fix: Switch from matomo to umami

2025-09-11 15:28:11 +02:00
parent a7c541b28d
commit 7c7f756a0c
44 changed files with 182 additions and 2824 deletions
@@ -1,4 +0,0 @@
-# Matomo
-
-TO-DO:
- [ ] Move to Digitalist [Chart](https://github.com/Digitalist-Open-Cloud/matomo-kubernetes)
@@ -1,261 +0,0 @@
-global:
-  security:
-    ## @param global.security.allowInsecureImages Allows skipping image verification
-    allowInsecureImages: true
-
-usePasswordFiles: false
-
-image:
-  # repository: digitalist/matomo
-  repository: bitnamilegacy/matomo
-  pullPolicy: IfNotPresent
-
-replicaCount: 1
-matomoUsername: admin
-matomoPassword: "en to tre fire"
-matomoEmail: user@example.com
-matomoWebsiteName: oceanbox
-matomoWebsiteHost: https://matomo.adm.oceanbox.io
-matomoSkipInstall: false
-
-allowEmptyPassword: false
-
-updateStrategy:
-  type: RollingUpdate
-
-existingSecret: ""
-## SMTP mail delivery configuration
-## ref: https://github.com/bitnami/containers/tree/main/bitnami/matomo/#smtp-configuration
-## @param smtpAuth SMTP authentication mechanism (options: Plain, Login, Cram-md5)
-## @param smtpHost SMTP host
-## @param smtpPort SMTP port
-## @param smtpUser SMTP user
-## @param smtpPassword SMTP password
-## @param smtpProtocol SMTP Protocol (options: ssl,tls, nil)
-## @param noreplyName Noreply name
-## @param noreplyAddress Noreply address
-##
-smtpAuth: ""
-smtpHost: ""
-smtpPort: ""
-smtpUser: ""
-smtpPassword: ""
-smtpProtocol: ""
-noreplyName: ""
-noreplyAddress: ""
-## @param smtpExistingSecret The name of an existing secret with SMTP credentials
-## NOTE: Must contain key `smtp-password`
-## NOTE: When it's set, the `smtpPassword` parameter is ignored
-##
-smtpExistingSecret: ""
-## @param containerPorts [object] Container ports
-##
-containerPorts:
-  http: 8080
-  https: 8443
-
-persistence:
-  ## @param persistence.enabled Enable persistence using PVC
-  ##
-  enabled: true
-  ## @param persistence.storageClass PVC Storage Class for Matomo volume
-  ## If defined, storageClassName: <storageClass>
-  ## If set to "-", storageClassName: "", which disables dynamic provisioning
-  ## If undefined (the default) or set to null, no storageClassName spec is
-  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
-  ##   GKE, AWS & OpenStack)
-  ##
-  storageClass: ""
-  ## @param persistence.accessModes PVC Access Mode for Matomo volume
-  ## Requires persistence.enabled: true
-  ## If defined, PVC must be created manually before volume will be bound
-  ##
-  accessModes:
-    - ReadWriteOnce
-  ## @param persistence.size PVC Storage Request for Matomo volume
-  ##
-  size: 8Gi
-  ## @param persistence.dataSource Custom PVC data source
-  ##
-  dataSource: {}
-  ## @param persistence.existingClaim A manually managed Persistent Volume Claim
-  ## Requires persistence.enabled: true
-  ## If defined, PVC must be created manually before volume will be bound
-  ##
-  existingClaim: ""
-  ## @param persistence.hostPath If defined, the matomo-data volume will mount to the specified hostPath.
-  ## Requires persistence.enabled: true
-  ## Requires persistence.existingClaim: nil|false
-  ## Default: nil.
-  ##
-  hostPath: ""
-  ## @param persistence.annotations Persistent Volume Claim annotations
-  ##
-  annotations: {}
-  ## @param persistence.selector Selector to match an existing Persistent Volume for Matomo data PVC
-  ## If set, the PVC can't have a PV dynamically provisioned for it
-  ## E.g.
-  ## selector:
-  ##   matchLabels:
-  ##     app: my-app
-  ##
-  selector: {}
-
-ingress:
-  ## @param ingress.enabled Enable ingress controller resource
-  ##
-  enabled: true
-  ## @param ingress.pathType Ingress Path type
-  ##
-  pathType: ImplementationSpecific
-  ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
-  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
-  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
-  ##
-  ingressClassName: nginx
-  ## @param ingress.hostname Default host for the ingress resource
-  ##
-  hostname: "matomo.adm.oceanbox.io"
-  ## @param ingress.path The Path to Matomo. You may need to set this to '/*' in order to use this
-  ## with ALB ingress controllers.
-  ##
-  path: /
-  ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
-  ## For a full list of possible ingress annotations, please see
-  ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
-  ## Use this parameter to set the required annotations for cert-manager, see
-  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
-  ##
-  ## e.g:
-  ## annotations:
-  ##   kubernetes.io/ingress.class: nginx
-  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
-  ##
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-  ## @param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter
-  ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
-  ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it
-  ##
-  tls: true
-  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
-  ##
-  selfSigned: false
-  ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
-  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
-  ## -----BEGIN RSA PRIVATE KEY-----
-  ##
-  ## name should line up with a tlsSecret set further up
-  ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
-  ##
-  ## It is also possible to create and manage the certificates outside of this helm chart
-  ## Please see README.md for more information
-  ## Example:
-  ## - name: matomo.local-tls
-  ##   key:
-  ##   certificate:
-  ##
-  secrets: []
-  ## @param ingress.extraRules Additional rules to be covered with this ingress record
-  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
-  ## e.g:
-  ## extraRules:
-  ## - host: example.local
-  ##     http:
-  ##       path: /
-  ##       backend:
-  ##         service:
-  ##           name: example-svc
-  ##           port:
-  ##             name: http
-  ##
-  extraRules: []
-## @section Database parameters
-##
-
-## MariaDB chart configuration
-## https://github.com/bitnami/charts/blob/main/bitnami/mariadb/values.yaml
-##
-mariadb:
-  ## @param mariadb.enabled Whether to deploy a mariadb server to satisfy the applications database requirements
-  ## To use an external database set this to false and configure the externalDatabase parameters
-  ##
-  enabled: true
-  ## @param mariadb.architecture MariaDB architecture (`standalone` or `replication`)
-  ##
-  architecture: standalone
-  ## MariaDB Authentication parameters
-  ## @param mariadb.auth.rootPassword Password for the MariaDB `root` user
-  ## @param mariadb.auth.database Database name to create
-  ## @param mariadb.auth.username Database user to create
-  ## @param mariadb.auth.password Password for the database
-  ##
-  auth:
-    usePasswordFiles: false
-    # existingSecret: matomo-mariadb
-    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mariadb#setting-the-root-password-on-first-run
-    ##
-    rootPassword: en to tre fire
-    # ref: https://github.com/bitnami/containers/blob/main/bitnami/mariadb/README.md#creating-a-database-on-first-run
-    ##
-    database: bitnami_matomo
-    ## ref: https://github.com/bitnami/containers/blob/main/bitnami/mariadb/README.md#creating-a-database-user-on-first-run
-    ##
-    username: bn_matomo
-    password: test
-  # passwordUpdateJob:
-  #   enabled: true
-  primary:
-    ## Enable persistence using Persistent Volume Claims
-    ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
-    ## @param mariadb.primary.persistence.enabled Enable database persistence using PVC
-    ## @param mariadb.primary.persistence.storageClass MariaDB primary persistent volume storage Class
-    ## @param mariadb.primary.persistence.accessModes Database Persistent Volume Access Modes
-    ## @param mariadb.primary.persistence.size Database Persistent Volume Size
-    ## @param mariadb.primary.persistence.hostPath Set path in case you want to use local host path volumes (not recommended in production)
-    ## @param mariadb.primary.persistence.existingClaim Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas
-    ##
-    persistence:
-      enabled: true
-      ## mariadb data Persistent Volume Storage Class
-      ## If defined, storageClassName: <storageClass>
-      ## If set to "-", storageClassName: "", which disables dynamic provisioning
-      ## If undefined (the default) or set to null, no storageClassName spec is
-      ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
-      ##   GKE, AWS & OpenStack)
-      ##
-      accessModes:
-        - ReadWriteOnce
-      size: 8Gi
-    ## MariaDB primary container's resource requests and limits
-    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
-    ## We usually recommend not to specify default resources and to leave this as a conscious
-    ## choice for the user. This also increases chances charts run on environments with little
-    ## resources, such as Minikube. If you do want to specify resources, uncomment the following
-    ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-    ## @param mariadb.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
-    ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
-    resourcesPreset: "micro"
-    ## @param mariadb.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
-    ## Example:
-    ## resources:
-    ##   requests:
-    ##     cpu: 2
-    ##     memory: 512Mi
-    ##   limits:
-    ##     cpu: 3
-    ##     memory: 1024Mi
-    ##
-    resources: {}
-
-externalDatabase:
-  host: matomo-mariadb
-  port: 3306
-  user: bn_matomo
-  database: bitnami_matomo
-  existingSecret: matomo-mariadb
-  # existingSecretPasswordKey: mariadb-password
@@ -0,0 +1 @@
+# Umami
@@ -1,3 +1,3 @@
-matomo:
+umami:
  enabled: {{ if eq .Environment.Name "prod" }} true {{ else }} false {{ end }}
  env: prod
@@ -1,4 +1,4 @@
-matomo:
+umami:
  enabled: false
  autosync: {{ if eq .Environment.Name "prod" }} false {{ else }} true {{ end }}
  env: {{ .Environment.Name }}
@@ -0,0 +1,14 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: prod-umami-db
+  namespace: analytics
+spec:
+  instances: 1
+  imageName: ghcr.io/cloudnative-pg/postgresql:17.2-27-bookworm
+  storage:
+    resizeInUseVolumes: true
+    size: 10Gi
+  backup:
+    retentionPolicy: 15d
+    target: prefer-standby
@@ -2,7 +2,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: matomo
+  name: umami
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
@@ -23,9 +23,9 @@ spec:
      - name: CLUSTER_NAME
        value: {{ .Values.clusterConfig.cluster }}
      - name: HELMFILE_ENVIRONMENT
-        value: {{ .Values.matomo.env }}
+        value: {{ .Values.umami.env }}
      - name: HELMFILE_FILE_PATH
-        value: matomo.yaml.gotmpl
+        value: umami.yaml.gotmpl
  syncPolicy:
    managedNamespaceMetadata:
      labels:
@@ -34,7 +34,7 @@ spec:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
      # - ServerSideApply=true
-    {{- if .Values.matomo.autosync }}
+    {{- if .Values.umami.autosync }}
    automated:
      prune: true
      # selfHeal: false
@@ -0,0 +1,149 @@
+image:
+  # -- image registry
+  # registry: ghcr.io
+  # -- image repository
+  repository: umami-software/umami
+  # -- image pull policy
+  # pullPolicy:
+  # -- Overrides the image tag
+  tag: "postgresql-v2.19.0"
+
+replicaCount: 1
+
+revisionHistoryLimit: 10
+
+# -- Resource limits and requests for the controller pods.
+resources:
+  limits:
+    # cpu: 100m
+    # ephemeral-storage: 2Gi
+    memory: 150Mi
+  requests:
+    cpu: 100m
+    # ephemeral-storage: 50Mi
+    memory: 150Mi
+
+securityContext:
+  runAsGroup: 65533
+  runAsNonRoot: true
+  runAsUser: 1001
+
+serviceAccount:
+  create: true
+  automountServiceAccountToken: true
+  # annotations: {}
+  # name: ""
+
+service:
+  # -- Kubernetes service type
+  type: ClusterIP
+  # -- Kubernetes port where service is exposed
+  port: 3000
+
+ingress:
+  # -- Enable ingress record generation
+  enabled: true
+  # -- IngressClass that will be be used to implement the Ingress
+  className: nginx
+  # -- Additional annotations for the Ingress resource
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+  # -- An array with hosts and paths
+  # @default -- see [values.yaml](./values.yaml)
+  hosts:
+    - host: umami.srv.oceanbox.io
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  # -- An array with the tls configuration
+  tls:
+   - secretName: umami-tls
+     hosts:
+       - umami.srv.oceanbox.io
+
+umami:
+  appSecret:
+    # -- Name of an existing secret containing the app secret under the key app-secret.
+    existingSecret: ""
+    # -- A random string used to generate unique values.
+    secret: ""
+  # -- HTTP header to check for the client's IP address. This is useful when you're behind a proxy that uses non-standard headers.
+  clientIpHeader: ""
+  # -- Disables users, teams, and websites settings page.
+  cloudMode: "0"
+  # -- Allows you to send metrics to a location different than the default `/api/send`. This is to help you avoid some ad-blockers.
+  collectApiEndpoint: ""
+  # -- How many seconds a CORS preflight should last. Default is 24 hours.
+  corsMaxAge: "86400"
+  customScript:
+    # -- Create and mount a ConfigMap with a custom script
+    enabled: false
+    # -- The custom script
+    data: ""
+    # -- Key in the ConfigMap
+    key: "script.js"
+    # -- The path to mount the custom script to
+    mountPath: "/app/public/script.js"
+  # -- Console logging for specific areas of the application. Values include `umami:auth`, `umami:clickhouse`, `umami:kafka`, `umami:middleware`, and `umami:prisma`.
+  debug: ""
+  # -- By default bots are excluded from statistics. This disables checking for bots.
+  disableBotCheck: "1"
+  # -- Disables the login page for the application
+  disableLogin: "1"
+  # -- Umami collects completely anonymous telemetry data in order help improve the application. You can choose to disable this if you don't want to participate.
+  disableTelemetry: "1"
+  # -- Disables the check for new versions of Umami
+  disableUpdates: "1"
+  # -- Enables the internal test page, {host}/console. Admin access is required. Users can manually fire pageviews and events to their websites.
+  enableTestConsole: "1"
+  # -- This will redirect all requests from http to https in the Umami application. Note, this does not apply to the tracking script.
+  forceSSL: "1"
+  # -- hostname under which Umami will be reached
+  hostname: "0.0.0.0"
+  # -- This will do a DNS lookup on a hostname and the resulting IP address will be ignored. This can be a comma delimited list of hostnames.
+  ignoreHostname: ""
+  # -- You can provide a comma-delimited list of IP address to exclude from data collection.
+  ignoredIpAddresses: ""
+  # -- If you are running in development mode, this will log database queries to the console for debugging.
+  logQuery: "1"
+  migration:
+    v1v2:
+      # -- enable a job that migrates database structure from v1 to v2
+      enabled: false
+  # -- setting this to true removes the environment variable DISABLE_LOGIN defined in `umami.disableLogin` from the deployment as this caused errors in some setups
+  removeDisableLoginEnv: true
+  # -- Removes the trailing slash from all incoming urls.
+  removeTrailingSlash: "1"
+  # -- Allows you to assign a custom name to the tracker script different from the default umami. This is to help you avoid some ad-blockers.
+  trackerScriptName: "umami"
+
+postgresql:
+  enabled: false
+
+mysql:
+  enabled: false
+
+externalDatabase:
+  auth:
+    # -- Name of the database to use
+    database: app
+    # -- Password to use
+    # password: mychart
+    # -- Name of the user to use
+    username: app
+  # -- Hostname of the database
+  hostname: prod-umami-db-rw
+  # -- Port used to connect to database
+  port: 5432
+  # -- Type of database
+  type: postgresql
+
+database:
+  # -- Key in the existing secret containing the database url
+  databaseUrlKey: database-url
+  # -- use an existing secret containing the database url. If none given, we will generate the database url by using the other values. The password for the database has to be set using `.Values.postgresql.auth.password`, `.Values.mysql.auth.password` or `.Values.externalDatabase.auth.password`.
+  existingSecret: umami-database-url