataservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
       type: "RuntimeDefault"
+  ## @param dataservice.resourcesPreset The container resource preset
+  resourcesPreset: "large"
+  ## @param dataservice.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+  ## Example:
+  ## resources:
+  ##   requests:
+  ##     cpu: 250m
+  ##     memory: 64Mi
+  ##   limits:
+  ##     cpu: 500m
+  ##     memory: 1024Mi
   ## @skip dataservice.resources
   grant:
     ## @param dataservice.grant.read The default database permissions for users with read access.
@@ -577,6 +634,17 @@ searchservice:
     seccompProfile:
       ## @param searchservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
       type: "RuntimeDefault"
+  ## @param searchservice.resourcesPreset The container resource preset
+  resourcesPreset: "nano"
+  ## @param searchservice.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+  ## Example:
+  ## resources:
+  ##   requests:
+  ##     cpu: 250m
+  ##     memory: 64Mi
+  ##   limits:
+  ##     cpu: 500m
+  ##     memory: 1024Mi
   ## @skip searchservice.resources
   resources:
     requests:
@@ -605,6 +673,9 @@ storageservice:
     fullnameOverride: storage-service-db
     ## @skip storageservice.mariadb.enabled
     enabled: true
+    primary:
+      ## @skip storageservice.mariadb.primary.resourcesPreset The container resource preset
+      resourcesPreset: "nano"
     auth:
       ## @param storageservice.mariadb.auth.rootPassword The user password for the root user.
       rootPassword: seaweedfsdb
@@ -675,7 +746,7 @@ identityservice:
     ## @param identityservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
     runAsUser: 1001
     ## @param identityservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
-    runAsGroup: 1001
+    runAsGroup: 0
     ## @param identityservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
     runAsNonRoot: true
     ## @param identityservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
@@ -685,17 +756,22 @@ identityservice:
     capabilities:
       ## @param identityservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
       drop: [ "ALL" ]
+      ## @param identityservice.containerSecurityContext.capabilities.add Set container's Security Context runAsNonRoot
+      add: [ "NET_BIND_SERVICE" ]
     seccompProfile:
       ## @param identityservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
       type: "RuntimeDefault"
-  ## @skip identityservice.resources
-  resources:
-    requests:
-      cpu: 250m
-      memory: 512Mi
-    limits:
-      cpu: 500m
-      memory: 2048Mi
+  ## @param identityservice.resourcesPreset The container resource preset
+  resourcesPreset: "nano"
+  ## @param identityservice.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+  ## Example:
+  ## resources:
+  ##   requests:
+  ##     cpu: 250m
+  ##     memory: 64Mi
+  ##   limits:
+  ##     cpu: 500m
+  ##     memory: 1024Mi
   ## @param identityservice.users The admin username for internal authentication.
   users: admin
   ## @param identityservice.userPasswords The admin user password for internal authentication.
@@ -766,6 +842,17 @@ ui:
     seccompProfile:
       ## @param ui.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
       type: "RuntimeDefault"
+  ## @param ui.resourcesPreset The container resource preset
+  resourcesPreset: "nano"
+  ## @param ui.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+  ## Example:
+  ## resources:
+  ##   requests:
+  ##     cpu: 250m
+  ##     memory: 64Mi
+  ##   limits:
+  ##     cpu: 500m
+  ##     memory: 1024Mi
   ## @skip ui.resources
   resources:
     requests:
@@ -881,6 +968,9 @@ metricdb:
       ## @skip metricdb.alertmanager.service.type
       type: ClusterIP
   server:
+    rbac:
+      ## @skip metricdb.server.rbac.create
+      create: false
     service:
       ## @skip metricdb.server.service.type
       type: ClusterIP