diff --git a/CHANGELOG.md b/CHANGELOG.md
index f51df528..d5076496 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,13 +9,28 @@ TODO: short info about being decoupled from GraphDB
 - Added `annotations` for common annotations across resources
 - Added `graphdb.serviceAccount` allowing you to create or use an existing service account for GraphDB pods.
-- Values in `labels` and `annotations` are now evaluated as templates
 - Added separate `labels` and `annotations` for the cluster proxy
 - Added GraphDB and GraphDB proxy hostnames resolution in the init containers
+- Added `properties` for inserting additional GraphDB configurations in the properties configmap
+- Added `images.graphdb.sha` to optionally provide an expected SHA checksum of the image
+- Added `graphdb.node.persistence.enabled` toggle flag for enabling or disabling the persistence of GraphDB
+- Added new configuration options for the default ingress `deployment.ingress`:
+ - Ability to override the `host` and `path` for GraphDB from `deployment.host` and `graphdb.workbench.subpath`
+ - Changing the `pathType`
+ - Inserting additional hosts and TLS configurations with `extraHosts` and `extraTLS`
+- Added `labels` for each service resource for insertion of additional labels
+- Added `containerPorts` and `proxy.containerPorts` for mapping the ports on which GraphDB listens on
+- Added `ports` mappings in each service
+- Added `extraContainerPorts` and `proxy.extraContainerPorts`
 ### Updates
 - GraphDB properties and logback configuration configmaps are now applied by default
+- Values in `labels`, `annotations` and `imagePullSecrets` are now evaluated as templates
+- Removed unused busybox image configurations from `images.busybox`
+- Updated the ingress resource to be agnostic to the ingress implementation. It will no longer assume that NGINX is the ingress controller in the
+ cluster
+- Service resources and probes now refer to the target ports by their nicknames
 ### Breaking
@@ -24,6 +39,16 @@ TODO: short info about being decoupled from GraphDB
 - Resource names are no longer hardcoded and are using the templates for `nameOverride` and `fullnameOverride`
 - Removed setting FQDN as hostnames in GraphDB and the proxy in favor of dynamically resolving and configuring the hostnames in the init containers
 - Configmaps from `graphdb.configs` are now under `configuration` and with a different structure allowing better reuse of existing configmaps
+- Updated `workbench.subpath` to serve GraphDB at context path `/` by default
+- Updated `deployment.imagePullSecret` to be a list, e.g. `deployment.imagePullSecrets`
+- Removed the default value from `global.imageRegistry`, the chart now uses the value from `images.graphdb.registry`
+- Removed `global.storageClass` in favor of using by default the default storage class in the cluster. Templates will no longer
+ use `global.storageClass`.
+- Renamed `graphdb.clusterProxy.persistence.enablePersistence` toggle to just `enabled`
+- Removed `maxRequestSize` and `timeout` configurations from `deployment.ingress` as they were specific to the ingress controller implementation of
+ nginx
+- Renamed the port mappings of GraphDB and GraphDB proxy to `http` and `rpc`
+- Renamed `graphdb.node.service` to `headlessService`
 ## Version 10.6.0-R2
@@ -59,7 +84,8 @@ TODO: short info about being decoupled from GraphDB
 ## Version 10.4.1
-- Added configurations for specifying resource values for all remaining containers, see `graphdb.node.initContainerResources` and `graphdb.jobResources`.
+- Added configurations for specifying resource values for all remaining containers, see `graphdb.node.initContainerResources`
+ and `graphdb.jobResources`.
 ## Version 10.3.1-R2
diff --git a/README.md b/README.md
index 8ad069c6..b99d405f 100644
--- a/README.md
+++ b/README.md
@@ -475,19 +475,22 @@ about defining resource limits. | configuration.logback.existingConfigmap | string | `""` | | | configuration.properties.configmapKey | string | `"graphdb.properties"` | | | configuration.properties.existingConfigmap | string | `""` | | +| containerPorts.http | int | `7200` | | +| containerPorts.rpc | int | `7300` | | | deployment.host | string | `"localhost"` | | | deployment.imagePullPolicy | string | `"IfNotPresent"` | Defines the policy with which components will request their image. | -| deployment.ingress | object | `{"annotations":{},"class":"nginx","enabled":true,"maxRequestSize":"512M","timeout":{"connect":5,"read":600,"send":600}}` | Ingress related configurations | +| deployment.imagePullSecrets | list | `[]` | Secrets used to pull Docker images. | +| deployment.ingress | object | `{"annotations":{},"className":"","enabled":true,"extraHosts":[],"extraTLS":[],"host":"","labels":{},"path":"","pathType":"Prefix"}` | Ingress related configurations | | deployment.ingress.annotations | object | `{}` | Sets extra ingress annotations | -| deployment.ingress.maxRequestSize | string | `"512M"` | Sets the maximum size for all requests to the underlying Nginx | -| deployment.ingress.timeout | object | `{"connect":5,"read":600,"send":600}` | Default timeouts in seconds for the underlying Nginx. | +| deployment.ingress.className | string | `""` | Specifies the ingress controller implementation that will deploy this ingress. Not defining this would result in using the default ingress controller in the cluster, if there is one. | +| deployment.ingress.enabled | bool | `true` | Toggles the deployment of the default ingress | | deployment.protocol | string | `"http"` | The hostname and protocol at which the graphdb will be accessible. Needed to configure ingress as well as some components require it to properly render their UIs | | deployment.tls.enabled | bool | `false` | Feature toggle for SSL termination. Disabled by default. 
If TLS is enabled, the protocol should also be updated (https) | | deployment.tls.secretName | string | `nil` | Name of a Kubernetes secret object with the key and certificate. If TLS is enabled, it's required to be provided, depending on the deployment. | +| extraContainerPorts | object | `{}` | | | fullnameOverride | string | `""` | | | global.imagePullSecrets | list | `[]` | | -| global.imageRegistry | string | `"docker.io"` | | -| global.storageClass | string | `"standard"` | | +| global.imageRegistry | string | `""` | | | graphdb.clusterConfig.clusterCreationTimeout | int | `60` | Timeout for the cluster creation CURL query. Note: By default helm waits for Kubernetes commands to complete for 5 minutes. You can increase that by adding "--timeout 10m" to the helm command. | | graphdb.clusterConfig.clusterSecret | string | `"s3cr37"` | A secret used for secure communication amongst the nodes in the cluster. | | graphdb.clusterConfig.electionMinTimeout | int | `8000` | Cluster configuration parameters: Refer to https://graphdb.ontotext.com/documentation/10.6/creating-a-cluster.html#creation-parameters The minimum wait time in milliseconds for a heartbeat from a leader. | 
@@ -499,27 +502,29 @@ about defining resource limits. | graphdb.clusterConfig.transactionLogMaximumSizeGB | int | `50` | | | graphdb.clusterConfig.verificationTimeout | int | `1500` | | | graphdb.clusterProxy.affinity | object | `{}` | | +| graphdb.clusterProxy.containerPorts.http | int | `7200` | | +| graphdb.clusterProxy.containerPorts.rpc | int | `7300` | | | graphdb.clusterProxy.extraEnv | list | `[]` | | | graphdb.clusterProxy.extraEnvFrom | list | `[]` | | | graphdb.clusterProxy.extraInitContainers | list | `[]` | | | graphdb.clusterProxy.extraVolumeMounts | list | `[]` | | | graphdb.clusterProxy.extraVolumes | list | `[]` | | -| graphdb.clusterProxy.headlessService | object | `{"annotations":{}}` | GraphDB cluster proxy headless service configurations | +| graphdb.clusterProxy.headlessService | object | `{"annotations":{},"labels":{},"ports":{"http":7200,"rpc":7300}}` | GraphDB cluster proxy headless service configurations | | graphdb.clusterProxy.java_args | string | `"-XX:MaxRAMPercentage=70 -Ddefault.min.distinct.threshold=100m -XX:+UseContainerSupport"` | Java arguments with which the cluster proxy instances will be launched. GraphDB configuration properties can also be passed here in the format -Dprop=value | -| graphdb.clusterProxy.livenessProbe | object | `{"httpGet":{"path":"/proxy/health","port":"gdb-proxy-port"},"initialDelaySeconds":120,"periodSeconds":10,"timeoutSeconds":5}` | Configurations for the GraphDB cluster proxy liveness probe. Misconfigured probe can lead to a failing cluster. | +| graphdb.clusterProxy.livenessProbe | object | `{"httpGet":{"path":"/proxy/health","port":"http"},"initialDelaySeconds":120,"periodSeconds":10,"timeoutSeconds":5}` | Configurations for the GraphDB cluster proxy liveness probe. Misconfigured probe can lead to a failing cluster. 
| | graphdb.clusterProxy.nodeSelector | object | `{}` | | -| graphdb.clusterProxy.persistence | object | `{"enablePersistence":true,"volumeClaimTemplateSpec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"500Mi"}}}}` | Persistence configurations. By default, Helm will use a PV that reads and writes to the host file system. | +| graphdb.clusterProxy.persistence | object | `{"enabled":true,"volumeClaimTemplateSpec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"500Mi"}}}}` | Persistence configurations. By default, Helm will use a PV that reads and writes to the host file system. | | graphdb.clusterProxy.podAnnotations | object | `{}` | | | graphdb.clusterProxy.podLabels | object | `{}` | | | graphdb.clusterProxy.podSecurityContext | object | `{}` | | -| graphdb.clusterProxy.readinessProbe | object | `{"httpGet":{"path":"/proxy/ready","port":"gdb-proxy-port"},"periodSeconds":10,"timeoutSeconds":5}` | Configurations for the GraphDB cluster proxy readiness probe. Misconfigured probe can lead to a failing cluster. | +| graphdb.clusterProxy.readinessProbe | object | `{"httpGet":{"path":"/proxy/ready","port":"http"},"periodSeconds":10,"timeoutSeconds":5}` | Configurations for the GraphDB cluster proxy readiness probe. Misconfigured probe can lead to a failing cluster. 
| | graphdb.clusterProxy.replicas | int | `1` | Number of cluster proxies used to access the GraphDB cluster | | graphdb.clusterProxy.resources | object | `{"limits":{"memory":"1500Mi"},"requests":{"cpu":"100m","memory":"1500Mi"}}` | Minimum requirements for a successfully running GraphDB cluster proxy | | graphdb.clusterProxy.revisionHistoryLimit | int | `10` | | | graphdb.clusterProxy.securityContext | object | `{}` | | -| graphdb.clusterProxy.service | object | `{"annotations":{}}` | GraphDB cluster proxy service configurations | +| graphdb.clusterProxy.service | object | `{"annotations":{},"labels":{},"nodePort":"","ports":{"http":7200,"rpc":7300}}` | GraphDB cluster proxy service configurations | | graphdb.clusterProxy.serviceType | string | `"LoadBalancer"` | Service type used by the graphdb-cluster-proxy service Note: If using ALB in AWS EKS this will default to being on the public internet | -| graphdb.clusterProxy.startupProbe | object | `{"failureThreshold":60,"httpGet":{"path":"/proxy/ready","port":"gdb-proxy-port"},"periodSeconds":5,"timeoutSeconds":3}` | Configurations for the GraphDB cluster proxy startup probe. Misconfigured probe can lead to a failing cluster. | +| graphdb.clusterProxy.startupProbe | object | `{"failureThreshold":60,"httpGet":{"path":"/proxy/ready","port":"http"},"periodSeconds":5,"timeoutSeconds":3}` | Configurations for the GraphDB cluster proxy startup probe. Misconfigured probe can lead to a failing cluster. | | graphdb.clusterProxy.terminationGracePeriodSeconds | int | `30` | | | graphdb.clusterProxy.tolerations | list | `[]` | | | graphdb.clusterProxy.topologySpreadConstraints | list | `[]` | | 
@@ -538,23 +543,23 @@ about defining resource limits. | graphdb.node.extraInitContainers | list | `[]` | | | graphdb.node.extraVolumeMounts | list | `[]` | | | graphdb.node.extraVolumes | list | `[]` | | +| graphdb.node.headlessService | object | `{"annotations":{},"labels":{},"ports":{"http":7200,"rpc":7300}}` | GraphDB node headless service configurations | | graphdb.node.initContainerResources | object | `{}` | | | graphdb.node.initContainerSecurityContext | object | `{}` | | | graphdb.node.java_args | string | `"-XX:MaxRAMPercentage=70 -Ddefault.min.distinct.threshold=100m -XX:+UseContainerSupport"` | Java arguments with which node instances will be launched. GraphDB configuration properties can also be passed here in the format -Dprop=value | | graphdb.node.license | string | `nil` | Reference to a secret containing 'graphdb.license' file to be used by the nodes. Important: Must be created beforehand | | graphdb.node.licenseFilename | string | `"graphdb.license"` | File name of the GraphDB license file in the existing license secret. Default is graphdb.license | -| graphdb.node.livenessProbe | object | `{"httpGet":{"path":"/protocol","port":"graphdb"},"initialDelaySeconds":60,"periodSeconds":10,"timeoutSeconds":5}` | Configurations for the GraphDB node liveness probe. Misconfigured probe can lead to a failing cluster. | +| graphdb.node.livenessProbe | object | `{"httpGet":{"path":"/protocol","port":"http"},"initialDelaySeconds":60,"periodSeconds":10,"timeoutSeconds":5}` | Configurations for the GraphDB node liveness probe. Misconfigured probe can lead to a failing cluster. | | graphdb.node.nodeSelector | object | `{}` | | -| graphdb.node.persistence | object | `{"volumeClaimTemplateSpec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"5Gi"}}}}` | Persistence configurations. By default, Helm will use a PV that reads and writes to the host file system. 
| +| graphdb.node.persistence | object | `{"enabled":true,"volumeClaimTemplateSpec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"5Gi"}}}}` | Persistence configurations. By default, Helm will use a PV that reads and writes to the host file system. | | graphdb.node.podAnnotations | object | `{}` | | | graphdb.node.podLabels | object | `{}` | | | graphdb.node.podSecurityContext | object | `{}` | | -| graphdb.node.readinessProbe | object | `{"httpGet":{"path":"/protocol","port":"graphdb"},"initialDelaySeconds":5,"periodSeconds":10,"timeoutSeconds":5}` | Configurations for the GraphDB node readiness probe. Misconfigured probe can lead to a failing cluster. | +| graphdb.node.readinessProbe | object | `{"httpGet":{"path":"/protocol","port":"http"},"initialDelaySeconds":5,"periodSeconds":10,"timeoutSeconds":5}` | Configurations for the GraphDB node readiness probe. Misconfigured probe can lead to a failing cluster. | | graphdb.node.resources | object | `{"limits":{"memory":"2Gi"},"requests":{"cpu":0.5,"memory":"2Gi"}}` | Below are minimum requirements for data sets of up to 50 million RDF triples For resizing, refer according to the GraphDB documentation https://graphdb.ontotext.com/documentation/10.6/requirements.html | | graphdb.node.revisionHistoryLimit | int | `10` | | | graphdb.node.securityContext | object | `{}` | | -| graphdb.node.service | object | `{"annotations":{}}` | GraphDB node service configurations | -| graphdb.node.startupProbe | object | `{"failureThreshold":30,"httpGet":{"path":"/protocol","port":"graphdb"},"periodSeconds":10,"timeoutSeconds":5}` | Configurations for the GraphDB node startup probe. Misconfigured probe can lead to a failing cluster. | +| graphdb.node.startupProbe | object | `{"failureThreshold":30,"httpGet":{"path":"/protocol","port":"http"},"periodSeconds":10,"timeoutSeconds":5}` | Configurations for the GraphDB node startup probe. Misconfigured probe can lead to a failing cluster. 
| | graphdb.node.terminationGracePeriodSeconds | int | `120` | | | graphdb.node.tolerations | list | `[]` | | | graphdb.node.topologySpreadConstraints | list | `[]` | | @@ -567,19 +572,22 @@ about defining resource limits. | graphdb.serviceAccount.annotations | object | `{}` | | | graphdb.serviceAccount.create | bool | `true` | | | graphdb.serviceAccount.name | string | `""` | | -| graphdb.workbench.subpath | string | `"/graphdb"` | This is the sub path at which GraphDB workbench can be opened. Should be configured in the API gateway (or any other proxy in front) | -| images.busybox.repository | string | `"busybox"` | | -| images.busybox.tag | string | `"1.36.1"` | | +| graphdb.workbench.subpath | string | `"/"` | This is the sub path at which GraphDB workbench can be opened. | | images.graphdb.registry | string | `"docker.io"` | | | images.graphdb.repository | string | `"ontotext/graphdb"` | | +| images.graphdb.sha | string | `""` | | | images.graphdb.tag | string | `""` | | | labels | object | `{}` | | | nameOverride | string | `""` | | +| properties | object | `{}` | | | provision.settings.configmapKey | string | `"settings.js"` | | | provision.settings.existingConfigmap | string | `""` | | | provision.users.configmapKey | string | `"users.js"` | | | provision.users.existingConfigmap | string | `""` | | | proxy.annotations | object | `{}` | | +| proxy.containerPorts.http | int | `7200` | | +| proxy.containerPorts.rpc | int | `7300` | | +| proxy.extraContainerPorts | object | `{}` | | | proxy.fullnameOverride | string | `""` | | | proxy.labels | object | `{}` | | | proxy.nameOverride | string | `""` | | diff --git a/files/config/cluster-config.json b/files/config/cluster-config.json index a68a36ef..cacbd140 100644 --- a/files/config/cluster-config.json +++ b/files/config/cluster-config.json 
@@ -5,7 +5,5 @@
 "verificationTimeout": {{ .Values.graphdb.clusterConfig.verificationTimeout | int }},
 "messageSizeKB": {{ .Values.graphdb.clusterConfig.messageSize | int }},
 "transactionLogMaximumSizeGB": {{ .Values.graphdb.clusterConfig.transactionLogMaximumSizeGB | quote }},
- "nodes": [
- {{- include "graphdb.cluster.nodes.json" . | nindent 4 }}
- ]
+ "nodes": {{- include "graphdb.cluster.nodes.json" . | indent 2 }}
 }
diff --git a/files/config/graphdb.properties b/files/config/graphdb.properties
index eeb8df0b..ea9c2f43 100644
--- a/files/config/graphdb.properties
+++ b/files/config/graphdb.properties
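Review bot: The new `"nodes":` line depends on the `graphdb.cluster.nodes.json` helper rendering the complete JSON array, brackets included, whereas the removed lines supplied the brackets here; that contract lives in a template outside this hunk and is not documented at the call site. A one-line template comment above it, `{{- /* graphdb.cluster.nodes.json must render a complete JSON array including its brackets */ }}`, would make the coupling explicit for whoever edits either file next. Since `{{-` trims the space after the colon and `indent 2` prefixes every emitted line including the first, the rendered file should be checked once (e.g. with `helm template`) to confirm the array lands on the same line and parses as JSON. The whitespace of the original lines appears collapsed on this page, so the exact indentation of the new line cannot be confirmed from here.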
@@ -1,524 +1,2 @@ -####### PATHS AND DIRECTORIES ###### -# -# GraphDB home directory. Defines the root directory for GraphDB on the file system. -# It acts as a parent for all configurable paths like repository data, configuration, logs and other runtime -# data unless the location for a specific functionality is explicitly set by its corresponding property. -# The default is the same as the GraphDB distribution directory. -# The actual values for graphdb.home and the other graphdb.home.xxx properties will be printed in the log -# when GraphDB starts. -# -# graphdb.home = -# -# -# GraphDB data directory. Defines the directory where the engine stores all repository data. -# This directory must be writable by the GraphDB process. -# The default is ${graphdb.home}/data. -# -# graphdb.home.data = -# -# -# GraphDB logs directory. Defines the directory where the log files are written. -# This directory must be writable by the GraphDB process. -# The default is ${graphdb.home}/logs. -# -# graphdb.home.logs = -# -# -# GraphDB configuration directory. Used for user-editable configuration, including this file. Stores -# provided runtime license through the application, persisted as ${graphdb.home.conf}/graphdb.license. -# This directory and all files within it may be read-only for GraphDB only if no license is set in the way described above. -# The default is ${graphdb.home}/conf. -# -# Since the location of this config file depends on this property, it does not make sense to set it here. -# Instead you can provide is a system property with -D. -# -# graphdb.home.conf = -# -# -# GraphDB work directory. Used for non-user-editable database configurations. -# This directory must be writable by the GraphDB process. -# The default is ${graphdb.home}/work. -# -# graphdb.home.work = -# -# -# GraphDB external plugins directory. This can be used to add -# additional external plugins outside the distribution's lib/plugins directory. 
-# -# graphdb.extra.plugins = -# -# -# Graphdb global page cache memory parameter. By default the page cache will -# allocate 50% of the maximum Java heap memory (-Xmx) for the JVM process. -# Setting this value too high will cause OME during the execution of memory intensive queries. -# -# graphdb.page.cache.size=10G - - -###### LICENSE ###### -# -# The license can be set through the GraphDB Workbench, through a file graphdb.license -# in the GraphDB configuration directory (see graphdb.home.conf above), or through this -# property that should point to a license file: -# -# graphdb.license.file = - - -###### GraphDB Ontop JDBC Driver Path ###### -# -# GraphDB directory for the JDBC driver used in the creation of Ontop repositories. -# Use it when you want to set it to a directory different from the lib/jdbc one where the driver is normally placed. -# -# graphdb.ontop.jdbc.path = - - -###### Ontop Properties ###### -# -# Ontop configuration attribute can be passed through a property: -# -# graphdb.ontop.=xxx - - -###### NETWORK SETTINGS ###### -# -# HTTP port for running GraphDB in standalone mode. The default is 7200. -# -# graphdb.connector.port = 7200 -# -# Controls whether it is necessary to rewrite the Location header when no proxy is configured. -# Setting this property to true will use the graphdb.external-url when building the transaction URLs. -# Set it to true when the returned URLs are incorrect due to missing or invalid proxy configurations. -# Set it to false when the server can be called on multiple addresses, -# as it will override the returned address to the one defined by the graphdb.external-url. -# Boolean, default is false. -# -# graphdb.external-url.enforce.transactions = false -# -# Enable SSL (uncomment to enable) -# graphdb.connector.SSLEnabled = true -# graphdb.connector.scheme = https -# graphdb.connector.secure = true -# -# GraphDB uses the Java implementation of SSL, which requires a configured key in the Java keystore. 
-# To setup keystore uncomment the following properties and set keystorePass and keyPass to the actual values. -# -# The default is the file .keystore in the operating system home directory of the user that is running GraphDB -# graphdb.connector.keystoreFile = -# graphdb.connector.keystorePass = -# graphdb.connector.keyAlias = graphdb -# graphdb.connector.keyPass = -# -# How to generate a keystore? -# -# Option 1: Generate a self-signed key, which would require to trust the certificate in all clients. -# -# keytool -genkey -alias graphdb -keyalg RSA -# -# Option 2: Convert a third party trusted OpenSSL certificate to PKCS12 key and then import to the Java keystore. -# -# keytool -importkeystore -deststorepass MYPASS -srckeystore mypkcs12.p12 -srcstoretype PKCS12 -# -# For any additional information please refer to https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html -# -# In addition to the above settings, you can set any Tomcat Connector attribute through a property: -# graphdb.connector. = xxx -# -# See https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Attributes for more information. -# -# Another option is to use Self Signed SSL Certificate setting following two properties -# -# graphdb.connector.SSLCertificateFile = -# graphdb.connector.SSLCertificateKeyFile = - - -###### ENGINE OVERRIDE ###### -# -# The GraphDB Engine can be configured through a set of properties that start with the graphdb.engine. prefix. -# These properties correspond to the properties that can be set when creating a repository through the Workbench -# or through a .ttl file. -# -# Note that properties defined here WILL OVERRIDE the properties for each repository, regardless of whether you created -# the repository before or after you set the global value of an engine property. As such, the global overrides -# should be used only in specific cases while for normal everyday needs you should set the corresponding properties -# when you create a repository. -# -# -# graphdb.engine. 
= xxx - - -# A global setting that ensures IRI validation in the entity pool. It is performed only when an IRI is seen for the first time -# (i.e., when being created in the entity pool). For consistency reasons, not only IRIs coming from RDF serializations, -# but also all new IRIs (via API or SPARQL), will be validated in the same way. -# This property can be turned off by setting its value to false. -# -# graphdb.engine.entity.validate = true - - -###### AUTHENTICATION TOKEN SECRET ###### -# -# GraphDB authentication token secret could be set by passing it as a configuration parameter -# -# graphdb.auth.token.secret = -# -# In case of not explicitly specified, GraphDB will try to obtain one automatically from the SSL -# certificate if present or will randomly generate one - -###### OPENID AUTHENTICATION ###### -# -# OpenId is used for authentication against another authorization database (local or LDAP). -# Password authentication can be disabled in addition. -# -# Enable OpenId authentication. The default value is 'basic, gdb'. -# Provide only 'openid' if password-based login methods (basic and gdb) are not needed. -# graphdb.auth.methods = basic, gdb, openid -# -# OpenID issuer URL, used to derive keys, endpoints and token validation. No default value. -# graphdb.auth.openid.issuer = https://accounts.example.com -# -# OpenID well-known config URL, used to fetch the OpenID configuration of the OpenID provider. -# The default value will be derived by appending /.well-known/openid-configuration to the issuer URL. -# Use this setting if your OpenID does not conform to the specification and the well-known config is -# served on a different URL than the default standard-mandated value. -# graphdb.auth.openid.well_known_config_url = https://openid.example.com/custom/.well-known/openid-configuration -# -# OpenID header types, specifies the allowed values for the field "typ" in the JWT header. 
-# The value is a comma-delimited list, where 'null' is interpreted as 'no value'. -# The default value is 'jwt, at+jwt, null' and will allow tokens with "typ": "jwt", "typ": "at+jwt", -# as well as tokens with a missing "typ" value. -# graphdb.auth.openid.header_types = jwt, at+jwt, null -# -# OpenID client ID, used to authenticate and validate tokens. No default value. -# graphdb.auth.openid.client_id = my-client-id -# -# OpenID claim to use as the GraphDB username. No default value. -# graphdb.auth.openid.username_claim = email -# -# OpenID authentication flow: code, code_no_pkce or implicit. No default value. -# The recommended value is 'code' if the OpenId provider supports it with PKCE without a client secret. -# graphdb.auth.openid.auth_flow = code -# -# OpenID token type to send to GraphDB. The available values are 'access' and 'id'. No default value. -# Use the access token if it is a JWT token, otherwise use the id token. -# graphdb.auth.openid.token_type = access -# -# OpenID expected issuer URL in tokens, used to validate tokens. The default is the same as the actual issuer URL. -# graphdb.auth.openid.token_issuer = https://accounts.example.com/custom -# -# OpenID expected audience in tokens, used to validate tokens. The default value is the same as the client ID. -# graphdb.auth.openid.token_audience = my-audience -# -# OpenID extra scopes to request. Multiple scopes can be specified by separating them with a space. -# By default GraphDB requests only the 'openid' scope and, if supported, the 'offline_access' scope. -# Scopes are used to request sets of claims, e.g. you might need to set this to a provider-specific value -# in order to obtain the username_name or the roles_claim (if using OAuth as well). The default value is empty. -# graphdb.auth.openid.extra_scopes = profile email -# -# OpenID extra parameters for the authorize endpoint. Some OpenID providers require additional parameters sent -# to the authorize endpoint (e.g. resource=xxx). 
This is a URL encoded string where each parameter-value pair -# is delimited by &. The string will be appended to the rest of the authorize URL parameters. -# The default value is the empty string. -# graphdb.auth.openid.authorize_parameters = param1=value%201¶m2=value%202 -# -# OpenID Oracle identity domain. Oracle Access Manager has a non-standard OpenID implementation that requires -# an additional parameter: the Oracle identity domain name. If you use OAM set this to your identity domain name. -# graphdb.auth.openid.oracle_domain = my-oracle-domain -# -# OpenID use GraphDB as proxy for the JWKS URL and token endpoints. This can be used to bypass an OpenID provider -# without a proper CORS configuration. The value is a boolean true/false. False by default. -# graphdb.auth.openid.proxy = false - -###### OPENID AUTHENTICATION + OAUTH AUTHORIZATION ###### -# -# OpenId is used for authentication and the authorization is provided via OAuth. -# Password authentication is not available in this mode. -# -# Enable OpenId authentication and disable password-based login. The default value is 'basic, gdb'. -# graphdb.auth.methods = openid -# -# Enable OAuth authorization. The default value is 'local' corresponding to local users. -# graphdb.auth.database = oauth -# -# Set case-insensitive validation for user accounts so that users can log in regardless of the case used at login time. -# The default value is false. -# graphdb.auth.database.case_insensitive = false -# -# OpenID issuer URL, used to derive keys, endpoints and token validation. No default value. -# graphdb.auth.openid.issuer = https://accounts.example.com -# -# OpenID client ID, used to authenticate and validate tokens. No default value. -# graphdb.auth.openid.client_id = my-client-id -# -# OpenID claim to use as the GraphDB username. No default value. 
-# This will be interpreted as a JSONPath expression, so for example the value "roles.graphdb" -# will first access the object under the "roles" key and then extract the roles from the "graphdb" -# key inside that object. -# graphdb.auth.openid.username_claim = email -# -# OpenID authentication flow: code, code_no_pkce or implicit. No default value. -# The recommended value is 'code' if the OpenId provider supports it with PKCE without a client secret. -# graphdb.auth.openid.auth_flow = code -# -# OpenId token type to send to GraphDB. The available values are 'access' and 'id'. No default value. -# Use the access token if it is a JWT token, otherwise use the id token. -# graphdb.auth.openid.token_type = access -# -# OpenID expected issuer URL in tokens, used to validate tokens. The default is the same as the actual issuer URL. -# graphdb.auth.openid.token_issuer = https://accounts.example.com/custom -# -# OpenID expected audience in tokens, used to validate tokens. The default value is the same as the client ID. -# graphdb.auth.openid.token_audience = my-audience -# -# OpenID extra parameters for the authorize endpoint. Some OpenID providers require additional parameters sent -# to the authorize endpoint (e.g. resource=xxx). This is a URL encoded string where each parameter-value pair -# is delimited by &. The string will be appended to the rest of the authorize URL parameters. -# The default value is the empty string. -# graphdb.auth.openid.authorize_parameters = param1=value%201¶m2=value%202 -# -# OpenID use GraphDB as proxy for the JWKS URL and token endpoints. This can be used to bypass an OpenID provider -# without a proper CORS configuration. The value is a boolean true/false. False by default. -# graphdb.auth.openid.proxy = false -# -# OAuth roles claim. The field from the JWT token that will provide the GraphDB roles. No default value. -# graphdb.auth.oauth.roles_claim = roles -# -# OAuth roles prefix to strip. 
The roles claim may provide the GraphDB roles with some prefix, e.g. GDB_ROLE_USER. -# The prefix will be stripped when the roles are mapped. The default value is the empty string. -# graphdb.auth.oauth.roles_prefix = GDB_ -# -# OAuth roles suffix to strip. The roles claim may provide the GraphDB roles with some suffix, e.g. ROLE_USER_GDB. -# The suffix will be stripped when the roles are mapped. The default value is the empty string. -# graphdb.auth.oauth.roles_suffix = ROLE_USER_GDB -# -# OAuth default roles to assign. It may be convenient to always assign certain roles without listing them in the roles -# claim. The value is a comma-delimited list of GraphDB roles. The default value is the empty list. -# -# graphdb.auth.oauth.default_roles = ROLE_USER - -###### LDAP AUTHENTICATION AND AUTHORIZATION ###### -# -# Turn on ldap authentication and configure the server. -# -# Note that since GraphDB 9.5 local users will no longer be accessible when using LDAP -# -# graphdb.auth.database = ldap -# graphdb.auth.ldap.url = ldap://localhost:10389/dc=example,dc=org - -# Permit access for all users that are part of the \u201Cpeople\u201D unit of the fictional \u201Cexample.org\u201D organisation. -# -# graphdb.auth.ldap.user.search.base = ou=people -# graphdb.auth.ldap.user.search.filter = (cn={0}) - -# Make all users in the Administration group GraphDB administrators as well. -# -# graphdb.auth.ldap.role.search.base = ou=groups -# graphdb.auth.ldap.role.search.filter = (member={0}) -# graphdb.auth.ldap.role.map.administrator = Administration - -# Make all users in the Management group GraphDB Repository Managers as well. -# -# graphdb.auth.ldap.role.map.repositoryManager = Management - -# Enable all users in the Readers group to read the my_repo repository. -# -# graphdb.auth.ldap.role.map.repository.read.my_repo = Readers - -# Enable all users in the Writers group to write and read the my_repo repository. 
-#
-# graphdb.auth.ldap.role.map.repository.write.my_repo = Writers
-
-# All entries located under the "groups" organizational unit that have members (i.e., groups),
-# will be able to read repositories that share their common name.
-#
-# graphdb.auth.ldap.repository.read.base = ou=groups
-# graphdb.auth.ldap.repository.read.filter = (member={0})
-# graphdb.auth.ldap.repository.read.attribute = cn
-
-# All entries located under the "groups" organizational unit that have members (i.e., groups),
-# will be able to read and write to repositories that share their common name.
-#
-# graphdb.auth.ldap.repository.write.base = ou=groups
-# graphdb.auth.ldap.repository.write.filter = (member={0})
-# graphdb.auth.ldap.repository.write.attribute = cn
-
-# Required for accessing a LDAP server, that does not allow anonymous binds and anonymous access
-#
-# graphdb.auth.ldap.bind.userDn = uid=userId,ou=people,dc=example,dc=org
-# graphdb.auth.ldap.bind.userDn.password = 123456
-
-# Adds to all users in Readers group custom role.
-#
-# graphdb.auth.ldap.map.role.role_name = Readers
-
-###### KERBEROS AUTHENTICATION ######
-#
-# Enables Kerberos authentication. The default value is 'basic, gdb'.
-#
-# graphdb.auth.methods = basic, gdb, kerberos
-#
-# Full or relative (to the GraphDB config directory) path to where the keys
-# of the Kerberos service principal are stored. No default value. Required if Kerberos is enabled
-# You can find more on how to create a keytab file https://web.mit.edu/kerberos/krb5-devel/doc/basic/keytab_def.html
-#
-# graphdb.auth.kerberos.keytab =
-#
-# Name of the Kerberos service principal. No default value. Required if Kerberos is enabled.
-#
-# graphdb.auth.kerberos.principal = HTTP/data.example.com@EXAMPLE.COM
-#
-# Determines whether to print additional Kerberos-related messages
-# in some of the Spring Kerberos classes. Default value is false.
-#
-# graphdb.auth.kerberos.debug = true/false
-
-###### X.509 CERTIFICATE AUTHENTICATION + LOCAL or LDAP AUTHORIZATION ######
-#
-# X.509 certificate authentication is used for authentication against another authorization database (local or LDAP).
-#
-# Enable X.509 certificate authentication. The default value is 'basic, gdb'.
-# Provide only 'x509' if password-based login methods (basic and gdb) are not needed.
-# graphdb.auth.methods = basic, gdb, x509
-#
-# Enable local or LDAP authorization. The default value is 'local' corresponding to local users.
-# If LDAP is the chosen authorization database, follow the instructions for its enabling.
-# graphdb.auth.database = ldap
-#
-# Provides the regular expression to extract the username from the certificate.
-# The default is "CN=(.*?)(?:,|$)". Uncomment to provide a custom expression.
-# graphdb.auth.methods.x509.subject.dn.pattern = CN=(.*?)(?:,|$)
-#
-# To implement server-side X.509 authentication, enable SSL.
-#
-# To set up a truststore different from the default JRE one, uncomment the following
-# properties and set 'truststoreFile' and 'truststorePass' to their actual values.
-#
-# graphdb.connector.truststoreFile =
-# graphdb.connector.truststorePass =
-#
-##### X.509 CERTIFICATE AUTHENTICATION REVOCATION STATUS CHECK CONFIGURATION ######
-#
-# Controls whether OCSP checks are performed, true by default.
-# graphdb.auth.methods.x509.ocsp = true
-#
-# Controls whether CRLDP checks are performed, true by default.
-# graphdb.auth.methods.x509.crldp = true
-#
-# Uncomment the following to set a Certificate Revocation List to Tomcat,
-# which will allow revocation checks for certificates that do not provide
-# an Authority Information Access (AIA) extension, or as an alternative
-# in case of OCSP or CrlDP responders downtime.
-# graphdb.auth.methods.x509.crlFile =
-
-###### Cloud backup and Restore ######
-#
-# Enable tls for connections against s3 compatible services. To set up a truststore different from the default JRE one
-# set `graphdb.connector.truststoreFile` and `graphdb.connector.truststorePass`
-# graphdb.s3.tls.enabled = false
-#
-# Timeout in seconds for a cloud backup's single part upload.
-# graphdb.s3.backup.httpclient.write.timeout = 3600
-
-###### AUDIT TRAIL ######
-#
-# Enable the detail audit trail for all operations with the minimal access role of:
-# USER, REPO_MANAGER, ADMIN, ANY
-#
-# graphdb.audit.role = USER
-#
-# and read, write operations with the minimal access of:
-# READ, WRITE
-#
-# graphdb.audit.repository = READ
-#
-# Audit the specific headers
-#
-# graphdb.audit.headers = Origin, Host
-#
-# List headers that should be included into logs in front of client requests.
-#
-# graphdb.request.id.alternatives = X-Amz-Request-Id
-#
-# Enable logging of "X-Request-Id" header and listed in graphdb.request.id.alternatives headers into any log.
-# "X-Request-Id" header will be included by default. In case "X-Request-Id" is not present in the headers of
-# the request it will be generated randomly in UUID type 5 format.
-#
-# graphdb.append.request.id.headers = true
-
-###### CLUSTER CONFIGURATIONS ######
-
-# Embedded cluster proxy configurations
-
-# Uncomment to disable the embedded cluster proxy that redirects requests to the leader in cluster deployment.
-# Will be disabled automatically if external proxy is used.
-#graphdb.cluster.proxy.enabled=false
-
-# The following configurations represents the defaults of the HTTP client used to redirect requests.
-# Uncomment and change any of the default values
-# -1 means infinite timeout
-# The connection timeout is in seconds
-#graphdb.cluster.proxy.socketTimeout=-1
-#graphdb.cluster.proxy.connectionTimeoutS=15
-# This limits the maximum number of concurrent requests send to the leader
-#graphdb.cluster.proxy.maxConnectionsPerRoute=30000
-#graphdb.cluster.proxy.maxConnectionsTotal=50000
-
-# Dedicated cluster proxy configurations
-
-# List the addresses of GraphDB HTTP or RPC address to the nodes that are part of a cluster
-# Note that all of the addresses need to be from the same cluster
-# graphdb.proxy.hosts =
-# The number of times a request to be retried to a different node in the cluster, when a node is not reachable, before failing the request.
-# If a request could be handled by other node, other than the initial one, then other node from the cluster will be
-# asked to handle the request.
-# graphdb.proxy.followerRetries=3
-
-
-###### CHATGPT INTEGRATION ######
-#
-# GraphDB has built-in ChatGPT integration. The minimum required configuration is setting the GPT access token.
-#
-# GPT API access token, none by default.
-# graphdb.gpt.token =
-#
-# GPT model to use, gpt-3.5-turbo by default.
-# graphdb.gpt.model = gpt-3.5-turbo
-#
-# GPT timeout in seconds, 90 by default.
-# graphdb.gpt.timeout = 90
-#
-#
-# GPT advanced options below - setting these may be needed if the integration should use a different API endpoint
-# and/or a different authentication method. See the documentation for more details.
-#
-# GPT chat completions API endpoint, https://api.openai.com/v1/chat/completions by default.
-# graphdb.gpt.url = https://api.openai.com/v1/chat/completions
-#
-# GPT authentication method, bearer by default.
-# graphdb.gpt.auth = bearer
-
-
-# Server report in cluster configuration
-
-# The maximum time to wait for a triggered report is configured with a default value of 120 minutes.
-#graphdb.wait.report.minutes=120
-
-###### HEAP DUMPS ######
-#
-# GraphDB can dump the heap on out of memory errors in order to provide insight to the cause
-# for excessive memory usage.
-#
-# Enable or disable the heap dump (enabled by default)
-# graphdb.heapdump.enable = true
-#
-# File to write the heap dump to, by default this is the file heapdump.hprof in the configured logs directory.
-# See also the properties graphdb.home and graphdb.home.logs.
-# graphdb.heapdump.path =
-
-###### JSON-LD WHITELIST ######
-#
-# The configuration property 'graphdb.jsonld.whitelist' is used to define a whitelist
-# of URLs or file locations that are permitted for JSON-LD processing in GraphDB.
-#
-# The whitelist is a comma-separated list of URLs or file locations.
-# The wildcard (*) in URLs or file paths allows for fine-grained control, enabling administrators to specify entire domains or directories.
-# Each entry in the list represents a resource that is considered safe for JSON-LD operations.
-# graphdb.jsonld.whitelist = https://my.good_host.com/prop, https://my.good_host.com/*, file:///my/good/jsonld/prop, file:///my/good/jsonld/*
+# See https://graphdb.ontotext.com/documentation/ for supported properties
+graphdb.connector.port={{ .Values.containerPorts.http }}
diff --git a/files/config/proxy/graphdb.properties b/files/config/proxy/graphdb.properties
index 27e1d747..2eac3e72 100644
--- a/files/config/proxy/graphdb.properties
+++ b/files/config/proxy/graphdb.properties
@@ -1,73 +1,3 @@
-###### NETWORK SETTINGS ######
-#
-# HTTP port for running GraphDB in standalone mode. The default is 7200.
-#
-# graphdb.connector.port = 7200
-#
-# Controls whether it is necessary to rewrite the Location header when no proxy is configured.
-# Setting this property to true will use the graphdb.external-url when building the transaction URLs.
-# Set it to true when the returned URLs are incorrect due to missing or invalid proxy configurations.
-# Set it to false when the server can be called on multiple addresses,
-# as it will override the returned address to the one defined by the graphdb.external-url.
-# Boolean, default is false.
-#
-# graphdb.external-url.enforce.transactions = false
-#
-# Enable SSL (uncomment to enable)
-# graphdb.connector.SSLEnabled = true
-# graphdb.connector.scheme = https
-# graphdb.connector.secure = true
-#
-# GraphDB uses the Java implementation of SSL, which requires a configured key in the Java keystore.
-# To setup keystore uncomment the following properties and set keystorePass and keyPass to the actual values.
-#
-# The default is the file .keystore in the operating system home directory of the user that is running GraphDB
-# graphdb.connector.keystoreFile =
-# graphdb.connector.keystorePass =
-# graphdb.connector.keyAlias = graphdb
-# graphdb.connector.keyPass =
-#
-# How to generate a keystore?
-#
-# Option 1: Generate a self-signed key, which would require to trust the certificate in all clients.
-#
-# keytool -genkey -alias graphdb -keyalg RSA
-#
-# Option 2: Convert a third party trusted OpenSSL certificate to PKCS12 key and then import to the Java keystore.
-#
-# keytool -importkeystore -deststorepass MYPASS -srckeystore mypkcs12.p12 -srcstoretype PKCS12
-#
-# For any additional information please refer to https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
-#
-# In addition to the above settings, you can set any Tomcat Connector attribute through a property:
-# graphdb.connector. = xxx
-#
-# See https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Attributes for more information.
-#
-# Another option is to use Self Signed SSL Certificate setting following two properties
-#
-# graphdb.connector.SSLCertificateFile =
-# graphdb.connector.SSLCertificateKeyFile =
-
-###### AUTHENTICATION TOKEN SECRET ######
-#
-# GraphDB authentication token secret could be set by passing it as a configuration parameter
-#
-# graphdb.auth.token.secret =
-#
-# In case of not explicitly specified, GraphDB will try to obtain one automatically from the SSL
-# certificate if present or will randomly generate one
-
-###### CLUSTER CONFIGURATIONS ######
-
-# Dedicated cluster proxy configurations
-
 # List the addresses of GraphDB HTTP or RPC address to the nodes that are part of a cluster
-# Note that all of the addresses need to be from the same cluster
-
+graphdb.connector.port={{ .Values.proxy.containerPorts.http }}
 graphdb.proxy.hosts={{ include "graphdb-proxy.cluster.nodes" . }}
-
-# The number of times a request to be retried to a different node in the cluster, when a node is not reachable, before failing the request.
-# If a request could be handled by other node, other than the initial one, then other node from the cluster will be
-# asked to handle the request.
-# graphdb.proxy.followerRetries=3
diff --git a/files/scripts/graphdb.sh b/files/scripts/graphdb.sh
index 779862c7..9960c911 100755
--- a/files/scripts/graphdb.sh
+++ b/files/scripts/graphdb.sh
@@ -14,7 +14,7 @@ function createCluster {
 --header "Authorization: Basic ${authToken}" \
 --header 'Content-Type: application/json' \
 --header 'Accept: */*' \
- "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:7200/rest/cluster/config"
+ "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/cluster/config"
 if grep -q 'HTTP/1.1 201' "response.json"; then
 echo "Cluster creation successful!"
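Review bot: The trimmed proxy properties file keeps only `graphdb.connector.port` and `graphdb.proxy.hosts`, but unlike the node properties file in this commit it gains no pointer to where the remaining proxy settings are documented; add `# See https://graphdb.ontotext.com/documentation/ for supported properties` above `graphdb.connector.port=...` so both generated files read the same way. The surviving context line `# List the addresses of GraphDB HTTP or RPC address to the nodes that are part of a cluster` now describes a value that is rendered from the `graphdb-proxy.cluster.nodes` helper rather than edited by hand, so reword it to say so, for example `# Rendered by the chart from the cluster node addresses; override via values, not here`.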
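Review bot: `${GRAPHDB_SERVICE_PORT}` is expanded with no guard, so if the variable is unset the URL degrades to `http://<pod>-0.<service>:/rest/cluster/config` and the request goes to the wrong place with an error that does not point at the missing variable; the same applies to the @@ -54 and @@ -75 hunks of this file and to `GRAPHDB_PROXY_SERVICE_PORT`/`GRAPHDB_SERVICE_PORT` in every update-cluster.sh hunk. On this page `GRAPHDB_SERVICE_PORT` is exported only in templates/jobs/job-create-cluster.yaml; I could not see where the jobs that run update-cluster.sh export `GRAPHDB_PROXY_SERVICE_PORT`, so please confirm that is covered. A one-line guard near the top of each script makes the failure explicit and early: `: "${GRAPHDB_SERVICE_PORT:?GRAPHDB_SERVICE_PORT must be set}"` (and the proxy equivalent in update-cluster.sh). The body of createCluster starts outside the hunk.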
@@ -54,7 +54,7 @@ function waitAllNodes {
 for (( c=$node_count; c>0; c )) do
 c=$((c-1))
- waitService "http://${GRAPHDB_POD_NAME}-$c.${GRAPHDB_SERVICE_NAME}:7200/rest/repositories"
+ waitService "http://${GRAPHDB_POD_NAME}-$c.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/repositories"
 done
 }
@@ -75,7 +75,7 @@ function createRepositoryFromFile {
 -F config=@$(unknown) \
 -H "Authorization: Basic ${authToken}" \
 -H 'Content-Type: multipart/form-data' \
- "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:7200/rest/repositories"
+ "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/repositories"
 )
 if [ -z "$response" ]; then
diff --git a/files/scripts/update-cluster.sh b/files/scripts/update-cluster.sh
index 6a3402d2..39b4fc21 100644
--- a/files/scripts/update-cluster.sh
+++ b/files/scripts/update-cluster.sh
@@ -8,13 +8,13 @@ function patchCluster {
 local timeout=$2
 echo "Patching cluster"
- waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:7200/proxy/ready"
+ waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready"
 curl -o patchResponse.json -isSL -m "$timeout" -X PATCH \
 --header "Authorization: Basic ${authToken}" \
 --header 'Content-Type: application/json' \
 --header 'Accept: application/json' \
 -d @"$configLocation" \
- "http://${GRAPHDB_PROXY_SERVICE_NAME}:7200/rest/cluster/config"
+ "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config"
 if grep -q 'HTTP/1.1 200' "patchResponse.json"; then
 echo "Patch successful"
@@ -59,13 +59,13 @@ function removeNodes {
 done
 nodes=\{\"nodes\":\[${nodes}\]\}
- waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:7200/proxy/ready"
+ waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready"
 curl -o clusterRemove.json -isSL -m 15 -X DELETE \
 --header 'Content-Type: application/json' \
 --header 'Accept: application/json' \
 --header "Authorization: Basic ${authToken}" \
 -d "${nodes}" \
- "http://${GRAPHDB_PROXY_SERVICE_NAME}:7200/rest/cluster/config/node"
+ "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config/node"
 if grep -q 'HTTP/1.1 200' "clusterRemove.json"; then
 echo "Scaling down successful."
@@ -102,13 +102,13 @@ function addNodes {
 done
 nodes=\{\"nodes\":\[${nodes}\]\}
- waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:7200/proxy/ready"
+ waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready"
 curl -o clusterAdd.json -isSL -m ${timeout} -X POST \
 --header 'Content-Type: application/json' \
 --header 'Accept: application/json' \
 --header "Authorization: Basic ${authToken}" \
 -d "${nodes}" \
- "http://${GRAPHDB_PROXY_SERVICE_NAME}:7200/rest/cluster/config/node"
+ "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config/node"
 if grep -q 'HTTP/1.1 200' "clusterAdd.json"; then
 echo "Scaling successful."
@@ -128,11 +128,11 @@ function addNodes {
 function deleteCluster {
 local authToken=$PROVISION_USER_AUTH_TOKEN
- waitService "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:7200/rest/repositories"
+ waitService "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/repositories"
 curl -o response.json -isSL -m 15 -X DELETE \
 --header "Authorization: Basic ${authToken}" \
 --header 'Accept: */*' \
- "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:7200/rest/cluster/config?force=false"
+ "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/cluster/config?force=false"
 if grep -q 'HTTP/1.1 200' "response.json"; then
 echo "Cluster deletion successful!"
@@ -148,7 +148,7 @@ function deleteCluster {
 function getNodeCountInCurrentCluster {
 local authToken=$PROVISION_USER_AUTH_TOKEN
- local node_address="http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:7200"
+ local node_address="http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}"
 waitService "${node_address}/rest/repositories"
 curl -o clusterResponse.json -isSL -m 15 -X GET \
 --header 'Content-Type: application/json' \
diff --git a/templates/NOTES.txt b/templates/NOTES.txt
index 013cb49c..5c55934c 100644
--- a/templates/NOTES.txt
+++ b/templates/NOTES.txt
@@ -20,4 +20,4 @@ You can check their status with kubectl get pods
 WARNING: You are attempting to make a cluster without providing a license secret!
 {{ end }}
 Endpoints:
-* GraphDB workbench: {{ .Values.deployment.protocol }}://{{ include "graphdb.resolveDeploymentHost" . }}{{ .Values.graphdb.workbench.subpath }}
+* GraphDB workbench: {{ include "graphdb.url.public" . }}
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
new file mode 100644
index 00000000..7893a59f
--- /dev/null
+++ b/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Renders the URL address at which GraphDB would be accessed
+*/}}
+{{- define "graphdb.url.public" -}}
+ {{- printf "%s://%s%s" .Values.deployment.protocol .Values.deployment.host .Values.graphdb.workbench.subpath -}}
+{{- end }}
+
+{{/*
+Combined image pull secrets
+*/}}
+{{- define "graphdb.combinedImagePullSecrets" -}}
+ {{- $secrets := concat .Values.global.imagePullSecrets .Values.deployment.imagePullSecrets }}
+ {{- tpl ( toYaml $secrets ) . -}}
+{{- end -}}
+
+{{/*
+Renders the container image for GraphDB
+*/}}
+{{- define "graphdb.image" -}}
+ {{- $repository := .Values.images.graphdb.repository -}}
+ {{- $tag := .Values.images.graphdb.tag | default .Chart.AppVersion | toString -}}
+ {{- $image := printf "%s:%s" $repository $tag -}}
+ {{/* Add registry if present */}}
+ {{- $registry := .Values.global.imageRegistry | default .Values.images.graphdb.registry -}}
+ {{- if $registry -}}
+ {{- $image = printf "%s/%s" $registry $image -}}
+ {{- end -}}
+ {{/* Add SHA if provided */}}
+ {{- if .Values.images.graphdb.sha -}}
+ {{- $image = printf "%s@sha256:%s" $image .Values.images.graphdb.sha -}}
+ {{- end -}}
+ {{- $image -}}
+{{- end -}}
+
+{{/*
+Renders the gRPC address of each GraphDB node that is part of the cluster as a JSON array. Used in the cluster JSON config.
+*/}}
+{{- define "graphdb.cluster.nodes.json" -}}
+ {{- $pod_name := include "graphdb.fullname" . -}}
+ {{- $service_name := include "graphdb.fullname.service.headless" . -}}
+ {{- $service_rpc_port := .Values.graphdb.node.headlessService.ports.rpc -}}
+ {{- $nodes := list -}}
+ {{- range $i, $node_index := until (int .Values.graphdb.clusterConfig.nodesCount) -}}
+ {{- $nodes = append $nodes (printf "%s-%s.%s.%s.svc.cluster.local:%s" $pod_name (toString $node_index) $service_name $.Release.Namespace (toString $service_rpc_port)) -}}
+ {{- end -}}
+ {{- toPrettyJson $nodes -}}
+{{- end -}}
+
+{{/*
+Renders the HTTP address of each GraphDB node that is part of the cluster, joined by a comma.
+*/}}
+{{- define "graphdb-proxy.cluster.nodes" -}}
+ {{- $pod_name := include "graphdb.fullname" . -}}
+ {{- $service_name := include "graphdb.fullname.service.headless" . -}}
+ {{- $service_http_port := .Values.graphdb.node.headlessService.ports.http -}}
+ {{- range $i, $node_index := until (int $.Values.graphdb.clusterConfig.nodesCount) -}}
+ http://{{ $pod_name }}-{{ $node_index }}.{{ $service_name }}.{{ $.Release.Namespace }}.svc.cluster.local:{{ $service_http_port }}
+ {{- if gt (sub (int $.Values.graphdb.clusterConfig.nodesCount) 1 ) $node_index -}}
+ {{- ", " -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/templates/_helpers.yaml b/templates/_helpers.yaml
deleted file mode 100644
index 4b3a2974..00000000
--- a/templates/_helpers.yaml
+++ /dev/null
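Review bot: `graphdb-proxy.cluster.nodes` and `graphdb.cluster.nodes.json` build `<pod>.<headless-service>.<ns>.svc.cluster.local:<port>` addresses but take the port from `headlessService.ports.http` / `.rpc`; a headless Service has no cluster IP and its per-pod DNS names resolve straight to pod IPs, so no port translation happens and the port in these URLs has to be the one the container listens on (`.Values.containerPorts.http` / `.rpc`). Before this commit both were the same hard-coded number, but they are now configured independently, so either render the container ports here (and in `GRAPHDB_SERVICE_PORT` in templates/jobs/job-create-cluster.yaml, whose scripts also address `<pod>-0.<headless-service>` directly) or state in values.yaml that the headless service ports must equal the container ports. Separately, `graphdb.combinedImagePullSecrets` passes `.Values.global.imagePullSecrets` and `.Values.deployment.imagePullSecrets` straight to `concat`; if either key is absent (nil) rather than `[]`, Sprig's `concat` fails at render time even though the callers guard with `or`, so I would write `{{- $secrets := concat (.Values.global.imagePullSecrets | default list) (.Values.deployment.imagePullSecrets | default list) }}` unless values.yaml is known to default both to empty lists.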
@@ -1,85 +0,0 @@
-{{- define "graphdb.resolveDeploymentHost" -}}
- {{- $global := .Values.global | default dict -}}
- {{- $globalDeployment := $global.deployment | default dict -}}
- {{- print (index $globalDeployment "host" | default (index $global "ingressHost") | default .Values.deployment.host) -}}
-{{- end }}
-
-{{/*
-Renders the URL address at which GraphDB would be accessed
-*/}}
-{{- define "graphdb.url.public" -}}
-{{ $.Values.deployment.protocol }}://{{ include "graphdb.resolveDeploymentHost" $ }}{{ $.Values.graphdb.workbench.subpath }}
-{{- end }}
-
-{{/*
-Combined image pull secrets
-*/}}
-{{- define "graphdb.combinedImagePullSecrets" -}}
- {{- $secrets := list -}}
-
- {{- if .Values.deployment.imagePullSecret -}}
- {{- $secret := dict "name" .Values.deployment.imagePullSecret -}}
- {{- $secrets = append $secrets $secret -}}
- {{- end -}}
-
- {{- if and .Values.global .Values.global.imagePullSecrets -}}
- {{- $secrets = concat $secrets .Values.global.imagePullSecrets -}}
- {{- end -}}
-
- {{- toYaml $secrets -}}
-{{- end -}}
-
-{{/*
-Rendenders a volumeClaimTemplate as yaml.
-If the storage class name is not specified - 'global.storageClass' is checked and if set it is used as the storageClassName for the template.
-Otherwise it is left blank and cluster default will be used.
-*/}}
-{{- define "graphdb.renderVolumeClaimTemplateSpec" }}
- {{- if and .globalStorageClassName (not .spec.storageClassName) }}
- {{- $spec := set .spec "storageClassName" .globalStorageClassName }}
- {{- $spec | toYaml }}
- {{- else }}
- {{- .spec | toYaml }}
- {{- end }}
-{{- end }}
-
-{{/*
-Render the container image for GraphDB
-*/}}
-{{- define "graphdb.image" -}}
- {{- $registry := .Values.images.graphdb.registry -}}
- {{- $repository := .Values.images.graphdb.repository -}}
- {{- $tag := .Values.images.graphdb.tag | default .Chart.AppVersion | toString -}}
- {{- if and .Values.global .Values.global.imageRegistry -}}
- {{- $registry = .Values.global.imageRegistry -}}
- {{- end -}}
- {{- if $registry -}}
- {{- printf "%s/%s:%s" $registry $repository $tag -}}
- {{- else -}}
- {{- printf "%s:%s" $repository $tag -}}
- {{- end -}}
-{{- end }}
-
-{{/*
-Renders the gRPC address of each GraphDB node that is part of the cluster. Used in the cluster JSON config.
-*/}}
-{{- define "graphdb.cluster.nodes.json" -}}
- {{- range $i, $node_index := until (int .Values.graphdb.clusterConfig.nodesCount) -}}
- "{{ include "graphdb.fullname" $ }}-{{ $node_index }}.{{ include "graphdb.fullname.service.headless" $ }}.{{ $.Release.Namespace }}.svc.cluster.local:7300"
- {{- if gt (sub (int $.Values.graphdb.clusterConfig.nodesCount) 1 ) $node_index -}}
- {{- ", \n" -}}
- {{- end -}}
- {{- end -}}
-{{- end -}}
-
-{{/*
-Renders the HTTP address of each GraphDB node that is part of the cluster, joined by a comma.
-*/}}
-{{- define "graphdb-proxy.cluster.nodes" -}}
- {{- range $i, $node_index := until (int $.Values.graphdb.clusterConfig.nodesCount) -}}
- http://{{ include "graphdb.fullname" $ }}-{{ $node_index }}.{{ include "graphdb.fullname.service.headless" $ }}.{{ $.Release.Namespace }}.svc.cluster.local:7200
- {{- if gt (sub (int $.Values.graphdb.clusterConfig.nodesCount) 1 ) $node_index -}}
- {{- ", " -}}
- {{- end -}}
- {{- end -}}
-{{- end -}}
diff --git a/templates/_labels.yaml b/templates/_labels.tpl
similarity index 100%
rename from templates/_labels.yaml
rename to templates/_labels.tpl
diff --git a/templates/graphdb/configmap-properties.yaml b/templates/graphdb/configmap-properties.yaml
index 36ce553d..99db7060 100644
--- a/templates/graphdb/configmap-properties.yaml
+++ b/templates/graphdb/configmap-properties.yaml
@@ -11,5 +11,13 @@ metadata:
 {{- end }}
 data:
 {{ .Values.configuration.properties.configmapKey }}: |-
- {{- tpl ( .Files.Get "files/config/graphdb.properties" ) . | nindent 4 }}
+ {{- tpl ( .Files.Get "files/config/graphdb.properties" | trim ) . | nindent 4 }}
+ {{- if .Values.properties }}
+ ##### Overrides from values.yaml #####
+ {{ range $key, $val := .Values.properties }}
+ {{- if ne $val nil }}
+ {{- $key }}={{ tpl ($val | toString) $ | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/templates/graphdb/service-headless.yaml b/templates/graphdb/service-headless.yaml
index ba4b6467..1e27b9d6 100644
--- a/templates/graphdb/service-headless.yaml
+++ b/templates/graphdb/service-headless.yaml
@@ -4,7 +4,10 @@ metadata:
 name: {{ include "graphdb.fullname.service.headless" . }}
 labels:
 {{- include "graphdb.labels" . | nindent 4 }}
- {{- with (mergeOverwrite (deepCopy .Values.annotations) .Values.graphdb.node.service.annotations) }}
+ {{- with .Values.graphdb.node.headlessService.labels }}
+ {{- tpl ( toYaml . ) $ | nindent 4 }}
+ {{- end }}
+ {{- with (mergeOverwrite (deepCopy .Values.annotations) .Values.graphdb.node.headlessService.annotations) }}
 annotations:
 {{- tpl ( toYaml . ) $ | nindent 4 }}
 {{- end }}
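Review bot: The override loop in configmap-properties.yaml renders every `key=value` pair onto a single line: `{{- if ne $val nil }}` and `{{- $key }}` both left-trim, so the newline between iterations is consumed and the text after `##### Overrides from values.yaml #####` comes out as `a=1b=2` (as far as I can trace the trim markers; please render with two entries to confirm). `| quote` also wraps each value in double quotes, which a Java-style properties reader keeps as part of the value, whereas the base line `graphdb.connector.port={{ .Values.containerPorts.http }}` is unquoted. Changing the two lines to `{{- range $key, $val := .Values.properties }}` and `{{ $key }}={{ tpl ($val | toString) $ }}` puts each entry on its own line at the block-scalar indentation with no quoting.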
@@ -13,13 +16,13 @@ spec:
 selector:
 {{- include "graphdb.selectorLabels" . | nindent 4 }}
 ports:
- - name: graphdb
- port: 7200
- targetPort: 7200
+ - name: http
+ port: {{ .Values.graphdb.node.headlessService.ports.http }}
+ targetPort: http
 protocol: TCP
 {{- if gt (int $.Values.graphdb.clusterConfig.nodesCount) 1 }}
 - name: rpc
- port: 7300
- targetPort: 7300
+ port: {{ .Values.graphdb.node.headlessService.ports.rpc }}
+ targetPort: rpc
 protocol: TCP
 {{- end }}
diff --git a/templates/graphdb/statefulset.yaml b/templates/graphdb/statefulset.yaml
index 804230a6..e4f281f9 100644
--- a/templates/graphdb/statefulset.yaml
+++ b/templates/graphdb/statefulset.yaml
@@ -18,19 +18,19 @@ spec:
 selector:
 matchLabels:
 {{- include "graphdb.selectorLabels" . | nindent 6 }}
- {{- if or (hasKey $.Values.graphdb.node.persistence "volumeClaimTemplateSpec") ($.Values.graphdb.import_directory_mount.enabled) }}
+ {{- if or .Values.graphdb.node.persistence.enabled .Values.graphdb.import_directory_mount.enabled }}
 volumeClaimTemplates:
- {{- if hasKey $.Values.graphdb.node.persistence "volumeClaimTemplateSpec" }}
+ {{- if .Values.graphdb.node.persistence.enabled }}
 - metadata:
 name: graphdb-storage
- {{- $spec := dict "globalStorageClassName" $.Values.global.storageClass "spec" $.Values.graphdb.node.persistence.volumeClaimTemplateSpec }}
- spec: {{ include "graphdb.renderVolumeClaimTemplateSpec" $spec | nindent 8 }}
+ spec:
+ {{- toYaml .Values.graphdb.node.persistence.volumeClaimTemplateSpec | nindent 8 }}
 {{- end }}
 {{- if $.Values.graphdb.import_directory_mount.enabled }}
 - metadata:
- name: graphdb-server-import
- {{- $spec := dict "globalStorageClassName" $.Values.global.storageClass "spec" $.Values.graphdb.import_directory_mount.volumeClaimTemplateSpec }}
- spec: {{ include "graphdb.renderVolumeClaimTemplateSpec" $spec | nindent 8 }}
+ name: graphdb-import
+ spec:
+ {{- toYaml .Values.graphdb.import_directory_mount.volumeClaimTemplateSpec | nindent 8 }}
 {{- end }}
 {{- end }}
 template:
@@ -46,7 +46,6 @@ spec:
 {{- tpl ( toYaml . ) $ | nindent 8 }}
 {{- end }}
 spec:
- setHostnameAsFQDN: false
 terminationGracePeriodSeconds: {{ .Values.graphdb.node.terminationGracePeriodSeconds }}
 serviceAccountName: {{ include "graphdb.serviceAccountName" . }}
 volumes:
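Review bot: Renaming the import volumeClaimTemplate from `graphdb-server-import` to `graphdb-import` is an upgrade-breaking change that the chart should call out: `spec.volumeClaimTemplates` is immutable on an existing StatefulSet, so `helm upgrade` on a release with `import_directory_mount.enabled` is rejected by the API server, and once the StatefulSet is recreated the pods bind new `graphdb-import-<pod>` claims while the old `graphdb-server-import-<pod>` PVCs keep the data. Please add a Breaking-section entry along the lines of `Renamed the import directory volumeClaimTemplate from graphdb-server-import to graphdb-import; delete the StatefulSet (keeping PVCs) and migrate or rename the claim before upgrading`. The volumeMount that refers to this claim is outside the hunk, so also confirm it was renamed to match.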
@@ -89,8 +88,10 @@ spec:
 {{- with .Values.graphdb.node.podSecurityContext }}
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if or .Values.global.imagePullSecrets .Values.deployment.imagePullSecrets }}
 imagePullSecrets:
- {{- include "graphdb.combinedImagePullSecrets" $ | nindent 8 }}
+ {{- include "graphdb.combinedImagePullSecrets" . | nindent 8 }}
+ {{- end }}
 containers:
 - name: {{ .Chart.Name }}
 image: {{ include "graphdb.image" . }}
@@ -102,12 +103,15 @@ spec:
 args: {{ toYaml . | nindent 12 }}
 {{- end }}
 ports:
- - name: graphdb
- containerPort: 7200
- {{- if gt (int (.Values.graphdb.clusterConfig.nodesCount)) 1 }}
- - name: graphdb-rpc
- containerPort: 7300
- {{- end }}
+ - name: http
+ containerPort: {{ .Values.containerPorts.http }}
+ {{- if gt (int (.Values.graphdb.clusterConfig.nodesCount)) 1 }}
+ - name: rpc
+ containerPort: {{ .Values.containerPorts.rpc }}
+ {{- end }}
+ {{- with .Values.extraContainerPorts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 envFrom:
 - configMapRef:
 name: {{ include "graphdb.fullname" . }}
@@ -118,7 +122,7 @@ spec:
 env: {{- tpl ( toYaml . ) $ | nindent 12 }}
 {{- end }}
 volumeMounts:
- {{- if hasKey $.Values.graphdb.node.persistence "volumeClaimTemplateSpec" }}
+ {{- if .Values.graphdb.node.persistence.enabled }}
 - name: graphdb-storage
 mountPath: /opt/graphdb/home
 {{- end }}
@@ -160,8 +164,12 @@ spec:
 env:
 - name: GRAPHDB_PUBLIC_URL
 value: {{ include "graphdb.url.public" . }}
+ - name: GRAPHDB_HTTP_PORT
+ value: {{ .Values.containerPorts.http | quote }}
+ - name: GRAPHDB_RPC_PORT
+ value: {{ .Values.containerPorts.rpc | quote }}
 volumeMounts:
- {{- if hasKey $.Values.graphdb.node.persistence "volumeClaimTemplateSpec" }}
+ {{- if .Values.graphdb.node.persistence.enabled }}
 - name: graphdb-storage
 mountPath: /opt/graphdb/home
 {{- end }}
@@ -193,11 +201,12 @@ spec:
 echo 'Configuring graphdb.properties'
 cat /tmp/graphdb/graphdb.properties > /opt/graphdb/home/conf/graphdb.properties
 echo "" >> /opt/graphdb/home/conf/graphdb.properties
+ echo "##### Overrides from initContainer #####" >> /opt/graphdb/home/conf/graphdb.properties
 echo "Configuring GraphDB hostname: $(hostname --fqdn)"
- echo "graphdb.vhosts=$(hostname --fqdn):7200, ${GRAPHDB_PUBLIC_URL}" >> /opt/graphdb/home/conf/graphdb.properties
+ echo "graphdb.vhosts=$(hostname --fqdn):${GRAPHDB_HTTP_PORT}, ${GRAPHDB_PUBLIC_URL}" >> /opt/graphdb/home/conf/graphdb.properties
 echo "graphdb.hostname=$(hostname --fqdn)" >> /opt/graphdb/home/conf/graphdb.properties
- echo "graphdb.rpc.address=$(hostname --fqdn):7300" >> /opt/graphdb/home/conf/graphdb.properties
+ echo "graphdb.rpc.address=$(hostname --fqdn):${GRAPHDB_RPC_PORT}" >> /opt/graphdb/home/conf/graphdb.properties
 if [[ ! -f /opt/graphdb/home/work/workbench/settings.js && ! -f /opt/graphdb/home/data/users.js && -f /tmp/graphdb/users.js ]]; then
 echo "Provisioning users with users.js file..."
diff --git a/templates/ingress.yaml b/templates/ingress.yaml
index 9d41b784..a5ed077e 100644
--- a/templates/ingress.yaml
+++ b/templates/ingress.yaml
@@ -5,48 +5,46 @@ metadata: name: {{ include "graphdb.fullname" . }} labels: {{- include "graphdb.labels" . | nindent 4 }} - annotations: - kubernetes.io/ingress.class: {{ .Values.deployment.ingress.class }} - {{- if .Values.deployment.tls.enabled }} - ingress.kubernetes.io/force-ssl-redirect: "true" - {{- end }} - nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.deployment.ingress.maxRequestSize }} - nginx.ingress.kubernetes.io/proxy-connect-timeout: {{ .Values.deployment.ingress.timeout.connect | quote }} - nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .Values.deployment.ingress.timeout.read | quote }} - nginx.ingress.kubernetes.io/proxy-send-timeout: {{ .Values.deployment.ingress.timeout.send | quote }} - {{- if eq $.Values.graphdb.workbench.subpath "/" }} - nginx.ingress.kubernetes.io/rewrite-target: /$1 - {{- else }} - nginx.ingress.kubernetes.io/rewrite-target: /$2 + {{- with .Values.deployment.ingress.labels }} + {{- tpl ( toYaml . ) $ | nindent 4 }} {{- end }} - nginx.ingress.kubernetes.io/x-forwarded-prefix: {{ $.Values.graphdb.workbench.subpath | quote }} + annotations: {{- with (mergeOverwrite (deepCopy .Values.annotations) .Values.deployment.ingress.annotations) }} {{- tpl ( toYaml . ) $ | nindent 4 }} {{- end }} spec: - {{- if .Values.deployment.tls.enabled }} + {{- with .Values.deployment.ingress.className }} + ingressClassName: {{ . }} + {{- end }} + {{- if or .Values.deployment.tls.enabled .Values.deployment.ingress.extraTLS }} tls: + {{- if .Values.deployment.tls.enabled }} - hosts: - - {{ include "graphdb.resolveDeploymentHost" . | quote }} + - {{ coalesce .Values.deployment.ingress.host .Values.deployment.host }} secretName: {{ required "TLS secret is required!" .Values.deployment.tls.secretName }} + {{- end }} + {{- with .Values.deployment.ingress.extraTLS }} + {{- tpl ( toYaml . ) $ | nindent 4 }} + {{- end }} {{- end }} rules: - - host: {{ include "graphdb.resolveDeploymentHost" . 
| quote }} + - host: {{ coalesce .Values.deployment.ingress.host .Values.deployment.host }} http: paths: - {{- if eq $.Values.graphdb.workbench.subpath "/" }} - - path: /(.*) - {{- else }} - - path: {{ $.Values.graphdb.workbench.subpath }}(/|$)(.*) - {{- end }} - pathType: ImplementationSpecific + - path: {{ coalesce .Values.deployment.ingress.path .Values.graphdb.workbench.subpath }} + pathType: {{ .Values.deployment.ingress.pathType }} backend: service: - {{- if gt (int $.Values.graphdb.clusterConfig.nodesCount) 1 }} + {{- if gt (int $.Values.graphdb.clusterConfig.nodesCount) 1 }} name: {{ include "graphdb-proxy.fullname" . }} - {{- else }} + port: + number: {{ .Values.graphdb.clusterProxy.service.ports.http }} + {{- else }} name: {{ include "graphdb.fullname.service.headless" . }} - {{- end }} port: - number: 7200 + number: {{ .Values.graphdb.node.headlessService.ports.http }} + {{- end }} + {{- with .Values.deployment.ingress.extraHosts }} + {{- tpl ( toYaml . ) $ | nindent 4 }} + {{- end }} {{- end }} diff --git a/templates/jobs/job-create-cluster.yaml b/templates/jobs/job-create-cluster.yaml index f7da230a..8f16b8f4 100644 --- a/templates/jobs/job-create-cluster.yaml +++ b/templates/jobs/job-create-cluster.yaml @@ -18,8 +18,10 @@ spec: template: spec: restartPolicy: Never + {{- if or .Values.global.imagePullSecrets .Values.deployment.imagePullSecrets }} imagePullSecrets: - {{- include "graphdb.combinedImagePullSecrets" $ | nindent 8 }} + {{- include "graphdb.combinedImagePullSecrets" . | nindent 8 }} + {{- end }} securityContext: {{- $.Values.graphdb.jobPodSecurityContext | toYaml | nindent 8 }} containers: @@ -30,6 +32,8 @@ spec: value: {{ include "graphdb.fullname" . }} - name: GRAPHDB_SERVICE_NAME value: {{ include "graphdb.fullname.service.headless" . }} + - name: GRAPHDB_SERVICE_PORT + value: {{ .Values.graphdb.node.headlessService.ports.http | quote }} envFrom: - secretRef: name: {{ include "graphdb.fullname.secret.provision-user" . }} 
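Review bot: `- host: {{ coalesce .Values.deployment.ingress.host .Values.deployment.host }}` and the same expression under `tls: - hosts:` drop the `| quote` the removed lines had, so a wildcard host such as `*.example.com` is read as a YAML alias and the chart fails to render, and other host values are left to implicit typing; restore `| quote` on both lines. With `deployment.tls.enabled` the rendered ingress also no longer carries `ingress.kubernetes.io/force-ssl-redirect: "true"` (it went out together with the nginx annotations), so on controllers that do not redirect by default plaintext HTTP stays served beside the TLS listener; since the chart is now controller-agnostic, a comment on `deployment.ingress.annotations` in values.yaml saying the redirect annotation for the chosen controller belongs there would make that regression explicit. The block the final `{{- end }}` closes opens outside the hunk.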
diff --git a/templates/jobs/job-patch-cluster.yaml b/templates/jobs/job-patch-cluster.yaml index 0d8069fe..7e4e5cc6 100644 --- a/templates/jobs/job-patch-cluster.yaml +++ b/templates/jobs/job-patch-cluster.yaml @@ -18,8 +18,10 @@ spec: template: spec: restartPolicy: Never + {{- if or .Values.global.imagePullSecrets .Values.deployment.imagePullSecrets }} imagePullSecrets: - {{- include "graphdb.combinedImagePullSecrets" $ | nindent 8 }} + {{- include "graphdb.combinedImagePullSecrets" . | nindent 8 }} + {{- end }} securityContext: {{- $.Values.graphdb.jobPodSecurityContext | toYaml | nindent 8 }} containers: @@ -30,8 +32,12 @@ spec: value: {{ include "graphdb.fullname" . }} - name: GRAPHDB_SERVICE_NAME value: {{ include "graphdb.fullname.service.headless" . }} + - name: GRAPHDB_SERVICE_PORT + value: {{ .Values.graphdb.node.headlessService.ports.http | quote }} - name: GRAPHDB_PROXY_SERVICE_NAME value: {{ include "graphdb-proxy.fullname" . }} + - name: GRAPHDB_PROXY_SERVICE_PORT + value: {{ .Values.graphdb.clusterProxy.headlessService.ports.http | quote }} envFrom: - secretRef: name: {{ include "graphdb.fullname.secret.provision-user" . }} diff --git a/templates/jobs/job-provision-repositories.yaml b/templates/jobs/job-provision-repositories.yaml index 5729eb27..f0e04a57 100644 --- a/templates/jobs/job-provision-repositories.yaml +++ b/templates/jobs/job-provision-repositories.yaml @@ -18,8 +18,10 @@ spec: template: spec: restartPolicy: Never + {{- if or .Values.global.imagePullSecrets .Values.deployment.imagePullSecrets }} imagePullSecrets: - {{- include "graphdb.combinedImagePullSecrets" $ | nindent 8 }} + {{- include "graphdb.combinedImagePullSecrets" . | nindent 8 }} + {{- end }} securityContext: {{- $.Values.graphdb.jobPodSecurityContext | toYaml | nindent 8 }} containers: 
@@ -30,6 +32,8 @@ spec: value: {{ include "graphdb.fullname" . }} - name: GRAPHDB_SERVICE_NAME value: {{ include "graphdb.fullname.service.headless" . }} + - name: GRAPHDB_SERVICE_PORT + value: {{ .Values.graphdb.node.headlessService.ports.http | quote }} envFrom: - secretRef: name: {{ include "graphdb.fullname.secret.provision-user" . }} diff --git a/templates/jobs/job-scale-down-cluster.yaml b/templates/jobs/job-scale-down-cluster.yaml index da3a7ef0..497b5ce7 100644 --- a/templates/jobs/job-scale-down-cluster.yaml +++ b/templates/jobs/job-scale-down-cluster.yaml @@ -16,8 +16,10 @@ spec: template: spec: restartPolicy: Never + {{- if or .Values.global.imagePullSecrets .Values.deployment.imagePullSecrets }} imagePullSecrets: - {{- include "graphdb.combinedImagePullSecrets" $ | nindent 8 }} + {{- include "graphdb.combinedImagePullSecrets" . | nindent 8 }} + {{- end }} securityContext: {{- $.Values.graphdb.jobPodSecurityContext | toYaml | nindent 8 }} containers: @@ -28,8 +30,12 @@ spec: value: {{ include "graphdb.fullname" . }} - name: GRAPHDB_SERVICE_NAME value: {{ include "graphdb.fullname.service.headless" . }} + - name: GRAPHDB_SERVICE_PORT + value: {{ .Values.graphdb.node.headlessService.ports.http | quote }} - name: GRAPHDB_PROXY_SERVICE_NAME value: {{ include "graphdb-proxy.fullname" . }} + - name: GRAPHDB_PROXY_SERVICE_PORT + value: {{ .Values.graphdb.clusterProxy.headlessService.ports.http | quote }} envFrom: - secretRef: name: {{ include "graphdb.fullname.secret.provision-user" . }} diff --git a/templates/jobs/job-scale-up-cluster.yaml b/templates/jobs/job-scale-up-cluster.yaml index b053339f..31e9a6c5 100644 --- a/templates/jobs/job-scale-up-cluster.yaml +++ b/templates/jobs/job-scale-up-cluster.yaml 
@@ -18,8 +18,10 @@ spec: template: spec: restartPolicy: Never + {{- if or .Values.global.imagePullSecrets .Values.deployment.imagePullSecrets }} imagePullSecrets: - {{- include "graphdb.combinedImagePullSecrets" $ | nindent 8 }} + {{- include "graphdb.combinedImagePullSecrets" . | nindent 8 }} + {{- end }} securityContext: {{- $.Values.graphdb.jobPodSecurityContext | toYaml | nindent 8 }} containers: @@ -30,8 +32,12 @@ spec: value: {{ include "graphdb.fullname" . }} - name: GRAPHDB_SERVICE_NAME value: {{ include "graphdb.fullname.service.headless" . }} + - name: GRAPHDB_SERVICE_PORT + value: {{ .Values.graphdb.node.headlessService.ports.http | quote }} - name: GRAPHDB_PROXY_SERVICE_NAME value: {{ include "graphdb-proxy.fullname" . }} + - name: GRAPHDB_PROXY_SERVICE_PORT + value: {{ .Values.graphdb.clusterProxy.headlessService.ports.http | quote }} envFrom: - secretRef: name: {{ include "graphdb.fullname.secret.provision-user" . }} diff --git a/templates/proxy/service-headless.yaml b/templates/proxy/service-headless.yaml index 26b29823..fcd16a51 100644 --- a/templates/proxy/service-headless.yaml +++ b/templates/proxy/service-headless.yaml @@ -5,6 +5,9 @@ metadata: name: {{ include "graphdb-proxy.fullname.service.headless" . }} labels: {{- include "graphdb-proxy.labels" . | nindent 4 }} + {{- with .Values.graphdb.clusterProxy.headlessService.labels }} + {{- tpl ( toYaml . ) $ | nindent 4 }} + {{- end }} {{- with (mergeOverwrite (deepCopy .Values.proxy.annotations) .Values.graphdb.clusterProxy.headlessService.annotations) }} annotations: {{- tpl ( toYaml . ) $ | nindent 4 }} 
@@ -14,8 +17,12 @@ spec: selector: {{- include "graphdb-proxy.selectorLabels" . | nindent 4 }} ports: - - name: gdb-proxy-rpc - port: 7300 - targetPort: 7300 + - name: http + port: {{ .Values.graphdb.clusterProxy.headlessService.ports.http }} + targetPort: http + protocol: TCP + - name: rpc + port: {{ .Values.graphdb.clusterProxy.headlessService.ports.rpc }} + targetPort: rpc protocol: TCP {{- end }} diff --git a/templates/proxy/service.yaml b/templates/proxy/service.yaml index c7c64c72..779c1f17 100644 --- a/templates/proxy/service.yaml +++ b/templates/proxy/service.yaml @@ -5,6 +5,9 @@ metadata: name: {{ include "graphdb-proxy.fullname" . }} labels: {{- include "graphdb-proxy.labels" . | nindent 4 }} + {{- with .Values.graphdb.clusterProxy.service.labels }} + {{- tpl ( toYaml . ) $ | nindent 4 }} + {{- end }} {{- with (mergeOverwrite (deepCopy .Values.proxy.annotations) .Values.graphdb.clusterProxy.service.annotations) }} annotations: {{- tpl ( toYaml . ) $ | nindent 4 }} @@ -14,8 +17,11 @@ spec: selector: {{- include "graphdb-proxy.selectorLabels" . | nindent 4 }} ports: - - name: gdb-proxy-port - port: 7200 - targetPort: 7200 + - name: http + port: {{ .Values.graphdb.clusterProxy.service.ports.http }} + targetPort: http protocol: TCP + {{- if .Values.graphdb.clusterProxy.service.nodePort }} + nodePort: {{ .Values.graphdb.clusterProxy.service.nodePort }} + {{- end }} {{- end }} diff --git a/templates/proxy/statefulset.yaml b/templates/proxy/statefulset.yaml index 9351d74d..340fa40a 100644 --- a/templates/proxy/statefulset.yaml +++ b/templates/proxy/statefulset.yaml 
@@ -17,13 +17,13 @@ spec: selector: matchLabels: {{- include "graphdb-proxy.selectorLabels" . | nindent 6 }} + {{- if .Values.graphdb.clusterProxy.persistence.enabled }} volumeClaimTemplates: - {{- if $.Values.graphdb.clusterProxy.persistence.enablePersistence }} - metadata: name: graphdb-storage - {{- $spec := dict "globalStorageClassName" $.Values.global.storageClass "spec" $.Values.graphdb.clusterProxy.persistence.volumeClaimTemplateSpec }} - spec: {{ include "graphdb.renderVolumeClaimTemplateSpec" $spec | nindent 8 }} - {{- end }} + spec: + {{- toYaml .Values.graphdb.clusterProxy.persistence.volumeClaimTemplateSpec | nindent 8 }} + {{- end }} template: metadata: labels: @@ -37,7 +37,6 @@ spec: {{- tpl ( toYaml . ) $ | nindent 8 }} {{- end }} spec: - setHostnameAsFQDN: false terminationGracePeriodSeconds: {{ .Values.graphdb.clusterProxy.terminationGracePeriodSeconds }} volumes: - name: graphdb-properties @@ -61,8 +60,10 @@ spec: {{- with .Values.graphdb.clusterProxy.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} + {{- if or .Values.global.imagePullSecrets .Values.deployment.imagePullSecrets }} imagePullSecrets: - {{- include "graphdb.combinedImagePullSecrets" $ | nindent 8 }} + {{- include "graphdb.combinedImagePullSecrets" . | nindent 8 }} + {{- end }} {{- with .Values.graphdb.clusterProxy.extraInitContainers }} initContainers: {{- toYaml . | nindent 8 }} 
@@ -82,12 +83,15 @@ spec: env: {{- tpl ( toYaml . ) $ | nindent 12 }} {{- end }} ports: - - name: gdb-proxy-port - containerPort: 7200 - - name: gdb-proxy-rpc - containerPort: 7300 + - name: http + containerPort: {{ .Values.proxy.containerPorts.http }} + - name: rpc + containerPort: {{ .Values.proxy.containerPorts.rpc }} + {{- with .Values.proxy.extraContainerPorts }} + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - {{- if $.Values.graphdb.clusterProxy.persistence.enablePersistence }} + {{- if $.Values.graphdb.clusterProxy.persistence.enabled }} - name: graphdb-storage mountPath: /opt/graphdb/home {{- end }} @@ -116,6 +120,10 @@ spec: env: - name: GRAPHDB_PUBLIC_URL value: {{ include "graphdb.url.public" . }} + - name: GRAPHDB_PROXY_HTTP_PORT + value: {{ .Values.proxy.containerPorts.http | quote }} + - name: GRAPHDB_PROXY_RPC_PORT + value: {{ .Values.proxy.containerPorts.rpc | quote }} {{- with .Values.graphdb.node.initContainerSecurityContext }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} @@ -126,7 +134,7 @@ spec: - name: graphdb-properties mountPath: /tmp/graphdb.properties subPath: graphdb.properties - {{- if $.Values.graphdb.clusterProxy.persistence.enablePersistence }} + {{- if $.Values.graphdb.clusterProxy.persistence.enabled }} - name: graphdb-storage mountPath: /opt/graphdb/home {{- end }} 
@@ -138,11 +146,13 @@ spec: echo 'Configuring graphdb.properties' cat /tmp/graphdb.properties > /opt/graphdb/home/conf/graphdb.properties + echo "" >> /opt/graphdb/home/conf/graphdb.properties + echo "##### Overrides from initContainer #####" >> /opt/graphdb/home/conf/graphdb.properties echo 'Configuring GraphDB cluster proxy hostnames' echo "graphdb.hostname=$(hostname --fqdn)" >> /opt/graphdb/home/conf/graphdb.properties - echo "graphdb.rpc.address=$(hostname --fqdn):7300" >> /opt/graphdb/home/conf/graphdb.properties - echo "graphdb.vhosts=$(hostname --fqdn):7200, ${GRAPHDB_PUBLIC_URL}" >> /opt/graphdb/home/conf/graphdb.properties + echo "graphdb.rpc.address=$(hostname --fqdn):${GRAPHDB_PROXY_RPC_PORT}" >> /opt/graphdb/home/conf/graphdb.properties + echo "graphdb.vhosts=$(hostname --fqdn):${GRAPHDB_PROXY_HTTP_PORT}, ${GRAPHDB_PUBLIC_URL}" >> /opt/graphdb/home/conf/graphdb.properties echo "graphdb.external-url=${GRAPHDB_PUBLIC_URL}" >> /opt/graphdb/home/conf/graphdb.properties echo 'Done' diff --git a/values.yaml b/values.yaml index 75e6f7f5..860e9fe4 100644 --- a/values.yaml +++ b/values.yaml @@ -6,9 +6,8 @@ # See https://helm.sh/docs/chart_template_guide/values_files/ global: + imageRegistry: "" imagePullSecrets: [] - storageClass: "standard" - imageRegistry: docker.io # Top lvl flat for easier maintenance images: @@ -17,9 +16,8 @@ images: repository: ontotext/graphdb # If specified, overrides Chart.AppVersion tag: "" - busybox: - repository: busybox - tag: "1.36.1" + # Expected SHA checksum of the used GraphDB image + sha: "" # Overrides the name of the chart affecting the resources names for GraphDB # To override the GraphDB proxy's name, use proxy.nameOverride 
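Review bot: The new `# Expected SHA checksum of the used GraphDB image` comment on `sha: ""` does not say what form the value takes or what it enforces; a digest only pins the image if the reference is rendered as `<repository>@sha256:<digest>`, and how the `graphdb.image` helper consumes this field is not visible in this diff. Suggest `# Optional image digest, e.g. "sha256:<64-hex-digest>" (placeholder); when set, the image reference is pinned by digest and tag becomes informational — see the graphdb.image helper`, adjusted to whatever the helper actually renders.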
@@ -53,13 +51,23 @@ provision: existingConfigmap: "" configmapKey: "users.js" +# Additional GraphDB properties to insert in the properties configmap +properties: {} + +# Ports used by the GraphDB container +containerPorts: + http: 7200 + rpc: 7300 + +# Additional container ports to insert +extraContainerPorts: {} + ####### DEPLOYMENT CONFIGURATIONS ####### deployment: # -- Defines the policy with which components will request their image. imagePullPolicy: IfNotPresent - # Secret used to pull Docker images. Uncomment to use it. - # Important: Must be created beforehand - # imagePullSecret: ontotext + # -- Secrets used to pull Docker images. + imagePullSecrets: [] # -- The hostname and protocol at which the graphdb will be accessible. # Needed to configure ingress as well as some components require it to properly render their UIs @@ -79,17 +87,26 @@ deployment: # -- Ingress related configurations ingress: + # -- Toggles the deployment of the default ingress enabled: true - class: nginx + # -- Specifies the ingress controller implementation that will deploy this ingress. + # Not defining this would result in using the default ingress controller in the cluster, if there is one. + className: "" + # -- Sets extra ingress labels + labels: {} # -- Sets extra ingress annotations annotations: {} - # -- Sets the maximum size for all requests to the underlying Nginx - maxRequestSize: 512M - # -- Default timeouts in seconds for the underlying Nginx. - timeout: - connect: 5 - read: 600 - send: 600 + # Overrides deployment.host + host: "" + # Overrides graphdb.workbench.subpath + path: "" + # Sets the ingress path type. + # If you need to use ImplementationSpecific, make sure to set any annotations needed by the implementation. + pathType: Prefix + # List of additional hostnames to append to the ingress resource + extraHosts: [] + # List of additional TLS records to append to the ingress resource + extraTLS: [] # GraphDB database configurations graphdb: 
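Review bot: `extraContainerPorts: {}` is typed as a mapping, but the statefulset splices it into the container's `ports:` sequence with `toYaml`, so a user who follows the default's shape and supplies a map renders a mapping inside a list and the manifest is rejected; the default and comment should be `# Additional container port entries (a list of containerPort specs) to append` followed by `extraContainerPorts: []`. The same applies to `proxy.extraContainerPorts: {}` in the last hunk of this file.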
@@ -158,13 +175,20 @@ graphdb: # Extra pod labels and annotations podLabels: {} podAnnotations: {} - # -- GraphDB node service configurations - service: + # -- GraphDB node headless service configurations + headlessService: + # Extra labels to append to the headless service + labels: {} # Extra annotations to append to the service annotations: {} + # Ports exposed by the service + ports: + http: 7200 + rpc: 7300 # -- Persistence configurations. # By default, Helm will use a PV that reads and writes to the host file system. persistence: + enabled: true # use dynamic volume provisioning volumeClaimTemplateSpec: accessModes: @@ -185,7 +209,7 @@ graphdb: startupProbe: httpGet: path: /protocol - port: graphdb + port: http failureThreshold: 30 timeoutSeconds: 5 periodSeconds: 10 @@ -193,7 +217,7 @@ graphdb: readinessProbe: httpGet: path: /protocol - port: graphdb + port: http initialDelaySeconds: 5 timeoutSeconds: 5 periodSeconds: 10 @@ -201,7 +225,7 @@ graphdb: livenessProbe: httpGet: path: /protocol - port: graphdb + port: http initialDelaySeconds: 60 timeoutSeconds: 5 periodSeconds: 10 @@ -242,6 +266,10 @@ graphdb: # -- Service type used by the graphdb-cluster-proxy service # Note: If using ALB in AWS EKS this will default to being on the public internet serviceType: LoadBalancer + # Ports used by GraphDB proxy container + containerPorts: + http: 7200 + rpc: 7300 # Node scheduling options such as nodeSelector, affinity, tolerations, topologySpreadConstraints can be set here for ALL nodes. # By default, no restrictions are applied. nodeSelector: {} 
@@ -253,12 +281,27 @@ graphdb: podAnnotations: {} # -- GraphDB cluster proxy service configurations service: + # Extra labels to append to the service + labels: {} # Extra annotations to append to the service annotations: {} + # Ports exposed by the service + ports: + http: 7200 + rpc: 7300 + # Exposes the service on a specific node port on the host machine when "serviceType: NodePort" + # If left undefined, K8S will pick a random port from the node port range of the cluster. + nodePort: "" # -- GraphDB cluster proxy headless service configurations headlessService: + # Extra labels to append to the headless service + labels: {} # Extra annotations to append to the service annotations: {} + # Ports exposed by the service + ports: + http: 7200 + rpc: 7300 # -- Minimum requirements for a successfully running GraphDB cluster proxy resources: limits: @@ -270,7 +313,7 @@ graphdb: # By default, Helm will use a PV that reads and writes to the host file system. persistence: # enable or disable proxy persistence - enablePersistence: true + enabled: true # use dynamic volume provisioning volumeClaimTemplateSpec: accessModes: @@ -282,7 +325,7 @@ graphdb: startupProbe: httpGet: path: /proxy/ready - port: gdb-proxy-port + port: http failureThreshold: 60 timeoutSeconds: 3 periodSeconds: 5 @@ -290,14 +333,14 @@ graphdb: readinessProbe: httpGet: path: /proxy/ready - port: gdb-proxy-port + port: http timeoutSeconds: 5 periodSeconds: 10 # -- Configurations for the GraphDB cluster proxy liveness probe. Misconfigured probe can lead to a failing cluster. livenessProbe: httpGet: path: /proxy/health - port: gdb-proxy-port + port: http initialDelaySeconds: 120 timeoutSeconds: 5 periodSeconds: 10 
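Review bot: The comment on `nodePort: ""` says it applies `when "serviceType: NodePort"`, but the chart's default `serviceType` is `LoadBalancer` (context in the `@@ -242` hunk above), Kubernetes honours a fixed `nodePort` on LoadBalancer services too, and templates/proxy/service.yaml emits the field whenever it is set regardless of type, so a `ClusterIP` service with it set is rejected by the API server. Suggest `# Fixed node port for the service when serviceType is NodePort or LoadBalancer; leave empty to let the cluster allocate one (must stay empty for ClusterIP).`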
@@ -323,8 +366,7 @@ graphdb: # GraphDB workbench configurations workbench: # -- This is the sub path at which GraphDB workbench can be opened. - # Should be configured in the API gateway (or any other proxy in front) - subpath: /graphdb + subpath: / # WARNING: Setting enabled to true in most cloud providers will result in an error # Attach additional PV which will be used as an import directory @@ -348,7 +390,7 @@ graphdb: # # Service account for the GraphDB nodes. # GraphDB by itself has no need to communicate with the Kubernetes API but the service account tokens can be used - # as ODIC tokens for authentication in cloud APIs. + # as ODIC federated web identity tokens for authentication in cloud APIs. # serviceAccount: # - Specifies whether a service account should be created @@ -372,3 +414,11 @@ proxy: # Additional common annotations to add to the GraphDB proxy resources annotations: {} + + # Ports used by GraphDB proxy and the Service components + containerPorts: + http: 7200 + rpc: 7300 + + # Additional container ports to insert + extraContainerPorts: {}
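Review bot: `# as ODIC federated web identity tokens for authentication in cloud APIs.` keeps the misspelling of the old line; the acronym is OIDC (OpenID Connect), so the line should read `# as OIDC federated web identity tokens for authentication in cloud APIs.` The `serviceAccount` stanza this comment introduces continues outside the hunk.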