OPSEXP-2878 Add alfresco-audit-storage chart

helm/alfresco-content-services/7.1.N_values.yaml

@@ -86,6 +86,12 @@ alfresco-connector-ms365:
     tag: 1.1.1
 alfresco-control-center:
   enabled: false
+elasticsearch-audit:
+  enabled: false
+kibana-audit:
+  enabled: false
+alfresco-audit-storage:
+  enabled: false
 global:
   search:
     securecomms: none

helm/alfresco-content-services/7.2.N_values.yaml

@@ -85,6 +85,12 @@ alfresco-connector-ms365:
 alfresco-connector-msteams:
   image:
     tag: 1.1.0
+elasticsearch-audit:
+  enabled: false
+kibana-audit:
+  enabled: false
+alfresco-audit-storage:
+  enabled: false
 dtas:
   config:
     assertions:

helm/alfresco-content-services/7.3.N_values.yaml

@@ -85,6 +85,12 @@ alfresco-connector-ms365:
 alfresco-connector-msteams:
   image:
     tag: 1.1.0
+elasticsearch-audit:
+  enabled: false
+kibana-audit:
+  enabled: false
+alfresco-audit-storage:
+  enabled: false
 dtas:
   config:
     assertions:

helm/alfresco-content-services/7.4.N_values.yaml

@@ -85,6 +85,12 @@ alfresco-connector-ms365:
 alfresco-connector-msteams:
   image:
     tag: 2.0.3
+elasticsearch-audit:
+  enabled: false
+kibana-audit:
+  enabled: false
+alfresco-audit-storage:
+  enabled: false
 dtas:
   config:
     assertions:

helm/alfresco-content-services/Chart.lock

@@ -47,5 +47,14 @@ dependencies:
 - name: elasticsearch
   repository: https://helm.elastic.co
   version: 7.17.3
-digest: sha256:e9fa4ecf744e6ce00def5a2a5381534d01ef4ae588381873b6e2280afdc2a537
-generated: "2024-10-04T08:55:25.325896143Z"
+- name: elasticsearch
+  repository: https://helm.elastic.co
+  version: 7.17.3
+- name: kibana
+  repository: https://helm.elastic.co
+  version: 7.17.3
+- name: alfresco-audit-storage
+  repository: https://alfresco.github.io/alfresco-helm-charts/
+  version: 0.1.0-alpha.0
+digest: sha256:4fc74b1a623e89f47c0033e969ed1fe0f1196142f03445585b09858a5670ac14
+generated: "2024-10-18T10:39:17.693592+02:00"

helm/alfresco-content-services/Chart.yaml

@@ -4,7 +4,7 @@
 # https://www.alfresco.com/platform/content-services-ecm/trial/download
 apiVersion: v2
 name: alfresco-content-services
-version: 8.5.2
+version: 8.6.0-alpha.0
 appVersion: 23.3.2
 description: A Helm chart for deploying Alfresco Content Services
 keywords:
@@ -85,4 +85,18 @@ dependencies:
     repository: https://helm.elastic.co
     version: 7.17.3
     condition: elasticsearch.enabled
+  - name: elasticsearch
+    alias: elasticsearch-audit
+    repository: https://helm.elastic.co
+    version: 7.17.3
+    condition: elasticsearch-audit.enabled
+  - name: kibana
+    alias: kibana-audit
+    repository: https://helm.elastic.co
+    version: 7.17.3
+    condition: kibana-audit.enabled
+  - name: alfresco-audit-storage
+    version: 0.1.0-alpha.0
+    repository: https://alfresco.github.io/alfresco-helm-charts/
+    condition: alfresco-audit-storage.enabled
 icon: https://avatars0.githubusercontent.com/u/391127?s=200&v=4

helm/alfresco-content-services/README.md

@@ -6,7 +6,7 @@ grand_parent: Helm
 
 # alfresco-content-services
 
-![Version: 8.5.2](https://img.shields.io/badge/Version-8.5.2-informational?style=flat-square) ![AppVersion: 23.3.2](https://img.shields.io/badge/AppVersion-23.3.2-informational?style=flat-square)
+![Version: 8.6.0-alpha.0](https://img.shields.io/badge/Version-8.6.0--alpha.0-informational?style=flat-square) ![AppVersion: 23.3.2](https://img.shields.io/badge/AppVersion-23.3.2-informational?style=flat-square)
 
 A Helm chart for deploying Alfresco Content Services
 
@@ -26,6 +26,7 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-control-center(alfresco-adf-app) | 0.2.0-alpha.0 |
 | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-digital-workspace(alfresco-adf-app) | 0.2.0-alpha.0 |
 | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-ai-transformer | 3.0.0-alpha.0 |
+| https://alfresco.github.io/alfresco-helm-charts/ | alfresco-audit-storage | 0.1.0-alpha.0 |
 | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-common | 3.1.4 |
 | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-connector-ms365 | 2.2.0-alpha.0 |
 | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-connector-msteams | 1.2.0-alpha.0 |
@@ -36,6 +37,8 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-sync-service | 6.1.0-alpha.0 |
 | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-transform-service | 2.1.1 |
 | https://helm.elastic.co | elasticsearch | 7.17.3 |
+| https://helm.elastic.co | elasticsearch-audit(elasticsearch) | 7.17.3 |
+| https://helm.elastic.co | kibana-audit(kibana) | 7.17.3 |
 | oci://registry-1.docker.io/bitnamicharts | postgresql-sync(postgresql) | 12.8.5 |
 | oci://registry-1.docker.io/bitnamicharts | postgresql | 12.8.5 |
 
@@ -58,6 +61,16 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | alfresco-ai-transformer.messageBroker.existingSecret.name | string | `"acs-alfresco-cs-brokersecret"` | Name of the configmap which holds the message broker credentials |
 | alfresco-ai-transformer.sfs.existingConfigMap.keys.url | string | `"SFS_URL"` | Name of the key within the configmap which holds the sfs url |
 | alfresco-ai-transformer.sfs.existingConfigMap.name | string | `"alfresco-infrastructure"` | Name of the configmap which holds the ATS shared filestore URL |
+| alfresco-audit-storage.enabled | bool | `true` |  |
+| alfresco-audit-storage.image.repository | string | `"quay.io/alfresco/alfresco-audit-storage"` |  |
+| alfresco-audit-storage.image.tag | string | `"0.0.1-A8"` |  |
+| alfresco-audit-storage.index.existingConfigMap.keys.url | string | `"AUDIT_ELASTICSEARCH_URL"` |  |
+| alfresco-audit-storage.index.existingConfigMap.name | string | `"alfresco-infrastructure"` |  |
+| alfresco-audit-storage.index.existingSecret.keys.password | string | `"AUDIT_ELASTICSEARCH_PASSWORD"` |  |
+| alfresco-audit-storage.index.existingSecret.keys.username | string | `"AUDIT_ELASTICSEARCH_USERNAME"` |  |
+| alfresco-audit-storage.index.existingSecret.name | string | `"alfresco-aas-elasticsearch-secret"` |  |
+| alfresco-audit-storage.messageBroker.existingConfigMap.name | string | `"alfresco-infrastructure"` | Name of the configmap which holds the message broker URL |
+| alfresco-audit-storage.messageBroker.existingSecret.name | string | `"acs-alfresco-cs-brokersecret"` | Name of the configmap which holds the message broker credentials |
 | alfresco-connector-ms365.enabled | bool | `false` | Enable/Disable Alfresco Content Connector for Microsoft 365 |
 | alfresco-connector-ms365.image.repository | string | `"quay.io/alfresco/alfresco-ooi-service"` |  |
 | alfresco-connector-ms365.image.tag | string | `"2.0.3"` |  |
@@ -226,10 +239,28 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | dtas.image.pullPolicy | string | `"IfNotPresent"` |  |
 | dtas.image.repository | string | `"quay.io/alfresco/alfresco-deployment-test-automation-scripts"` |  |
 | dtas.image.tag | string | `"v1.5.5"` |  |
+| elasticsearch-audit.clusterHealthCheckParams | string | `"wait_for_status=yellow&timeout=1s"` |  |
+| elasticsearch-audit.clusterName | string | `"elasticsearch-aas"` |  |
+| elasticsearch-audit.enabled | bool | `true` | Enables the embedded elasticsearch cluster for alfresco-audit-storage |
+| elasticsearch-audit.extraEnvs[0].name | string | `"ELASTIC_USERNAME"` |  |
+| elasticsearch-audit.extraEnvs[0].valueFrom.secretKeyRef.key | string | `"AUDIT_ELASTICSEARCH_USERNAME"` |  |
+| elasticsearch-audit.extraEnvs[0].valueFrom.secretKeyRef.name | string | `"alfresco-aas-elasticsearch-secret"` |  |
+| elasticsearch-audit.extraEnvs[1].name | string | `"ELASTIC_PASSWORD"` |  |
+| elasticsearch-audit.extraEnvs[1].valueFrom.secretKeyRef.key | string | `"AUDIT_ELASTICSEARCH_PASSWORD"` |  |
+| elasticsearch-audit.extraEnvs[1].valueFrom.secretKeyRef.name | string | `"alfresco-aas-elasticsearch-secret"` |  |
+| elasticsearch-audit.ingress.enabled | bool | `false` | toggle deploying elasticsearch-audit ingress for more details about configuration check https://github.com/elastic/helm-charts/blob/main/elasticsearch/values.yaml#L255 |
+| elasticsearch-audit.nameOverride | string | `"elasticsearch-aas"` |  |
+| elasticsearch-audit.replicas | int | `1` |  |
 | elasticsearch.clusterHealthCheckParams | string | `"wait_for_status=yellow&timeout=1s"` |  |
 | elasticsearch.enabled | bool | `true` | Enables the embedded elasticsearch cluster |
 | elasticsearch.replicas | int | `1` |  |
 | global.alfrescoRegistryPullSecrets | string | `nil` | If a private image registry a secret can be defined and passed to kubernetes, see: https://github.com/Alfresco/acs-deployment/blob/a924ad6670911f64f1bba680682d266dd4ea27fb/docs/helm/eks-deployment.md#docker-registry-secret |
+| global.auditIndex.existingSecretName | string | `nil` | Name of an existing secret that contains AUDIT_ELASTICSEARCH_USERNAME and AUDIT_ELASTICSEARCH_PASSWORD keys. |
+| global.auditIndex.password | string | `nil` | Elasticsearch password |
+| global.auditIndex.publicBaseUrl | string | `nil` | Base url for kibana environment variable `SERVER_PUBLICBASEURL`  |
+| global.auditIndex.secretName | string | `"alfresco-aas-elasticsearch-secret"` | Name of the secret managed by this chart |
+| global.auditIndex.url | string | `nil` | Elasticsearch URL |
+| global.auditIndex.username | string | `nil` | Elasticsearch username |
 | global.known_urls | list | `["https://localhost","http://localhost"]` | list of trusted URLs. URLs a re used to configure Cross-origin protections Also the first entry is considered the main hosting domain of the platform. |
 | global.mail | object | `{"host":null,"password":null,"port":587,"protocol":"smtp","smtp":{"auth":true,"starttls":{"enable":true}},"smtps":{"auth":true},"username":"anonymous"}` | For a full information of configuring the outbound email system, see https://docs.alfresco.com/content-services/latest/config/email/#manage-outbound-emails |
 | global.mail.host | string | `nil` | SMTP server to use for the system to send outgoing email |
@@ -247,6 +278,28 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | global.strategy.rollingUpdate.maxUnavailable | int | `0` |  |
 | infrastructure.configMapName | string | `"alfresco-infrastructure"` |  |
 | keda.components | list | `[]` | The list of components that will be scaled by KEDA (chart names) |
+| kibana-audit.elasticsearchHosts | string | `""` | Makes sure there is no default elasticsearch hosts defined |
+| kibana-audit.enabled | bool | `true` |  |
+| kibana-audit.extraEnvs[0].name | string | `"SERVER_BASEPATH"` |  |
+| kibana-audit.extraEnvs[0].value | string | `"/kibana"` |  |
+| kibana-audit.extraEnvs[1].name | string | `"SERVER_REWRITEBASEPATH"` |  |
+| kibana-audit.extraEnvs[1].value | string | `"true"` |  |
+| kibana-audit.extraEnvs[2].name | string | `"ELASTICSEARCH_HOSTS"` |  |
+| kibana-audit.extraEnvs[2].valueFrom.configMapKeyRef.key | string | `"AUDIT_ELASTICSEARCH_URL"` |  |
+| kibana-audit.extraEnvs[2].valueFrom.configMapKeyRef.name | string | `"alfresco-infrastructure"` |  |
+| kibana-audit.extraEnvs[3].name | string | `"SERVER_PUBLICBASEURL"` |  |
+| kibana-audit.extraEnvs[3].valueFrom.configMapKeyRef.key | string | `"AUDIT_SERVER_PUBLICBASEURL"` |  |
+| kibana-audit.extraEnvs[3].valueFrom.configMapKeyRef.name | string | `"alfresco-infrastructure"` |  |
+| kibana-audit.extraEnvs[4].name | string | `"ELASTICSEARCH_USERNAME"` |  |
+| kibana-audit.extraEnvs[4].valueFrom.secretKeyRef.key | string | `"AUDIT_ELASTICSEARCH_USERNAME"` |  |
+| kibana-audit.extraEnvs[4].valueFrom.secretKeyRef.name | string | `"alfresco-aas-elasticsearch-secret"` |  |
+| kibana-audit.extraEnvs[5].name | string | `"ELASTICSEARCH_PASSWORD"` |  |
+| kibana-audit.extraEnvs[5].valueFrom.secretKeyRef.key | string | `"AUDIT_ELASTICSEARCH_PASSWORD"` |  |
+| kibana-audit.extraEnvs[5].valueFrom.secretKeyRef.name | string | `"alfresco-aas-elasticsearch-secret"` |  |
+| kibana-audit.healthCheckPath | string | `"/kibana/app/kibana"` |  |
+| kibana-audit.ingress.enabled | bool | `true` |  |
+| kibana-audit.ingress.hosts[0].paths[0].path | string | `"/kibana"` |  |
+| kibana-audit.ingress.hosts[0].paths[0].pathType | string | `"Prefix"` |  |
 | messageBroker.brokerName | string | `nil` | name of the message broker as set in the Broker configuration |
 | messageBroker.existingSecretName | string | `nil` | Name of an existing secret that contains BROKER_USERNAME and BROKER_PASSWORD keys. and optionally the credentials to the web console (can be the same as broker access). |
 | messageBroker.password | string | `nil` | External message broker password |

helm/alfresco-content-services/community_values.yaml

@@ -59,3 +59,9 @@ alfresco-connector-ms365:
   enabled: false
 alfresco-connector-msteams:
   enabled: false
+elasticsearch-audit:
+  enabled: false
+kibana-audit:
+  enabled: false
+alfresco-audit-storage:
+  enabled: false

helm/alfresco-content-services/templates/config-infrastructure.yaml

@@ -69,3 +69,22 @@ data:
       {{- fail "Alfresco Intelligence service has been enabled but Transformation service is not available" }}
   {{- end }}
   {{- end }}
+  {{- $elasticsearch_audit_url := "" }}
+    {{- if .Values.global.auditIndex.url }}
+      {{- $elasticsearch_audit_url = .Values.global.auditIndex.url }}
+    {{- else }}
+      {{- with (index .Values "elasticsearch-audit") }}
+        {{- if .enabled }}
+          {{- $auditEsProto := .protocol | default "http" }}
+          {{- $auditEsHost := printf "%s-%s" (.clusterName | default "elasticsearch") (.nodeGroup | default "master") }}
+          {{- $auditEsPort := .port | default 9200 }}
+          {{- $elasticsearch_audit_url = coalesce $.Values.global.auditIndex.url (printf "%s://%s:%v" $auditEsProto $auditEsHost $auditEsPort) }}
+        {{- else if index $.Values "alfresco-audit-storage" "enabled" }}
+          {{- fail "Chart is configured to use Alfresco Audit Storage but no index backend has been provided. Set one using either global.auditIndex.url or elasticsearch-audit.enabled" }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+    {{- printf "AUDIT_ELASTICSEARCH_URL: %s" $elasticsearch_audit_url | nindent 2 }}
+    {{- printf "AUDIT_ELASTICSEARCH_HOST: %s" (include "alfresco-common.url.host" $elasticsearch_audit_url) | nindent 2 }}
+    {{- printf "AUDIT_ELASTICSEARCH_PORT: %s" (include "alfresco-common.url.port" $elasticsearch_audit_url | quote) | nindent 2 }}
+  AUDIT_SERVER_PUBLICBASEURL: {{ .Values.global.auditIndex.publicBaseUrl | default "http://localhost/kibana" }}

helm/alfresco-content-services/templates/secret-aas-elasticearch.yaml

@@ -0,0 +1,14 @@
+{{- if not .Values.global.auditIndex.existingSecretName }}
+{{- with .Values.global.auditIndex }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .secretName }}
+  labels:
+    {{- include "alfresco-content-services.labels" $ | nindent 4 }}
+type: Opaque
+data:
+  AUDIT_ELASTICSEARCH_USERNAME: {{ .username | default "elastic" | b64enc | quote }}
+  AUDIT_ELASTICSEARCH_PASSWORD: {{ .password | default "elastic" | b64enc | quote }}
+{{- end }}
+{{- end }}

helm/alfresco-content-services/values.yaml

@@ -62,6 +62,19 @@ global:
     # -- Name of an existing secret that contains SOLR_SECRET key when flavour
     # is solr6 or SEARCH_USERNAME and SEARCH_PASSWORD keys.
     existingSecretName: null
+  auditIndex:
+    # -- Elasticsearch URL
+    url: null
+    # -- Elasticsearch username
+    username: null
+    # -- Elasticsearch password
+    password: null
+    # -- Name of the secret managed by this chart
+    secretName: &aas_elasticsearch_secretName alfresco-aas-elasticsearch-secret
+    # -- Name of an existing secret that contains AUDIT_ELASTICSEARCH_USERNAME and AUDIT_ELASTICSEARCH_PASSWORD keys.
+    existingSecretName: null
+    # -- Base url for kibana environment variable `SERVER_PUBLICBASEURL` 
+    publicBaseUrl: null
   # -- If a private image registry a secret can be defined and passed to
   # kubernetes, see:
   # https://github.com/Alfresco/acs-deployment/blob/a924ad6670911f64f1bba680682d266dd4ea27fb/docs/helm/eks-deployment.md#docker-registry-secret
@@ -538,6 +551,87 @@ elasticsearch:
   enabled: true
   replicas: 1
   clusterHealthCheckParams: "wait_for_status=yellow&timeout=1s"
+elasticsearch-audit:
+  # -- Enables the embedded elasticsearch cluster for alfresco-audit-storage
+  enabled: true
+  nameOverride: elasticsearch-aas
+  replicas: 1
+  clusterHealthCheckParams: "wait_for_status=yellow&timeout=1s"
+  clusterName: elasticsearch-aas
+  extraEnvs:
+    - name: ELASTIC_USERNAME
+      valueFrom:
+        secretKeyRef: 
+          name: *aas_elasticsearch_secretName
+          key: AUDIT_ELASTICSEARCH_USERNAME
+    - name: ELASTIC_PASSWORD
+      valueFrom:
+        secretKeyRef: 
+          name: *aas_elasticsearch_secretName
+          key: AUDIT_ELASTICSEARCH_PASSWORD
+  ingress:
+    # -- toggle deploying elasticsearch-audit ingress for more details about configuration check
+    # https://github.com/elastic/helm-charts/blob/main/elasticsearch/values.yaml#L255
+    enabled: false
+alfresco-audit-storage:
+  enabled: true
+  image:
+    repository: quay.io/alfresco/alfresco-audit-storage
+    tag: 0.0.1-A8
+  messageBroker:
+    existingConfigMap:
+      # -- Name of the configmap which holds the message broker URL
+      name: *infrastructure_cmName
+    existingSecret:
+      # -- Name of the configmap which holds the message broker credentials
+      name: *acs_messageBroker_secretName
+  index:
+    existingConfigMap:
+      name: *infrastructure_cmName
+      keys:
+        url: AUDIT_ELASTICSEARCH_URL
+    existingSecret:
+      name: *aas_elasticsearch_secretName
+      keys:
+        username: AUDIT_ELASTICSEARCH_USERNAME
+        password: AUDIT_ELASTICSEARCH_PASSWORD
+kibana-audit:
+  enabled: true
+  healthCheckPath: "/kibana/app/kibana"
+  # -- Makes sure there is no default elasticsearch hosts defined
+  elasticsearchHosts: ""
+  # All of the values has to be set there to escape the issue with overriding the values
+  extraEnvs:
+    - name: SERVER_BASEPATH
+      value: "/kibana"
+    - name: SERVER_REWRITEBASEPATH
+      value: "true"
+    - name: ELASTICSEARCH_HOSTS
+      valueFrom:
+        configMapKeyRef: 
+          name: *infrastructure_cmName
+          key: AUDIT_ELASTICSEARCH_URL
+    - name: SERVER_PUBLICBASEURL
+      valueFrom:
+        configMapKeyRef: 
+          name: *infrastructure_cmName
+          key: AUDIT_SERVER_PUBLICBASEURL
+    - name: ELASTICSEARCH_USERNAME
+      valueFrom:
+        secretKeyRef: 
+          name: *aas_elasticsearch_secretName
+          key: AUDIT_ELASTICSEARCH_USERNAME
+    - name: ELASTICSEARCH_PASSWORD
+      valueFrom:
+        secretKeyRef: 
+          name: *aas_elasticsearch_secretName
+          key: AUDIT_ELASTICSEARCH_PASSWORD
+  ingress:
+    enabled: true
+    hosts:
+      - paths:
+          - path: /kibana
+            pathType: Prefix
 dtas:
   # -- Enables the deployment test suite which can run via `helm test` (currently available for Enterprise only)
   enabled: false

test/community-integration-test-values.yaml

@@ -90,6 +90,12 @@ postgresql:
       limits:
         cpu: "2"
         memory: "1Gi"
+elasticsearch-audit:
+  enabled: false
+kibana-audit:
+  enabled: false
+alfresco-audit-storage:
+  enabled: false
 dtas:
   enabled: true
   config:

test/enterprise-integration-test-values.yaml

@@ -46,6 +46,8 @@ elasticsearch:
       cpu: "1"
       memory: "1Gi"
 alfresco-search-enterprise:
+  reindexing:
+    hookExecution: false
   resources:
     requests:
       cpu: "0.1"
@@ -178,5 +180,20 @@ alfresco-ai-transformer:
       memory: "512Mi"
   livenessProbe:
     initialDelaySeconds: 120
+elasticsearch-audit:
+  resources:
+    requests:
+      cpu: "0.01"
+      memory: "256Mi"
+alfresco-audit-storage:
+  resources:
+    requests:
+      cpu: "0.01"
+      memory: "256Mi"
+kibana-audit:
+  resources:
+    requests:
+      cpu: "0.01"
+      memory: "256Mi"
 dtas:
   enabled: true