diff --git a/charts/alfresco-share/.helmignore b/charts/alfresco-share/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/alfresco-share/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/alfresco-share/Chart.lock b/charts/alfresco-share/Chart.lock
new file mode 100644
index 00000000..1e4ef329
--- /dev/null
+++ b/charts/alfresco-share/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: alfresco-common
+ repository: https://alfresco.github.io/alfresco-helm-charts
+ version: 2.1.0-alpha.0
+digest: sha256:6922cc13c87c5fe6eed669f956cd5f0da86a96793da89e27099b73054e60024e
+generated: "2023-07-10T16:32:19.328012924Z"
diff --git a/charts/alfresco-share/Chart.yaml b/charts/alfresco-share/Chart.yaml
new file mode 100644
index 00000000..7181773f
--- /dev/null
+++ b/charts/alfresco-share/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: alfresco-share
+description: Alfresco Share Helm chart for Kubernetes
+type: application
+version: 0.1.0-alpha.0
+appVersion: 7.4.0
+dependencies:
+ - repository: https://alfresco.github.io/alfresco-helm-charts
+ version: 2.1.0-alpha.0
+ name: alfresco-common
diff --git a/charts/alfresco-share/README.md b/charts/alfresco-share/README.md
new file mode 100644
index 00000000..fd957410
--- /dev/null
+++ b/charts/alfresco-share/README.md
@@ -0,0 +1,76 @@ +# alfresco-share + +![Version: 0.1.0-alpha.0](https://img.shields.io/badge/Version-0.1.0--alpha.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 7.4.0](https://img.shields.io/badge/AppVersion-7.4.0-informational?style=flat-square) + +Alfresco Share Helm chart for Kubernetes + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://alfresco.github.io/alfresco-helm-charts | alfresco-common | 2.1.0-alpha.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| args | list | `[]` | | +| command | list | `[]` | | +| environment.CATALINA_OPTS | string | `"-XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80"` | | +| extraInitContainers | list | `[]` | | +| extraSideContainers | list | `[]` | | +| extraVolumeMounts | list | `[]` | | +| extraVolumes | list | `[]` | | +| fullnameOverride | string | `""` | Define a fully static name | +| global.alfrescoRegistryPullSecrets | string | `"quay-registry-secret"` | If a private image registry a secret can be defined and passed to kubernetes, see: https://github.com/Alfresco/acs-deployment/blob/a924ad6670911f64f1bba680682d266dd4ea27fb/docs/helm/eks-deployment.md#docker-registry-secret | +| global.known_urls | string | `nil` | a fallback for .Values.known_urls that can be shared between charts | +| image.port | int | `8080` | Internal port where the pod is listening. Should only be changed is you use a custom image which uses a different port. 
| +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"quay.io/alfresco/alfresco-share"` | | +| image.tag | string | `"7.4.0.1"` | | +| imagePullSecrets | list | `[]` | | +| ingress.annotations."nginx.ingress.kubernetes.io/affinity" | string | `"cookie"` | | +| ingress.annotations."nginx.ingress.kubernetes.io/proxy-body-size" | string | `"5g"` | | +| ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-expires" | string | `"604800"` | | +| ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-max-age" | string | `"604800"` | | +| ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-name" | string | `"alfrescoShare"` | | +| ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-path" | string | `"/share"` | | +| ingress.enabled | bool | `true` | | +| ingress.hosts[0].paths[0].path | string | `"/share"` | | +| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | +| ingress.tls | list | `[]` | | +| known_urls | string | `nil` | Provide the list of URL considered allowed to access Share resources (used for CSRF protection). The value be either a list of strings or a single string separated by spaces. 
| +| livenessProbe.initialDelaySeconds | int | `15` | | +| livenessProbe.periodSeconds | int | `20` | | +| livenessProbe.timeoutSeconds | int | `5` | | +| nameOverride | string | `""` | Define a partially static name | +| nodeSelector | object | `{}` | | +| podAnnotations | object | `{}` | | +| podSecurityContext.runAsNonRoot | bool | `true` | | +| readinessProbe.initialDelaySeconds | int | `15` | | +| readinessProbe.periodSeconds | int | `30` | | +| readinessProbe.timeoutSeconds | int | `5` | | +| repository.existingConfigMap | string | `nil` | a pre-existing configmap which provides expected configuration for Share REPO_HOST REPO_PORT CSRF_FILTER_REFERER CSRF_FILTER_ORIGIN EXTERNAL_HOST | +| repository.host | string | `"localhost"` | repository hostname/servicename | +| repository.port | int | `8080` | repository port where service is exposed | +| resources.limits.cpu | string | `"4"` | | +| resources.limits.memory | string | `"2000Mi"` | | +| resources.requests.cpu | string | `"250m"` | | +| resources.requests.memory | string | `"512Mi"` | | +| securityContext.capabilities.drop[0] | string | `"NET_RAW"` | | +| securityContext.capabilities.drop[1] | string | `"ALL"` | | +| securityContext.runAsNonRoot | bool | `false` | | +| service.name | string | `"share"` | | +| service.port | int | `80` | | +| service.type | string | `"ClusterIP"` | | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `"share-sa"` | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | +| strategy.rollingUpdate.maxSurge | int | `1` | | +| strategy.rollingUpdate.maxUnavailable | int | `0` | | +| strategy.type | string | `"RollingUpdate"` | | +| tolerations | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/alfresco-share/templates/_helpers.tpl b/charts/alfresco-share/templates/_helpers.tpl new file mode 100644 index 00000000..55682b87 --- /dev/null +++ b/charts/alfresco-share/templates/_helpers.tpl 
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "alfresco-share.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "alfresco-share.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "alfresco-share.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "alfresco-share.labels" -}}
+helm.sh/chart: {{ include "alfresco-share.chart" . }}
+{{ include "alfresco-share.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "alfresco-share.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "alfresco-share.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "alfresco-share.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "alfresco-share.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/alfresco-share/templates/config-share.yaml b/charts/alfresco-share/templates/config-share.yaml
new file mode 100644
index 00000000..4fc0b237
--- /dev/null
+++ b/charts/alfresco-share/templates/config-share.yaml
@@ -0,0 +1,16 @@
+{{- if not .Values.repository.existingConfigMap -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "alfresco-share.fullname" . }}-configmap
+ labels:
+ {{- include "alfresco-share.labels" . | nindent 4 }}
+data:
+ REPO_HOST: {{ .Values.repository.host | quote }}
+ REPO_PORT: {{ .Values.repository.port | quote }}
+ {{- $known_urls := coalesce .Values.known_urls .Values.global.known_urls "http://localhost,https://localhost" }}
+ CSRF_FILTER_REFERER: {{ include "alfresco-common.csrf.referer" $known_urls }}
+ CSRF_FILTER_ORIGIN: {{ include "alfresco-common.csrf.origin" $known_urls }}
+ EXTERNAL_HOST: {{ include "alfresco-common.external.url" $known_urls }}
+{{- end -}}
diff --git a/charts/alfresco-share/templates/deployment-share.yaml b/charts/alfresco-share/templates/deployment-share.yaml
new file mode 100644
index 00000000..3fd80f12
--- /dev/null
+++ b/charts/alfresco-share/templates/deployment-share.yaml
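Review bot: The three values built from `$known_urls` are written unquoted, unlike `REPO_HOST` and `REPO_PORT` two lines above them, so a URL that yields a YAML-significant sequence (` #`, `: `, a leading `*` or `{`) would change or break the rendered ConfigMap; piping each through `quote`, e.g. `CSRF_FILTER_REFERER: {{ include "alfresco-common.csrf.referer" $known_urls | quote }}`, keeps them strings. The silent fallback to `"http://localhost,https://localhost"` means a release installed without `known_urls` gets a CSRF allow-list that matches no real client origin; wrapping the lookup in `required`, or documenting the fallback next to `known_urls` in values.yaml, would surface that at install time rather than at first login. The fallback is comma-separated while the values comment describes a list or a space-separated string, so it is worth confirming that the alfresco-common helpers accept commas (the default-config unit test suggests they do).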
@@ -0,0 +1,86 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "alfresco-share.fullname" . }}
+ labels:
+ {{- include "alfresco-share.labels" . | nindent 4 }}
+ annotations:
+ checkov.io/skip1: CKV_K8S_20=Requires APPS-1832
+ checkov.io/skip2: CKV_K8S_23=Requires APPS-1832
+ checkov.io/skip3: CKV_K8S_40=Requires APPS-1832
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "alfresco-share.selectorLabels" . | nindent 6 }}
+ strategy:
+ {{- toYaml (.Values.strategy | default .Values.global.strategy) | nindent 4 }}
+ template:
+ metadata:
+ annotations:
+ {{- if not .Values.repository.existingConfigMap }}
+ checksum/config: {{ include (print $.Template.BasePath "/config-share.yaml") . | sha256sum }}
+ {{- end }}
+ labels:
+ {{- include "alfresco-share.selectorLabels" . | nindent 8 }}
+ spec:
+ serviceAccountName: {{ include "alfresco-share.serviceAccountName" . }}
+ {{- include "component-pod-security-context" .Values | indent 4 }}
+ {{- include "alfresco-content-services.imagePullSecrets" . | indent 6 }}
+ nodeSelector:
+ {{- toYaml .Values.nodeSelector | nindent 8 }}
+ containers:
+ - name: alfresco-share
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- include "component-security-context" .Values | indent 8 }}
+ {{- if .Values.command }}
+ command:
+ {{- toYaml .Values.command | nindent 12 }}
+ args:
+ {{- toYaml .Values.args | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: tomcat-shutdown
+ containerPort: 8005
+ protocol: TCP
+ - name: http
+ containerPort: {{ .Values.image.port }}
+ protocol: TCP
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ envFrom:
+ - configMapRef:
+ name: {{ .Values.repository.existingConfigMap | default (print (include "alfresco-share.fullname" .) "-configmap") }}
+ env:
+ {{- range $key, $value := (omit .Values.environment "JAVA_OPTS") }}
+ - name: {{ $key }}
+ value: {{ $value }}
+ {{- end }}
+ - name: JAVA_OPTS
+ value: >-
+ {{ (printf "%s %s" (.Values.environment.JAVA_OPTS | default "") "-Dalfresco.proxy=$EXTERNAL_HOST") }}
+ volumeMounts:
+ {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+ readinessProbe:
+ httpGet:
+ path: /share
+ port: {{ .Values.image.port }}
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+ livenessProbe:
+ httpGet:
+ path: /share
+ port: {{ .Values.image.port }}
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+ {{- if .Values.extraSideContainers }}
+ {{- toYaml .Values.extraSideContainers | nindent 8 }}
+ {{- end }}
+ initContainers:
+ {{- toYaml .Values.extraInitContainers | nindent 8 }}
+ volumes:
+ {{- toYaml .Values.extraVolumes | nindent 8 }}
diff --git a/charts/alfresco-share/templates/ingress.yaml b/charts/alfresco-share/templates/ingress.yaml
new file mode 100644
index 00000000..2cbdae34
--- /dev/null
+++ b/charts/alfresco-share/templates/ingress.yaml
@@ -0,0 +1,67 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "alfresco-share.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{/*
+We only support nginx ingress for now: https://alfresco.atlassian.net/browse/OPSEXP-131
+*/}}
+{{- if not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ {{- $_ := unset .Values.ingress.annotations "kubernetes.io/ingress.class" }}
+ {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" "nginx" }}
+*/}}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "alfresco-share.labels" . | nindent 4 }}
+ annotations:
+ checkov.io/skip1: CKV_K8S_153=We're filtering out snippet in named template
+ {{- include "alfresco-common.nginx.annotations" .Values }}
+ {{- include "alfresco-common.nginx.secure.annotations" .Values }}
+spec:
+{{/*
+We only support nginx ingress for now: https://alfresco.atlassian.net/browse/OPSEXP-131
+*/}}
+ {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: nginx
+ {{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ .pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}
+ servicePort: {{ $svcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/alfresco-share/templates/service-share.yaml b/charts/alfresco-share/templates/service-share.yaml
new file mode 100644
index 00000000..e9a52a21
--- /dev/null
+++ b/charts/alfresco-share/templates/service-share.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "alfresco-share.fullname" . }}
+ labels:
+ {{- include "alfresco-share.selectorLabels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: {{ .Values.image.port }}
+ name: {{ .Values.service.name }}
+ selector:
+ {{- include "alfresco-share.selectorLabels" . | nindent 4 }}
diff --git a/charts/alfresco-share/templates/serviceaccount.yaml b/charts/alfresco-share/templates/serviceaccount.yaml
new file mode 100644
index 00000000..73256799
--- /dev/null
+++ b/charts/alfresco-share/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "alfresco-share.serviceAccountName" . }}
+ labels:
+ {{- include "alfresco-share.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
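Review bot: In ingress.yaml the bare `*/}}` line after the `set` call inside the `if not (semverCompare ">=1.18-0" …)` branch has no opening `{{/*`, so it is template text rather than a comment terminator and is written into the manifest ahead of `apiVersion:` whenever that branch runs (clusters older than 1.18); that line should be deleted. `ingressClassName: nginx` is gated on `.Values.ingress.className`, which values.yaml never defines, and the class annotation is only set on pre-1.18 clusters, so by default the Ingress carries no class at all on current clusters. Because the `/api/solr` and `/s/prometheus` 403 rules are delivered as an nginx `server-snippet` annotation, an Ingress claimed by a different default controller would presumably be served without them; either render the class unconditionally on 1.18+ or add `className: nginx` to values.yaml.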
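Review bot: In serviceaccount.yaml the ServiceAccount is created without `automountServiceAccountToken: false`, and the pod spec in deployment-share.yaml does not set it either, so every Share pod gets a Kubernetes API token mounted. Nothing in this chart shows Share calling the Kubernetes API, so the token looks unnecessary; adding `automountServiceAccountToken: false` at the top level of the ServiceAccount, next to `metadata`, removes it. A values switch can re-enable it for deployments that do need API access.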
diff --git a/charts/alfresco-share/tests/cm_test.yaml b/charts/alfresco-share/tests/cm_test.yaml
new file mode 100644
index 00000000..95099619
--- /dev/null
+++ b/charts/alfresco-share/tests/cm_test.yaml
@@ -0,0 +1,71 @@
+---
+suite: test Alfresco Share ingress
+templates:
+ - config-share.yaml
+tests:
+ - it: should not render a configmap
+ set:
+ repository:
+ existingConfigMap: myns/mycm
+ asserts:
+ - hasDocuments:
+ count: 0
+ template: config-share.yaml
+
+ - it: |
+ should render custom repo & CSRF config.
+ referers MUST be a regex with pipes escaped (due to the way vars are substitued in Share pods
+ origins MUST be a list of hosts (without paths) separated by commas.
+ set:
+ repository:
+ host: release-service.cluster.local
+ port: 80
+ known_urls:
+ - https://ecm.domain.tld/myapp/callback
+ - https://ecm.domain.tld/alfresco
+ - http://app.domain.local:8000
+ asserts:
+ - equal:
+ path: data.CSRF_FILTER_REFERER
+ value: >-
+ https://ecm.domain.tld/myapp/callback/.*\|https://ecm.domain.tld/alfresco/.*\|http://app.domain.local:8000/.*
+ template: config-share.yaml
+ - equal:
+ path: data.CSRF_FILTER_ORIGIN
+ value: https://ecm.domain.tld,https://ecm.domain.tld,http://app.domain.local:8000
+ template: config-share.yaml
+ - equal:
+ path: data.REPO_HOST
+ value: release-service.cluster.local
+ template: config-share.yaml
+ - equal:
+ path: data.REPO_PORT
+ value: "80"
+ template: config-share.yaml
+
+ - it: should render a default config
+ asserts:
+ - equal:
+ path: data.CSRF_FILTER_REFERER
+ value: http://localhost/.*\|https://localhost/.*
+ template: config-share.yaml
+ - equal:
+ path: data.CSRF_FILTER_ORIGIN
+ value: http://localhost,https://localhost
+ template: config-share.yaml
+ - equal:
+ path: data.REPO_HOST
+ value: localhost
+ template: config-share.yaml
+ - equal:
+ path: data.REPO_PORT
+ value: "8080"
+ template: config-share.yaml
+
+ - it: should render a default Xorigin restriction config
+ asserts:
+ - equal:
+ path: data.CSRF_FILTER_REFERER
+ value: >-
+ http://localhost/.*\|https://localhost/.*
+ template: config-share.yaml
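Review bot: The suite is named `test Alfresco Share ingress` although it only renders config-share.yaml, which looks copied from ingress_test.yaml; `suite: test Alfresco Share configmap` would make failures attributable to the right template. The fixture `existingConfigMap: myns/mycm` is not a valid ConfigMap name and suggests that a `configMapRef` can reach into another namespace, which it cannot; a plain name such as `mycm` documents the real contract. None of the cases asserts `data.EXTERNAL_HOST`, and the last case repeats the `CSRF_FILTER_REFERER` assertion of the default-config case, so it could be replaced by one that covers the missing key.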
diff --git a/charts/alfresco-share/tests/deployment_test.yaml b/charts/alfresco-share/tests/deployment_test.yaml
new file mode 100644
index 00000000..5716755a
--- /dev/null
+++ b/charts/alfresco-share/tests/deployment_test.yaml
@@ -0,0 +1,68 @@
+---
+suite: test Alfresco Share deployment
+templates:
+ - deployment-share.yaml
+ - config-share.yaml
+tests:
+ - it: should have basic metadata in place in deployment
+ asserts:
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-alfresco-share
+ template: deployment-share.yaml
+
+ - it: should leverage provided exisintg configmap
+ set:
+ repository:
+ existingConfigMap: myns/mycm
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].envFrom
+ content:
+ configMapRef:
+ name: myns/mycm
+ template: deployment-share.yaml
+
+ - it: should render extra configs
+ set:
+ extraSideContainers:
+ - image: busybox:latest
+ extraVolumes:
+ - name: share-config
+ configMap:
+ name: anotherns/morecm
+ extraVolumeMounts:
+ - name: share-config
+ mountPath: /usr/local/tomcat/shared/classes/Alfresco/web-extension/share-config-custom.xml
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: share-config
+ configMap:
+ name: anotherns/morecm
+ template: deployment-share.yaml
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ mountPath: >-
+ /usr/local/tomcat/shared/classes/Alfresco/web-extension/share-config-custom.xml
+ name: share-config
+ template: deployment-share.yaml
+ - lengthEqual:
+ path: spec.template.spec.containers
+ count: 2
+ template: deployment-share.yaml
+
+ - it: should render cpu and memory limits
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources
+ value:
+ requests:
+ cpu: "250m"
+ memory: "512Mi"
+ limits:
+ cpu: "4"
+ memory: "2000Mi"
+ template: deployment-share.yaml
diff --git a/charts/alfresco-share/tests/ingress_test.yaml b/charts/alfresco-share/tests/ingress_test.yaml
new file mode 100644
index 00000000..2b1e75d8
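Review bot: No case asserts the rendered pod or container `securityContext`, so a change in the security-context helpers or in the `securityContext` defaults would pass this suite unnoticed. Adding a case with an `equal` assertion on `spec.template.spec.containers[0].securityContext` against the values.yaml defaults would pin it, assuming the helper passes those values through unchanged. The title `should leverage provided exisintg configmap` has a typo (`existing`), and its `myns/mycm` fixture is not a name a `configMapRef` can resolve, since that reference is always namespace-local.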
--- /dev/null
+++ b/charts/alfresco-share/tests/ingress_test.yaml
@@ -0,0 +1,25 @@
+---
+suite: test Alfresco Share ingress
+templates:
+ - ingress.yaml
+tests:
+ - it: should render with default security annotations
+ asserts:
+ - equal:
+ path: metadata.annotations['nginx.ingress.kubernetes.io/server-snippet']
+ value: |
+ location ~ ^/.*/(wc)?s(ervice)?/api/solr/.*$ {return 403;}
+ location ~ ^/.*/proxy/.*/api/solr/.*$ {return 403;}
+ location ~ ^/.*/-default-/proxy/.*/api/.*$ {return 403;}
+ location ~ ^/.*/s/prometheus$ {return 403;}
+ template: ingress.yaml
+ - it: should trim out any custom server-snippet
+ set:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/server-snippet: listen 6666;
+ asserts:
+ - notMatchRegex:
+ path: metadata.annotations['nginx.ingress.kubernetes.io/server-snippet']
+ pattern: listen 6666;
+ template: ingress.yaml
diff --git a/charts/alfresco-share/values.yaml b/charts/alfresco-share/values.yaml
new file mode 100644
index 00000000..dccf0d78
--- /dev/null
+++ b/charts/alfresco-share/values.yaml
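Review bot: Both cases render only against the default Kubernetes version, so the pre-1.18 and pre-1.19 branches of ingress.yaml are never exercised; a case that sets `capabilities` to an older version and asserts `apiVersion` would cover them. The trimming case injects only a `server-snippet`; if the alfresco-common helper is also meant to filter `nginx.ingress.kubernetes.io/configuration-snippet`, a matching `notMatchRegex` case should pin that behaviour. Neither case asserts that the session-affinity annotations from values.yaml survive the filtering helper.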
@@ -0,0 +1,126 @@
+# Default values for alfresco-share.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+repository:
+ # -- repository hostname/servicename
+ host: localhost
+ # -- repository port where service is exposed
+ port: 8080
+ # -- a pre-existing configmap which provides expected configuration for Share
+ # REPO_HOST
+ # REPO_PORT
+ # CSRF_FILTER_REFERER
+ # CSRF_FILTER_ORIGIN
+ # EXTERNAL_HOST
+ existingConfigMap:
+
+# -- Provide the list of URL considered allowed to access Share resources (used
+# for CSRF protection). The value be either a list of strings or a single
+# string separated by spaces.
+known_urls:
+
+image:
+ repository: quay.io/alfresco/alfresco-share
+ tag: 7.4.0.1
+ pullPolicy: IfNotPresent
+ # -- Internal port where the pod is listening. Should only be changed is you
+ # use a custom image which uses a different port.
+ port: 8080
+
+strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+
+imagePullSecrets: []
+# -- Define a partially static name
+nameOverride: ""
+# -- Define a fully static name
+fullnameOverride: ""
+
+serviceAccount:
+ # -- Specifies whether a service account should be created
+ create: true
+ # -- Annotations to add to the service account
+ annotations: {}
+ # -- The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: share-sa
+
+podAnnotations: {}
+
+podSecurityContext:
+ runAsNonRoot: true
+
+securityContext:
+ runAsNonRoot: false
+ capabilities:
+ drop:
+ - NET_RAW
+ - ALL
+
+service:
+ name: share
+ type: ClusterIP
+ port: 80
+
+ingress:
+ enabled: true
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: 5g
+ nginx.ingress.kubernetes.io/affinity: "cookie"
+ nginx.ingress.kubernetes.io/session-cookie-name: "alfrescoShare"
+ nginx.ingress.kubernetes.io/session-cookie-path: "/share"
+ nginx.ingress.kubernetes.io/session-cookie-max-age: "604800"
+ nginx.ingress.kubernetes.io/session-cookie-expires: "604800"
+
+ hosts:
+ - paths:
+ - path: /share
+ pathType: ImplementationSpecific
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources:
+ requests:
+ cpu: "250m"
+ memory: "512Mi"
+ limits:
+ cpu: "4"
+ memory: "2000Mi"
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+environment:
+ CATALINA_OPTS: >-
+ -XX:MinRAMPercentage=50
+ -XX:MaxRAMPercentage=80
+readinessProbe:
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ timeoutSeconds: 5
+livenessProbe:
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ timeoutSeconds: 5
+extraVolumeMounts: []
+extraVolumes: []
+extraSideContainers: []
+extraInitContainers: []
+command: []
+args: []
+
+global:
+ # -- If a private image registry a secret can be defined and passed to
+ # kubernetes, see:
+ # https://github.com/Alfresco/acs-deployment/blob/a924ad6670911f64f1bba680682d266dd4ea27fb/docs/helm/eks-deployment.md#docker-registry-secret
+ alfrescoRegistryPullSecrets: quay-registry-secret
+ # -- a fallback for .Values.known_urls that can be shared between charts
+ known_urls:
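Review bot: `securityContext.runAsNonRoot: false` at container level overrides the pod-level `podSecurityContext.runAsNonRoot: true` set just above it, because Kubernetes gives the container setting precedence, so (assuming the security-context helper passes these values through) the non-root check is effectively off. If the image can run unprivileged, set `runAsNonRoot: true` here and add `allowPrivilegeEscalation: false`; if it cannot yet, a comment on this key should say so and name the tracking ticket. Listing `NET_RAW` before `ALL` under `capabilities.drop` is redundant, since `ALL` already covers it. The static `serviceAccount.name: share-sa` combined with `create: true` also means a second release in the same namespace will try to create a ServiceAccount of the same name; leaving the name empty lets the fullname helper generate a per-release one.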