diff --git a/CHANGELOG.md b/CHANGELOG.md index 27ca3f9..0f6d51f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,18 @@ # GraphDB Helm chart release notes +## Version 10.6.0 + +### New + +- Added `graphdb.node.licenseFilename` for cases where the default filename is not "graphdb.license" + +### Improvements + +- Updated the default ingress's path type to `ImplementationSpecific` +- Updated graphdb.properties example file +- Templates will now use `Chart.AppVersion` by default unless `images.graphdb.tag` is specified. +- Updated busybox image to version 1.36.1 + ## Version 10.5.1-R2 - Fixed `graphdb-cluster-proxy-configmap` to use the correct java_args configuration from [values.yaml](values.yaml). diff --git a/files/config/graphdb.properties b/files/config/graphdb.properties index 3778709..eeb8df0 100644 --- a/files/config/graphdb.properties +++ b/files/config/graphdb.properties 
@@ -64,351 +64,6 @@ # graphdb.license.file = -###### NETWORK SETTINGS ###### -# -# HTTP port for running GraphDB in standalone mode. The default is 7200. -# -# graphdb.connector.port = 7200 -# -# -# Enable SSL (uncomment to enable) -# graphdb.connector.SSLEnabled = true -# graphdb.connector.scheme = https -# graphdb.connector.secure = true -# -# GraphDB uses the Java implementation of SSL, which requires a configured key in the Java keystore. -# To setup keystore uncomment the following properties and set keystorePass and keyPass to the actual values. -# -# The default is the file .keystore in the operating system home directory of the user that is running GraphDB -# graphdb.connector.keystoreFile = -# graphdb.connector.keystorePass = -# graphdb.connector.keyAlias = graphdb -# graphdb.connector.keyPass = -# -# How to generate a keystore? -# -# Option 1: Generate a self-signed key, which would require to trust the certificate in all clients. -# -# keytool -genkey -alias graphdb -keyalg RSA -# -# Option 2: Convert a third party trusted OpenSSL certificate to PKCS12 key and then import to the Java keystore. -# -# keytool -importkeystore -deststorepass MYPASS -srckeystore mypkcs12.p12 -srcstoretype PKCS12 -# -# For any additional information please refer to https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html -# -# In addition to the above settings, you can set any Tomcat Connector attribute through a property: -# graphdb.connector. = xxx -# -# See https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Attributes for more information. -# -# Another option is to use Self Signed SSL Certificate setting following two properties -# -# graphdb.connector.SSLCertificateFile = -# graphdb.connector.SSLCertificateKeyFile = - - -###### ENGINE OVERRIDE ###### -# -# The GraphDB Engine can be configured through a set of properties that start with the graphdb.engine. prefix. 
-# These properties correspond to the properties that can be set when creating a repository through the Workbench -# or through a .ttl file. -# -# Note that properties defined here WILL OVERRIDE the properties for each repository, regardless of whether you created -# the repository before or after you set the global value of an engine property. As such, the global overrides -# should be used only in specific cases while for normal everyday needs you should set the corresponding properties -# when you create a repository. -# -# -# graphdb.engine. = xxx - - -# A global setting that ensures IRI validation in the entity pool. It is performed only when an IRI is seen for the first time -# (i.e., when being created in the entity pool). For consistency reasons, not only IRIs coming from RDF serializations, -# but also all new IRIs (via API or SPARQL), will be validated in the same way. -# This property can be turned off by setting its value to false. -# -# graphdb.engine.entity.validate = true - - -###### AUTHENTICATION TOKEN SECRET ###### -# -# GraphDB authentication token secret could be set by passing it as a configuration parameter -# -# graphdb.auth.token.secret = -# -# In case of not explicitly specified, GraphDB will try to obtain one automatically from the SSL -# certificate if present or will randomly generate one - -###### OPENID AUTHENTICATION ###### -# -# OpenId is used for authentication against another authorization database (local or LDAP). -# Password authentication can be disabled in addition. -# -# Enable OpenId authentication. The default value is 'basic, gdb'. -# Provide only 'openid' if password-based login methods (basic and gdb) are not needed. -# graphdb.auth.methods = basic, gdb, openid -# -# OpenID issuer URL, used to derive keys, endpoints and token validation. No default value. -# graphdb.auth.openid.issuer = https://accounts.example.com -# -# OpenID well-known config URL, used to fetch the OpenID configuration of the OpenID provider. 
-# The default value will be derived by appending /.well-known/openid-configuration to the issuer URL. -# Use this setting if your OpenID does not conform to the specification and the well-known config is -# served on a different URL than the default standard-mandated value. -# graphdb.auth.openid.well_known_config_url = https://openid.example.com/custom/.well-known/openid-configuration -# -# OpenID client ID, used to authenticate and validate tokens. No default value. -# graphdb.auth.openid.client_id = my-client-id -# -# OpenID claim to use as the GraphDB username. No default value. -# graphdb.auth.openid.username_claim = email -# -# OpenID authentication flow: code, code_no_pkce or implicit. No default value. -# The recommended value is 'code' if the OpenId provider supports it with PKCE without a client secret. -# graphdb.auth.openid.auth_flow = code -# -# OpenID token type to send to GraphDB. The available values are 'access' and 'id'. No default value. -# Use the access token if it is a JWT token, otherwise use the id token. -# graphdb.auth.openid.token_type = access -# -# OpenID expected issuer URL in tokens, used to validate tokens. The default is the same as the actual issuer URL. -# graphdb.auth.openid.token_issuer = https://accounts.example.com/custom -# -# OpenID expected audience in tokens, used to validate tokens. The default value is the same as the client ID. -# graphdb.auth.openid.token_audience = my-audience -# -# OpenID extra scopes to request. Multiple scopes can be specified by separating them with a space. -# By default GraphDB requests only the 'openid' scope and, if supported, the 'offline_access' scope. -# Scopes are used to request sets of claims, e.g. you might need to set this to a provider-specific value -# in order to obtain the username_name or the roles_claim (if using OAuth as well). The default value is empty. -# graphdb.auth.openid.extra_scopes = profile email -# -# OpenID extra parameters for the authorize endpoint. 
Some OpenID providers require additional parameters sent -# to the authorize endpoint (e.g. resource=xxx). This is a URL encoded string where each parameter-value pair -# is delimited by &. The string will be appended to the rest of the authorize URL parameters. -# The default value is the empty string. -# graphdb.auth.openid.authorize_parameters = param1=value%201¶m2=value%202 -# -# OpenID Oracle identity domain. Oracle Access Manager has a non-standard OpenID implementation that requires -# an additional parameter: the Oracle identity domain name. If you use OAM set this to your identity domain name. -# graphdb.auth.openid.oracle_domain = my-oracle-domain -# -# OpenID use GraphDB as proxy for the JWKS URL and token endpoints. This can be used to bypass an OpenID provider -# without a proper CORS configuration. The value is a boolean true/false. False by default. -# graphdb.auth.openid.proxy = false - -###### OPENID AUTHENTICATION + OAUTH AUTHORIZATION ###### -# -# OpenId is used for authentication and the authorization is provided via OAuth. -# Password authentication is not available in this mode. -# -# Enable OpenId authentication and disable password-based login. The default value is 'basic, gdb'. -# graphdb.auth.methods = openid -# -# Enable OAuth authorization. The default value is 'local' corresponding to local users. -# graphdb.auth.database = oauth -# -# Set case-insensitive validation for user accounts so that users can log in regardless of the case used at login time. -# The default value is false. -# graphdb.auth.database.case_insensitive = false -# -# OpenID issuer URL, used to derive keys, endpoints and token validation. No default value. -# graphdb.auth.openid.issuer = https://accounts.example.com -# -# OpenID client ID, used to authenticate and validate tokens. No default value. -# graphdb.auth.openid.client_id = my-client-id -# -# OpenID claim to use as the GraphDB username. No default value. 
-# graphdb.auth.openid.username_claim = email -# -# OpenID authentication flow: code, code_no_pkce or implicit. No default value. -# The recommended value is 'code' if the OpenId provider supports it with PKCE without a client secret. -# graphdb.auth.openid.auth_flow = code -# -# OpenId token type to send to GraphDB. The available values are 'access' and 'id'. No default value. -# Use the access token if it is a JWT token, otherwise use the id token. -# graphdb.auth.openid.token_type = access -# -# OpenID expected issuer URL in tokens, used to validate tokens. The default is the same as the actual issuer URL. -# graphdb.auth.openid.token_issuer = https://accounts.example.com/custom -# -# OpenID expected audience in tokens, used to validate tokens. The default value is the same as the client ID. -# graphdb.auth.openid.token_audience = my-audience -# -# OpenID extra parameters for the authorize endpoint. Some OpenID providers require additional parameters sent -# to the authorize endpoint (e.g. resource=xxx). This is a URL encoded string where each parameter-value pair -# is delimited by &. The string will be appended to the rest of the authorize URL parameters. -# The default value is the empty string. -# graphdb.auth.openid.authorize_parameters = param1=value%201¶m2=value%202 -# -# OpenID use GraphDB as proxy for the JWKS URL and token endpoints. This can be used to bypass an OpenID provider -# without a proper CORS configuration. The value is a boolean true/false. False by default. -# graphdb.auth.openid.proxy = false -# -# OAuth roles claim. The field from the JWT token that will provide the GraphDB roles. No default value. -# graphdb.auth.oauth.roles_claim = roles -# -# OAuth roles prefix to strip. The roles claim may provide the GraphDB roles with some prefix, e.g. GDB_ROLE_USER. -# The prefix will be stripped when the roles are mapped. The default value is the empty string. -# graphdb.auth.oauth.roles_prefix = GDB_ -# -# OAuth roles suffix to strip. 
The roles claim may provide the GraphDB roles with some suffix, e.g. ROLE_USER_GDB. -# The suffix will be stripped when the roles are mapped. The default value is the empty string. -# graphdb.auth.oauth.roles_suffix = ROLE_USER_GDB -# -# OAuth default roles to assign. It may be convenient to always assign certain roles without listing them in the roles -# claim. The value is a comma-delimited list of GraphDB roles. The default value is the empty list. -# -# graphdb.auth.oauth.default_roles = ROLE_USER - -###### LDAP AUTHENTICATION AND AUTHORIZATION ###### -# -# Turn on ldap authentication and configure the server. -# -# Note that since GraphDB 9.5 local users will no longer be accessible when using LDAP -# -# graphdb.auth.database = ldap -# graphdb.auth.ldap.url = ldap://localhost:10389/dc=example,dc=org - -# Permit access for all users that are part of the \u201Cpeople\u201D unit of the fictional \u201Cexample.org\u201D organisation. -# -# graphdb.auth.ldap.user.search.base = ou=people -# graphdb.auth.ldap.user.search.filter = (cn={0}) - -# Make all users in the Administration group GraphDB administrators as well. -# -# graphdb.auth.ldap.role.search.base = ou=groups -# graphdb.auth.ldap.role.search.filter = (member={0}) -# graphdb.auth.ldap.role.map.administrator = Administration - -# Make all users in the Management group GraphDB Repository Managers as well. -# -# graphdb.auth.ldap.role.map.repositoryManager = Management - -# Enable all users in the Readers group to read the my_repo repository. -# -# graphdb.auth.ldap.role.map.repository.read.my_repo = Readers - -# Enable all users in the Writers group to write and read the my_repo repository. -# -# graphdb.auth.ldap.role.map.repository.write.my_repo = Writers - -# All entries located under the "groups" organizational unit that have members (i.e., groups), -# will be able to read repositories that share their common name. 
-# -# graphdb.auth.ldap.repository.read.base = ou=groups -# graphdb.auth.ldap.repository.read.filter = (member={0}) -# graphdb.auth.ldap.repository.read.attribute = cn - -# All entries located under the "groups" organizational unit that have members (i.e., groups), -# will be able to read and write to repositories that share their common name. -# -# graphdb.auth.ldap.repository.write.base = ou=groups -# graphdb.auth.ldap.repository.write.filter = (member={0}) -# graphdb.auth.ldap.repository.write.attribute = cn - -# Required for accessing a LDAP server, that does not allow anonymous binds and anonymous access -# -# graphdb.auth.ldap.bind.userDn = uid=userId,ou=people,dc=example,dc=org -# graphdb.auth.ldap.bind.userDn.password = 123456 - -###### KERBEROS AUTHENTICATION ###### -# -# Enables Kerberos authentication. The default value is 'basic, gdb'. -# -# graphdb.auth.methods = basic, gdb, kerberos -# -# Full or relative (to the GraphDB config directory) path to where the keys -# of the Kerberos service principal are stored. No default value. Required if Kerberos is enabled -# You can find more on how to create a keytab file https://web.mit.edu/kerberos/krb5-devel/doc/basic/keytab_def.html -# -# graphdb.auth.kerberos.keytab = -# -# Name of the Kerberos service principal. No default value. Required if Kerberos is enabled. -# -# graphdb.auth.kerberos.principal = HTTP/data.example.com@EXAMPLE.COM -# -# Determines whether to print additional Kerberos-related messages -# in some of the Spring Kerberos classes. Default value is false. -# -# graphdb.auth.kerberos.debug = true/false - -###### AUDIT TRAIL ###### -# -# Enable the detail audit trail for all operations with the minimal access role of: -# USER, REPO_MANAGER, ADMIN, ANY -# -# graphdb.audit.role = USER -# -# and read, write operations with the minimal access of: -# READ, WRITE -# -# -# GraphDB home directory. Defines the root directory for GraphDB on the file system. 
-# It acts as a parent for all configurable paths like repository data, configuration, logs and other runtime -# data unless the location for a specific functionality is explicitly set by its corresponding property. -# The default is the same as the GraphDB distribution directory. -# The actual values for graphdb.home and the other graphdb.home.xxx properties will be printed in the log -# when GraphDB starts. -# -# graphdb.home = -# -# -# GraphDB data directory. Defines the directory where the engine stores all repository data. -# This directory must be writable by the GraphDB process. -# The default is ${graphdb.home}/data. -# -# graphdb.home.data = -# -# -# GraphDB logs directory. Defines the directory where the log files are written. -# This directory must be writable by the GraphDB process. -# The default is ${graphdb.home}/logs. -# -# graphdb.home.logs = -# -# -# GraphDB configuration directory. Used for user-editable configuration, including this file. Stores -# provided runtime license through the application, persisted as ${graphdb.home.conf}/graphdb.license. -# This directory and all files within it may be read-only for GraphDB only if no license is set in the way described above. -# The default is ${graphdb.home}/conf. -# -# Since the location of this config file depends on this property, it does not make sense to set it here. -# Instead you can provide is a system property with -D. -# -# graphdb.home.conf = -# -# -# GraphDB work directory. Used for non-user-editable database configurations. -# This directory must be writable by the GraphDB process. -# The default is ${graphdb.home}/work. -# -# graphdb.home.work = -# -# -# GraphDB external plugins directory. This can be used to add -# additional external plugins outside the distribution's lib/plugins directory. -# -# graphdb.extra.plugins = -# -# -# Graphdb global page cache memory parameter. By default the page cache will -# allocate 50% of the maximum Java heap memory (-Xmx) for the JVM process. 
-# Setting this value too high will cause OME during the execution of memory intensive queries. -# -# graphdb.page.cache.size=10G - - -###### LICENSE ###### -# -# The license can be set through the GraphDB Workbench, through a file graphdb.license -# in the GraphDB configuration directory (see graphdb.home.conf above), or through this -# property that should point to a license file: -# -# graphdb.license.file = - - ###### GraphDB Ontop JDBC Driver Path ###### # # GraphDB directory for the JDBC driver used in the creation of Ontop repositories. @@ -417,6 +72,13 @@ # graphdb.ontop.jdbc.path = +###### Ontop Properties ###### +# +# Ontop configuration attribute can be passed through a property: +# +# graphdb.ontop.=xxx + + ###### NETWORK SETTINGS ###### # # HTTP port for running GraphDB in standalone mode. The default is 7200. @@ -519,6 +181,12 @@ # served on a different URL than the default standard-mandated value. # graphdb.auth.openid.well_known_config_url = https://openid.example.com/custom/.well-known/openid-configuration # +# OpenID header types, specifies the allowed values for the field "typ" in the JWT header. +# The value is a comma-delimited list, where 'null' is interpreted as 'no value'. +# The default value is 'jwt, at+jwt, null' and will allow tokens with "typ": "jwt", "typ": "at+jwt", +# as well as tokens with a missing "typ" value. +# graphdb.auth.openid.header_types = jwt, at+jwt, null +# # OpenID client ID, used to authenticate and validate tokens. No default value. # graphdb.auth.openid.client_id = my-client-id # 
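Review bot: The example line for the new `graphdb.auth.openid.header_types` property just repeats the documented default, `null` included, so uncommenting it changes nothing, and the comment leaves a reader unsure whether the property is meant to widen or narrow what is accepted. Since its purpose is to restrict which JWT header `typ` values a token may carry, show a restrictive example and keep the default in the comment only, e.g. `# graphdb.auth.openid.header_types = at+jwt`, with the preceding sentence stating that omitting `null` rejects tokens that lack a `typ` header.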
@@ -581,6 +249,9 @@ # graphdb.auth.openid.client_id = my-client-id # # OpenID claim to use as the GraphDB username. No default value. +# This will be interpreted as a JSONPath expression, so for example the value "roles.graphdb" +# will first access the object under the "roles" key and then extract the roles from the "graphdb" +# key inside that object. # graphdb.auth.openid.username_claim = email # # OpenID authentication flow: code, code_no_pkce or implicit. No default value. @@ -674,6 +345,10 @@ # graphdb.auth.ldap.bind.userDn = uid=userId,ou=people,dc=example,dc=org # graphdb.auth.ldap.bind.userDn.password = 123456 +# Adds to all users in Readers group custom role. +# +# graphdb.auth.ldap.map.role.role_name = Readers + ###### KERBEROS AUTHENTICATION ###### # # Enables Kerberos authentication. The default value is 'basic, gdb'. @@ -732,7 +407,15 @@ # an Authority Information Access (AIA) extension, or as an alternative # in case of OCSP or CrlDP responders downtime. # graphdb.auth.methods.x509.crlFile = + +###### Cloud backup and Restore ###### # +# Enable tls for connections against s3 compatible services. To set up a truststore different from the default JRE one +# set `graphdb.connector.truststoreFile` and `graphdb.connector.truststorePass` +# graphdb.s3.tls.enabled = false +# +# Timeout in seconds for a cloud backup's single part upload. +# graphdb.s3.backup.httpclient.write.timeout = 3600 ###### AUDIT TRAIL ###### # 
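Review bot: The three added comment lines under `graphdb.auth.openid.username_claim` describe walking a `roles.graphdb` object and "extract the roles", but the property they annotate selects the username claim and its example value is `email`; the wording reads as copied from the OAuth `roles_claim` description and will confuse anyone configuring the username mapping. Reword for the claim at hand, e.g. `# This will be interpreted as a JSONPath expression, so for example the value "user.email"` / `# will first access the object under the "user" key and then read the username from the "email" key inside that object.` If the same JSONPath handling also applies to `graphdb.auth.oauth.roles_claim`, say so on that property rather than here.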
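Review bot: The new key `graphdb.auth.ldap.map.role.role_name` does not follow the `graphdb.auth.ldap.role.map.<name>` shape used by every other mapping in this section (`role.map.administrator`, `role.map.repositoryManager`, `role.map.repository.read.my_repo`), and the comment `Adds to all users in Readers group custom role.` does not explain what `role_name` stands for. If the key is a typo, change the example to `# graphdb.auth.ldap.role.map.role_name = Readers`; if it is a genuinely distinct property, keep the key but give it a comment that makes the placeholder explicit, e.g. `# Assign the custom GraphDB role <role_name> to all members of the Readers group.` Either way, the example should make clear that `role_name` is a value the administrator substitutes, not a literal.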
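Review bot: The example in the new Cloud backup and Restore section shows `graphdb.s3.tls.enabled = false` directly under a comment that begins "Enable tls", so a reader who uncomments the line as written sends backups to the S3-compatible endpoint without transport encryption, and the comment never states which value is the product default. Make the example the secure setting and state the default explicitly, e.g. `# graphdb.s3.tls.enabled = true` with a preceding `# Default: <DEFAULT — confirm with the product docs>.` The hint about `graphdb.connector.truststoreFile` and `graphdb.connector.truststorePass` refers to keys that are not listed in this file's NETWORK SETTINGS block (only `keystoreFile`/`keystorePass` are), so either add them there or point the reader to the "any Tomcat Connector attribute" note in that block.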
@@ -788,38 +471,35 @@ # asked to handle the request. # graphdb.proxy.followerRetries=3 -# Server report in cluster configuration - -# The maximum time to wait for a triggered report is configured with a default value of 120 minutes. -#graphdb.wait.report.minutes=120 -###### HEAP DUMPS ###### -# -# GraphDB can dump the heap on out of memory errors in order to provide insight to the cause -# for excessive memory usage. +###### CHATGPT INTEGRATION ###### # -# Enable or disable the heap dump (enabled by default) -# graphdb.heapdump.enable = true +# GraphDB has built-in ChatGPT integration. The minimum required configuration is setting the GPT access token. # -# File to write the heap dump to, by default this is the file heapdump.hprof in the configured logs directory. -# See also the properties graphdb.home and graphdb.home.logs. -# graphdb.heapdump.path = - -# graphdb.audit.repository = READ +# GPT API access token, none by default. +# graphdb.gpt.token = # -# Audit the specific headers +# GPT model to use, gpt-3.5-turbo by default. +# graphdb.gpt.model = gpt-3.5-turbo # -# graphdb.audit.headers = Origin, Host +# GPT timeout in seconds, 90 by default. +# graphdb.gpt.timeout = 90 # -# List headers that should be included into logs in front of client requests. # -# graphdb.request.id.alternatives = X-Amz-Request-Id +# GPT advanced options below - setting these may be needed if the integration should use a different API endpoint +# and/or a different authentication method. See the documentation for more details. # -# Enable logging of "X-Request-Id" header and listed in graphdb.request.id.alternatives headers into any log. -# "X-Request-Id" header will be included by default. In case "X-Request-Id" is not present in the headers of -# the request it will be generated randomly in UUID type 5 format. +# GPT chat completions API endpoint, https://api.openai.com/v1/chat/completions by default. 
+# graphdb.gpt.url = https://api.openai.com/v1/chat/completions # -# graphdb.append.request.id.headers = true +# GPT authentication method, bearer by default. +# graphdb.gpt.auth = bearer + + +# Server report in cluster configuration + +# The maximum time to wait for a triggered report is configured with a default value of 120 minutes. +#graphdb.wait.report.minutes=120 ###### HEAP DUMPS ###### # @@ -832,3 +512,13 @@ # File to write the heap dump to, by default this is the file heapdump.hprof in the configured logs directory. # See also the properties graphdb.home and graphdb.home.logs. # graphdb.heapdump.path = + +###### JSON-LD WHITELIST ###### +# +# The configuration property 'graphdb.jsonld.whitelist' is used to define a whitelist +# of URLs or file locations that are permitted for JSON-LD processing in GraphDB. +# +# The whitelist is a comma-separated list of URLs or file locations. +# The wildcard (*) in URLs or file paths allows for fine-grained control, enabling administrators to specify entire domains or directories. +# Each entry in the list represents a resource that is considered safe for JSON-LD operations. +# graphdb.jsonld.whitelist = https://my.good_host.com/prop, https://my.good_host.com/*, file:///my/good/jsonld/prop, file:///my/good/jsonld/* diff --git a/templates/_helpers.yaml b/templates/_helpers.yaml index 175f0e2..38d4c09 100644 --- a/templates/_helpers.yaml +++ b/templates/_helpers.yaml 
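Review bot: Besides adding the ChatGPT section, this hunk deletes the `graphdb.audit.repository`, `graphdb.audit.headers`, `graphdb.request.id.alternatives` and `graphdb.append.request.id.headers` examples, and none of them is re-added anywhere else in the diff, so the AUDIT TRAIL section that still exists above ends with the "READ, WRITE" sentence that introduces a property no longer shown. If the removal is intended, the CHANGELOG entry "Updated graphdb.properties example file" should say so; otherwise move those lines back under AUDIT TRAIL. The `graphdb.gpt.token` line will hold a bearer credential in clear text in a file that the chart appears to distribute through the `graphdb-settings-config` volume (inferred from graphdb-node.yaml); add a comment such as `# Supply the token through a secret-backed override (e.g. -Dgraphdb.gpt.token in java_args) rather than committing it here.`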
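Review bot: The JSON-LD whitelist comment never states what happens when `graphdb.jsonld.whitelist` is left unset, which is the case for everyone who copies this example, so a reader cannot tell whether remote JSON-LD contexts are then fetched from anywhere or refused entirely; add one line stating the unset behaviour, e.g. `# When unset, <UNSET BEHAVIOUR — confirm with the product docs>.` It would also help to say that a `*` entry covers every path below that host or directory, so `https://my.good_host.com/*` already subsumes `https://my.good_host.com/prop` in the example, and that a `file:///…/*` entry permits JSON-LD processing to read from that entire directory, so such entries should be kept as narrow as possible.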
@@ -38,18 +38,18 @@ Otherwise it is left blank and cluster default will be used. {{- end }} {{/* -Renders full name of the graphdb pod +Render the container image for GraphDB */}} -{{- define "graphdb.renderFullImageName" -}} - {{- $fullImageName := .image.repository -}} - - {{- if or .globalRegistry .image.registry -}} - {{- $fullImageName = printf "%s/%s" ( .image.registry | default .globalRegistry) .image.repository -}} +{{- define "graphdb.image" -}} + {{- $registry := .Values.images.graphdb.registry -}} + {{- $repository := .Values.images.graphdb.repository -}} + {{- $tag := .Values.images.graphdb.tag | default .Chart.AppVersion | toString -}} + {{- if and .Values.global .Values.global.imageRegistry -}} + {{- $registry = .Values.global.imageRegistry -}} {{- end -}} - - {{- if .image.tag -}} - {{- printf "%s:%s" $fullImageName .image.tag -}} + {{- if $registry -}} + {{- printf "%s/%s:%s" $registry $repository $tag -}} {{- else -}} - {{- print $fullImageName -}} + {{- printf "%s:%s" $repository $tag -}} {{- end -}} -{{- end -}} +{{- end }} diff --git a/templates/gateway/ingress.yaml b/templates/gateway/ingress.yaml index 347ae13..51d4f4e 100644 --- a/templates/gateway/ingress.yaml +++ b/templates/gateway/ingress.yaml @@ -39,7 +39,7 @@ spec: {{- else }} - path: {{ $.Values.graphdb.workbench.subpath }}(/|$)(.*) {{- end }} - pathType: Prefix + pathType: ImplementationSpecific backend: service: {{- if gt (int $.Values.graphdb.clusterConfig.nodesCount) 1 }} diff --git a/templates/graphdb-cluster-proxy.yaml b/templates/graphdb-cluster-proxy.yaml index 4a90dd8..51188a5 100644 --- a/templates/graphdb-cluster-proxy.yaml +++ b/templates/graphdb-cluster-proxy.yaml 
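Review bot: `graphdb.image` reads `.Values.images.graphdb` directly, so the busybox image that the old `renderFullImageName` helper could render from any image dict no longer has a helper; the `provision-settings` init container in templates/graphdb-node.yaml is consequently switched to the full GraphDB image while values.yaml still defines and bumps `images.busybox.tag` and the CHANGELOG announces a busybox update. If running the provisioning step on the GraphDB image is intended, remove the busybox values and the CHANGELOG line; otherwise keep the helper generic by taking the image dict as a parameter (`.image.registry`, `.image.repository`, `.image.tag`) and passing `.Chart` and `.Values.global` alongside it from the callers. Independently of that, the helper resolves images only by tag, which is mutable; an optional `digest` field rendered as `repository@<digest>` when set would let deployments pin by content.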
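Review bot: `pathType: ImplementationSpecific` hands the path `{{ $.Values.graphdb.workbench.subpath }}(/|$)(.*)` to the ingress controller's own matching rules, so on a controller that does not interpret it as a regular expression the path becomes a literal match and requests to the workbench subpath stop routing; with `Prefix` the failure mode was at least uniform across controllers. The enclosing rule starts above the hunk, so any controller-specific annotation that enables regex matching is not visible here. Consider exposing the path type as a chart value defaulting to `ImplementationSpecific` and documenting next to it that the regex path requires a controller which supports it.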
@@ -64,7 +64,7 @@ spec:
 {{- include "graphdb.combinedImagePullSecrets" $ | nindent 8 }}
 containers:
 - name: graphdb-proxy
- image: {{ include "graphdb.renderFullImageName" (dict "globalRegistry" $.Values.global.imageRegistry "image" $.Values.images.graphdb) }}
+ image: {{ include "graphdb.image" . }}
 imagePullPolicy: {{ $.Values.deployment.imagePullPolicy }}
 command: ["/opt/graphdb/dist/bin/cluster-proxy"]
 envFrom:
diff --git a/templates/graphdb-node.yaml b/templates/graphdb-node.yaml
index 543d2bb..a5ba646 100644
--- a/templates/graphdb-node.yaml
+++ b/templates/graphdb-node.yaml
@@ -48,10 +48,10 @@ spec:
 setHostnameAsFQDN: true
 terminationGracePeriodSeconds: {{ .Values.graphdb.node.terminationGracePeriodSeconds }}
 volumes:
- {{- if $.Values.graphdb.node.license }}
+ {{- if .Values.graphdb.node.license }}
 - name: graphdb-license
 secret:
- secretName: {{ $.Values.graphdb.node.license }}
+ secretName: {{ .Values.graphdb.node.license }}
 {{- end }}
 {{- if or $configs.settingsConfigMap $.Values.graphdb.security.enabled }}
 - name: graphdb-settings-config
@@ -95,7 +95,7 @@ spec:
 {{- include "graphdb.combinedImagePullSecrets" $ | nindent 8 }}
 containers:
 - name: graphdb-node
- image: {{ include "graphdb.renderFullImageName" (dict "globalRegistry" $.Values.global.imageRegistry "image" $.Values.images.graphdb) }}
+ image: {{ include "graphdb.image" . }}
 imagePullPolicy: {{ $.Values.deployment.imagePullPolicy }}
 {{- with .Values.graphdb.node.command }}
 command: {{ toYaml . | nindent 12 }}
@@ -124,10 +124,10 @@ spec:
 - name: graphdb-node-data-dynamic-pvc
 mountPath: /opt/graphdb/home
 {{- end }}
- {{- if $.Values.graphdb.node.license }}
+ {{- if .Values.graphdb.node.license }}
 - name: graphdb-license
 mountPath: /opt/graphdb/home/conf/graphdb.license
- subPath: graphdb.license
+ subPath: {{ .Values.graphdb.node.licenseFilename }}
 {{- end }}
 {{- if $.Values.graphdb.import_directory_mount.enabled }}
 - name: graphdb-server-import-dir
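Review bot: `subPath: {{ .Values.graphdb.node.licenseFilename }}` renders an empty subPath if a user overrides `licenseFilename` with an empty string, which silently turns the mount into the whole secret directory placed over `/opt/graphdb/home/conf/graphdb.license`; the value is also emitted unquoted, so a filename containing YAML-significant characters is written as-is. Use `subPath: {{ required "graphdb.node.licenseFilename must be set" .Values.graphdb.node.licenseFilename | quote }}` (or `| default "graphdb.license" | quote`) so the template fails early instead of changing shape. The switch from `$.Values` to `.Values` on the two `license` checks in this file is harmless at pod-spec level but leaves the neighbouring `$.Values.graphdb.import_directory_mount.enabled` and `$.Values.graphdb.security.enabled` lines in the other style; pick one within the file.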
@@ -154,7 +154,7 @@ spec:
 initContainers:
 # PROVISION SETTINGS AND SECURITY
 - name: provision-settings
- image: {{ include "graphdb.renderFullImageName" (dict "globalRegistry" $.Values.global.imageRegistry "image" $.Values.images.busybox) }}
+ image: {{ include "graphdb.image" . }}
 imagePullPolicy: {{ $.Values.deployment.imagePullPolicy }}
 volumeMounts:
 {{- if hasKey $.Values.graphdb.node.persistence "volumeClaimTemplateSpec" }}
diff --git a/templates/jobs/patch-cluster-job.yaml b/templates/jobs/patch-cluster-job.yaml
index f6da030..1a1dce9 100644
--- a/templates/jobs/patch-cluster-job.yaml
+++ b/templates/jobs/patch-cluster-job.yaml
@@ -21,7 +21,7 @@ spec:
 {{- $.Values.graphdb.jobPodSecurityContext | toYaml | nindent 8 }}
 containers:
 - name: patch-cluster
- image: {{ include "graphdb.renderFullImageName" (dict "globalRegistry" $.Values.global.imageRegistry "image" $.Values.images.graphdb) }}
+ image: {{ include "graphdb.image" . }}
 envFrom:
 - secretRef:
 name: graphdb-provision-user
diff --git a/templates/jobs/post-start-job.yaml b/templates/jobs/post-start-job.yaml
index 5a3f601..6bbc4d2 100644
--- a/templates/jobs/post-start-job.yaml
+++ b/templates/jobs/post-start-job.yaml
@@ -21,7 +21,7 @@ spec:
 {{- $.Values.graphdb.jobPodSecurityContext | toYaml | nindent 8 }}
 containers:
 - name: create-graphdb-cluster
- image: {{ include "graphdb.renderFullImageName" (dict "globalRegistry" $.Values.global.imageRegistry "image" $.Values.images.graphdb) }}
+ image: {{ include "graphdb.image" . }}
 envFrom:
 - secretRef:
 name: graphdb-provision-user
diff --git a/templates/jobs/provision-repositories-job.yaml b/templates/jobs/provision-repositories-job.yaml
index c019e0e..ed7cfc6 100644
--- a/templates/jobs/provision-repositories-job.yaml
+++ b/templates/jobs/provision-repositories-job.yaml
@@ -22,7 +22,7 @@ spec:
 {{- $.Values.graphdb.jobPodSecurityContext | toYaml | nindent 8 }}
 containers:
 - name: provision-repositories
- image: {{ include "graphdb.renderFullImageName" (dict "globalRegistry" $.Values.global.imageRegistry "image" $.Values.images.graphdb) }}
+ image: {{ include "graphdb.image" . }}
 envFrom:
 - secretRef:
 name: graphdb-provision-user
diff --git a/templates/jobs/scale-down-cluster-job.yaml b/templates/jobs/scale-down-cluster-job.yaml
index bf3d1fa..f7fe85b 100644
--- a/templates/jobs/scale-down-cluster-job.yaml
+++ b/templates/jobs/scale-down-cluster-job.yaml
@@ -19,7 +19,7 @@ spec:
 {{- $.Values.graphdb.jobPodSecurityContext | toYaml | nindent 8 }}
 containers:
 - name: scale-down-cluster
- image: {{ include "graphdb.renderFullImageName" (dict "globalRegistry" $.Values.global.imageRegistry "image" $.Values.images.graphdb) }}
+ image: {{ include "graphdb.image" . }}
 envFrom:
 - secretRef:
 name: graphdb-provision-user
diff --git a/templates/jobs/scale-up-cluster-job.yaml b/templates/jobs/scale-up-cluster-job.yaml
index 7714106..76d4aab 100644
--- a/templates/jobs/scale-up-cluster-job.yaml
+++ b/templates/jobs/scale-up-cluster-job.yaml
@@ -21,7 +21,7 @@ spec:
 {{- $.Values.graphdb.jobPodSecurityContext | toYaml | nindent 8 }}
 containers:
 - name: scale-up-cluster
- image: {{ include "graphdb.renderFullImageName" (dict "globalRegistry" $.Values.global.imageRegistry "image" $.Values.images.graphdb) }}
+ image: {{ include "graphdb.image" . }}
 envFrom:
 - secretRef:
 name: graphdb-provision-user
diff --git a/trivy.yaml b/trivy.yaml
index 49804a8..cee2161 100644
--- a/trivy.yaml
+++ b/trivy.yaml
@@ -1,7 +1,7 @@
 timeout: 5m
 exit-code: 1
 severity:
- - HIGH
 - CRITICAL
+ - HIGH
 - MEDIUM
 format: table
diff --git a/values.yaml b/values.yaml
index 55c36c9..1d818eb 100644
--- a/values.yaml
+++ b/values.yaml
@@ -13,11 +13,13 @@ global:
 # Top lvl flat for easier maintenance
 images:
 graphdb:
+ registry: docker.io
 repository: ontotext/graphdb
- tag: "10.5.1"
+ # If specified, overrides Chart.AppVersion
+ tag: ""
 busybox:
 repository: busybox
- tag: "1.31"
+ tag: "1.36.1"
 
 # Extra labels for the deployed resources
 extraLabels: {}
@@ -116,6 +118,8 @@ graphdb:
 # -- Reference to a secret containing 'graphdb.license' file to be used by the nodes.
 # Important: Must be created beforehand
 license:
+ # -- File name of the GraphDB license file in the existing license secret. Default is graphdb.license
+ licenseFilename: graphdb.license
 # -- Java arguments with which node instances will be launched. GraphDB configuration properties can also be passed here in the format -Dprop=value
 java_args: "-XX:MaxRAMPercentage=70 -Ddefault.min.distinct.threshold=100m -XX:+UseContainerSupport"
 # Node scheduling options such as nodeSelector, affinity, tolerations, topologySpreadConstraints can be set here for ALL nodes.
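Review bot: The `license:` comment still says the secret must contain a `'graphdb.license'` file, but the new `licenseFilename` key right below it makes that name configurable, so the two comments contradict each other; change the first to `# -- Reference to a secret containing the GraphDB license file (see licenseFilename) to be used by the nodes.` The new `# If specified, overrides Chart.AppVersion` comment would read better as a `# --` doc comment like its neighbours so it is picked up by the same tooling. Adding `registry: docker.io` changes the rendered reference from `ontotext/graphdb:<tag>` to `docker.io/ontotext/graphdb:<tag>`; that is equivalent for Docker Hub pulls but is a visible change for users who mirror or allow-list images by exact reference, so it deserves a CHANGELOG line.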