From ae4a949452ad7f56f4bc623d78fbecf5878df316 Mon Sep 17 00:00:00 2001
From: Philip Haupt <“der.mad.mob@gmail.com”>
Date: Sun, 12 Oct 2025 17:57:35 +0200
Subject: [PATCH] nextcloud cnpg

---
 netbox/src/values.yaml | 1805 ++++++++++++++++++++++++++++++
 nextcloud/main.yaml | 100 +-
 nextcloud/src/kustomization.yaml | 12 +-
 nextcloud/src/values-cnpg.yaml | 503 +++++++++
 4 files changed, 2410 insertions(+), 10 deletions(-)
 create mode 100644 netbox/src/values.yaml
 create mode 100644 nextcloud/src/values-cnpg.yaml

diff --git a/netbox/src/values.yaml b/netbox/src/values.yaml
new file mode 100644
index 0000000..75acf6a
--- /dev/null
+++ b/netbox/src/values.yaml
@@ -0,0 +1,1805 @@
+# Default values for NetBox.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+## @section Global parameters
+## Global container image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global container image parameters: imageRegistry, imagePullSecrets and storageClass
+
+## @param global.imageRegistry Global container image registry
+## @param global.imagePullSecrets Global container registry secret names as an array
+## @param global.storageClass Global StorageClass for Persistent Volume(s)
+##
+global:
+ imageRegistry: ""
+ ## E.g.
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: []
+ storageClass: ""
+
+## @section Common parameters
+
+## @param nameOverride String to partially override common.names.fullname
+##
+nameOverride: ""
+## @param fullnameOverride String to fully override common.names.fullname
+##
+fullnameOverride: ""
+## @param commonLabels Labels to add to all deployed objects
+##
+commonLabels: {}
+## @param commonAnnotations Annotations to add to all deployed objects
+##
+commonAnnotations: {}
+## @param clusterDomain Kubernetes cluster domain name
+##
+clusterDomain: cluster.local
+## @param extraDeploy Array of extra objects to deploy with the release
+## Example:
+## extraDeploy:
+## - |
+## apiVersion: v1
+## kind: ConfigMap
+## metadata:
+## name: sso-pipeline-roles
+## namespace: netbox
+## data:
+## sso_pipeline_roles.py: |
+## from netbox.authentication import Group
+## ...
+##
+extraDeploy: []
+
+## @section NetBox Image parameters
+## @param image.registry Image registry
+## @param image.repository Image repository
+## @param image.tag Image tag
+## @param image.digest Image digest in the way sha256:aa...
+## @param image.pullPolicy MariaDB image pull policy
+## @param image.pullSecrets Specify docker-registry secret names as an array
+##
+image:
+ registry: ghcr.io
+ repository: netbox-community/netbox
+ pullPolicy: IfNotPresent
+ ## Defaults to '{{ .Chart.AppVersion }}'
+ ##
+ tag: ""
+ ## If set, override the tag
+ ##
+ digest: ""
+ ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+
+## @section NetBox Configuration parameters
+
+# You can also use an existing secret for the superuser password and API token
+# See `existingSecret` for details
+superuser:
+ name: admin
+ email: admin@example.com
+ password: ""
+ apiToken: ""
+ existingSecret: ""
+
+# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox
+# server. NetBox will not permit write access to the server via any other
+# hostnames. The first FQDN in the list will be treated as the preferred name.
+allowedHosts:
+ - "*"
+
+# Include Pod IP in list of allowed hosts by providing it as the 'POD_IP' envvar
+# at runtime, which is then used in the configuration.py.
+allowedHostsIncludesPodIP: true
+
+# Specify one or more name and email address tuples representing NetBox
+# administrators. These people will be notified of application errors (assuming
+# correct email settings are provided).
+# admins:
+# - ['John Doe', 'jdoe@example.com']
+admins: []
+
+# Permit the retrieval of API tokens after their creation.
+allowTokenRetrieval: false
+
+# This parameter acts as a pass-through for configuring Django's built-in
+# password validators for local user accounts. If configured, these will be
+# applied whenever a user's password is updated to ensure that it meets minimum
+# criteria such as length or complexity.
+# https://netboxlabs.com/docs/netbox/en/stable/configuration/security/#auth_password_validators
+authPasswordValidators: []
+
+# URL schemes that are allowed within links in NetBox
+allowedUrlSchemes:
+ - file
+ - ftp
+ - ftps
+ - http
+ - https
+ - irc
+ - mailto
+ - sftp
+ - ssh
+ - tel
+ - telnet
+ - tftp
+ - vnc
+ - xmpp
+
+banner:
+ # Optionally display a persistent banner at the top and/or bottom of every
+ # page. HTML is allowed.
+ top: ""
+ bottom: ""
+
+ # Text to include on the login page above the login form. HTML is allowed.
+ login: ""
+
+# Base URL path if accessing NetBox within a directory. For example, if
+# installed at http://example.com/netbox/, set to 'netbox/'. If using
+# Kubernetes Ingress, make sure you set ingress.hosts[].paths[] appropriately.
+# This will also require customising the NGINX Unit application server
+# configuration.
+basePath: ""
+
+# Maximum number of days to retain logged changes. Set to 0 to retain change
+# logs indefinitely. (Default: 90)
+changelogRetention: 90
+
+# This is a mapping of models to custom validators that have been defined
+# locally to enforce custom validation logic.
+# https://netboxlabs.com/docs/netbox/en/stable/configuration/data-validation/#custom_validators
+customValidators: {}
+
+# This is a dictionary defining the default preferences to be set for newly-
+# created user accounts.
+# https://netboxlabs.com/docs/netbox/en/stable/configuration/default-values/#default_user_preferences
+# defaultUserPreferences:
+# pagination:
+# per_page: 100
+defaultUserPreferences: {}
+
+# API Cross-Origin Resource Sharing (CORS) settings. If originAllowAll
+# is set to true, all origins will be allowed. Otherwise, define a list of
+# allowed origins using either originWhitelist or originRegexWhitelist. For
+# more information, see https://github.com/ottoyiu/django-cors-headers
+cors:
+ originAllowAll: false
+ originWhitelist: []
+ originRegexWhitelist: []
+ # - '^(https?://)?(\w+\.)?example\.com$'
+
+# CSRF settings. Needed for netbox v3.2.0 and newer. For more information
+# see https://netboxlabs.com/docs/netbox/en/stable/configuration/security/#csrf_trusted_origins
+csrf:
+ # The name of the cookie to use for the cross-site request forgery (CSRF)
+ # authentication token.
+ cookieName: csrftoken
+ # Defines a list of trusted origins for unsafe (e.g. POST) requests. This is
+ # a pass-through to Django's CSRF_TRUSTED_ORIGINS setting. Note that each
+ # host listed must specify a scheme (e.g. http:// or `https://).
+ trustedOrigins: []
+
+# Note: this is where the CUSTOM_VALIDATORS setting naturally fits in relation
+# to the upstream NetBox configuration, but the setting cannot be reflected in
+# YAML/JSON as it depends on creating instances of Python classes.
+
+# Set the default preferred language/locale
+defaultLanguage: en-us
+
+# The maximum size (in bytes) of an incoming HTTP request (i.e. GET or POST data).
+# Requests which exceed this size will raise a RequestDataTooBig exception.
+dataUploadMaxMemorySize: 2621440
+
+# Set to True to enable server debugging. WARNING: Debugging introduces a
+# substantial performance penalty and may reveal sensitive information about
+# your installation. Only enable debugging while performing testing. Never
+# enable debugging on a production system.
+debug: false
+
+# Display full traceback of errors that occur when applying database
+# migrations.
+dbWaitDebug: false
+
+# Email settings
+email:
+ server: localhost
+ port: 25
+ username: ""
+ password: ""
+ useSSL: false
+ useTLS: false
+ sslCertFile: ""
+ sslKeyFile: ""
+ # Timeout in seconds
+ timeout: 10
+ from: ""
+ existingSecretName: ""
+ existingSecretKey: email-password
+
+# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce
+# unique IP space within the global table (all prefixes and IP addresses not
+# assigned to a VRF), set enforceGlobalUnique to True.
+enforceGlobalUnique: true
+
+# Exempt certain models from the enforcement of view permissions. Models listed
+# here will be viewable by all users and by anonymous users. List models in the
+# form `.`. Add '*' to this list to exempt all models.
+exemptViewPermissions: []
+# - dcim.site
+# - dcim.region
+# - ipam.prefix
+
+# Some static choice fields on models can be configured with custom values.
+# Each choice in the list must have a database value and a human-friendly
+# label, and may optionally specify a color.
+# https://netboxlabs.com/docs/netbox/en/stable/configuration/data-validation/#field_choices
+# fieldChoices:
+# 'dcim.Site.status':
+# - [foo, Foo, red]
+# - [bar, Bar, green]
+# - [baz, Baz, blue]
+# 'dcim.Site.status+':
+# ...
+fieldChoices: {}
+
+# The maximum amount (in bytes) of uploaded data that will be held in memory before being written to the filesystem.
+# Changing this setting can be useful for example to be able to upload files bigger than 2.5MB to custom scripts
+# for processing.
+fileUploadMaxMemorySize: 2621440
+
+# Enable the GraphQL API
+graphQlEnabled: true
+
+# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for
+# webhooks).
+# httpProxies:
+# http: http://10.10.1.10:3128
+# https: http://10.10.1.10:1080
+httpProxies: {}
+
+# IP addresses recognized as internal to the system. The debugging toolbar will
+# be available only to clients accessing NetBox from an internal IP.
+internalIPs: ["127.0.0.1", "::1"]
+
+# The number of days to retain job results (scripts and reports). Set this to 0
+# to retain job results in the database indefinitely.
+# https://netboxlabs.com/docs/netbox/en/stable/configuration/miscellaneous/#job_retention
+jobRetention: 90
+
+# Enable custom logging. Please see the Django documentation for detailed
+# guidance on configuring custom logs:
+# https://docs.djangoproject.com/en/1.11/topics/logging/
+logging: {}
+
+# Automatically reset the lifetime of a valid session upon each authenticated
+# request. Enables users to remain authenticated to NetBox indefinitely.
+loginPersistence: false
+
+# Setting this to True will permit only authenticated users to access any part
+# of NetBox. By default, anonymous users are permitted to access most data in
+# NetBox but not make any changes.
+loginRequired: false
+
+# The length of time (in seconds) for which a user will remain logged into the
+# web UI before being prompted to re-authenticate.
+# Default value 1209600 is 14 days
+loginTimeout: 1209600
+
+# The view name or URL to which users are redirected after logging out.
+logoutRedirectUrl: home
+
+# Setting this to True will display a "maintenance mode" banner at the top of
+# every page.
+maintenanceMode: false
+
+# The URL to use when mapping physical addresses or GPS coordinates
+mapsUrl: "https://maps.google.com/?q="
+
+# An API consumer can request an arbitrary number of objects by appending the
+# "limit" parameter to the URL (e.g. "?limit=1000"). This setting defines the
+# maximum limit. Setting it to 0 or None will allow an API consumer to request
+# all objects by specifying "?limit=0".
+maxPageSize: 1000
+
+## The backend storage engine for handling uploaded files such as image
+## attachments and custom scripts. NetBox integrates with the
+## django-storages and django-storage-swift libraries, which provide backends
+## for several popular file storage services. If not configured, local
+## filesystem storage will be used.
+## Note these values are not stored securely. If the configuration must be
+## setup in a more secure way, a propor Secret can be used with extraEnvVarsSecret.
+## ref: https://netboxlabs.com/docs/netbox/en/stable/configuration/system/#storages
+## e.g:
+## storages:
+## default:
+## BACKEND: "django.core.files.storage.FileSystemStorage"
+## scripts:
+## BACKEND: "storages.backends.s3.S3Storage"
+## OPTIONS:
+## access_key: "access key"
+## secret_key: "secret key"
+storages: {}
+
+# Determine how many objects to display per page within a list. (Default: 50)
+paginateCount: 50
+
+# Enable installed plugins. Add the name of each plugin to the list.
+plugins: []
+
+# Plugins configuration settings. These settings are used by various plugins
+# that the user may have installed. Each key in the dictionary is the name of
+# an installed plugin and its value is a dictionary of settings.
+pluginsConfig: {}
+
+# The default value for the amperage field when creating new power feeds.
+# https://netboxlabs.com/docs/netbox/en/stable/configuration/default-values/#powerfeed_default_amperage
+powerFeedDefaultAmperage: 15
+
+# The default value (percentage) for the max_utilization field when creating
+# new power feeds.
+# https://netboxlabs.com/docs/netbox/en/stable/configuration/default-values/#powerfeed_default_max_utilization
+powerFeedMaxUtilisation: 80
+
+# The default value for the voltage field when creating new power feeds.
+# https://netboxlabs.com/docs/netbox/en/stable/configuration/default-values/#powerfeed_default_voltage
+powerFeedDefaultVoltage: 120
+
+# When determining the primary IP address for a device, IPv6 is preferred over
+# IPv4 by default. Set this to True to prefer IPv4 instead.
+preferIPv4: false
+
+# Rack elevation size defaults, in pixels. For best results, the ratio of width
+# to height should be roughly 10:1.
+rackElevationDefaultUnitHeight: 22
+rackElevationDefaultUnitWidth: 220
+
+# Remote authentication support
+remoteAuth:
+ enabled: false
+ backends:
+ - netbox.authentication.RemoteUserBackend
+ header: HTTP_REMOTE_USER
+ userFirstName: HTTP_REMOTE_USER_FIRST_NAME
+ userLastName: HTTP_REMOTE_USER_LAST_NAME
+ userEmail: HTTP_REMOTE_USER_EMAIL
+ autoCreateUser: false
+ autoCreateGroups: false
+ defaultGroups: []
+ defaultPermissions: {}
+ groupSyncEnabled: false
+ groupHeader: HTTP_REMOTE_USER_GROUP
+ superuserGroups: []
+ superusers: []
+ staffGroups: []
+ staffUsers: []
+ groupSeparator: "|"
+
+ # The following options are specific for backend "netbox.authentication.LDAPBackend"
+ # you can use an existing netbox secret with "ldap_bind_password" instead of "bindPassword"
+ # see https://django-auth-ldap.readthedocs.io
+ ldap:
+ # serverUri: ldap://example.com
+ serverUri: ""
+ startTls: true
+ ignoreCertErrors: false
+ caCertDir: ""
+ caCertData: ""
+ # bindDn: CN=Netbox,OU=EmbeddedDevices,OU=MyCompany,DC=example,dc=com
+ bindDn: ""
+ bindPassword: ""
+ userDnTemplate: ""
+ # userSearchBaseDn: OU=Users,OU=MyCompany,DC=example,dc=com
+ userSearchBaseDn: ""
+ userSearchAttr: sAMAccountName
+ # groupSearchBaseDn: OU=Groups,OU=MyCompany,DC=example,dc=com
+ groupSearchBaseDn: ""
+ groupSearchClass: group
+ groupType: GroupOfNamesType
+ # requireGroupDn:
+ # - CN=Network Configuration Operators,CN=Builtin,DC=example,dc=com
+ # - CN=Domain Admins,CN=Users,DC=example,dc=com
+ requireGroupDn: []
+ # isAdminDn:
+ # - CN=Domain Admins,CN=Users,DC=example,dc=com
+ isAdminDn: []
+ # isSuperUserDn:
+ # - CN=Domain Admins,CN=Users,DC=example,dc=com
+ isSuperUserDn: []
+ findGroupPerms: true
+ mirrorGroups: true
+ mirrorGroupsExcept: []
+ cacheTimeout: 3600
+ attrFirstName: givenName
+ attrLastName: sn
+ attrMail: mail
+
+releaseCheck:
+ # This repository is used to check whether there is a new release of NetBox
+ # available. Set to null to disable the version check or use the URL below to
+ # check for release in the official NetBox repository.
+ # url: https://api.github.com/repos/netbox-community/netbox/releases
+ url: ""
+
+# Maximum execution time for background tasks, in seconds.
+# Default value 300 is 5 minutes
+rqDefaultTimeout: 300
+
+# The name to use for the session cookie.
+sessionCookieName: sessionid
+
+# Localization
+enableLocalization: false
+
+# Time zone (default: UTC)
+timeZone: UTC
+
+# Date/time formatting. See the following link for supported formats:
+# https://docs.djangoproject.com/en/dev/ref/templates/builtins/#date
+dateFormat: "N j, Y"
+shortDateFormat: "Y-m-d"
+timeFormat: "g:i a"
+shortTimeFormat: "H:i:s"
+dateTimeFormat: "N j, Y g:i a"
+shortDateTimeFormat: "Y-m-d H:i"
+
+## Extra configuration settings
+# You can pass additional YAML files to be loaded into NetBox's configuration.
+# These can be passed as arbitrary configuration values set in the chart, or
+# you can load arbitrary *.yaml keys from ConfigMaps and Secrets.
+# extraConfig:
+# - values:
+# EXTRA_SETTING_ONE: example
+# ANOTHER_SETTING: foobar
+# - configMap: # pod.spec.volumes.configMap
+# name: netbox-extra
+# items: []
+# optional: false
+# - secret: # same as pod.spec.volumes.secret
+# secretName: netbox-extra
+# items: []
+# optional: false
+extraConfig: []
+
+# If provided, this should be a 50+ character string of random characters. It
+# will be randomly generated if left blank.
+# You can also use an existing secret with "secret_key" instead of "secretKey"
+# See `existingSecret` for details
+secretKey: ""
+
+## Provide passwords using existing secret
+# If set, this Secret must contain the following keys:
+# - secret_key: session encryption token (50+ random characters)
+existingSecret: ""
+
+# Override the NGINX Unit configuration inside the container. When enabled, this
+# overrides the default configuration loaded into Unit. The upstream config is:
+# https://github.com/netbox-community/netbox-docker/blob/release/docker/nginx-unit.json
+# Remember that JSON is valid YAML: you can safely copy-and-paste from the above
+# into your values.yaml, or you can copy the YAML version from below as a
+# starting point.
+# overrideUnitConfig:
+# listeners:
+# "0.0.0.0:8080":
+# pass: routes/main
+# "[::]:8080":
+# pass: routes/main
+# "0.0.0.0:8081":
+# pass: routes/status
+# "[::]:8081":
+# pass: routes/status
+# routes:
+# main:
+# - match:
+# uri: "/static/*"
+# action:
+# share: "/opt/netbox/netbox${uri}"
+# - action:
+# pass: applications/netbox
+# status:
+# - match:
+# uri: "/status/*"
+# action:
+# proxy: "http://unix:/opt/unit/unit.sock"
+# applications:
+# netbox:
+# type: "python 3"
+# path: /opt/netbox/netbox/
+# module: netbox.wsgi
+# home: /opt/netbox/venv
+# processes:
+# max: 4
+# spare: 1
+# idle_timeout: 120
+# access_log: /dev/stdout
+overrideUnitConfig: {}
+
+## @section Deployment parameters
+
+## @param command Override default container command (useful when using custom images)
+##
+command: []
+## @param args Override default container args (useful when using custom images)
+##
+args: []
+
+## @param replicaCount Number of replicas to deploy
+## NOTE: ReadWriteMany PVC(s) are required if replicaCount > 1
+##
+replicaCount: 1
+## Enable persistence using Persistent Volume Claims
+## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+## @param persistence.enabled Enable persistence using PVC
+## @param persistence.storageClass PVC Storage Class for volume
+## @param persistence.accessMode PVC Access Mode for volume
+## @param persistence.size PVC Storage Request for volume
+## @param persistence.subPath Existing claim's subPath to use, e.g. "media" (optional)
+## @param persistence.existingClaim Name of an existing PVC to be used
+## @param persistence.annotations Annotations to add to the PVC
+##
+persistence:
+ enabled: true
+ ## Data Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ storageClass: openebs-3-replicas
+ subPath: ""
+ accessMode: ReadWriteOnce
+ size: 1Gi
+ existingClaim: ""
+ annotations: {}
+## Enable reports persistence using Persistent Volume Claims
+## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+## @param reportsPersistence.enabled Enable reports persistence using PVC
+## @param reportsPersistence.storageClass PVC Storage Class for volume
+## @param reportsPersistence.accessMode PVC Access Mode for volume
+## @param reportsPersistence.size PVC Storage Request for volume
+## @param reportsPersistence.subPath Existing claim's subPath to use, e.g. "media" (optional)
+## @param reportsPersistence.existingClaim Name of an existing PVC to be used
+## @param reportsPersistence.annotations Annotations to add to the PVC
+##
+reportsPersistence:
+ enabled: false
+ existingClaim: ""
+ subPath: ""
+ ## Data Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ storageClass: openebs-3-replicas
+ accessMode: ReadWriteOnce
+ size: 1Gi
+ annotations: {}
+## Enable scripts persistence using Persistent Volume Claims
+## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+## @param scriptsPersistence.enabled Enable reports persistence using PVC
+## @param scriptsPersistence.storageClass PVC Storage Class for volume
+## @param scriptsPersistence.accessMode PVC Access Mode for volume
+## @param scriptsPersistence.size PVC Storage Request for volume
+## @param scriptsPersistence.subPath Existing claim's subPath to use, e.g. "media" (optional)
+## @param scriptsPersistence.existingClaim Name of an existing PVC to be used
+## @param scriptsPersistence.annotations Annotations to add to the PVC
+##
+scriptsPersistence:
+ enabled: false
+ existingClaim: ""
+ subPath: ""
+ ## Data Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ storageClass: openebs-3-replicas
+ accessMode: ReadWriteOnce
+ size: 1Gi
+ annotations: {}
+## @param updateStrategy.type Deployment strategy type
+## @param updateStrategy.rollingUpdate Deployment rolling update configuration parameters
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+## NOTE: Set it to `Recreate` if you use a PV that cannot be mounted on multiple pods
+## e.g:
+## updateStrategy:
+## type: RollingUpdate
+## rollingUpdate:
+## maxSurge: 25%
+## maxUnavailable: 25%
+##
+updateStrategy:
+ type: RollingUpdate
+## Pods Service Account
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+## @param serviceAccount.create Specifies whether a ServiceAccount should be created
+## @param serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template.
+## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
+## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
+##
+serviceAccount:
+ create: true
+ annotations: {}
+ name: ""
+ automountServiceAccountToken: false
+## Role Based Access
+## ref: https://kubernetes.io/docs/admin/authorization/rbac/
+##
+rbac:
+ ## @param rbac.create Specifies whether RBAC resources should be created
+ ##
+ create: true
+ ## @param rbac.rules Custom RBAC rules to set
+ ## e.g:
+ ## rules:
+ ## - apiGroups:
+ ## - ""
+ ## resources:
+ ## - pods
+ ## verbs:
+ ## - get
+ ## - list
+ ##
+ rules: []
+## @param hostAliases [array] Add deployment host aliases
+## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+##
+hostAliases: []
+## @param extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts`
+## e.g:
+## extraVolumes:
+## - name: kv-ca
+## secret:
+## secretName: kv-ca
+##
+extraVolumes: []
+## @param extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`.
+## e.g:
+## extraVolumeMounts:
+## - name: kv-ca
+## mountPath: /tmp/kv-ca
+## subPath: kv_ca
+## readOnly: true
+##
+extraVolumeMounts: []
+## @param sidecars Add additional sidecar containers to the pod
+## e.g:
+## sidecars:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+sidecars: []
+## @param initContainers Add additional init containers to the pods
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+## e.g:
+## initContainers:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## command: ['sh', '-c', 'echo "init"']
+##
+initContainers: []
+## @param podLabels Extra labels for pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+podLabels: {}
+## @param podAnnotations Annotations for pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: {}
+## @param affinity Affinity for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
+##
+affinity: {}
+## @param nodeSelector Node labels for pod assignment
+## ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+## @param tolerations Tolerations for pod assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+##
+tolerations: []
+## @param priorityClassName Pods' priorityClassName
+##
+priorityClassName: ""
+## @param schedulerName Name of the k8s scheduler (other than default) for pods
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+schedulerName: ""
+## @param terminationGracePeriodSeconds Seconds pods need to terminate gracefully
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+##
+terminationGracePeriodSeconds:
+## @param topologySpreadConstraints Topology Spread Constraints for pod assignment
+## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+## The value is evaluated as a template.
+## e.g:
+## topologySpreadConstraints:
+## - maxSkew: 1
+## topologyKey: topology.kubernetes.io/zone
+## whenUnsatisfiable: DoNotSchedule
+## labelSelector:
+## matchLabels:
+## "app.kubernetes.io/component": netbox
+## "app.kubernetes.io/name": netbox
+##
+topologySpreadConstraints: []
+## @section Pod disruption budget
+## Configure PodDisruptionBudget for NetBox web pods
+## @param pdb.enabled Enable PodDisruptionBudget for NetBox web pods
+## @param pdb.minAvailable Minimum number/percentage of pods that must be available
+## @param pdb.maxUnavailable Maximum number/percentage of pods that can be unavailable
+## If neither minAvailable nor maxUnavailable is set, a sensible default is applied:
+## - Single replica: minAvailable: 1
+## - Multiple replicas or HPA enabled: minAvailable: 50%
+##
+pdb:
+ enabled: false
+ minAvailable: ""
+ maxUnavailable: ""
+## Container's resource requests and limits
+## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+## We usually recommend not to specify default resources and to leave this as a conscious
+## choice for the user. This also increases chances charts run on environments with little
+## resources, such as Minikube. If you do want to specify resources, uncomment the following
+## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge).
+## This is ignored if resources is set (resources is recommended for production).
+## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+##
+resourcesPreset: "medium"
+## Containers' resource requests and limits
+## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+## @param resources.limits The resources limits for the container
+## @param resources.requests [object] The requested resources for the container
+## Example:
+## resources:
+## requests:
+## cpu: 2
+## memory: 512Mi
+## limits:
+## cpu: 3
+## memory: 1024Mi
+##
+resources: {}
+## Configure Pods Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+## @param podSecurityContext.enabled Enable pods' Security Context
+## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
+## @param podSecurityContext.supplementalGroups Set filesystem extra groups
+## @param podSecurityContext.fsGroup Pods' group ID
+##
+podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1000
+## Configure Container Security Context (only main container)
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+## @param securityContext.enabled Enabled containers' Security Context
+## @param securityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+## @param securityContext.runAsUser Set containers' Security Context runAsUser
+## @param securityContext.runAsGroup Set containers' Security Context runAsGroup
+## @param securityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+## @param securityContext.privileged Set container's Security Context privileged
+## @param securityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+## @param securityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+## @param securityContext.capabilities.drop List of capabilities to be dropped
+## @param securityContext.seccompProfile.type Set container's Security Context seccomp profile
+##
+securityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+## @param automountServiceAccountToken Mount Service Account token in pod
+##
+automountServiceAccountToken: false
+## Configure extra options for liveness probe
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+## @param livenessProbe.enabled Enable livenessProbe
+## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+## @param livenessProbe.periodSeconds Period seconds for livenessProbe
+## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
+## @param livenessProbe.successThreshold Success threshold for livenessProbe
+##
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+## Configure extra options for readiness probe
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+## @param readinessProbe.enabled Enable readinessProbe
+## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+## @param readinessProbe.periodSeconds Period seconds for readinessProbe
+## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
+## @param readinessProbe.successThreshold Success threshold for readinessProbe
+##
+readinessProbe:
+ enabled: true
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+## Configure extra options for startupProbe probe
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+## @param startupProbe.enabled Enable startupProbe
+## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+## @param startupProbe.periodSeconds Period seconds for startupProbe
+## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
+## @param startupProbe.failureThreshold Failure threshold for startupProbe
+## @param startupProbe.successThreshold Success threshold for startupProbe
+##
+startupProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 100
+ successThreshold: 1
+## @param customLivenessProbe Override default liveness probe for containers
+##
+customLivenessProbe: {}
+## @param customReadinessProbe Override default readiness probe for containers
+##
+customReadinessProbe: {}
+## @param customStartupProbe Override default startup probe for containers
+##
+customStartupProbe: {}
+## @param lifecycleHooks for containers to automate configuration before or after startup
+##
+lifecycleHooks: {}
+## @param extraEnvs Extra environment variables to be set on containers
+## E.g:
+## extraEnvs:
+## - name: FOO
+## valueFrom:
+## secretKeyRef:
+## key: FOO
+## name: secret-resource
+extraEnvs: []
+## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars for containers
+##
+extraEnvVarsCM: ""
+## @param extraEnvVarsSecret Name of existing Secret
containing extra env vars for containers +## +extraEnvVarsSecret: "" + +## Configure revision history limit for deployments +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy +revisionHistoryLimit: 10 + +## @section Traffic Exposure Parameters + +## Service parameters +## @param service.type Kubernetes Service type +## @param service.loadBalancerSourceRanges Restricts access for LoadBalancer (only with `service.type: LoadBalancer`) +## @param service.loadBalancerIP loadBalancerIP for the service (optional, cloud specific) +## @param service.loadBalancerClass Load Balancer class (optional, cloud specific) +## @param service.nodePort Kubernetes node port +## @param service.externalTrafficPolicy Enable client source IP preservation +## @param service.clusterIP Service Cluster IP +## @param service.annotations Additional custom annotations for Matomo service +## +service: + annotations: {} + type: ClusterIP + port: 80 + ## nodePort: + ## + nodePort: "" + clusterIP: "" + externalTrafficPolicy: Cluster + loadBalancerIP: "" + ## e.g: + ## loadBalancerSourceRanges: + ## - 0.0.0.0/0 + ## + loadBalancerSourceRanges: [] + loadBalancerClass: "" + externalIPs: [] + clusterIPs: [] + ipFamilyPolicy: "" + ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + +## Configure the ingress resource that allows you to access the app +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress record generation + ## + enabled: false + ## @param ingress.pathType Ingress Path type + ## + pathType: 
ImplementationSpecific + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + className: "" + ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + hosts: + - host: chart-example.local + paths: + # You can manually specify the service name and service port if + # required. This could be useful if for exemple you are using the AWS + # ALB Ingress Controller and want to set up automatic SSL redirect. + # https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/tasks/ssl_redirect/#redirect-traffic-from-http-to-https + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + # + # Or you can let the template set it for you. + # Both types of rule can be combined. 
+ # NB: You may also want to set the basePath above + - / + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +## @section Metrics parameters + +## Prometheus Exporter / Metrics +## +metrics: + ## @param metrics.enabled Enable the export of Prometheus metrics + ## + enabled: false + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) + ## + enabled: false + ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## e.g: + ## interval: 10s + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## e.g: + ## scrapeTimeout: 10s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.relabelings Specify general relabeling + ## + relabelings: [] + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + additionalLabels: {} + +## @section Databases parameters + +## PostgreSQL chart configuration +## https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml +## +postgresql: + ## @param postgresql.enabled Whether to deploy a PostgreSQL server to satisfy the applications database requirements + ## To use an external 
database set this to false and configure the externalDatabase parameters + ## + enabled: true + auth: + username: netbox + database: netbox + +## External database configuration +## @param externalDatabase.host Host of the existing database +## @param externalDatabase.port Port of the existing database +## @param externalDatabase.username Existing username in the external db +## @param externalDatabase.password Password for the above username +## @param externalDatabase.database Name of the existing database +## @param externalDatabase.existingSecretName Name of a secret containing the database credentials +## @param externalDatabase.existingSecretKey Key of a secret containing the database credentials +## +externalDatabase: + host: localhost + port: 5432 + database: netbox + username: netbox + password: "" + existingSecretName: "" + existingSecretKey: postgresql-password + + # The following settings also apply when using the bundled PostgreSQL chart: + engine: django.db.backends.postgresql + connMaxAge: 300 + disableServerSideCursors: false + ## @param externalDatabase.options Additional PostgreSQL client parameters + ## Ref: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS + ## + options: + sslmode: "prefer" + target_session_attrs: "read-write" + +## Additional databases configuration +## @param additionalDatabases.*.host Host of the existing database +## @param additionalDatabases.*.port Port of the existing database +## @param additionalDatabases.*.username Existing username in the external db +## @param additionalDatabases.*.password Password for the above username +## @param additionalDatabases.*.database Name of the existing database +## e.g: +## additionalDatabases: +## external2: +## host: localhost +## port: 5432 +## database: netbox +## username: netbox +## password: "" +## engine: django.db.backends.postgresql +## connMaxAge: 300 +## disableServerSideCursors: false +## options: +## sslmode: "prefer" +## 
target_session_attrs: "read-write"
+##
+additionalDatabases: {}
+
+## Valkey chart configuration
+## https://github.com/bitnami/charts/blob/main/bitnami/valkey/values.yaml
+## @param valkey.enabled Whether to deploy a Valkey server to satisfy the applications database requirements
+##
+valkey:
+ enabled: true
+ sentinel:
+ enabled: false
+ primarySet: netbox-kv
+ auth:
+ # Sentinel auth is disabled by default, as Netbox does not support configuring SENTINEL_KWARGS.
+ sentinel: false
+
+tasksDatabase:
+ database: 0
+ ssl: false
+ insecureSkipTlsVerify: false
+ # When defining caCertPath, make sure you mount the secret containing the CA certificate on all the necessary containers
+ caCertPath: ""
+
+ # Used only when valkey.enabled is false. host and port are not used if
+ # sentinels are given.
+ host: netbox-kv
+ port: 6379
+ sentinels: []
+ # - mysentinel:26379
+ sentinelService: netbox-kv
+ sentinelTimeout: 300
+ username: ""
+ password: ""
+ existingSecretName: ""
+ existingSecretKey: tasks-password
+
+cachingDatabase:
+ database: 1
+ ssl: false
+ insecureSkipTlsVerify: false
+ # When defining caCertPath, make sure you mount the secret containing the CA certificate on all the necessary containers
+ caCertPath: ""
+
+ # Used only when valkey.enabled is false. host and port are not used if
+ # sentinels are given.
+ host: netbox-kv + port: 6379 + sentinels: [] + # - mysentinel:26379 + sentinelService: netbox-kv + sentinelTimeout: 300 + username: "" + password: "" + existingSecretName: "" + existingSecretKey: cache-password + +## @section Autoscaling parameters + +## Autoscaling configuration +## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +## @param autoscaling.enabled Enable Horizontal POD autoscaling +## @param autoscaling.minReplicas Minimum number of replicas +## @param autoscaling.maxReplicas Maximum number of replicas +## @param autoscaling.targetCPUUtilizationPercentage Target CPU utilization percentage +## @param autoscaling.targetMemoryUtilizationPercentage Target Memory utilization percentage +## +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +## @section Volume permissions parameters + +## Init Container parameters +## Change the owner and group of the persistent volume mountpoint to 'runAsUser:fsGroup' +## values from the securityContext section. +## +init: + ## @param init.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param init.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image name + ## @param init.image.tag Init container volume-permissions image tag + ## @param init.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param init.image.pullPolicy Init container volume-permissions image pull policy + ## @param init.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: busybox + tag: 1.37.0 + digest: "" + ## Specify a imagePullPolicy. 
Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param init.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if init.resources is set (init.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param init.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init container' Security Context + ## Note: the chown of the data folder is done to securityContext.runAsUser + ## and not the below init.securityContext.runAsUser + ## @param init.securityContext.enabled Enabled containers' Security Context + ## @param init.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param init.securityContext.runAsUser User ID for the init container + ## @param init.securityContext.runAsGroup Group ID for the init container + ## @param init.securityContext.runAsNonRoot runAsNonRoot for the init container + ## @param init.securityContext.seccompProfile.type seccompProfile.type for the init container + ## + securityContext: + 
enabled: true + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + +## @section Test parameters + +test: + ## @param test.image.registry [default: REGISTRY_NAME] test container volume-permissions image registry + ## @param test.image.repository [default: REPOSITORY_NAME/os-shell] test container volume-permissions image name + ## @param test.image.tag test container volume-permissions image tag + ## @param test.image.digest test container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param test.image.pullPolicy test container volume-permissions image pull policy + ## @param test.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: busybox + tag: 1.37.0 + digest: "" + ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## test container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param test.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if test.resources is set (test.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param test.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## test container' Security Context + ## Note: the chown of the data folder is done to securityContext.runAsUser + ## and not the below test.securityContext.runAsUser + ## @param test.securityContext.enabled Enabled containers' Security Context + ## @param test.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param test.securityContext.runAsUser User ID for the test container + ## @param test.securityContext.runAsGroup Group ID for the test container + ## @param test.securityContext.runAsNonRoot runAsNonRoot for the test container + ## @param test.securityContext.seccompProfile.type seccompProfile.type for the test container + ## + securityContext: + enabled: false + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + +## @section Cron housekeeping job parameters + +## Configuration of Cron settings +## +housekeeping: + ## @param housekeeping.enabled Enable housekeeping job + ## + enabled: true + ## @param housekeeping.schedule Schedule in Cron format to save snapshots + ## See https://en.wikipedia.org/wiki/Cron + ## + schedule: "0 0 * * *" + ## @param housekeeping.timezone Set time zone for cron job + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones + ## + timezone: "" + ## @param housekeeping.historyLimit Number of successful finished jobs to retain + ## + successfulJobsHistoryLimit: 5 + ## @param 
housekeeping.failedHistoryLimit Number of failed finished jobs to retain + ## + failedJobsHistoryLimit: 5 + ## @param housekeeping.command The command to execute in the housekeeping job + ## To append another command, e.g. in order to shut down a DB sidecar container, use something like + ## - /bin/bash + ## - -c + ## - > + ## /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py housekeeping + ## && curl -X POST http://localhost:9190/quitquitquit" + ## + command: + - /opt/netbox/venv/bin/python + - /opt/netbox/netbox/manage.py + - housekeeping + ## @param housekeeping.args Override default housekeeping args + ## + args: [] + ## @param housekeeping.podAnnotations Pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## K8s Security Context for Housekeeping Cronjob pods + ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param housekeeping.podSecurityContext.enabled Enable security context for InfluxDB™ housekeeping pods + ## @param housekeeping.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param housekeeping.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param housekeeping.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param housekeeping.podSecurityContext.fsGroup Group ID for the InfluxDB™ filesystem + ## + podSecurityContext: + enabled: true + fsGroup: 1000 + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + ## K8s Security Context for Housekeeping Cronjob containers + ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param housekeeping.securityContext.enabled Enabled containers' Security Context + ## @param housekeeping.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param housekeeping.securityContext.runAsUser Set containers' Security Context runAsUser + ## @param 
housekeeping.securityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param housekeeping.securityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param housekeeping.securityContext.privileged Set container's Security Context privileged + ## @param housekeeping.securityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param housekeeping.securityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param housekeeping.securityContext.capabilities.drop List of capabilities to be dropped + ## @param housekeeping.securityContext.seccompProfile.type Set container's Security Context seccomp profile + securityContext: + enabled: true + seLinuxOptions: {} + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + ## @param housekeeping.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if influxdb.resources is set (influxdb.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param housekeeping.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param housekeeping.readOnlyPersistence Whether to mount media, script, and report directories as read-only + ## + readOnlyPersistence: false + ## @param housekeeping.extraEnvs Extra environment variables to be set on containers + ## E.g: + ## extraEnvs: + ## - name: FOO + ## valueFrom: + ## secretKeyRef: + ## key: FOO + ## name: secret-resource + extraEnvs: [] + ## @param housekeeping.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for housekeeping containers + ## + extraEnvVarsCM: "" + ## @param housekeeping.extraEnvVarsSecret Name of existing Secret containing extra env vars for housekeeping containers + ## + extraEnvVarsSecret: "" + ## @param housekeeping.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` + ## e.g: + ## extraVolumes: + ## - name: kv-ca + ## secret: + ## secretName: kv-ca + ## + extraVolumes: [] + ## @param housekeeping.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. 
+ ## e.g: + ## extraVolumeMounts: + ## - name: kv-ca + ## mountPath: /tmp/kv-ca + ## subPath: kv_ca + ## readOnly: true + ## + extraVolumeMounts: [] + ## @param housekeeping.sidecars Add additional sidecar containers to the pod + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param housekeeping.initContainers Add additional init containers to the pods + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "init"'] + ## + initContainers: [] + ## @param housekeeping.affinity Housekeeping™ Affinity for housekeeping pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param housekeeping.nodeSelector Housekeeping™ Node labels for housekeeping pod assignment + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param housekeeping.tolerations Housekeeping™ Tolerations for housekeeping pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param housekeeping.podLabels Extra labels for pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param housekeeping.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + concurrencyPolicy: Forbid + restartPolicy: OnFailure + suspend: false + +## @section Worker for Netbox parameters + +## Worker for Netbox +## Only required for Netbox Jobs, e.g. 
Webhooks +## +worker: + ## @param worker.enabled Enable worker job + ## + enabled: true + ## @param worker.command The command to execute in the worker container + ## + command: + - /opt/netbox/venv/bin/python + - /opt/netbox/netbox/manage.py + - rqworker + ## @param worker.args Override worker container args + ## + args: [] + ## @param worker.replicaCount Number of replicas to deploy + ## NOTE: ReadWriteMany PVC(s) are required if replicaCount > 1 + ## + replicaCount: 1 + ## Configure PodDisruptionBudget for worker pods + ## @param worker.pdb.enabled Enable PodDisruptionBudget for worker pods + ## @param worker.pdb.minAvailable Minimum number/percentage of pods that must be available + ## @param worker.pdb.maxUnavailable Maximum number/percentage of pods that can be unavailable + ## If neither minAvailable nor maxUnavailable is set, a sensible default is applied: + ## - Single replica: minAvailable: 1 + ## - Multiple replicas or HPA enabled: minAvailable: 50% + pdb: + enabled: false + minAvailable: "" + maxUnavailable: "" + ## @param worker.podLabels Extra labels for pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param worker.podAnnotations Pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## K8s Security Context for worker pods + ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param worker.podSecurityContext.enabled Enable security context for InfluxDB™ housekeeping pods + ## @param worker.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param worker.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param worker.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param worker.podSecurityContext.fsGroup Group ID for the InfluxDB™ filesystem + ## + podSecurityContext: + enabled: true + fsGroup: 1000 + 
fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + ## K8s Security Context for worker containers + ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param worker.securityContext.enabled Enabled containers' Security Context + ## @param worker.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param worker.securityContext.runAsUser Set containers' Security Context runAsUser + ## @param worker.securityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param worker.securityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param worker.securityContext.privileged Set container's Security Context privileged + ## @param worker.securityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param worker.securityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param worker.securityContext.capabilities.drop List of capabilities to be dropped + ## @param worker.securityContext.seccompProfile.type Set container's Security Context seccomp profile + securityContext: + enabled: true + seLinuxOptions: {} + seccompProfile: + type: "RuntimeDefault" + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + ## @param worker.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if influxdb.resources is set (influxdb.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "none"
+ ## @param worker.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## @param worker.readOnlyPersistence Whether to mount media, script, and report directories as read-only
+ ##
+ readOnlyPersistence: false
+ ## @param worker.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: true
+ ## @param worker.affinity Affinity for worker pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param worker.nodeSelector Node labels for worker pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+ ##
+ nodeSelector: {}
+ ## @param worker.tolerations Tolerations for worker pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param worker.priorityClassName Pods' priorityClassName
+ ##
+ priorityClassName: ""
+ ## @param worker.schedulerName Name of the k8s scheduler (other than default) for pods
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param worker.terminationGracePeriodSeconds Seconds pods need to terminate gracefully
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+ ##
+ terminationGracePeriodSeconds:
+ ## @param worker.topologySpreadConstraints Topology Spread Constraints for pod assignment
+ ## 
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## The value is evaluated as a template. + ## e.g: + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: topology.kubernetes.io/zone + ## whenUnsatisfiable: DoNotSchedule + ## labelSelector: + ## matchLabels: + ## "app.kubernetes.io/component": netbox + ## "app.kubernetes.io/name": netbox + ## + topologySpreadConstraints: [] + ## @param worker.hostAliases [array] Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param worker.updateStrategy.type Deployment strategy type + ## @param worker.updateStrategy.rollingUpdate Deployment rolling update configuration parameters + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## NOTE: Set it to `Recreate` if you use a PV that cannot be mounted on multiple pods + ## e.g: + ## updateStrategy: + ## type: RollingUpdate + ## rollingUpdate: + ## maxSurge: 25% + ## maxUnavailable: 25% + ## + updateStrategy: + type: RollingUpdate + ## Autoscaling configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + ## @param worker.autoscaling.enabled Enable Horizontal POD autoscaling + ## @param worker.autoscaling.minReplicas Minimum number of replicas + ## @param worker.autoscaling.maxReplicas Maximum number of replicas + ## @param worker.autoscaling.targetCPUUtilizationPercentage Target CPU utilization percentage + ## @param worker.autoscaling.targetMemoryUtilizationPercentage Target Memory utilization percentage + ## + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + ## @param worker.extraEnvs Extra environment variables to be set on containers + ## E.g: + ## extraEnvs: + ## - name: FOO + ## valueFrom: + ## secretKeyRef: + ## key: FOO + ## name: 
secret-resource + extraEnvs: [] + ## @param worker.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for worker containers + ## + extraEnvVarsCM: "" + ## @param worker.extraEnvVarsSecret Name of existing Secret containing extra env vars for worker containers + ## + extraEnvVarsSecret: "" + ## @param worker.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` + ## e.g: + ## extraVolumes: + ## - name: kv-ca + ## secret: + ## secretName: kv-ca + ## + extraVolumes: [] + ## @param worker.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. + ## e.g: + ## extraVolumeMounts: + ## - name: kv-ca + ## mountPath: /tmp/kv-ca + ## subPath: kv_ca + ## readOnly: true + ## + extraVolumeMounts: [] + ## @param worker.sidecars Add additional sidecar containers to the pod + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param worker.initContainers Add additional init containers to the pods + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "init"'] + ## + initContainers: [] + ## Init containers parameters: + ## wait-for-backend: Wait for NetBox backend before running workers + ## + waitForBackend: + ## @param waitForBackend.enabled Wait for NetBox backend before running workers + ## + enabled: true + ## @param waitForBackend.image.registry [default: REGISTRY_NAME] Init container wait-for-backend image registry + ## @param waitForBackend.image.repository [default: REPOSITORY_NAME/kubectl] Init container wait-for-backend image name + ## @param waitForBackend.image.tag Init container wait-for-backend image 
tag + ## @param waitForBackend.image.digest Init container wait-for-backend image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param waitForBackend.image.pullPolicy Init container wait-for-backend image pull policy + ## @param waitForBackend.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: rancher/kubectl + tag: v1.34.1 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param waitForBackend.command The command to execute in the wait-for-backend container + ## + command: + - /bin/kubectl + ## @param waitForBackend.args Override wait-for-backend container args + ## + args: + - rollout + - status + - deployment + - "$(DEPLOYMENT_NAME)" + ## waitForBackend containers' Security Context (init container). 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param waitForBackend.containerSecurityContext.enabled Enabled containers' Security Context + ## @param waitForBackend.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param waitForBackend.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param waitForBackend.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param waitForBackend.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param waitForBackend.containerSecurityContext.privileged Set container's Security Context privileged + ## @param waitForBackend.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param waitForBackend.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param waitForBackend.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param waitForBackend.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Init container resource requests and limits. + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. 
If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param waitForBackend.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if waitForBackend.resources is set (waitForBackend.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "nano"
+ ## @param waitForBackend.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+
diff --git a/nextcloud/main.yaml b/nextcloud/main.yaml
index ad14c5c..760a7af 100644
--- a/nextcloud/main.yaml
+++ b/nextcloud/main.yaml
@@ -85,8 +85,8 @@ metadata:
 app.kubernetes.io/instance: nextcloud
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: nextcloud
- app.kubernetes.io/version: 31.0.8
- helm.sh/chart: nextcloud-8.0.1
+ app.kubernetes.io/version: 32.0.0
+ helm.sh/chart: nextcloud-8.4.0
 name: nextcloud
 spec:
 ports:
@@ -133,8 +133,8 @@ metadata:
 app.kubernetes.io/instance: nextcloud
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: nextcloud
- app.kubernetes.io/version: 31.0.8
- helm.sh/chart: nextcloud-8.0.1
+ app.kubernetes.io/version: 32.0.0
+ helm.sh/chart: nextcloud-8.4.0
 name: nextcloud-nextcloud
 spec:
 accessModes:
@@ -152,8 +152,8 @@ metadata:
 app.kubernetes.io/instance: nextcloud
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: nextcloud
- app.kubernetes.io/version: 31.0.8
- helm.sh/chart: nextcloud-8.0.1
+ app.kubernetes.io/version: 32.0.0
+ helm.sh/chart: nextcloud-8.4.0
 name: nextcloud
 spec:
 replicas: 1
@@ -205,7 +205,7 @@ spec:
 value: cloud.borninpain.de
 - name: NEXTCLOUD_DATA_DIR
 value: /var/www/html/data
- image: nextcloud:31.0.8-apache
+ image: nextcloud:32.0.0-apache
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 3
@@ -290,7 +290,7 @@ spec:
 value: cloud.borninpain.de
 - name: NEXTCLOUD_DATA_DIR
 value: /var/www/html/data
- image: nextcloud:31.0.8-apache
+ image: nextcloud:32.0.0-apache
 imagePullPolicy: IfNotPresent
 name: nextcloud-cron
 resources: {}
@@ -636,6 +636,51 @@ spec:
 app.kubernetes.io/instance: nextcloud
 app.kubernetes.io/name: postgresql
 ---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ helm.sh/hook: test
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ app.kubernetes.io/component: database-ping-test
+ name: cnpg-nextcloud-cluster-ping-test
+ namespace: nextcloud
+spec:
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: database-ping-test
+ name: cnpg-nextcloud-cluster-ping-test
+ spec:
+ containers:
+ - args:
+ - -c
+ - apk add postgresql-client && psql "postgresql://$PGUSER:$PGPASS@cnpg-nextcloud-cluster-rw.nextcloud.svc.cluster.local:5432/${PGDBNAME:-$PGUSER}" -c 'SELECT 1'
+ command:
+ - sh
+ env:
+ - name: PGUSER
+ valueFrom:
+ secretKeyRef:
+ key: username
+ name: cnpg-nextcloud-cluster-app
+ - name: PGPASS
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: cnpg-nextcloud-cluster-app
+ - name: PGDBNAME
+ valueFrom:
+ secretKeyRef:
+ key: dbname
+ name: cnpg-nextcloud-cluster-app
+ optional: true
+ image: alpine:3.17
+ name: alpine
+ restartPolicy: Never
+---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
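Review bot: The database password is expanded into psql's connection URL on the `args` line (`postgresql://$PGUSER:$PGPASS@…`), so it lands in the psql process's argv and is readable in the pod's process list and by anything that records container command lines. psql (libpq) reads `PGPASSWORD` from the environment, so renaming the env entry `- name: PGPASS` to `- name: PGPASSWORD` and dropping the `:$PGPASS` part from the URL keeps the secret out of the command line; since main.yaml is rendered output, that change belongs in the chart's test template or in a kustomize patch over it rather than in this file. Separately, `helm.sh/hook: test` is only honoured by `helm test` — if this manifest is applied directly from the kustomize output, the Job presumably runs on every apply and performs an `apk add` from the network at runtime — and `alpine:3.17` is past its upstream support window, so a pinned image that already ships `psql` would be preferable.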
@@ -662,3 +707,42 @@ spec:
 policyTypes:
 - Ingress
 - Egress
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ labels:
+ app.kubernetes.io/instance: cnpg-nextcloud
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: cluster
+ app.kubernetes.io/part-of: cloudnative-pg
+ helm.sh/chart: cluster-0.3.1
+ name: cnpg-nextcloud-cluster
+ namespace: nextcloud
+spec:
+ affinity:
+ topologyKey: kubernetes.io/hostname
+ bootstrap:
+ initdb:
+ database: nextcloud
+ owner: nextcloud
+ enablePDB: true
+ enableSuperuserAccess: true
+ imageName: ghcr.io/cloudnative-pg/postgresql:17
+ imagePullPolicy: IfNotPresent
+ instances: 3
+ logLevel: info
+ monitoring:
+ disableDefaultQueries: false
+ enablePodMonitor: false
+ postgresGID: 26
+ postgresUID: 26
+ postgresql: null
+ primaryUpdateMethod: switchover
+ primaryUpdateStrategy: unsupervised
+ storage:
+ size: 10Gi
+ storageClass: openebs-hostpath
+ walStorage:
+ size: 1Gi
+ storageClass: openebs-hostpath
diff --git a/nextcloud/src/kustomization.yaml b/nextcloud/src/kustomization.yaml
index 00f3d74..f187108 100644
--- a/nextcloud/src/kustomization.yaml
+++ b/nextcloud/src/kustomization.yaml
@@ -5,8 +5,16 @@ kind: Kustomization
 helmCharts:
 - name: nextcloud
 repo: https://nextcloud.github.io/helm/
- version: 8.0.1
+ version: 8.4.0
 releaseName: nextcloud
 includeCRDs: true
 namespace: nextcloud
- valuesFile: values.yaml
\ No newline at end of file
+ valuesFile: values.yaml
+
+ - name: cluster
+ repo: https://cloudnative-pg.github.io/charts
+ version: 0.3.1
+ releaseName: cnpg-nextcloud
+ includeCRDs: true
+ namespace: nextcloud
+ valuesFile: values-cnpg.yaml
diff --git a/nextcloud/src/values-cnpg.yaml b/nextcloud/src/values-cnpg.yaml
new file mode 100644
index 0000000..8d6c650
--- /dev/null
+++ b/nextcloud/src/values-cnpg.yaml
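Review bot: `enableSuperuserAccess: true` on the new Cluster makes the operator keep a password-bearing superuser Secret for a database that only Nextcloud uses, while Nextcloud itself authenticates with the `cnpg-nextcloud-cluster-app` credentials rather than the superuser. The operator's own default for this field is false, in which case the `postgres` role's password is set to NULL and password login as the superuser is not possible; unless something in this deployment needs that Secret, set `cluster.enableSuperuserAccess: false` in nextcloud/src/values-cnpg.yaml (the same value appears there in this commit) and re-render main.yaml. With that, the only password material the cluster exposes is the per-application Secret the Job above already consumes.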
@@ -0,0 +1,503 @@ +# -- Override the name of the chart +nameOverride: "" +# -- Override the full name of the chart +fullnameOverride: "" +# -- Override the namespace of the chart +namespaceOverride: "" + +### +# -- Type of the CNPG database. Available types: +# * `postgresql` +# * `postgis` +# * `timescaledb` +type: postgresql + +version: + # -- PostgreSQL major version to use + postgresql: "17" + # -- If using TimescaleDB, specify the version + timescaledb: "2.15" + # -- If using PostGIS, specify the version + postgis: "3.4" + +### +# -- Cluster mode of operation. Available modes: +# * `standalone` - default mode. Creates new or updates an existing CNPG cluster. +# * `replica` - Creates a replica cluster from an existing CNPG cluster. # TODO +# * `recovery` - Same as standalone but creates a cluster from a backup, object store or via pg_basebackup. +mode: standalone + +recovery: + ## + # -- Available recovery methods: + # * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace. + # * `object_store` - Recovers a CNPG cluster from a barman object store (PITR supported). + # * `pg_basebackup` - Recovers a CNPG cluster viaa streaming replication protocol. Useful if you want to + # migrate databases to CloudNativePG, even from outside Kubernetes. + # * `import` - Import one or more databases from an existing Postgres cluster. + method: backup + + ## -- Point in time recovery target. Specify one of the following: + pitrTarget: + # -- Time in RFC3339 format + time: "" + + ## + # -- Backup Recovery Method + backupName: "" # Name of the backup to recover from. Required if method is `backup`. + + ## + # -- The original cluster name when used in backups. Also known as serverName. + clusterName: "" + # -- Name of the database used by the application. Default: `app`. + database: app + # -- Name of the owner of the database in the instance to be used by applications. 
Defaults to the value of the `database` key. + owner: "" + # -- Overrides the provider specific default endpoint. Defaults to: + # S3: https://s3..amazonaws.com" + # Leave empty if using the default S3 endpoint + endpointURL: "" + # -- Specifies a CA bundle to validate a privately signed certificate. + endpointCA: + # -- Creates a secret with the given value if true, otherwise uses an existing secret. + create: false + name: "" + key: "" + value: "" + # -- Overrides the provider specific default path. Defaults to: + # S3: s3:// + # Azure: https://..core.windows.net/ + # Google: gs:// + destinationPath: "" + # -- One of `s3`, `azure` or `google` + provider: s3 + s3: + region: "" + bucket: "" + path: "/" + accessKey: "" + secretKey: "" + # -- Use the role based authentication without providing explicitly the keys + inheritFromIAMRole: false + azure: + path: "/" + connectionString: "" + storageAccount: "" + storageKey: "" + storageSasToken: "" + containerName: "" + serviceName: blob + inheritFromAzureAD: false + google: + path: "/" + bucket: "" + gkeEnvironment: false + applicationCredentials: "" + secret: + # -- Whether to create a secret for the backup credentials + create: true + # -- Name of the backup credentials secret + name: "" + + # See https://cloudnative-pg.io/documentation/1.22/bootstrap/#bootstrap-from-a-live-cluster-pg_basebackup + pgBaseBackup: + # -- Name of the database used by the application. Default: `app`. + database: app + # -- Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch + secret: "" + # -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. 
+ owner: "" + source: + host: "" + port: 5432 + username: "" + database: "app" + sslMode: "verify-full" + passwordSecret: + # -- Whether to create a secret for the password + create: false + # -- Name of the secret containing the password + name: "" + # -- The key in the secret containing the password + key: "password" + # -- The password value to use when creating the secret + value: "" + sslKeySecret: + name: "" + key: "" + sslCertSecret: + name: "" + key: "" + sslRootCertSecret: + name: "" + key: "" + + # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-Import + import: + # -- One of `microservice` or `monolith.` + # See: https://cloudnative-pg.io/documentation/current/database_import/#how-it-works + type: "microservice" + # -- Databases to import + databases: [] + # -- Roles to import + roles: [] + # -- List of SQL queries to be executed as a superuser in the application database right after is imported. + # To be used with extreme care. Only available in microservice type. + postImportApplicationSQL: [] + # -- When set to true, only the pre-data and post-data sections of pg_restore are invoked, avoiding data import. + schemaOnly: false + # -- List of custom options to pass to the `pg_dump` command. IMPORTANT: Use these options with caution and at your + # own risk, as the operator does not validate their content. Be aware that certain options may conflict with the + # operator's intended functionality or design. + pgDumpExtraOptions: [] + # -- List of custom options to pass to the `pg_restore` command. IMPORTANT: Use these options with caution and at + # your own risk, as the operator does not validate their content. Be aware that certain options may conflict with the + # operator's intended functionality or design. 
+ pgRestoreExtraOptions: [] + source: + host: "" + port: 5432 + username: "" + database: "" + sslMode: "verify-full" + passwordSecret: + # -- Whether to create a secret for the password + create: false + # -- Name of the secret containing the password + name: "" + # -- The key in the secret containing the password + key: "password" + # -- The password value to use when creating the secret + value: "" + sslKeySecret: + name: "" + key: "" + sslCertSecret: + name: "" + key: "" + sslRootCertSecret: + name: "" + key: "" + + +cluster: + # -- Number of instances + instances: 3 + + # -- Name of the container image, supporting both tags (:) and digests for deterministic and repeatable deployments: + # :@sha256: + imageName: "" # Default value depends on type (postgresql/postgis/timescaledb) + + # -- Reference to `ImageCatalog` of `ClusterImageCatalog`, if specified takes precedence over `cluster.imageName` + imageCatalogRef: {} + # kind: ImageCatalog + # name: postgresql + + # -- Image pull policy. One of Always, Never or IfNotPresent. If not defined, it defaults to IfNotPresent. Cannot be updated. + # More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + imagePullPolicy: IfNotPresent + + # -- The list of pull secrets to be used to pull the images. + # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-LocalObjectReference + imagePullSecrets: [] + + storage: + size: 10Gi + storageClass: "openebs-hostpath" + + walStorage: + enabled: true + size: 1Gi + storageClass: "openebs-hostpath" + + # -- The UID of the postgres user inside the image, defaults to 26 + postgresUID: -1 + + # -- The GID of the postgres user inside the image, defaults to 26 + postgresGID: -1 + + # -- Customization of service definitions. Please refer to https://cloudnative-pg.io/documentation/1.24/service_management/ + services: {} + + # -- Resources requirements of every generated Pod. 
+ # Please refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for more information. + # We strongly advise you use the same setting for limits and requests so that your cluster pods are given a Guaranteed QoS. + # See: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/ + resources: {} + # limits: + # cpu: 2000m + # memory: 8Gi + # requests: + # cpu: 2000m + # memory: 8Gi + + priorityClassName: "" + + # -- Method to follow to upgrade the primary server during a rolling update procedure, after all replicas have been + # successfully updated. It can be switchover (default) or restart. + primaryUpdateMethod: switchover + + # -- Strategy to follow to upgrade the primary server during a rolling update procedure, after all replicas have been + # successfully updated: it can be automated (unsupervised - default) or manual (supervised) + primaryUpdateStrategy: unsupervised + + # -- The instances' log level, one of the following values: error, warning, info (default), debug, trace + logLevel: "info" + + # -- Affinity/Anti-affinity rules for Pods. + # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration + affinity: + topologyKey: kubernetes.io/hostname + + # -- The configuration for the CA and related certificates. + # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-CertificatesConfiguration + certificates: {} + + # -- When this option is enabled, the operator will use the SuperuserSecret to update the postgres user password. + # If the secret is not present, the operator will automatically create one. + # When this option is disabled, the operator will ignore the SuperuserSecret content, delete it when automatically created, + # and then blank the password of the postgres user by setting it to NULL. 
+ enableSuperuserAccess: true + superuserSecret: "" + + # -- Allow to disable PDB, mainly useful for upgrade of single-instance clusters or development purposes + # See: https://cloudnative-pg.io/documentation/current/kubernetes_upgrade/#pod-disruption-budgets + enablePDB: true + + # -- This feature enables declarative management of existing roles, as well as the creation of new roles if they are not + # already present in the database. + # See: https://cloudnative-pg.io/documentation/current/declarative_role_management/ + roles: [] + # - name: dante + # ensure: present + # comment: Dante Alighieri + # login: true + # superuser: false + # inRoles: + # - pg_monitor + # - pg_signal_backend + + monitoring: + # -- Whether to enable monitoring + enabled: false + podMonitor: + # -- Whether to enable the PodMonitor + enabled: true + # --The list of relabelings for the PodMonitor. + # Applied to samples before scraping. + relabelings: [] + # -- The list of metric relabelings for the PodMonitor. + # Applied to samples before ingestion. + metricRelabelings: [] + prometheusRule: + # -- Whether to enable the PrometheusRule automated alerts + enabled: true + # -- Exclude specified rules + excludeRules: [] + # - CNPGClusterZoneSpreadWarning + # -- Whether the default queries should be injected. + # Set it to true if you don't want to inject default queries into the cluster. 
+ disableDefaultQueries: false + # -- Custom Prometheus metrics + # Will be stored in the ConfigMap + customQueries: [] + # - name: "pg_cache_hit_ratio" + # query: "SELECT current_database() as datname, sum(heap_blks_hit) / (sum(heap_blks_hit) + sum(heap_blks_read)) as ratio FROM pg_statio_user_tables;" + # metrics: + # - datname: + # usage: "LABEL" + # description: "Name of the database" + # - ratio: + # usage: GAUGE + # description: "Cache hit ratio" + # -- The list of secrets containing the custom queries + customQueriesSecret: [] + # - name: custom-queries-secret + # key: custom-queries + + postgresql: + # -- PostgreSQL configuration options (postgresql.conf) + parameters: {} + # max_connections: 300 + # -- Quorum-based Synchronous Replication + synchronous: {} + # method: any + # number: 1 + # -- PostgreSQL Host Based Authentication rules (lines to be appended to the pg_hba.conf file) + pg_hba: [] + # - host all all 10.244.0.0/16 md5 + # -- PostgreSQL User Name Maps rules (lines to be appended to the pg_ident.conf file) + pg_ident: [] + # - mymap /^(.*)@mydomain\.com$ \1 + # -- Lists of shared preload libraries to add to the default ones + shared_preload_libraries: [] + # - pgaudit + # -- PostgreSQL LDAP configuration (see https://cloudnative-pg.io/documentation/current/postgresql_conf/#ldap-configuration) + ldap: {} + # https://cloudnative-pg.io/documentation/1.24/postgresql_conf/#ldap-configuration + # server: 'openldap.default.svc.cluster.local' + # bindSearchAuth: + # baseDN: 'ou=org,dc=example,dc=com' + # bindDN: 'cn=admin,dc=example,dc=com' + # bindPassword: + # name: 'ldapBindPassword' + # key: 'data' + # searchAttribute: 'uid' + + + # -- BootstrapInitDB is the configuration of the bootstrap process when initdb is used. 
+ # See: https://cloudnative-pg.io/documentation/current/bootstrap/ + # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-bootstrapinitdb + initdb: + database: nextcloud + owner: nextcloud # Defaults to the database name + # secret: + # name: "" # Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch + # options: [] + # encoding: UTF8 + # postInitSQL: + # - CREATE EXTENSION IF NOT EXISTS vector; + # postInitApplicationSQL: [] + # postInitTemplateSQL: [] + + # -- Configure the metadata of the generated service account + serviceAccountTemplate: {} + + additionalLabels: {} + annotations: {} + + +backups: + # -- You need to configure backups manually, so backups are disabled by default. + enabled: false + + # -- Overrides the provider specific default endpoint. Defaults to: + # S3: https://s3..amazonaws.com" + endpointURL: "" # Leave empty if using the default S3 endpoint + # -- Specifies a CA bundle to validate a privately signed certificate. + endpointCA: + # -- Creates a secret with the given value if true, otherwise uses an existing secret. + create: false + name: "" + key: "" + value: "" + + # -- Overrides the provider specific default path. 
Defaults to: + # S3: s3:// + # Azure: https://..core.windows.net/ + # Google: gs:// + destinationPath: "" + # -- One of `s3`, `azure` or `google` + provider: s3 + s3: + region: "" + bucket: "" + path: "/" + accessKey: "" + secretKey: "" + # -- Use the role based authentication without providing explicitly the keys + inheritFromIAMRole: false + azure: + path: "/" + connectionString: "" + storageAccount: "" + storageKey: "" + storageSasToken: "" + containerName: "" + serviceName: blob + inheritFromAzureAD: false + google: + path: "/" + bucket: "" + gkeEnvironment: false + applicationCredentials: "" + secret: + # -- Whether to create a secret for the backup credentials + create: true + # -- Name of the backup credentials secret + name: "" + + wal: + # -- WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`. + compression: gzip + # -- Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`. + encryption: AES256 + # -- Number of WAL files to be archived or restored in parallel. + maxParallel: 1 + data: + # -- Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`. + compression: gzip + # -- Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`. + encryption: AES256 + # -- Number of data files to be archived or restored in parallel. + jobs: 2 + + scheduledBackups: + - + # -- Scheduled backup name + name: daily-backup + # -- Schedule in cron format + schedule: "0 0 0 * * *" + # -- Backup owner reference + backupOwnerReference: self + # -- Backup method, can be `barmanObjectStore` (default) or `volumeSnapshot` + method: barmanObjectStore + + # -- Retention policy for backups + retentionPolicy: "30d" + +imageCatalog: + # -- Whether to provision an image catalog. If imageCatalog.images is empty this option will be ignored. 
+ create: true + # -- List of images to be provisioned in an image catalog. + images: [] + # - image: ghcr.io/your_repo/your_image:your_tag + # major: 16 + +# -- List of PgBouncer poolers +poolers: [] + # - + # # -- Pooler name + # name: rw + # # -- PgBouncer type of service to forward traffic to. + # type: rw + # # -- PgBouncer pooling mode + # poolMode: transaction + # # -- Number of PgBouncer instances + # instances: 3 + # # -- PgBouncer configuration parameters + # parameters: + # max_client_conn: "1000" + # default_pool_size: "25" + # monitoring: + # # -- Whether to enable monitoring + # enabled: false + # podMonitor: + # # -- Whether to enable the PodMonitor + # enabled: true + # # -- Custom PgBouncer deployment template. + # # Use to override image, specify resources, etc. + # template: {} + # - + # # -- Pooler name + # name: ro + # # -- PgBouncer type of service to forward traffic to. + # type: ro + # # -- PgBouncer pooling mode + # poolMode: transaction + # # -- Number of PgBouncer instances + # instances: 3 + # # -- PgBouncer configuration parameters + # parameters: + # max_client_conn: "1000" + # default_pool_size: "25" + # monitoring: + # # -- Whether to enable monitoring + # enabled: false + # podMonitor: + # # -- Whether to enable the PodMonitor + # enabled: true + # # -- Custom PgBouncer deployment template. + # # Use to override image, specify resources, etc. + # template: {} +
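Review bot: `backups.enabled: false` leaves the Nextcloud database with no backup at all: the `daily-backup` entry under `scheduledBackups` and `retentionPolicy: "30d"` further down are inert until it is enabled, and with both `storage` and `walStorage` on `openebs-hostpath` (hostpath-backed, i.e. node-local volumes) the three instances are the only copies of the data. If backups are deliberately deferred, say so next to the flag, e.g. `# TODO: point backups at an object store (s3/azure/google) and enable before production use`; otherwise fill in `destinationPath` and the provider credentials and set `enabled: true`. The `wal.encryption`/`data.encryption: AES256` settings only take effect once a provider is configured, so they should not be read as the database being encrypted today.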