bunch of fixes, integrity cronjob, fixed health check (liveness & red…

…iness & startup probe), added redis support

Makefile

@@ -0,0 +1,2 @@
+template:
+	cd charts/humhub && helm template ./ --debug

charts/humhub/templates/_helpers.tpl

@@ -27,6 +27,87 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{- define "humhub.env" -}}
+- name: TZ
+  value: {{ .Values.tz }}
+
+# HTTP
+- name: HUMHUB_PROTO
+  value: {{ .Values.proto }}
+- name: HUMHUB_HOST
+  value: "{{ .Values.host }}"
+
+# NGINX
+- name: NGINX_CLIENT_MAX_BODY_SIZE
+  value: {{ .Values.nginx.clientMaxBodySize | quote }}
+- name: NGINX_KEEPALIVE_TIMEOUT
+  value: {{ .Values.nginx.keepaliveTimeout | quote }}
+
+# PHP
+- name: PHP_POST_MAX_SIZE
+  value: {{ .Values.php.postMaxSize | quote }}
+- name: PHP_UPLOAD_MAX_FILESIZE
+  value: {{ .Values.php.uploadMaxFilesize | quote }}
+- name: PHP_MAX_EXECUTION_TIME
+  value: {{ .Values.php.maxExecutionTime | quote }}
+- name: PHP_MEMORY_LIMIT
+  value: {{ .Values.php.memoryLimit | quote }}
+
+# Database
+- name: HUMHUB_DB_HOST
+  value: {{ .Values.db.host | quote }}
+- name: HUMHUB_DB_USER
+  value: {{ .Values.db.user | quote }}
+- name: HUMHUB_DB_PORT
+  value: {{ .Values.db.port | quote }}
+- name: HUMHUB_DB_NAME
+  value: {{ .Values.db.name | quote }}
+- name: HUMHUB_DB_PASSWORD
+  valueFrom:
+      secretKeyRef:
+          key: {{ .Values.db.password.secretKey }}
+          name: {{ .Values.db.password.secretName }}
+
+# Redis
+{{ if .Values.redis.enabled }}
+- name: HUMHUB_CACHE_CLASS
+  value: yii\redis\Cache
+- name: HUMHUB_QUEUE_CLASS
+  value: humhub\modules\queue\driver\Redis
+- name: HUMHUB_REDIS_HOSTNAME
+  value: {{ .Values.redis.host | quote }}
+- name: HUMHUB_REDIS_PORT
+  value: {{ .Values.redis.port | quote }}
+- name: HUMHUB_REDIS_PASSWORD
+  value: {{ .Values.redis.password | quote }}
+{{ end }}
+
+# todo: move it to an optional cronjob
+- name: HUMHUB_INTEGRITY_CHECK
+  value: "false"
+
+- name: HUMHUB_REVERSEPROXY_WHITELIST
+  value: '{{ join ";" .Values.reverseProxyAllowList }}'
+
+- name: HUMHUB_CACHE_EXPIRE_TIME
+  value: {{ .Values.cache.expireTime | quote }}
+
+# Custom environment variables
+{{ range $env := .Values.env }}
+- {{ toJson $env }}
+{{ end }}
+{{ end }}
+
+{{- define "humhub.mounts" -}}
+{{- range $name, $path := .Values.defaults.mounts }}
+{{- if $path }}
+- mountPath: /var/www/localhost/htdocs/{{ $path }}
+  name: data
+  subPath: {{ $path }}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}

charts/humhub/templates/deployment.yaml

@@ -62,84 +62,31 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
-              - name: TZ
-                value: {{ .Values.tz }}
-
-              # HTTP
-              - name: HUMHUB_PROTO
-                value: {{ .Values.proto }}
-              - name: HUMHUB_HOST
-                value: "{{ .Values.host }}"
-
-              # NGINX
-              - name: NGINX_CLIENT_MAX_BODY_SIZE
-                value: {{ .Values.nginx.clientMaxBodySize | quote }}
-              - name: NGINX_KEEPALIVE_TIMEOUT
-                value: {{ .Values.nginx.keepaliveTimeout | quote }}
-
-              # PHP
-              - name: PHP_POST_MAX_SIZE
-                value: {{ .Values.php.postMaxSize | quote }}
-              - name: PHP_UPLOAD_MAX_FILESIZE
-                value: {{ .Values.php.uploadMaxFilesize | quote }}
-              - name: PHP_MAX_EXECUTION_TIME
-                value: {{ .Values.php.maxExecutionTime | quote }}
-              - name: PHP_MEMORY_LIMIT
-                value: {{ .Values.php.memoryLimit | quote }}
-
-              # Database
-              - name: HUMHUB_DB_HOST
-                value: {{ .Values.db.host | quote }}
-              - name: HUMHUB_DB_USER
-                value: {{ .Values.db.user | quote }}
-              - name: HUMHUB_DB_PORT
-                value: {{ .Values.db.port | quote }}
-              - name: HUMHUB_DB_NAME
-                value: {{ .Values.db.name | quote }}
-              - name: HUMHUB_DB_PASSWORD
-                valueFrom:
-                    secretKeyRef:
-                        key: {{ .Values.db.password.secretKey }}
-                        name: {{ .Values.db.password.secretName }}
-
-              # todo: move it to an optional cronjob
-              - name: HUMHUB_INTEGRITY_CHECK
-                value: "false"
-
-              # Custom environment variables
-              {{ range $env := .Values.env }}
-              - {{ toJson $env }}
-              {{ end }}
-
+              {{ include "humhub.env" . | nindent 14 }}
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}
               protocol: TCP
           volumeMounts:
-              {{- range $name, $path := .Values.defaults.mounts }}
-              {{- if $path }}
-                - mountPath: /var/www/localhost/htdocs/{{ $path }}
-                  name: data
-                  subPath: {{ $path }}
-              {{- end }}
-              {{- end }}
+              {{ include "humhub.mounts" . | nindent 14 }}
+          {{ if .Values.health.enabled }}
           startupProbe:
               {{ toYaml .Values.health.startupProbe | nindent 14 }}
               httpGet:
-                  path: /
+                  path: /ping
                   port: http
           livenessProbe:
               {{ toYaml .Values.health.livenessProbe | nindent 14 }}
               httpGet:
-                  path: /
+                  path: /ping
                   port: http
           readinessProbe:
               {{ toYaml .Values.health.readinessProbe | nindent 14 }}
               httpGet:
-                  path: /
+                  path: /ping
                   port: http
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+          {{ end }}
+          resources: {{toJson .Values.resources }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/humhub/templates/integrity.cronjob.yaml

@@ -0,0 +1,63 @@
+{{ if .Values.jobs.integrity }}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+    name: {{ include "humhub.fullname" . }}-integrity
+    labels:
+        {{- include "humhub.labels" . | nindent 4 }}
+spec:
+    concurrencyPolicy: Forbid
+    failedJobsHistoryLimit: 1
+    jobTemplate:
+        spec:
+            activeDeadlineSeconds: 3600
+            backoffLimit: 0
+            parallelism: 1
+            template:
+                spec:
+                    automountServiceAccountToken: false
+                    {{- with .Values.imagePullSecrets }}
+                    imagePullSecrets: {{ toJson . }}
+                    {{ end }}
+                    containers:
+                        - name: job
+                          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+                          imagePullPolicy: {{ .Values.image.pullPolicy }}
+                          securityContext:
+                              {{- toYaml .Values.securityContext | nindent 30 }}
+                          command:
+                              - /docker-entrypoint.sh
+                              - /bin/sh
+                              - -c
+                              {{- if .Values.image.isRootImage }}
+                              - 'su nginx -s /bin/sh -c "php ./yii integrity/run"'
+                              {{ else }}
+                              - 'php ./yii integrity/run'
+                              {{- end }}
+                          env:
+                              - name: HUMHUB_AUTO_INSTALL
+                                value: "false"
+                              {{ include "humhub.env" . | nindent 30 }}
+                          resources: {{ toJson .Values.resources }}
+                          volumeMounts:
+                              {{ include "humhub.mounts" . | nindent 30 }}
+
+                    restartPolicy: Never
+                    securityContext:
+                    {{- if .Values.podSecurityContext }}
+                        {{- toYaml .Values.podSecurityContext | nindent 24 }}
+                    {{ else }}
+                       {{- toYaml .Values.defaults.podSecurityContext | nindent 24 }}
+                    {{- end }}
+                    terminationGracePeriodSeconds: 900
+                    volumes:
+                        - name: data
+                          persistentVolumeClaim:
+                              claimName: {{ include "humhub.pvcName" . }}
+                              readOnly: false
+    schedule: {{ .Values.jobs.integrity.schedule }}
+    startingDeadlineSeconds: 100
+    successfulJobsHistoryLimit: 1
+    suspend: false
+{{ end }}

charts/humhub/values.yaml

@@ -4,16 +4,19 @@ image:
   repository: ghcr.io/mriedmann/humhub-allinone
   pullPolicy: IfNotPresent
   tag: ""
+  isRootImage: true
 
 # -- Use PRIVILEGED init container to correct permissions of your volumes (NOTICE: it does not fix them recursively)
 chownInitContainer:
     enabled: true
     image: busybox:1.36.0-musl
 
 health:
+    # -- You can disable it temporarily in case e.g. migration takes too long
+    enabled: true
     startupProbe:
-        # defaults to 300s (5m) - give the migration script a time
-        periodSeconds: 5
+        # defaults to 900s (15m) - give the migration script a time
+        periodSeconds: 15
         failureThreshold: 60
     livenessProbe:
         periodSeconds: 55
@@ -23,7 +26,6 @@ health:
         failureThreshold: 1
 
 env: []
-
 php:
     postMaxSize: 32M
     uploadMaxFilesize: 32M
@@ -44,6 +46,26 @@ db:
         secretName: humhub-db-credentials
         secretKey: password
 
+# -- Redis is used for caching
+redis:
+    enabled: false
+    host: redis-master.redis.svc.cluster.local
+    port: 6379
+    password: ""
+
+reverseProxyAllowList:
+    # -- Allow traffic from whole cluster typically. You can limit this to your specific subnet
+    - 10.0.0.0/8
+    - 127.0.0.1
+
+cache:
+    expireTime: 3600
+
+jobs:
+    integrity:
+        enabled: true
+        schedule: "30 6 * * 6" # At 06:30 on Saturday.
+
 # -- Timezone
 tz: Europe/Warsaw