OPSEXP-1862: preliminary repository chart (#84)

.checkov.yml

@@ -2,6 +2,8 @@ framework:
   - helm
 directory:
   - charts
+skip-path:
+  - charts/[^/]+/ci/
 skip-check:
   - CKV_K8S_15
   - CKV_K8S_21

charts/alfresco-repository/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/alfresco-repository/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: alfresco-common
+  repository: https://alfresco.github.io/alfresco-helm-charts/
+  version: 2.1.0-alpha.2
+- name: postgresql
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 12.5.6
+digest: sha256:2fc15d92a0fa85b0f7b7b5fa3340fa881b3dfc9c64afe0433afd5ebe374158c6
+generated: "2023-07-31T13:57:22.409425+02:00"

charts/alfresco-repository/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: alfresco-repository
+description: Alfresco content repository Helm chart
+type: application
+version: 0.1.0-alpha.0
+appVersion: 23.1.0-A21
+dependencies:
+  - name: alfresco-common
+    version: 2.1.0-alpha.2
+    repository: https://alfresco.github.io/alfresco-helm-charts/
+  - name: postgresql
+    version: 12.5.6
+    repository: oci://registry-1.docker.io/bitnamicharts
+    condition: postgresql.enabled

charts/alfresco-repository/README.md

@@ -0,0 +1,99 @@
+# alfresco-repository
+
+![Version: 0.1.0-alpha.0](https://img.shields.io/badge/Version-0.1.0--alpha.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 23.1.0-A21](https://img.shields.io/badge/AppVersion-23.1.0--A21-informational?style=flat-square)
+
+Alfresco content repository Helm chart
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://alfresco.github.io/alfresco-helm-charts/ | alfresco-common | 2.1.0-alpha.2 |
+| oci://registry-1.docker.io/bitnamicharts | postgresql | 12.5.6 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| args | list | `[]` |  |
+| command | list | `[]` |  |
+| configuration.repository.existingConfigMap | string | `nil` | a configmap containing the "alfresco-global.properties" key populated with actual Alfresco repository properties |
+| configuration.repository.existingSecret | string | `nil` | Name of a pre-existing secret TODO: secret documentation |
+| db.driver | string | `nil` | JDBC driver class of the driver if none is provided the it is guessed from the URL provided |
+| db.existingSecret | object | `{"keys":{"password":"DATABASE_PASSWORD","username":"DATABASE_USERNAME"},"name":null}` | Existing secret and their keys where to find the database username & password. |
+| db.existingSecret.keys.password | string | `"DATABASE_PASSWORD"` | Key within the secret holding the database password |
+| db.existingSecret.keys.username | string | `"DATABASE_USERNAME"` | Key within the secret holding the database username |
+| db.existingSecret.name | string | `nil` | Name of a pre-existing secret containing database credentials |
+| db.password | string | `nil` | Password to authentication to the repository database |
+| db.url | string | `nil` | JDBC url of the database WITHOUT the "jdbc:" prefix This is a mandatory parameter |
+| db.username | string | `nil` | Username to authentication to the repository database |
+| environment.ALFRESCO_OPTS | string | `nil` | Alfresco java system properties. These properties must be provided as a string following the pattern "-Dproperty=value". They override the content of the global properties file but you should prefer using an existing configuration.repository.existingConfigMap. |
+| environment.CATALINA_OPTS | string | `nil` | Apache Tomcat command line options |
+| environment.JAVA_OPTS | string | `"-XX:MaxRAMPercentage=80"` | Set JVM options |
+| extraInitContainers | list | `[]` |  |
+| extraSideContainers | list | `[]` |  |
+| extraVolumeMounts | list | `[]` |  |
+| extraVolumes | list | `[]` |  |
+| fullnameOverride | string | `""` |  |
+| global.alfrescoRegistryPullSecrets | string | `"quay-registry-secret"` | If a private image registry a secret can be defined and passed to kubernetes, see: https://github.com/Alfresco/acs-deployment/blob/a924ad6670911f64f1bba680682d266dd4ea27fb/docs/helm/eks-deployment.md#docker-registry-secret |
+| global.known_urls | string | `nil` | a fallback for .Values.known_urls that can be shared between charts |
+| image.port | int | `8080` |  |
+| image.pullPolicy | string | `"IfNotPresent"` |  |
+| image.repository | string | `"quay.io/alfresco/alfresco-content-repository"` |  |
+| image.tag | string | `"23.1.0-A21"` |  |
+| imagePullSecrets | list | `[]` |  |
+| ingress.annotations."nginx.ingress.kubernetes.io/affinity" | string | `"cookie"` |  |
+| ingress.annotations."nginx.ingress.kubernetes.io/proxy-body-size" | string | `"5g"` |  |
+| ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-hash" | string | `"sha1"` |  |
+| ingress.annotations."nginx.ingress.kubernetes.io/session-cookie-name" | string | `"alfrescoRepo"` |  |
+| ingress.enabled | bool | `true` |  |
+| ingress.hosts[0].paths[0].path | string | `"/"` |  |
+| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
+| ingress.tls | list | `[]` |  |
+| livenessProbe.httpGet.path | string | `"/alfresco/api/-default-/public/alfresco/versions/1/probes/-live-"` |  |
+| livenessProbe.httpGet.port | string | `"http"` |  |
+| livenessProbe.periodSeconds | int | `20` |  |
+| livenessProbe.timeoutSeconds | int | `3` |  |
+| nameOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| persistence.accessModes | list | `["ReadWriteMany"]` | Specify a storageClass for dynamic provisioning |
+| persistence.baseSize | string | `"20Gi"` |  |
+| persistence.data.mountPath | string | `"/usr/local/tomcat/alf_data"` |  |
+| persistence.data.subPath | string | `"alfresco-content-services/repository-data"` |  |
+| persistence.enabled | bool | `false` | Persist Contentsotre data |
+| persistence.existingClaim | string | `nil` | Use pre-provisioned pv through its claim (e.g. static provisioning) |
+| persistence.storageClass | string | `nil` | Bind PVC based on storageClass (e.g. dynamic provisioning) |
+| podAnnotations | object | `{}` |  |
+| podSecurityContext.fsGroup | int | `1000` |  |
+| podSecurityContext.runAsGroup | int | `1000` |  |
+| podSecurityContext.runAsNonRoot | bool | `true` |  |
+| podSecurityContext.runAsUser | int | `33000` |  |
+| readinessProbe.httpGet.path | string | `"/alfresco/api/-default-/public/alfresco/versions/1/probes/-ready-"` |  |
+| readinessProbe.httpGet.port | string | `"http"` |  |
+| readinessProbe.periodSeconds | int | `20` |  |
+| readinessProbe.timeoutSeconds | int | `3` |  |
+| replicaCount | int | `1` |  |
+| resources.limits.cpu | string | `"4"` |  |
+| resources.limits.memory | string | `"8Gi"` |  |
+| resources.requests.cpu | string | `"250m"` |  |
+| resources.requests.memory | string | `"2Gi"` |  |
+| securityContext | object | `{}` |  |
+| service.name | string | `"repository"` |  |
+| service.port | int | `80` |  |
+| service.type | string | `"ClusterIP"` |  |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.create | bool | `true` |  |
+| serviceAccount.name | string | `"alfresco-repo-sa"` |  |
+| startupProbe.failureThreshold | int | `5` |  |
+| startupProbe.httpGet.path | string | `"/alfresco/api/-default-/public/alfresco/versions/1/probes/-live-"` |  |
+| startupProbe.httpGet.port | string | `"http"` |  |
+| startupProbe.periodSeconds | int | `30` |  |
+| startupProbe.timeoutSeconds | int | `3` |  |
+| strategy.rollingUpdate.maxSurge | int | `1` |  |
+| strategy.rollingUpdate.maxUnavailable | int | `0` |  |
+| strategy.type | string | `"RollingUpdate"` |  |
+| tolerations | list | `[]` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

charts/alfresco-repository/ci/default-values.yaml

@@ -0,0 +1,13 @@
+db:
+  url: postgresql://pg-postgresql-acs/alfresco
+  username: &pguser pguser
+  password: &pgpass pgpass
+postgresql:
+  enabled: true
+  fullnameOverride: pg-postgresql-acs
+  image:
+    tag: 14.4.0
+  auth:
+    username: *pguser
+    password: *pgpass
+    database: alfresco

charts/alfresco-repository/templates/_helpers-database.tpl

@@ -0,0 +1,105 @@
+{{/*
+Compute JDBC URL opbject
+We're just manipulating the string URl to make it parseable by urlParse.
+It MUST NOT be used directly.
+*/}}
+{{- define "alfresco-repository.jdbc.parser" -}}
+{{- $jdbc_url := required "Alfresco repository needs a database to start. Please provide a valid URL in db.url value" . }}
+{{- if hasPrefix "jdbc:" $jdbc_url }}
+{{- fail "database URL MUST be provided WITHOUT the 'jdbc' prefix." }}
+{{- end }}
+{{- if hasPrefix "oracle:thin:@" $jdbc_url }}
+  {{- $ora_url := trimPrefix "oracle:thin:" $jdbc_url }}
+  {{- $ora_url = (mustRegexReplaceAllLiteral "^@(tcps?://)?" $ora_url "oracle://") }}
+  {{- $jdbc_url = $ora_url }}
+{{- end }}
+{{- if hasPrefix "sqlserver://" $jdbc_url }}
+  {{- $jdbc_url = trimPrefix "sqlserver://" $jdbc_url }}
+  {{- $query := $jdbc_url | splitList ";" }}
+  {{- $host := "" }}
+  {{- if and (not (empty (index $query 0))) (not (contains "=" (index $query 0))) }}
+    {{- $host = index $query 0 }}
+    {{- $query = rest $query }}
+  {{- end }}
+  {{- $path := "" }}
+  {{- range $query }}
+    {{- if and (hasPrefix "serverName=" .) (empty $host) }}
+      {{- $host = trimPrefix "serverName=" . }}
+      {{- $_ := mustWithout $query . }}
+    {{- end }}
+    {{- if hasPrefix "databaseName=" . }}
+      {{- $path = trimPrefix "databaseName=" . }}
+      {{- $_ := mustWithout $query . }}
+    {{- end }}
+  {{- end }}
+  {{- $ms_url := printf "sqlserver://%s/%s?%s" $host $path ($query | join "&") }}
+  {{- $jdbc_url = $ms_url }}
+{{- end }}
+{{- $parsed_url := urlParse $jdbc_url }}
+{{- if or (empty $parsed_url.host) (empty $parsed_url.hostname) (empty $parsed_url.scheme) (eq "/" $parsed_url.path) }}
+  {{- fail "The provided JDBC URL cannot be parsed please check or raise a bug." }}
+{{- end }}
+{{- mustToJson (dict "jdbc" $parsed_url) }}
+{{- end -}}
+
+{{/*
+Compute default ports by RDBMS
+*/}}
+{{- define "alfresco-repository.db.default.port" -}}
+{{- $pg_rdbms := dict "name" "postgresql" "port" 5432 }}
+{{- $my_rdbms := dict "name" "mysql" "port" 3306 }}
+{{- $maria_rdbms := dict "name" "mariadb" "port" 3306 }}
+{{- $ora_rdbms := dict "name" "oracle" "port" 1521 }}
+{{- $ms_rdbms := dict "name" "sqlserver" "port" 1434 }}
+{{- range $rdbms := list $pg_rdbms $my_rdbms $maria_rdbms $ora_rdbms $ms_rdbms }}
+{{- eq $rdbms.name $ | ternary $rdbms.port "" }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Compute default driver by RDBMS
+*/}}
+{{- define "alfresco-repository.db.default.driver" -}}
+{{- $pg_rdbms := dict "name" "postgresql" "driver" "org.postgresql.Driver" }}
+{{- $my_rdbms := dict "name" "mysql" "driver" "com.mysql.jdbc.Driver" }}
+{{- $maria_rdbms := dict "name" "mariadb" "driver" "org.mariadb.jdbc.Driver" }}
+{{- $ora_rdbms := dict "name" "oracle" "driver" "oracle.jdbc.OracleDriver" }}
+{{- $ms_rdbms := dict "name" "sqlserver" "driver" "com.microsoft.sqlserver.jdbc.SQLServerDriver" }}
+{{- range $rdbms := list $pg_rdbms $my_rdbms $maria_rdbms $ora_rdbms $ms_rdbms }}
+{{- eq $rdbms.name $ | ternary $rdbms.driver "" }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Provide repository database engine
+*/}}
+{{- define "alfresco-repository.db.rdbms" -}}
+{{- index (include "alfresco-repository.jdbc.parser" .url | fromJson) "jdbc" "scheme" }}
+{{- end -}}
+
+{{/*
+Provide repository database hostname
+*/}}
+{{- define "alfresco-repository.db.hostname" -}}
+{{- index (include "alfresco-repository.jdbc.parser" .url | fromJson) "jdbc" "hostname" }}
+{{- end -}}
+
+{{/*
+Provide repository database port
+*/}}
+{{- define "alfresco-repository.db.port" -}}
+{{- $socket := (index (include "alfresco-repository.jdbc.parser" .url | fromJson) "jdbc" "host") }}
+{{- if gt ($socket | splitList ":" | len) 1 }}
+  {{- $socket | splitList ":" | last }}
+{{- else }}
+  {{- template "alfresco-repository.db.default.port" (index (include "alfresco-repository.jdbc.parser" .url | fromJson) "jdbc" "scheme") }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Provide repository database driverClass
+*/}}
+{{- define "alfresco-repository.db.driver" -}}
+{{- $scheme := index (include "alfresco-repository.jdbc.parser" .url | fromJson) "jdbc" "scheme" }}
+{{- coalesce .driver (include "alfresco-repository.db.default.driver" $scheme) }}
+{{- end -}}

charts/alfresco-repository/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "alfresco-repository.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "alfresco-repository.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "alfresco-repository.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "alfresco-repository.labels" -}}
+helm.sh/chart: {{ include "alfresco-repository.chart" . }}
+{{ include "alfresco-repository.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "alfresco-repository.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "alfresco-repository.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "alfresco-repository.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "alfresco-repository.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/alfresco-repository/templates/configmap.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: >-
+    {{- $alfoptsCtx := dict "Values" (dict "nameOverride" "alfresco-opts") "Chart" .Chart "Release" .Release }}
+    {{ template "alfresco-repository.fullname" $alfoptsCtx }}
+  labels:
+    {{- include "alfresco-repository.labels" . | nindent 4 }}
+data:
+  ALFRESCO_OPTS: >-
+    -Ddeployment.method=HELM_CHART
+    -Ddb.url=jdbc:{{ .Values.db.url }}
+    -Ddb.username=${DATABASE_USERNAME}
+    -Ddb.password=${DATABASE_PASSWORD}
+    -Ddb.driver={{ include "alfresco-repository.db.driver" .Values.db }}
+    -Dencryption.keystore.type=JCEKS
+    -Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
+    -Dencryption.keyAlgorithm=DESede
+    -Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore
+    -Dmetadata-keystore.aliases=metadata
+    -Dmetadata-keystore.metadata.algorithm=DESede
+    -Dmetadata-keystore.password=mp6yc0UD9e
+    -Dmetadata-keystore.metadata.password=oKIWzVdEdA
+    {{ .Values.environment.ALFRESCO_OPTS | default "" }}
+  CATALINA_OPTS: >-
+    $ALFRESCO_OPTS
+    {{ .Values.environment.CATALINA_OPTS | default "" }}
+  JAVA_OPTS: >-
+    {{ .Values.environment.JAVA_OPTS | default "" }}